Configure secure communication to protect the data and resources of Z APM Connect when it collects transaction tracking data of z/OS® subsystems.
You can generate new certificates, import your own certificates, or disable security between z/OS and the Z APM Connect DG.
The z/OS components include Z APM Connect Container, and may also include the z/OS Connect Enterprise Edition (z/OS Connect EE) server or CICS® Transaction Gateway (CICS TG) server, depending on the type of transactions to be tracked.
When using TLS protection, the Z APM Connect DG Machine acts as the TLS server and the z/OS components act as the TLS client. Z APM Connect DG Machine uses the Java™ Secure Sockets Extension (JSSE) for its TLS processing and the z/OS components use Application Transparent TLS (AT-TLS) support.
Note: An administrator for your security server is needed. If you use RACF®, the SPECIAL OPERATIONS attribute is required.
Tip: A brief review of keystores and truststores
Keystores and truststores are repositories that contain certificates.
A keystore contains personal certificates.
A personal certificate represents the identity of the TLS endpoint and contains a public and a private key. Both the client (for example, CICS TG server) and the server (for example, Z APM Connect DG machine) might have personal certificates to identify themselves.
A truststore contains the signer certificates (also known as Certificate Authority (CA) certificates) which the endpoint trusts.
A signer certificate contains a public key, which is used to validate personal certificates. By installing the server’s signer certificate into the client's truststore, you are allowing the client to trust the server when establishing a TLS connection. The same principle is true for a server to trust a client when TLS client authentication is enabled.
Z APM Connect supports only Java KeyStores (JKS) key rings.
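The following is an added example, not code from Z APM Connect or IBM, that shows the server side of the arrangement described above in plain JSSE: a TLS listener that loads its personal certificate from a JKS keystore, loads the signer certificates it trusts from a JKS truststore, and optionally requires TLS client authentication. The file names, key alias, password and port are assumptions for this example, as are the keytool commands in the comment that build the stores; the z/OS side (AT-TLS policy) is not shown.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/*
 * Example only: a minimal JSSE TLS server in the role the page assigns to the
 * Z APM Connect DG machine. File names, the alias, the password and the port are
 * assumptions for this example, not product values.
 *
 * The JKS stores can be built with keytool (commands assumed for illustration):
 *   keytool -genkeypair -alias dg -keyalg RSA -keysize 2048 -validity 365 \
 *       -dname "CN=dg.example.test" -storetype JKS -keystore dg-keystore.jks
 *   keytool -exportcert -alias dg -keystore dg-keystore.jks -file dg-signer.cer
 *   keytool -importcert -alias dg-signer -file dg-signer.cer -noprompt \
 *       -storetype JKS -keystore client-truststore.jks
 * The first command creates the server's personal certificate (self-signed, so it is
 * also its own signer); the last imports that signer certificate into the truststore
 * a client would use, which is exactly what lets the client trust the server.
 */
public class JsseTlsServerExample {
    static final String KEYSTORE_PATH = "dg-keystore.jks";     // personal certificate + private key
    static final String TRUSTSTORE_PATH = "dg-truststore.jks"; // signer certificates of trusted clients
    static final char[] STORE_PASSWORD = "changeit".toCharArray(); // placeholder password
    static final int PORT = 8443; // assumed listener port

    // Load a JKS store; the page states that only JKS is supported.
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Keystore -> KeyManagers (our identity); truststore -> TrustManagers (who we trust).
    static SSLContext buildServerContext() throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(KEYSTORE_PATH, STORE_PASSWORD), STORE_PASSWORD);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(TRUSTSTORE_PATH, STORE_PASSWORD));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Pass --client-auth to require the client to present a certificate whose
        // signer is in the truststore (TLS client authentication).
        boolean requireClientAuth = args.length > 0 && args[0].equals("--client-auth");

        SSLServerSocket server = (SSLServerSocket) buildServerContext()
                .getServerSocketFactory().createServerSocket(PORT);
        server.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        server.setNeedClientAuth(requireClientAuth);
        System.out.println("Listening on " + PORT + " (client auth "
                + (requireClientAuth ? "required" : "off") + ")");

        try (SSLSocket client = (SSLSocket) server.accept()) {
            client.startHandshake(); // run the handshake now so failures surface here
            SSLSession session = client.getSession();
            System.out.println("Negotiated " + session.getProtocol() + " / " + session.getCipherSuite());
            try {
                System.out.println("Client identity: " + session.getPeerPrincipal());
            } catch (SSLPeerUnverifiedException e) {
                System.out.println("Client did not present a certificate");
            }
            BufferedReader reader = new BufferedReader(
                    new InputStreamReader(client.getInputStream(), "UTF-8"));
            System.out.println("Received: " + reader.readLine());
        } finally {
            server.close();
        }
    }
}
```

Run it without arguments to require only server authentication, or with `--client-auth` to also require a client certificate; in the second case the client's signer certificate must be in dg-truststore.jks, which is the server-trusts-client direction the tip above describes. A quick check of the server side from any machine is `openssl s_client -connect host:8443 -CAfile dg-signer.cer`, which succeeds only if the presented personal certificate chains to that signer.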
Two secure connection configuration options are provided. The option you choose depends on the environment in which you installed Z APM Connect DG:
If you install Z APM Connect DG on a distributed Linux® environment with Docker, follow the section Configuring secure communications between z/OS components and Z APM Connect Distributed Gateway Linux machine.
If you install Z APM Connect DG on Red Hat® OpenShift® Container Platform using a Helm chart, follow the section Configuring secure communications between z/OS components and Z APM Connect Distributed Gateway OpenShift or Kubernetes cluster.