Enhanced HTTP client configuration file for TLS

To establish a secure Hypertext Transfer Protocol (HTTP) client session by using Transport Layer Security (TLS), you must create one or more HTTP client configuration files for TLS and place them in the /etc/ssl/httpc/ directory on the z/TPF system.

HTTP client configuration files must use the following naming convention: /etc/ssl/httpc/host.conf, where:
host
  • For a persistent connection, specifies the endpoint group name of the HTTP server that a secure HTTP session is established for.
  • For a non-persistent connection, specifies the host name or IP address of the HTTP server that a secure HTTP session is established for.
You also can create a default enhanced HTTP client configuration file, which must be called /etc/ssl/httpc/httpc.conf. This configuration file is used if a specific configuration file cannot be found for an HTTP session. If you migrate to the enhanced HTTP client support, you can use the same default configuration file that you use with the HTTP client support for the z/TPF system. If you use the host.conf configuration file for non-persistent connections with the enhanced HTTP client support, you also can use the same file that you use with the HTTP client support for the z/TPF system.
You must specify the following parameters for the HTTP client configuration file for TLS:
  • VERSION
  • CIPHER
  • VERIFYPEER
    Note: If you specify NO for the VERIFYPEER parameter, validation of the server certificate is bypassed. Specify NO only in test environments.
The following parameters for the HTTP client configuration file for TLS are optional:
CAINFO
Specify this parameter only when you specify YES for the VERIFYPEER parameter. Either the CAINFO or CAPATH parameter (or both) is required when the value of the VERIFYPEER parameter is set to YES.
CAPATH
Specify this parameter only when you specify YES for the VERIFYPEER parameter. Either the CAINFO or CAPATH parameter (or both) is required when the value of the VERIFYPEER parameter is set to YES.
CERTIFICATE
Specify this parameter if the server requires client authentication.
CERTTYPE
Specify this parameter if the server requires client authentication.
KEY
Specify this parameter if the server requires client authentication.
KEYTYPE
Specify this parameter if the server requires client authentication.
MAXVERSION
Specifies the maximum TLS version to be used. If you do not specify this parameter, the maximum TLS version is the maximum version that the z/TPF system supports.
Note: The USESSL parameter is ignored for the HTTP client configuration file for TLS.
The following example shows an enhanced HTTP client configuration file.

VERSION=TLSv1_2
CIPHER=AES256-SHA256
VERIFYPEER=YES
CERTIFICATE=/certs/ntpf2048_cert.pem
CERTTYPE=PEM
KEY=/certs/ntpf2048.pem
KEYTYPE=PEM
CAINFO=/certs/cacert.pem
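
The parameter rules above can be checked before a file is placed in /etc/ssl/httpc/. The following Python lint is an added example, not part of the z/TPF product or of the original page. The function names, the severity labels, and the warning for a partial set of client-authentication parameters are assumptions.

```python
# Added example (not IBM code): lint a z/TPF HTTP client TLS configuration
# file against the parameter rules stated on this page.
REQUIRED = ("VERSION", "CIPHER", "VERIFYPEER")
CLIENT_AUTH = ("CERTIFICATE", "CERTTYPE", "KEY", "KEYTYPE")

def parse_conf(text):
    """Parse NAME=VALUE lines, the format shown in the page's example."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep:  # lines without '=' (including blank lines) are skipped
            params[name.strip()] = value.strip()
    return params

def lint_conf(text):
    """Return a list of (severity, message) findings; empty means clean."""
    p = parse_conf(text)
    out = [("error", f"{n} is required") for n in REQUIRED if not p.get(n)]
    verify = p.get("VERIFYPEER")
    ca = [n for n in ("CAINFO", "CAPATH") if n in p]
    if verify == "YES" and not ca:
        out.append(("error", "VERIFYPEER=YES requires CAINFO or CAPATH"))
    if verify == "NO":
        out.append(("warning", "VERIFYPEER=NO bypasses server certificate "
                    "validation; test environments only"))
        if ca:
            out.append(("warning", "/".join(ca) + " applies only with VERIFYPEER=YES"))
    have = [n for n in CLIENT_AUTH if n in p]
    # Assumption: the four client-authentication parameters are set together.
    if have and len(have) < len(CLIENT_AUTH):
        missing = [n for n in CLIENT_AUTH if n not in p]
        out.append(("warning", "client authentication incomplete, missing "
                    + ", ".join(missing)))
    if "USESSL" in p:
        out.append(("info", "USESSL is ignored in this file"))
    return out

# The example file from this page.
PAGE_EXAMPLE = ("VERSION=TLSv1_2\nCIPHER=AES256-SHA256\nVERIFYPEER=YES\n"
                "CERTIFICATE=/certs/ntpf2048_cert.pem\nCERTTYPE=PEM\n"
                "KEY=/certs/ntpf2048.pem\nKEYTYPE=PEM\nCAINFO=/certs/cacert.pem\n")
# Constructed sample with several problems.
BAD_SAMPLE = ("VERSION=TLSv1_2\nVERIFYPEER=NO\nCAINFO=/certs/cacert.pem\n"
              "CERTIFICATE=/certs/ntpf2048_cert.pem\nUSESSL=YES\n")

if __name__ == "__main__":
    for sev, msg in lint_conf(BAD_SAMPLE):
        print(f"{sev}: {msg}")
```

The lint checks only the presence and combination rules stated on this page; it does not validate VERSION or CIPHER values or open the certificate and key files.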