Configuring the SSL Server

The Secure Sockets Layer (SSL) server provides the processing capability that allows secure (encrypted) communication between two TCP/IP connection participants, one of which is a server or client application on the local z/VM® host. Such communication may be secured by a static SSL connection (one that is secured when the connection is initially established and remains so for the duration of the connection) or through Dynamic SSL/Transport Layer Security (TLS), which allows a client or server application to control the acceptance and establishment of connections that are encrypted using SSL/TLS.

For z/VM, implicit (static) SSL connections are supported only between a remote client and an application (or protocol) server that resides on the local z/VM host. The application server must be listening on a port identified as SECURE by your installation, and the remote client must support the TLS protocol as defined in RFC 2246 (TLS 1.0). Explicit (dynamic) SSL/TLS connections are supported for any z/VM Pascal or Assembler client or server application that makes use of the set of application programming interfaces (APIs) provided for this purpose. For more information about the APIs provided for Dynamic SSL/TLS, see z/VM: TCP/IP Programmer's Reference.

For static SSL connections, no changes to a z/VM application server are necessary for it to participate in SSL. The application server does not perform any data encryption or decryption; this is handled by the z/VM SSL server, which terminates the encrypted connection on the application server's behalf and exchanges cleartext with it.

Dynamic SSL/TLS connections are supported by the following z/VM TCP/IP application servers and clients, which have been updated to accommodate this support:
  • TCP/IP server
  • SSL server
  • FTP server
  • FTP client
  • Telnet server (Internal to the TCP/IP server)
  • Telnet client
  • SMTP server
Note: The LDAP server uses SSL/TLS services that are separate from those provided by the z/VM SSL server. Thus, you do not protect the LDAP server ports in the manner described here for other servers such as the FTP server.

Under the SSL/TLS protocol, the application server is always authenticated: to participate in an SSL session, an application server must present a certificate to prove its identity. Server certificates are issued by Certificate Authorities (CAs), each of which establishes its own identity by providing a CA certificate. Server certificates and CA certificates are stored in a certificate database (also referred to as a key database) that is accessible to the SSL server. The key database resides in the z/VM Byte File System (BFS) and is managed independently of the SSL server, through the gskkyman utility program.
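The implicit and explicit connection types described above, and the server certificate that the SSL server presents on the application server's behalf, can be checked from any remote client. The following Python probe is an added example and is not part of the z/VM documentation or product: it connects to a port either as an implicit (static) TLS listener, or first runs the cleartext upgrade dialog that an explicit (dynamic) FTP or SMTP server expects, and then reports the negotiated protocol version and any problems with the certificate. The upgrade dialogs are the standard FTP AUTH TLS (RFC 4217) and SMTP STARTTLS (RFC 3207) exchanges rather than anything z/VM-specific; the host names, the scripted replies, ScriptedPeer and SAMPLE_CERT are constructed so that the dialog and the certificate checks can be exercised offline.

```python
"""Probe a TLS-protected port as a remote client sees it: an implicit (static)
listener negotiates TLS as soon as the TCP connection opens; an explicit
(dynamic) FTP or SMTP server is upgraded from cleartext by the client first.
Added example; host names, replies, ScriptedPeer and SAMPLE_CERT are constructed."""
import socket
import ssl
import time

# Cleartext command that asks an explicit-TLS server to start the handshake and the
# reply code meaning "go ahead": FTP AUTH TLS (RFC 4217), SMTP STARTTLS (RFC 3207).
EXPLICIT_UPGRADE = {
    "ftp": (b"AUTH TLS\r\n", b"234"),
    "smtp": (b"STARTTLS\r\n", b"220"),
}

def _read_reply(sock) -> bytes:
    """Read one complete FTP/SMTP reply, including 'NNN-' continuation lines."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection mid-reply")
        buf += chunk
        if buf.endswith(b"\r\n"):
            last = buf.split(b"\r\n")[-2]
            if len(last) >= 4 and last[3:4] == b" ":  # final line is 'NNN<space>...'
                return buf

def negotiate_explicit(sock, protocol: str) -> bytes:
    """Run the cleartext half of an explicit TLS upgrade and return the go-ahead reply.
    Raises RuntimeError if the server refuses, so the caller never starts a TLS
    handshake on a socket the server still treats as cleartext."""
    command, go_ahead = EXPLICIT_UPGRADE[protocol]
    greeting = _read_reply(sock)
    if not greeting.startswith(b"220"):
        raise RuntimeError(f"unexpected greeting: {greeting!r}")
    if protocol == "smtp":
        sock.sendall(b"EHLO probe.example.test\r\n")  # constructed client name
        if b"STARTTLS" not in _read_reply(sock).upper():
            raise RuntimeError("server does not advertise STARTTLS")
    sock.sendall(command)
    reply = _read_reply(sock)
    if not reply.startswith(go_ahead):
        raise RuntimeError(f"server refused TLS upgrade: {reply!r}")
    return reply

def _dns_match(pattern: str, hostname: str) -> bool:
    """Match a certificate DNS name to a host name; '*.' covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname

def check_peer_cert(cert: dict, hostname: str, now=None) -> list:
    """Return the problems with a certificate in SSLSocket.getpeercert() dict form;
    an empty list means the name is covered and 'now' lies in the validity window."""
    now = time.time() if now is None else now
    problems = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # the CN counts only when the certificate carries no DNS SAN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(_dns_match(n, hostname) for n in names):
        problems.append(f"name mismatch: {hostname} not covered by {names}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    return problems

def probe(host: str, port: int, explicit: str = None, cafile: str = None):
    """Connect, upgrade first if 'explicit' names a protocol, return (version, problems)."""
    ctx = ssl.create_default_context(cafile=cafile)  # rejects bad chains and names itself
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as raw:
        if explicit:
            negotiate_explicit(raw, explicit)
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), check_peer_cert(tls.getpeercert(), host)

class ScriptedPeer:
    """Constructed socket stand-in: replays canned server replies and records what
    the client sent, so the upgrade dialog can be exercised without a network."""
    def __init__(self, replies):
        self.replies, self.sent = list(replies), []
    def recv(self, bufsize):
        return self.replies.pop(0) if self.replies else b""
    def sendall(self, data):
        self.sent.append(data)

# Constructed certificate in getpeercert() form for exercising check_peer_cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "ftp.vm.example.test"),),),
    "subjectAltName": (("DNS", "ftp.vm.example.test"), ("DNS", "*.vm.example.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
```

Against a live host, `probe("host", port)` checks a port your installation has designated SECURE (implicit), and `probe("host", port, "ftp")` or `probe("host", port, "smtp")` checks an explicit upgrade; pass `cafile` when the server certificate was issued by a private CA, because `create_default_context` otherwise trusts only the system store and the handshake fails before any certificate is reported. The context already refuses a bad chain or name during the handshake; `check_peer_cert` applies the same name and validity policy as a readable report, and is what the offline exercise with `SAMPLE_CERT` and `ScriptedPeer` tests.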

To configure the SSL server, you must perform the following steps:

SSL Server Configuration Steps
  1. Determine the SSL Server Configuration For Your Installation
  2. Update the TCP/IP Server Configuration File (PROFILE TCPIP)
  3. Update the DTCPARMS File for the TCP/IP Server
  4. Update the DTCPARMS File for the SSL DCSS Management Agent Server
  5. Update the DTCPARMS File for the SSL Server Pool
  6. Set Up the Certificate Database
  7. Implement Customization for Protected Communications
    1. Designate the Secure Ports (Static SSL Connections)
    2. Configure TLS Services (Dynamic SSL/TLS Connections)

Dynamic Server Operation: The SSL server provides an SSLADMIN command interface that allows you to perform certificate database administration and server administration tasks. See Dynamic Server Operation.