Setting up secure communication for UMS

By default, Unified Management Server encrypts data that it passes to Zowe using a self-signed certificate. You can use a different certificate by specifying the location of the certificate keystore in z/OS® UNIX System Services and then running a Unified Management Server script. Follow the steps in this task if you did not configure your own certificate when you installed Unified Management Server and want to use a custom certificate.

Before you begin

Recommendation: For any environment other than a proof-of-concept test environment, use key rings for both keystores and truststores.

Using a key ring as a keystore

You can use a different certificate by specifying the location of the key ring using the commands listed in this section.
  • Know the PARMLIB member that contains the Unified Management Server configuration parameters. This member was first edited when you installed Unified Management Server. The default is IZP.PARMLIB(IZPUMSPM).
  • If you self-generated your server certificate and you want to enable client authentication, your server certificate must contain the TLS Web Client Authentication (1.3.6.1.5.5.7.3.2) value in the extended key usage extension. The key usage extension must also include the digital signature and key agreement values.
To add the server certificate and the certificate authority used to sign it to your key ring, run the following commands.
Note: The default UMS started task ID is the same as the Zowe started task ID, which is referred to as <zowe_started_task_id> in the example below.
RACDCERT CONNECT(ID(<zowe_started_task_id>) LABEL('<SERVER_CERTIFICATE_LABEL>') RING(<RINGNAME>) USAGE(PERSONAL) DEFAULT) ID(<zowe_started_task_id>)
RACDCERT CONNECT(CERTAUTH LABEL('<CA_LABEL>') RING(<RINGNAME>) USAGE(CERTAUTH)) ID(<zowe_started_task_id>)
SETROPTS RACLIST(DIGTCERT,DIGTRING) REFRESH
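The client-authentication requirement above (TLS Web Client Authentication in the extended key usage, plus Digital Signature and Key Agreement in the key usage) is easy to get wrong when generating your own server certificate. The following shell script is an added example, not part of the UMS documentation or product: it checks those two extensions in the text form that `openssl x509 -in server.pem -noout -text` prints. The script does not call openssl itself; the certificate text it runs on is a constructed sample, and the function and file names are our own.

```shell
#!/bin/sh
# Added example (not part of the UMS documentation): verify that a
# self-generated server certificate carries the usage extensions required
# for client authentication, reading the output of
# `openssl x509 -in server.pem -noout -text` from a file.

# Print the value line that follows the named X509v3 extension header.
# $1 = header text to look for, $2 = file holding the openssl -text output.
# Only the first line of the value is read, which is enough for usage extensions.
ext_value() {
  awk -v hdr="$1" '
    found { sub(/^[ \t]+/, ""); print; exit }
    index($0, hdr) > 0 { found = 1 }
  ' "$2"
}

# Return 0 when Extended Key Usage contains TLS Web Client Authentication and
# Key Usage contains both Digital Signature and Key Agreement; otherwise print
# each missing value and return 1.
check_client_auth_usage() {
  eku=$(ext_value "X509v3 Extended Key Usage" "$1")
  ku=$(ext_value "X509v3 Key Usage" "$1")
  rc=0
  case "$eku" in
    *"TLS Web Client Authentication"*) ;;
    *) echo "missing Extended Key Usage: TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)"; rc=1 ;;
  esac
  case "$ku" in
    *"Digital Signature"*) ;;
    *) echo "missing Key Usage: Digital Signature"; rc=1 ;;
  esac
  case "$ku" in
    *"Key Agreement"*) ;;
    *) echo "missing Key Usage: Key Agreement"; rc=1 ;;
  esac
  return $rc
}

# Constructed excerpt of `openssl x509 -noout -text` output for a certificate
# that satisfies the requirement (sample data, not a real certificate).
sample_cert_text() {
  cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
EOF
}

# Stand-alone run on the constructed sample. For a real certificate use:
#   openssl x509 -in server.pem -noout -text > cert.txt
#   check_client_auth_usage cert.txt
tmp=$(mktemp)
sample_cert_text > "$tmp"
if check_client_auth_usage "$tmp"; then
  echo "sample certificate meets the client-authentication requirements"
fi
rm -f "$tmp"
```

Run this against the certificate before connecting it to the key ring with RACDCERT CONNECT; a certificate that fails the check will not be usable for client authentication however the ring is set up.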

Using a file-based keystore

You can use a different certificate by specifying the location of the certificate keystore in z/OS UNIX System Services and then running a Unified Management Server script.

  • Make sure that you did not already configure Unified Management Server to use your certificate when you installed it. If you specified the certificate keystore location in the IZP_UMS_CERTIFICATE_DIR parameter before you installed Unified Management Server, you do not need to follow these steps.
  • Place the certificate or keystore that you want to use in z/OS UNIX and note the location.
  • If your certificate is in a keystore, obtain the keystore password.

Procedure

  1. In z/OS, edit the PARMLIB member that contains Unified Management Server configuration parameters.
  2. In the following parameter, specify the z/OS UNIX path to the directory that contains your certificate:
    IZP_UMS_CERTIFICATE_DIR
    The importer recognizes the files in that directory by their extensions:
    • The .jks files are assumed to be a Java™ Key Store.
    • The .pfx or .p12 files are assumed to be PKCS #12 certificate stores.
    • The .cer files are assumed to be a plain certificate, which is not included in a key/certificate store.

    If a file has no extension, or has any other extension, it is ignored by the importer.

  3. Navigate to the location given for IZP_UMS_VARDIR in IZPINST. If none is given, navigate to the SMP/E location:
    <IZP_SMPE_HOME>/ums/var

    IZP_SMPE_HOME is the value used in IZPINST for the SMP/E location.

  4. Ensure that the following variables are set in your z/OS UNIX System Services profile, or issue export commands for these variables to apply them in the current session:
    export _BPXK_AUTOCVT=ON
    export _CEE_RUNOPTS="FILETAG(AUTOCVT,AUTOTAG) POSIX(ON)"
    export _TAG_REDIR_IN=TXT
    export _TAG_REDIR_OUT=TXT
    export _TAG_REDIR_ERR=TXT
  5. To run the HTTPS configuration script, enter the following command:
    ./izp-import-certs.sh
  6. When prompted, enter the keystore password. Or, if you are not importing your certificates from a password-protected keystore, press Enter.
    The script pulls the certificate from the specified location into the Unified Management Server certificate store so that Unified Management Server can use the certificate to encrypt communication with Zowe.
  7. Stop and start Unified Management Server.
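Because the importer silently ignores every file whose extension is not .jks, .pfx, .p12 or .cer, a mis-named keystore simply does not get imported and the server keeps using the self-signed certificate. The following shell script is an added example, not part of the UMS documentation or the izp-import-certs.sh script: it previews how the directory you named in IZP_UMS_CERTIFICATE_DIR will be treated, using the extension rules from step 2, and also flags keystore files that other users can read, since a .jks or PKCS #12 store holds the private key. The classification is our own reading of the documented rules, and the function names are our own.

```shell
#!/bin/sh
# Added example (not part of the UMS documentation): preview how the
# certificate importer will treat the files in IZP_UMS_CERTIFICATE_DIR
# before running ./izp-import-certs.sh. The categories below follow the
# extension rules given in step 2; the permission check is our own addition.

# Print the importer's category for one file name: jks, pkcs12, cert or ignored.
classify_cert_file() {
  case "$1" in
    *.jks)        echo jks ;;      # Java Key Store
    *.pfx|*.p12)  echo pkcs12 ;;   # PKCS #12 certificate store
    *.cer)        echo cert ;;     # plain certificate, not in a key store
    *)            echo ignored ;;  # no extension or any other extension
  esac
}

# List every regular file in the directory with its category. Return 1 if
# nothing would be imported, or if a keystore file is readable by other users.
preview_cert_dir() {
  dir=$1
  imported=0
  rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    kind=$(classify_cert_file "$f")
    echo "$kind  $f"
    if [ "$kind" != ignored ]; then
      imported=$((imported + 1))
    fi
    # Keystores contain private keys: flag the "other" read bit (mode o+r).
    if [ "$kind" = jks ] || [ "$kind" = pkcs12 ]; then
      if [ -n "$(find "$f" -perm -004)" ]; then
        echo "WARNING: $f is readable by other users; restrict it before importing"
        rc=1
      fi
    fi
  done
  if [ "$imported" -eq 0 ]; then
    echo "WARNING: no .jks, .pfx, .p12 or .cer file in $dir; the importer would import nothing"
    rc=1
  fi
  return $rc
}

# Stand-alone usage: pass the directory you set in IZP_UMS_CERTIFICATE_DIR, e.g.
#   ./preview-cert-dir.sh /u/ums/certs
if [ "$#" -gt 0 ]; then
  preview_cert_dir "$1"
fi
```

Run it from the z/OS UNIX shell as the user that will run izp-import-certs.sh, after step 2 and before step 5; a non-zero exit tells you to rename or re-permission files before the import.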

What to do next

Applicable to SQL Tuning Services: Users must create connection profiles for SQL Tuning Services. If you are using SSL encryption for the Db2 connectivity, UMS passes the name of the UMS truststore to SQL Tuning Services when the profile is created.
  • Using a file-based keystore

    If you are using a file-based keystore with UMS, ensure that the SQL Tuning Services started task user ID has read permission on the UMS truststore file.

  • Using a key ring as a truststore

    If you are using key rings with UMS, the SQL Tuning Services started task user ID also needs read access to the UMS key ring. You can select one of the following options:

    • Define and permit UPDATE on IRR.DIGTCERT.LISTRING in class FACILITY to SQL Tuning Services. This grants those user IDs the authority to read any key ring on the system.
    • Define and permit CONTROL on <UMS keyring owner>.<UMS keyring name>.LST in class RDATALIB to the UMS and SQL Tuning Services started task user IDs.
    • Create the connection profiles outside UMS and pass the name of a truststore already used for SQL Tuning Services started tasks. Make sure to connect the appropriate Db2 Root CAs to the key rings so the services can connect securely to Db2.