Configuring TLS on an IPIC connection

Follow these steps to configure TLS on an IPIC connection to CICS®. Client authentication is required if the IBM® z/OS® Connect server and CICS region are in different sysplexes and the CICS IPCONN is configured with USERAUTH=IDENTIFY.

Before you begin

  1. Configure the TCPIPSERVICE on the CICS region to use TLS. For more information, see Configuring an IPIC connection in CICS.
  2. Configure a zosconnect_cicsIpicConnection element in server.xml. For more information, see Configuring an IPIC connection in IBM z/OS Connect.

About this task

The server.xml file is updated to configure TLS on an existing IPIC connection definition, with both client and server authentication.

Procedure

  1. Create a personal TLS certificate and key ring for the CICS region.
    In this example, the CICS region uses the following artifacts:
    • A self-signed certificate. In a production system, you should consider using a CA-signed certificate.
    • A RACF key ring called CICSTS-KEYRING.
    If this certificate is not the default in the server key ring, it must be specified in the Certificate attribute of the TCPIPSERVICE definition. For more information, see Configuring an IPIC connection in CICS.
  2. Create a personal TLS certificate for the IBM z/OS Connect server.
    In this example, the IBM z/OS Connect server uses a self-signed certificate in a JKS keystore.
  3. Export the public part of the CICS region's personal certificate and import it into the IBM z/OS Connect server's truststore as a trusted certificate.
    This allows the IBM z/OS Connect server to trust the CICS region during the TLS handshake.
  4. If client authentication is required, export the public part of the IBM z/OS Connect server's personal certificate and import it into the CICS region's RACF key ring.
    This allows the CICS region to trust the IBM z/OS Connect server during the client authentication step of the TLS handshake.
  5. Edit the IBM z/OS Connect server configuration file to define an SSL element or SSLDefault element.
  6. Add an sslCertsRef attribute to the zosconnect_cicsIpicConnection element to reference the SSL element.
    For example,

        <featureManager>
            <feature>zosconnect:cicsService-1.0</feature>
        </featureManager>

        <!-- Define the TLS configuration. -->
        <!-- Set clientAuthentication to true if the IBM z/OS Connect server and CICS region are in different sysplexes. -->
        <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" clientAuthentication="false" />

        <!-- Define a keystore. Contains the IBM z/OS Connect server's personal certificate to be sent on the TLS handshake. -->
        <keyStore id="defaultKeyStore" password="zosconnect" location="${server.config.dir}/resources/security/serverKey.jks" />

        <!-- Define a truststore. Contains the CICS region's public certificate expected to be sent on the TLS handshake. -->
        <keyStore id="defaultTrustStore" password="zosconnect" location="${server.config.dir}/resources/security/serverTrust.jks"/>

        <!-- Define the IPIC connection to CICS. -->
        <zosconnect_cicsIpicConnection id="cicsConn" sslCertsRef="defaultSSLConfig"
                host="192.0.2.0" port="1110" />
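The following added script is not part of the IBM documentation; it checks a server.xml like the one above for the wiring the procedure relies on: that each zosconnect_cicsIpicConnection has an sslCertsRef that resolves to an ssl element, that the ssl element's keyStoreRef and trustStoreRef resolve to keyStore elements, that clientAuthentication is true when the server and CICS region are in different sysplexes, and that keystore passwords are Liberty-encoded ({xor} or {aes}) rather than plaintext. The sample XML is a constructed copy of the page's example wrapped in a server root element.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's server.xml fragment wrapped in a <server> root.
SAMPLE_SERVER_XML = """<server>
  <featureManager><feature>zosconnect:cicsService-1.0</feature></featureManager>
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"
       trustStoreRef="defaultTrustStore" clientAuthentication="false" />
  <keyStore id="defaultKeyStore" password="zosconnect"
            location="${server.config.dir}/resources/security/serverKey.jks" />
  <keyStore id="defaultTrustStore" password="zosconnect"
            location="${server.config.dir}/resources/security/serverTrust.jks"/>
  <zosconnect_cicsIpicConnection id="cicsConn" sslCertsRef="defaultSSLConfig"
            host="192.0.2.0" port="1110" />
</server>"""


def check_ipic_tls(server_xml: str, cross_sysplex: bool) -> list:
    """Return a list of findings for every IPIC connection in server_xml.

    cross_sysplex is True when the z/OS Connect server and the CICS region are in
    different sysplexes, where the page says client authentication is required.
    """
    root = ET.fromstring(server_xml)
    ssl_by_id = {e.get("id"): e for e in root.iter("ssl")}
    keystore_by_id = {e.get("id"): e for e in root.iter("keyStore")}
    findings = []
    for conn in root.iter("zosconnect_cicsIpicConnection"):
        cid = conn.get("id", "<no id>")
        ref = conn.get("sslCertsRef")
        if not ref:
            findings.append(f"{cid}: no sslCertsRef, IPIC traffic is not TLS-protected")
            continue
        ssl = ssl_by_id.get(ref)
        if ssl is None:
            findings.append(f"{cid}: sslCertsRef '{ref}' matches no ssl element")
            continue
        for attr in ("keyStoreRef", "trustStoreRef"):
            ks_id = ssl.get(attr)
            ks = keystore_by_id.get(ks_id)
            if ks is None:
                findings.append(f"{cid}: ssl '{ref}' {attr}='{ks_id}' matches no keyStore")
            elif not ks.get("password", "").startswith(("{xor}", "{aes}")):
                # Liberty accepts plaintext here, but an encoded value keeps the
                # keystore password out of a readable config file.
                findings.append(f"{cid}: keyStore '{ks_id}' password is plaintext")
        if cross_sysplex and ssl.get("clientAuthentication", "false").lower() != "true":
            findings.append(f"{cid}: clientAuthentication must be true across sysplexes")
    return findings
```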