Configuring SSL server authentication on the client

To complete this task, you use FTP to transfer the signed personal certificate from the CICS® server to the client machine, then use iKeyman to create a Java™ keystore (JKS) file in which the certificate is stored.

iKeyman is provided as part of the Java Runtime Environment.

  1. Transfer the personal certificate to your client machine using an FTP client. Alternatively, you can issue FTP commands on the command line.
    In Configuring SSL server authentication on the CICS server, you specified FORMAT(CERTB64) to ensure that the certificate was stored in ASCII. You must therefore specify ASCII when you transfer the certificate using FTP. The following example shows the FTP commands required to transfer the certificate, and the associated system responses:
          C:\ftp server
          Connected to server.company.com
          User (server.company.com:(none)): name
          331 Send password please.
          Password: xxx
          name is logged on.
          Working directory is "/u/directory".
          ftp> asc
          Representation type is Ascii NonPrint
          ftp> quote site recfm=vb
          SITE command was accepted
          ftp> get 'CTGUSER.PERSONAL.CERT'
          Port request OK.
          125 Sending data set CTGUSER.PERSONAL.CERT
          Transfer completed successfully.
          ftp> quit

    You have to specify the site recfm=vb FTP command because the server certificate is stored in a variable blocked data set.

  2. Rename CTGUSER.PERSONAL.CERT to personalcert.arm.
  3. Start iKeyman on your client machine.
  4. Create a new Java keystore file:
    1. From the iKeyman main menu, select Key Database File > New.
    2. From the New dialog, click the Key database type list then select the file type JKS.
    3. In the File name field enter the name of the Java keystore file that you want to create. In this scenario the file name is ctgclientkeyring.jks.
    4. Click OK. Because you are creating a new Java keystore file, the Password prompt dialog now prompts you to provide a password. Enter a password into the Password and Confirm password fields. In this scenario the password is MyPassword.
    5. Click OK.
  5. Import the personal certificate personalcert.arm from the data set into the Java keystore file:
    1. Click the arrow and select Signer certificates from the list.
    2. Click Add and specify the file name and location of the file that you transferred to the client (in this scenario personalcert.arm).
    3. Click OK.
    4. In the Enter a label dialog, enter a label for the certificate. The label identifies the certificate but is not used during security processing. This scenario uses the label cics tg racf server certificate.
    5. Click OK. The server personal certificate is imported from the data set that you transferred to the client, into the Java keystore file.

You have now configured SSL server authentication on the client.
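
FTP gives the transferred file no integrity protection, and step 5 makes that file the trust anchor for server authentication, so it is worth checking personalcert.arm before importing it. The following is an added example, not part of the original procedure or of any IBM tooling: it assumes the CERTB64 export carries the usual BEGIN/END CERTIFICATE armor and that an expected SHA-256 fingerprint was obtained out of band from the CICS server administrator. The function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import re

ARMOR = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def load_armored_cert(text):
    """Return the DER bytes inside a base64-armored certificate, or raise ValueError."""
    m = ARMOR.search(text)
    if not m:
        # A binary-mode transfer leaves EBCDIC bytes, so the armor lines are unreadable.
        raise ValueError("no BEGIN/END CERTIFICATE armor; was the file transferred in ASCII mode?")
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError("armor body is not valid base64") from exc
    # Outer DER header: SEQUENCE tag 0x30 followed by a definite length.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload is not a DER SEQUENCE")
    first = der[1]
    n = first & 0x7F if first & 0x80 else 0          # number of long-form length bytes
    length = int.from_bytes(der[2:2 + n], "big") if n else first
    if first == 0x80 or 2 + n + length != len(der):
        raise ValueError("DER length mismatch; file truncated or padded in transfer")
    return der


def sha256_fingerprint(der):
    """SHA-256 of the DER bytes as colon-separated uppercase hex."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def safe_to_import(text, expected_fp):
    """True only if the file parses and matches the fingerprint obtained out of band."""
    return sha256_fingerprint(load_armored_cert(text)) == expected_fp.strip().upper()


# Constructed stand-in: a DER SEQUENCE holding filler bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE = ("-----BEGIN CERTIFICATE-----\n"
          + base64.encodebytes(SAMPLE_DER).decode()
          + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(sha256_fingerprint(load_armored_cert(SAMPLE)))
```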