You must have authorization to issue the following RACDCERT commands:
ADD, ADDRING, CONNECT,
EXPORT, GENCERT, LIST, and
LISTRING, to create a RACF® key ring and
certificates. For more information about the RACDCERT commands and the
authorizations that are required, see RACDCERT (Manage RACF digital
certificates) in the z/OS Security Server RACF Command Language Reference.
You must have access to the keytool command for creating Java™ KeyStores (JKS) and certificates for the client. This command is provided with
the IBM SDK for z/OS,
Java Technology Edition. For more information
about the keytool command, see Keytool in the IBM
SDK, Java Technology Edition Security Guide.
You must have write access to the server.xml configuration file.
How to configure a TLS connection between IBMz/OS Connect and the client
Configure a IBMz/OS Connect server so that
clients must connect by using an HTTPS connection with TLS server authentication.
About this task
This configuration creates the following artifacts:
A certificate authority (CA) signed personal RACF certificate for a IBMz/OS Connect server to identify itself on TLS
connections.
A RACF key ring to act as the server's keystore.
A Java KeyStore (JKS) for a client to use as its
truststore so that it can trust the certificate that is presented by the IBMz/OS Connect server on the TLS connection.
You can also configure TLS client authentication, sometimes referred to as mutual TLS
authentication, to require the client to provide its personal certificate on the connection. This
configuration creates the following artifacts:
A CA signed personal certificate for the client to identify itself on the TLS connections.
A JKS to act as the client's keystore.
A RACF key ring for the IBMz/OS Connect server to use as its truststore so that
it can trust the certificate that is presented by the client.
The certificates, key rings, and JKS files that are used in this task are described in Figure 1.
Figure 1. How certificates, key rings, and JKS files are used in this task.
This task makes the following assumptions:
RACF is the security manager for the IBMz/OS Connect server. If you are using an alternative
External Security Manager, refer to the appropriate product documentation for the equivalent
commands.
The client, which might be an intermediate server such as an API Gateway, can use JKS files for
its keystore and truststore. This task uses a JKS for the client, but other keystore types or SAF
key rings might be used depending on the client and the operating system that it runs on.
The keytool command is used to create the certificates and JKS files for the
client. The IBMz/OS Connect server uses a single RACF key ring for both its keystore and truststore. An
alternative method is to use a separate RACF key ring for
each role.
The client uses separate JKS files for its keystore and truststore.
The default IBMz/OS Connect SSL elements in the
server.xml configuration file are customized. This method is typical for
configuring TLS on the IBMz/OS Connect server's
default HTTPS port. If you are configuring TLS for an additional HTTPS port, follow these
instructions, but replace the default id attribute values of the
ssl and keyStore elements with customized values. You would also
need to associate the customized ssl element with the appropriate
httpEndpoint element by configuring the sslOptions subelement. For
example,
In this example, mySSLConfig is the id attribute value
of the ssl element.
Note: The term label is used by RACF and
alias is used by JKS to reference the same artifact, therefore in this documentation,
the phrase label or alias is used for clarity.
Procedure
In the following steps, you configure the TLS connection between the IBMz/OS Connect server (steps 1 - 5) and the client
(steps 6 - 9). Finally, you configure the IBMz/OS Connect server to use the RACF key ring (steps 10 - 13).
Enter the RACF commands from the z/OS LPAR where the IBMz/OS Connect server is hosted.
Create a RACF key ring for the IBMz/OS Connect server to use as its keystore.
Enter the following
command:
RACDCERTID(ZCSERV1) ADDRING(Keyring.ZOSCONN)
The
command uses the following values:
ZCSERV1 is the user ID that owns the key ring. The user ID under which the IBMz/OS Connect server runs must have READ access to this
key ring. Either specify the server's user ID on the ID property or ensure that the server's user ID
has READ access to the key ring owned by an alternative user ID.
Keyring.ZOSCONN is the name of the key ring to be created.
Create a CA certificate for the IBMz/OS Connect
server.
Create a self-signed RSA key pair to act as a CA certificate. A key pair
consists of a public and private key.
CN('myServer.host.com') O('IBM') OU('zosConnect') C('US') is an example
distinguished name (DN) for the certificate. The common name (CN) value is typically the hostname of
the z/OS LPAR that hosts the IBMz/OS Connect server.
zosConnectCA is the label or alias for the CA certificate that is used to sign
the personal certificate.
zosConnectServerCert is the label, or alias, for the personal certificate to be
created and signed.
Connect (add) the personal certificate to the key ring.
zosConnectCA is the label or alias for the CA certificate.
'ZCSERV1.CERTS.ZCCA' is the name of the target z/OS sequential file.
CERTDER specifies a DER encoded X.509 certificate.
In the following steps, you configure the TLS connection on the client.
Prepare to use the keytool command.
Create a directory to contain the certificates and JKS files to be created by the
keytool command.
In a later step, you copy those files to other locations, so if you run
the keytool command on z/OS, make the
location a z/OS
UNIX System Services (USS) directory. For example,
/u/myuser/zOSConnectJKS.
Add the keytool command to the PATH environment variable.
For example,
exportPATH=$PATH:<javaInstallPath>/bin
The value <javaInstallPath> is the installation path of the IBM SDK for z/OS that
includes the keytool command.
Import the CA certificate used to sign the IBMz/OS Connect server's personal certificate into the
client's JKS truststore as a trusted certificate.
Transfer in binary format, the z/OS sequential
file 'ZCSERV1.CERTS.ZCCA' containing the exported CA certificate to the
client's workstation.
The method that you use depends on the operating system on which
the client is running and the file transfer utilities you have access to. You might be able to FTP
to the z/OS LPAR and get the z/OS sequential file directly, or you might first need to copy the z/OS sequential file to a USS file, and then get the USS file.
For example,
zosConnectCA is the alias to be given to the CA certificate to be
imported.
zosConnectCA.cer is the name of the certificate file that contains the public
key of the CA certificate to be imported.
clientTrust.jks is the name of the JKS file into which the certificate is to be
imported. This file is used as the client's truststore.
The command creates the JKS file if it does not exist and issues the following
prompt:
Trust this certificate? [no]:
Enter yes in response.
Check that the CA certificate was added to the client's truststore correctly.
List the contents of the client's truststore by issuing the following command from the USS
directory you created in step 6.
keytool-list -v -keystore clientTrust.jks
The
expected response contains the following information:
Your keystore contains 1 entry
Alias name: zosconnectca
Entry type: trustedCertEntry
Owner: CN=CA for zosConnect, OU=zosConnect, O=IBM, C=US
Issuer: CN=CA for zosConnect, OU=zosConnect, O=IBM, C=US
Make the client's truststore JKS file available to the client.
In this task, the client's truststore is called clientTrust.jks. Transfer
this file in binary mode to the workstation that hosts the client. The instructions for configuring
your client to use these JKS files depend on your client application. For more information, see the
documentation for the client application.
In the following steps, you configure the IBMz/OS Connect server to use the RACF key
ring.
Configure the HTTPS port for the IBMz/OS Connect
server.
Identify an unused TCP/IP port on your z/OS LPAR,
which can be used as the HTTPS port for IBMz/OS Connect. Specify the port value on the httpsPort attribute of the
httpEndpoint element in the server.xml configuration file.
For example, to use 9443 as the default HTTPS port, add the following element
to the
configuration:
Configure the IBMz/OS Connect server to require
HTTPS requests.
Set the attribute requireSecure="true" in the
server.xml configuration file to force all requests at that scope to use an
HTTPS connection. This attribute can be set at different scopes:
To require an HTTPS connection globally for the server, set
requireSecure="true" on the zosconnect_zosConnectManager element
in the server.xml configuration file. For
example,
To require an HTTPS connection for a specific API, set requireSecure="true" on
the zosConnectAPI element in the server.xml configuration
file. For
example,
This
setting takes precedence over the global setting.
To require an HTTPS connection for a specific service, set requireSecure="true"
on the service element in the server.xml configuration file.
For
example,
For
more information about the ssl repertoire element, see the Server configuration section in the IBM
WebSphere® Application Server for z/OS Liberty documentation.
The server now
has only a keystore. Because it does not yet have any trusted certificates, it does not require a
truststore.
Configure the IBMz/OS Connect server to
reference the RACF key ring that contains the server's
personal certificate and CA certificate.
Create a keyStore element in the server.xml
configuration file. For example,
defaultKeyStore must match the value that is specified on the
keyStoreRef attribute of the ssl element.
The location value must be the RACF key
ring that acts as the server's keystore.
The password attribute is mandatory, so a value must be specified. However, the
value is not used when type="JCERACFKS" because RACF key rings are not secured with passwords.
This optional task describes additional configuration for TLS client authentication, also called
mutual TLS authentication, to require the client to provide its personal certificate on the
connection. It does not include the additional configuration that is required to use the client's
personal certificate to authenticate with a IBMz/OS Connect server, but is a prerequisite to that
task. For more information about configuring a client certificate to authenticate with a IBMz/OS Connect server, see How to configure client certificate authentication with RACF.
Procedure
In the following steps, you configure TLS client authentication for the
client.
clientCert is the alias of the personal certificate to be created.
CN=myClient.host.com, O=IBM, C=US is an example distinguished name (DN) for the
certificate. The CN value is typically the host name of the client that owns the certificate.
clientKey.jks is the name of the JKS file to be dynamically created to act as
the client's keystore.
This command creates the JKS file if it does not exist.
Sign the client's personal certificate with a CA certificate.
A certificate signing
request (CSR) is created for the self-signed personal certificate and sent to a certificate
authority (CA). The CA verifies the request and returns a CA signed version of the personal
certificate, a CA root certificate and optionally, an intermediate certificate.
Create a certificate signing request (CSR) for the personal certificate.
clientCert is the alias to be given to the signed personal certificate to be
imported. It must match the name of the original self-signed personal certificate, so that one is
replaced in the keystore.
clientCertSigned.cer is the name of the certificate file that is returned by
the certificate authority, and contains the signed personal certificate to be imported.
clientKey.jks is the name of the JKS file into which the certificate is to be
imported. This is the client's keystore.
Confirm that the client's keystore and personal certificate are created correctly.
The
expected response should contain entries for the signed personal certificate with an Entry
type of PrivateKeyEntry and, for the CA root certificate (and if
applicable, the intermediate certificate), an entry with Entry type of
trustedCertEntry.
Export the client's CA certificate (public key) to a certificate file.
clientCA is the alias of the CA certificate to be exported.
clientCA.cer is the name of the certificate file to be created.
clientKey.jks is the name of the JKS file from which the certificate is to be
exported.
Make the client's keystore JKS file available to the client.
The client's keystore that is created in this task is called clientKey.jks.
Transfer this file in binary mode to the workstation that hosts the client. The instructions for
configuring your client to use these JKS files depend on your client application. For more
information, see the documentation for the client application.
In the following steps, you configure TLS client authentication for the IBMz/OS Connect server.
Connect the client's CA certificate (public key) to the IBMz/OS Connect server's RACF key ring truststore as a trusted certificate.
Transfer the exported client's CA certificate in binary format to the z/OS LPAR where the IBMz/OS Connect server is hosted, as a z/OS sequential file.
Name the created z/OS sequential file as
'ZCSERV1.CERTS.CLIENT'.
The transfer method that you use depends on the
operating system on which you ran the keytool command. You might be able to FTP to
the z/OS LPAR and put the z/OS sequential file directly, or you may first need to FTP the file to a USS directory and
then copy that USS file to be a z/OS sequential file. For
example,
Connect (add) the client's CA certificate (public key) as a trusted (CERTAUTH)
certificate to the RACF key ring used by the IBMz/OS Connect server as its
truststore.
Confirm that the client's CA certificate is connected to the IBMz/OS Connect server's key ring correctly.
Enter the following command to list the certificates in the key
ring:
RACDCERTID(ZCSERV1) LISTRING(Keyring.ZOSCONN)
This
screen capture shows the expected
response:
Ring:
>Keyring.ZOSCONN<
Certificate Label Name Cert Owner USAGE DEFAULT
-------------------------------- ------------ -------- -------
zosConnectCA CERTAUTH CERTAUTH NO
zosConnectServerCert ID(ZCSERV1) PERSONAL NO
clientCA ID(ZCSERV1) CERTAUTH NO
Edit the SSL configuration to be used by the IBMz/OS Connect server.
Edit the existing
ssl repertoire element in the server.xml configuration file,
to add a trustStoreRef attribute with the default value. Set client authentication
as required by setting clientAuthentication="true". For
example,
defaultTrustStore must match the value that is specified on the
trustStoreRef attribute of the ssl element.
The location value must be the RACF key
ring that acts as the server's truststore.
The password attribute is mandatory, so a value must be specified. However, the
value is not used when type="JCERACFKS" because RACF key rings are not secured with passwords.
Start, or restart the server if it was already running, to pick up the changes.
The messages.log file should contain the following
message:
CWWKO0219I: TCP Channel defaultHttpEndpoint-ssl has been started and is now listening for requests on host * (IPv6) port 9443
The message uses the following values:
defaultHttpEndpoint-ssl is the id attribute value of the
httpEndpoint element followed by -ssl.
* is the value of the httpEndpoint element host
attribute.
9443 is the value of the httpEndpoint element httpsPort
attribute.
