When configuring a Liberty JVM server in CICS® for remote JCICSX API development, you can configure it
to use SSL for data encryption.
About this task
To enable the remote development functionality of the JCICSX API, a Liberty JVM server is required
in CICS to receive requests from the developer's local
Liberty JVM server. To enable SSL communication between the remote Liberty JVM server in CICS and
the local Liberty JVM server on the developer's machine, the remote server must be configured to use
SSL and its certificate must be trusted by the local Liberty server.
Procedure
- For system programmers, configure the remote Liberty JVM server as
follows:
As a system programmer, you need to generate a certificate for the remote
Liberty JVM server with its host name registered.
- Register the host name of the remote server in the server.xml
file.
By default the host name of the Liberty server is
localhost
.
In this case your SSL connection will fail because the certificate will be registered to
localhost
while your client will be trying to connect to the host name of your CICS region. To override the default
localhost
host name, add the
defaultHostName
variable to your
server.xml
file:
<variable name="defaultHostName" value="your-hostname"/>
where
your-hostname is the host name of the remote Liberty JVM server. For more
information, see
Setting the default host name of a Liberty server.
- Generate a new copy of the remote Liberty JVM server's public
certificate.
After setting the default host name of your server, you must regenerate
the certificate for it.
- Stop the Liberty JVM server.
- Delete the Java keystore that stores the certificates. It
is the key.p12 file located in
{server.config.dir}/resources/security.
- Start the liberty server.
- Verify that a new key.p12 file is regenerated.
- Verify that the host name is correct in the certificate using OpenSSL or the Java
keytool utility:
- For application developers, configure the local Liberty JVM server
to trust the remote server's public certificate as follows:
By default, the local
Liberty JVM server might refuse to connect to the remote Liberty JVM server because it does not
trust the public certificate that the remote Liberty provides during the SSL handshake. Therefore,
the application developer must download a copy of the certificate from the remote Liberty server and
add it to the truststore used by the local Liberty server.
- Download a copy of the public certificate from the remote Liberty JVM server:
- To use OpenSSL:
-
- Run the following command to show the certificates of the remote server, where
your-hostname and your-port are the host name and port number
of your remote Liberty JVM
server:
openssl s_client -showcerts -connect your-hostname:your-port
- From the output, copy the first certificate. Include the following lines and the information
between these
lines:
"-----BEGIN CERTIFICATE-----"
"-----END CERTIFICATE-----"
- Paste the certificate into a new file with a .cer extension, for example,
publicKey.cer.
Note: Note: Be sure not to include additional lines in this
file; otherwise the certificate won't be added to you local Liberty truststore
successfully.
- If you have access to the remote Liberty server, you can also use the Java keytool utility to
download the certificate:
-
- Navigate to the keystore on your remote Liberty JVM server. The file path is
{server.config.dir}/resources/security/key.p12.
- Use the Java keytool utility to create a public
certificate:
keytool -rfc -export -keystore key.p12 -alias default -file /your/save/location/public-remote.cer -v -storepass yourKeyStorePassword -storeType yourType
where yourType is the keystore type, which defaults to
PKCS12
. For more information, see Liberty default keystore type changed to PKCS12.
- Navigate to the folder of the keystore on the local Liberty JVM server:
{server.config.dir}/resources/security.
- Import the public certificate that the system programmer downloaded into the
truststore of the local Liberty, using the following
command:
keytool -importcert -file /cert/location/public-remote.cer -keystore key.p12 -storepass localPassword -storetype yourType -trustcacerts -v
where yourType is the keystore type, which defaults to
PKCS12
. For more information, see Liberty default keystore type changed to PKCS12.
- Restart the local Liberty JVM server to pick up the new certificate.
What to do next
The application developer can add a JCICSX resource to the local Liberty JVM
server to check whether the connection is working. Samples can be found at JCICSX samples in GitHub.