SSL/TLS and advanced replication

SSL/TLS can be used to communicate between a replicating server (supplier, gateway, forwarder, or peer) and a replica server (consumer, gateway, forwarder, or peer).

Replica server with SSL/TLS enablement

Set up the replica server for SSL/TLS by updating the LDAP server configuration file if it is not already configured for SSL/TLS. The listen configuration option on the replica server must include an LDAP URL with the ldaps:// prefix, otherwise the replicating server has no secure endpoint to connect to. See Setting up for SSL/TLS for more information.

If a SASL EXTERNAL bind is performed between the replicating and replica servers, the replica server must be configured for both server and client authentication: set the sslAuth configuration option to serverClientAuth. The replica server must also have the replicating server's certificate in its key database file, RACF® key ring, or PKCS #11 token, because that certificate is what the SASL EXTERNAL bind is authenticated with. See Setting up for SSL/TLS for more information.

Replicating server with SSL/TLS enablement

The replicating server acts as an SSL/TLS client to the replica server. To set up the replicating server to use simple binds, you must:
  1. Run the gskkyman utility or the RACDCERT command as if you were the client. For more information, see z/OS Cryptographic Services System SSL Programming for the gskkyman utility or z/OS Security Server RACF Command Language Reference for the RACDCERT command. The key database file, RACF key ring, or PKCS #11 token must contain the replicating server's key pair and certificate. Receive the replica's self-signed certificate (or the CA certificate that signed the replica's certificate) and mark it as trusted.
  2. In the LDAP server configuration file on the replicating server:
    • Set the sslKeyRingFile configuration option to the key database file, RACF key ring, or PKCS #11 token that was created in step 1 on the replicating server.
    • If a key database file is used, set sslKeyRingFilePW to the password for the key database file, or set sslKeyRingPWStashFile to the file name where the password is stashed.
  3. Ensure that any environment variables that control SSL/TLS settings are defined in the LDAP server environment variable file. The environment variables that enable TLS protocol levels apply to both roles of the replicating server: for example, GSK_PROTOCOL_TLSV1_2=ON enables that protocol level both for inbound client connections to the replicating server and for its outbound connections to replicas. Cipher suites are handled differently. Because the replicating server acts as an SSL/TLS client to the replica, the cipher suites it offers on outbound connections are controlled as described for the client API: the LDAP_SSL_CIPHER_FORMAT environment variable selects the cipher format, and the cipher list is then taken from either GSK_V3_CIPHER_SPECS or GSK_V3_CIPHER_SPECS_EXPANDED, depending on which format is chosen. The cipher suites accepted on inbound client connections are controlled by the sslCipherSpecs configuration option, which can share the setting specified in GSK_V3_CIPHER_SPECS_EXPANDED. Where one setting serves both inbound client connections and outbound connections to replicas, the cipher list must include the suites needed for both sets of connections; otherwise either the inbound clients or the replication connection will fail to negotiate a cipher suite.
  4. The ibm-replicaURL attribute value in the replication agreement entry must use an LDAP URL with the ldaps:// prefix. This indicates that an SSL/TLS connection is used between the replicating and replica servers. See Table 4 for information about the ibm-replicaURL attribute value.

The above procedure can also be used to set up the replicating server to use SASL EXTERNAL binds. The SSL-related configuration options in the LDAP server configuration file, if specified, represent the default values for the related optional attributes in ibm-replicationCredentialsExternal objects. These defaults can be overridden by specifying the optional attributes. See Table 7 for more information about SASL EXTERNAL credentials entries.
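The following script is an added example, not an IBM tool or part of this documentation. It is a pre-flight check over the settings that the replica server section and the replicating server procedure above require: an ldaps:// listen URL and sslAuth serverClientAuth on the replica when SASL EXTERNAL credentials are used, a key store (plus password or stash file for a key database file) on the replicating server, an ldaps:// ibm-replicaURL in the agreement, at least one cipher suite common to the replicating server's outbound list (selected by LDAP_SSL_CIPHER_FORMAT) and the replica's sslCipherSpecs, and a TLS protocol level enabled on both sides. The line parsers are the script's own; the CHAR2/CHAR4 values of LDAP_SSL_CIPHER_FORMAT, the '.kdb' and '*TOKEN*/' naming heuristics, and every configuration, environment and LDIF sample are assumptions or constructed inputs.

```python
"""Pre-flight check of SSL/TLS replication settings (added example, not an IBM tool).
All inputs are constructed samples; parsers and naming heuristics are this script's own."""

HEX = set('0123456789ABCDEF')

# Constructed sample: replica (consumer) server configuration file
REPLICA_CONF = """
listen ldap://:389
listen ldaps://:636
sslAuth serverClientAuth
sslKeyRingFile REPLICA/LDAPRING
sslCipherSpecs C02FC030009D
"""
# Constructed sample: replicating (supplier) server configuration file
SUPPLIER_CONF = """
listen ldaps://:636
sslAuth serverAuth
sslKeyRingFile /etc/ldap/supplier.kdb
sslKeyRingPWStashFile /etc/ldap/supplier.sth
sslCipherSpecs C02FC030
"""
# Constructed sample: environment variable files of both servers
SUPPLIER_ENV = "GSK_PROTOCOL_TLSV1_2=ON\nLDAP_SSL_CIPHER_FORMAT=CHAR4\nGSK_V3_CIPHER_SPECS_EXPANDED=C02FC030\n"
REPLICA_ENV = "GSK_PROTOCOL_TLSV1_2=ON\nGSK_PROTOCOL_TLSV1_1=OFF\n"
# Constructed sample: replication agreement and SASL EXTERNAL credentials entries
AGREEMENT_LDIF = """
dn: cn=replica1,ibm-replicaServerId=supplier1,ibm-replicaGroup=default,o=example
objectclass: ibm-replicationAgreement
ibm-replicaConsumerId: replica1
ibm-replicaURL: ldaps://replica.example.com:636
ibm-replicaCredentialsDN: cn=extcreds,cn=localhost
"""
CREDENTIALS_LDIF = "dn: cn=extcreds,cn=localhost\nobjectclass: ibm-replicationCredentialsExternal\n"


def parse_conf(text):
    """'option value' lines -> {option(lower): [values]}; listen may repeat."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith('#'):
            conf.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else '')
    return conf


def parse_env(text):
    """NAME=VALUE lines -> dict."""
    return dict(l.strip().split('=', 1) for l in text.splitlines() if '=' in l and not l.lstrip().startswith('#'))


def parse_ldif(text):
    """Single-entry LDIF -> {attr(lower): [values]} (no base64 or continuation lines)."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith('#'):
            attr, _, val = line.partition(':')
            entry.setdefault(attr.strip().lower(), []).append(val.strip())
    return entry


def suites(spec, width):
    """Split a System SSL cipher string into 4-character suite ids (2-character ids are
    the low byte of the standard id, so they are prefixed with 00); None for a keyword
    such as ALL or a malformed string, which this script cannot enumerate."""
    spec = spec.strip().upper()
    if not spec or len(spec) % width or set(spec) - HEX:
        return None
    ids = {spec[i:i + width] for i in range(0, len(spec), width)}
    return ids if width == 4 else {'00' + s for s in ids}


def outbound_ciphers(env):
    """Suites the supplier offers as SSL/TLS client; LDAP_SSL_CIPHER_FORMAT picks the variable
    (CHAR4 -> GSK_V3_CIPHER_SPECS_EXPANDED, otherwise CHAR2 -> GSK_V3_CIPHER_SPECS; assumption)."""
    if env.get('LDAP_SSL_CIPHER_FORMAT', '').upper() == 'CHAR4':
        return suites(env.get('GSK_V3_CIPHER_SPECS_EXPANDED', ''), 4)
    return suites(env.get('GSK_V3_CIPHER_SPECS', ''), 2)


def inbound_ciphers(conf):
    """Suites a server accepts from clients (4-character form of sslCipherSpecs assumed)."""
    return suites(conf.get('sslcipherspecs', [''])[0], 4)


def enabled_protocols(env):
    """Explicit GSK_PROTOCOL_*=ON settings only; System SSL defaults are not modelled."""
    return {k for k, v in env.items() if k.startswith('GSK_PROTOCOL_') and v.upper() == 'ON'}


def is_key_database_file(name):
    """Heuristic: gskkyman key database (.kdb) vs RACF key ring or *TOKEN*/ PKCS #11 token."""
    return not name.startswith('*TOKEN*/') and name.lower().endswith('.kdb')


def check_replication_tls(replica_conf, supplier_conf, supplier_env, replica_env, agreement_ldif, credentials_ldif):
    """Return the requirements of the procedure that the inputs do not meet ([] when all pass)."""
    problems = []
    rc, sc = parse_conf(replica_conf), parse_conf(supplier_conf)
    se, re_ = parse_env(supplier_env), parse_env(replica_env)
    ag, cr = parse_ldif(agreement_ldif), parse_ldif(credentials_ldif)
    if not any(u.lower().startswith('ldaps://') for u in rc.get('listen', [])):
        problems.append('replica: no ldaps:// URL in listen')
    external = any(oc.lower() == 'ibm-replicationcredentialsexternal' for oc in cr.get('objectclass', []))
    if external and rc.get('sslauth', [''])[0].lower() != 'serverclientauth':
        problems.append('replica: SASL EXTERNAL bind requires sslAuth serverClientAuth')
    keystore = sc.get('sslkeyringfile', [''])[0]
    if not keystore:
        problems.append('supplier: sslKeyRingFile not set')
    elif is_key_database_file(keystore) and not (sc.get('sslkeyringfilepw') or sc.get('sslkeyringpwstashfile')):
        problems.append('supplier: key database file needs sslKeyRingFilePW or sslKeyRingPWStashFile')
    if not ag.get('ibm-replicaurl', [''])[0].lower().startswith('ldaps://'):
        problems.append('agreement: ibm-replicaURL must use the ldaps:// prefix')
    out, inb = outbound_ciphers(se), inbound_ciphers(rc)
    if out is not None and inb is not None and not out & inb:
        problems.append('ciphers: no suite common to supplier outbound list and replica sslCipherSpecs')
    if not enabled_protocols(se) & enabled_protocols(re_):
        problems.append('protocols: no TLS protocol level enabled on both servers')
    return problems


if __name__ == '__main__':
    for p in check_replication_tls(REPLICA_CONF, SUPPLIER_CONF, SUPPLIER_ENV, REPLICA_ENV,
                                   AGREEMENT_LDIF, CREDENTIALS_LDIF) or ['all checks passed']:
        print(p)
```

The cipher check only compares enumerable hex lists; when sslCipherSpecs is a keyword such as ALL, or the environment variable is unset so that System SSL defaults apply, the script skips that comparison rather than guessing at the defaults. Run it against the real configuration files and agreement LDIF before restarting the servers, since a missing common cipher suite or a replica that does not request client certificates shows up only as a failed replication bind.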

Because the replicating server acts as an SSL/TLS client to the replica server, it is the replicating server that initiates the connection and binds to the replica server, not the other way around.