By updating ssl.properties, RSE is instructed to start using encrypted communication.
$ oedit /etc/zexpl/secure/ssl.properties
-> change: enable_ssl=true
-> uncomment and change: daemon_keydb_file=keyring.racf
-> uncomment and change: daemon_key_label=rsecert
-> uncomment and change: server_keystore_file=keyring.racf
-> uncomment and change: server_keystore_label=rsecert
-> uncomment and change: server_keystore_type=JCERACFKSThe changes in the preceding example enable encryption and tell the RSE daemon and RSE server that their (shared) certificate is stored under label rsecert in key ring keyring.racf. The JCERACFKS keyword tells RSE server that a SAF-compliant key ring is used as key store.
Note that System SSL (used by the daemon) always uses ICSF, the interface to z Systems™ cryptographic hardware, when available. To be able to share the daemon definitions with the server when using ICSF, server_keystore_type JCECCARACFKS must be specified. Here, a SAF-compliant key ring is also used as key store for the public keys, but the private key is stored in ICSF. As documented in Cryptographic Services ICSF Administrator's Guide (SA22-7521), ICSF uses profiles in the CSFKEYS and CSFSERV security classes to control who can use cryptographic keys and services.