IBM Support

Setting up Driver when using SSL certificate to access Data Virtualization Manager

Question & Answer


Question

How do you set up SSL accessing Data Virtualization Manager where a certificate is used (not required for simple SSL setup) for the connection?

Answer

Data Virtualization Manager Server relies on IBM's AT-TLS SSL encryption on z/OS and must be defined to mainframe security. Then the driver (ODBC/JDBC) must be configured to use SSL.
Refer to IBM's z/OS Communications Server documentation for setting up AT-TLS.

Here is a sample RACF command for exporting the certificate for the AVZS Data Virtualization Manager address space.
RACDCERT ID(AVZS) EXPORT( LABEL('AVZS-SERVER-01') ) -
    FORMAT(PKCS12DER) PASSWORD('SSLPASSWORD')    -
    DSN('TSDMS.AVZS.SERVER.PKCS12')
Refer to IBM's z/OS Communications Server documentation for RACDCERT EXPORT (Export certificate package).
 
Then an example JDBC connection string (entered as a single line):
jdbc:rs:dv://yourhost:1200;SUBSYS=DSN1;ENCRYPTIONMETHOD=SSL;TRUSTSTORE=C:\TrustedStore\AVZS.SERVER.P12;TRUSTSTOREPASSWORD=SSLPASSWORD;KEYSTORE=C:\TrustedStore\AVZS.CLIENT.P12;KEYSTOREPASSWORD=SSLPASSWORD
 
TRUSTSTORE points to the Server certificate.
KEYSTORE points to the Client certificate.  Most customers use only Server certificates.
The TRUSTSTORE/KEYSTORE passwords are the ones specified on the RACF Export command:
RACDCERT ID(AVZS) EXPORT( LABEL('AVZS-SERVER-01') ) -
    FORMAT(PKCS12DER) PASSWORD('SSLPASSWORD')    -  
    DSN('TSDMS.AVZS.SERVER.PKCS12')    
 
In this case, the exported certificate 'AVZS-SERVER-01' is in data set 'TSDMS.AVZS.SERVER.PKCS12', which is downloaded in binary to the desktop as AVZS.SERVER.P12 and stored in C:\TrustedStore\.
 
JDBC User Guide parameter settings:
 
EncryptionMethod
Default: noEncryption
{SSL | NoEncryption}. Determines whether data is encrypted and decrypted when transmitted over the network between the driver and database server.
If NoEncryption is used, data is not encrypted or decrypted.
If SSL is used, data is encrypted using SSL. If the database server does not support SSL, the connection fails and the driver throws an exception.
When SSL is enabled, the following properties also apply:

  • HostNameInCertificate
  • KeyStore (for SSL client authentication)
  • KeyStorePassword (for SSL client authentication)
  • KeyPassword (for SSL client authentication)
  • TrustStore
  • TrustStorePassword
  • ValidateServerCertificate

NOTE: Connection hangs can occur when the driver is configured for SSL and the database server does not support SSL. You may want to set a login timeout using the loginTimeout property to avoid problems when connecting to a server that does not support SSL.
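
The following Java sketch is an added example, not IBM's code: it opens the downloaded PKCS#12 file with the export password, checks certificate validity dates, flags any private key in the file (an export in FORMAT(PKCS12DER) packages the private key with the certificate), and then connects with a login timeout. It assumes the DVM JDBC driver jar is on the classpath, that the driver honors the standard JDBC login timeout, and a hypothetical environment variable DVM_TRUSTSTORE_PASSWORD; host, port, SUBSYS and file path are the sample values from this page.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Collections;

public class DvmSslCheck {
    public static void main(String[] args) throws Exception {
        // Sample path from this page.
        String trustStore = "C:\\TrustedStore\\AVZS.SERVER.P12";
        // Assumption: the export password comes from a hypothetical environment
        // variable instead of being written into source or a saved URL.
        String password = System.getenv("DVM_TRUSTSTORE_PASSWORD");
        if (password == null) {
            throw new IllegalStateException("DVM_TRUSTSTORE_PASSWORD is not set");
        }

        // Open the PKCS#12 file with the RACF export password. A failure here
        // usually means a non-binary transfer or the wrong password.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(trustStore))) {
            ks.load(in, password.toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            cert.checkValidity(); // throws if expired or not yet valid
            System.out.printf("%s: %s, expires %s%n", alias,
                    cert.getSubjectX500Principal().getName(), cert.getNotAfter());
            if (ks.isKeyEntry(alias)) {
                System.out.println("  note: this file also holds the private key for " + alias);
            }
        }

        // Server-certificate-only setup, so no KEYSTORE properties are passed.
        String url = "jdbc:rs:dv://yourhost:1200;SUBSYS=DSN1;ENCRYPTIONMETHOD=SSL;"
                + "TRUSTSTORE=" + trustStore + ";TRUSTSTOREPASSWORD=" + password;

        // Standard JDBC login timeout in seconds; assumed to be honored by the driver.
        DriverManager.setLoginTimeout(30);
        try (Connection con = DriverManager.getConnection(url)) {
            System.out.println("Connected to " + con.getMetaData().getDatabaseProductName());
        }
    }
}
```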


Document Information

Modified date:
05 October 2020

UID

ibm16220835