How To
Summary
The purpose of this technote is to provide some additional details for the section "Installing a Dynamic Workload Console server" in chapter 8 of the Planning and Installation Guide
( https://www.ibm.com/docs/en/SSGSPN_10.2.2/eqqi1mst.pdf ).
Objective
Steps
NOTE: This technote covers the certificate requirements for installing the DWC on z/OS (dwcinst.sh script). To also secure the connection between the DWC and the zWS server task, refer to technote https://www.ibm.com/support/pages/node/7156239
( ZWSTECHNOTE : DWCZOS : Secure connection between zconnector / DWC on zWS server task using SSL )
Steps to follow:
Step 1: Create a certificate on z/OS by customizing and running the attached sample JCL (certcstm.txt)
NOTE: The owner of the ring (the userid which runs the sample JCL) must also be the userid of the controller and the server task which connects to the zconnector
Step 2: Export the z/OS certificate using the RACF utility panel ICHP00 (RACF - SERVICES OPTION MENU), option 7 --> 1 --> 4 (Write a certificate to a data set) [be sure to allocate the dataset beforehand]. Example:
Space units . . . . . TRKS
Primary quantity . . 5
Secondary quantity 1
Directory blocks . . 0
Record format . . . . VB
Record length . . . . 84
Block size . . . . . 27998
Step 3: Create the distributed certificates in a distributed environment such as UNIX, using the following procedure. Note that this distributed machine is ONLY needed for running OpenSSL, which cannot be run on z/OS. After the installation, this distributed environment does not have to be part of the DWC configuration:
- openssl genrsa -out ca.key 2048
- or
- openssl genrsa -out ca.key 4096
- openssl req -x509 -new -nodes -key ca.key -subj "/CN=<common_name>" -days nnnnn -out ca.crt
- NOTE: nnnnn can be whatever value you want, for example 3650 for ten years
- NOTE: Once the certificates are created, the expiration date ( expiry ) cannot be modified. The certificates would need to be created again to have a different expiration date
- openssl genrsa -des3 -out tls.key 2048
- or
- openssl genrsa -des3 -out tls.key 4096
- openssl req -new -key tls.key -out tls.csr
- openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days nnnn -out tls.crt -extfile /etc/pki/tls/openssl.cnf -extensions v3_req
- Put the ca.crt, tls.crt and tls.key into the ssl folder to be used for installation
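The following check is an added example, not part of the IBM technote or its attachments: it confirms that the Step 3 output is consistent before it is converted and transferred. The function names, the inline sample.cnf (used in place of /etc/pki/tls/openssl.cnf so the sample runs anywhere), the CN values and the passphrase are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity checks for the Step 3 output (ca.crt, tls.crt, tls.key).

# tls.crt must chain to ca.crt.
check_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# The public key in tls.crt must equal the one derived from tls.key ($3 = key passphrase).
check_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid $2 days from now.
check_expiry() { openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; }

# Constructed sample data: runs the Step 3 commands non-interactively in directory $1.
make_sample() (
    cd "$1" || exit 1
    cat > sample.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF
    openssl genrsa -out ca.key 2048 &&
    openssl req -x509 -new -nodes -key ca.key -subj "/CN=Sample CA" -days 3650 -config sample.cnf -out ca.crt &&
    openssl genrsa -des3 -passout pass:sample-pass -out tls.key 2048 &&
    openssl req -new -key tls.key -passin pass:sample-pass -subj "/CN=dwc.example.test" -config sample.cnf -out tls.csr &&
    openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out tls.crt -extfile sample.cnf -extensions v3_req
) >/dev/null 2>&1

verify_all() {   # usage: verify_all <ssl folder> <key passphrase> <min days left>
    check_chain "$1/ca.crt" "$1/tls.crt"           || { echo "chain: FAIL"; return 1; }
    check_key_match "$1/tls.crt" "$1/tls.key" "$2" || { echo "key match: FAIL"; return 1; }
    check_expiry "$1/tls.crt" "$3"                 || { echo "expiry: FAIL"; return 1; }
    echo "ok"
}

# Demo on constructed data; for real use, call verify_all on your own ssl folder.
d=$(mktemp -d) && make_sample "$d" && verify_all "$d" sample-pass 30; rm -rf "$d"
```

Because the expiration date cannot be changed after creation, running verify_all against the ssl folder before Step 5 catches a too-short -days value or a mismatched key while regenerating is still cheap.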
Step 4: Transfer (FTP) the certificate from z/OS to the Distributed environment in ASCII mode [be sure to be in ASCII mode]
Step 5: Convert all the certificates to p12 format. The folder pointed to by sslkeysfolder should contain two files, named TWSServerKeyFile.p12 and TWSServerTrustFile.p12 respectively, which already contain your certificates. See attached file for details:
NOTE: These file names must NOT be modified; use them exactly as shown
Step 6: Transfer (FTP) the certificates (ca.crt and tls.crt) from step 3, from Distributed to z/OS environment in ASCII mode [be sure to be in ASCII mode and to have allocated the datasets beforehand as in step 3]
Step 7: Transfer (FTP) the certificate database to z/OS (see attached file DWC.FTP_.PROCESS.txt )
Step 9: Install the DWC in the usual way with the scripts configureDb.sh and dwcinst.sh; be sure to add the parameters --sslkeysfolder and --sslpassword
Document Location
Worldwide
Document Information
Modified date:
10 October 2024
UID
ibm17154608