How To
Summary
Starting with z-centric agent 10.2.1, the default certificate is deprecated, so you need your own set of certificates before you install the z-centric agent. The CERTMAN utility was added to the agent installation package for this purpose.
This document describes the procedure to connect a z-centric agent to a z/OS controller, with or without SSL communication between the z/OS controller and the z-centric agent.
Steps
1)Download and unzip the z-centric agent package from the IBM Fix Central website.
2)On the Windows machine, open a command prompt and navigate to the directory, as in this example:
TWS102_WIN_X86_64_AGENT_FOR_ZOS\TWS\WINDOWS_X86_64\Tivoli_LWA_WINDOWS_X86_64\TWS\bin
3)Run this command to generate all the certificates for the z-centric installation:
certman.exe generate -keypasswd xxxxxxx -outpath "C:\BUILD\CERT"
4)On the z/OS side, create the certificate and the ring using JCL like this sample:
//*************************************************************
//* STEP1: create a personal certificate for controller to
//* load in Distributed Environment
//* STEP2: create a ring and connect a certificate to ring
//* STEP3:refresh RACF DB for new certificate and ring
//* Check not only the Job RC but also the joblog to
//* highlight other issues.
//*************************************************************
//STEP1 EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT GENCERT +
SUBJECTSDN( CN( 'CNTCERT' ) +
OU( 'tws' ) +
O( 'ibm' ) +
L( 'rome' ) +
S( 'rome') +
C( 'it' )) +
SIZE(4096) +
WITHLABEL('CNTCERT')
/*
//*************************************************************
//STEP2 EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT ADDRING(CNTRING)
RACDCERT CONNECT(LABEL('CNTCERT') +
RING(CNTRING) DEFAULT)
RACDCERT LISTRING(CNTRING)
/*
//*************************************
//STEP3 EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
SETROPTS RACLIST(DIGTCERT) REFRESH
SETROPTS RACLIST(DIGTRING) REFRESH
/*
5)Export the CNTCERT certificate into a pre-allocated dataset that must have these characteristics:
Directory blocks . . 0
Record format . . . . VB
Record length . . . . 84
Block size . . . . . 27998
and use a sample JCL like this:
//CEREXP JOB CLASS=A,MSGCLASS=A
//STEP1 EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT EXPORT(LABEL('CNTCERT')) +
DSN('TWS102.MIC.EXPORT')
/*
6)In the folder where the z-centric certificates are stored:
C:\BUILD\CERT\additionalCAs
put the z/OS certificate, with the crt extension.
7)Install the z-centric agent using a command like this example:
cscript twsinst.vbs -new -uname tws1025 -password xxxxxxxxxxxx -acceptlicense yes -jmport 2104 -jmportssl true -inst_dir "C:\Program Files\IBM\TWAZOS" -sslkeysfolder "C:\BUILD\CERTIFICATI" -sslpassword Michele1234
8)The installation will end with this message:
AWSFAB033I The installation has completed successfully.
-Import the ca.crt and tls.crt into the z/OS environment, into a pre-allocated dataset that must have these characteristics:
Directory blocks . . 0
Record format . . . . VB
Record length . . . . 84
Block size . . . . . 27998
and use a sample JCL like this to add it to RACF and connect it to the ring.
This JCL has to run first for ca.crt and then for tls.crt.
//CERTADD JOB CLASS=A,MSGCLASS=A
//***************************************************************
//* ADD THE CERTIFICATE TO RACF AS CERTAUTH AND CONNECT IT TO
//* THE RING
//***************************************************************
//STEP1 EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT ADD('TWS102.TLSCRT') +
TRUST WITHLABEL('TLSCRT') CERTAUTH
/*
//*************************************************************
//STEP1B EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
SETROPTS RACLIST(DIGTCERT) REFRESH
SETROPTS RACLIST(DIGTRING) REFRESH
//*************************************************************
//STEP2 EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT LIST(LABEL('TLSCRT')) CERTAUTH
/*
//STEP3 EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT CONNECT(LABEL('TLSCRT') CERTAUTH +
RING(CNTRING) USAGE(CERTAUTH))
RACDCERT LISTRING(CNTRING)
/*
//***************************************************************
//* REFRESH RACF DB FOR THE NEW CERTIFICATES AND KEYRING
//***************************************************************
//STEP4 EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
SETROPTS RACLIST(DIGTCERT) REFRESH
SETROPTS RACLIST(DIGTRING) REFRESH
9)Now the certificates are in place on both sides.
Update the controller’s parameters in this way:
HTTPOPTS SSLKEYRINGTYPE(SAF)
SSLPORT(xxxx)
SSLKEYRING(CNTRING)
ROUTOPTS HTTPS(ZCENSSL:'ipaddress'/2104)
For 'ipaddress', specify the IP address or the hostname of the server where the z-centric agent is installed.
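An added example, not part of the IBM procedure or the product: a PowerShell check that can be run after step 6 and before twsinst in step 7 to confirm that the folder passed to -sslkeysfolder is usable. It assumes that ca.crt and tls.crt sit directly in C:\BUILD\CERT, that tls.crt is signed by ca.crt, and that the z/OS certificate was saved under additionalCAs; the function names Get-Cert and Test-Validity are hypothetical.

```powershell
# Added example: pre-install check of the folder passed to -sslkeysfolder.
# Assumed layout (from the steps above): ca.crt and tls.crt in the folder,
# the exported z/OS certificate as a .crt file under additionalCAs.
param([string]$CertDir = 'C:\BUILD\CERT')   # -outpath used in step 3

function Get-Cert([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "Missing file: $Path" }
    # X509Certificate2 reads DER and Base64 (PEM) encoded certificates. A file
    # that is not readable ASCII/DER (for example a text export moved from z/OS
    # without EBCDIC-to-ASCII conversion) fails to parse here.
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
}

function Test-Validity($Cert, [string]$Name) {
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        throw "$Name is outside its validity period ($($Cert.NotBefore) - $($Cert.NotAfter))"
    }
    "{0,-28} OK  subject={1}  expires={2:yyyy-MM-dd}" -f $Name, $Cert.Subject, $Cert.NotAfter
}

$ca  = Get-Cert (Join-Path $CertDir 'ca.crt')
$tls = Get-Cert (Join-Path $CertDir 'tls.crt')
Test-Validity $ca  'ca.crt'
Test-Validity $tls 'tls.crt'

# Assumption: tls.crt chains to ca.crt. Build the chain with ca.crt as the only
# extra certificate, skip revocation, and tolerate a CA Windows does not trust.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
[void]$chain.ChainPolicy.ExtraStore.Add($ca)
if (-not $chain.Build($tls)) {
    throw "tls.crt does not validate: $($chain.ChainStatus.StatusInformation -join '; ')"
}
# The flag above also tolerates a partial chain, so confirm the chain ends at ca.crt.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Thumbprint -ne $ca.Thumbprint) { throw 'tls.crt is not issued by ca.crt' }
'tls.crt chains to ca.crt'

# Step 6: the exported z/OS certificate must be present and parseable.
$extraDir = Join-Path $CertDir 'additionalCAs'
$extra = @(Get-ChildItem -LiteralPath $extraDir -Filter *.crt -ErrorAction Stop)
if ($extra.Count -eq 0) { throw "No .crt file found in $extraDir (z/OS certificate missing)" }
foreach ($f in $extra) { Test-Validity (Get-Cert $f.FullName) "additionalCAs\$($f.Name)" }
```

Pass the folder that will be given to -sslkeysfolder as -CertDir; any thrown error means the folder should be corrected before the agent is installed.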
Document Location
Worldwide
Document Information
Modified date:
09 February 2026
UID
ibm17258239