Configuring XCOM™ Data Transport® for z/OS for a managed PKI infrastructure
Article ID: 10387

Products

XCOM Data Transport XCOM Data Transport - z/OS

Issue/Introduction

How to migrate XCOM™ Data Transport® for z/OS 12.0 certificates from their current location in local USS datasets into the keyring of the mainframe security product.

Environment

  • OpenSSL
  • System SSL
  • XCOM™ Data Transport® for z/OS
  • ACF2™
  • Top Secret®
  • IBM RACF

Resolution

You may use self-signed certificates or those supplied by a Certificate Authority. 

They can be stored in a keyring that is maintained by ACF2™, IBM RACF or Top Secret®. The XCOM™ Data Transport® for z/OS server or batch job must run under a user ID with authority to use the KEYRING into which the certificates have been loaded. When a keyring is used, it is referenced in the [KEYRING] section of the configssl.cnf member. If a certificate other than the keyring's default certificate is to be used, specify that certificate's label in the [LABLCERT] section of configssl.cnf.

Please see: Configure the System SSL Configuration File in the XCOM Data Transport for z/OS - 12.0 online documentation. This topic includes the keyring parameters.
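As an added example (not part of this article or of the XCOM product documentation), the following batch job shows the RACF side of the keyring setup described above: the root CA certificate is added as a trusted CERTAUTH certificate, a keyring is created for the XCOM started-task user, the CA certificate and the server certificate are connected to the ring (the server certificate as the ring's default, so no [LABLCERT] entry is needed), and the user is permitted to read the ring. The user ID XCOMSTC, the ring name XCOMRING, the dataset name and the certificate labels are assumed values; the server's own certificate is assumed to have been added or generated under XCOMSTC beforehand, and the IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING FACILITY profiles are assumed to exist. ACF2™ and Top Secret® have equivalent commands, documented in the references listed under Additional Information.

```jcl
//XCOMRING JOB (ACCT),'XCOM KEYRING',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the article: build a RACF keyring for the
//* XCOM started-task user and grant it authority to read the ring.
//* XCOMSTC, XCOMRING, the dataset name and the labels are assumptions.
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Load the root CA (the cassl.pem content, in a sequential dataset) */
  /* as a trusted certificate-authority certificate.                   */
  RACDCERT CERTAUTH ADD('HLQ.XCOM.CASSL.PEM') TRUST +
     WITHLABEL('XCOM ROOT CA')

  /* Create the keyring owned by the XCOM user.                        */
  RACDCERT ID(XCOMSTC) ADDRING(XCOMRING)

  /* Connect the CA certificate so the partner's chain can be validated.*/
  RACDCERT ID(XCOMSTC) CONNECT(CERTAUTH LABEL('XCOM ROOT CA') +
     RING(XCOMRING))

  /* Connect the server's own certificate (assumed already present     */
  /* under XCOMSTC) as the ring's DEFAULT certificate.                  */
  RACDCERT ID(XCOMSTC) CONNECT(ID(XCOMSTC) LABEL('XCOM SERVER') +
     RING(XCOMRING) DEFAULT)

  /* Least privilege: READ on the two FACILITY profiles is all that is  */
  /* needed for System SSL to open the user's own ring.                 */
  PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(XCOMSTC) ACCESS(READ)
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(XCOMSTC) +
     ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH

  /* Verify: both certificates should be listed, the server one marked */
  /* as the default.                                                    */
  RACDCERT ID(XCOMSTC) LISTRING(XCOMRING)
/*
```

After the job runs, the XCOM configssl.cnf [KEYRING] section refers to XCOMRING; because the server certificate was connected with DEFAULT, [LABLCERT] can be left unset. If the server certificate is connected without DEFAULT, or several personal certificates share the ring, set [LABLCERT] to the label of the one XCOM should present ('XCOM SERVER' in this example). The LISTRING output is the check to keep from the job: a ring with the CA certificate missing, or with no default personal certificate, is the usual cause of a handshake that fails only after the move from USS datasets.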

The requirement is (and has always been) that the root certificate (the cassl.pem and casslkey.pem files) is the same on both partners.

Regarding a managed PKI infrastructure: as certificate handling works today, your certificates MUST be in one of two places:

  • In local USS datasets, or
  • In your security package's keyring.

Retrieving certificates from a PKI is not a function of XCOM. Certificates are located and loaded by either OpenSSL or IBM's System SSL, depending on which one you are using.

There is therefore no capability, and no configuration setting, for XCOM to use certificates in any manner other than what is currently documented.

Additional Information

  • For Top Secret, see Digital Certificates in the Top Secret® for z/OS 16.0 documentation.
  • For ACF2, see Digital Certificate Support in the ACF2™ for z/OS 16.0 documentation.
  • For IBM RACF, see IBM's z/OS Security Server RACF Security Administrator's Guide.