Migrating XCOM™ Data Transport® for z/OS 12.0 certificates to mainframe security from its current configuration in local USS datasets. 

• OpenSSL
• System SSL
• XCOM™ Data Transport® for z/OS
• ACF2™
• Top Secret®
• IBM RACF

You may use self-signed certificates or those supplied by a Certificate Authority. 

They can be stored in a keyring that is maintained by ACF2™, IBM RACF or Top Secret®.  The XCOM™ Data Transport® for z/OS server or batch job must run with authority to use the appropriate KEYRING to which the certificates have been loaded. In this case, the required KEYRING is referenced in the [KEYRING] section in the configssl.cnf member. If a certificate other than the default is to be used, specify the certificate label in the configssl.cnf section [LABLCERT]. 

Please see: Configure the System SSL Configuration File in the XCOM Data Transport for z/OS - 12.0 online documentation.  This includes the keyring parameters.

The requirement is (and has always been) that the root certificate (cassl.pem and casslkey.pem files) are the same on both partners. 

Regarding a managed PKI infrastructure, the way certificate handling works today, you MUST have your certificates either

• In local USS datasets or
• In your security package's keyring handler. 

Making calls to retrieve certificates is not a function of XCOM. Locating and loading of certificates is done by either OpenSSL or IBM's System SSL - depending on which you are using. 

That said, there is no ability nor configuration for XCOM to use certificates in any manner other than what is currently documented. 

• For Top Secret, see Digital Certificates in the Top Secret® for z/OS 16.0 documentation
• For ACF2, see Digital Certificate Support in the ACF2™ for z/OS 16.0 documentation
• For IBM RACF, see IBM's z/OS Security Server RACF Security Administrator's Guide.