Enabling secure ODBC communications using AT-TLS and RACF

Article ID: 124467


Products

IDMS; IDMS - Database; IDMS - ADS

Issue/Introduction

This document describes how to use RACF to generate SSL certificates for ODBC connections using AT-TLS.

Enabling SSL security is a somewhat complex process requiring configuration changes in multiple locations within your environment.
In this article we provide step-by-step guidance to perform this task using the RACF Security Manager to generate and house your Certificates.

While this configuration does not include support for SSL Client Authentication, the same process can be extended to generate the certificates needed for that functionality as well.

AT-TLS Policy Modification

SSL enablement on the mainframe is performed using Application Transparent Transport Layer Security (AT-TLS). AT-TLS is a component of IBM's z/OS Communications Server product and handles TLS in the TCP/IP stack, so the application itself (here, the IDMS listener) is not changed. It is configured using the "Policy Agent", or PAGENT. PAGENT policies identify which traffic on the mainframe stack should be secured using SSL. A sample set of Policy Rules for securing the IDMS ODBC/JDBC Listener port has been provided for your reference, under the file name ZM17 Pagent.conf.txt in the attached file samples.zip. The contents of this file should be tailored to your site-specific environment and added to your PAGENT configuration.


Environment

CA IDMS/Server, all supported releases.

Resolution

Certificate Generation

The attached file, samples.zip, also contains four sample JCL streams for generating the SSL certificates.
The jobs must be tailored for your use and be run by your mainframe security administrator on the LPAR where the IDMS CV runs and PAGENT is configured.

RACFIDM1.JCL.txt - Create and export the certificates
RACFIDM2.JCL.txt - Create a new Key Ring and add the certificates to it
RACFIDM3.JCL.txt - List the Key Ring

RACFIDM0.JCL.txt - Undo and restart the entire process, in the event of any problems or if you decide to start over for any reason


ODBC Client Configuration

Once the new Key Ring has been created and the Certificates are in place, download (in binary) the exported Certificate, which was given a template name of 'uuuuuuuu.JSRVCERT.PKC12DER'.
Next, on the Windows client, convert the Certificate into PEM format.
Assuming the Certificate was downloaded with file name 'JSRVCERT.PKC12DER' to a directory called 'temp', the command to do that is:

openssl pkcs12 -in C:\temp\JSRVCERT.PKC12DER -out C:\temp\JSRVCERT.PEM


Finally, configure your IDMS ODBC Data Source such that the 'Server Certificate' on the SSL tab of the Data Source points to the PEM file created above (JSRVCERT.PEM).
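The conversion step above, worked through as an added example that is not part of the article or the product's own tooling: a POSIX shell script (the article's command is typed on Windows) that builds a constructed stand-in for the exported PKCS#12 file, converts it to PEM keeping only the certificate, and checks the result before the Data Source is pointed at it. It assumes the openssl CLI is installed and that the export password is 'changeit' (an assumption for the constructed sample; a site export uses whatever password the RACF job set).

```shell
#!/bin/sh
# Added example, not from the article. Converts an exported PKCS#12 certificate
# to a PEM file for the ODBC client, keeping only the certificate.
# A PKCS#12 container can carry the private key along with the certificate;
# the client only needs the certificate to validate the server, so -nokeys
# leaves the key out of the file that lands on the workstation.
set -e

WORK="${TMPDIR:-/tmp}/jsrvcert-demo"
mkdir -p "$WORK"

# Constructed stand-in for the RACF export (template name
# uuuuuuuu.JSRVCERT.PKC12DER). A self-signed certificate is used only so the
# example runs offline; site certificates come from the RACFIDM* jobs.
make_sample_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=example-idms-listener" \
    -keyout "$WORK/sample.key" -out "$WORK/sample.crt" >/dev/null 2>&1
  openssl pkcs12 -export -in "$WORK/sample.crt" -inkey "$WORK/sample.key" \
    -name JSRVCERT -passout pass:changeit -out "$WORK/JSRVCERT.PKC12DER"
}

# PKCS#12 -> PEM, certificate(s) only. -passin replaces the interactive
# prompt the article's command gives; 'changeit' is the assumed password.
convert_to_pem() {
  openssl pkcs12 -in "$WORK/JSRVCERT.PKC12DER" -passin pass:changeit \
    -nokeys -out "$WORK/JSRVCERT.PEM"
}

# Sanity checks before configuring the Data Source: at least one certificate
# block, no private key material, and the certificate parses (subject and
# expiry are printed so an already-expired export is caught here).
check_pem() {
  pem="$WORK/JSRVCERT.PEM"
  certs=$(grep -c 'BEGIN CERTIFICATE' "$pem")
  [ "$certs" -ge 1 ] || { echo "no certificate found in $pem"; return 1; }
  if grep -q 'PRIVATE KEY' "$pem"; then
    echo "PEM contains a private key; the client trust file must not"; return 1
  fi
  openssl x509 -in "$pem" -noout -subject -enddate
}

make_sample_p12
convert_to_pem
check_pem
```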


Additional Information

Configuring Secure Sockets
Application Transparent Transport Layer Security (AT-TLS)

Attachments

1697524118875__kd124467.zip