TAM/Z SSL processing with signed certificates

Article ID: 141699

Products

CA Trusted Access Manager for Z

Issue/Introduction

What is needed to allow SJVSTC to use non-self signed certificates for SSL processing?

Environment

Release : 1.1

Component : TRUSTED ACCESS MANAGER FOR Z

Resolution

The parameters below can be added to the SJVENV file so that SJVSTC supports keyrings and certificates that are not self-signed.

#---------------------------------------------------------------------
# SSL Configuration
# 1. If SSL_ENABLED=TRUE, uncomment the SERVER_KEY_RING line.
#
# 2. In SERVER_KEY_RING, specify the TAMSTC's STC ID for ,
# and the keyring name associated with TAMSTC for .
# For example:
# SERVER_KEY_RING=safkeyring://TAMSTC/TAMRING
# NOTE: is case-sensitive; make sure to match exactly
# as was entered to the ESM.
#
# 3. (OPTIONAL) Update "server.ssl.ciphers" with the list of TLS
# ciphers that are allowed for use. If enabling multiple
# ciphers, separate each by a comma. By default, all system-
# supported ciphers are allowed for use.
#
#---------------------------------------------------------------------
SERVER_KEY_RING=safkeyring://TAMSTC/TAMRING
#IJO="$IJO -Dserver.ssl.ciphers="
IJO="$IJO -Djava.protocol.handler.pkgs=com.ibm.crypto.provider"

#---------------------------------------------------------------------
# TAMSTC SSL options - do not change unless directed by Support
#---------------------------------------------------------------------
IJO="$IJO -Dibmssl.usekeyring=TRUE"
IJO="$IJO -Dserver.ssl.enabled=${SSL_ENABLED}"
IJO="$IJO -Dserver.ssl.protocol=TLSv1.2"
IJO="$IJO -Djavax.net.ssl.trustStore=${SERVER_KEY_RING}"
IJO="$IJO -Djavax.net.ssl.trustStoreType=JCERACFKS"
#IJO="$IJO -Dserver.ssl.key-store=${SERVER_KEY_RING}"
#IJO="$IJO -Dserver.ssl.key-store-type=JCERACFKS"
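
A quick pre-start check for the settings above, as an added example that is not part of the original article or the product: the hypothetical check_sjvenv function reports when SERVER_KEY_RING is still commented out or malformed, or when one of the SSL options listed as active is missing. The sample file it runs on is constructed.

```sh
#!/bin/sh
# Added example (not vendor code): lint an SJVENV-style file for the SSL
# keyring settings shown in this article. Prints one finding per line and
# returns 0 when there are none, 1 otherwise.
check_sjvenv() {
    findings=0
    # Only active (uncommented) lines take effect.
    active=$(grep -v '^[[:space:]]*#' "$1" || true)

    ring=$(printf '%s\n' "$active" | sed -n 's/^SERVER_KEY_RING=//p' | tail -n 1)
    case $ring in
        safkeyring://?*/?*) ;;
        '') echo "SERVER_KEY_RING is not set (line still commented out?)"; findings=1 ;;
        *)  echo "SERVER_KEY_RING is not safkeyring://OWNER/RING: $ring"; findings=1 ;;
    esac

    # Options the article lists as active; literal strings, matched with grep -F.
    for opt in \
        '-Dibmssl.usekeyring=TRUE' \
        '-Dserver.ssl.protocol=TLSv1.2' \
        '-Djavax.net.ssl.trustStore=${SERVER_KEY_RING}' \
        '-Djavax.net.ssl.trustStoreType=JCERACFKS' \
        '-Djava.protocol.handler.pkgs=com.ibm.crypto.provider'
    do
        printf '%s\n' "$active" | grep -F -q -e "$opt" ||
            { echo "missing or commented out: $opt"; findings=1; }
    done
    return "$findings"
}

# Constructed sample: the ring line left commented and the store type omitted.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#SERVER_KEY_RING=safkeyring://TAMSTC/TAMRING
IJO="$IJO -Djava.protocol.handler.pkgs=com.ibm.crypto.provider"
IJO="$IJO -Dibmssl.usekeyring=TRUE"
IJO="$IJO -Dserver.ssl.protocol=TLSv1.2"
IJO="$IJO -Djavax.net.ssl.trustStore=${SERVER_KEY_RING}"
EOF
check_sjvenv "$sample" || echo "=> sample needs fixing"
rm -f "$sample"
```

The check only inspects the file's text; it cannot confirm that the ring name matches the case used in the ESM or that the keyring holds the expected certificate chain.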