Issue/Introduction
Can CA XCOM for z/OS be configured with RACF certificates in a key ring, or only with gskkyman certificates (HFS key database file, SAF key ring, or z/OS PKCS #11 token)?
Environment
Release : 12.0
Component : CA XCOM Data Transport for z/OS
Resolution
Using Certificates with Your CA XCOM for z/OS Product
Certificates are loaded and processed dynamically at the time the secure session is being negotiated with the partner system. Dynamic loading and processing provides flexibility, because certificates can be updated as needed while the CA XCOM Data Transport server remains active.
Certificates can be stored in one of the following locations for use by CA XCOM Data Transport for z/OS:
* In zFS data sets.
* In the z/OS system security package.
Regardless of where the certificates are stored, the server or batch job must run with the appropriate system and security definitions that are needed to create a UNIX System Services (USS) environment to run under.
Use Certificates Stored in zFS Data Sets
If the certificates are stored in zFS data sets, the CA XCOM Data Transport server or batch job must have sufficient access authority to read the data sets. The following parameter sections in the configssl.cnf file control certificate usage. These sections provide the directory and file names that contain the certificate and encryption key data:
* [CA]
* [CA_DIRECTORY]
* [CERTIFICATE]
* [PRIVATEKEY]
Use Certificates Stored in the z/OS Security Package
If the certificates are stored in one or more KEYRINGs that are maintained by the z/OS system security package, the server or batch job must run with authority to use the appropriate KEYRING to which the certificates have been loaded. In this case, the required KEYRING is referenced in the [KEYRING] section in the configssl.cnf member. If a certificate other than the default is to be used, specify the certificate label in the configssl.cnf section [LABLCERT].
If the INITIATE_SIDE or RECEIVE_SIDE parameters are provided in the [KEYRING] section of a configssl.cnf data set, the four sections pertaining to accessing zFS files are ignored for the type of transfer to which the parameter applies. The INITIATE_SIDE parameter applies the KEYRING data to locally initiated transfers. The RECEIVE_SIDE parameter applies the KEYRING data to remotely initiated transfers only.
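The following configssl.cnf fragment is an added illustration of the two storage forms described above (the four zFS sections and the [KEYRING]/[LABLCERT] sections); it is not CA's shipped sample and not taken from this article. Everything in it is constructed: the zFS paths, the ring name XCOMRING and the certificate label XCOMSRV are placeholders. The article names the INITIATE_SIDE and RECEIVE_SIDE keywords only for the [KEYRING] section; their use in the four zFS sections, and the use of `#` comment lines, are assumptions that should be checked against the configssl.cnf member delivered with your installation.

```ini
# Added illustration, not the product's own configssl.cnf. All paths, the
# ring name and the certificate label are constructed placeholders. The
# INITIATE_SIDE / RECEIVE_SIDE keywords are documented above for [KEYRING];
# using them in the zFS sections is assumed from that pattern.

# ---- Form 1: certificates and key held in zFS files ----
# The server or batch job user ID needs read access to every file named here.
[CA]
INITIATE_SIDE = /u/xcom/ssl/cacert.pem
RECEIVE_SIDE  = /u/xcom/ssl/cacert.pem

[CA_DIRECTORY]
INITIATE_SIDE = /u/xcom/ssl/certs
RECEIVE_SIDE  = /u/xcom/ssl/certs

[CERTIFICATE]
INITIATE_SIDE = /u/xcom/ssl/xcomsrv.pem
RECEIVE_SIDE  = /u/xcom/ssl/xcomsrv.pem

[PRIVATEKEY]
INITIATE_SIDE = /u/xcom/ssl/xcomsrv.key
RECEIVE_SIDE  = /u/xcom/ssl/xcomsrv.key

# ---- Form 2: certificates held in a SAF key ring (RACF, ACF2 or Top Secret) ----
# As soon as INITIATE_SIDE or RECEIVE_SIDE is coded here, the four zFS
# sections above are ignored for that direction of transfer (both directions
# in this example), so the files above need not exist when the ring is used.
[KEYRING]
INITIATE_SIDE = XCOMRING
RECEIVE_SIDE  = XCOMRING

# Only required when the certificate to present is not the ring's default.
[LABLCERT]
INITIATE_SIDE = XCOMSRV
RECEIVE_SIDE  = XCOMSRV
```

Both forms are shown in one member only to make the precedence visible; in practice an installation keeps one or the other. Whichever form is chosen, the transfer direction matters: coding only INITIATE_SIDE under [KEYRING] switches locally initiated transfers to the ring while remotely initiated transfers still read the zFS files, which is a common source of "works one way but not the other" handshake failures. With RACF, for example, the server's user ID must be permitted to list its ring (READ access to IRR.DIGTCERT.LISTRING in the FACILITY class for a ring it owns, or the corresponding RDATALIB profile for a ring owned by another user ID), and the personal certificate named in [LABLCERT] must be connected to the ring with its private key available, or the session is negotiated without a usable server certificate.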
For more information about defining digital certificates to your z/OS security system, see the documentation for your security software: