Can a keyring be used with CA XCOM for z/OS

Article ID: 188325

Products: XCOM Data Transport, XCOM Data Transport - z/OS, XCOM - SUPPORT

Issue/Introduction

Can CA XCOM for z/OS be configured with RACF certificates held in a keyring, or only with gskkyman certificates (a key database file in HFS, a SAF key ring or a z/OS PKCS #11 token)?

Environment

Release : 12.0

Component : CA XCOM Data Transport for z/OS

Resolution

Using Certificates with Your CA XCOM for z/OS Product

Certificates are loaded and processed dynamically at the time the secure session is being negotiated with the partner
system. Dynamic loading and processing provides flexibility, because certificates can be updated as needed while the 
CA XCOM Data Transport server remains active.

Certificates can be stored in one of the following locations for use by CA XCOM Data Transport for z/OS:

* In zFS data sets.
* In the z/OS system security package.

Regardless of where the certificates are stored, the server or batch job must run with the system and security definitions needed to establish the UNIX System Services (USS) environment it runs under.

Use Certificates Stored in zFS Data Sets

If the certificates are stored in zFS data sets, the CA XCOM Data Transport server or batch job must have sufficient 
access authority to read the data sets. The following parameter sections in the configssl.cnf file control certificate 
usage. These sections provide the directory and file names that contain the certificate and encryption key data:

[CA]
[CA_DIRECTORY]
[CERTIFICATE]
[PRIVATEKEY]

Use Certificates Stored in the z/OS Security Package

If the certificates are stored in one or more KEYRINGs that are maintained by the z/OS system security package, the server 
or batch job must run with authority to use the appropriate KEYRING to which the certificates have been loaded. In this 
case, the required KEYRING is referenced in the [KEYRING] section in the configssl.cnf member. If a certificate other than 
the default is to be used, specify the certificate label in the configssl.cnf section [LABLCERT].

If the INITIATE_SIDE or RECEIVE_SIDE parameter is present in the [KEYRING] section of a configssl.cnf data set, the four sections that reference zFS files are ignored for the type of transfer to which that parameter applies. The INITIATE_SIDE parameter applies the KEYRING data to locally initiated transfers; the RECEIVE_SIDE parameter applies the KEYRING data to remotely initiated transfers only.
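As an added illustration of that precedence rule (not code from the article or from the product), the following script reads a configssl.cnf-style text and reports, per transfer direction, whether the keyring or the zFS files will be used and which zFS sections lack a value. It assumes entries take the form NAME = value under a [SECTION] header; the ring name, labels and paths in the sample are constructed.

```python
"""Resolve the effective certificate source per transfer direction from a
configssl.cnf-style text, applying the rule that a KEYRING entry for a side
makes the four zFS sections irrelevant for that side."""
import configparser

ZFS_SECTIONS = ("CA", "CA_DIRECTORY", "CERTIFICATE", "PRIVATEKEY")
SIDES = ("INITIATE_SIDE", "RECEIVE_SIDE")

# Constructed sample: keyring for locally initiated transfers, zFS files for
# remotely initiated ones. Paths, ring name and label are placeholders.
SAMPLE_CONFIGSSL = """\
[CA]
INITIATE_SIDE = /u/xcom/ssl/cacert.pem
RECEIVE_SIDE = /u/xcom/ssl/cacert.pem
[CA_DIRECTORY]
INITIATE_SIDE = /u/xcom/ssl
RECEIVE_SIDE = /u/xcom/ssl
[CERTIFICATE]
RECEIVE_SIDE = /u/xcom/ssl/xcomsrv.pem
[PRIVATEKEY]
RECEIVE_SIDE = /u/xcom/ssl/xcomsrv.key
[KEYRING]
INITIATE_SIDE = XCOMRING
[LABLCERT]
INITIATE_SIDE = XCOM Server Cert
"""


def parse_configssl(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep parameter names exactly as written (upper case)
    cp.read_string(text)
    return cp


def effective_cert_source(cp):
    """Return {side: details}; 'keyring' wins whenever [KEYRING] names that side."""
    result = {}
    for side in SIDES:
        ring = cp.get("KEYRING", side, fallback=None)
        if ring is not None:
            label = cp.get("LABLCERT", side, fallback=None)  # None => ring default
            result[side] = {"source": "keyring", "keyring": ring,
                            "label": label, "ignored": list(ZFS_SECTIONS)}
        else:
            files = {s: cp.get(s, side, fallback=None) for s in ZFS_SECTIONS}
            missing = [s for s, v in files.items() if v is None]
            result[side] = {"source": "zfs", "files": files, "missing": missing}
    return result


if __name__ == "__main__":
    for side, info in effective_cert_source(parse_configssl(SAMPLE_CONFIGSSL)).items():
        print(side, info)
```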

For more information about defining digital certificates to your z/OS security system, see the documentation for your 
security software:

* For CA Top Secret, see the CA Top Secret documentation.
* For CA ACF2, see the CA ACF2 for z/OS documentation.
* For IBM RACF, see the IBM z/OS Security Server RACF Security Administrator Guide.