Configuring TELNET SSL Security using ACF2


Article ID: 207218

Products

CA ACF2, CA ACF2 - MISC, CA ACF2 - z/OS

Issue/Introduction

There is a need to implement secure telnet on an LPAR that uses ACF2. Is it possible to use ACF2 to generate and store the certificate? Does the certificate need to be sent to the client to install?

Resolution

When configuring a SECUREPORT for the TN3270 telnet server, the server's keystore can be either a USS file-based key database or a SAF keyring. The certificates themselves can be generated with ACF2 or with any third-party certificate utility.

The steps below generate and store the certificates in ACF2 and serve them from a SAF keyring. Note what the client side needs: only the signing CERTAUTH (CA) certificate, installed as a trusted root in the telnet client. The server certificate and its private key stay in ACF2 and are never sent to clients.

Step 1 - Generate the CERTAUTH and server certificates using ACF2

Example using a local CA. The first GENCERT has no SIGNWITH, so it creates a self-signed CA certificate; the second creates the telnet server certificate signed by that CA. The subject (SUBJSDN) of the server certificate must carry the host name that clients use to connect, or clients will reject the certificate. EXPIRE sets the expiry date (mm/dd/yy); without it the ACF2 default expiry applies, so set it explicitly for the CA.

ACF
SET PROFILE(USER) DIV(CERTDATA)
GENCERT CERTAUTH.SIGNER SUBJSDN(.....) LABEL(MY COMPANY CA) EXPIRE(12/31/25)
GENCERT TCPTEL.CERT1 SUBJSDN(.....) LABEL(TELNET Certificate) SIGNWITH(CERTAUTH.SIGNER)

Example using an external CA. GENCERT creates the key pair and a self-signed placeholder certificate; GENREQ writes a certificate signing request for that key pair to the named dataset, which is then sent to the external CA:

ACF
SET PROFILE(USER) DIV(CERTDATA)
GENCERT TCPTEL.CERT1 SUBJSDN(.....) LABEL(TELNET Certificate)
GENREQ TCPTEL.CERT1 DSN('CERTREQ.DSN')

The external CA returns a signed certificate to the site that issued the GENREQ. Transfer the signed certificate into a dataset and use INSERT to replace the self-signed placeholder in the TCPTEL.CERT1 CERTDATA record in the INFOSTG database; the key pair generated in the first GENCERT stays in that record, so the private key never leaves ACF2. Insert the external CA's own certificate under CERTAUTH first, so that the chain for the signed server certificate is complete:

ACF
SET PROFILE(USER) DIV(CERTDATA)
INSERT CERTAUTH.externalCA DSN('CERTAUTH.DSN')
INSERT TCPTEL.CERT1 DSN('SIGNDCRT.DSN')


Step 2 - Create a keyring and connect the certificates to it

Example. The keyring record is stored under the logonid that precedes the dot in the record key (TELNET here), and RINGNAME is the name the telnet server will refer to in Step 3. Only one certificate on a ring can be the DEFAULT, and it must be the server's PERSONAL certificate, which is the one presented to clients; the CA certificate is connected with USAGE(CERTAUTH) and no DEFAULT. If the server certificate was signed by an external CA, connect that CA's record (CERTAUTH.externalCA in Step 1) instead of CERTAUTH.SIGNER.

ACF
SET PROFILE(USER) DIV(KEYRING)
INSERT TELNET.RING RINGNAME(TELNET_RING)
CONNECT CERTDATA(CERTAUTH.SIGNER) KEYRING(TELNET.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(TCPTEL.CERT1) KEYRING(TELNET.RING) USAGE(PERSONAL) DEFAULT


Step 3 - Configure SECUREPORT in your telnet parms to point to the keyring created in Step 2

Example:

KEYRING SAF TELNET_RING

This KEYRING statement goes in the TELNETPARMS block alongside the SECUREPORT statement. The name given is the RINGNAME value (TELNET_RING), not the ACF2 record key (TELNET.RING). The ring is located under the logonid the TN3270 server runs as, so the ring owner (TELNET in the example) should be the server's logonid. The server certificate connected to TELNET_RING as the DEFAULT certificate is the one the server presents to clients.


Step 4 - Export the CERTAUTH certificate and install it in the telnet clients

Export the CA certificate to a dataset, FTP the dataset in BINARY mode to a local file, and give that file to the client to install as a trusted root in the application used to telnet into the mainframe. A text-mode transfer translates the bytes and corrupts a DER file, so the transfer mode matters. Only the local CA certificate needs distributing; clients normally already trust a commercial external CA. FORMAT(CERTDER) exports the public certificate only; never export the CA's private key (a PKCS12 format) to clients.

Example:

EXPORT CERTAUTH.SIGNER DSN('EXAMPLE.CERTAUTH.NAME') FORMAT(CERTDER)
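A client-side check for the file produced by Step 4, as an added example that is not part of the original article. It verifies that the transferred file is still a well-formed DER certificate (the usual failure is an ASCII-mode FTP that translated the bytes), converts it to PEM for clients that want that form, and, where network access is available, validates the TN3270 server's certificate chain against the exported CA alone. The sample bytes and the host, port and file names are constructed for the example; a real exported certificate is used in practice.

```python
"""Check the CA certificate exported with FORMAT(CERTDER) after transfer.

Added example, not part of the original article. The DER blob below is
constructed to have the outer shape of a certificate; it is not a real
certificate.
"""
import socket
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def der_total_length(data: bytes):
    """Return header+content length of the outer DER SEQUENCE in data,
    or None if the bytes do not start a definite-length SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 is the SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                           # short-form length
        return 2 + first
    n = first & 0x7F                           # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify_cert_file(data: bytes) -> str:
    """Classify a transferred certificate file as 'der', 'pem' or 'corrupt'.

    Every X.509 certificate is one outer SEQUENCE whose encoded length
    equals the file size; a text-mode transfer breaks that invariant."""
    if data.startswith(PEM_HEADER):
        return "pem"
    total = der_total_length(data)
    if total is not None and total == len(data):
        return "der"
    return "corrupt"


def to_pem(data: bytes) -> str:
    """Return PEM text for the file. The stdlib converter only base64-wraps,
    so the DER check above is what catches a damaged transfer."""
    kind = classify_cert_file(data)
    if kind == "pem":
        return data.decode("ascii")
    if kind != "der":
        raise ValueError("not a DER certificate; re-transfer the dataset in BINARY mode")
    return ssl.DER_cert_to_PEM_cert(data)


def verify_server(host: str, port: int, ca_pem_path: str):
    """Connect to the SECUREPORT and validate the server certificate using
    only the exported CA (no system trust store). Returns the peer subject.
    Needs network access, so it is not exercised offline. The host name must
    match the server certificate's subject, as it would in a telnet client."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)   # cafile only: no default certs loaded
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]


# Constructed sample: outer SEQUENCE with long-form length 0x012c (300 bytes
# of content), the shape of the first bytes of any real certificate.
CONSTRUCTED_DER = b"\x30\x82\x01\x2c" + bytes(300)
# Constructed damage: a text-mode transfer appended a line ending.
CONSTRUCTED_CORRUPT = CONSTRUCTED_DER + b"\r\n"

if __name__ == "__main__":
    for name, blob in (("good", CONSTRUCTED_DER), ("damaged", CONSTRUCTED_CORRUPT)):
        print(name, classify_cert_file(blob))
    print(to_pem(CONSTRUCTED_DER).splitlines()[0])
    # verify_server("mainframe.example", 992, "ca.pem")  # assumed host/port/file
```

Run it against the file the client received; a result of corrupt means the dataset must be transferred again in BINARY mode before the client installs it. The PEM form is what most non-mainframe telnet and TN3270 clients accept as a trusted root.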

Additional Information

For more information on digital certificate commands in ACF2, see the Digital Certificate Support section in the ACF2 documentation.
For more information on certificate configuration for SSL/TLS applications in ACF2, see the Configure Key Rings and Certificates for SSL/TLS Applications section in the ACF2 documentation.