Implementing a Secured transfer from XCOM for Windows to z/OS with Top-Secret


Article ID: 209043


Updated On:

Products

CA XCOM Data Transport, CA XCOM Data Transport - z/OS, CA XCOM Data Transport - Windows

Issue/Introduction

We would like to implement a secured transfer from a Windows server that has XCOM in it, to a z/OS server that has both XCOM and Top-Secret in it.

There does not seem to be a document that explains how to do that, A to Z, although these are all Broadcom's products.

All I could find are documents and videos explaining how to define certificates in either Windows or z/OS, and how to code config files in each platform.

Is there such a document?

 

Environment

Release : 11.6

Component : CA XCOM Data Transport for Windows

Resolution

Please be aware that SSL is a job that falls to the Security Administrator and not XCOM. 

XCOM uses SSL certificates to allow for secured transfers. It does not matter whether you have Top Secret, RACF, or ACF2: this is usually configured by the Security Admin, since each site has its own procedures on how and where the SSL certificates are kept. You can keep the certificates in Top Secret/RACF/ACF2 or, if using IBM's System SSL, they can be kept in its database.

That is why the documents and videos you reviewed are what you will find. In other words, your Security Admin for z/OS and Windows will provide the SSL certificates, and all you do with XCOM is tell it where to find those certificates on that platform.

Yes, XCOM provides you with scripts that will generate SSL certificates. We make it clear that those are Sample certificates and should not be used in your production environment because your Security Admin should be involved in setting this up.

We in support will only provide you with instructions on creating the sample SSL certificates and setting up XCOM in a simple scenario. 

So, to answer your question...

1. If you are looking to perform secured transfers between your Windows and z/OS systems, you would need to:

  a. get a copy of the pem certificates you already have on your z/OS system

  b. place them on your Windows server or a safe location

  c. go to the %XCOM_HOME%\config directory and modify the configssl.cnf file with the necessary information about your certificate(s). 

  d. perform a secured loopback on the Windows system to make sure it works before you venture to transfer to z/OS. Here is a simple sample loopback .cnf file you can use for your SSL loopback transfer:

     REMOTE_SYSTEM=127.0.0.1
     LOCAL_FILE=c:\tmp\test.txt
     REMOTE_FILE=c:\tmp\new.txt
     FILE_OPTION=REPLACE
     PORT=8045
     PROTOCOL=TCPIP
     SECURE_SOCKET=YES
     USERID=userid
     PASSWORD=pwd

     Notes on these values: the LOCAL_FILE has to exist; 8045 is the default SSL port for XCOM Windows; USERID and PASSWORD must be a valid userid and password on Windows.

     Save the above parameters in a file called loop.cnf

NOTE: You can find all of the details about the parameters in our XCOM for Windows manual:

https://techdocs.broadcom.com/us/en/ca-mainframe-software/traditional-management/ca-xcom-data-transport-for-windows/11-6/reference/list-of-parameters.html

  e. once you have created and saved loop.cnf, issue the command:

     xcomtcp -c1 -f c:\your path for\loop.cnf

     where c:\your path for\ is replaced with the valid path to loop.cnf

  f. if the transfer fails, then you need to figure out what happened.
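A pre-flight check that can be run before step e, or when the loopback fails in step f. This is an added example, not Broadcom code: it checks the loop.cnf values shown above, whether anything accepts connections on the SSL port, whether each PEM file parses as a certificate inside its validity period, and whether the file holding PASSWORD is readable by broad groups. The paths and the PEM file name are hypothetical, and the group names assume an English-language Windows.

```powershell
# Added example (not Broadcom code). Paths below are hypothetical; adjust them.
param(
    [string]$LoopCnf    = 'C:\xcom-test\loop.cnf',
    [string[]]$PemFiles = @('C:\xcom-test\certs\example-ca.pem')
)
$problems = @()

# Parse the KEY=VALUE lines of loop.cnf into a hashtable.
$cnf = @{}
foreach ($line in Get-Content -LiteralPath $LoopCnf -ErrorAction Stop) {
    if ($line -match '^\s*([A-Z_]+)\s*=\s*(.*?)\s*$') { $cnf[$Matches[1]] = $Matches[2] }
}

# The transfer must actually request SSL over TCP/IP, and the source file must exist.
if ($cnf['SECURE_SOCKET'] -ne 'YES') { $problems += 'SECURE_SOCKET is not YES, so the transfer would not use SSL' }
if ($cnf['PROTOCOL'] -ne 'TCPIP')    { $problems += 'PROTOCOL is not TCPIP' }
$local = $cnf['LOCAL_FILE']
if (-not $local -or -not (Test-Path -LiteralPath $local -PathType Leaf)) {
    $problems += "LOCAL_FILE does not exist: '$local'"
}

# Is anything accepting connections on the configured SSL port?
$port = 0
if (-not $cnf['REMOTE_SYSTEM'] -or -not [int]::TryParse($cnf['PORT'], [ref]$port)) {
    $problems += 'REMOTE_SYSTEM or PORT is missing or not usable'
} elseif (-not (Test-NetConnection -ComputerName $cnf['REMOTE_SYSTEM'] -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue)) {
    $problems += "No listener reachable at $($cnf['REMOTE_SYSTEM']):$port"
}

# Each PEM file must parse as X.509 and be in date (only the first certificate in a bundle is read).
foreach ($pem in $PemFiles) {
    try   { $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pem) }
    catch { $problems += "Cannot read $pem as an X.509 certificate: $($_.Exception.Message)"; continue }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "$pem ($($cert.Subject)) is outside its validity period: $($cert.NotBefore) to $($cert.NotAfter)"
    }
}

# loop.cnf stores PASSWORD in clear text; flag ACL entries that let broad groups read it.
if ($cnf.ContainsKey('PASSWORD')) {
    $broad = (Get-Acl -LiteralPath $LoopCnf).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match 'Everyone|BUILTIN\\Users|Authenticated Users'
    }
    if ($broad) { $problems += "loop.cnf contains PASSWORD and is accessible to: $(($broad.IdentityReference.Value | Select-Object -Unique) -join ', ')" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Pre-flight checks passed; run the loopback transfer.'
```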

Set up the sample SSL certificates as we show you in the video/documents, so you can get familiar with the setup for XCOM on Windows. Once you do that, you can move on to using the real SSL certificates you intend to use. With this setup you can only do loopback transfers, but at least you can see the secured transfers working.

Broadcom support will show you that it works with sample certificates on any of our platforms. Support cannot tell you how to configure your production certificates or where to keep them. This is something that the Security Admin should be familiar with and be involved in, since your site will have guidelines.  Involve them when dealing with the real certificates.