Gen 8.6 Client Manager SSL to CICS requirements

book

Article ID: 222366

calendar_today

Updated On:

Products

CA Gen CA Gen - Run Time Distributed

Issue/Introduction

Using CA Gen 8.6 GUI client applications with Gen CICS servers via 8.6 Client Manager via the CA Gen CICS Multi-Sockets Listener (TISRVMSL).
Now want to use the new Client Manager SSL support documented here: Gen 8.6 > Middleware > Working with the Client Manager > Security in Client Manager

Gen Client:
Client Manager requirements:
 - Where to select the SSL socket option?
 - SSL validation options – is there a ruling on how to determine which option to use or this depends on the network setup for the TLS/SSL?
 - There is mention of cacert.pem; is this file expected to be changed or updated at any time?
 - Aside from above items for client side are there any other setup/changes?

Network -  TCP/IP Stack:
"Configure IPSec for the TCP/IP Stack used by the CA Gen Server to specify the options for ttls.policy. Indicate where the HandshakeRole is done (Server), specify the Certificate used and the location of Keyring.”
Is it correct this would be for the mainframe network/security administrator to setup?

Gen Server:
Are any changes required to Gen servers or Gen Multi-Sockets Listener (TISRVMSL)?

What are the supported SSL protocols?

Environment

Release : 8.6

Component : CA Gen Client Manager

Resolution

Gen Client:
a. The Configuration/Details of the target server in the Client Manager needs to have the "SSL Socket" flag selected along with the "CICS Sockets Listener" being used.
b. For SSL validation options, the mainframe network/security administrator needs to make the decision of what type of validation is required on the client side i.e. one of the 3 options "Ignore Server Certificate Validation", "Server Certificate Validation", "Server Certificate & Hostname Validation".
Per "SSL Configuration Options", if wanting to validate server certificates (2nd/3rd options above), then the cacert.pem file is used i.e. "During execution, Runtime uses the cacert.pem file to validate server certificates. The cacert.pem file is a bundle of public certificates trusted by the Certificate Authority."
NOTE: The sample certificate file cacert.pem is a text file encoded in Base64 ASCII format so can be viewed in any text editor. It contains a bundle of public CA Certificates from Mozilla certificate data (https://curl.se/docs/caextract.html), so may need to be redownloaded to kept up to date. Also, if CA certificates used by the site-specific SSL Server are not part of that downloaded file then the file will need to be replaced with a new version containing those CA certificates.
c. No other changes should be required on the client side.

Network -  z/OS TCP/IP Stack:
Per "z/OS Configuration" statement "Configure IPSec for the TCP/IP Stack used by the CA Gen Server to specify the options for ttls.policy. Indicate where the HandshakeRole is done (Server), specify the Certificate used and the location of Keyring."
The mainframe network/security administrator needs to setup the TTLS policy. When configuring the TCP/IP stack via the TCP/IP profile data set in the TCPCONFIG statement add the parameter TTLS to enable Application Transparent Transport Layer Security (AT-TLS). Also, provide information on where the AT-TLS policy and the certificate resides.
This is documented in more detail in the IBM z/OS Communications Server: IP Configuration Guide (see Chapter 20. Application Transparent Transport Layer Security data protection)

Gen Server:
No changes are required for the generated Gen servers themselves.
Also per "z/OS Configuration" no changes are required for the Gen CICS TCP/IP Single or Multi-Sockets Listener (TISRVMSL).

Supported SSL protocols:
As of August 2021, the supported protocols are SSLv3, TLSv1, TLSv1.1, and TLSv1.2.
When the SSL support was introduced for the 8.6 Client Manager in June 2018 with PTF CCN86103/SS04179 that came with TLSv1.2 support.
The main CA Gen 8.6 > Technical Requirements page covers this under "Change Summary". See "Support for SSL v3/TLS v1.2 for Client Manager"
The change in that PTF is now part of the Gen 8.6 Complete Release (PTF WKS82000) which is the baseline for all future PTFs (CA Gen 8.6 Solutions & Patches)
See also "SSL, TLS Protocols" documented here under the CA Gen 8.6 > Technical Requirements > General Comments page.

Additional Information

Troubleshooting:
If connectivity problems occur, under Client Manager menu option File > Setup, set Logging Level to Tracing.
The log file IEFCMN.log created in directory "%USERPROFILE%\AppData\Local\CA\Gen 8.6\logs\cm" should then help with root cause diagnosis.
CA Gen 8.6 > Middleware > Working with the Client Manager > Client Manager Window > Client Manager Configuration > Configuring Client Manager