Convert PEM Certificates to pkcs12 for XCOM for z/OS

Article ID: 223992

Products

XCOM Data Transport - z/OS

Issue/Introduction

To migrate from SSLv3 to TLS 1.2, we need to create a ring of certificates that are already created and functioning from the USS directory.

The manual says we have to use the command makesysssl from the sysssl directory; however, there is no clarification on how to use it when the certificates are appended into one .pem file and there are 3 different keys to import with each individual certificate.

The appended certificates also have no comments, so we don't recognize which one corresponds with each key.

We need an example on how to use the command makesysssl when certificates are appended in one .pem file and how to associate them to each key and password.

Environment

XCOM™ Data Transport® for z/OS

Resolution

The makesysssl script is a sample script that will take the .pem certificates created by the XCOM sample make scripts, convert them to pkcs12 and import them into the IBM System SSL database.

If you review the makesysssl script you will see that it contains openssl commands to convert the sample .pem files to pkcs12 prior to importing them to the IBM System SSL database.
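For the case raised above, where several certificates are appended in one .pem file with no comments, the following added example (not taken from makesysssl or the XCOM documentation) pairs a private key with its certificate by comparing public keys and converts the pair to pkcs12. It assumes an openssl command line is available; the function names, file names, labels and the KEY_PASS and P12_PASS environment variables are hypothetical.

```shell
#!/bin/sh
# Added example: pair a private key with its certificate from an
# unlabelled PEM bundle, then export the pair as one PKCS#12 file.
# Passphrases are read from the environment (KEY_PASS, P12_PASS) so they
# do not appear in the process argument list.

# split_bundle BUNDLE OUTDIR: write each certificate to OUTDIR/cert-N.pem
split_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$1"
}

# find_cert_for_key KEY CERTDIR: print the certificate whose public key
# equals the one derived from KEY; non-zero exit if none matches or the
# key cannot be read with the passphrase in KEY_PASS.
find_cert_for_key() {
  want=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null) || return 1
  for c in "$2"/cert-*.pem; do
    have=$(openssl x509 -in "$c" -noout -pubkey 2>/dev/null) || continue
    if [ "$want" = "$have" ]; then
      printf '%s\n' "$c"
      return 0
    fi
  done
  return 1
}

# export_p12 KEY CERT OUT.p12 LABEL: bundle the matched pair as PKCS#12.
# The subshell umask keeps the output file private to its owner.
export_p12() {
  ( umask 077
    openssl pkcs12 -export -inkey "$1" -in "$2" -name "$4" \
      -passin env:KEY_PASS -passout env:P12_PASS -out "$3" )
}

# Driver, arguments: BUNDLE WORKDIR KEY LABEL (all names hypothetical)
if [ "$#" -eq 4 ]; then
  split_bundle "$1" "$2"
  cert=$(find_cert_for_key "$3" "$2") || { echo "no certificate matches $3" >&2; exit 1; }
  export_p12 "$3" "$cert" "$2/$4.p12" "$4"
  echo "$3 pairs with $cert -> $2/$4.p12"
fi
```

Run it once per key, with KEY_PASS set to that key's password and P12_PASS set to the password chosen for the resulting .p12 file.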

Your Security Admin should have the knowledge and details about converting any .pem certificates into the pkcs12 format. We strongly suggest that you involve the Security Admin at your site in any discussion of creating, configuring or converting SSL certificates for the use of XCOM or any product. They may already have procedures that should be followed at your site to make sure that the certificates are secured and handled properly.

The SSL certificates that the make scripts create out of the box during the XCOM install are sample SSL certificates. They help you learn how to configure XCOM for secured transfers and test it before placing the product into your Production environment with production SSL certificates.

SSL certificates can be obtained from a third-party vendor, your security package (such as RACF/TSS/ACF2), the IBM gskkyman utility, etc., which is why you need to involve your Security Admin in this process.

XCOM support is not responsible for creating, verifying, or converting SSL certificates for sites. That should be addressed by the site's Security Admin.

Please refer to the XCOM r12 Manual and scroll down to "Support for IBM System SSL".

Additional Information

As far as configuring XCOM r12 for z/OS to use TLS 1.2:

  1. You have to use IBM System SSL. In order to do that, you have to modify the following parameters in the CONFIG member:
    SSL_VERSION= from OPEN to SYSTEM
  2. XCOM_CONFIG_SSL= this should have the path to the SYSconfigSSL.cnf file that should be used for XCOM and IBM System SSL. In addition, you need valid SSL certificates accessible for the XCOM transfers.