Migrate from OPENSSL to SYSSSL with RACF


Article ID: 227079

Products

XCOM Data Transport - z/OS XCOM Data Transport

Issue/Introduction

We want to move from OpenSSL to IBM System SSL and we have a couple of questions, since they want to use certificates managed by RACF.

They currently have CA/Server/Client certificate and a couple of certificates from partners on cassl.pem.

1. Do you have a process to move all these certificates to RACF?

2. Should we use just one KEYRING with all certificates on the same keyring?

3. Should we grant the batch job userids access to read that keyring if we use batch to send transfers to partners?

Environment

Release : 12.0

Component : CA XCOM Data Transport for z/OS

Resolution

1. XCOM Support does not have a process for moving certificates to RACF or to any other security package, since that is a RACF Security Admin process and responsibility. We advise that you check with your site's Security Admin for the process they have in place for handling SSL certificates.

2. How the keyring (or keyrings) are organized is a decision for the Security Admin in conjunction with the users, and is something the two need to discuss. XCOM Support is unable to suggest how and where the SSL certificates are to be kept or handled in a keyring.

3. The access needed for the keyring is something the RACF admin should be able to advise on, since it is part of the site's security process. We suggest that you test and adjust any required access before placing it in production.

In summary, XCOM provides sample scripts to generate sample SSL certificates, together with the config files that tell XCOM where the certificates are found. Generating these sample certificates and configuring XCOM to use them lets you become familiar with what XCOM requires in order to work with SSL certificates. As documented, the sample certificates must not be used in production; consult your site Security Admin on the procedures to follow for a production environment.

A client, in conjunction with their Security Admin, has to decide whether to use certificates generated by a third-party vendor or by their security package (RACF, Top Secret, or ACF2). They also have to decide how and where to keep those SSL certificates in order to protect them and control access to them. XCOM Support is unable to suggest or indicate how the SSL certificates are to be managed.

With that said, once the SSL certificates are set up, all you need to do when using IBM System SSL is configure the XCOM-provided SYSconfigSSL.cnf file to indicate where XCOM will find the SSL certificates. In addition, in the CONFIG member used by XCOM, specify SSL_VERSION=SYSTEM and set the XCOM_CONFIG_SSL= parameter to the path of the SYSconfigSSL.cnf file.
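As an added illustration of the RACF side that the questions above ask about, and not XCOM Support's guidance or a procedure from this article, the following batch job shows the kind of RACDCERT sequence a RACF admin would use to build a single keyring holding the XCOM server certificate and a partner CA certificate, and to grant a separate batch userid read access to that ring. The userids XCOMSTC and XCOMBAT, the ring name XCOMRING, the labels, the data set names and the PKCS#12 password are placeholders; the site's own RACF policy decides the real values and access levels.

```jcl
//RACFKEY  JOB (ACCT),'XCOM KEYRING',CLASS=A,MSGCLASS=X
//* Added example, not part of the original article or of XCOM.
//* All names below are placeholders (constructed for illustration).
//*
//* Step 1: create an empty keyring owned by the XCOM started-task userid.
//* Step 2: import the partner's CA certificate (PEM/DER, no private key)
//*         as a CERTAUTH certificate and mark it trusted.
//* Step 3: import the XCOM server certificate together with its private
//*         key from a PKCS#12 data set (a PEM key must be converted to
//*         PKCS#12 first; RACDCERT ADD needs PASSWORD for PKCS#12).
//* Step 4: connect the server cert as the ring's default PERSONAL
//*         certificate and the partner CA with USAGE(CERTAUTH).
//* Step 5: least-privilege ring access via IRR.DIGTCERT.LISTRING:
//*         READ lets a userid use its own rings, UPDATE is the minimum
//*         for a userid (the batch job) to use a ring owned by another
//*         userid. Whether the batch job also needs private-key access,
//*         and so its own certificate or RDATALIB profiles, is a site
//*         decision (assumption: XCOMBAT only validates peers here).
//* Step 6: list the ring to verify the connections before go-live.
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(XCOMSTC) ADDRING(XCOMRING)
  RACDCERT CERTAUTH ADD('XCOM.PARTNER.CACERT') +
     WITHLABEL('PARTNER CA') TRUST
  RACDCERT ID(XCOMSTC) ADD('XCOM.SERVER.P12') +
     WITHLABEL('XCOM SERVER') PASSWORD('placeholder') TRUST
  RACDCERT ID(XCOMSTC) CONNECT(ID(XCOMSTC) LABEL('XCOM SERVER') +
     RING(XCOMRING) USAGE(PERSONAL) DEFAULT)
  RACDCERT ID(XCOMSTC) CONNECT(CERTAUTH LABEL('PARTNER CA') +
     RING(XCOMRING) USAGE(CERTAUTH))
  RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(XCOMSTC) ACCESS(READ)
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(XCOMBAT) ACCESS(UPDATE)
  SETROPTS RACLIST(FACILITY) REFRESH
  RACDCERT ID(XCOMSTC) LISTRING(XCOMRING)
/*
```

The LISTRING output in SYSTSPRT should show the server certificate as the default PERSONAL entry and the partner CA as a CERTAUTH entry; the ring owner and ring name are what SYSconfigSSL.cnf must then point XCOM at.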