This tip is related to this part of the documentation in the CA Chorus Software Manager Administration Guide.
When using ICSF with a Crypto-HW as a keystore:
- Copy the coding example from the manual.
- Set the keystoreType to be equal to “JCECCARACFKS” in server.xml.
- Verify that the parameters for sslprotocols fit the site requirements.
- When running into java.io.IOException: no such provider: IBMJCE4758:
Verify that the file $JAVA_HOME/lib/security/java.security was updated to include the ICSF hardware provider. Based on IBM’s web site, you need to change that file to have the following as the first provider:
security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
Note: You need to change the other providers already in the list to a later sequence.
- Add the following RACF privileges with READ access to the MSM STC userid:
CSFIQF CL(CSFSERV )
CSFDSV CL(CSFSERV )
CSFRNGL CL(CSFSERV )
CSFDSG CL(CSFSERV )
CSFPKE CL(CSFSERV )
Note: For a detailed description of these functions, see the "IBM z/OS ICSF Administrators Guide."
- Verify that in the server.xml the "Connector port=" for https matches the "redirectPort=" in the part before for non-SSL HTTP/1.1.
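The java.security and server.xml checks from this tip can be scripted before restarting the server. The following is an added example, not code from the CA or IBM documentation: the function names and sample file contents are constructed, and it assumes a Tomcat-style server.xml where SSLEnabled, port, redirectPort and keystoreType are attributes of the Connector element.

```python
import re
import xml.etree.ElementTree as ET

CCA_PROVIDER = "com.ibm.crypto.hdwrCCA.provider.IBMJCECCA"  # value from the tip

# Constructed sample inputs; ports and the provider list are illustrative only.
SAMPLE_JAVA_SECURITY = """\
security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE
"""
SAMPLE_SERVER_XML = """\
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" keystoreType="JCECCARACFKS"/>
</Service></Server>
"""

def check_java_security(text):
    """Return a list of problems with the security.provider.N entries."""
    problems, seen = [], {}
    for line in text.splitlines():
        m = re.match(r"\s*security\.provider\.(\d+)\s*=\s*(\S+)", line)
        if not m:
            continue  # comment lines and unrelated properties
        seq, cls = int(m.group(1)), m.group(2)
        if seq in seen:  # an old provider was not moved to a later sequence
            problems.append(f"sequence {seq} used twice: {seen[seq]} and {cls}")
        seen[seq] = cls  # like java.util.Properties, the last entry wins
    if seen.get(1) != CCA_PROVIDER:
        problems.append(f"security.provider.1 is {seen.get(1)}, expected {CCA_PROVIDER}")
    if sorted(seen) != list(range(1, len(seen) + 1)):
        problems.append("provider sequence numbers are not contiguous from 1")
    return problems

def check_server_xml(text):
    """Return a list of problems with the HTTP/HTTPS Connector pair."""
    conns = list(ET.fromstring(text).iter("Connector"))
    ssl = [c for c in conns if c.get("SSLEnabled", "").lower() == "true"]
    plain = [c for c in conns if c not in ssl and c.get("redirectPort")]
    if not ssl:
        return ['no Connector with SSLEnabled="true" found']
    problems = [f"port {c.get('port')}: keystoreType is {c.get('keystoreType')}"
                for c in ssl if c.get("keystoreType") != "JCECCARACFKS"]
    ssl_ports = {c.get("port") for c in ssl}
    for c in plain:
        if c.get("redirectPort") not in ssl_ports:
            problems.append(f"port {c.get('port')}: redirectPort {c.get('redirectPort')} matches no HTTPS Connector")
    return problems
```

Both functions return an empty list when the file passes; read the real files with open(...).read() and pass the text in.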