Setting up TLSV1.2 L with Web Viewer 12.1
search cancel

Setting up TLSV1.2 L with Web Viewer 12.1


Article ID: 32444


Updated On:


COMMON SERVICES FOR Z/OS Common Services Output Management Web Viewer


How to use TLSV1.2 to Secure the Connection between the Web Viewer Server and CCI.



Release: 12.1-Output Management-Web Viewer


1. The Common Services CCI Server task on the mainframe, (typically named CCISSL) must be configured to use SSL. These CCI Server task settings (symbolic parameters) are the main ones required:
  1. UNSECON Specifies communication security. It may be set to allow, or require SSL.
  2. PROT Security protocol used- TLS. 
  3. CLAUTH Specifies if client certificates used. This may be “N” (no) but if enabled, Web Viewer (CCI Client) will need a client certificate added to its KeyStore.
2. On the Web Viewer side, there are new parameters in the config tool to set. The connection test has been enhanced to feed back additional information about any errors.

   Web Viewer ships with a sample KeyStore file that contains the same sample certificate delivered with CCI on the mainframe. This sample certificate cci.jks is in this directory:
           C:\Program Files\CA\CA_OM_Web_Viewer\apache-tomcat-8.5.32\webapps\CAOMWebViewer12\config  or 
    Modify the path if needed for your environment. You should point to this location when running the configtool.  You can only use this sample certificate if you are using the sample certificates on the mainframe.

After running the configtool, you will need to recycle the Web Application Server.

You can verify that SSL is being used by reviewing the CCI Server task’s JESMSGLG. Look for messages similar to:

CAS9855I Task 0002 has TLSV1.2 session with yyyyyyyy(::ffff:
CAS9855I Task 0002 and PC using 128-bit AES_CBC, SHA-1, RSA ("002F")

If you choose to use a Keystore, the Web Viewer CCI Client interface only uses a Java KeyStore repository file. This is different from what CCI Server supports, but both contain the Trusted Certificate and (optional) Client End User certificate.

It is your responsibility to create a KeyStore file if you are using your own certificates. 

The Keytool supports these two certificate formats:
- Trusted Certificate: Base64 encoded certificate file containing the CCI server’s public key in X.509 
format. Typically, a PEM file.
- Client End User Certificate: A certificate file in PKCS#12 format, containing the public and private key 
in X.509 format. The private key will be password protected


Additional Information

The Web Viewer documentation includes a topic for creating the KeyStore using the JRE keytool utility program - Create Keystore Files for CAICCI with TLS.

If you are using the supplied sample certificates, the Common Services online documentation contains information about how to set these up on the mainframe side- Create and Populate the HFS Key database