Setting up TLSV1.2 L with Web Viewer 12.1

Article ID: 32444

Products

COMMON SERVICES FOR Z/OS Common Services Output Management Web Viewer

Issue/Introduction

How to use TLSV1.2 to Secure the Connection between the Web Viewer Server and CCI.

Environment

Release: 12.1-Output Management-Web Viewer
Component:

Resolution

1. The Common Services CCI Server task on the mainframe (typically named CCISSL) must be configured to use SSL. These CCI Server task settings (symbolic parameters) are the main ones required:
  1. UNSECON - Specifies communication security. It may be set to allow SSL or to require SSL.
  2. PROT - Security protocol used: TLS.
  3. CLAUTH - Specifies whether client certificates are used. This may be "N" (no), but if it is enabled, Web Viewer (the CCI client) will need a client certificate added to its KeyStore.
2. On the Web Viewer side, there are new parameters to set in the config tool. The connection test has been enhanced to report additional information about any errors.

   Web Viewer ships with a sample KeyStore file that contains the same sample certificate delivered with CCI on the mainframe. This sample KeyStore file, cci.jks, is in this directory:
           C:\Program Files\CA\CA_OM_Web_Viewer\apache-tomcat-8.5.32\webapps\CAOMWebViewer12\config  (Windows) or
           /opt/CA_OM_Web_Viewer/apache-tomcat-8.5.32/webapps/CAOMWebViewer12/config  (Linux/UNIX)
   Modify the path if needed for your environment. Point to this location when running the configtool. You can only use this sample KeyStore if you are using the sample certificates on the mainframe.

After running the configtool, you will need to recycle the Web Application Server.

You can verify that SSL is being used by reviewing the CCI Server task’s JESMSGLG. Look for messages similar to:

CAS9855I Task 0002 has TLSV1.2 session with yyyyyyyy(::ffff:130.200.148.229)/57714.
CAS9855I Task 0002 and PC using 128-bit AES_CBC, SHA-1, RSA ("002F")
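As an added example that is not part of this article, the following POSIX shell script summarises CAS9855I messages from a JESMSGLG extract so you can confirm that every CCI session negotiated TLSV1.2 and see which cipher suite id (the hex value in parentheses) each one used. The sample log is constructed inline: the two message lines above, plus a hypothetical third task whose line reports TLSV1.1 in the same message format, so that the check has something to flag.

```shell
#!/bin/sh
# Added example, not from the article: check CAS9855I messages from the
# CCI Server task's JESMSGLG. The log content written by write_sample_log is
# constructed for the demo (first two lines copied from the article, the
# "Task 0003" lines are hypothetical and only change the protocol string).

set -eu

# Print one line per CCI task: task id, negotiated protocol, cipher suite id.
# Fields are located with match() rather than by position, so a job-log
# prefix (timestamp, job id) in front of the message does not break parsing.
cas9855_summary() {
  awk '
    # "CAS9855I Task 0002 has TLSV1.2 session with ..." -> remember protocol per task
    /CAS9855I Task [0-9]+ has [^ ]+ session with/ {
      match($0, /Task [0-9]+ has [^ ]+/)
      split(substr($0, RSTART, RLENGTH), p, " ")   # p[2] = task id, p[4] = protocol
      proto[p[2]] = p[4]
    }
    # "CAS9855I Task 0002 and PC using 128-bit AES_CBC, SHA-1, RSA ("002F")"
    /CAS9855I Task [0-9]+ and PC using/ {
      match($0, /Task [0-9]+/)
      split(substr($0, RSTART, RLENGTH), p, " ")
      task = p[2]
      id = "?"
      if (match($0, /\("[0-9A-Fa-f]+"\)/)) id = substr($0, RSTART + 2, RLENGTH - 4)
      print task, ((task in proto) ? proto[task] : "?"), id
    }
  ' "$1"
}

# Count sessions that negotiated anything other than TLSV1.2.
sessions_not_tls12() {
  cas9855_summary "$1" | awk '$2 != "TLSV1.2" { n++ } END { print n + 0 }'
}

# Write the constructed sample log to a temporary file and print its path.
write_sample_log() {
  f="${TMPDIR:-/tmp}/jesmsglg.sample.$$"
  cat > "$f" <<'EOF'
CAS9855I Task 0002 has TLSV1.2 session with yyyyyyyy(::ffff:130.200.148.229)/57714.
CAS9855I Task 0002 and PC using 128-bit AES_CBC, SHA-1, RSA ("002F")
CAS9855I Task 0003 has TLSV1.1 session with zzzzzzzz(::ffff:192.0.2.10)/50001.
CAS9855I Task 0003 and PC using 128-bit AES_CBC, SHA-1, RSA ("002F")
EOF
  echo "$f"
}

# Usage: ./check_cas9855.sh path/to/jesmsglg.txt
# With no argument the constructed sample log is used.
if [ "${1:-}" = "" ]; then
  log=$(write_sample_log)
else
  log="$1"
fi
cas9855_summary "$log"
echo "sessions not on TLSV1.2: $(sessions_not_tls12 "$log")"
```

Run it against a JESMSGLG extract saved from SDSF; a non-zero count on the last line means at least one CCI client connected with a protocol other than TLSV1.2, and the task id in the summary tells you which session to look at.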

If you choose to use a Keystore, the Web Viewer CCI Client interface only uses a Java KeyStore repository file. This is different from what CCI Server supports, but both contain the Trusted Certificate and (optional) Client End User certificate.

It is your responsibility to create a KeyStore file if you are using your own certificates. 

The keytool supports these two certificate formats:
- Trusted Certificate: a Base64-encoded certificate file containing the CCI server's public key in X.509 format. Typically, a PEM file.
- Client End User Certificate: a certificate file in PKCS#12 format, containing the public and private key in X.509 format. The private key will be password protected.
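As an added example that is neither the article's nor the product's own code, here is a POSIX shell script that builds the JKS KeyStore file the Web Viewer CCI client expects using the JRE keytool utility. Before importing, it checks that each input is in the format the list above requires (Base64 PEM for the trusted certificate, PKCS#12 for the client certificate), because keytool's error message for a file in the wrong format is not always obvious. File names, the alias ccisrv and all passwords are placeholders; a JDK or JRE with keytool on the PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the article: build the Java KeyStore (JKS) used by the
# Web Viewer CCI client with the JRE keytool. All file names, aliases and
# passwords below are placeholders chosen for the demo.

set -eu

# Classify a certificate file by its on-disk format:
#   pem    - Base64 text block (what the trusted certificate must be)
#   pkcs12 - binary DER; a PKCS#12 bundle starts with an ASN.1 SEQUENCE (0x30)
#   unknown - anything else
cert_kind() {
  f="$1"
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
    echo pem
  elif [ "$(od -An -tx1 -N1 "$f" 2>/dev/null | tr -d ' ')" = "30" ]; then
    echo pkcs12
  else
    echo unknown
  fi
}

# Import the CCI server's trusted certificate (PEM) as a trustedCertEntry.
# The keystore is created if it does not exist yet.
import_trusted_cert() {
  keystore="$1"; storepass="$2"; pem="$3"; alias="$4"
  keytool -importcert -noprompt \
    -keystore "$keystore" -storetype JKS -storepass "$storepass" \
    -alias "$alias" -file "$pem"
}

# Copy the client end-user certificate and its private key out of the PKCS#12
# file into the JKS keystore. The entry keeps the alias it has in the PKCS#12.
import_client_cert() {
  keystore="$1"; storepass="$2"; p12="$3"; p12pass="$4"
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$p12pass" \
    -destkeystore "$keystore" -deststoretype JKS -deststorepass "$storepass"
}

# Number of entries in the keystore (trustedCertEntry / PrivateKeyEntry lines).
keystore_entry_count() {
  keystore="$1"; storepass="$2"
  keytool -list -keystore "$keystore" -storepass "$storepass" 2>/dev/null \
    | grep -c 'Entry' || true
}

# Build the keystore: trusted cert is mandatory, client cert (arg 4) is optional
# and only needed when the CCI Server task runs with CLAUTH enabled.
# Prints the resulting entry count.
build_webviewer_keystore() {
  keystore="$1"; storepass="$2"; trusted_pem="$3"; client_p12="$4"; p12pass="$5"
  [ "$(cert_kind "$trusted_pem")" = pem ] || {
    echo "trusted certificate must be a Base64 PEM file: $trusted_pem" >&2; return 1; }
  import_trusted_cert "$keystore" "$storepass" "$trusted_pem" ccisrv
  if [ -n "$client_p12" ]; then
    [ "$(cert_kind "$client_p12")" = pkcs12 ] || {
      echo "client certificate must be a PKCS#12 file: $client_p12" >&2; return 1; }
    import_client_cert "$keystore" "$storepass" "$client_p12" "$p12pass"
  fi
  keystore_entry_count "$keystore" "$storepass"
}

# Usage (placeholder names):
#   build_webviewer_keystore webviewer-cci.jks changeit ccisrv.pem client.p12 p12password
# Expect 2 entries with a client certificate, 1 without one; then point the
# configtool at the new .jks file and recycle the Web Application Server.
```

Keep the keystore password out of shell history and scripts checked into source control; the configtool stores it for the Web Viewer runtime, so it only needs to be typed once.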

Additional Information

The Web Viewer documentation includes a topic for creating the KeyStore using the JRE keytool utility program: Create Keystore Files for CAICCI with TLS.

If you are using the supplied sample certificates, the Common Services online documentation contains information about how to set these up on the mainframe side: Create and Populate the HFS Key database.