1. The Common Services CCI Server task on the mainframe, (typically named CCISSL) must be configured to use SSL. These CCI Server task settings (symbolic parameters) are the main ones required:
- UNSECON Specifies communication security. It may be set to allow, or require SSL.
- PROT Security protocol used- TLS.
- CLAUTH Specifies if client certificates used. This may be “N” (no) but if enabled, Web Viewer (CCI Client) will need a client certificate added to its KeyStore.
2. On the Web Viewer side, there are new parameters in the config tool to set. The connection test has been enhanced to feed back additional information about any errors.
Web Viewer ships with a sample KeyStore file that contains the same sample certificate delivered with CCI on the mainframe. This sample certificate cci.jks is in this directory:
C:\Program Files\CA\CA_OM_Web_Viewer\apache-tomcat-8.5.32\webapps\CAOMWebViewer12\config or
Modify the path if needed for your environment. You should point to this location when running the configtool. You can only use this sample certificate if you are using the sample certificates on the mainframe.
After running the configtool, you will need to recycle the Web Application Server.
You can verify that SSL is being used by reviewing the CCI Server task’s JESMSGLG. Look for messages similar to:
CAS9855I Task 0002 has TLSV1.2 session with yyyyyyyy(::ffff:18.104.22.168)/57714.
CAS9855I Task 0002 and PC using 128-bit AES_CBC, SHA-1, RSA ("002F")
If you choose to use a Keystore, the Web Viewer CCI Client interface only uses a Java KeyStore repository file. This is different from what CCI Server supports, but both contain the Trusted Certificate and (optional) Client End User certificate.
It is your responsibility to create a KeyStore file if you are using your own certificates.
The Keytool supports these two certificate formats:
- Trusted Certificate: Base64 encoded certificate file containing the CCI server’s public key in X.509
format. Typically, a PEM file.
- Client End User Certificate: A certificate file in PKCS#12 format, containing the public and private key
in X.509 format. The private key will be password protected