Enabling trust between the agent and the object storage


The object storage presents a certificate to the agent. If that certificate is self-signed, or was signed by a CA that the agent does not trust, the connection is not trusted.

Running without trust affects TCP/IP general-purpose processor (GCP) consumption and reduces product performance. Therefore, we recommend that you enable trust between the agent and the object storage.

This topic describes how to configure trusted communication between the BMC AMI Cloud agents and the object storage.

Prerequisites

Before enabling trust between the agent and the object storage, make sure that the object storage CA is trusted by RACF.

If you are working with cloud object storage such as Amazon S3, Google, or Microsoft Azure, you might have already configured RACF to trust your public CA.

If you are working with an on-premises storage device, we assume that the device’s certificate was already signed with the organizational root CA that was imported into RACF as a CA certificate. For more information about importing certificates into RACF, see the RACDCERT IMPORT (Import certificate) topic in the IBM documentation.

If the storage CA is not in RACF, perform the following steps:

  1. Transfer the certificate in pkcs12 format to z/OS in binary mode and store it as a data set (for example, SYS2.AMICLOUD.OBJSTORE.P12).
  2. Import the CA certificate into RACF by using the following TSO command: 

    RACDCERT ADD('SYS2.AMICLOUD.OBJSTORE.P12') CERTAUTH TRUST WITHLABEL('ObjectStorage') PASSWORD('pkcs12-password')

Best practice
We recommend using the RACF CERTAUTH virtual keyring (*AUTH*/*). A virtual keyring can be used when an application validates other certificates but has no need for its own certificate and private key.

To use the virtual keyring, specify the KEYRING parameter as follows:

KEYRING *AUTH*/*

To enable trust between the BMC AMI Cloud agent and the object storage

  1. Depending on whether you can use RACF virtual keyrings, perform one of the following steps:
    • If you can use RACF virtual keyrings, under the agent's $MODEL9_HOME/conf directory, create a file named stdenv-overrides.sh and add the following statements to it:

      IJO=" $IJO -Djavax.net.ssl.trustStore=safkeyring://*AUTH*/*"
      IJO=" $IJO -Djavax.net.ssl.trustStoreType=JCERACFKS"
      IJO=" $IJO -Djava.protocol.handler.pkgs=com.ibm.crypto.provider"
    • If you can’t use RACF virtual keyrings:
      1. Create a keyring to be used by the BMC AMI Cloud agent user and connect the object storage CA certificate to it (the ID(M9USER) operand on the CONNECT command must name the keyring owner, otherwise the certificate is connected to the issuing user's ring instead):

        RACDCERT ADDRING(AMICLOUD) ID(M9USER)
        SETROPTS RACLIST(DIGTRING) REFRESH
        RACDCERT ID(M9USER) CONNECT(CERTAUTH LABEL('ObjectStorage') RING(AMICLOUD))
        SETROPTS RACLIST(DIGTCERT, DIGTRING) REFRESH
      2. Under the agent's $MODEL9_HOME/conf directory, create a file named stdenv-overrides.sh and add the following statements to it:

        IJO=" $IJO -Djavax.net.ssl.trustStore=safkeyring://M9USER/AMICLOUD"
        IJO=" $IJO -Djavax.net.ssl.trustStoreType=JCERACFKS"
        IJO=" $IJO -Djava.protocol.handler.pkgs=com.ibm.crypto.provider"

        Important

        If you are using a different user from M9USER or a different keyring name, update the safkeyring statement to match your user name and keyring accordingly.

  2. To enable object storage certificate verification, in the agent.yml file, specify false in the following parameter:

    objstore.endpoint.no.verify.ssl: false
  3. Restart the agent STC.

If no errors are visible in the log after startup, you are done. You can also list the connections under SDSF to make sure they are reused.
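The following shell helpers are an added example, not BMC's code. They assume the file names this page uses ($MODEL9_HOME/conf/agent.yml with the flat key objstore.endpoint.no.verify.ssl, and stdenv-overrides.sh) and, for the expiry check only, that an openssl command is available on the workstation that holds the PKCS12 file before it is transferred to z/OS. The first function prints the stdenv-overrides.sh statements for either keyring form, the second reports whether agent.yml actually has certificate verification turned on (false is the verifying setting; true or an absent parameter is the revert state), and the third prints the CA's expiry date so that it can be recorded before the certificate expires.

```shell
#!/bin/sh
# Added example (not BMC's code). Helpers for the agent-side trust
# configuration described on this page; file names are assumed from the page.

# Print the three IJO statements that belong in stdenv-overrides.sh for a
# given SAF keyring URL, for example:
#   safkeyring://*AUTH*/*          RACF CERTAUTH virtual keyring
#   safkeyring://M9USER/AMICLOUD   named keyring owned by user M9USER
truststore_overrides() {
    keyring="$1"
    case "$keyring" in
        safkeyring://*) ;;
        *) echo "keyring must be a safkeyring:// URL, got: $keyring" >&2; return 1 ;;
    esac
    # Single quotes keep $IJO literal: the agent expands it at startup, not us.
    printf 'IJO=" $IJO -Djavax.net.ssl.trustStore=%s"\n' "$keyring"
    printf 'IJO=" $IJO -Djavax.net.ssl.trustStoreType=JCERACFKS"\n'
    printf 'IJO=" $IJO -Djava.protocol.handler.pkgs=com.ibm.crypto.provider"\n'
}

# Return 0 when agent.yml has objstore.endpoint.no.verify.ssl: false
# (verification enabled); return 1 when it is true or not present
# (verification disabled, the revert state). The last occurrence wins.
verify_ssl_enabled() {
    yml="$1"
    value=$(sed -n 's/^[[:space:]]*objstore\.endpoint\.no\.verify\.ssl:[[:space:]]*\([A-Za-z]*\).*/\1/p' "$yml" | tail -n 1)
    case "$value" in
        [Ff][Aa][Ll][Ss][Ee]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the notAfter date of the CA certificate inside a PKCS12 file
# (assumes openssl on the workstation; the password is the pkcs12 password
# used later on the RACDCERT ADD command).
ca_expiry_date() {
    p12="$1"
    pw="$2"
    openssl pkcs12 -in "$p12" -nokeys -passin "pass:$pw" 2>/dev/null \
        | openssl x509 -noout -enddate
}

# Usage (constructed examples):
#   truststore_overrides 'safkeyring://*AUTH*/*' >> "$MODEL9_HOME/conf/stdenv-overrides.sh"
#   verify_ssl_enabled "$MODEL9_HOME/conf/agent.yml" && echo "verification on" || echo "verification OFF"
#   ca_expiry_date objstore-ca.p12 'pkcs12-password'
```

Run verify_ssl_enabled after every change to agent.yml: because an absent parameter also means verification is off, a typo in the key name silently leaves the agent in the untrusted state this page warns about.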

Important

Because certificates have expiration dates, make sure to note the expiration date and update your configuration before that date. Failing to do so will prevent the agent from accessing the object storage when the certificate expires.

You can always revert by either removing the objstore.endpoint.no.verify.ssl parameter or by specifying true.
