Implementing TLS for implementing access controls


To implement TLS, you need to indicate the level of encryption you want and specify the location of the server certificate and ICSF label of the private key that matches the certificate's public key.


Before you begin

Have the following items in place:

  • In IBM Resource Access Control Facility (RACF):
    • A TLS certificate
    • A certificate authorization chain
    • A key ring with the TLS certificate connected first followed by any intermediate certificates used to sign the key
  • In Integrated Cryptographic Service Facility (ICSF):
    The ICSF Private Key Data Set (PKDS) should contain the private key that matches the TLS certificate.

To implement TLS

  1. Open for edit your User Interface Middleware (UIM) startup member.
    The UIM startup member is an XML document that defines global operation parameters for the UIM Server.
    The UIM startup member is specified as the -M member name on the EXEC statement in the UIM Server PROC. This member is in the HTPPARM DD concatenation, usually found in the UBMCCNFG data set.
  2. In the startup member, add or edit the following parameter to define the encryption level required:

    <bmc_parm id="ENCRYPTION_LEVEL" value="encryptValue" />

    An example of the UIM startup member is provided in Example-UIM-startup-member-customizing-IMS. Use one of the following values for encryptValue:

    • SSL-IF
      Uses SSL/TLS if the client supports it. This is the recommended value for an initial implementation to allow existing clients to connect.
    • SSL-REQUIRED
      Does not accept a connection unless it is a TLS handshake. Use this option with caution: existing client connections will not work until the client code has been reinstalled at the updated level that includes TLS support. This requires a reinstall of the client, not an update.

    Warning

    SSL-REQUIRED causes any legacy client and Database Performance for DB2 connections to stop working. It is strongly recommended that SSL-IF be implemented first and, once all clients are updated, switched to SSL-REQUIRED. If Database Performance for DB2 is being used, do not implement SSL-REQUIRED until support for SSL is available in Database Performance for DB2.

  3. In the startup member, add the following section to define the location for the UIM Server certificate and associated private key:

    <bmc_parm id="SSL_STORE" value="certStorage">
         <bmc_parm id="SSL_CERTIFICATE" value="owner/KeyRingName" />
    </bmc_parm>
    <bmc_parm id="SSL_STORE" value="ICSF">
         <bmc_parm id="SSL_PRIVATE_KEY" value="icsf.private.key.label" />
    </bmc_parm>

    An example of the UIM startup member is provided in Example-UIM-startup-member-customizing-IMS. The keywords and valid values are:

    SSL_STORE (first occurrence)
      Description: Names the storage medium for the certificate.
      Valid entries for the associated VALUE keyword: one of the following:
      • DSN
        Storage is a sequential data set
      • R_DATALIB
        Storage is a RACF key ring and optionally the key ring owner

    SSL_CERTIFICATE
      Description: Name of the certificate to be used by UIM.
      Valid entries for the associated VALUE keyword: one of the following:
      • A data set name if DSN was indicated for the associated SSL_STORE keyword
      • A RACF key ring name if R_DATALIB was indicated for the associated SSL_STORE keyword

    SSL_STORE (second occurrence)
      Description: Names the storage medium for the private key.
      Valid entries for the associated VALUE keyword: ICSF, which indicates that the storage is an ICSF label.

    SSL_PRIVATE_KEY
      Description: Name of the private key to be used by UIM.
      Valid entries for the associated VALUE keyword: the name of the ICSF label.

  4. Save and close your User Interface Middleware (UIM) startup member.
  5. Repeat Step 1 through Step 4 for every instance of the UIM Server that you have.
  6. Continue with one of the following procedures:
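The following Python script is an added example and is not part of this BMC documentation or the product's own code. It parses the TLS parameters of a UIM startup member (or just the TLS fragment of one) and reports the checks a reviewer would make before restarting the server: that ENCRYPTION_LEVEL is SSL-IF or SSL-REQUIRED, that the certificate SSL_STORE is DSN or R_DATALIB and carries an SSL_CERTIFICATE, and that the private-key SSL_STORE is ICSF and carries an SSL_PRIVATE_KEY. The two sample member texts, the owner/ring name, the ICSF label and the synthetic <uim_check> wrapper element are constructed assumptions; the script does not know the real root element of a startup member or any of its other parameters.

```python
import xml.etree.ElementTree as ET

# Valid values as listed in the procedure above.
ENCRYPTION_LEVELS = {"SSL-IF", "SSL-REQUIRED"}
CERTIFICATE_STORES = {"DSN", "R_DATALIB"}
PRIVATE_KEY_STORE = "ICSF"

# Constructed sample of the TLS section of a startup member. The owner,
# ring name and ICSF label are placeholders, not values from a real system.
SAMPLE_MEMBER = """
<bmc_parm id="ENCRYPTION_LEVEL" value="SSL-IF" />
<bmc_parm id="SSL_STORE" value="R_DATALIB">
     <bmc_parm id="SSL_CERTIFICATE" value="UIMOWNER/UIMRING" />
</bmc_parm>
<bmc_parm id="SSL_STORE" value="ICSF">
     <bmc_parm id="SSL_PRIVATE_KEY" value="UIM.TLS.PRIVATE.KEY" />
</bmc_parm>
"""

# Constructed mis-configured sample: SSL-REQUIRED is set, the certificate
# store has no SSL_CERTIFICATE, and the private key is pointed at a data set.
BAD_MEMBER = """
<bmc_parm id="ENCRYPTION_LEVEL" value="SSL-REQUIRED" />
<bmc_parm id="SSL_STORE" value="R_DATALIB">
</bmc_parm>
<bmc_parm id="SSL_STORE" value="DSN">
     <bmc_parm id="SSL_PRIVATE_KEY" value="UIM.TLS.PRIVATE.KEY" />
</bmc_parm>
"""


def check_uim_tls(member_text):
    """Return (summary, findings) for the TLS parameters in a startup member.

    findings is empty when ENCRYPTION_LEVEL, the certificate store and the
    private-key store are all present and consistent with the rules above.
    """
    # Wrap the text in a synthetic root (an assumption of this script) so a
    # bare fragment parses the same way as a complete member.
    root = ET.fromstring("<uim_check>" + member_text + "</uim_check>")
    summary = {"encryption_level": None, "certificate_store": None,
               "certificate": None, "private_key_store": None, "private_key": None}
    findings = []

    levels = root.findall(".//bmc_parm[@id='ENCRYPTION_LEVEL']")
    if not levels:
        findings.append("ENCRYPTION_LEVEL is missing; TLS is not enabled")
    else:
        level = levels[0].get("value", "")
        summary["encryption_level"] = level
        if level not in ENCRYPTION_LEVELS:
            findings.append(f"ENCRYPTION_LEVEL {level!r} is not SSL-IF or SSL-REQUIRED")
        elif level == "SSL-REQUIRED":
            findings.append("SSL-REQUIRED rejects every non-TLS client; "
                            "start with SSL-IF until all clients are updated")

    for store in root.findall(".//bmc_parm[@id='SSL_STORE']"):
        medium = store.get("value", "")
        # Only direct children belong to this store.
        certs = store.findall("bmc_parm[@id='SSL_CERTIFICATE']")
        keys = store.findall("bmc_parm[@id='SSL_PRIVATE_KEY']")
        if not certs and not keys:
            findings.append(f"SSL_STORE {medium!r} names neither a certificate nor a private key")
        if certs:
            summary["certificate_store"] = medium
            summary["certificate"] = certs[0].get("value", "")
            if medium not in CERTIFICATE_STORES:
                findings.append(f"certificate SSL_STORE {medium!r} must be DSN or R_DATALIB")
            if not summary["certificate"]:
                findings.append("SSL_CERTIFICATE value is empty")
        if keys:
            summary["private_key_store"] = medium
            summary["private_key"] = keys[0].get("value", "")
            if medium != PRIVATE_KEY_STORE:
                findings.append(f"private-key SSL_STORE {medium!r} must be ICSF")
            if not summary["private_key"]:
                findings.append("SSL_PRIVATE_KEY value is empty")

    if summary["certificate"] is None:
        findings.append("no SSL_STORE carries an SSL_CERTIFICATE")
    if summary["private_key"] is None:
        findings.append("no SSL_STORE carries an SSL_PRIVATE_KEY")
    return summary, findings


if __name__ == "__main__":
    for name, text in (("SAMPLE_MEMBER", SAMPLE_MEMBER), ("BAD_MEMBER", BAD_MEMBER)):
        summary, findings = check_uim_tls(text)
        print(name, summary)
        for finding in findings:
            print("  -", finding)
```

Run the script against the member text extracted from the HTPPARM concatenation before restarting each UIM Server instance; an empty findings list means the three parameter groups are present and paired the way the table above requires, while the SSL-REQUIRED advisory is a reminder of the client-compatibility caveat rather than a configuration error.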



 


BMC AMI Database Advisor for IMS 3.1