Transport Layer Security (TLS)


Transport Layer Security (TLS) is a cryptographic protocol that provides security for socket connections. TLS offers a robust set of cipher suites, is widely supported and easy to use, and authenticates the peer by its certificate, which protects against impersonation.

Important

When the BMC AMI Ops Automation server connection is enabled for TLS, non-TLS connections are no longer accepted. The BMC AMI OpsA server connection does not support a mixture of TLS and non-TLS connections.

To use SAF keyrings or a z/OS PKCS #11 token, you must have the following items:

  • In the IBM Resource Access Control Facility (RACF):
    • A TLS certificate
    • The certificate authority (CA) chain that signed it
    • A key ring with the TLS certificate connected first, followed by any intermediate and root CA certificates used to sign it
  • Integrated Cryptographic Service Facility (ICSF):
    The ICSF Private Key Data Set (PKDS) should contain the private key that matches the TLS certificate. For more information about ICSF and the PKDS, see the IBM Cryptographic Services Integrated Cryptographic Service Facility (ICSF) System Programmer's Guide.

Managing SAF keyrings

You can use the RACDCERT command to manage key rings and certificates. Refer to the provided sample JCL members:

<hlq>.BBSAMP(IIMRACD2)
<hlq>.BBSAMP(IIMRACD4)
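As an added example (not one of the BBSAMP members and not BMC code), the following z/OS UNIX script issues the RACDCERT commands that satisfy the prerequisites above, in order: import the CA certificate, generate the server certificate with its private key kept in the ICSF PKDS (the ICSF keyword on GENCERT), create the ring, connect the server certificate first as the ring's DEFAULT personal certificate and the CA certificate after it, grant the owner access to its ring, and refresh. The user ID STCUSER, ring name BMCRING, the certificate labels, the subject name, the data set name STCUSER.SITECA.DER and the host name are assumptions; replace them with your site's values. The commands are run through tsocmd so they can be scripted from the shell; the same lines can equally go into the SYSTSIN of an IKJEFT01 job like the samples.

```shell
#!/bin/sh
# Added example: build a SAF key ring for the BMC AMI OpsA server with RACDCERT,
# issued from z/OS UNIX via tsocmd. All names below are assumptions for illustration.
OWNER="${OWNER:-STCUSER}"                      # user ID the server runs under; owns the ring
RING="${RING:-BMCRING}"                        # key ring name
SERVER_LABEL="${SERVER_LABEL:-BMCOA SERVER}"   # label of the server's TLS certificate
CA_LABEL="${CA_LABEL:-SITE CA}"                # label of the signing CA certificate
CA_DSN="${CA_DSN:-STCUSER.SITECA.DER}"         # sequential data set holding the CA cert (DER or Base64)
SERVER_HOST="${SERVER_HOST:-bmcoa.example.com}" # CN and subject alternative name of the server cert

# Emit the RACF commands in the order they must run.
#  - ICSF on GENCERT stores the generated private key in the ICSF PKDS (ICSF must be active).
#  - The server certificate is connected first, as the ring's DEFAULT personal certificate;
#    the CA (and any intermediates, one ADD/CONNECT pair each) follow with USAGE(CERTAUTH).
#  - The PERMIT assumes the IRR.DIGTCERT.LISTRING profile already exists; READ lets the
#    owner read its own ring. Drop classes from the SETROPTS line that are not RACLISTed.
keyring_commands() {
  cat <<EOF
RACDCERT CERTAUTH ADD('$CA_DSN') WITHLABEL('$CA_LABEL') TRUST
RACDCERT ID($OWNER) GENCERT SUBJECTSDN(CN('$SERVER_HOST') O('Example Corp') C('US')) WITHLABEL('$SERVER_LABEL') SIZE(2048) NOTAFTER(DATE(2027-12-31)) KEYUSAGE(HANDSHAKE) ALTNAME(DOMAIN('$SERVER_HOST')) SIGNWITH(CERTAUTH LABEL('$CA_LABEL')) ICSF
RACDCERT ID($OWNER) ADDRING($RING)
RACDCERT ID($OWNER) CONNECT(ID($OWNER) LABEL('$SERVER_LABEL') RING($RING) DEFAULT USAGE(PERSONAL))
RACDCERT ID($OWNER) CONNECT(CERTAUTH LABEL('$CA_LABEL') RING($RING) USAGE(CERTAUTH))
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID($OWNER) ACCESS(READ)
SETROPTS RACLIST(FACILITY DIGTCERT DIGTRING) REFRESH
RACDCERT ID($OWNER) LISTRING($RING)
EOF
}

# Apply: run each command through tsocmd (z/OS UNIX only) and stop at the first failure.
apply_keyring_commands() {
  keyring_commands | while IFS= read -r cmd; do
    printf '>> %s\n' "$cmd"
    tsocmd "$cmd" || exit 1
  done
}

# Self-check: the personal (server) certificate must be connected before any CA certificate,
# and it must carry DEFAULT so System SSL selects it when the ring is named without a label.
check_connect_order() {
  keyring_commands | awk '
    index($0, "CONNECT(") && index($0, "USAGE(PERSONAL)") {
      if (!personal) personal = NR
      if (index($0, "DEFAULT")) dflt = 1
    }
    index($0, "CONNECT(") && index($0, "USAGE(CERTAUTH)") { if (!ca) ca = NR }
    END { if (personal && dflt && ca && personal < ca) exit 0; exit 1 }'
}

# With no argument the script only prints the commands for review; "apply" runs them.
case "${1:-print}" in
  apply) apply_keyring_commands ;;
  *)     keyring_commands ;;
esac
```

Review the printed commands before running with `apply`. The final LISTRING shows the ring contents, so you can confirm that the server certificate is present with DEFAULT and that the CA chain is connected with USAGE(CERTAUTH). For each intermediate CA, repeat the ADD and CONNECT pair with USAGE(CERTAUTH) after the server certificate.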

Managing z/OS PKCS #11 token using GSKKYMAN utility

Using the gskkyman utility you can manage z/OS PKCS #11 tokens. The following examples show how to:

  • create a new z/OS PKCS #11 token
  • create a self-signed certificate
  • import a trusted certificate for clients and servers

These examples are not the only way to obtain a certificate; you can also import a certificate or request one from a certificate authority. Managing tokens requires ICSF to be active and requires access to the CRYPTOZ class profiles for the token (SO.token-name for token administration, USER.token-name for use). For more information, see z/OS Communications Server: IP Configuration Guide - Using the gskkyman in the IBM documentation.

To create a new z/OS PKCS #11 token

  1. Start OMVS
  2. Issue the gskkyman command.
  3. Choose Create new token.
  4. Enter the token name.

To create a self-signed certificate

  1. Select the Manage token option and type the token name.
  2. Select Create a self-signed certificate.
  3. Choose User or server certificate.
  4. Choose Certificate with an RSA key. Fill in the RSA key size, signature digest type, and certificate information according to the level of security you require and your site information. Use at least a 2048-bit key and a SHA-2 digest (for example SHA-256); SHA-1 and MD5 signatures are rejected by current TLS clients.

To import a trusted certificate for clients and servers

  1. Select the Manage token option and type the token name.
  2. Select Import a certificate.
  3. Enter the name of the file that contains the certificate to import (DER or Base64 encoded) and the label under which to store it. Key size and digest type are not requested here; they are properties of the certificate being imported.

Managing key database using GSKKYMAN utility

Using the gskkyman utility you can manage key databases.

The following examples show how to:

  • create a new key database
  • create a password file
  • create a server self-signed certificate (a self-signed server certificate must be added to the client's key database as a trusted CA certificate, because no CA vouches for it)

These examples are not the only way to obtain a certificate; you can also import a certificate or request one from a certificate authority. For further information, refer to "z/OS Communications Server: IP Configuration Guide - Using the gskkyman" in the IBM documentation.

To create a new key database

  1. Start OMVS.
  2. Create a directory in which to store the new key database. Make sure that only the directory owner (Biiz in this example) and the user ID under which the BMC AMI OpsA server runs can access this directory, because it will contain the private key and the stored database password:

    mkdir /home/Biiz
  3. Change to the new directory:

    cd /home/Biiz
  4. Issue the gskkyman command, and choose Create new database.
  5. Enter the new database name and password (and set the other fields as you see fit). Choose a strong password; anyone who can read the database file and knows the password can extract the private key.

To create a password file

  • Choose Store database password. This writes the password to a stash file (.sth) next to the database; the server reads it at startup instead of prompting, so protect the stash file as carefully as the private key itself.

To create a server self-signed certificate (this is an example; you can still use CA-signed certificates)

  1. Choose Create a self-signed certificate.
  2. Choose User or server certificate.
  3. Choose Certificate with an RSA key (an RSA key is required).
  4. Fill in the RSA key size, signature digest type, and the certificate information according to the level of security you require and your site information (2048-bit RSA with SHA-256 or stronger).
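The directory and file permissions the procedure above depends on, as an added example (not BMC code): a z/OS UNIX shell script that creates the directory owner-only, sets a restrictive umask for the gskkyman session, and afterwards tightens and audits the files gskkyman leaves behind. The directory /home/Biiz is taken from the procedure; the database name bmcoa used in the comments is an assumption. gskkyman writes the key database as <name>.kdb, pending certificate requests as <name>.rdb and the stored password as <name>.sth.

```shell
#!/bin/sh
# Added example: lock down the directory that holds a gskkyman key database.
# Paths and names are assumptions; /home/Biiz comes from the procedure above.
KEYDIR="${KEYDIR:-/home/Biiz}"

# Create the directory before running gskkyman, readable and writable only by its owner,
# which must be the user ID the BMC AMI OpsA server runs under. Files created in it while
# umask 077 is in effect are born owner-only, so nothing is exposed even briefly.
prepare_keydir() {
  mkdir -p "$1" && chmod 700 "$1"
}

# Tighten everything gskkyman produced: the key database (.kdb, holds the private key),
# the request database (.rdb) and the stashed password (.sth), which together unlock the key.
harden_keydb_files() {
  for f in "$1"/*.kdb "$1"/*.rdb "$1"/*.sth; do
    [ -e "$f" ] || continue
    chmod 600 "$f"
  done
  return 0
}

# Audit: report any of those files that group or others can reach. Returns 1 if one is found.
# Uses ls -l rather than stat so it also works on z/OS UNIX.
audit_keydb_files() {
  bad=0
  for f in "$1"/*.kdb "$1"/*.rdb "$1"/*.sth; do
    [ -e "$f" ] || continue
    perms=$(ls -ld "$f" | cut -c5-10)   # group and other permission bits, e.g. "r--r--"
    case "$perms" in
      ------) ;;                          # owner-only: fine
      *) printf 'WARNING: %s is accessible to group/others (%s)\n' "$f" "$perms"; bad=1 ;;
    esac
  done
  return "$bad"
}

# Interactive session: prepare the directory, run gskkyman, then harden and audit the result.
if [ "${1:-}" = "run" ]; then
  umask 077
  prepare_keydir "$KEYDIR"
  cd "$KEYDIR" || exit 1
  echo "In gskkyman: Create new database, then Store database password."
  gskkyman
  harden_keydb_files "$KEYDIR"
  audit_keydb_files "$KEYDIR"
fi
```

Run it with `run` on the system that will host the database; re-run `audit_keydb_files` after any later gskkyman session, because a session started without the umask can recreate a world-readable stash file.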

To enable TLS

Specify the encryption type of the connection as *TLS in mcell.dir (IIMDIRxx).

For example:

cell <cell_name>   *TLS   <host/IP:PORT>

Edit the configuration file of that connection (IIMCNFxx) so that CertificateKeyring points to the key database file name (.rdb), the SAF keyring, or the z/OS PKCS #11 token. If you use a key database file (.rdb) in the CertificateKeyring parameter, point the CertificatePasswordFile parameter to the database password file. The key database file and z/OS PKCS #11 tokens are generated by the gskkyman utility; the SAF keyring is generated by RACDCERT. Note that gskkyman names the key database it creates with a .kdb extension and the stored password file with .sth (the .rdb file beside them holds pending certificate requests); check which file name the parameter expects for your release.

CertificateKeyring=<database file name (.rdb) | SAF keyring | z/OS PKCS #11 token>
CertificatePasswordFile=<database password file>
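The three forms the two parameters can take, as an added configuration example that is not from the BMC documentation. The cell name BMCOA1, host name, port 1828, user ID STCUSER, ring BMCRING, token BMCTOKEN and the file names under /home/Biiz are assumptions. The userid/ringname and *TOKEN*/token-name spellings are the IBM System SSL naming convention for SAF key rings and PKCS #11 tokens; confirm against the IIMCNFxx parameter reference for your release that BMC AMI OpsA accepts them in this form.

```text
mcell.dir (IIMDIRxx): the connection must be marked *TLS
cell BMCOA1   *TLS   bmcoa.example.com:1828

IIMCNFxx, one of the following:

(a) gskkyman key database; the password file is the stash file written by "Store database password"
CertificateKeyring=/home/Biiz/bmcoa.kdb
CertificatePasswordFile=/home/Biiz/bmcoa.sth

(b) SAF key ring built with RACDCERT, named owner/ring; no password file, the key lives in RACF/ICSF
CertificateKeyring=STCUSER/BMCRING

(c) z/OS PKCS #11 token created with gskkyman; no password file, access is governed by CRYPTOZ
CertificateKeyring=*TOKEN*/BMCTOKEN
```

Leave CertificatePasswordFile unset for forms (b) and (c); only the key database form has a password to supply. Whichever form you choose, the user ID the server runs under must be able to read the key material: mode 600 files owned by it for (a), READ on IRR.DIGTCERT.LISTRING for its own ring in (b), and USER.BMCTOKEN in CRYPTOZ for (c).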

 


BMC AMI Ops Automation 8.4