Configuring SSL (TLS) for a zRule Execution Server for z/OS® by using RACF

This example shows you how to use a RACF® keyring as an SSL keystore.

Before you begin

This topic is an example of how to use a RACF keyring as an SSL keystore. For complete information, see the instructions in the Liberty documentation.

About this task

You must set the HBRSSLKEYSTORE property to the value SAF to use a SAF keyring such as RACF.

First, create a signing certificate. Then, use this signing certificate to create a server certificate. Finally, export the signing certificate to the client web browser where it is used to authenticate the server certificate.

Procedure

  1. Configure the server. If you already have a certificate, skip the first two substeps:
    1. Create a certificate authority (CA) certificate (signing certificate).

      This example uses RACF commands in ASCII:

      RACDCERT GENCERT
      CERTAUTH
      SUBJECTSDN(CN('ODM Sample Certification Authority')
      O('IBM')
      OU('ODM'))
      SIZE(2048)
      WITHLABEL('ODM-Sample-Certification')
    2. Create a server certificate that uses the signing certificate from the previous step, where <userid> is the zRule Execution Server for z/OS started task user ID.

      The hostname is the host name of the server that the zRES is running on.

      RACDCERT ID(<userid>) GENCERT
      SUBJECTSDN(CN('<hostname>')
      O('IBM')
      OU('ODM'))
      SIZE(2048)
      SIGNWITH (CERTAUTH LABEL('ODM-Sample-Certification'))
      WITHLABEL('<userid>-zRES')
      ALTNAME(DOMAIN('<hostname>'))
    3. You need a keyring, to which you can add the two certificates. Create a keyring by running the following command, where <userid> is the zRule Execution Server for z/OS started task user ID and <keyring> is the name of the new keyring.
      RACDCERT ADDRING(<keyring>) ID(<userid>)

      Alternatively, you can locate an existing keyring by running this command:

      RACDCERT LISTRING(*) ID(<userid>)
    4. Run these commands to connect the certificates to the keyring you created or located in the previous step. The first command connects the server certificate as the default personal certificate of the keyring; the second connects the CA (signing) certificate. If you use your own certificate, use its LABEL to connect the certificate to the keyring.
      RACDCERT ID(<userid>)
      CONNECT(RING(<keyring>)
      LABEL('<userid>-zRES')
      USAGE(PERSONAL) DEFAULT)
      RACDCERT ID(<userid>) CONNECT(RING(<keyring>)
      CERTAUTH LABEL('ODM-Sample-Certification')
      USAGE(CERTAUTH))
    5. Edit the ++HBRWORKPATH++/servers/sslSAF.xml file and add the following XML.

      The SAF keyring must be specified in the URL form safkeyring://<userid>/<keyring>. The <userid> value must be set to the zRule Execution Server for z/OS started task user ID and the <keyring> value must be set to the name of the keyring. The password field is not used for accessing the SAF keyring and must be set to password.

      <keyStore filebased="false" id="racfKeyStore"
      location="safkeyring://<userid>/<keyring>"
      password="password"
      readOnly="true"
      type="JCERACFKS"/>
      <ssl id="defaultSSLConfig" keyStoreRef="racfKeyStore"
      sslProtocol="SSL_TLSv2"
      serverKeyAlias="<userid>-zRES" />
      Important: If you use your own certificate, put its LABEL in the serverKeyAlias value to replace "<userid>-zRES".
  2. If you have a self-signed certificate, follow these steps to configure your browser to accept the certificate:
    1. Export the signing certificate to a CER file:
      RACDCERT CERTAUTH EXPORT(LABEL('ODM-Sample-Certification'))
      DSN('<userid>.CERT.ZRESCERT')
      FORMAT(CERTDER)
      PASSWORD('password')
    2. FTP the exported certificate in binary to your workstation, and import it into your browser. When importing you must manually select the certificate location of "Trusted Root Certification Authorities". Allowing automatic location selection results in the certificate being stored in the wrong location. If using the Chrome browser you must close all browser windows, and kill any remaining tasks, for the change to take effect.
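The keyStore and ssl settings from step 1e are easy to get subtly wrong (a file-based keystore type, a keyring owned by a different user ID, a serverKeyAlias that does not match the certificate LABEL), and the failure only shows up when the started task restarts. The following added example, which is not part of the product or this documentation, checks a sslSAF.xml fragment against the documented form before the server is restarted; the user ID HBRUSER and keyring ZRESRING in the sample are constructed values.

```python
import re
import xml.etree.ElementTree as ET

# Documented form of the keyring location: safkeyring://<userid>/<keyring>
SAF_URL = re.compile(r"^safkeyring://(?P<userid>[^/]+)/(?P<keyring>[^/]+)$")

def _attrs(elem):
    """Attribute names are compared case-insensitively (the page writes filebased, Liberty fileBased)."""
    return {k.lower(): v for k, v in elem.attrib.items()}

def check_ssl_saf(fragment, started_task_userid, server_label):
    """Return the list of problems in an sslSAF.xml fragment; an empty list means it matches
    the documented keyStore/ssl settings for the given started task user ID and certificate LABEL."""
    root = ET.fromstring("<server>" + fragment + "</server>")  # the fragment has no single root
    problems = []
    stores = {_attrs(ks).get("id"): _attrs(ks) for ks in root.findall("keyStore")}
    for sid, ks in stores.items():
        m = SAF_URL.match(ks.get("location", ""))
        if not m:
            problems.append(f"keyStore {sid}: location must be safkeyring://<userid>/<keyring>")
        elif m["userid"].upper() != started_task_userid.upper():
            problems.append(f"keyStore {sid}: keyring owner {m['userid']} is not the started task user ID")
        # Fixed values the page requires for a SAF keyring (password is unused but must be "password")
        for attr, want in (("type", "JCERACFKS"), ("filebased", "false"),
                           ("readonly", "true"), ("password", "password")):
            if ks.get(attr) != want:
                problems.append(f'keyStore {sid}: {attr} must be "{want}"')
    for ssl in root.findall("ssl"):
        s = _attrs(ssl)
        if s.get("keystoreref") not in stores:
            problems.append(f"ssl {s.get('id')}: keyStoreRef does not name a keyStore in the fragment")
        if s.get("serverkeyalias") != server_label:
            problems.append(f"ssl {s.get('id')}: serverKeyAlias must be the certificate LABEL {server_label}")
    return problems

# Constructed sample: HBRUSER is the started task user ID, ZRESRING the keyring name.
GOOD = """<keyStore filebased="false" id="racfKeyStore"
  location="safkeyring://HBRUSER/ZRESRING" password="password"
  readOnly="true" type="JCERACFKS"/>
<ssl id="defaultSSLConfig" keyStoreRef="racfKeyStore"
  sslProtocol="SSL_TLSv2" serverKeyAlias="HBRUSER-zRES"/>"""

# The same fragment with two slips: a file-based JKS store and a keyring owned by another user ID.
BAD = GOOD.replace('type="JCERACFKS"', 'type="JKS"').replace("HBRUSER/ZRESRING", "OTHERID/ZRESRING")

if __name__ == "__main__":
    for name, frag in (("good", GOOD), ("bad", BAD)):
        print(name, check_ssl_saf(frag, "HBRUSER", "HBRUSER-zRES") or "OK")
```

Run it with the started task user ID and the LABEL you used in step 1b (or your own certificate's LABEL) before restarting the zRES started task.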

Results

SSL for a zRule Execution Server for z/OS is successfully configured for a RACF keyring.

The certificates generated in these steps use the SHA-1 hashing algorithm for signing. To achieve a higher level of security, SHA-2 should be used. For instructions on how to achieve this, see z/OS Security Server RACF Command Language Reference.