Preparing for secure Internet delivery
z/OS product and service offerings can be downloaded directly from IBM's servers to your z/OS
system. SMP/E performs these download operations through the RECEIVE command and the GIMGTPKG
service routine, and it supports secure, encrypted downloads using FTPS (FTP over SSL/TLS) and
HTTPS (HTTP over SSL). Either download method requires some preparation and one-time setup.
Note: Support for HTTP and HTTPS downloads is added to SMP/E V3.5 and V3.6 with APAR IO20858, and
additional fixes to support changes to IBM's secure delivery servers are added to SMP/E V3.5 and
V3.6 with APAR IO22326.
This topic provides an overview of using SMP/E for secure internet
download operations, in particular from IBM's secure delivery servers,
and the one-time steps you need to take to prepare.
- SSL overview
- Enable certificate authority certificates
- Define CLIENT input for RECEIVE and GIMGTPKG
HTTPS Fast Path!
The quick and easy method to enable secure download operations is to instruct the SMP/E RECEIVE
command and GIMGTPKG service routine to use the HTTPS download method and certificate authority (CA)
certificates managed by the default z/OS Java truststore. To do so, simply specify the SMP/E
<CLIENT> tag with the following attributes:
<CLIENT
downloadmethod="https"
downloadkeyring="javatruststore"
javahome="/usr/lpp/java/J6.0"
>
</CLIENT>
If you want to understand the background and details of the above attributes, or if you want to
explore other options such as FTPS or using CA certificates stored in your z/OS security manager
database, then read on. Otherwise, you can skip the rest of this topic.
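
A pre-flight check for the fast-path CLIENT input, added here as an example (it is not IBM's code and not part of SMP/E). It flags typographic quotes picked up when the tag is copied from a rendered page and attribute values that differ from the fast path above. The helper name check_client, the truststore location lib/security/cacerts below javahome, and both sample inputs are assumptions made for this example.

```python
import os
import re

# Fast-path attribute values as given on this page.
FAST_PATH = {"downloadmethod": "https", "downloadkeyring": "javatruststore"}
CURLY = "\u201c\u201d\u2018\u2019"  # typographic quotes left by copy and paste
# Assumption: usual location of the default Java truststore below javahome.
TRUSTSTORE_REL = os.path.join("lib", "security", "cacerts")

# Constructed samples: correct input, and input pasted with typographic quotes.
GOOD = '<CLIENT\ndownloadmethod="https"\ndownloadkeyring="javatruststore"\njavahome="/usr/lpp/java/J6.0"\n>\n</CLIENT>'
PASTED = GOOD.replace('"https"', "\u201dhttps\u201d")

def check_client(text, check_fs=False):
    """Return a list of problems found in SMP/E CLIENT input (hypothetical helper)."""
    problems = []
    if any(q in text for q in CURLY):
        problems.append('typographic quotes found; use plain " characters')
    tag = re.search(r"<CLIENT\b(.*?)>", text, re.S | re.I)
    if not tag:
        return problems + ["no <CLIENT> tag found"]
    # Accept either quote style here so the remaining checks still run.
    pairs = re.findall(r'(\w+)\s*=\s*["\u201c\u201d]([^"\u201c\u201d]*)["\u201c\u201d]', tag.group(1))
    attrs = {name.lower(): value for name, value in pairs}
    for name, expected in FAST_PATH.items():
        value = attrs.get(name)
        if value is None:
            problems.append(f"{name} is missing")
        elif value != expected:
            problems.append(f"{name} is '{value}'; the fast path uses '{expected}'")
    javahome = attrs.get("javahome")
    if not javahome:
        problems.append("javahome is missing")
    elif check_fs:  # only meaningful on the system that will run the download
        store = os.path.join(javahome, TRUSTSTORE_REL)
        if not os.path.isfile(store):
            problems.append(f"no truststore file at {store}")
    return problems

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("pasted", PASTED)):
        print(label, check_client(sample))
```

Pass check_fs=True only when the script runs on the system whose javahome is named in the tag.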