Installing and customizing BSA CI

Prerequisites

BSA CI requires an OMVS segment. You can use a separate OMVS segment, or you can use the default OMVS segment.

Prerequisites for using SSL

The following prerequisites are only of interest if you want to use runtime mode SSL.

  • IBM System SSL
  • Public and private keys for the SSL connection

    SSL provides data privacy and integrity as well as client and server authentication based on public-key certificates. For each SSL connection, SSL uses a public and a private key.

  • Key rings

    There is a PKI mechanism for authenticating each side of the connection and for agreeing on encryption keys. These keys are generated and stored in key databases, known as key rings.

  • X.509 certificates

    X.509 certificates, which contain the public keys, are also required. You can either create the X.509 certificates yourself or request and obtain them. In either case, the certificate is then connected to a key ring and becomes part of it.

SSL client certificate support

If you plan to implement SSL client certificate support, you must also have CA certificates from each certifying authority that verifies your client certificates. The certificate authority (CA) belongs to a started task, i.e. the STC is the owner of a CA. Several CAs can be used within BSA CI at the same time. A CA is the issuer of certificates and keys. RACF and ACF/2 can also be used as a CA and issue certificates. For each CA, a member for the key ring and one for the port definition must be available.

You must create a CA, make it HIGHTRUST, and add a key ring belonging to BSA CI to the CA. Next, create a certificate for BSA CI and connect it to the key ring.
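
The sequence described above, written out as RACF `RACDCERT` commands entered from TSO. This is an added example, not taken from the BSA CI documentation: the user ID `BSASTC`, the ring name `BSACIRING`, the labels, distinguished names, and dates are placeholders. Reading "add a key ring to the CA" as connecting the CA certificate to the started task's ring is an assumption.

```tso
 /* Added example. All IDs, labels, DNs and dates are placeholders. */

 /* 1. Create the CA certificate (owned by CERTAUTH). */
RACDCERT CERTAUTH GENCERT -
  SUBJECTSDN(CN('Example BSA CI CA') O('Example Org') C('US')) -
  WITHLABEL('BSACI-CA') -
  SIZE(2048) -
  KEYUSAGE(CERTSIGN) -
  NOTAFTER(DATE(2035-12-31))

 /* 2. Mark the CA certificate HIGHTRUST. */
RACDCERT CERTAUTH ALTER(LABEL('BSACI-CA')) HIGHTRUST

 /* 3. Create a key ring owned by the started-task user ID and   */
 /*    connect the CA certificate to it as a trusted CA.         */
RACDCERT ID(BSASTC) ADDRING(BSACIRING)
RACDCERT ID(BSASTC) CONNECT(CERTAUTH LABEL('BSACI-CA') -
  RING(BSACIRING) USAGE(CERTAUTH))

 /* 4. Create the server certificate, signed by the CA, and      */
 /*    connect it to the ring as the default personal cert.      */
RACDCERT ID(BSASTC) GENCERT -
  SUBJECTSDN(CN('bsaci.example.com') O('Example Org') C('US')) -
  WITHLABEL('BSACI-SERVER') -
  SIZE(2048) -
  NOTAFTER(DATE(2027-12-31)) -
  SIGNWITH(CERTAUTH LABEL('BSACI-CA'))
RACDCERT ID(BSASTC) CONNECT(ID(BSASTC) LABEL('BSACI-SERVER') -
  RING(BSACIRING) DEFAULT USAGE(PERSONAL))

 /* 5. Allow the started task to read its own key ring. Assumes  */
 /*    the FACILITY profile IRR.DIGTCERT.LISTRING already exists.*/
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(BSASTC) ACCESS(READ)

 /* 6. Refresh in-storage profiles (only needed where these      */
 /*    classes are RACLISTed).                                   */
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH

 /* 7. Verify the trust status, the ring contents and the usage. */
RACDCERT CERTAUTH LIST(LABEL('BSACI-CA'))
RACDCERT ID(BSASTC) LISTRING(BSACIRING)
```

The `LISTRING` output should show the CA certificate with usage CERTAUTH and the server certificate with usage PERSONAL and DEFAULT set to YES. READ access to `IRR.DIGTCERT.LISTRING` covers only rings owned by the requesting user ID, which keeps the started task's permission to the minimum it needs.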

For detailed instructions on the SSL options mentioned in the following procedure, see "Defining SSL authentication security".

Procedure

Do the following to install BSA CI (you can ignore steps 1 and 3 if you are using NOSSL):

  1. For SSL only: Define a security environment and the certificates.
  2. Create JCL for the BSA CI started task.
  3. For SSL only: Create and customize a member for the key ring and for the key-related parameters.

    Note: Create a member for each key ring in use.

  4. Create and customize a member for the port and for other parameters.
  5. Optional: Customize the logon procedure and the product exit.
  6. Define a user ID (COMUID) and associate it with the BSA CI started task.

    Note: The user ID of the STC requires an OMVS segment (separate OMVS segment or default OMVS segment). READ access to the facility class BPX.DEFAULT.USER is required.

  7. Define a default user for RACF.

    To set up RACF so that it automatically uses default OMVS segments for users and groups that do not have their own OMVS segments in their USER or GROUP profiles, proceed as follows:

    1. Create a FACILITY class profile called BPX.DEFAULT.USER with universal access READ and APPLDATA(defaultuser/defaultgroup).
    2. Define a RACF user profile containing an OMVS segment for defaultuser.
    3. Define a RACF group profile containing an OMVS segment for defaultgroup.