To be able to use SSL for communication, the BSA CI in question needs at least one server certificate for authentication. The server certificate and other relevant certificates (like client certificates) are stored in a key ring file. The key ring file is generally located in the z/OS security system, for example, RACF. A label assigned to the server certificate is also stored in the security system.
The name and location of the key ring and the other parameters needed to control the BSA CI are defined in DD BSSOSEC by default. You can define a different DD name in the LST parameter Bnn_TCPIP_SSL_PORT_[app]. If you work with multiple key rings, code multiple DD statements in the JCL of the BSA CI and assign each DD name to the corresponding port via Bnn_TCPIP_SSL_PORT_[app] (see "LST parameters for BSA CI").
An example of how to use the parameters can be found in member SSLKEY00 in the BSA.SAMPLIB:
KEYRING = BETA-RING
KEYLABEL = "BSA_ZOS_COMSVR"
SHOWCERT = YES
SHOWPARAM = YES
The following parameters are defined in DD BSSOSEC:

KEYRING
Name of the key ring containing the server certificate to be used.
Format: [USERID/]name, where USERID represents the owner of the ring.
Note: If the key ring name itself includes a forward slash (for example, "PRODCOMS/custring"), always enter the user ID before the key ring name to avoid definition errors.

KEYLABEL
Name of the key label of the server certificate to be used.

SHOWCERT
The local (server) and partner (client) certificates are output in the system log of the BSA CI.
Format: [YES | NO], default: NO

SHOWPARAM
Outputs the parameters of the DD statement assigned to the respective port.
Format: [YES | NO], default: NO
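The following checker is an added example and not part of the BSA product or its documentation. It parses a parameter member in the KEY = VALUE form shown in SSLKEY00, strips the double quotes around values such as the KEYLABEL, and applies the rules stated above: KEYRING and KEYLABEL must be present, SHOWCERT and SHOWPARAM must be YES or NO, and a KEYRING value is split at the first slash into owner and ring name. Because a ring name that itself contains a slash cannot be told apart from USERID/name by syntax alone, a value with exactly one slash is reported so that the administrator can confirm the owning user ID was entered. The assumptions that lines starting with "*" are comments, that YES/NO is accepted in any case, and that only the four parameters named on this page are validated are the example's own, not documented product behaviour.

```python
"""Parse and sanity-check a DD BSSOSEC-style parameter member (added example)."""
import re
from typing import Dict, List, Tuple

# Only the parameters documented on this page are validated; all others
# are reported as unchecked rather than rejected (assumption of this example).
YES_NO_PARAMS = {"SHOWCERT", "SHOWPARAM"}
KNOWN_PARAMS = {"KEYRING", "KEYLABEL"} | YES_NO_PARAMS

_STATEMENT = re.compile(r"^\s*([A-Z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_member(text: str) -> Dict[str, str]:
    """Return {KEY: VALUE} for every KEY = VALUE line.

    Blank lines and lines starting with '*' are skipped (assumed comment
    convention). A value enclosed in double quotes has the quotes removed.
    """
    params: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("*"):
            continue
        match = _STATEMENT.match(raw)
        if not match:
            raise ValueError(f"line {lineno}: not a KEY = VALUE statement: {raw!r}")
        key, value = match.group(1), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        params[key] = value
    return params


def split_keyring(value: str) -> Tuple[str, str]:
    """Split a [USERID/]name value into (owner, ring name).

    Assumption: the first slash separates the owner from the ring name, so
    'OWNER/PRODCOMS/custring' yields ('OWNER', 'PRODCOMS/custring').
    """
    owner, sep, name = value.partition("/")
    if not sep:
        return "", value  # no owner given: ring belongs to the current user
    return owner, name


def build_keyring_value(owner: str, ring_name: str) -> str:
    """Compose a KEYRING value, enforcing the rule that a ring name
    containing a slash must always be prefixed with its owning user ID."""
    if "/" in ring_name and not owner:
        raise ValueError(
            f"ring name {ring_name!r} contains '/', so the owning user ID is required"
        )
    return f"{owner}/{ring_name}" if owner else ring_name


def check_params(params: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    findings: List[str] = []
    for required in ("KEYRING", "KEYLABEL"):
        if not params.get(required):
            findings.append(f"{required} is missing or empty")
    keyring = params.get("KEYRING", "")
    if keyring.count("/") == 1:
        # Ambiguous: USERID/name, or a slash-containing ring name without owner?
        owner, name = split_keyring(keyring)
        findings.append(
            f"KEYRING {keyring!r} is read as owner {owner!r} and ring {name!r}; "
            "if the ring name itself contains a slash, prefix it with the owning user ID"
        )
    for key in sorted(YES_NO_PARAMS):
        value = params.get(key)
        if value is not None and value.upper() not in ("YES", "NO"):
            findings.append(f"{key} must be YES or NO, got {value!r}")
    for key in params:
        if key not in KNOWN_PARAMS:
            findings.append(f"{key} is not documented here and was not checked")
    return findings


# Constructed sample input: the SSLKEY00 member as shown on this page.
SAMPLE_MEMBER = """\
* sample DD BSSOSEC parameters (comment line assumed by this example)
KEYRING = BETA-RING
KEYLABEL = "BSA_ZOS_COMSVR"
SHOWCERT = YES
SHOWPARAM = YES
"""

if __name__ == "__main__":
    parsed = parse_member(SAMPLE_MEMBER)
    for finding in check_params(parsed) or ["no findings"]:
        print(finding)
```

Run the module directly to check a member pasted into SAMPLE_MEMBER, or import parse_member and check_params and feed them the text of any member read from disk. SHOWCERT=YES is deliberately not flagged: writing the server and client certificates to the system log is a documented diagnostic option, but operators should remember that the log then carries certificate material.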
Specifies an LDAP server host name. Each host name can carry an optional port number, separated from the host name by a colon (max. 1023 characters). The LDAP server is used to obtain CA certificates when a certificate is being validated and the local database does not contain the required certificate. If no LDAP server is specified, the local database must contain all required certificates.
Even when an LDAP server is used, root CA certificates must be located in the local database, since the LDAP server is not a trusted data source. The LDAP server is also used to obtain certificate revocation lists (CRLs).
Indicates the distinguished name to be used when connecting to the LDAP server.
Specifies the password to use when connecting to the LDAP server.
The following parameters define which protocols the BSA CI accepts. To reduce exposure to the POODLE attack, fallback to SSL3 is disabled by default. TLSV11 and TLSV12 are available as of z/OS V2.1, or via PTF for z/OS V1.13.
Format: [YES | NO], default: NO
Format: [YES | NO], default: YES
Format: [YES | NO], default: NO
Format: [YES | NO], default: NO