Creating and customizing a member for key ring and other parameters

Key ring/key label in DD BSSOSEC

To be able to use SSL for communication, the BSA CI in question needs at least one server certificate for authentication. The server certificate and other relevant certificates (like client certificates) are stored in a key ring file. The key ring file is generally located in the z/OS security system, for example, RACF. A label assigned to the server certificate is also stored in the security system.

The name and location of the key ring and the other parameters needed to control the BSA CI are defined in DD BSSOSEC by default. You can define a different DD name in the LST parameter Bnn_TCPIP_SSL_PORT_[app]. If you work with multiple key rings, code multiple DD statements in the JCL of the BSA CI and assign each DD name to the corresponding port via Bnn_TCPIP_SSL_PORT_[app] (see "LST parameters for BSA CI").

Example

An example of how to use these parameters can be found in member SSLKEY00 in BSA.SAMPLIB:

KEYRING = BETA-RING
KEYLABEL = "BSA_ZOS_COMSVR"
SHOWCERT = YES
SHOWPARAM = YES

Parameters in DD BSSOSEC

The following parameters are defined in DD BSSOSEC:

  • KEYRING

    Name of the key ring containing the server certificate to be used.

    Format: [USERID/]name, where USERID is the user ID that owns the key ring.

    Note: If the key ring name includes a forward slash (for example, "PRODCOMS/custring"), always enter the user ID before the key ring name to avoid definition errors.

  • KEYLABEL

    Name of the key label of the server certificate to be used.

  • SHOWCERT

    The local (server) and partner (client) certificates are output to the system log of the BSA CI.

    Format: [YES | NO], default: NO

  • SHOWPARAM

    The parameters of the DD statement assigned to the respective port are output.

    Format: [YES | NO], default: NO

  • LDAP_SERVER

    Specifies an LDAP server host name. The host name can contain an optional port number, separated from the host name by a colon (max. 1023 characters). The LDAP server is used to obtain CA certificates when validating a certificate and the local database does not contain the required certificate. If no LDAP server is specified, the local database must contain all required certificates.

    Even when an LDAP server is used, root CA certificates must be located in the local database, because the LDAP server is not a trusted data source. The LDAP server is also used to obtain certificate revocation lists (CRLs).

  • LDAP_USER

    Specifies the distinguished name to be used when connecting to the LDAP server.

  • LDAP_USER_PW

    Specifies the password to be used when connecting to the LDAP server.

The following parameters define which protocols the BSA CI accepts. To reduce exposure to the POODLE attack, fallback to SSL3 is disabled by default; setting SUPPORT_SSLV3 to YES removes this protection. TLSV11 and TLSV12 are available as of z/OS V2.1, or via PTF for z/OS V1.13.

  • SUPPORT_SSLV3

    Format: [YES | NO], default: NO

  • SUPPORT_TLSV1

    Format: [YES | NO], default: YES

  • SUPPORT_TLSV11

    Format: [YES | NO], default: NO

  • SUPPORT_TLSV12

    Format: [YES | NO], default: NO
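As an added example (not part of the product documentation or of BSA.SAMPLIB), a small Python lint that parses a BSSOSEC member as described above and flags what a reviewer would check before starting the BSA CI: missing KEYRING or KEYLABEL, an ambiguous slash in the key ring name, invalid YES/NO values, SUPPORT_SSLV3 re-enabled, no protocol version left enabled, and LDAP settings that still require local root CA certificates. The KEYWORD = VALUE parsing and the treatment of lines starting with '*' as comments are assumptions of this example.

```python
# Constructed lint for a DD BSSOSEC member. Keyword names and YES/NO defaults come
# from the parameter description; '*' comment lines are an assumption of this example.
YESNO_DEFAULTS = {"SHOWCERT": "NO", "SHOWPARAM": "NO", "SUPPORT_SSLV3": "NO",
                  "SUPPORT_TLSV1": "YES", "SUPPORT_TLSV11": "NO", "SUPPORT_TLSV12": "NO"}
KNOWN = set(YESNO_DEFAULTS) | {"KEYRING", "KEYLABEL", "LDAP_SERVER", "LDAP_USER", "LDAP_USER_PW"}

def parse_bssosec(text):
    """Parse KEYWORD = VALUE lines; surrounding double quotes are stripped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        params[key.strip().upper()] = value.strip().strip('"')
    return params

def check_bssosec(params):
    """Return ERROR/WARN findings; an empty list means the member looks sane."""
    findings = [f"ERROR: unknown parameter {k}" for k in params if k not in KNOWN]
    for key in ("KEYRING", "KEYLABEL"):
        if not params.get(key):
            findings.append(f"ERROR: {key} is required for SSL")
    ring = params.get("KEYRING", "")
    # Format [USERID/]name: with a single '/' the prefix may be the owner or part of the name.
    if ring.count("/") == 1:
        findings.append(f"WARN: KEYRING {ring!r}: prefix the owner user ID if '/' is part of the ring name")
    flags = {}
    for key, default in YESNO_DEFAULTS.items():
        value = params.get(key, default).upper()
        if value not in ("YES", "NO"):
            findings.append(f"ERROR: {key} must be YES or NO, got {value!r}")
        flags[key] = value == "YES"
    if flags["SUPPORT_SSLV3"]:
        findings.append("WARN: SUPPORT_SSLV3=YES re-enables SSLv3 fallback (POODLE exposure)")
    if not any(v for k, v in flags.items() if k.startswith("SUPPORT_")):
        findings.append("ERROR: no protocol version enabled; no client can connect")
    server = params.get("LDAP_SERVER", "")
    if server:
        host, _, port = server.partition(":")
        if len(server) > 1023 or not host or (port and not (port.isdigit() and 0 < int(port) < 65536)):
            findings.append(f"ERROR: LDAP_SERVER {server!r} is not host[:port] (max. 1023 chars)")
        findings.append("WARN: LDAP_SERVER set; root CA certificates must still be in the local key ring")
    if params.get("LDAP_USER_PW"):
        findings.append("WARN: LDAP_USER_PW holds a cleartext credential; restrict access to the member")
    return findings
```

Run `check_bssosec(parse_bssosec(member_text))` over the member text; the SSLKEY00 sample above yields no findings because SUPPORT_TLSV1 is enabled by default.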