CONNX Supports SSL/TLS connections from the CONNX client to any CONNX server running on the VMS including RMS, RDB, and Codasyl DBMS.

CONNX provides SSL support on OpenVMS Itanium only.

In order to use CONNX with SSL on OpenVMS, the following requirements must be met.

1. The CNXCONNECTBACK setting on the mainframe must be set to 0.   This ensures that the initial encrypted socket connection is the only socket connection.

2. The VMS Server must be Itanium based.

3. A SSL Certificate and Key file are required.

Creating your SSL Certificate and Key file

Use openssl to create your certificate and key file.

CONNX ships with a 64bit OpenSSL command line.  It is located in the OpenSSL directory under the root of your 64bit CONNX installation.

 

Open a command prompt, and navigate to this directory.

Please refer to OpenSSL documentation for details on all of the possible settings when creating keys and certificates.  Here is an example of a self-signed key an certificate creation:

 

openssl req -nodes -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -config openssl.cnf

 

In the above example, key.pem is the private key file, and cert.pem is the certificate file.  Both of these files will be required when configuring the SSL Listener.

 

Enabling SSL for CONNX Servers on OpenVMS

To Enable CONNX SSL support on OpenVMS, the following logical must be present before the CONNX Listener starts:

$define /system CNXLISTENSSL 1

 

Transfer your SSL Certificate and key to OpenVMS using FTP.

Define two logicals that will point CONNX to the certificate and key called SSLCERT and SSLKEY.

$define /system SSLCERT dka0:[myuser]CERT.PRM

$define /system SSLKEY dka0:[myuser]KEY.PRM

 

 

These logicals must be defined at the system level.  In order to start some listeners with SSL support and some without, omit defining the CNXLISTENSSL logical at the system level, and instead start the SSL listener(s) with @cnxsvr startssl.

Once the logicals are in place the CONNX Listener must be restarted.

 

On the client side, the CONNX data dictionary must be configured to use SSL to connect to the server.

 

On the import dialog for RMS, RDB, and Codasyl DBMS, there is a checkbox "Use TLS/SSL"

Once SSL has been configured for the VMS listener, select the "Use TLS/SSL" button.

 

If you have an existing data dictionary, and you want to enable SSL for one or more databases in the CDD, there is also a "Use TLS/SSL" checkbox at the database panel for any database that supports SSL.

Use this checkbox to enable/disable SSL for the specified database connection.

 

 

It is possible to configure some databases in the CDD to use SSL, and others without SSL.