Setting SSL/TLS encrypted communications
The sample IPVCONFG configuration file member has TLS 1.2 encrypted communications active with the following line under the CONFIG=DEFAULT section:
SSL_REQUIRED=YES
To use other versions of TLS, see Configuration file keyword descriptions for additional values that can be specified for the SSL_REQUIRED keyword. If TLS encryption is not required in your environment, comment out this line and uncomment the next line (or alter your existing line to SSL_REQUIRED=NO). If TLS is required, replace SSL_REQUIRED=YES with SSL_REQUIRED=TLSVxxx, where TLSVxxx is one of the supported TLS versions listed in the description of SSL_REQUIRED in Configuration file keyword descriptions.
If using a SAF keyring and not using AT-TLS, uncomment and modify the SSL_KEYRING line. The SSL_LABEL line should also be uncommented and modified if the certificate you generate does not have a label of 'ADFzCC Server Certificate'.
To use a certificate in a keyring, the user ID of the server task or job, as well as the user IDs that connect to the server, must be permitted UPDATE access to the IRR.DIGTCERT.LISTRING profile and CONTROL access to the IRR.DIGTCERT.GENCERT profile in the FACILITY class, so that the certificate can be shared among the users of the common server.
For RACF® users, a keyring and certificate can be created by the following example commands. Note that the minimum key size when using TLS 1.3 is 2048.
RACDCERT ID(IPVSRV) ADDRING(RINGA)
RACDCERT GENCERT SITE SIZE(2048) -
  SUBJECTSDN( -
    CN('Common Server') -
    OU('ADL') -
    O('ADL') -
    C('AU')) -
  WITHLABEL('ADFzCC Server Certificate')
RACDCERT ID(IPVSRV) -
  CONNECT(SITE LABEL('ADFzCC Server Certificate') -
    RING(RINGA) USAGE(PERSONAL) -
    DEFAULT)
SETR REFR RACL(DIGTCERT)
In this example, IPVSRV is used for the user ID of the ADFzCC server task.
Note that the generated certificate must be a SITE certificate. This is because multiple users will need access to the certificate. An alternative to SITE certificates is to use AT-TLS. See Using AT-TLS for encrypted communications for more information.
Updating the server config to include SSL_KEYRING=IPVSRV/RINGA would use the above generated certificate. These commands serve as a working example only and should be updated as desired to match your needs. RACDCERT commands are documented in the z/OS® Security Server RACF® Command Language Reference.
PERMIT CSF* CLASS(CSFSERV) ID(groupid) ACCESS(READ)
For more details see the Cryptographic Services ICSF Administrator's Guide.
If you wish to specify a cipher string or TLS key shares for the System SSL component to use, you can do this by modifying the server JCL to specify environment variables via the STDENV DD statement as required. The sample server JCL member IPVSRV1 includes an example of specifying GSK_V3_CIPHER_SPECS_EXPANDED and GSK_SERVER_TLS_KEY_SHARES via STDENV.
Considerations when using TLS 1.3
There are two ways to configure TLS 1.3 for communication between clients and the ADFzCC server. The first is to specify SSL_REQUIRED=TLSV1.3 and ATTLS=NO in your server configuration parameters. This method causes the server to use its own built-in support for TLS 1.3.
When using this method, you must specify values for GSK_V3_CIPHER_SPECS_EXPANDED and GSK_SERVER_TLS_KEY_SHARES in your server startup proc. For more information on cipher specs and key share groups that can be used with TLS V1.3, see https://www.ibm.com/docs/en/zos/2.4.0?topic=protocols-required-updates-enable-tls-v13-protocol-support.
The second method is to specify SSL_REQUIRED=TLSV1.3 and ATTLS=YES in your server configuration. This method causes the server to offload the encryption work to ATTLS, and can work with both version 14 and version 15 clients. For more information on using AT-TLS, see Using AT-TLS for encrypted communications.
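The keyword rules above (SSL_REQUIRED, SSL_KEYRING and SSL_LABEL in the configuration member, and the two GSK_ environment variables that built-in TLS 1.3 needs in STDENV) can be checked mechanically before the server is started. The following linter is an added example, not part of the ADFzCC documentation or product. It assumes a KEYWORD=VALUE line format with CONFIG=<name> lines introducing sections, '*' as the comment character, and STDENV supplied as NAME=VALUE lines; these conventions and the sample member contents are constructed for the example.

```python
"""Added example (not from the ADFzCC documentation): check an IPVCONFG-style
configuration member and its STDENV lines against the TLS rules on this page.

Assumed (constructed) conventions:
  - configuration lines are KEYWORD=VALUE, one per line;
  - a section starts with a CONFIG=<name> line; lines before any CONFIG= line
    are treated as belonging to DEFAULT;
  - comment lines start with '*';
  - STDENV is supplied as plain NAME=VALUE lines.
"""
from typing import Dict, List

# Versions assumed for the example; the documented list is in
# "Configuration file keyword descriptions".
SUPPORTED_TLS = {"TLSV1.2", "TLSV1.3"}

# Environment variables the page says built-in TLS 1.3 requires in STDENV.
TLS13_ENV_VARS = ("GSK_V3_CIPHER_SPECS_EXPANDED", "GSK_SERVER_TLS_KEY_SHARES")


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section_name: {KEYWORD: VALUE}}, skipping '*' comment lines."""
    sections: Dict[str, Dict[str, str]] = {}
    current = "DEFAULT"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().upper(), value.strip()
        if key == "CONFIG":
            current = value.upper()
            sections.setdefault(current, {})
            continue
        sections.setdefault(current, {})[key] = value
    return sections


def parse_env(text: str) -> Dict[str, str]:
    """Parse NAME=VALUE lines as they would appear in the STDENV DD."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        env[name.strip()] = value.strip()
    return env


def check_tls(cfg: Dict[str, str], env: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the TLS settings are consistent."""
    findings: List[str] = []
    ssl_required = cfg.get("SSL_REQUIRED", "NO").upper()
    attls = cfg.get("ATTLS", "NO").upper()

    if ssl_required == "NO":
        findings.append("SSL_REQUIRED=NO: client connections are not encrypted")
        return findings
    if ssl_required != "YES" and ssl_required not in SUPPORTED_TLS:
        findings.append(f"SSL_REQUIRED={ssl_required}: not a recognised TLS version")

    if attls == "NO":
        # Built-in System SSL: the server needs a SAF keyring (userid/ringname).
        keyring = cfg.get("SSL_KEYRING", "")
        if not keyring:
            findings.append("ATTLS=NO but SSL_KEYRING is not set")
        elif "/" not in keyring:
            findings.append(f"SSL_KEYRING={keyring}: expected userid/ringname")
        # Built-in TLS 1.3 additionally needs cipher specs and key shares in STDENV.
        if ssl_required == "TLSV1.3":
            for var in TLS13_ENV_VARS:
                if not env.get(var):
                    findings.append(f"TLSV1.3 with ATTLS=NO requires {var} in STDENV")
    return findings


def lint(config_text: str, env_text: str = "") -> List[str]:
    """Convenience wrapper: check the DEFAULT section of a member."""
    cfg = parse_config(config_text).get("DEFAULT", {})
    return check_tls(cfg, parse_env(env_text))


# Constructed sample members for demonstration.
GOOD_CONFIG = """\
CONFIG=DEFAULT
SSL_REQUIRED=TLSV1.3
ATTLS=NO
SSL_KEYRING=IPVSRV/RINGA
SSL_LABEL=ADFzCC Server Certificate
"""
GOOD_ENV = """\
GSK_V3_CIPHER_SPECS_EXPANDED=<placeholder cipher list>
GSK_SERVER_TLS_KEY_SHARES=<placeholder key share list>
"""
WEAK_CONFIG = """\
CONFIG=DEFAULT
* SSL_REQUIRED=YES
SSL_REQUIRED=NO
"""

if __name__ == "__main__":
    for name, cfg, env in (("good", GOOD_CONFIG, GOOD_ENV),
                           ("no STDENV", GOOD_CONFIG, ""),
                           ("weak", WEAK_CONFIG, "")):
        print(name, lint(cfg, env) or "OK")
```

Run it against a copy of the member and the STDENV lines; anything it reports maps directly to a sentence on this page (SSL_REQUIRED=NO disables encryption, ATTLS=NO needs SSL_KEYRING in userid/ringname form, and built-in TLS 1.3 needs both GSK_ variables). The checker deliberately stops at the first finding for SSL_REQUIRED=NO, since the remaining rules are moot when TLS is off.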