Setting SSL encrypted communications

The sample IPVCONFG configuration file member has SSL encrypted communications active with the following line under the CONFIG=DEFAULT section:

SSL_REQUIRED=YES

If SSL encryption is not required in your environment, comment out this line and uncomment the next line (or alter your existing line to SSL_REQUIRED=NO). If SSL is required, replace SSL_REQUIRED=YES with SSL_REQUIRED=TLSVxxx, where TLSVxxx is one of the supported TLS versions listed in the description of the SSL_REQUIRED keyword in Configuration file keyword descriptions.

If using a SAF keyring and not using AT-TLS, uncomment and modify the SSL_KEYRING line. The SSL_LABEL line should also be uncommented and modified if the certificate you generate does not have a label of 'ADFzCC Server Certificate'.
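The SSL_REQUIRED, SSL_KEYRING and SSL_LABEL settings described above can be checked mechanically before the server is started. The following is an added example written for this page, not IBM code, and it makes assumptions the page does not state: keyword lines have the form KEY=VALUE, a section begins at a CONFIG=name line, and a line whose first non-blank character is `*` or `#` is a comment. The sample member is constructed for the example; it is not the shipped IPVCONFG member.

```python
"""Audit the SSL keywords of an ADFzCC-style server configuration member.

Added example, not IBM code.  Assumptions (not taken from the page):
keyword lines are KEY=VALUE, sections start at CONFIG=name, and a line
whose first non-blank character is '*' or '#' is a comment.
"""

import re

# Constructed sample member, modelled on the page's description of IPVCONFG.
SAMPLE_MEMBER = """\
* Constructed sample, not the shipped IPVCONFG member
CONFIG=DEFAULT
SSL_REQUIRED=YES
* SSL_REQUIRED=NO
SSL_KEYRING=IPVSRV/RINGA
* SSL_LABEL=ADFzCC Server Certificate
"""

COMMENT_CHARS = ("*", "#")                        # assumption, see docstring
DEFAULT_LABEL = "ADFzCC Server Certificate"       # default label named on the page
# SSL_KEYRING value is expected as userid/ringname (RACF user IDs are 1-8 chars).
KEYRING_RE = re.compile(r"^[A-Za-z0-9@#$]{1,8}/[^\s/]+$")


def parse_member(text):
    """Return {section: {KEY: VALUE}} built from the active (non-comment) lines."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(COMMENT_CHARS):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue                              # not a keyword line, ignore
        key, value = key.strip().upper(), value.strip()
        if key == "CONFIG":
            current = value.upper()
            sections.setdefault(current, {})
            continue
        sections.setdefault(current, {})[key] = value
    return sections


def effective_label(cfg):
    """Label the server will use: SSL_LABEL if active, else the documented default."""
    return cfg.get("SSL_LABEL", DEFAULT_LABEL)


def audit_ssl(text, section="DEFAULT", using_at_tls=False):
    """Return a list of findings; an empty list means the SSL settings look sane."""
    cfg = parse_member(text).get(section, {})
    findings = []
    required = cfg.get("SSL_REQUIRED", "").upper()
    if required in ("", "NO"):
        findings.append("SSL_REQUIRED is NO or absent: client traffic is unencrypted")
        return findings
    if required != "YES" and not required.startswith("TLSV"):
        findings.append(f"SSL_REQUIRED={required!r} is not YES or a TLSVxxx value")
    if not using_at_tls:
        # Without AT-TLS the server needs a SAF keyring to find its certificate.
        keyring = cfg.get("SSL_KEYRING")
        if keyring is None:
            findings.append("SSL_KEYRING is commented out but AT-TLS is not in use")
        elif not KEYRING_RE.match(keyring):
            findings.append(f"SSL_KEYRING={keyring!r} is not of the form userid/ringname")
    return findings


if __name__ == "__main__":
    cfg = parse_member(SAMPLE_MEMBER)["DEFAULT"]
    print("label in effect:", effective_label(cfg))
    print("findings:", audit_ssl(SAMPLE_MEMBER) or "none")
```

Run it against the real member text with `audit_ssl(open(path).read())`; pass `using_at_tls=True` when the keyring is supplied through AT-TLS policy rather than SSL_KEYRING, since the keyring keyword is then expected to stay commented out.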

To use a certificate in a keyring, the user ID of the server task or job, as well as the user IDs connecting to the server, must be permitted UPDATE access to the IRR.DIGTCERT.LISTRING resource and CONTROL access to the IRR.DIGTCERT.GENCERT resource in the FACILITY class, so that the certificate can be shared amongst users of the common server.

For RACF® users, a keyring and certificate can be created by the following example commands.

RACDCERT ID(IPVSRV) ADDRING(RINGA)
RACDCERT GENCERT SITE SIZE(2048)                          -
         SUBJECTSDN(                                      -
           CN('Common Server')                            -
           OU('ADL')                                      -
           O('ADL')                                       -
           C('AU'))                                       -
         WITHLABEL('ADFzCC Server Certificate')
RACDCERT ID(IPVSRV)                                       -
         CONNECT(SITE LABEL('ADFzCC Server Certificate')  -
         RING(RINGA) USAGE(PERSONAL)                      -
         DEFAULT)
SETR REFR RACL(DIGTCERT)

In this example, IPVSRV is used for the user ID of the ADFzCC server task.

Note that the generated certificate must be a SITE certificate. This is because multiple users will need access to the certificate. An alternative to SITE certificates is to use AT-TLS. See Using AT-TLS for encrypted communications for more information.

Updating the server config to include SSL_KEYRING=IPVSRV/RINGA makes the server use the certificate generated above. These commands serve as a working example only and should be updated to match your needs. RACDCERT commands are documented in the z/OS® Security Server RACF® Command Language Reference.

If you are using ICSF and have protected resources through the CSFSERV facility class, the server user or group ID needs to be permitted to the resource, for example:

PERMIT  CSF*  CLASS(CSFSERV)                              -
        ID(groupid)  ACCESS(READ)

For more details see the Cryptographic Services ICSF Administrator's Guide.

If you wish to specify a cipher string for the System SSL component to use, you can do this by modifying the server JCL to specify an ENVAR(GSK_V3_CIPHER_SPECS=xx) or ENVAR(GSK_V3_CIPHER_SPECS_EXPANDED=xx) as required. The sample server JCL member IPVSRV1 includes an example format of the above.