Setting up encryption
The agent for z/OS uses TCP/IP to connect to Db2® on z/OS, the Profile Service in IBM z/OS Debugger, and Rational® Test Control Panel. You can set up TLS encryption on each of these connections. The connection to Rational® Test Control Panel is encrypted by default.
Procedure
- Obtain a copy of the certificate authority (CA) certificate, which was used to sign the certificate used by Db2® for z/OS.
This certificate can be a publicly available certificate authority certificate, or it can be that your site uses a privately administered CA. Your security administrator can provide more information.
-
Create an Identity Store (keystore) that must be used by the Db2® transport, and then import the CA certificate in Rational®
Integration Tester.
If you encrypt the connection to Db2® on z/OS, and you must also choose to use Db2® as your simulation database, then you must import the CA certificate with which your simulation Db2® instance was signed into your keystore.
-
Create a text file that contains the following property:
db2.jcc.override.sslConnection=true
-
Open the zosagent.ini file for editing, and then add the following properties at the end of the file:
-Ddb2.jcc.propertiesFile=fully/qualified/path/to/text/file/containing/property
-Djavax.net.ssl.trustStore=fully/qualified/path/to/truststore/containing/server/CA/certificate
-Djavax.net.ssl.trustStorePassword=trustStorepassword
-
Decide how you want to set up encryption for the connection to the Profile Service in IBM z/OS Debugger from the following descriptions.
- Select Trust All for Server certificates to trust on the database driver z/OS tab. When you select Trust All, you do not provide the Agent for z/OS with the certificate authority certificate, which was used to sign the Profile Service certificate.
- If you do not want to select Trust All, you must perform the following steps to encrypt the messages between the Agent for z/OS and the Profile Service:
- Obtain a copy of the certificate authority (CA) certificate, which was used to sign the certificate used by the Profile Service.
This certificate can be a publicly available certificate authority certificate, or it can be that your site uses a privately administered CA. Your security administrator can provide more information.
- Within the same Rational®
Integration Tester Identity Store (keystore) used to store the Db2® CA certificate, import the CA certificate that was used to sign the Profile Service certificate. Note: If the Profile Service certificate and the Db2® certificates were signed by using the same CA certificate, skip this step.
- If you did not set up the agent to use the Rational® Integration Tester Identity Store, perform steps 3 and 4 in this task to set up encryption of the Db2® connection.
- Obtain a copy of the certificate authority (CA) certificate, which was used to sign the certificate used by the Profile Service.