Setting up encryption

The agent for z/OS uses TCP/IP to connect to Db2® on z/OS, the Profile Service in IBM z/OS Debugger, and Rational® Test Control Panel. You can set up TLS encryption on each of these connections. The connection to Rational® Test Control Panel is encrypted by default.

Procedure

  1. Obtain a copy of the certificate authority (CA) certificate that was used to sign the certificate used by Db2® for z/OS.

    This certificate can come from a publicly available certificate authority, or your site might use a privately administered CA. Your security administrator can provide more information.

  2. Create an Identity Store (keystore) to be used by the Db2® transport, and then import the CA certificate in Rational® Integration Tester.

    If you encrypt the connection to Db2® on z/OS and you also choose to use Db2® as your simulation database, then you must also import into your keystore the CA certificate that was used to sign your simulation Db2® instance.

  3. Create a text file that contains the following property:
    db2.jcc.override.sslConnection=true
  4. Open the zosagent.ini file for editing, and then add the following properties at the end of the file:

    -Ddb2.jcc.propertiesFile=fully/qualified/path/to/text/file/containing/property

    -Djavax.net.ssl.trustStore=fully/qualified/path/to/truststore/containing/server/CA/certificate

    -Djavax.net.ssl.trustStorePassword=trustStorepassword

  5. Choose one of the following options to set up encryption for the connection to the Profile Service in IBM z/OS Debugger.
    • Select Trust All for Server certificates to trust on the database driver z/OS tab. When you select Trust All, you do not provide the Agent for z/OS with the certificate authority certificate that was used to sign the Profile Service certificate.
    • If you do not want to select Trust All, you must perform the following steps to encrypt the messages between the Agent for z/OS and the Profile Service:
      1. Obtain a copy of the certificate authority (CA) certificate that was used to sign the certificate used by the Profile Service.

        This certificate can come from a publicly available certificate authority, or your site might use a privately administered CA. Your security administrator can provide more information.

      2. Within the same Rational® Integration Tester Identity Store (keystore) used to store the Db2® CA certificate, import the CA certificate that was used to sign the Profile Service certificate.
        Note: If the Profile Service certificate and the Db2® certificates were signed by using the same CA certificate, skip this step.
      3. If you did not set up the agent to use the Rational® Integration Tester Identity Store, perform steps 3 and 4 in this task to set up encryption of the Db2® connection.
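
The following shell function checks the settings that steps 3 and 4 put in place. It is an added example, not part of the product or its documentation. The function names `ini_value` and `check_zosagent_tls` are hypothetical, and the test that the ini file is not world-readable is a hardening check that this example assumes.

```shell
#!/bin/sh
# Added example: verify the TLS settings from steps 3 and 4 of the procedure.

# Print the value of the last "-D<name>=<value>" line in an ini file.
# $1 = ini file, $2 = property name written as a regex (dots escaped)
ini_value() {
    sed -n "s/^[[:space:]]*-D$2=//p" "$1" | tail -n 1 | tr -d '\r'
}

# Return 0 when every check passes, 1 when any fails, 2 if the ini is unreadable.
check_zosagent_tls() {
    ini=$1
    rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    [ -r "$ini" ] || { echo "cannot read $ini" >&2; return 2; }

    props=$(ini_value "$ini" 'db2\.jcc\.propertiesFile')
    store=$(ini_value "$ini" 'javax\.net\.ssl\.trustStore')
    pass=$(ini_value "$ini" 'javax\.net\.ssl\.trustStorePassword')

    # Step 3: the properties file must exist and switch TLS on for the driver.
    if [ -z "$props" ]; then
        fail "-Ddb2.jcc.propertiesFile is not set"
    elif [ ! -r "$props" ]; then
        fail "properties file not readable: $props"
    elif ! grep -Eq '^[[:space:]]*db2\.jcc\.override\.sslConnection[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$props"; then
        fail "db2.jcc.override.sslConnection=true not found in $props"
    fi

    # Step 4: the truststore must exist and a password must be supplied.
    if [ -z "$store" ]; then
        fail "-Djavax.net.ssl.trustStore is not set"
    elif [ ! -r "$store" ]; then
        fail "truststore not readable: $store"
    fi
    [ -n "$pass" ] || fail "-Djavax.net.ssl.trustStorePassword is not set"

    # Hardening check assumed by this example: the ini holds the truststore
    # password in clear text, so it should not be world-readable.
    if [ -n "$(find "$ini" -prune -perm -004 2>/dev/null)" ]; then
        fail "$ini is world-readable but contains the truststore password"
    fi
    return $rc
}
```

Call it as `check_zosagent_tls /path/to/zosagent.ini`; each failed check is reported on standard error.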