BlueZone Security

Chapter 8

How to Enable SSL on z/OS

A few basic tasks are described in detail once and are then referenced from the various configuration scenarios.  This document is based on z/OS 1.4 and 1.5.  The program gskkyman is documented in System SSL Programming V1R4.0 SC24-5901-03; an online copy of the document can be found at:

http://publibfp.boulder.ibm.com/cgi-bin/bookmgr/BOOKS/gska1a21/CCONTENTS

Steps Required for Creating Certificates: the four sections that follow (key database, signing CA, server certificate, client certificate).

Steps Required to Implement SSL: the scenario sections after them (Telnet, FTP, Express Logon, CICS), each of which refers back to the certificate sections.


Create an HFS KEYRING File

  1. Enter the OMVS environment

  2. Create a directory for all SSL objects and change to that directory

  3. Enter the command: gskkyman

  4. Option 1 – Create a new database

  5. Enter a name for it like key.kdb

  6. Enter a password twice

  7. Enter a password expiration value

  8. Enter database record length, use 2500

  9. Option 10 – Store the database password in a stash file (key.sth, next to key.kdb). The Telnet and FTP servers configured later open key.kdb unattended using this file, so restrict its permissions: anyone who can read it can open the key database and use the server's private key.

  10. Database is ready for use


Create a Self-signed Certificate if a Trusted CA is Not Available

  1. Option 6 – Create a Self-signed Certificate

  2. Select one of the CA certificate types like 1 – CA with 1024 RSA key. (1024-bit RSA was the default in this release; choose the largest key size the menu offers, since 1024-bit RSA is no longer considered adequate.)

  3. Enter a label like: SigningCA

  4. Enter certificate information:

    1. Common name like Signing Certificate

    2. Organization Unit like Seagull Software

    3. Organization like PD

    4. City

    5. State

    6. Country

    7. Number of days certificate will be valid (1 – 9999)

  5. Option 1 – Manage Keys and Certificates

  6. Select SigningCA

  7. Option 7 – Export Certificate and Key. Only the CA's certificate is needed on the PC (the browser just has to trust it), so if the menu offers a certificate-only export, as Option 6 does in the client section below, prefer it and keep the CA's private key on the host. The steps below follow the PKCS #12 export as written.

  8. Option 3 or 4 PKCS #12 version 3

  9. File name SigningCA.p12

  10. Enter password twice

  11. Enter 0 for export encryption (the weaker, export-grade cipher for the PKCS #12 wrapper, chosen for browser compatibility; delete the .p12 from the PC once it has been imported)

  12. Change to your PC

  13. FTP the p12 file to the PC using Binary if option 3 was used to export or ASCII if option 4 was used.

  14. Open a browser like IE:

    1. Tools->Internet Options…

    2. Contents tab

    3. Certificates button

    4. Import…

    5. Next

    6. Select file that was FTP'ed to the PC

    7. Next

    8. Enter the certificate password. Select Mark this key as exportable only if the key must later be exported from this PC again; for a trust-only import of the CA certificate it can stay unchecked.

    9. Next

    10. Place in the Trusted Root Certification Authorities store (this is what makes the browser accept certificates signed by SigningCA)

    11. Next

    12. Finish


Create a Server Certificate

  1. Option 4 – Create New Certificate Requests

  2. Select one of the certificate types like 1 – 1024 RSA key. A server certificate is an end-entity certificate, not a CA, and as with the signing CA prefer the largest key size offered.

  3. Request file name like Server.arm

  4. Enter certificate information:

    1. Common name like Server Certificate

    2. Organization Unit like Seagull Software

    3. Organization like PD

    4. City

    5. State

    6. Country

  5. Exit gskkyman

  6. Sign the request with the signing CA by issuing (-l names the signing certificate, -x the validity in days):

gskkyman -g -x 360 -cr Server.arm -ct Server.cer -k yourkey.kdb -l SigningCA

  1. Enter yourkey.kdb password

  2. gskkyman

  3. Option 2 – Open Database

  4. Yourkey.kdb

  5. Enter password

  6. Option 5 – Receive Requested Certificate

  7. Enter the name of the certificate: Server.cer


Create a Client Certificate

  1. Option 4 – Create New Certificate Requests

  2. Select one of the certificate types like 1 – 1024 RSA key. A client certificate is an end-entity certificate, not a CA.

  3. Request file name like Client.arm

  4. Enter certificate information:

    1. Common name like Client Certificate

    2. Organization Unit like Seagull Software

    3. Organization like PD

    4. City

    5. State

    6. Country

  5. Exit gskkyman

  6. Sign the request by issuing:

gskkyman -g -x 360 -cr Client.arm -ct Client.cer -k yourkey.kdb -l SigningCA

  1. Enter yourkey.kdb password

  2. gskkyman

  3. Option 2 – Open Database

  4. Yourkey.kdb

  5. Enter password

  6. Option 5 – Receive Requested Certificate

  7. Enter the name of the certificate: Client.cer

  8. Option 1 – Manage Keys and Certificates

  9. Select Client

  10. Option 7 – Export Certificate and Key or Option 6 – No Key

  11. Option 3 or 4 PKCS #12 version 3 (if option 6 it will be PKCS #7)

  12. File name Client.p12

  13. Enter password twice

  14. Enter 0 for export encryption

  15. Change to your PC

  16. FTP the p12 file to the PC using Binary if option 3 was used to export or ASCII if option 4 was used.

  17. Open a browser like IE:

    1. Tools->Internet Options…

    2. Contents tab

    3. Certificates button

    4. Import…

    5. Next

    6. Select file that was FTP'ed to the PC

    7. Next

    8. Enter certificate password and select Mark this key as exportable checkbox.

    9. Next

    10. Place in Personal store

    11. Next

    12. Finish

  18. In BlueZone Open the Configuration dialog:

    1. On the MenuBar select Session:Configure:Configure

    2. Select the Security tab and check the Enable Secure Sockets Layer checkbox

    3. Select SSL v3 (the version this release offers; SSL v3 is now deprecated and breakable, so on current systems select TLS wherever both BlueZone and the z/OS server support it)

    4. Select the Certificate tab and select Client Certificate in Disk File

    5. Browse and select Client.p12 file

  19. FTP Client.p12 back to the mainframe in binary mode, into a variable-length (RECFM=VB) sequential MVS dataset, which is the format RACDCERT ADD reads

  20. Go back to the mainframe

  21. Go to ISPF 6 to enter a TSO command

  22. Enter the RACF command (USERID is the user the certificate should log on as; TRUST makes the certificate usable for authentication, and this registration is what CLIENTAUTH SAFCERT and SECURE_LOGIN VERIFY_USER check against):

RACDCERT ID(USERID) ADD('USERID.CLIENT.P12') TRUST WITHLABEL('Client') PASSWORD('xxxxxxxx')
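The transfer-mode rule used in this section and in the signing-CA section (Binary for an Option 3 export, ASCII for an Option 4 export) is where these exports most often go wrong, and the only symptom is a failed import on the PC or a failed RACDCERT ADD. The Python script below is an added example, not part of the BlueZone chapter or of any IBM tool: it classifies a received file as intact DER, intact base64, still-EBCDIC base64 (an Option 4 export sent in binary mode, which it can recover by decoding) or corrupt (an Option 3 export sent in ASCII mode, which must be re-sent). It assumes the host code page is cp037 and that the base64 export is either bare base64 or wrapped in PEM-style BEGIN/END lines; the DER sample and the damaged variants are constructed in the script.

```python
"""Check that a certificate or PKCS #12 file survived the FTP transfer intact.

Added example for this chapter; it is not BlueZone or IBM code.  gskkyman's
export is either binary DER (Option 3: move it with FTP BINARY) or base64
text (Option 4: move it with FTP ASCII).  A file moved in the wrong mode
will not import: a binary export sent in ASCII mode has EBCDIC-to-ASCII
translation applied to raw bytes, and a base64 export sent in BINARY mode
arrives still in EBCDIC.  This check classifies the received file and, for
the recoverable case, returns the DER bytes to write out.
"""
import base64
import binascii
import re
import sys

# Constructed sample: a minimal DER SEQUENCE (tag 0x30) with a 256-byte body,
# which forces the two-byte long-form length encoding 0x82 0x01 0x00.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"\xAA" * 256

_PEM_RE = re.compile(rb"-----BEGIN [A-Z0-9 #]+-----(.*?)-----END [A-Z0-9 #]+-----", re.S)
_B64_RE = re.compile(rb"^[A-Za-z0-9+/=\s]+$")


def der_total_length(data):
    """Total encoded length of the first DER element, or None if the header is
    not a well-formed SEQUENCE.  X.509 certificates and PKCS #12 files both
    start with SEQUENCE (0x30), so header + body length must equal the file
    size for an intact file."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def _decode_text(text):
    """Decode PEM-wrapped or bare base64 text to DER; None if it is not base64."""
    m = _PEM_RE.search(text)
    body = m.group(1) if m else text
    if not _B64_RE.match(body):
        return None
    try:
        return base64.b64decode(body, validate=False)   # whitespace is skipped
    except (binascii.Error, ValueError):
        return None


def _is_intact_der(der):
    return der is not None and der_total_length(der) == len(der)


def classify(data):
    """'der'     intact binary export (BINARY transfer was right)
       'base64'  base64 text that decodes to intact DER (ASCII transfer was right)
       'ebcdic'  base64 export sent in BINARY mode: still EBCDIC, recoverable
       'corrupt' anything else, typically a binary export sent in ASCII mode"""
    if _is_intact_der(data):
        return "der"
    if _is_intact_der(_decode_text(data)):
        return "base64"
    # Assumption: the host code page is cp037 (EBCDIC US); adjust if different.
    try:
        as_ascii = data.decode("cp037").encode("ascii")
    except UnicodeError:
        return "corrupt"
    if _is_intact_der(_decode_text(as_ascii)):
        return "ebcdic"
    return "corrupt"


def to_der(data):
    """DER bytes ready for import, or None when the file cannot be recovered
    and must be transferred again in the correct mode."""
    kind = classify(data)
    if kind == "der":
        return bytes(data)
    if kind == "base64":
        return _decode_text(data)
    if kind == "ebcdic":
        return _decode_text(data.decode("cp037").encode("ascii"))
    return None


# Helpers that build the constructed inputs used to exercise the check.
def make_pem(der, label=b"PKCS12"):
    """Base64 wrapper for the samples (the exact header gskkyman writes is an
    assumption; the check accepts any -----BEGIN X----- label or bare base64)."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (b"-----BEGIN " + label + b"-----\n" + b"\n".join(lines)
            + b"\n-----END " + label + b"-----\n")


def to_ebcdic(ascii_text):
    """What a base64 export looks like after a BINARY-mode FTP (no translation)."""
    return ascii_text.decode("ascii").encode("cp037")


def ascii_mode_damage(binary):
    """What a binary export looks like after an ASCII-mode FTP: every byte is
    translated from EBCDIC as if it were text."""
    return binary.decode("cp037", "replace").encode("latin-1", "replace")


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else make_pem(SAMPLE_DER)
    print(classify(data))
```

Run it against the file that arrived on the PC (or, after the FTP back to the host, against a copy of the dataset); a result of ebcdic means the bytes are usable once decoded, while corrupt means translation destroyed binary data and no decoding will bring it back.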


SSL for Telnet Using Server Certificate

  1. Follow - Create an HFS KEYRING File

  2. Follow - Create a Self-signed Certificate if a Trusted CA is Not Available

  3. Follow - Create a Server Certificate

  4. OMVS change to your SSL directory

    1. gskkyman

    2. Option 2 – open database

    3. Enter your database name

    4. Enter password

    5. Option 1 – Manage keys

    6. Select the Server Certificate

    7. Option 3 – Set key as default

  5. Add the following to TCPIP.PROFILE (the TN3270 server opens the HFS key database with the password from the stash file saved in step 9 of Create an HFS KEYRING File, so that file must exist next to key.kdb):

       TelnetParms
         SECUREPORT 992
         KEYRING HFS /ssl/key.kdb
         SSLTIMEOUT 120
       EndTelnetParms


SSL for Telnet Using Client Certificate

  1. Follow - Create an HFS KEYRING File

  2. Follow - Create a Self-signed Certificate if a Trusted CA is Not Available

  3. Follow - Create a Server Certificate, and set it as the default key as in step 4 of the previous scenario

  4. Follow - Create a Client Certificate

  5. Add the following to TCPIP.PROFILE:

       TelnetParms
         SECUREPORT 992
         KEYRING HFS /ssl/key.kdb
         CLIENTAUTH SAFCERT
         SSLTIMEOUT 120
       EndTelnetParms

     CLIENTAUTH SAFCERT requires the client to present a certificate signed by a CA in the key database that is also registered to a user ID in RACF (the RACDCERT ADD in step 22 of Create a Client Certificate); a certificate that is valid but unknown to RACF is rejected.


SSL for FTP Using Server Certificate

  1. Steps 1 – 3 (key database, signing CA, server certificate) were done for telnet; the FTP server uses the same key database and reads its password from the stash file

  2. Modify the FTP configuration dataset, i.e. TCPIP.FTP.DATA, and add:

       EXTENSIONS AUTH_TLS
       SECURE_LOGIN NO_CLIENT_AUTH
       TLSTIMEOUT 500
       KEYRING /ssl/key.kdb
       SECURE_CTRLCONN PRIVATE
       SECURE_DATACONN PRIVATE
       SECURE_FTP REQUIRED
       TLSPORT 0

     SECURE_FTP REQUIRED is what refuses clear-text logins; SECURE_CTRLCONN PRIVATE and SECURE_DATACONN PRIVATE require encryption, not just integrity protection, on the control and data connections.

NOTE  TLSPORT 0 was an undocumented parameter.


SSL for FTP Using Client Certificate *

  1. Steps 1 – 4 (key database, signing CA, server certificate, client certificate) were done for telnet

  2. Modify the FTP configuration dataset, i.e. TCPIP.FTP.DATA, and add:

       EXTENSIONS AUTH_TLS
       SECURE_LOGIN VERIFY_USER
       TLSTIMEOUT 500
       KEYRING /ssl/key.kdb
       SECURE_CTRLCONN PRIVATE
       SECURE_DATACONN PRIVATE
       SECURE_FTP REQUIRED
       TLSPORT 0

     SECURE_LOGIN VERIFY_USER requires the client certificate to be registered in RACF and to belong to the user ID given at login, which is what the RACDCERT ADD in step 22 of Create a Client Certificate sets up.

NOTE  This configuration has not been attempted *
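The Telnet and FTP blocks above are short, but it is easy to end up with a server that negotiates TLS and still accepts unprotected sessions (SECURE_FTP ALLOWED, SECURE_DATACONN CLEAR, or a TelnetParms block with PORT 23 beside SECUREPORT 992). The Python script below is an added example, not part of the BlueZone chapter or of IBM's configuration tooling: it parses the statements listed in the Telnet and FTP sections, treating ';' as the comment character as both PROFILE.TCPIP and FTP.DATA do, and reports what would leave a session unprotected. The weak and hardened sample blocks are constructed here; only statement names and values the chapter itself uses are relied upon.

```python
"""Lint the TN3270 TelnetParms block and the FTP.DATA statements for the
settings this chapter relies on.  Added example: not BlueZone or IBM code.
Both PROFILE.TCPIP and FTP.DATA treat ';' as the start of a comment.
"""
import re

# Constructed samples.  WEAK_* show configurations that still accept
# unprotected sessions; GOOD_* repeat the statements the chapter lists.
WEAK_PROFILE = """\
; TN3270 server listening on the clear-text port only
TelnetParms
  PORT 23
  SSLTIMEOUT 120
EndTelnetParms
"""

GOOD_PROFILE = """\
TelnetParms
  SECUREPORT 992
  KEYRING HFS /ssl/key.kdb
  CLIENTAUTH SAFCERT
  SSLTIMEOUT 120
EndTelnetParms
"""

WEAK_FTP_DATA = """\
EXTENSIONS AUTH_TLS
SECURE_LOGIN NO_CLIENT_AUTH
SECURE_FTP ALLOWED          ; TLS is negotiable, clear-text login still accepted
SECURE_CTRLCONN CLEAR
SECURE_DATACONN CLEAR
"""

GOOD_FTP_DATA = """\
EXTENSIONS AUTH_TLS
SECURE_LOGIN VERIFY_USER
TLSTIMEOUT 500
KEYRING /ssl/key.kdb
SECURE_CTRLCONN PRIVATE
SECURE_DATACONN PRIVATE
SECURE_FTP REQUIRED
TLSPORT 0
"""

_TELNET_BLOCK = re.compile(r"^\s*TELNETPARMS\b.*?$(.*?)^\s*ENDTELNETPARMS\b",
                           re.I | re.M | re.S)


def parse_statements(text):
    """Map KEYWORD -> value (upper-cased) for 'KEYWORD value' lines.  EXTENSIONS
    may be coded more than once, so its values are accumulated."""
    stmts = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        val = parts[1].strip().upper() if len(parts) > 1 else ""
        stmts[key] = (stmts.get(key, "") + " " + val).strip() if key == "EXTENSIONS" else val
    return stmts


def check_telnet(profile_text, require_client_cert=False):
    """Findings for the TelnetParms block of PROFILE.TCPIP; [] means the block
    matches what the chapter configures."""
    m = _TELNET_BLOCK.search(profile_text)
    if not m:
        return ["no TelnetParms block: TN3270 SSL is not configured"]
    p = parse_statements(m.group(1))
    findings = []
    if "SECUREPORT" not in p:
        findings.append("SECUREPORT missing: no SSL listener (the chapter uses 992)")
    if "KEYRING" not in p:
        findings.append("KEYRING missing: the server has no certificate to present")
    if "PORT" in p:
        findings.append("PORT %s: clear-text TN3270 is still accepted on this port" % p["PORT"])
    if require_client_cert and p.get("CLIENTAUTH") != "SAFCERT":
        findings.append("CLIENTAUTH is %r, expected SAFCERT (client certificate must be registered in RACF)"
                        % p.get("CLIENTAUTH", ""))
    return findings


def check_ftp(ftp_data_text, require_client_cert=False):
    """Findings for FTP.DATA; [] means the statements match the chapter."""
    p = parse_statements(ftp_data_text)
    findings = []
    if "AUTH_TLS" not in p.get("EXTENSIONS", "").split():
        findings.append("EXTENSIONS AUTH_TLS missing: TLS cannot be negotiated")
    if "KEYRING" not in p:
        findings.append("KEYRING missing: the server has no certificate to present")
    if p.get("SECURE_FTP") != "REQUIRED":
        findings.append("SECURE_FTP is %r, expected REQUIRED (clear-text logins are otherwise still accepted)"
                        % p.get("SECURE_FTP", ""))
    for stmt in ("SECURE_CTRLCONN", "SECURE_DATACONN"):
        if p.get(stmt) != "PRIVATE":
            findings.append("%s is %r, expected PRIVATE (commands or file data may be sent unencrypted)"
                            % (stmt, p.get(stmt, "")))
    if require_client_cert and p.get("SECURE_LOGIN") not in ("VERIFY_USER", "REQUIRED"):
        findings.append("SECURE_LOGIN is %r, expected VERIFY_USER (or REQUIRED) for client certificates"
                        % p.get("SECURE_LOGIN", ""))
    return findings


if __name__ == "__main__":
    for name, result in (("weak TelnetParms", check_telnet(WEAK_PROFILE, True)),
                         ("good TelnetParms", check_telnet(GOOD_PROFILE, True)),
                         ("weak FTP.DATA", check_ftp(WEAK_FTP_DATA, True)),
                         ("good FTP.DATA", check_ftp(GOOD_FTP_DATA, True))):
        print(name, "->", result or "OK")
```

Pass require_client_cert=True when the scenario is one of the client-certificate ones; the checks then also insist on CLIENTAUTH SAFCERT and SECURE_LOGIN VERIFY_USER, which are the statements that tie the presented certificate to a RACF user.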


Express Logon (ELF)

  1. Follow - Create an HFS KEYRING File

  2. Follow - Create a Self-signed Certificate if a Trusted CA is Not Available

  3. Follow - Create a Server Certificate

  4. Follow - Create a Client Certificate

  5. Add EXPRESSLOGON to the TelnetParms block

  6. SETR CLASSACT(PTKTDATA)

  7. RDEF PTKTDATA TSOSYS1 SSIGNON(KEYMASKED(E001193519561977)) UACC(NONE) APPLDATA('NO REPLAY PROTECTION')

    1. KEYMASKED is the secured signon key: 16 hexadecimal characters (an 8-byte DES key). The value above is only an illustration; generate 16 random hex digits, because anyone who knows this key can create PassTickets for every user of the application.

    2. TSOSYS1 is TSO concatenated with the value of SID in SMFPRMxx if VTAM generic resource naming is not being used. If VTAM generic resource naming is being used, see z/OS V1R4.0 Security Server RACF Security Administrator's Guide, 7.13.3.1 Determining Profile Names.

    3. A PassTicket is valid for about 10 minutes and, by default, can be used only once. APPLDATA('NO REPLAY PROTECTION') turns that single-use check off, so the same PassTicket can be presented again within the 10-minute window; add it only if Express Logon fails without it, since it makes an intercepted PassTicket reusable.


SSL for CICS Using Server Certificate

  1. Follow - Create an HFS KEYRING File

  2. Follow - Create a Self-signed Certificate if a Trusted CA is Not Available

  3. Follow - Create a Server Certificate

NOTE  When creating the Server Certificate, the Common Name needs special attention.  The browser compares the certificate's Common Name with the host name in the URL, so for https://cics14.seagullsoftware.com the Common Name should be cics14.seagullsoftware.com; when they match, no warning dialog box appears when the URL is accessed.  Giving the certificate a label such as cics14 is not required, but it keeps the key database and the RACF ring readable.

  1. On the PC

    1. Locate the Signing CA certificate on the PC and FTP it to the mainframe using binary or ASCII depending on which option was used when it was exported. FTP it to an MVS dataset with variable-length records (RECFM=VB), which is what RACDCERT reads.

  2. On MVS go to ISPF option 6, ISPF Command Shell, and issue the RACF commands. CICS USERID is the CICS region user ID and RINGNAME is the keyring to be named in the SIT. CONNECT only works for certificates already in the RACF database, so before these commands the Signing CA must be added with RACDCERT CERTAUTH ADD (the same form as the RACDCERT ADD used for the client certificate, with CERTAUTH in place of ID(USERID)), and the server certificate with its private key must be added to the CICS user ID from a PKCS #12 export in the same way; add DEFAULT to the CONNECT of the server certificate if the TCPIPSERVICE Certificate attribute will be left blank:

    1. RACDCERT ID(CICS USERID) ADDRING(RINGNAME)

    2. RACDCERT ID(CICS USERID) CONNECT(CERTAUTH LABEL('Signing CA label') RING(RINGNAME))

    3. RACDCERT ID(CICS USERID) CONNECT(LABEL('Server label') RING(RINGNAME))

  3. Edit the CICS SIP file:

    1. ENCRYPTION=NORMAL (56-bit) or ENCRYPTION=STRONG (168-bit); use STRONG, since 56-bit DES offers no real protection today,

    2. KEYRING=RINGNAME,

    3. SSLDELAY=600,

    4. SSLTCBS=8,

  4. Change the CICS startup JCL so that the System SSL load library SGSKLOAD is available through STEPLIB or JOBLIB, unless it is already in the LNKLST.

  5. For the CICS TCPIPSERVICE resource

    1. Set the port number.  The well-known port for HTTPS is 443 (the original text gives 684, which is the IANA port for IIOP over SSL, not HTTP); any other port must be given explicitly in the URL.

    2. Set the SSL property to YES


SSL for CICS Using Client Certificate

  1. Follow SSL for CICS Using Server Certificate, then also connect the client certificate to the ring:

    1. RACDCERT ID(CICS USERID) CONNECT(LABEL('Client label') RING(RINGNAME))

  2. For the CICS TCPIPSERVICE resource

    1. Change the SSL property to CLIENTAUTH

    2. Leave Certificate set to the label of the Server Certificate: this attribute names the certificate CICS presents during the handshake, not the client's. Client certificates are verified against the Signing CA in the ring and mapped to a user ID by the RACDCERT ADD done in step 22 of Create a Client Certificate.