Setting SSL/TLS encrypted communications
The sample HFICONFG configuration file member has TLS 1.2 encrypted communications active with the following line under the CONFIG=DEFAULT section:
SSL_REQUIRED=YES
If you would like to use other versions of TLS, see Configuration file keyword descriptions for other values that can be specified for SSL_REQUIRED. If TLS encryption is not required in your environment, comment out this line and uncomment the next line (or alter your existing line to SSL_REQUIRED=NO). If TLS is required, replace SSL_REQUIRED=YES with SSL_REQUIRED=TLSVxxx, where TLSVxxx is one of the supported TLS versions listed in the description of the SSL_REQUIRED keyword in Configuration file keyword descriptions.
If using a SAF keyring and not using AT-TLS, uncomment and modify the SSL_KEYRING line. The SSL_LABEL line should also be uncommented and modified if the certificate you generate does not have a label of 'ZCC Server Certificate'.
To use a certificate in a keyring, the user ID of the server task or job, as well as the user IDs connecting to the server, need to be permitted UPDATE access to the IRR.DIGTCERT.LISTRING facility and CONTROL access to the IRR.DIGTCERT.GENCERT facility in order to share the certificate amongst users of the common server.
For RACF® users, a keyring and certificate can be created by the following example commands. Note that the minimum key size when using TLS 1.3 is 2048.
RACDCERT ID(HFISRV) ADDRING(RINGA)
RACDCERT GENCERT SITE SIZE(2048) -
SUBJECTSDN( -
CN('Common Server') -
OU('ADL') -
O('ADL') -
C('AU')) -
WITHLABEL('ZCC Server Certificate')
RACDCERT ID(HFISRV) -
CONNECT(SITE LABEL('ZCC Server Certificate') -
RING(RINGA) USAGE(PERSONAL) -
DEFAULT)
SETR REFR RACL(DIGTCERT)
In this example, HFISRV is used for the user ID of the ZCC server task.
Note that the generated certificate must be a SITE certificate, because multiple users will need access to it. An alternative to SITE certificates is to use AT-TLS. See Using AT-TLS for encrypted communications for more information.
Updating the server config to include SSL_KEYRING=HFISRV/RINGA would use the certificate generated above. These commands serve as a working example only and should be updated as desired to match your needs. RACDCERT commands are documented in the z/OS® Security Server RACF® Command Language Reference.
PERMIT CSF* CLASS(CSFSERV) ID(groupid) ACCESS(READ)
For more details see the Cryptographic Services ICSF Administrator's Guide.
If you wish to specify a cipher string or TLS key shares for the System SSL component to use, you can do this by modifying the server JCL to specify environment variables via the STDENV DD statement as required. The sample server JCL member HFISRV1 includes an example of specifying GSK_V3_CIPHER_SPECS_EXPANDED and GSK_SERVER_TLS_KEY_SHARES via STDENV.
Considerations when using TLS 1.3
There are two ways to configure the usage of TLS 1.3 to communicate between clients and the ZCC server. The first is to specify SSL_REQUIRED=TLSV1.3 and ATTLS=NO in your server configuration parameters. This method causes the server to use its own built-in support for TLS 1.3. When using this method, you must specify values for GSK_V3_CIPHER_SPECS_EXPANDED and GSK_SERVER_TLS_KEY_SHARES in your server startup proc. For more information on cipher specs and key share groups that can be used with TLS V1.3, see https://www.ibm.com/docs/en/zos/2.4.0?topic=protocols-required-updates-enable-tls-v13-protocol-support.
The second method is to specify SSL_REQUIRED=TLSV1.3 and ATTLS=YES in your server configuration. This method causes the server to offload the encryption work to AT-TLS. For more information on using AT-TLS, see Using AT-TLS for encrypted communications.
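The following Python script is an added example, not part of this documentation or the product: it reads an HFICONFG-style member and the NAME=value lines of a STDENV DD and checks them against the rules above (the SSL_REQUIRED keyword, the userid/ringname form of SSL_KEYRING, and the two GSK variables that built-in TLS 1.3 with ATTLS=NO requires). The set of accepted TLSVxxx values, the '*' comment convention, the STDENV line layout and the sample values are assumptions.

```python
import re

# Assumptions: accepted TLSVxxx values, '*' comment lines, NAME=value STDENV lines.
SUPPORTED_TLS = {"TLSV1.2", "TLSV1.3"}
GSK_VARS_FOR_TLS13 = ("GSK_V3_CIPHER_SPECS_EXPANDED", "GSK_SERVER_TLS_KEY_SHARES")

def parse_config(text):
    """Return {section: {KEYWORD: value}}; a CONFIG=NAME line opens a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):      # blank or comment line
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().upper(), value.strip()
        if key == "CONFIG":
            current = value.upper()
            sections.setdefault(current, {})
        elif current is not None:
            sections[current][key] = value
    return sections

def parse_stdenv(text):
    """Return {NAME: value} from the NAME=value lines of a STDENV DD."""
    pairs = (ln.strip().split("=", 1) for ln in text.splitlines() if "=" in ln)
    return {name.strip(): value.strip() for name, value in pairs}

def check_tls(config, stdenv):
    """Return findings for the CONFIG=DEFAULT section; empty means consistent."""
    findings = []
    cfg = config.get("DEFAULT", {})
    required = cfg.get("SSL_REQUIRED", "NO").upper()
    attls = cfg.get("ATTLS", "NO").upper() == "YES"
    if required == "NO":
        return ["SSL_REQUIRED=NO: client connections are not encrypted"]
    if required != "YES" and required not in SUPPORTED_TLS:
        findings.append(f"SSL_REQUIRED={required} is not a supported value")
    if required == "TLSV1.3" and not attls:
        # Built-in TLS 1.3 needs cipher specs and key shares supplied via STDENV.
        findings += [f"{v} must be set in STDENV for built-in TLS 1.3"
                     for v in GSK_VARS_FOR_TLS13 if v not in stdenv]
    keyring = cfg.get("SSL_KEYRING", "")
    if keyring and not re.fullmatch(r"[A-Z0-9@#$]{1,8}/[^/\s]+", keyring.upper()):
        findings.append("SSL_KEYRING must be userid/ringname, e.g. HFISRV/RINGA")
    return findings

# Constructed sample input modelled on the documented keywords (not the shipped member).
SAMPLE_CONFIG = ("* constructed sample\nCONFIG=DEFAULT\nSSL_REQUIRED=TLSV1.3\nATTLS=NO\n"
                 "SSL_KEYRING=HFISRV/RINGA\nSSL_LABEL=ZCC Server Certificate\n")
SAMPLE_STDENV = "GSK_V3_CIPHER_SPECS_EXPANDED=1301,1302\n"   # constructed value
```

Running check_tls(parse_config(SAMPLE_CONFIG), parse_stdenv(SAMPLE_STDENV)) reports only that GSK_SERVER_TLS_KEY_SHARES is missing from STDENV.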