DCAS and System SSL

This section gives an overview of using System TLS/SSL with the DCAS.

DCAS uses AT-TLS for its TLS/SSL support. The secure protocol begins with a handshake. Then, the DCAS client authenticates the DCAS and vice versa. At this time, the DCAS and the DCAS client also agree on how to encrypt and decrypt the data.

You can specify the cipher level used for encryption and decryption for each connection at the time DCAS is configured, using the TTLSCipherParms statement in the AT-TLS policy. For more details, see AT-TLS policy statements.

SSL provides data privacy and integrity as well as client and server authentication based upon public-key certificates. For each SSL connection, SSL uses a public key infrastructure (PKI) mechanism, based on public/private key pairs, for authenticating each side of the connection and for agreeing on encryption keys. These keys are generated and stored in key databases, known as key rings.

X.509 certificates, containing public keys, are also required. The X.509 certificates can either be created locally or requested and received. In either case, a certificate is then associated with and becomes part of a key ring. You have access to several services for creating and managing key rings and certificates:

The gskkyman tool

This tool is shipped with System SSL and runs out of the z/OS UNIX shell. You can use it to create key rings and certificates that are stored in HFS. Specify key rings created with gskkyman in the DCAS configuration file using the KEYRING keyword.

If you use gskkyman, you must also create a password stash file. The password stash file protects the key ring file, because the key ring file contains the private keys associated with the certificates it holds. Specify the password stash file in the DCAS configuration file using the STASHFILE keyword. For details on using the gskkyman tool, refer here.

The RACDCERT command

You can also use the RACDCERT command in RACF to create, register, store, and administer keys and certificates. If you use RACDCERT, specify the key ring to the DCAS server in the configuration file using the SAFKEYRING keyword. A key ring created this way does not have a password file associated with it. For details on the RACDCERT command, refer here.
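As an added illustration (not taken from the DCAS documentation or from a shipped sample), the following shows how the two key store choices described above appear in the DCAS configuration file, and how cipher suites are restricted for the DCAS connection in an AT-TLS policy. The file paths, the ring name DCASRING, the parameter-block name DCASCipherParms and the chosen cipher suites are placeholders; the use of `#` as the comment character in the DCAS configuration file is assumed. Only one of the two key ring forms is used in any given configuration: KEYRING with STASHFILE for a gskkyman key database, or SAFKEYRING alone for a RACDCERT key ring.

```text
# DCAS configuration file (assumed: '#' introduces a comment line)

# Form 1: key database created with gskkyman, protected by a stash file
# (placeholder paths; the .sth file holds the password for the .kdb file)
KEYRING   /etc/dcas/dcas.kdb
STASHFILE /etc/dcas/dcas.sth

# Form 2: SAF key ring created with RACDCERT; no stash file is needed
# (placeholder ring name; comment out Form 1 if this form is used)
# SAFKEYRING DCASRING

# ---- AT-TLS policy fragment (separate policy agent configuration) ----
# The TTLSCipherParms block is referenced from the TTLSEnvironmentAction
# or TTLSConnectionAction that applies to the rule for the DCAS port.
# Listing only TLS suites with forward-secret key exchange and AEAD
# ciphers, in order of preference (placeholder selection).
TTLSCipherParms DCASCipherParms
{
  V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
```

The security-relevant check is that the key store named here is the one holding the DCAS server certificate and its private key: for the gskkyman form the stash file must be readable only by the DCAS server's user ID, since anyone who can read both the .kdb and .sth files can recover the private key; for the RACDCERT form, access to the private key is governed by RACF profiles instead.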