Configuring SSL and HTTPS support with Java keystore (JKS)

To use HTTPS between a SOAP Gateway client and SOAP Gateway, or SSL between SOAP Gateway and its server (IMS Connect), you must create the keystore and truststore, and configure the SOAP Gateway server.

To configure SOAP Gateway for HTTPS communications with its clients, and SSL communications with IMS Connect:

  1. If the SOAP Gateway client (for example, a web service or a Java™ application) does not require authentication of the SOAP Gateway server, go to step 2. If server or client authentication is required:
    a. Create a keystore for SOAP Gateway that contains a private and public key pair and export it as a server certificate.
    b. Create a client truststore, and import the SOAP Gateway server certificate.
    c. If client authentication is required:
    d. Configure SOAP Gateway with server authentication, truststore, and keystore information by using the SOAP Gateway management utility iogmgmt -prop -u command to update the SOAP Gateway server properties.
  2. If SSL security is required between SOAP Gateway and IMS Connect, using Application Transparent Transport Layer Security (AT-TLS) is recommended. IBM® z/OS® Communications Server provides the AT-TLS feature.

    To set up System SSL between SOAP Gateway and IMS Connect, see the IMS Connect SSL connections topic in IMS Communications and Connections information.

    If NIST SP800-131a is required, you must use System SSL between SOAP Gateway and IMS Connect. You must apply the following fix, depending on the IMS version:
    • IMS V13 APAR PM96825
    • IMS V12 APAR PM98017

    If you use Java keystore (JKS):
    a. Create a truststore for SOAP Gateway if you have not done so.
    b. Export the IMS Connect certificate.
    c. Import the IMS Connect certificate to the SOAP Gateway truststore.
    d. Decide the IMS Connect SSL port to use. Set up the IMS Connect and SSL configuration members with the appropriate values. For more information about setting up these configuration members, see the IMS 14 Communications and Connections information.
  3. Set up the connection bundle with the appropriate SSL parameters, including the HTTPS port number from step 2d. Use the SOAP Gateway management utility iogmgmt -conn -u command to update the connection bundle, including the port number, the SSL keystore name and password, and the SSL truststore name and password.

    For FIPS compliance, if you are using System SSL, the SSL encryption type (the -e flag) should be set to STRONG by using the iogmgmt -conn -u command.

    If you are using AT-TLS, do not specify any JKS SSL properties. Specifying any JKS SSL property in an AT-TLS environment results in an SSL handshake failure.

  4. If IMS Connect requires authentication of the client, use of AT-TLS is recommended. If you use JKS, import the SOAP Gateway public key certificate into the keyring. For more information, see the IMS 14 Communications and Connections information.
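
The keystore and truststore substeps of steps 1 and 2, written out with the JDK keytool as an added example that is not part of the IBM documentation. The aliases, file names, distinguished name and default passwords are constructed placeholders, and the IMS Connect certificate is assumed to have been exported to a file already.

```shell
#!/bin/sh
# Added example: aliases, file names, the DN and passwords are constructed placeholders.
set -eu
: "${GW_KS_PASS:=demo-keystore-pw}"   # demo-only defaults; supply real values
: "${TS_PASS:=demo-truststore-pw}"    # through the environment
export GW_KS_PASS TS_PASS

# Step 1: key pair in the SOAP Gateway keystore, then export the certificate only.
make_gateway_keystore() {
  keytool -genkeypair -alias soapgw -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=soapgw.example.test" -storetype JKS -keystore "$1/gateway-ks.jks" \
    -storepass:env GW_KS_PASS -keypass:env GW_KS_PASS
  keytool -exportcert -alias soapgw -rfc -file "$1/soapgw.cer" \
    -storetype JKS -keystore "$1/gateway-ks.jks" -storepass:env GW_KS_PASS
}

# Import a peer certificate into a truststore, creating the store on first use.
# $1 = truststore path, $2 = alias, $3 = certificate file
trust_cert() {
  keytool -importcert -noprompt -alias "$2" -file "$3" \
    -storetype JKS -keystore "$1" -storepass:env TS_PASS
}

# Print how many private-key entries a store holds. A truststore should report 0,
# the gateway keystore 1. $1 = store path, $2 = name of the password variable
count_private_keys() {
  listing=$(keytool -list -storetype JKS -keystore "$1" -storepass:env "$2") || return 1
  printf '%s\n' "$listing" | grep -c 'PrivateKeyEntry' || true
}

# Whole sequence. $1 = working directory, $2 = exported IMS Connect certificate
build_stores() {
  make_gateway_keystore "$1"
  trust_cert "$1/client-ts.jks" soapgw "$1/soapgw.cer"    # client trusts SOAP Gateway
  trust_cert "$1/gateway-ts.jks" imsconnect "$2"          # SOAP Gateway trusts IMS Connect
}
```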