Configure the CICSRequest node to communicate with CICS® Transaction Server for z/OS® over the Secure Sockets Layer (SSL) protocol by updating a CICSConnection configurable service or the CICSRequest node to use SSL.
Before you begin
Ensure that you have completed the following tasks:
- The CICSRequest node does not support a separate truststore, so the keystore file must provide both personal and signer certificates. If client authentication (CLIENTAUTH) is enabled in the TCPIPSERVICE in CICS, the integration node keystore file must also contain a personal certificate that is trusted by CICS. To set up a public key infrastructure (PKI) at integration node or integration server level, follow the instructions in Setting up a public key infrastructure.
- Define the COMMAREA data structure as a message set, as described in Defining a CICS Transaction Server for z/OS data structure.
- Configure the IP InterCommunications (IPIC) protocol on CICS, as described in Preparing the environment for the CICSRequest node.
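Because the node has no separate truststore, a single keystore listing must show at least one personal certificate (a PrivateKeyEntry) and at least one signer certificate (a trustedCertEntry). The following check is an added example, not code from IBM or from this documentation: it parses the text that a JDK `keytool -list -keystore <file>` command prints for a JKS keystore and reports what is missing. The listing below is constructed; the alias names ibnodecert and cicsca are assumptions. Whether CICS actually trusts the personal certificate (the CLIENTAUTH requirement) is not visible in a listing and is not checked here.

```python
import re

# Constructed sample in the shape of `keytool -list -keystore ibnode.jks` output.
# Alias names are assumptions for the example.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

ibnodecert, 12 Mar 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
cicsca, 12 Mar 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11
"""

# One entry line: "<alias>, <date>, <entry kind>," (fingerprint lines have no commas
# and therefore do not match).
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+),\s*(?P<date>[^,]+),\s*"
    r"(?P<kind>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?\s*$"
)


def parse_keystore_listing(listing):
    """Return {alias: entry_kind} for every entry line in a keytool -list listing."""
    entries = {}
    for line in listing.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries[match.group("alias").strip()] = match.group("kind")
    return entries


def keystore_check(listing):
    """Check that the listing shows both a personal and a signer certificate.

    Returns (ok, problems): ok is True when nothing is missing, problems is a
    list of human-readable findings for the operator.
    """
    entries = parse_keystore_listing(listing)
    personal = sorted(alias for alias, kind in entries.items() if kind == "PrivateKeyEntry")
    signers = sorted(alias for alias, kind in entries.items() if kind == "trustedCertEntry")
    problems = []
    if not signers:
        # Without a signer certificate the CICS server certificate chain cannot be validated.
        problems.append("no signer certificate (trustedCertEntry) in the keystore")
    if not personal:
        # Required in general, and mandatory when the TCPIPSERVICE uses CLIENTAUTH.
        problems.append("no personal certificate (PrivateKeyEntry) in the keystore")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = keystore_check(SAMPLE_LISTING)
    print("keystore ok" if ok else "keystore problems: " + "; ".join(problems))
```

Run it against real output by piping `keytool -list` into the script and passing the text to keystore_check; an empty problems list means the keystore satisfies the "both personal and signer" requirement stated above.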
About this task
To configure the CICSRequest node to use SSL, complete the following steps:
Procedure
- For client-authenticated (CLIENTAUTH) SSL connections, CICS expects the SSL client certificate to be mapped to a RACF® user ID. Therefore, map the SSL client certificate to a RACF user ID before you attempt to establish the SSL connection to CICS. If the client certificate is not mapped to a RACF user ID, the integration node might display an ECI_ERR_NO_CICS response.
You can map a client certificate to a RACF user ID by using the RACF command RACDCERT, which stores the client certificate in the RACF database and associates a user ID with it, or by using RACF certificate name filtering. A client certificate can be mapped to a user ID one-to-one, or a filter rule can map many certificates to one user ID. You can achieve this mapping by using one of the following methods:
- Associating a client certificate with a RACF user ID
  - Copy the certificate that you want to process into an MVS™ sequential file. The file must have variable-length, blocked records (RECFM=VB), and be accessible from TSO.
  - Run the RACDCERT command in TSO by using the following syntax:
    RACDCERT ADD('datasetname') TRUST [ ID(userid) ]
    Where:
    - datasetname is the name of the data set that contains the client certificate.
    - userid is the user ID to be associated with the certificate. This parameter is optional. If it is omitted, the certificate is associated with the user who issues the RACDCERT command.
  When you issue the RACDCERT command, RACF creates a profile in the DIGTCERT class. This profile associates the certificate with the user ID. You can then use the profile to translate a certificate to a user ID without giving a password. For full details of RACF commands, see z/OS Security Server RACF Command Language Reference.
- RACF certificate name filtering
  With certificate name filtering, client certificates are not stored in the RACF database. The association between one or more certificates and a RACF user ID is achieved by defining a filter rule that matches the distinguished name of the certificate owner or issuer (CA). A sample filter rule might look like the following example:
    RACDCERT ID(DEPT3USR) MAP SDNFILTER(OU=DEPT1.OU=DEPT2.O=IBM.L=LOC.SP=NY.C=US)
  This sample filter rule would associate user ID DEPT3USR with all certificates when the distinguished name of the certificate owner contains the organizational units DEPT1 and DEPT2, the organization IBM®, the locality LOC, the state/province NY, and the country US.
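To see which certificates a filter rule such as the one above would map before the node attempts a connection (an unmapped certificate is what produces the ECI_ERR_NO_CICS response described earlier), the following added example models the filter match in Python. It is not IBM code and not part of this documentation. It assumes RACF's documented behaviour that a subject-name filter is compared against the certificate's distinguished name starting from the least specific component (C=US) and that, when several rules match, the rule with the most components wins; attribute names are compared case-insensitively and values exactly, and values that themselves contain a "." are out of scope. The DEPT3USR rule is the page's own; the IBMUSR rule and the subject names are constructed.

```python
def parse_rdn_string(text):
    """Parse RACF-style 'ATTR=value.ATTR=value' into [(ATTR, value), ...], most specific first."""
    parts = []
    for component in text.split("."):
        attr, sep, value = component.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed component: {component!r}")
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def filter_matches(filter_text, subject_dn_text):
    """True when the filter equals the trailing (least specific) components of the subject DN.

    Assumed RACF semantics: the filter may omit leading, more specific components
    (such as CN=...), but the components it does name must match in order.
    """
    rule = parse_rdn_string(filter_text)
    subject = parse_rdn_string(subject_dn_text)
    if len(rule) > len(subject):
        return False
    return subject[len(subject) - len(rule):] == rule


def resolve_user_id(filter_rules, subject_dn_text):
    """Return the user ID of the most specific matching rule, or None when nothing matches.

    filter_rules is a list of (user_id, filter_text) pairs; specificity is the
    number of components in the filter (an assumption made for this example).
    """
    best = None
    for user_id, filter_text in filter_rules:
        if filter_matches(filter_text, subject_dn_text):
            specificity = len(parse_rdn_string(filter_text))
            if best is None or specificity > best[0]:
                best = (specificity, user_id)
    return None if best is None else best[1]


# The DEPT3USR rule is the one from the text; the IBMUSR catch-all rule is constructed.
RULES = [
    ("DEPT3USR", "OU=DEPT1.OU=DEPT2.O=IBM.L=LOC.SP=NY.C=US"),
    ("IBMUSR", "O=IBM.L=LOC.SP=NY.C=US"),
]

# Constructed subject names of client certificates the integration node might present.
SUBJECTS = [
    "CN=ibnode01.OU=DEPT1.OU=DEPT2.O=IBM.L=LOC.SP=NY.C=US",  # matches both, DEPT3USR wins
    "CN=ibnode02.OU=DEPT9.O=IBM.L=LOC.SP=NY.C=US",           # only the catch-all matches
    "CN=ibnode03.O=ACME.C=US",                                # unmapped: expect ECI_ERR_NO_CICS
]

if __name__ == "__main__":
    for subject in SUBJECTS:
        print(f"{subject} -> {resolve_user_id(RULES, subject)}")
```

Component order matters: a certificate whose DN lists OU=DEPT2 before OU=DEPT1 does not match the DEPT3USR rule, which is the kind of near-miss worth checking when a connection fails with ECI_ERR_NO_CICS despite an apparently matching filter.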
- Turn on SSL support in the integration node by setting the cicsServer property on the CICSConnection configurable service, as shown in the following example.
  This example changes the CICSRequest node that is configured to use the myCICSConnection configurable service for the CICS instance that is running at mycicsregion.com port 56789. After you run this command, the CICSRequest node connects to CICS over SSL.
    mqsichangeproperties IBNODE -c CICSConnection -o myCICSConnection -n cicsServer -v ssl://mycicsregion.com:56789
  Alternatively, you can configure the CICS server property directly on the CICSRequest node.
What to do next
When you have configured the integration node or the CICSRequest node to use SSL, develop a message flow that contains a CICSRequest node by following the steps in Developing a message flow with a CICSRequest node.