Enabling communications with Dynamic Workload Console
After you install the Dynamic Workload Console and the z/OS connector, you must enable communication between them. The Dynamic Workload Console and the z/OS connector communicate using RMI/IIOP over SSL. The SSL security model implemented in WebSphere® Application Server requires two stores to be present on both the client and the server:

- A keystore, which contains the private key and its own certificate.
- A trust store, which contains the certificates of the trusted counterparts.
Figure 26 shows the keys that must be extracted and distributed to enable SSL between the z/OS connector and the Dynamic Workload Console. Each arrow in the diagram represents the following activities, performed with an appropriate key management tool on each keystore:

- Create a self-signed certificate or import a third-party certificate.
- Extract the certificate (the public part) of the new key. The private key is never exported or distributed.
- Open the trust store of the counterpart.
- Add the extracted certificate to that trust store as a trusted signer certificate.
To define SSL basic authentication security, you must first request a signed certificate for your server and the certificate authority (CA) certificate from the certificate authority that signed your server certificate. After you have received both certificates, you must:

- From the z/OS environment, extract the public CA certificate and store it in the trusted certificate authority repository (trust store) of the Dynamic Workload Console.
- From the Dynamic Workload Console, extract the public part of its self-signed certificate and store it in the trusted certificate repository of WebSphere Application Server for z/OS.
To perform these operations, complete the following steps:

1. Export the WebSphere Application Server for z/OS certificate authority certificate to a data set:
   a. Log on to RACF® and select option DIGITAL CERTIFICATES, KEY RINGS, AND TOKENS.
   b. Select option Digital certificates functions.
   c. Select option Write a certificate to a data set.
   d. Export the WebSphere Application Server certificate authority certificate to a data set and transfer the file to the Dynamic Workload Console using FTP. Use ASCII mode if the certificate was written in base64-encoded format (the data set holds EBCDIC text, which must be translated) and binary mode if it was written in DER format. A base64 certificate transferred in binary mode arrives as untranslated EBCDIC and the import fails.
2. Import the file into the trusted certificate authority repository (trust store) of the Dynamic Workload Console using the iKeyman utility. The iKeyman utility is located in installation_directory/TDWC/_jvm/jre/bin.
3. From the Dynamic Workload Console, export the self-signed certificate to a file using the iKeyman utility. Export only the certificate, not the private key. For more information, see the section about interface communication in the Administration Guide.
4. Transfer the file to the z/OS environment, using the same transfer mode rule as in step 1d, and add it to the RACF database:
   a. In RACF, select option DIGITAL CERTIFICATES, KEY RINGS, AND TOKENS.
   b. Select option Digital certificates functions.
   c. Select option Add, alter, delete or list certificates.
   d. Select option Add a digital certificate to the RACF database. Set the status to Trust (T).
5. Associate the certificate with the trusted certificate authority repository of WebSphere Application Server for z/OS:
   a. In RACF, select option Key Ring functions.
   b. Select option Connect a digital certificate to a key ring. In the Ring Name field, type the name of the WebSphere Application Server controller key ring.
6. Define an EJBROLE profile and then permit a System Authorization Facility (SAF) user to the profile:
   a. On the WebSphere Application Server, the deployment descriptor of the zConnector, listed under Enterprise Applications, displays the default role, TWSAdmin, which must be defined in the RACF class EJBROLE as follows:

      rdefine EJBROLE <SAF_prefix>.TWSAdmin owner(SYS1) audit(failures(READ)) uacc(NONE)

      where <SAF_prefix> is the prefix of the profile. You can find its value on the WebSphere Application Server under Security > Global security > External authorization providers > SAF authorization options, in the SAF profile prefix field. EJBROLE is a mixed-case class, so the profile name must match the role name TWSAdmin exactly, including case; uacc(NONE) keeps the role closed to every user who is not explicitly permitted.
   b. Grant READ access to a specific user by issuing the following RACF command:

      permit <SAF_prefix>.TWSAdmin class(EJBROLE) id(userid) access(READ)

7. Restart WebSphere Application Server to make the changes effective.
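The same procedure expressed as RACF commands submitted in batch rather than through the ISPF panels, as an added example that is not part of the product documentation: the certificate labels, user IDs, key ring name, SAF prefix and data set names in the header comments are assumptions to be replaced with your own values, and the job assumes the WebSphere controller key ring already exists.

```jcl
//TDWCSSL1 JOB (ACCT),'EXPORT WAS CA',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example, not part of the product documentation.
//* Assumed names (replace with your own):
//*   WASCA      label of the WebSphere for z/OS CA certificate in RACF
//*   WASCTL     user ID the WebSphere controller region runs under
//*   WASKEYRING key ring named in the controller SSL configuration
//*   TDWCCERT   label to give the Dynamic Workload Console certificate
//*   WASPFX     SAF profile prefix shown in the WebSphere console
//*   TWSOPER    SAF user who will log on through the z/OS connector
//*   HLQ.*      placeholder data set names
//*
//* Job 1: write the public CA certificate to a data set. Only the
//* certificate is exported; the private key never leaves RACF.
//EXPORT   EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RACDCERT CERTAUTH EXPORT(LABEL('WASCA')) -
           DSN('HLQ.WASCA.CERT') FORMAT(CERTB64)
/*
//*
//* Download HLQ.WASCA.CERT with FTP in ASCII mode (CERTB64 is EBCDIC
//* text on the host), import it into the console trust store with
//* iKeyman, export the console certificate, upload it in ASCII mode
//* to the sequential data set HLQ.TDWC.CERT, then submit job 2.
//*
//TDWCSSL2 JOB (ACCT),'TRUST TDWC CERT',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//IMPORT   EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  /* Add the console's self-signed certificate as a trusted CA      */
  /* certificate: a self-signed certificate is its own signer.      */
  RACDCERT CERTAUTH ADD('HLQ.TDWC.CERT') WITHLABEL('TDWCCERT') TRUST
  /* Connect it to the controller key ring as a signer certificate. */
  RACDCERT ID(WASCTL) CONNECT(CERTAUTH LABEL('TDWCCERT') -
           RING(WASKEYRING) USAGE(CERTAUTH))
  /* Check that it is on the ring, then refresh the in-storage copy */
  /* (needed when the DIGTCERT class is RACLISTed).                 */
  RACDCERT ID(WASCTL) LISTRING(WASKEYRING)
  SETROPTS RACLIST(DIGTCERT) REFRESH
  /* Authorization: a default-deny role, then one explicit grant.   */
  /* EJBROLE is mixed-case; batch SYSTSIN keeps the case of          */
  /* TWSAdmin, whereas TSO line mode folds input to uppercase.      */
  RDEFINE EJBROLE WASPFX.TWSAdmin OWNER(SYS1) -
          AUDIT(FAILURES(READ)) UACC(NONE)
  PERMIT  WASPFX.TWSAdmin CLASS(EJBROLE) ID(TWSOPER) ACCESS(READ)
  /* EJBROLE is RACLISTed for WebSphere: without a refresh the      */
  /* PERMIT is not seen by the server even after a restart.         */
  SETROPTS RACLIST(EJBROLE) REFRESH
  RLIST EJBROLE WASPFX.TWSAdmin AUTHUSER
/*
```

The two jobs are shown together for readability; submit them as separate members, with the Dynamic Workload Console steps between them. On the console host, the command-line counterpart of iKeyman, ikeycmd, sits in the same bin directory and can replace the GUI steps, for example `ikeycmd -cert -add -db trust.p12 -type pkcs12 -pw <password> -label WASzOSCA -file wasca.arm -format ascii` to import the downloaded CA certificate and `ikeycmd -cert -extract -db key.p12 -type pkcs12 -pw <password> -label default -target tdwc.arm -format ascii` to export the console's own certificate; the store names key.p12 and trust.p12 and the label default are the WebSphere defaults and are assumptions here, as is the presence of ikeycmd in that directory. The final RLIST with AUTHUSER prints the access list, so the output shows whether TWSOPER, and only TWSOPER, holds READ on the role before WebSphere is restarted.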
Secure communications is now enabled between the Dynamic Workload Console and the z/OS connector.