The purpose of the z/OS-specific file is to specify z/OS® unique options. A sample file is in /usr/lpp/tcpip/samples/sendmail/cf/zOS.cf
and can be copied to /etc/mail/zOS.cf with the installation information.
The actual location of the file can be set by the confZOS_FILE m4
parameter. It is assumed that the administrator received the following
information from the security administrator.
- KeyfilePath
- Directory path for the key ring files and password stash files.
- ServerKeyFile
- Name of the key database file or RACF® key ring, used when sendmail acts as the server. If a key
database is specified, it must be an existing z/OS UNIX file. If a RACF key ring
is specified, it must be an existing key ring and the current user
ID must have READ access to the IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.LIST
resources in the FACILITY class.
- ClientKeyFile
- Name of the key database file or RACF key ring, used when sendmail acts as the client. If a key
database is specified, it must be an existing z/OS UNIX file. If a RACF key ring
is specified, it must be an existing key ring and the current user
ID must have READ access to the IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.LIST
resources in the FACILITY class.
- ServerPWFile
- Name of the file that contains the password for the key database
file, used when sendmail acts as the server. It must not be given
a value when a RACF key ring is specified in ServerKeyFile.
- ClientPWFile
- Name of the file that contains the password for the key database
file, used when sendmail acts as the client. It must not be given
a value when a RACF key ring is specified in ClientKeyFile.
- CipherLevel
- Specifies the list of SSL version 3, TLS version 1.0,
TLS version 1.1, or TLS version 1.2 ciphers in the order of usage
preference. If it is not set, it takes on the default SSLV3 cipher
specifications. The default cipher specification list is one of the
following lists:
  - "05040A0306090201" when Security Level 3 FMID JCPT321 is installed
  - "0306090201" when Security Level 3 FMID JCPT321 is not installed
- GskTraceFile
- Specifies the file to receive SSL Trace information, used to debug
problems using the sendmail TLS interface. The GSK_TRACE_FILE environment
variable is set to the value specified. For a discussion of concerns
when obtaining a System SSL trace, see z/OS Cryptographic Services System SSL Programming.
Ensure that the file is writable by the UID that sendmail will execute under.
Be aware that sensitive information might be written to this file.
Use a percent sign (%) in the file name to substitute the PID, so that
multiple tasks do not write to (and over) the same file. To create a
readable copy of the trace information, use the System SSL gsktrace
command, which takes the trace file name as input and writes readable
trace output to standard output.
- SSLV3
- Controls whether SSLV3 is enabled for connections that are secured
using System SSL.
  - TRUE indicates that SSLV3 is enabled.
  - FALSE indicates that SSLV3 is disabled. This is the default.
  Note: This parameter is honored only when TLS is enabled in the sendmail.cf file.
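
To see what the default CipherLevel lists above actually select, the following added example (not part of the original documentation) splits a CipherLevel string into its two-character codes and names each suite in preference order. It assumes each code NN is the IANA TLS cipher suite value 0x00NN; the function names and the note strings are this example's own.

```python
# Added example: decode a z/OS sendmail CipherLevel string.
# Assumption: each two-hex-digit code NN is IANA cipher suite 0x00NN;
# names are the IANA registry names, notes are this example's own.
SUITES = {
    "01": ("TLS_RSA_WITH_NULL_MD5", "no encryption"),
    "02": ("TLS_RSA_WITH_NULL_SHA", "no encryption"),
    "03": ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", "40-bit export"),
    "04": ("TLS_RSA_WITH_RC4_128_MD5", "RC4"),
    "05": ("TLS_RSA_WITH_RC4_128_SHA", "RC4"),
    "06": ("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "40-bit export"),
    "09": ("TLS_RSA_WITH_DES_CBC_SHA", "56-bit DES"),
    "0A": ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "3DES, 64-bit block"),
    "2F": ("TLS_RSA_WITH_AES_128_CBC_SHA", None),
    "35": ("TLS_RSA_WITH_AES_256_CBC_SHA", None),
}
HEX = set("0123456789ABCDEF")

def decode_cipher_level(spec):
    """Return [(code, name, note)] in the order of usage preference."""
    spec = spec.strip().strip('"').upper()
    if not spec or len(spec) % 2 or not set(spec) <= HEX:
        raise ValueError("CipherLevel must be pairs of hex digits")
    pairs = [spec[i:i + 2] for i in range(0, len(spec), 2)]
    unknown = ("unknown to this table", "review manually")
    return [(code, *SUITES.get(code, unknown)) for code in pairs]

def flagged(spec):
    """Codes whose suite carries a note (NULL, export, DES, RC4, 3DES)."""
    return [code for code, _, note in decode_cipher_level(spec) if note]

if __name__ == "__main__":
    # The two default lists quoted on this page.
    defaults = {"JCPT321 installed": "05040A0306090201",
                "JCPT321 not installed": "0306090201"}
    for label, spec in defaults.items():
        print(label)
        for code, name, note in decode_cipher_level(spec):
            print(f"  {code}  {name}" + (f"  [{note}]" if note else ""))
```

Run against the two default lists, every code is flagged, and the last two entries of each list ("02" and "01") negotiate no encryption at all.
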
z/OS sendmail also supports
querying for certificate revocation lists (CRLs) if an LDAP server
is specified.
- LdapServer
- Support LDAP for X.500 certificate verification.
- LdapUser
- LDAP user ID to support X.500 certificate verification.
- LdapPw
- LDAP password to support X.500 certificate verification.
- LdapPort
- Port number to be used to connect to the LDAP server.