Creating the z/OS-specific file

The purpose of the z/OS-specific file is to specify z/OS® unique options. A sample file is provided in /usr/lpp/tcpip/samples/sendmail/cf/zOS.cf; copy it to /etc/mail/zOS.cf and fill in the values for your installation. The actual location of the file is set by the confZOS_FILE m4 parameter. It is assumed that the administrator has received the following information from the security administrator.

KeyfilePath
Directory path for the key ring files and password stash files.
ServerKeyFile
Name of the key database file or RACF® key ring, used when sendmail acts as the server. If a key database is specified, it must be an existing z/OS UNIX file. If a RACF key ring is specified, it must be an existing key ring and the current user ID must have READ access to the IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.LIST resources in the FACILITY class.
ClientKeyFile
Name of the key database file or RACF key ring, used when sendmail acts as the client. If a key database is specified, it must be an existing z/OS UNIX file. If a RACF key ring is specified, it must be an existing key ring and the current user ID must have READ access to the IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.LIST resources in the FACILITY class.
ServerPWFile
Name of the file that contains the password for the key database file, used when sendmail acts as the server. It must not be given a value when a RACF key ring is specified in ServerKeyFile.
ClientPWFile
Name of the file that contains the password for the key database file, used when sendmail acts as the client. It must not be given a value when a RACF key ring is specified in ClientKeyFile.
CipherLevel
Specifies the list of SSL version 3, TLS version 1.0, TLS version 1.1, or TLS version 1.2 ciphers in order of usage preference. If it is not set, the default SSLV3 cipher specification is used. The default cipher specification list is one of the following lists:
  • "05040A0306090201" when Security Level 3 FMID JCPT321 is installed
  • "0306090201" when Security Level 3 FMID JCPT321 is not installed
Tip: If System SSL needs to access z/OS Integrated Cryptographic Services Facility (ICSF), ICSF must be started before starting sendmail. For information about using hardware Cryptographic Features with System SSL, see z/OS Cryptographic Services System SSL Programming.
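The default CipherLevel strings above are sequences of 2-hex-digit System SSL cipher IDs. The following added example (not part of the z/OS documentation or of sendmail) splits a CipherLevel value into its IDs and flags the entries a reviewer would want removed before enabling TLS; the mapping of IDs to IANA suite names is an assumption that the 2-digit ID equals the low byte of the IANA cipher suite number, and it covers only the IDs on this page plus two AES suites.

```python
# Added example: audit a zOS.cf CipherLevel value. Not IBM or sendmail code.
# Assumption: a System SSL 2-digit cipher ID is the low byte of the IANA
# TLS cipher suite number (0x0005 -> "05"); table limited to IDs seen here.
CIPHER_NAMES = {
    "01": "TLS_RSA_WITH_NULL_MD5",
    "02": "TLS_RSA_WITH_NULL_SHA",
    "03": "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "04": "TLS_RSA_WITH_RC4_128_MD5",
    "05": "TLS_RSA_WITH_RC4_128_SHA",
    "06": "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "09": "TLS_RSA_WITH_DES_CBC_SHA",
    "0A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "2F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "35": "TLS_RSA_WITH_AES_256_CBC_SHA",
}

# Substrings of a suite name that mark it as unacceptable for mail transport.
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "RC2", "DES_CBC", "3DES")


def parse_cipher_level(spec: str) -> list:
    """Split a CipherLevel value (optionally quoted) into 2-character
    cipher IDs, preserving the order of preference. Rejects odd-length
    or non-hexadecimal input instead of silently truncating it."""
    spec = spec.strip().strip('"').upper()
    if len(spec) % 2 or any(c not in "0123456789ABCDEF" for c in spec):
        raise ValueError("CipherLevel must be an even-length hex string")
    return [spec[i:i + 2] for i in range(0, len(spec), 2)]


def audit_cipher_level(spec: str) -> dict:
    """Classify each ID as 'ok', 'weak' or 'unknown' (not in the table).
    Returns the ordered findings and whether the whole list is acceptable."""
    findings = []
    for cid in parse_cipher_level(spec):
        name = CIPHER_NAMES.get(cid)
        if name is None:
            verdict = "unknown"
        elif any(marker in name for marker in WEAK_MARKERS):
            verdict = "weak"
        else:
            verdict = "ok"
        findings.append((cid, name or "?", verdict))
    return {"findings": findings,
            "acceptable": all(v == "ok" for _, _, v in findings)}


if __name__ == "__main__":
    # Constructed inputs: the page's JCPT321 default and an AES-only list.
    for label, spec in (("default", '"05040A0306090201"'), ("aes", "352F")):
        result = audit_cipher_level(spec)
        print(label, "acceptable" if result["acceptable"] else "NOT acceptable")
        for cid, name, verdict in result["findings"]:
            print(f"  {cid} {verdict:8} {name}")
```

Run against the documented default, every entry is reported as weak (RC4, 3DES, export, single DES and NULL suites), which is why a CipherLevel value should be set explicitly rather than left to the default.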
GskTraceFile
Specifies the file that receives System SSL trace information, used to debug problems with the sendmail TLS interface. The GSK_TRACE_FILE environment variable is set to the specified value. For a discussion of concerns when obtaining a System SSL trace, see z/OS Cryptographic Services System SSL Programming. Ensure that the file is writable by the UID under which sendmail will execute, and be aware that sensitive information might be written to it. Use a percent sign (%) in the file name to substitute the PID, so that multiple tasks do not write to (and over) the same file. To create a readable copy of the trace information, use the System SSL gsktrace command, which takes the trace file name as input and writes readable trace output to standard output.
SSLV3
Controls whether SSLV3 is enabled for connections that are secured using System SSL.
  • TRUE indicates that SSLV3 is enabled.
  • FALSE indicates that SSLV3 is disabled. This is the default.
Note: This parameter is honored only when TLS is enabled in the sendmail.cf file.

z/OS sendmail also supports querying for certificate revocation lists (CRLs) if an LDAP server is specified.

LdapServer
LDAP server to use for X.500 certificate verification.
LdapUser
LDAP user ID to support X.500 certificate verification.
LdapPw
LDAP password to support X.500 certificate verification.
LdapPort
Port number to be used to connect to the LDAP server.