Setting SSL/TLS encrypted communications

The sample HFICONFG configuration file member has TLS 1.2 encrypted communications active with the following line under the CONFIG=DEFAULT section:

SSL_REQUIRED=YES

If you would like to use other versions of TLS, see Configuration file keyword descriptions for the other values that can be specified for SSL_REQUIRED. If TLS encryption is not required in your environment, comment out this line and uncomment the next line (or change your existing line to SSL_REQUIRED=NO). If a specific TLS version is required, replace SSL_REQUIRED=YES with SSL_REQUIRED=TLSVxxx, where TLSVxxx is one of the supported TLS versions listed in the description of the SSL_REQUIRED keyword in Configuration file keyword descriptions.

If using a SAF keyring and not using AT-TLS, uncomment and modify the SSL_KEYRING line. The SSL_LABEL line should also be uncommented and modified if the certificate you generate does not have a label of 'ZCC Server Certificate'.

To use a certificate in a keyring, the user ID of the server task or job, as well as the user IDs connecting to the server, must be permitted UPDATE access to the IRR.DIGTCERT.LISTRING resource and CONTROL access to the IRR.DIGTCERT.GENCERT resource in the FACILITY class, so that the certificate can be shared amongst users of the common server.

For RACF® users, a keyring and certificate can be created by the following example commands. Note that the minimum key size when using TLS 1.3 is 2048.

RACDCERT ID(HFISRV) ADDRING(RINGA)
RACDCERT GENCERT SITE SIZE(2048)           -
         SUBJECTSDN(                       -
           CN('Common Server')             -
           OU('ADL')                       -
           O('ADL')                        -
           C('AU'))                        -
         WITHLABEL('ZCC Server Certificate')
RACDCERT ID(HFISRV)                                       -
         CONNECT(SITE LABEL('ZCC Server Certificate')    -
         RING(RINGA) USAGE(PERSONAL)                      -
         DEFAULT)
SETR REFR RACL(DIGTCERT)

In this example, HFISRV is used for the user ID of the ZCC server task.

Note that the generated certificate must be a SITE certificate. This is because multiple users will need access to the certificate. An alternative to SITE certificates is to use AT-TLS. See Using AT-TLS for encrypted communications for more information.

Updating the server configuration to include SSL_KEYRING=HFISRV/RINGA makes the server use the certificate generated above. These commands are a working example only and should be adjusted to match your needs. RACDCERT commands are documented in the z/OS® Security Server RACF® Command Language Reference.

If you are using ICSF and have protected resources through the CSFSERV resource class, the server user ID or group ID needs to be permitted to the resource, for example:

PERMIT CSF* CLASS(CSFSERV) ID(groupid) ACCESS(READ)

For more details, see the Cryptographic Services ICSF Administrator's Guide.

If you wish to specify a cipher string or TLS key shares for the System SSL component to use, you can do this by modifying the server JCL to specify environment variables via the STDENV DD statement as required. The sample server JCL member HFISRV1 includes an example of specifying GSK_V3_CIPHER_SPECS_EXPANDED and GSK_SERVER_TLS_KEY_SHARES via STDENV.

Considerations when using TLS 1.3

There are two ways to configure the usage of TLS 1.3 to communicate between clients and the ZCC server. The first is to specify SSL_REQUIRED=TLSV1.3 and ATTLS=NO in your server configuration parameters. This method causes the server to use its own built-in support for TLS 1.3.

When using this method, you must specify values for GSK_V3_CIPHER_SPECS_EXPANDED and GSK_SERVER_TLS_KEY_SHARES in your server startup proc. For more information on cipher specs and key share groups that can be used with TLS V1.3, see https://www.ibm.com/docs/en/zos/2.4.0?topic=protocols-required-updates-enable-tls-v13-protocol-support.

The second method is to specify SSL_REQUIRED=TLSV1.3 and ATTLS=YES in your server configuration. This method causes the server to offload the encryption work to ATTLS. For more information on using AT-TLS, see Using AT-TLS for encrypted communications.
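As an added example (not code from the product documentation), the rules on this page for the keyring settings and for the two TLS 1.3 methods can be checked against a configuration before the server is started. It assumes the HFICONFG member and the STDENV DD content are KEY=VALUE lines with '#' or '*' comment lines, that ATTLS is NO when omitted, and that the RACDCERT GENCERT command text is available; the inputs in the usage are constructed.

```python
import re


def parse_kv(text):
    """Parse KEY=VALUE lines. Blank lines and lines starting with '#' or '*'
    are skipped (an assumed comment syntax; the page does not state one)."""
    out = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s[0] in "#*" or "=" not in s:
            continue
        key, _, value = s.partition("=")
        out[key.strip().upper()] = value.strip()
    return out


def racdcert_key_size(cmd_text):
    """Return the SIZE(n) value from a RACDCERT GENCERT command, or None."""
    m = re.search(r"SIZE\((\d+)\)", cmd_text, re.IGNORECASE)
    return int(m.group(1)) if m else None


def check_tls(config_text, stdenv_text="", racdcert_text=""):
    """Return a list of findings; an empty list means the rules above are met.
    ATTLS is treated as NO when absent (an assumption, not stated on the page)."""
    cfg = parse_kv(config_text)
    env = parse_kv(stdenv_text)
    findings = []
    required = cfg.get("SSL_REQUIRED", "NO").upper()
    attls = cfg.get("ATTLS", "NO").upper() == "YES"
    if required == "NO":
        # Nothing else matters if client traffic is sent in the clear.
        return ["SSL_REQUIRED=NO: client connections are not encrypted"]
    if required == "TLSV1.3":
        size = racdcert_key_size(racdcert_text)
        if size is not None and size < 2048:
            findings.append(f"SIZE({size}) is below the 2048 minimum for TLS 1.3")
        if not attls:
            # Built-in TLS 1.3 needs both GSK variables supplied via STDENV.
            for var in ("GSK_V3_CIPHER_SPECS_EXPANDED", "GSK_SERVER_TLS_KEY_SHARES"):
                if var not in env:
                    findings.append(f"{var} must be set via STDENV for built-in TLS 1.3")
    if not attls:
        # Without AT-TLS the server needs a SAF keyring in userid/ringname form.
        ring = cfg.get("SSL_KEYRING")
        if ring is None:
            findings.append("SSL_KEYRING is required when AT-TLS is not used")
        elif not re.fullmatch(r"[^/\s]{1,8}/[^/\s]+", ring):
            findings.append("SSL_KEYRING should be userid/ringname, e.g. HFISRV/RINGA")
    return findings
```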