Configuring a BWCP Project

After the personal certificate is created and the AT-TLS ports are configured, you can configure a plug-in project to create a secure connection to the CICS region.

The descriptions given in this section apply to Linux and Windows workstations.

Procedure

  1. Obtain the copies of the certificates.
    Move the copies of the personal certificate and the signing CA previously exported to z/OS data sets to the local workstation.
    1. Create the copies of the certificates.
      For example, a batch job like the following exports the personal certificate created previously, together with its signer chain, as a PKCS12 file, and the signing CA certificate as a DER file, from RACF to sequential data sets:
      //#JOBNAME JOB (&SYSUID),'CERT COPY',CLASS=A
      //*
      //STEP1 EXEC PGM=IKJEFT01,DYNAMNBR=20
      //SYSTSPRT DD SYSOUT=O
      //SYSTSIN DD *
        RACDCERT EXPORT(LABEL('BWCP_Server_Cert')) ID(TCPIP) -
        FORMAT(PKCS12DER) DSN('TIBUSER.BWCP.SERVER.CERT.PCKS12') -
        PASSWORD('password')
        RACDCERT EXPORT(LABEL('TIBCO Software Inc CA')) CERTAUTH -
        FORMAT(CERTDER) DSN('TIBUSER.BWCP.CA.DER')
      /*
    2. Transfer the copies from the z/OS system in binary format to your local workstation. You can use any mechanism you have available.
      For example, FTP:
         ftp> bin
         ftp> get 'TIBUSER.BWCP.SERVER.CERT.PCKS12' server_cert.p12
         ftp> get 'TIBUSER.BWCP.CA.DER' server_ca.der
      You now have the PKCS12 encoded RACF certificate named server_cert.p12 and the CA that signed it (encoded as a plain DER file named server_ca.der) in a workstation directory.
    3. After the transfer is completed, delete the z/OS copies of these sensitive files to minimize any security exposure related to having them outside RACF.
  2. Configure security information in the Transport Layer Security panel.
    1. Select the Transport Layer Security check box to enable the transport layer security setting.
    2. Click next to the TLS Configuration link.
    3. In the Select SSLClientResource Resource Template dialog, select an existing shared resource, or click Create Shared Resource to create a new shared resource.
    4. Click the TLS Configuration link.
    5. In the Basic SSL Client Configuration panel, click next to the Keystore Provider as Trust Store link.
    6. In the Select KeystoreProviderResource Resource Template dialog, select an existing shared resource or click Create Shared Resource to create a new shared resource.
    7. Click the Keystore Provider as Trust Store link, configure the following fields, and click to save your configuration.
      Provider: Specify the certificate provider. The value of this field changes depending on the Type list.
        • When selecting JCEKS from the Type list, the value of this field can be SunJCE or IBMJCE.
        • When selecting JKS from the Type list, the value of this field can be Sun or IBMJCE.
        • When selecting PKCS#12 from the Type list, the value of this field can be SunJSSE or IBMJCE.
      URL: Specify the URL. The format of the URL is file:///paths/certificate.name
      Password: Specify the password used to extract the Client Identity File from RACF, as specified in the JCL.
      Type: Select the certificate type from this list. The items of this list can be JCEKS, JKS, or PKCS#12.
      Refresh Interval: Specify the refresh interval, in milliseconds. The default value is 3600000.
    8. In the SSL Client Configuration panel, select the Enable Mutual Authentication check box to enable connection pooling for this resource.
    9. Click next to the Identity Store Provider link to select multiple signer certificates from a directory.
    10. Click Test Connection to verify your configuration.
      Warning: After you load the certificates and verify that the connection can be created, the local copies of the certificates are not needed. You must permanently delete these files for security reasons.
    11. Click to save your configuration changes.
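The binary transfer in step 1 and the URL field in step 2 are easy to get wrong in ways that only surface later as a failed Test Connection. The following Python script is an added example, not part of this documentation or of the plug-in: it parses the outer ASN.1 structure of the two files the FTP step produces (server_cert.p12 and server_ca.der, names assumed from that step) to confirm that each is a DER-encoded PKCS#12 file or X.509 certificate whose declared length matches the file size, which is exactly the property an ASCII-mode transfer destroys, and it builds the file:/// URL the trust store URL field expects from a Linux or Windows workstation path. The sample byte strings are constructed stand-ins with the correct outer structure, not real certificates.

```python
"""Sanity-check certificate files transferred from z/OS before loading them
into a BWCP trust store.  Added example; not part of the product documentation.
File names (server_cert.p12, server_ca.der) are assumed from the FTP step."""
from pathlib import Path


def der_tlv(buf, pos):
    """Decode one DER tag-length-value starting at `pos`.
    Returns (tag, value_start, value_end); raises ValueError on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length: low bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("value runs past end of data")
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside [start, end)."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def classify(data):
    """Return 'pkcs12', 'x509-der', 'pem' or 'corrupt'.

    A DER file that survived a binary transfer starts with a SEQUENCE (0x30)
    whose declared length covers exactly the rest of the file.  Text-mode FTP
    (EBCDIC->ASCII translation, CR/LF insertion) breaks that invariant."""
    if data.startswith(b"-----BEGIN"):
        return "pem"
    try:
        tag, vstart, vend = der_tlv(data, 0)
        if tag != 0x30 or vend != len(data):
            return "corrupt"
        children = list(der_children(data, vstart, vend))
    except ValueError:
        return "corrupt"
    tags = [c[0] for c in children]
    # PFX ::= SEQUENCE { version INTEGER (3), authSafe ContentInfo, macData OPTIONAL }
    if len(tags) >= 2 and tags[0] == 0x02 and tags[1] == 0x30:
        _, s, e = children[0]
        if data[s:e] == b"\x03":
            return "pkcs12"
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature BIT STRING }
    if tags == [0x30, 0x30, 0x03]:
        return "x509-der"
    return "corrupt"


def check_transfer(p12_bytes, ca_bytes):
    """Confirm the two files the FTP step produced are what their names claim."""
    return {"server_cert.p12": classify(p12_bytes), "server_ca.der": classify(ca_bytes)}


def check_files(p12_path="server_cert.p12", ca_path="server_ca.der"):
    """Same check, reading the files from the workstation directory."""
    return check_transfer(Path(p12_path).read_bytes(), Path(ca_path).read_bytes())


def keystore_url(path):
    """Build the file:/// URL for the trust store URL field from a workstation
    path; C:\\certs\\server_cert.p12 on Windows becomes file:///C:/certs/server_cert.p12."""
    return Path(path).resolve().as_uri()


def der(tag, content):
    """Encode one TLV (constructed test helper, lengths below 65536)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


# Constructed stand-ins with the outer structure of a PFX and a certificate (not real keys).
SAMPLE_P12 = der(0x30, der(0x02, b"\x03") + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01")))
SAMPLE_CA_DER = der(0x30, der(0x30, der(0x02, b"\x01") + der(0x30, b""))
                    + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
                    + der(0x03, b"\x00\xaa\xbb"))
# What a text-mode transfer typically does to a binary file: adds line endings.
ASCII_MODE_COPY = SAMPLE_CA_DER.replace(b"\x0a", b"\x0d\x0a") + b"\x0d\x0a"

if __name__ == "__main__":
    print(check_transfer(SAMPLE_P12, SAMPLE_CA_DER))  # both files well-formed
    print(classify(ASCII_MODE_COPY))                  # corrupt: length mismatch
    print(keystore_url("/certs/server_cert.p12"))
```

Run check_files() in the directory holding the two downloaded files; anything other than pkcs12 for the .p12 and x509-der for the .der means the transfer should be repeated in binary mode before the files are loaded into the trust store.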