Enabling HTTPS Security on the HTTP Listener for PDS
If you are using RACF, a private key must be generated together with the certificate. The generated key must be of type RSA. The supported private key size is up to 4096 bits.
Generating the Certificate and Key
- Generating the Certificate. You can generate the certificate using the TSO RACDCERT command with options GENCERT (generate certificate) or GENREQ (generate certificate request). For example:
    RACDCERT GENCERT SUBJECTSDN(CN('Workspace Manager') -
      OU('IOD') -
      O('IBI') -
      C('US')) -
      SIZE(2048) -
      NOTAFTER(DATE(2026-12-01)) -
      ID(JOBOWNID) -
      RSA -
      WITHLABEL('IBIcert')
    SETROPTS RACLIST(DIGTCERT) REFRESH
- Creating the Key Ring. You can create the key ring using the RACDCERT ADDRING command. For example:
    RACDCERT ADDRING(IBIring1) ID(JOBOWNID)
- Connecting the Certificate to the Key Ring. You can connect the certificate to a ring using the RACDCERT CONNECT command. For example:
    RACDCERT CONNECT(LABEL('IBIcert') DEFAULT RING(IBIring1)) -
      ID(JOBOWNID)
The ID owner of all objects is the same. It must be the owner ID of the server job. In these examples, the value JOBOWNID is used arbitrarily.
The following JCL shows how to run the RACDCERT command in batch:
//*** JOB CARD *************
//********************************************************
//STEP1 EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN DD *
RACDCERT LIST ID(JOBOWNID)
For detailed information and options of the RACDCERT command, see the IBM document z/OS Security Server RACF Command Language Reference.
TLS 1.3 SSL Protocol Requirements
The TLS 1.3 protocol requires that additional RACF permissions be given to the users and/or groups connecting to the WebFOCUS Reporting Server. READ permission must be given to the CSFOWH resource in the CSFSERV class, CSFOWH CL(CSFSERV).
If you do not plan to use the default of TLS 1.3, you can force the WebFOCUS Reporting Server to use TLS 1.2 by adding the following parameter to the edaserve.cfg file:
ssl_protocol = tls_1_2
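The RACF steps above and the CSFOWH permission, combined into one batch job with two listing commands at the end to confirm the result. This is an added example, not part of the original documentation; the group name WFUSERS is hypothetical, and the PERMIT command assumes a CSFOWH profile already exists in the CSFSERV class.

```jcl
//*** JOB CARD *************
//* Added example: certificate, key ring and CSFOWH permission in one
//* batch TSO step. JOBOWNID is the page's sample owner ID; WFUSERS is
//* a hypothetical group of users who connect to the server.
//* Assumption: a CSFOWH profile is already defined in class CSFSERV.
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT GENCERT SUBJECTSDN(CN('Workspace Manager') -
    OU('IOD') -
    O('IBI') -
    C('US')) -
    SIZE(2048) -
    NOTAFTER(DATE(2026-12-01)) -
    ID(JOBOWNID) -
    RSA -
    WITHLABEL('IBIcert')
  SETROPTS RACLIST(DIGTCERT) REFRESH
  RACDCERT ADDRING(IBIring1) ID(JOBOWNID)
  RACDCERT CONNECT(LABEL('IBIcert') DEFAULT RING(IBIring1)) -
    ID(JOBOWNID)
  PERMIT CSFOWH CLASS(CSFSERV) ID(WFUSERS) ACCESS(READ)
  SETROPTS RACLIST(CSFSERV) REFRESH
  RACDCERT LIST(LABEL('IBIcert')) ID(JOBOWNID)
  RACDCERT LISTRING(IBIring1) ID(JOBOWNID)
/*
```

In the SYSTSPRT output, the LISTRING report should show IBIcert connected to IBIring1 as the default certificate, and the LIST report should show the expected end date and key size.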
Enabling HTTPS
Once the key ring and label are created, to enable HTTPS:
- Go to the WebFOCUS Reporting Server browser interface Workspace page.
- Expand Special Services and Listeners.
- Right-click TCP/HTTP and click Properties of HTTP.
The Listener Configuration page opens.
- Expand the Security section.
- In the Enable HTTPS drop-down list, select Yes.
Additional fields open in which you can enter the certificate label and key ring values you defined using the RACDCERT commands.
    SSL_CERTIFICATE = keyring
    SSL_LABEL = certificate
- Click Save and Restart Server.