Working with SSL/TLS on z/OS
This information describes how you set up and work with Transport Layer Security (TLS) on z/OS®.
Each topic includes examples of performing each task using RACF®. You can perform similar tasks using the other external security managers.
On z/OS, you must also set the number of server subtasks that each queue manager uses for processing TLS calls, as described in Set the SSLTASKS parameter on z/OS.
z/OS TLS support is integral to the operating system, and is known as System SSL. System SSL is part of the Cryptographic Services Base element of z/OS. The Cryptographic Services Base members are installed in the pdsname.SIEALNKE partitioned data set (PDS). When you install System SSL, ensure that you choose the appropriate options to provide the CipherSpecs that you require.
Additional user ID requirements for TLS on z/OS
This information describes the additional requirements your user ID needs to set up and work with TLS on z/OS.
Set the SSLTASKS parameter on z/OS
Use the ALTER QMGR command to set the number of server subtasks for processing TLS calls
Set up a key repository on z/OS
Set up a key repository at both ends of the connection. Associate each key repository with its queue manager.
Locating the key repository for a queue manager on z/OS
Use this procedure to obtain the location of your queue manager's key ring.
Specifying the key repository location for a queue manager on z/OS
To specify the location of your queue manager's key ring, use the ALTER QMGR MQSC command to set your queue manager's key repository attribute.
Giving the channel initiator the correct access rights on z/OS
The channel initiator (CHINIT) needs access to the key repository and to certain security profiles.
When changes to certificates or the key repository become effective on z/OS
Changes become effective when the channel initiator starts or the repository is refreshed.
Creating a self-signed personal certificate on z/OS
Use this procedure to create a self-signed personal certificate.
Requesting a personal certificate on z/OS
Apply for a personal certificate using RACF.
Creating a RACF signed personal certificate
RACF can function as a certificate authority and issue its own CA certificate.
Add personal certificates to a key repository on z/OS
Use this procedure to add or import a personal certificate to a key ring.
Exporting a personal certificate from a key repository on z/OS
Export the certificate using the RACDCERT command.
Delete a personal certificate from a key repository on z/OS
Delete a personal certificate using the RACDCERT command.
Renaming a personal certificate in a key repository on z/OS
Rename a certificate using the RACDCERT command.
Associating a user ID with a digital certificate on z/OS
IBM MQ can use a user ID associated with a RACF certificate as a channel user ID. Associate a user ID with a certificate by installing it under that user ID, or using a Certificate Name Filter.
Defining a sender channel and transmission queue on QMA on z/OS
Use the DEFINE CHANNEL and DEFINE QLOCAL commands to set up the required objects.
Defining a receiver channel on QMB on z/OS
Use the DEFINE CHANNEL command to set up the required object.
Starting the sender channel on QMA on z/OS
If necessary, start a listener program and refresh security. Then start the channel using the START CHANNEL command.
Exchanging self-signed certificates on z/OS
Exchange the certificates you previously extracted. If you use FTP, use the correct format.
Defining a sender channel and transmission queue on QM1 on z/OS
Use the DEFINE CHANNEL and DEFINE QLOCAL commands to set up the required objects.
Defining a receiver channel on QM2 on z/OS
Use the DEFINE CHANNEL command to set up the required object.
Starting the sender channel on QM1 on z/OS
If necessary, start a listener program and refresh security. Then start the channel using the START CHANNEL command.
Refreshing the SSL or TLS environment on z/OS
Refresh the TLS environment on queue manager QMA using the REFRESH SECURITY command.
Allowing anonymous connections on a receiver channel on z/OS
Use the ALTER CHANNEL command to make SSL or TLS client authentication optional.
Starting the sender channel on QM1 on z/OS
If necessary, start the channel initiator, start a listener program, and refresh security. Then start the channel using the START CHANNEL command.
Starting the sender channel on QMA on z/OS
If necessary, start the channel initiator, start a listener program, and refresh security. Then start the channel using the START CHANNEL command.