Author Topic: SSL on z/OS  (Read 10585 times)

Greg Ira

  • Full Member
  • ***
  • Posts: 238
    • View Profile
SSL on z/OS
« on: March 11, 2016, 07:22:37 AM »
Has anyone set up SSL on a z/OS CMOD server (V9.5)?  Documentation is rather sparse regarding this and I'm quite unfamiliar with SSL in general.  I think I've managed to set up the keyring file and stash file but I seem to be stuck getting beyond this point.  For example, based on the config guide there is no way to specify a port for SSL.  Any help would be appreciated.

Thanks
Greg

Justin Derrick

  • IBM Content Manager OnDemand Consultant
  • Administrator
  • Hero Member
  • *****
  • Posts: 2138
  • CMOD Guru for hire...
    • View Profile
    • Tenacious Consulting
Re: SSL on z/OS
« Reply #1 on: March 11, 2016, 08:04:36 AM »
There's a document on how to do it, although it's rather incomplete. 

https://developer.ibm.com/answers/storage/temp/4321-using-ssl-with-ibm-content-manager-ondemand.pdf

The most important tip I can give you is that you *MUST* use one the certificates listed in the PDF which are accepted by default with the IBM GSKit.  Getting third party (or self-signed/internal) certificates working is painful, and there appears to be little to no documentation on adding new certificates to the Thick Client.  (I didn't do the ODWEK piece, but I imagine that is equally nightmarish.)

As for assigning the port number, it's in the PDF link above, I think the parameter for ars.cfg is SSL_PORT.



IBM CMOD Professional Services: http://TenaciousConsulting.com
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/
FREE IBM CMOD Education & Webinars:  https://CMOD.Training/

Interests: #AIX #Linux #Multiplatforms #DB2 #TSM #SP #Performance #Security #Audits #Customizing #Availability #HA #DR

Greg Ira

  • Full Member
  • ***
  • Posts: 238
    • View Profile
Re: SSL on z/OS
« Reply #2 on: March 11, 2016, 09:39:37 AM »
Thanks!   That's a lot more than I had before.  I'll run through it and see what I can do.  Thanks for the tips as well.

Ed_Arnold

  • Hero Member
  • *****
  • Posts: 1144
    • View Profile
Re: SSL on z/OS
« Reply #3 on: March 15, 2016, 08:46:49 AM »
Hello Greg --- tons of disclaimers, this isn't my procedure, but you might give this a try:

Setting up RACF with a self-signed certificate.

From TSO option 6 run these series of RACF commands
For ARSSOC95 STC that runs under userid ARSSV950.


1. create a self-signed certificate:

RACDCERT CERTAUTH GENCERT                   
  SUBJECTSDN(CN('ARSSOC95') O('IBM') C('US'))
    WITHLABEL('ARSSOC95.CERT') ID(ARSSV950)


2. create ring (since one does not exist as far as I know)

RACDCERT ID(ARSSV950) ADDRING(ARSSOC95.SSLRING)

3. Connect certificate to the ring:

RACDCERT ID(ARSSV950) CONNECT(ID(ARSSV950) LABEL('ARSSOC95.CERT')
RING(ARSSOC95.SSLRING) DEFAULT)
                                   

4. Not necessary but why not see what we have by listing the certificate

RACDCERT ID(ARSSV950) LIST

Gives you this info

Digital certificate information for user ARSSV950:     
                                                       
  Label: ARSSOC95.CERT                                 
  Certificate ID: 2QjB2eLi5fn18MHZ4uLWw/n1S8PF2eNA     
  Status: TRUST                                       
  Start Date: 2016/03/03 00:00:00                     
  End Date:   2017/03/03 23:59:59                     
  Serial Number:                                       
       >00<                                           
  Issuer's Name:                                       
       >CN=ARSSOC95.O=IBM.C=US<                       
  Subject's Name:                                     
       >CN=ARSSOC95.O=IBM.C=US<                       
  Signing Algorithm: sha1RSA                           
  Key Type: RSA                                       
  Key Size: 1024                                       
  Private Key: YES                                     
  Ring Associations:                                   
    Ring Owner: ARSSV950                               
    Ring:                                             
       >ARSSOC95.SSLRING<       


5. Export the certificate to a dataset.

RACDCERT ID(ARSSV950) EXPORT(LABEL('ARSSOC95.CERT')) DSN(CERT.TEXT) 
 FORMAT(CERTB64) 

 
 Now I have dataset:    MYUSER.CERT.TEXT
 
 Taking a peek inside I see
 
-----BEGIN CERTIFICATE-----                                     
 MIICNDCCAZ2gAwIBAgIBADANBgkqhkiG9w0BAQUFADAuMQswCQYDVQQGEwJVUzEM
 MAoGA1UEChMDSUJNMREwDwYDVQQDEwhBUlNTT0M5NTAeFw0xNjAzMDMwNTAwMDBa
 Fw0xNzAzMDQwNDU5NTlaMC4xCzAJBgNVBAYTAlVTMQwwCgYDVQQKEwNJQk0xETAP
 BgNVBAMTCEFSU1NPQzk1MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJT776
 /4A3NQJiWqU0XCwcJxxxu0R8/ddxVKS7AibVN/GBDzugjbLcVFyWs0dCGiWiL3kZ
 KRniG54qqfzW2mneDnUB/UfoLH7HZoLKPWrmqmFK8v23ZxvmHzuJ2Rbz2ZjCvkH0
 ZMa7JZmUDvcH8R08N46U65x6rVZsDNHHRllmXQIDAQABo2IwYDA/BglghkgBhvhC
 AQ0EMhYwR2VuZXJhdGVkIGJ5IHRoZSBTZWN1cml0eSBTZXJ2ZXIgZm9yIHovT1Mg
 KFJBQ0YpMB0GA1UdDgQWBBRH4N+n1DfX+rerRHzi3zJ/0oa9yzANBgkqhkiG9w0B
 AQUFAAOBgQBGm2dADvz/uZeerFtFmdzUdo821Hfsts+h/TEEot0QEztlQJfyxgNK
 mlwNuZhanujXaKKp00eXQYLTT1NGlSRA/nLs7OC60IKIYCGTaR6CNR2NDiBiNeuY
 6TU/bVxOdEEtMtij4LmuTnVmOdtO954vmxKD3H0ELrwox2v9+T7ywg==         
-----END CERTIFICATE-----   
     

Setting up the ARSSOC95 server with SSL port

1. Edit ars.ini and for ARCH950 instance add these lines.

SSL_PORT=11449
SSL_KEYRING_FILE=ARSSOC95.SSLRING
SSL_KEYRING_LABEL=ARSSOC95.CERT


2. Restart ARSSOC95 to pick up the ars.ini change.


Set up the client for SSL.

       
1. Get the certificate from z/OS to the desktop via FTP

open command window in the directory:   C:\Program Files (x86)\IBM\OnDemand Clients\V9.5\config

ascii ftp to get certificate into that directory.


C:\Program Files (x86)\IBM\OnDemand Clients\V9.5\config>ftp host.xxx.com
Connected to host.xxx.com.
220-FTPD1 IBM FTP CS V2R1 at HOST.XXX.COM, 08:56:18 on 2016-03-04.
220 Connection will close if idle for more than 5 minutes.
User (host.xxx.com:(none)): myuser
331 Send password please.
Password:
230 MYUSER is logged on.  Working directory is "MYUSER.".
ftp> ascii
200 Representation type is Ascii NonPrint
ftp> get 'MYUSER.CERT.TEXT' cert.txt
200 Port request OK.
125 Sending data set MYUSER.CERT.TEXT
250 Transfer completed successfully.
ftp: 840 bytes received in 0.00Seconds 420.00Kbytes/sec.
ftp> quit
221 Quit command received. Goodbye.

2. While still in the command window add the gsk8 directories to the path.

C:\Program Files (x86)\IBM\OnDemand Clients\V9.5\config>set PATH=%PATH%;C:\Program Files (x86)\IBM\gsk8\bin;C:\Program Files (x86)\IBM\gsk8\lib

3.  Now to perform some gskit magic.


C:\Program Files (x86)\IBM\OnDemand Clients\V9.5\config>gsk8capicmd -keydb -create -db "ondemand.kdb" -pw "myKeyDBpasswd" -stash -populate

C:\Program Files (x86)\IBM\OnDemand Clients\V9.5\config>gsk8capicmd -cert -add -db "ondemand.kdb" -pw "myKeyDBpasswd" -label "ARSSOC95.CERT"
 -file cert.txt -format ascii



4.  Time to configure the client. 

Change to the port number specified above for SSL,  SSL_PORT=11449,  and check the "Use Secure Sockets Layer" check box.



Give that a try.

Ed
« Last Edit: January 19, 2017, 07:06:36 AM by Ed_Arnold »
#zOS #ODF

Justin Derrick

  • IBM Content Manager OnDemand Consultant
  • Administrator
  • Hero Member
  • *****
  • Posts: 2138
  • CMOD Guru for hire...
    • View Profile
    • Tenacious Consulting
Re: SSL on z/OS
« Reply #4 on: March 15, 2016, 06:21:08 PM »
3.  Now to perform some gskit magic.

I think this may be most documentation for configuring the CMOD client for SSL anywhere on the planet.

I went through this configuring-CMOD-with-self-signed-certficates-from-a-corporate-certificate-authority two years ago, and it was brutal.

-JD.
IBM CMOD Professional Services: http://TenaciousConsulting.com
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/
FREE IBM CMOD Education & Webinars:  https://CMOD.Training/

Interests: #AIX #Linux #Multiplatforms #DB2 #TSM #SP #Performance #Security #Audits #Customizing #Availability #HA #DR

Ed_Arnold

  • Hero Member
  • *****
  • Posts: 1144
    • View Profile
Commands for listing Certificate Information on the Client
« Reply #5 on: March 16, 2016, 09:54:52 AM »
C:\Program Files (x86)\IBM\OnDemand Clients\V9.5\config>set PATH=%PATH%;C:\Program Files (x86)\IBM\gsk8\bin;C:\Program Files (x86)\IBM\gsk8\lib


C:\Program Files (x86)\IBM\OnDemand Clients\V9.5\config>gsk8capicmd -cert -list -db ondemand.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
!       "Entrust.net Secure Server Certification Authority"
!       "Entrust.net Certification Authority (2048)"
!       "Entrust.net Client Certification Authority"
!       "Entrust.net Global Client Certification Authority"
!       "Entrust.net Global Secure Server Certification Authority"
!       "VeriSign Class 1 Public Primary Certification Authority"
!       "VeriSign Class 2 Public Primary Certification Authority"
!       "VeriSign Class 3 Public Primary Certification Authority"
!       "VeriSign Class 1 Public Primary Certification Authority - G2"
!       "VeriSign Class 2 Public Primary Certification Authority - G2"
!       "VeriSign Class 3 Public Primary Certification Authority - G2"
!       "VeriSign Class 4 Public Primary Certification Authority - G2"
!       "VeriSign Class 1 Public Primary Certification Authority - G3"
!       "VeriSign Class 2 Public Primary Certification Authority - G3"
!       "VeriSign Class 3 Public Primary Certification Authority - G3"
!       "VeriSign Class 3 Public Primary Certification Authority - G5"
!       "VeriSign Class 4 Public Primary Certification Authority - G3"
!       "Thawte Primary Root CA"
!       "Thawte Primary Root CA - G2 ECC"
!       "Thawte Server CA"
!       "Thawte Premium Server CA"
!       "Thawte Personal Basic CA"
!       "Thawte Personal Freemail CA"
!       "Thawte Personal Premium CA"
!       ARSSOC95.CERT



C:\Program Files (x86)\IBM\OnDemand Clients\V9.5\config>gsk8capicmd -cert -details -db ondemand.kdb -stashed -label ARSSOC95.CERT

Label : ARSSOC95.CERT
Key Size : 1024
Version : X509 V3
Serial : 00
Issuer : CN=ARSSOC95,O=IBM,C=US
Subject : CN=ARSSOC95,O=IBM,C=US
Not Before : March 2, 2016 9:00:00 PM PST
Not After : March 3, 2017 8:59:59 PM PST


Ed
#zOS #ODF

Greg Ira

  • Full Member
  • ***
  • Posts: 238
    • View Profile
Re: SSL on z/OS
« Reply #6 on: March 16, 2016, 11:44:29 AM »
Thanks Ed.  Good info

Greg Ira

  • Full Member
  • ***
  • Posts: 238
    • View Profile
Re: SSL on z/OS
« Reply #7 on: March 24, 2016, 06:11:16 AM »
Ed,
 Do you know if the method of defining the keyring and cert through RACF should work even if we are only using CMOD internal security and don't have ARSUSECZ enabled?

Ed_Arnold

  • Hero Member
  • *****
  • Posts: 1144
    • View Profile
Re: SSL on z/OS
« Reply #8 on: March 24, 2016, 07:06:11 AM »
Ed,
 Do you know if the method of defining the keyring and cert through RACF should work even if we are only using CMOD internal security and don't have ARSUSECZ enabled?

As Calvin of Calvin and Hobbes would say, "Oog."

In other words that's a set up that I haven't heard of anyone trying yet.

Ed
#zOS #ODF

Ed_Arnold

  • Hero Member
  • *****
  • Posts: 1144
    • View Profile
Some SSL client stuff
« Reply #9 on: March 30, 2016, 11:14:58 AM »
If you're going to work with SSL at all the easiest thing to do is to put the bin and lib in the PATH variable for the system.

For example, here on my work laptop, this is my PATH variable:

C:\Program Files\Intel\WiFi\bin\;C:\Program Files\Common Files\Intel\WirelessCommon\;C:\Program Files (x86)\IBM\gsk8\bin;C:\Program Files (x86)\IBM\gsk8\lib

Note the semicolons separating the entries.
_____________

To verify that the PATH is set up correctly, whether you do it dynamically or via the PATH environment variable, open up a command prompt (no need to cd anywhere) and type in:

gsk8capicmd -version

If that doesn't provide a reasonable answer then cd to where you have the dll's installed and try that command again.  On my system that would be

C:\Program Files (x86)\IBM\gsk8\lib\

If it works this time then you have a PATH problem.
______

If you don't have a PATH problem Level 2 will probably want the output of the following command (found in the \lib directory):

gsk8ver (or gsk8ver_64 if it is 64-bit Windows)
______

Side note:  I tried this with the just released 9.5.0.5 Windows Client and everything works fine.

Ed


 
« Last Edit: March 30, 2016, 11:21:00 AM by Ed_Arnold »
#zOS #ODF

Greg Ira

  • Full Member
  • ***
  • Posts: 238
    • View Profile
Re: SSL on z/OS
« Reply #10 on: April 27, 2016, 07:11:06 AM »
Just as a follow up to this.  We finally got this working so I tried consolidating the information into a single document (attached).
Thanks for everyone's assistance on this.

jeff44

  • Newbie
  • *
  • Posts: 2
    • View Profile
Re: SSL on z/OS
« Reply #11 on: July 23, 2018, 11:04:40 AM »
Hi Ed (and all)
Do you know if this works with a SITE certificate? We'd like to share the cert for batch usage.
Thanks!

Ed_Arnold

  • Hero Member
  • *****
  • Posts: 1144
    • View Profile
Re: SSL on z/OS
« Reply #12 on: July 24, 2018, 07:59:58 AM »
Hi Ed (and all)
Do you know if this works with a SITE certificate? We'd like to share the cert for batch usage.
Thanks!

Jeff - is what you're doing basically the same thing that I did here:

http://www.odusergroup.org/forums/index.php?topic=2296

Ed
#zOS #ODF

Ed_Arnold

  • Hero Member
  • *****
  • Posts: 1144
    • View Profile
Re: SSL on z/OS
« Reply #13 on: July 24, 2018, 02:51:22 PM »
Jeff -

z/OS Security Server RACF Security Administrator's Guide

Quote
Site certificate
A certificate that is associated with an off-platform server or other network
entity, such as a peer VPN server. This category of certificate can also be
used to share a single certificate and its private key among multiple RACF
user IDs. When used for sharing, a certificate might be referred to as a
placeholder certificate.

When googling, I found this:

RACF and SSL Security With Digital Certificates

http://ibmsystemsmag.com/CMSTemplates/IBMSystemsMag/Print.aspx?path=/mainframe/tipstechniques/systemsmanagement/RACF-and-SSL-Security-With-Digital-Certificates

Is what you're trying to do the same problem as an FTP client connecting to an FTP server on the same LPAR?

Quote
When using FTP under z/OS to connect to a remote system (whether itís another z/OS system or not), and still using only server certificates, our client again needs to have knowledge of the remote serversí certificate in order to validate it.

Ah, but isn't what you're trying to do to connect to a local system?

Quote
...youíll have been given the CA certificate for the site to which youíre connecting.

Could it possibly be as easy as the RACF commands under here:

Quote
To accept a self-signed certificate from a server, use the following RACF definitions:

These are really RACF questions.  There used to be a RACF user group out on the forums, I believe.  Maybe ask on IBM-MAIN?

Be sure to watch the system console for RACF error messages like the one I received for  "INSUFFICIENT ACCESS AUTHORITY".

Please let us know what you've tried.

Ed





« Last Edit: July 25, 2018, 10:22:23 AM by Ed_Arnold »
#zOS #ODF

Nolan

  • Global Moderator
  • Full Member
  • *****
  • Posts: 150
    • View Profile
Re: SSL on z/OS
« Reply #14 on: August 01, 2018, 10:18:42 AM »
Thanks all for posting this very timely guide.  I am setting it up now in our shop and will advise of surprises or updates required.

The only thing I have noted is that my gsk8 exe files are in the bin path and the dlls are in the lib path.  I had to copy the exe to the lib path to run commands.
J.

#zOS #AIX #Windows #Multiplatforms
#DB2 #TSM #ODF #zODF #ODWEK
#CapacityPlanning #AFP #ReportDistribution
#Finance #ICN