Table of Contents

Search

  1. Preface
  2. Introduction to PowerExchange
  3. DBMOVER Configuration File
  4. Netport Jobs
  5. PowerExchange Message Logs and Destination Overrides
  6. SMF Statistics Logging and Reporting
  7. PowerExchange Security
  8. Secure Sockets Layer Support
  9. PowerExchange Alternative Network Security
  10. PowerExchange Nonrelational SQL
  11. PowerExchange Globalization
  12. Using the PowerExchange ODBC Drivers
  13. PowerExchange Datatypes and Conversion Matrix
  14. Appendix A: DTL__CAPXTIMESTAMP Time Stamps
  15. Appendix B: PowerExchange Glossary

SSL Statement

SSL Statement

The SSL statement specifies SSL certificate information for a Secure Sockets Layer (SSL) connection.
Linux, UNIX, and Windows
SSL_ALLOW_SELFSIGNED, SSL_CIPHER_LIST, SSL_CONTEXT_METHOD, SSL_REQ_CLNT_CERT, and SSL_REQ_SRVR_CERT
No
SSL=({PASS=
passphrase
|EPASS=
encrypted_passphrase
} ,KEY=
key
,{CALIST=
calist
|CAPATH=
directory
} )
PASS=
passphrase
Required if you do not specify the EPASS option. The passphrase used to make an SSL connection.
EPASS=
encrypted_passphrase
Required if you do not specify the PASS option. The encrypted passphrase used to make a TLS connection.
You can create an encrypted passphrase in the PowerExchange Navigator by selecting
File
Encrypt Password
.
KEY=
key
Required. The fully qualified directory path and file name for the SSL key file that is used for the SSL connection. When this parameter is specified, the client keystore is validated during the initial connection handshake.
CALIST=
calist
The fully qualified path and file name of the Certificate Authority list (CALIST) for the SSL connection. The CALIST lists trusted certificates that are stored in the truststore. You must specify either CALIST or CAPATH.
CAPATH=
directory
The location of the truststore for trusted certificates:
  • On Linux or UNIX, enter the trusted CA directory of the OpenSSL installation.
  • On Windows, enter the certs directory of the OpenSSL installation.
You must specify either CALIST or CAPATH.
IBM i
SSL_ALLOW_SELFSIGNED, SSL_CIPHER_LIST, SSL_CONTEXT_METHOD, and SSL_REQ_CLNT_CERT
No.
SSL=(CERTIFICATE_LOCATION=KDB_certificate_file_location,KEY_LABEL=private_key_label)
CERTIFICATE_LOCATION=
certificate_KDB _file_location
Required. Specifies the fully-qualified KDB file, which is also used to access the certificate in IBM Navigator for i. Example:
/home/MYUSER/certificates/MYUSER_server.kdb
KEY_LABEL=
private_key_label
Required. Specifies the key label, which can be seen in IBM Navigator for i.
z/OS
On z/OS for the PWXUGSK utility CMD=PING. SSL statements on z/OS are rejected unless used by the PWXUGSK utility.
SSL_ALLOW_SELFSIGNED, SSL_CIPHER_LIST, SSL_CONTEXT_METHOD, SSL_REQ_CLNT_CERT, and SSL_REQ_SRVR_CERT
SSL=(CERTIFICATE_LOCATION=ATTLS_keyring,KEY_LABEL=INFACert1)
On z/OS, the DBMOVER configuration file used by PWXUGSK for PING commands must be different from the DBMOVER configuration file that is used by everything else. SSL statements are not allowed in the DBMOVER file used for the PowerExchange Listener and utilities because they are ignored and secure connections are made through the AT-TLS proxy. However, when the PWXUGSK utility exercises the PING command, it calls GSK functions, which requires SSL statements that are similar to those used on IBM i.
CERTIFICATE_LOCATION=
ATTLS_keyring
Required. Specifies the certificate location, which should match what is specified in the AT-TLS policy file. The certificate can be in a RACF key ring.
KEY_LABEL=
private_cert_label
Required. Specifies the key label for the private key.
For more information about the PWXUGSK utility, see the
PowerExchange Utilities Guide
.