Table of Contents

Search

  1. Preface
  2. Introduction to PowerExchange
  3. DBMOVER Configuration File
  4. Netport Jobs
  5. PowerExchange Message Logs and Destination Overrides
  6. SMF Statistics Logging and Reporting
  7. PowerExchange Security
  8. Secure Sockets Layer Support
  9. PowerExchange Alternative Network Security
  10. PowerExchange Nonrelational SQL
  11. PowerExchange Globalization
  12. Using the PowerExchange ODBC Drivers
  13. PowerExchange Datatypes and Conversion Matrix
  14. Appendix A: DTL__CAPXTIMESTAMP Time Stamps
  15. Appendix B: PowerExchange Glossary

PowerExchange SSL Configuration Steps

PowerExchange SSL Configuration Steps

Before you begin SSL configuration for PowerExchange, your organization should have a local CA certificate from a well-known CA vendor. A self-signed CA certificate can be generated instead for internal use, such as connections within your organization's network or internal testing.
The steps described in this task should be performed by security administrators. Security administrators have specific permissions and system access that allow them to generate and manage security certificates and policy files.
All certificates created for use with PowerExchange must be generated to the X.509 standard. For example, the PKCS7 format meets the X.509 standard, so it can be used to generate the certificates.
To implement SSL support in PowerExchange, complete the following tasks:
  1. Configure each z/OS server.
    1. Configure the DBMOVER file for the PowerExchange Listener and specify the ports to be used for secure connections.
    2. Update the rules in AT-TLS policy file specifying the job names and ports to be used for secure connections.
    3. Create a personal certificate.
  2. Configure each Linux, UNIX, Windows or IBM i machine.
    1. Create a CA certificate.
    2. Create a personal certificate.
    3. Customize the DBMOVER configuration file on the server.
  3. If remote peer certificate validation is performed, then the Certificate Authority that issued the remote certificate must be present as a trusted CA in the local system:
    1. On z/OS, remote peer certificate validation is performed if the AT-TLS rule specifies a Handshake Role of "ServerWithClientAuth" while no remote peer certificate validation is performed if the AT-TLS rule specifies a Handshake Role of "Server".
    2. On non- Z/OS listeners, remote peer certificate validation is performed according to the SSL_REQ_CLNT_CERT parameter.
    3. On Linux, UNIX, and Windows clients, remote peer certificate validation is performed according to the SSL_REQ_SRVR_CERT parameter.
  4. Verify the secure connections between PowerExchange clients and servers using DTLREXE PING.