The LISTENER statement specifies the parameters for a PowerExchange Listener that runs in SSL mode:
LISTENER=(node,TCPIP,port_number,,,16384,16384,,,SSL)
To avoid command failure, keep the SSL parameter in its relative position: it is the tenth positional parameter, and six positional parameters (the fourth through the ninth, of which the sixth and seventh carry the packet sizes) separate it from the port number. Dropping any of the intervening commas shifts SSL into the wrong position.
For good performance, the packet sizes specified in comma positions 6 and 7 of the LISTENER statement must not exceed 16384.
You can run separate PowerExchange Listeners in SSL mode and non-SSL mode. For example, you might run a PowerExchange Listener in non-SSL mode on port 13131 to connect to the PowerExchange Navigator and PowerCenter Developer, and another in SSL mode on port 13132 to connect to the PowerCenter Integration Service. In this case, the DBMOVER file includes the following statements; only the second carries the SSL parameter:
LISTENER=(node1,TCPIP,13131)
LISTENER=(node1,TCPIP,13132,,,16384,16384,,,SSL)
The SSL statement specifies the SSL certificate that you use to make the SSL connection:
SSL=({PASS=passphrase|EPASS=encrypted_passphrase},KEY=privatekey.pem,{CALIST=calist|CAPATH=directory})
PASS stores the passphrase in cleartext in the DBMOVER file; EPASS stores it in encrypted form and is the better choice wherever the file can be read by other users. The KEY and CALIST parameters must fully qualify the path and file names of the private key file and the CA list file. If you use the CAPATH parameter, it must fully qualify the path to the truststore directory. For more information, see SSL Statement.
Authentication Statements
The SSL_REQ_CLNT_CERT statement in the DBMOVER file of the SSL server determines whether the server requires client authentication. When you configure an SSL server to require client authentication, the server requests the client's personal certificate together with the CA certificates that sign it. The server checks that the client's personal certificate is within its validity period and is signed by a certificate authority in the server's CA list.
Use the following syntax:
SSL_REQ_CLNT_CERT={N|Y}
SSL_REQ_CLNT_CERT=Y has a similar meaning to the Handshake Role of "ServerWithClientAuth" in an AT-TLS rule on z/OS.
When the client requires authentication of server certificates, the SSL_ALLOW_SELFSIGNED statement in the client's DBMOVER file specifies whether a self-signed certificate is sufficient to authenticate the server. Use the following syntax:
SSL_ALLOW_SELFSIGNED={N|Y}
With N, the server certificate must chain to a certificate authority in the client's CA list; set Y only where a self-signed server certificate is acceptable, because it removes that CA check.
If you configure the server to require authentication of client certificates, you must make the CA certificates that sign the client certificates available to the server. Perform the following actions:
1. Copy the CA certificates to the server machine.
2. Install the certificates using the appropriate program, such as OpenSSL, either as a single CA list file (for CALIST) or in a truststore directory (for CAPATH).
3. In the DBMOVER file, update the CALIST or CAPATH parameter of the SSL statement to point to the CA certificates.
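As an added example (not part of the PowerExchange product or its documentation), the following Python script checks a DBMOVER fragment against the rules stated in the LISTENER, SSL and authentication-statement sections above: the SSL parameter in comma position 10, packet sizes in positions 6 and 7 not above 16384, exactly one of PASS/EPASS and of CALIST/CAPATH, fully qualified KEY, CALIST and CAPATH values, Y or N for SSL_REQ_CLNT_CERT and SSL_ALLOW_SELFSIGNED, and CA certificates configured whenever client authentication is required. It assumes one NAME=value statement per line, that lines beginning with /* are comments, and that "fully qualified" means an absolute POSIX path or a Windows drive path; the sample DBMOVER contents (node names, ports, paths and the EPASS value) are constructed placeholders.

```python
"""Checker for the SSL statements of a PowerExchange DBMOVER file (added example,
not part of the product). Assumes one NAME=value statement per line, /* comment
lines, and that "fully qualified" means an absolute POSIX or Windows drive path."""
import re

MAX_PACKET_SIZE = 16384    # limit for the packet sizes in comma positions 6 and 7
SSL_POSITION = 10          # 1-based comma position the SSL parameter must occupy
PACKET_POSITIONS = (6, 7)  # 1-based comma positions of the packet sizes
STATEMENT_RE = re.compile(r"^([A-Z_]+)\s*=\s*(.*)$")

def is_fully_qualified(path):
    """Absolute POSIX path or Windows drive path (assumed meaning of 'fully qualified')."""
    return path.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", path) is not None

def parse_dbmover(text):
    """Yield (name, value) for each statement, skipping blank lines and /* comments */."""
    for line in map(str.strip, text.splitlines()):
        m = STATEMENT_RE.match(line)
        if line and not line.startswith("/*") and m:
            yield m.group(1), m.group(2).strip()

def paren_body(value):
    """Text inside (...), or None when the value is not parenthesised."""
    return value[1:-1] if value.startswith("(") and value.endswith(")") else None

def check_listener(value, findings):
    """Check one LISTENER statement; return True when it runs in SSL mode."""
    body = paren_body(value)
    params = [p.strip() for p in body.split(",")] if body is not None else []
    if len(params) < 3 or params[1].upper() != "TCPIP" or not params[2].isdigit():
        findings.append(f"LISTENER: expected (node,TCPIP,port_number,...), got {value}")
        return False
    port, ssl_mode = params[2], False
    # SSL is positional: it must sit in comma position 10, after six other positions.
    for pos, param in enumerate(params, start=1):
        if param.upper() == "SSL":
            ssl_mode = True
            if pos != SSL_POSITION:
                findings.append(f"LISTENER port {port}: SSL parameter is in position {pos}, "
                                f"must be position {SSL_POSITION}")
    # Packet sizes in positions 6 and 7 must not exceed 16384.
    for pos in PACKET_POSITIONS:
        size = params[pos - 1] if len(params) >= pos else ""
        if size and (not size.isdigit() or int(size) > MAX_PACKET_SIZE):
            findings.append(f"LISTENER port {port}: packet size in position {pos} is {size}, "
                            f"must not exceed {MAX_PACKET_SIZE}")
    return ssl_mode

def check_ssl(value, findings):
    """Check the SSL statement; return its NAME=value fields."""
    body = paren_body(value)
    if body is None:
        findings.append(f"SSL: value must be enclosed in parentheses, got {value}")
        return {}
    fields = {}
    for item in body.split(","):
        name, sep, val = item.strip().partition("=")
        if sep:
            fields[name.strip().upper()] = val.strip()
        else:
            findings.append(f"SSL: parameter '{item.strip()}' is not NAME=value")
    if ("PASS" in fields) == ("EPASS" in fields):
        findings.append("SSL: specify exactly one of PASS or EPASS")
    key = fields.get("KEY", "")
    if not key.lower().endswith(".pem") or not is_fully_qualified(key):
        findings.append(f"SSL: KEY must be a fully qualified .pem file, got '{key}'")
    if ("CALIST" in fields) == ("CAPATH" in fields):
        findings.append("SSL: specify exactly one of CALIST or CAPATH")
    for name in ("CALIST", "CAPATH"):
        if name in fields and not is_fully_qualified(fields[name]):
            findings.append(f"SSL: {name} must be fully qualified, got '{fields[name]}'")
    return fields

def validate(text):
    """Return the list of findings for a DBMOVER text; empty means no problems found."""
    findings, flags, ssl_listener, ssl_fields = [], {}, False, None
    for name, value in parse_dbmover(text):
        if name == "LISTENER":
            ssl_listener = check_listener(value, findings) or ssl_listener
        elif name == "SSL":
            ssl_fields = check_ssl(value, findings)
        elif name in ("SSL_REQ_CLNT_CERT", "SSL_ALLOW_SELFSIGNED"):
            flags[name] = value.upper()
            if value.upper() not in ("Y", "N"):
                findings.append(f"{name}: value must be Y or N, got '{value}'")
    if ssl_listener and ssl_fields is None:
        findings.append("a LISTENER runs in SSL mode but there is no SSL statement")
    # Client authentication needs CA certificates the server can check against.
    has_ca = bool(ssl_fields) and bool(ssl_fields.keys() & {"CALIST", "CAPATH"})
    if flags.get("SSL_REQ_CLNT_CERT") == "Y" and not has_ca:
        findings.append("SSL_REQ_CLNT_CERT=Y needs CA certificates via CALIST or CAPATH in the SSL statement")
    return findings

# Constructed samples: node names, ports, paths and the EPASS value are placeholders.
GOOD_DBMOVER = """\
/* non-SSL listener for the Navigator, SSL listener for the Integration Service */
LISTENER=(node1,TCPIP,13131)
LISTENER=(node1,TCPIP,13132,,,16384,16384,,,SSL)
SSL=(EPASS=0123456789ABCDEF,KEY=/opt/pwx/keys/server.pem,CALIST=/opt/pwx/keys/calist.pem)
SSL_REQ_CLNT_CERT=Y
SSL_ALLOW_SELFSIGNED=N
"""
BAD_DBMOVER = """\
LISTENER=(node1,TCPIP,13132,,,32768,16384,SSL)
SSL=(PASS=secret,EPASS=0123,KEY=keys/server.pem,CAPATH=keys/ca)
SSL_REQ_CLNT_CERT=Yes
"""
```

Running validate(GOOD_DBMOVER) returns an empty list; validate(BAD_DBMOVER) reports six findings: the SSL parameter in position 8 instead of 10 (two commas are missing), a packet size of 32768 in position 6, PASS and EPASS given together, a relative KEY path, a relative CAPATH, and the value "Yes" for SSL_REQ_CLNT_CERT. The checker enforces only what this page states; it does not validate the certificates themselves or the z/OS dataset naming used on that platform.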