The LISTENER line specifies the parameters for the PowerExchange Listener that is running in SSL mode:
LISTENER=(node,TCPIP,port_number,,,16384,16384,,,SSL)
To avoid command failure, maintain the relative position of the SSL parameter. Three empty parameters appear between the port number and the packet size values of 16384. Three empty parameters appear between the packet size values of 16384 and "SSL".
For good performance, the packet sizes specified in comma positions 6 and 7 of the LISTENER statement must not exceed 16384.
You can separate PowerExchange Listeners in SSL mode and non-SSL mode. For example, you might run the PowerExchange Listener in non-SSL mode on port 13131 to connect to the PowerExchange Navigator and PowerCenter Developer, and in SSL mode on port 13132 to connect to the PowerCenter Integration Service. In this case, the DBMOVER file includes these statements:
LISTENER=(node1,TCPIP,13131)
LISTENER=(node1,TCPIP,13132,,,16384,16384,,,SSL)
The SSL statement specifies the location of the KDB file and key that you use to make the SSL connection:
SSL=({PASS=passphrase|EPASS=encrypted_passphrase},CERTIFICATE_LOCATION=full_path_of_KDB_file,KEY_LABEL=labelname)
SSL=(EPASS=2953C5B3CF453099292E48B03A37A1A2,
CERTIFICATE_LOCATION=/HOME/R2/CERTIFICATES/R2_SERVER.KDB,
KEY_LABEL=R2_server_label)
SSL_CONTEXT_METHOD statement
The SSL_CONTEXT_METHOD statement defines the protocol used when accepting the secure connection. It must match the protocol used on the remote machine. The most secure protocol that PowerExchange supports is TLSV1_2.
SSL_CONTEXT_METHOD=TLSV1_2
Authentication Statements
The SSL_REQ_CLNT_CERT statement in the DBMOVER file of the SSL server determines whether the server requires client authentication. When you configure an SSL server to require client authentication, the server requests the client personal certificate together with its signing CA certificates. The server checks that the personal certificate of the client is in-date and signed by a certificate authority in the CA list of the server.
Use the following syntax:
SSL_REQ_CLNT_CERT={N|Y}
SSL_REQ_CLNT_CERT=Y means that the GSK Handshake Role of "ServerWithClientAuth" is used, so client certificates are requested and validated. This has a similar meaning to the Handshake Role of "ServerWithClientAuth" in an AT-TLS rule on z/OS.
SSL_REQ_CLNT_CERT=N means that the GSK Handshake Role of "Server" is used, so client certificates are not requested or validated.
When the client requires authentication of server certificates, the SSL_ALLOW_SELFSIGNED statement specifies whether a self-signed certificate is sufficient to authenticate the server. Use the following syntax:
SSL_ALLOW_SELFSIGNED={N|Y}
If you configure the server to require authentication of client certificates, you must make the CA certificates available to the server. Perform the following action:
Install the certificates using IBM Navigator for i.