The NODE statement specifies the server that you want to connect to in SSL mode.
NODE=(server_listener,TCPIP,remote_host,port_number,,,16384,16384,,{SSL|ZOSSSL})
Use the SSL parameter to access a Linux, UNIX, or Windows system.
For good performance, it is important that the packet sizes specified in comma positions 7 and 8 of the NODE statement do not exceed 16384.
Use the ZOSSSL parameter to access a z/OS system. However, use the SSL parameter, instead of the ZOSSSL parameter, if PTFs UK26131 (z/OS 1.8) or UK26132 (z/OS 1.9) have been installed on the z/OS machine. These PTFs rectify APAR PK46403.
To avoid command failure, maintain the relative position of the SSL or ZOSSSL parameter. Five empty parameters appear between the port number parameter and the SSL or ZOSSSL parameter.
The SSL statement specifies the SSL key, pass phrase, and Certificate Authority list (CALIST) that you are using to make the SSL connection. For example:
SSL=(EPASS=encrypted_passphrase,KEY=personalkey.pem,CALIST=root.pem)
You can replace CALIST with CAPATH. For example:
SSL=(PASS=client,KEY=client.pem,CAPATH=/pwx/certs/)
To optimize performance, specify the location of multiple certificates with CAPATH.
Use CAPATH to specify the trusted CA directory of the OpenSSL installation on Linux or UNIX.
Use CAPATH to specify the ‘certs’ directory of the OpenSSL installation on Windows.
Authentication Statements
The SSL_REQ_SRVR_CERT statement in the DBMOVER file of the SSL client determines whether the client performs server authentication. When you configure an SSL client to perform server authentication, the client checks that the personal certificate of the server is in-date and signed by a Certificate Authority in the CA list of the client.
Use the following syntax:
When the client authenticates server certificates, the SSL_ALLOW_SELFSIGNED statement specifies whether a self-signed certificate is sufficient to authenticate the server. Use the following syntax:
SSL_ALLOW_SELFSIGNED={N|Y}
If you configure the client to perform authentication of server certificates, you must make the CA certificates available to the client. Perform the following actions:
Copy the certificates to the client machine.
Install the certificates using the appropriate steps for the operating system. Refer to the documentation for the client operating system for information about installing certificates.
In the DBMOVER file, update the CALIST or CAPATH parameter of the SSL statement to point to the CA certificates on the client.
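The following check is an added example, not Informatica code: a small Python linter that reads the client DBMOVER statements described above and reports a misplaced SSL or ZOSSSL parameter, packet sizes over 16384, a missing CALIST or CAPATH, and server authentication settings that weaken the connection. The sample files, host name, and port are constructed, and the linter assumes SSL_REQ_SRVR_CERT takes N or Y in the same way as SSL_ALLOW_SELFSIGNED.

```python
MAX_PACKET = 16384            # limit the page gives for NODE positions 7 and 8
SSL_TYPES = ("SSL", "ZOSSSL")

def parse(text):
    """Yield (NAME, [params]) for each NAME=value or NAME=(a,b,...) line."""
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name.replace("_", "").isalnum():
            yield name.upper(), [p.strip() for p in value.strip("()").split(",")]

def lint(text):
    """Return a list of findings for the SSL client settings in a DBMOVER file."""
    findings, flags, ssl_nodes = [], {}, 0
    for name, params in parse(text):
        if name == "NODE" and any(p.upper() in SSL_TYPES for p in params):
            ssl_nodes += 1
            if len(params) < 10 or params[9].upper() not in SSL_TYPES:
                findings.append(f"NODE {params[0]}: SSL/ZOSSSL must be parameter 10")
            for pos in (7, 8):
                size = params[pos - 1] if len(params) >= pos else ""
                if size.isdigit() and int(size) > MAX_PACKET:
                    findings.append(f"NODE {params[0]}: position {pos} exceeds {MAX_PACKET}")
        elif name == "SSL":
            keys = {p.partition("=")[0].upper() for p in params}
            if not keys & {"CALIST", "CAPATH"}:
                findings.append("SSL: no CALIST or CAPATH to verify the server against")
        elif name in ("SSL_REQ_SRVR_CERT", "SSL_ALLOW_SELFSIGNED"):
            flags[name] = params[0].upper()
    if ssl_nodes:
        # Assumption: SSL_REQ_SRVR_CERT takes N or Y like SSL_ALLOW_SELFSIGNED.
        if flags.get("SSL_REQ_SRVR_CERT") != "Y":
            findings.append("SSL_REQ_SRVR_CERT is not Y: server authentication is not explicitly enabled")
        if flags.get("SSL_ALLOW_SELFSIGNED") == "Y":
            findings.append("SSL_ALLOW_SELFSIGNED=Y: a self-signed server certificate is accepted")
    return findings

# Constructed sample files; host, port and file names are placeholders.
WEAK = """\
NODE=(node1,TCPIP,pwxhost.example.com,2480,,,32768,32768,SSL)
SSL=(PASS=client,KEY=client.pem)
SSL_ALLOW_SELFSIGNED=Y
"""
HARDENED = """\
NODE=(node1,TCPIP,pwxhost.example.com,2480,,,16384,16384,,SSL)
SSL=(PASS=client,KEY=client.pem,CAPATH=/pwx/certs/)
SSL_REQ_SRVR_CERT=Y
SSL_ALLOW_SELFSIGNED=N
"""
if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint(cfg) or "no findings")
```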