Configuring your SSL server

To configure your SSL server you create a server key ring and certificate, export the server's signer certificate, and transfer the server certificate to the client.

Create a server key ring and server certificate

Issue the following command to create both the KeyStore and certificate:

keytool -genkey -alias aliasname -keysize numericvalue -dname distname
   -keystore location -keypass password -storepass password
   -keyalg algorithm
The options are:
-genkey
Generates a key pair and wraps the public key into a self-signed certificate.
-alias aliasname
Defines the alias name that identifies the store containing the self-signed certificate and private key.
-keysize numericvalue
Defines the size of the key.
-dname distname
Specifies the X.500 distinguished name to be associated with the alias. This is used as the issuer and subject fields of the self-signed certificate. The distinguished name consists of a number of fields separated by commas in the following format:

Each strvalue is a string value. The meaning of the abbreviations is as follows:

  • cn = common name
  • o = organization
  • ou = organization unit
  • l = city/locality
  • s = state/province
  • c = country name
An example of an X.500 distinguished name is shown here:
Figure 1. An X.500 distinguished name
"cn=someserver.location.ibm.com,o=IBM,ou=IBMGB,
   l=Winchester,s=Hants,c=GB"
-keystore location
The key ring file location. For example: ktserverss.jks
-keypass password
The password used to protect the private key. Set this to the same value as the -storepass password, to enable the CICS Transaction Gateway to establish a connection over SSL.
-storepass password
The password used to protect the integrity of the key ring. Set this to the same value as the -keypass password, to enable the CICS Transaction Gateway to establish a connection over SSL.
-keyalg algorithm
The algorithm to be used to generate the key pair.

An example of this command is shown here:

Figure 2. Using the keytool command to create a key ring containing a single self-signed certificate
keytool -genkey -alias exampleServerCert -keysize 1024
   -dname "cn=vmware2.location.ibm.com,o=IBM,ou=IBMGB,l=Winchester,s=Hants,c=GB"
   -keystore ktserverss.jks -keypass default -storepass default
   -keyalg RSA

View the newly created certificate

Use a command similar to the following to view all certificates in the key ring, including the one you just created:
keytool -list -keystore storename -storepass password -v
Where the options are:
-list
List the contents of the key ring.
-keystore storename
The name of the key ring containing the certificates you want to view.
-storepass password
The password needed to access the key ring.
-v
Show details of the certificates in the key ring.
An example of the keytool command to view certificates is shown here:
Figure 3. Using the keytool command to view certificates
keytool -list -keystore ktserverss.jks -storepass default -v

Export the server's signer certificate

The next step is to export the signer certificate and store it in a safe place. This can then be imported into the repository of any client that needs to connect to this SSL server.

The certificate is exported by using the following instance of the keytool command:
keytool -export -alias aliasname -keystore location
   -storepass password -file filename -rfc
Where the options are:
-export
Export a certificate.
-alias aliasname
Name of the key (in the key ring) to export.
-keystore location
The key ring location.
-storepass password
The password used to protect the integrity of the key ring.
-file filename
The name of the file to export the certificate to.
-rfc
Export the certificate in RFC format (Base64 encoded ASCII).
An example of the keytool command to export a signer certificate is shown here:
Figure 4. Using the keytool command to export the signer certificate
keytool -export -alias exampleServerCert -keystore ktserverss.jks -storepass default
   -file exampleServerCertKT.arm -rfc

Transfer the server certificate to the client

The file exported with -rfc is Base64-encoded ASCII text. If you use FTP to transfer the file, ensure that your FTP client is in ASCII mode.
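The three keytool steps above, wrapped in a script with a pre-transfer check on the exported file. This is an added example, not IBM's script; it assumes keytool is on the PATH, and the key ring name, alias, password and DN fields are placeholders taken from the figures.

```shell
#!/bin/sh
# Added example: the create / list / export steps from this page, plus a check
# that the exported file is RFC (Base64 ASCII) before it is transferred.
set -eu

# Build the -dname string from the six fields, in the order the page lists them.
build_dname() {
  printf 'cn=%s,o=%s,ou=%s,l=%s,s=%s,c=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Step 1: create the key ring and self-signed certificate. The page requires
# -keypass and -storepass to be equal, so one password is used for both.
# 2048-bit RSA is an assumption here; Figure 2's 1024 is below current minimums.
create_server_keyring() {
  keystore=$1 alias=$2 dname=$3 password=$4
  keytool -genkey -alias "$alias" -keysize 2048 -dname "$dname" \
    -keystore "$keystore" -keypass "$password" -storepass "$password" \
    -keyalg RSA
}

# Step 2: list the key ring contents (Figure 3).
list_keyring() {
  keytool -list -keystore "$1" -storepass "$2" -v
}

# Step 3: export the signer certificate in RFC (Base64) format (Figure 4).
export_signer_cert() {
  keytool -export -alias "$2" -keystore "$1" -storepass "$3" -file "$4" -rfc
}

# Verify an exported file before transferring it: PEM markers on the first and
# last lines and only Base64 characters in between. A binary (DER) export fails
# this check and would be corrupted by an ASCII-mode FTP transfer anyway.
check_exported_cert() {
  file=$1
  head -n 1 "$file" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
  tail -n 1 "$file" | grep -q '^-----END CERTIFICATE-----$' || return 1
  if sed '1d;$d' "$file" | LC_ALL=C grep -qv '^[A-Za-z0-9+/=]\{1,\}$'; then
    return 1
  fi
  return 0
}

# Full run, only when keytool is installed and RUN_KEYTOOL=1 is set.
if command -v keytool >/dev/null 2>&1 && [ "${RUN_KEYTOOL:-0}" = 1 ]; then
  dn=$(build_dname someserver.location.ibm.com IBM IBMGB Winchester Hants GB)
  create_server_keyring ktserverss.jks exampleServerCert "$dn" default
  list_keyring ktserverss.jks default
  export_signer_cert ktserverss.jks exampleServerCert default exampleServerCertKT.arm
  check_exported_cert exampleServerCertKT.arm && echo "export OK"
fi
```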

Last updated: Tuesday, 19 November 2013


https://ut-ilnx-r4.hursley.ibm.com/tgzos_latest/help/topic/com.ibm.cics.tg.zos.doc//ctgzos/ktssc.html