Copyright statement

© Copyright IBM® Corporation 2012. All rights reserved. For legal information, see http://www.ibm.com/legal/copytrade.shtml

Establishing a connection between the DTCN Profiles view for CICS and your z/OS system

Specify the settings needed to establish a connection between the DTCN profiles view and your z/OS system by doing the following steps:

  1. Click Window > Show view > Other
  2. Type "DTCN" in the text box at the top of the window. Select DTCN profiles and click OK
  3. Click Window > Show view > Other
  4. Type "Host Connections" in the text box at the top of the window. Select Host Connections and click OK
  5. In the Host Connections view, select DTCN and click Add to create a connection to DTCN.
  6. Specify the settings in the following fields and click Save and Close:
    Name
    The name of the connection. If left blank, the name is auto-filled by combining the host name and port number that you entered, separated by ":".
    Host name
    The TCP/IP name or address of the z/OS system as described in "Defining the CICS TCPIPSERVICE resource" in the Debug Tool Customization Guide
    Port number
    The port number of the z/OS system as described in "Defining the CICS TCPIPSERVICE resource" in the Debug Tool Customization Guide
  7. Select the DTCN connection you created, and click Connect.
  8. In the DTCN Signon window, specify the settings in the following fields, or select "Use existing Credentials" if you have at least one credential defined, and click OK.
    Credentials Name
    The name of the credential
    User ID
    The ID that you use to log on to the CICS system
    Password or Passphrase
    The password or passphrase that you use to log on to the CICS system
A successful connection is indicated by a green icon for the DTCN connection. Otherwise, review the values you entered, correct any mistakes, and try the connection test again. You can also review the trace file (as described in Debug Tool User's Guide Appendix I section "Locating the trace file of the DTCN Profiles or DTSP Profile view") for diagnostic information that can help identify the cause of the connection error. In the DTCN Profiles view, you can right-click anywhere to see a list of available actions.

Note: If you require a secured connection, follow the steps in the section "Establishing a secured communication between the DTCN profile view for CICS and your z/OS system".

Establishing a secured communication between the DTCN profile view for CICS and your z/OS system

These steps help you enable secure communication via Secure Sockets Layer (SSL) between the DTCN profile view and your z/OS system. The communication between the client and server uses the HTTP protocol.

    Server side setup

      To enable SSL communication, do the following tasks for the server side:
      • Generate a key pair and self-signed certificate using RACF commands issued from Rexx.
        1. Use the RACF RACDCERT GENCERT command to create a key entry for the CICS region owner. The key entry contains the key pair and self-signed certificate.
          Example (Create a key entry for user USERID with label: USERID-DTCNPLG-CERT):
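          /* generate key entry                                  */
          /* note: 1024-bit RSA is below current key-size        */
          /* guidance; use SIZE(2048) or larger where supported  */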
          "RACDCERT ID(USERID) GENCERT",
          " SUBJECTSDN(CN('your_host_name.com'                  ) ",
          "            T ('USERID-DTCNPLG-CERT'                 ) ",
          "            OU('IBM'                                 ) ",
          "            O ('IBM'                                 ) ",
          "            L ('San Jose'                            ) ",
          "            SP('CA'                                  ) ",
          "            C ('US'                                  ))",
          " NOTBEFORE(DATE(2011-02-28)  TIME(20:00:00)     )",
          " NOTAFTER (DATE(2031-12-31)  TIME(19:59:59)     )",
          " WITHLABEL('USERID-DTCNPLG-CERT'                )",
          " SIZE     (1024                                 )"
          
        2. Connect the key entry to a key ring that belongs to the CICS region owner ID. The common name (CN) in the subject's distinguished name (SUBJECTSDN) must be the host name of the server that the client uses to connect to the host.
          Example (Connect it to a key ring named USERID):
          /* connect key entry to key ring                       */ 
          " RACDCERT ID(USERID                                  ) ", 
          "  CONNECT( RING (USERID                              ) ",
          "           LABEL('USERID-DTCNPLG-CERT'               ))"
          
        3. Export the certificate and store it in a data set using the printable encoding format defined by the internet RFC 1421 standard.
          Example (Export the certificate to a data set: USERID.DTCNPLG.CERT):
          /* export certificate to a data set                    */
          "RACDCERT EXPORT(LABEL('USERID-DTCNPLG-CERT'          ) ",
          " ID(USERID                                           ) ",
          " DSN('USERID.DTCNPLG.CERT'                           ) ",
          " FORMAT(CERTB64                                      ))"
          
      • Initialize parameters in CICS region
        1. Add the KEYRING parameter to the CICS region startup job and point it to the key ring created for the region owner ID.
        2. The following example shows the line added to the SYSIN DD data set of the CICS region startup job:
          KEYRING=USERID
      • Define TCPIPSERVICE resource
        1. Add a TCPIPSERVICE resource definition as shown in the example below. Change the SSL and Certificate attributes.
          TCpipservice    : EQAHTP8S                                                  
           GROup          : GROUP_NAME                                                     
           DEscription    :                                                           
           Urm            : EQADPAN0           no Analyzer program is used                                                   
           POrtnumber     : 30009              1-65535                                
           STatus         : Open               Open | Closed                          
           PROtocol       : HTTP               Iiop | Http | Eci | User               
           TRansaction    : CWXN                                                      
           Backlog        : 00030              max backlog requests allowed                                
           TSqprefix      :                                                           
           Host           : ANY         
           (Mixed Case)   :             
           Ipaddress      :                                                           
           SOcketclose    : No                 No | 0-240000 (HHMMSS)                 
           Maxdatalen     : 008192             3-524288                               
          SECURITY                                                                    
           SSl            : Yes                Yes | No | Clientauth                  
           CErtificate    : USERID-DTCNPLG-CERT                                                          
           (Mixed Case)                                                               
           PRIvacy        : Supported          Notsupported|Required|Supported    
           CIphers        : 050435363738392F303132330A1613100D0915120F0C03060201                                                          
           AUthenticate   : Basic              No|Basic|Certificate|AUTORegister | AUTOMatic | ASserted                 
           Realm          :
           (Mixed Case)                   
           ATtachsec      :                    Local | Verify                         
          DNS CONNECTION BALANCING                                                    
           DNsgroup       :                                                           
           GRPcritical    : No                 No | Yes 
          DEFINITION SIGNATURE                                   
           DEFinetime     : 02/14/11 18:56:32                    
           CHANGETime     : 03/16/11 14:04:57                    
           CHANGEUsrid    : USERID                                 
           CHANGEAGEnt    : CSDApi             CSDApi | CSDBatch 
           CHANGEAGRel    : 0660                  
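
The CIphers value in the definition above is a list of two-hex-digit cipher suite codes, and it includes NULL, export-grade, RC4 and DES suites alongside the AES ones. The following Python script is an added example, not part of the IBM documentation: it decodes the string using suite names from the IANA TLS registry (the table, the `audit_ciphers` function and the assumption that each code is the low byte of the registry value are this example's own) and returns the value with the flagged suites removed.

```python
# Code -> IANA TLS suite name (0x00,0xNN), "TLS_" prefix dropped.
SUITES = {
    "01": "RSA_WITH_NULL_MD5", "02": "RSA_WITH_NULL_SHA",
    "03": "RSA_EXPORT_WITH_RC4_40_MD5", "04": "RSA_WITH_RC4_128_MD5",
    "05": "RSA_WITH_RC4_128_SHA", "06": "RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "09": "RSA_WITH_DES_CBC_SHA", "0A": "RSA_WITH_3DES_EDE_CBC_SHA",
    "0C": "DH_DSS_WITH_DES_CBC_SHA", "0D": "DH_DSS_WITH_3DES_EDE_CBC_SHA",
    "0F": "DH_RSA_WITH_DES_CBC_SHA", "10": "DH_RSA_WITH_3DES_EDE_CBC_SHA",
    "12": "DHE_DSS_WITH_DES_CBC_SHA", "13": "DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "15": "DHE_RSA_WITH_DES_CBC_SHA", "16": "DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "2F": "RSA_WITH_AES_128_CBC_SHA", "30": "DH_DSS_WITH_AES_128_CBC_SHA",
    "31": "DH_RSA_WITH_AES_128_CBC_SHA", "32": "DHE_DSS_WITH_AES_128_CBC_SHA",
    "33": "DHE_RSA_WITH_AES_128_CBC_SHA", "35": "RSA_WITH_AES_256_CBC_SHA",
    "36": "DH_DSS_WITH_AES_256_CBC_SHA", "37": "DH_RSA_WITH_AES_256_CBC_SHA",
    "38": "DHE_DSS_WITH_AES_256_CBC_SHA", "39": "DHE_RSA_WITH_AES_256_CBC_SHA",
}
# (substring, reason), checked in order; the first match wins.
WEAK = [("NULL", "no encryption"), ("EXPORT", "40-bit export grade"),
        ("RC4", "RC4 stream cipher"), ("WITH_DES_CBC", "56-bit DES"),
        ("3DES", "64-bit block cipher (3DES)")]


def audit_ciphers(value):
    """Return (kept, flagged): kept is a CIPHERS string, flagged is [(code, name, reason)]."""
    value = value.strip().upper()
    if len(value) % 2:
        raise ValueError("CIPHERS must contain an even number of hex digits")
    kept, flagged = [], []
    for i in range(0, len(value), 2):
        code = value[i:i + 2]
        name = SUITES.get(code, "?")
        reason = "unknown code" if name == "?" else next(
            (r for s, r in WEAK if s in name), None)
        if reason:
            flagged.append((code, name, reason))
        else:
            kept.append(code)
    return "".join(kept), flagged


# CIPHERS value copied from the TCPIPSERVICE definition on this page.
PAGE_CIPHERS = "050435363738392F303132330A1613100D0915120F0C03060201"

if __name__ == "__main__":
    kept, flagged = audit_ciphers(PAGE_CIPHERS)
    for code, name, reason in flagged:
        print(f"{code}  {name:<32}{reason}")
    print("CIPHERS without flagged suites:", kept)
```

The order of codes in the returned string follows the original value, so the server's preference order among the remaining suites is preserved.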
          

    Client side setup

      To enable SSL communication, complete the following tasks for the client side:
      • Install server certificate
        Because the certificate that the server generated is not issued by an authorized certificate authority (CA), you need to install the certificate in your JDK's keystore.
        1. Download a copy of the certificate that the server exported, in text mode, into a directory on your workstation.
        2. Import the downloaded certificate into your JRE's keystore. The following is an example of how to import the certificate into the keystore using the keytool utility provided by Java:
          keytool -import -alias myprivateroot -keystore ..\lib\security\cacerts -file dtcnplg.cer
          
          dtcnplg.cer is the downloaded copy of the server certificate. 
          The initial password for the cacerts keystore is changeit.

          Note: If you are using CICS Explorer, the keytool utility can be found in the Java installation bin directory, C:\CICS_Explorer_HOME_DIRECTORY\jre\bin.
          If you are using PD Tools Studio, the keytool utility can be found in the Java installation bin directory, C:\PD_Tools_Studio_V121000.32bit_HOME_DIRECTORY\PDT_Studio_plugins_x86\jre\jre\bin

Upon completing the aforementioned steps, follow the steps in the section "Establishing a connection between the DTCN Profiles view for CICS and your z/OS system" to establish the connection.