Developer for System z v7510 maintenance note

X.509 certificate support is added in v7510 of Rational Developer for System z. This maintenance level also introduces a new directive in ssl.properties:
server_keystore_type={JKS | JCERACFKS}

If the server_keystore_type value equals JKS (the default), a key store, created by the Java keytool program, is used to store the RSE server certificate.

If the server_keystore_type value equals JCERACFKS, a key ring, created by your security product, is used to store the RSE server certificate.
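
A pre-flight check for the directive described above, as an added example that is not part of the original note or of the product: it parses ssl.properties text and reports which store type the server_keystore_type setting selects. The sample file contents are constructed, and both exact-case matching of the value and treating an empty value as an error are assumptions.

```python
import re

# Values the maintenance note allows for server_keystore_type.
ALLOWED = {
    "JKS": "Java key store created with keytool",
    "JCERACFKS": "key ring created by the security product",
}
DEFAULT = "JKS"  # the note states that JKS is the default


def parse_properties(text):
    """Minimal java.util.Properties-style parser: '#' and '!' comments,
    '=' or ':' separators, and the last definition of a key wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def server_keystore_type(text):
    """Return (effective_type, problems) for the RSE server key store."""
    props = parse_properties(text)
    if "server_keystore_type" not in props:
        return DEFAULT, []          # directive absent: default applies
    value = props["server_keystore_type"]
    if value in ALLOWED:
        return value, []
    problems = [f"server_keystore_type={value!r} is not JKS or JCERACFKS"]
    if value.upper() in ALLOWED:
        # Assumption: the value is matched exactly as documented.
        problems.append("value differs from a documented one only in case")
    return None, problems


# Constructed sample input, not a shipped ssl.properties file.
SAMPLE = """# constructed sample
! alternative comment style
server_keystore_type = JCERACFKS
"""

if __name__ == "__main__":
    kind, problems = server_keystore_type(SAMPLE)
    print(kind, ALLOWED.get(kind, ""), problems)
```
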

The RSE server certificate is the certificate RSE server uses to authenticate itself to the client. When using a key ring to store the certificate, the RSE server certificate can be the same as the RSE daemon certificate, thus simplifying the setup.

Note that using a key ring to store the RSE server certificate is currently not described in the Rational Developer for System z Host Configuration Guide (SC23-7658). The publication only describes the Java key store method for RSE server. However, the actions needed to use a key ring are described in the RSE daemon section of the SSL setup, because RSE daemon already supported key rings. They are also briefly documented below, in Sample setup for supporting X.509 certificate logons.

Notes:
  1. RSE daemon also supports the usage of a gskkyman key database to store certificates. This is NOT supported for the RSE server.
  2. The RSE server certificate MUST be the first certificate in the Java key store or SAF key ring, and the CA certificate(s) must be added afterwards. This is due to current limitations where RSE server is unable to select a specific certificate. RSE server always pulls the first certificate. The System SSL validation routines used by RSE daemon are able to access all the certificates.