[z/OS]

Daemon Secure Sockets Layer

Use the administrative console panel to modify the port and Secure Sockets Layer (SSL) port settings and to specify the SSL settings (the SSL repertoire). The default repertoire is the same one used for the server, which is a SystemSSL IIOP repertoire. During daemon initialization, SSL initialization is attempted if security is enabled and a valid repertoire is found. To turn off the daemon SSL port, a cell-level WebSphere® variable (DAEMON_security_disable_daemon_ssl) must be created and set to 1. The default for this variable is 0.

SSL can be used to protect communication with the location service daemon if:
  • Administrative security is enabled
  • A daemon SSL repertoire is configured in the administrative console (the daemon SSL repertoire refers to a valid RACF® keyring that is owned by the MVS™ user ID associated with the daemon process)
  • A certificate and keyring have been defined
On the administrative console, click System administration > Node groups > sysplex_node_group_name. Under Additional properties, click z/OS® location service.
Location service daemon

This panel specifies the configuration settings for the location service daemon for this cell. Changes made to these settings apply to the entire cell and to the location service daemon instance on each node in the cell.

Job Name       BBODMNC                       Specifies the z/OS job name of the location service daemon.
Host Name      BOSSXXXX.PLEX1.L2.IBM.COM     Specifies the host name to be used when contacting the location service daemon.
Port           5755                          Specifies the port the location service daemon listens on for unencrypted communication.
SSL Port       5756                          Specifies the port the location service daemon listens on for encrypted communication.
SSL Setting    PLEX1Manager/DefaultIIOPSSL   Specifies a list of predefined SSL settings to choose from for connections. These are configured at the SSL repertoire panel.
The SSL and TLS protocols can be set in the z/OS Daemon using the following WebSphere variables. Setting the variable to 1 enables the protocol, while 0 disables it.
DAEMON_com_ibm_DAEMON_protocol_TLSv1_enabled    //* default 1
DAEMON_com_ibm_DAEMON_protocol_TLSv1_1_enabled  //* default 0
DAEMON_com_ibm_DAEMON_protocol_TLSv1_2_enabled  //* default 0
                                                             
DAEMON_com_ibm_DAEMON_protocol_SSLv2_enabled    //* default 0
DAEMON_com_ibm_DAEMON_protocol_SSLv3_enabled    //* default 1
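The variables above only take effect through their documented defaults when absent, so a reviewer has to combine what is set with what is defaulted. The following is an added example (not IBM code) that applies those defaults to a set of cell-level variables, assumed here to be supplied as a dictionary of variable name to string value, and reports the daemon's effective protocol posture from a defender's point of view.

```python
# Audit of z/OS daemon SSL/TLS protocol variables (added example, not IBM code).
# Defaults below are the documented ones from this page.
PROTOCOL_DEFAULTS = {
    "DAEMON_com_ibm_DAEMON_protocol_SSLv2_enabled": 0,
    "DAEMON_com_ibm_DAEMON_protocol_SSLv3_enabled": 1,
    "DAEMON_com_ibm_DAEMON_protocol_TLSv1_enabled": 1,
    "DAEMON_com_ibm_DAEMON_protocol_TLSv1_1_enabled": 0,
    "DAEMON_com_ibm_DAEMON_protocol_TLSv1_2_enabled": 0,
}
DISABLE_SSL_VAR = "DAEMON_security_disable_daemon_ssl"
PREFIX, SUFFIX = "DAEMON_com_ibm_DAEMON_protocol_", "_enabled"
# SSLv2/SSLv3 are broken; TLS 1.0/1.1 are deprecated (RFC 8996).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1_1"}


def effective_protocols(cell_vars):
    """Return (ssl_port_enabled, {protocol: enabled}) after applying defaults.
    cell_vars maps a WebSphere variable name to its value as entered ("0"/"1")."""
    def flag(name, default):
        raw = str(cell_vars.get(name, default)).strip()
        if raw not in ("0", "1"):
            raise ValueError(f"{name} must be 0 or 1, got {raw!r}")
        return raw == "1"

    ssl_enabled = not flag(DISABLE_SSL_VAR, 0)
    protocols = {}
    for var, default in PROTOCOL_DEFAULTS.items():
        protocols[var[len(PREFIX):-len(SUFFIX)]] = flag(var, default)
    return ssl_enabled, protocols


def audit(cell_vars):
    """Return a list of findings for the daemon's SSL configuration."""
    ssl_enabled, protocols = effective_protocols(cell_vars)
    if not ssl_enabled:
        return [f"daemon SSL port is disabled ({DISABLE_SSL_VAR}=1)"]
    enabled = {p for p, on in protocols.items() if on}
    findings = [f"weak protocol enabled on daemon SSL port: {p}"
                for p in sorted(enabled & WEAK_PROTOCOLS)]
    if not enabled:
        findings.append("no SSL/TLS protocol enabled: handshakes will fail")
    if "TLSv1_2" not in enabled:
        findings.append("TLSv1_2 not enabled")
    return findings


# Constructed sample: the hardened set a practitioner would typically define.
HARDENED = {PREFIX + "SSLv3" + SUFFIX: "0", PREFIX + "TLSv1" + SUFFIX: "0",
            PREFIX + "TLSv1_2" + SUFFIX: "1"}
```

Running `audit({})` shows what the documented defaults leave enabled; `audit(HARDENED)` returns no findings.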
You can use the WebSphere z/OS Profile Management Tool or the zpmt command to specify authentication information, including the daemon's user ID, UID, and SSL port. RACF commands are generated to create a keyring for server use (the default is WASKeyring). The z/OS Profile Management Tool or the zpmt command generates the daemon keyring and the certificate. To generate the daemon keyring and certificate using the z/OS Profile Management Tool, select Security Domain > SSL Customization > Enable SSL on the Location Service Daemon. If you type Y next to this option, the RACF commands are generated to do the following tasks:
  • Create a daemon keyring and certificate
  • Connect the certificate and certificate authority (CA) certificates to the keyring
Important: This option does not control the use of the daemon SSL.
This is appropriate if the user IDs are the same, but if the daemon has a separate user ID, see Setting up a Keyring for use by WebSphere Application Server for z/OS. The values selected are picked up by the administrative console.

If the daemon process is assigned the same MVS user ID assigned to a secure WebSphere Application Server, the keyring you use to secure WebSphere Application Server can also be used to secure daemon requests. If the daemon process is not assigned the same MVS user ID assigned to a secure WebSphere Application Server, it is recommended that you perform the daemon SSL setup similarly to the setup for your WebSphere Application Server. Modify the customization job commands generated in BBOCBRAK (or HLQ.DATA(BBODBRAK) on WebSphere Application Server, Network Deployment) to perform the steps in Setting up a Keyring for use by WebSphere Application Server for z/OS.


Concept topic

Last updated: July 9, 2016 7:50
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=csec_daemonssl
File name: csec_daemonssl.html