PQ78086: CLARIFICATIONS FOR CONFIGURING SSL TO WEBSPHERE FOR Z/OS FROM DISTRIBUTED CLIENTS.
APAR status

Closed as documentation error.

Error description

The customer copied the J2EEClient_NT.zip file which is distributed with WebSphere for z/OS onto a workstation, and installed it. There was insufficient information in the WebSphere for z/OS publications to explain how to set up SSL connections between Java clients running on the workstation and the WebSphere for z/OS J2EE server.

Local fix

details to be provided.

Problem summary

****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V4.0.1 for z/OS and OS/390                   *
****************************************************************
* PROBLEM DESCRIPTION: The WebSphere for z/OS: Installation an *
*                      Customization publication should be upd *
*                      to document how to set up SSL connectio *
*                      between Java clients running on the     *
*                      workstation and the WebSphere for z/OS  *
*                      server.                                 *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

The WebSphere for z/OS: Installation and Customization publication needs new information to document how to set up SSL connections between Java clients running on the workstation and the WebSphere for z/OS J2EE server. This is demonstrated in a new section, "Setting up SSL connections for Java clients."

Problem conclusion

A change to V4.0.1 WebSphere for z/OS: Installation and Customization, GA22-7834-07, will be available in the next refresh of the documentation. To access the latest online documentation, go to the product library page at:

www.ibm.com/software/webservers/appserv/zos_os390/library/

The change is to page 229, where the section "Using certificates to set up secure HTTPS Transport Handler connections" will move out from under the section "Defining SSL security for clients and servers" to under the section "Setting up SSL security for WebSphere for z/OS."
The change is also to page 249 (new section within "Setting up SSL security for WebSphere for z/OS" section), which will read as follows:

Steps for setting up SSL connections from WebSphere Application Server distributed clients

Before you begin:

1. Ensure that WebSphere for z/OS is configured to allow SSLType1 security so that you can establish an SSL connection over which you can send an MVS user ID and password for authentication.

2. Ensure that the WebSphere Application Server Java client (or server acting as a client) can access WebSphere for z/OS.

   - For a Java client: When a user ID and password prompt is issued with a realm name that corresponds to a WebSphere for z/OS server, you are required to enter a valid MVS user ID and password.

   - For a server acting as a client: In order to use interoperable security from WebSphere Application Server to WebSphere for z/OS Version 4, you must run as system and map the WebSphere Application Server server's identity to a sidefile. See the WebSphere Application Server Version 4 article "Interoperating with the Security Authentication Service and WebSphere Application Server for z/OS" for more information.

Perform the following steps to configure SSL for use between Java clients running on the workstation and the WebSphere for z/OS J2EE server:

1. Determine which SSL Keyring the server is using. (For example, "WASKeyring".)

2. Determine which user ID is running on the control region of the server. (For example, "WASCR1".)

3. Export from RACF, into an MVS data set, the public certificate of the Certificate Authority that issued the server's certificate.

   Example:

      RACDCERT CERTAUTH EXPORT(LABEL('WebSphereCA')) DSN('IBMUSER.WAS.CA') FORMAT(CERTDER)

   where "WebSphereCA" is the name of the aforementioned public certificate.
   Note: See "Using certificates to set up secure HTTPS Transport Handler connections" for more information on setting up secure HTTPS Transport Handler connections using client certificates signed by an internal CA.

4. Move the file to a temporary directory on the workstation.

   Note: Ensure you use binary mode for the FTP transfer.

5. Add the certificate to the TrustStore that the client uses.

   Example (DummyClientTrustFile.jks file):

      keytool -import -file c:\tmp\IBMUSER.WAS.CA -keystore DummyClientTrustFile.jks

Temporary fix

Comments
APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
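
The check below is an added example, not part of the APAR or of IBM's documentation. For steps 4 and 5 above, it confirms that the transferred file is still an intact DER encoding (a transfer that was not done in binary mode alters the bytes) and returns a SHA-256 fingerprint to compare with a value obtained from the z/OS administrator before the certificate is imported. The function names, the constructed sample bytes, the use of EBCDIC code page 037 to simulate a damaged transfer, and the assumption that the file holds exactly one DER certificate are all assumptions of this example.

```python
import hashlib

def der_total_length(data: bytes) -> int:
    """Total size (header + content) declared by the outer DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("first byte is not 0x30 (SEQUENCE): not a DER certificate")
    if data[1] < 0x80:                      # short form: length fits in one byte
        return 2 + data[1]
    n = data[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("invalid or truncated DER length field")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def check_transferred_cert(data: bytes) -> str:
    """Raise ValueError if the DER framing is damaged; otherwise return the
    SHA-256 fingerprint of the file as colon-separated hex."""
    declared = der_total_length(data)
    if declared != len(data):
        raise ValueError(f"DER declares {declared} bytes, file has {len(data)}")
    digest = hashlib.sha256(data).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def simulate_text_mode(data: bytes) -> bytes:
    """Approximate a non-binary transfer from z/OS: every byte is treated as
    EBCDIC (code page 037 assumed) and translated to its Latin-1 value."""
    return data.decode("cp037").encode("latin-1")

# Constructed stand-in for the exported file: a SEQUENCE header declaring
# 300 content bytes, followed by 300 filler bytes. Not a real certificate.
SAMPLE = b"\x30\x82\x01\x2c" + bytes(range(256)) + bytes(44)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                   # path of the transferred file
        with open(sys.argv[1], "rb") as f:
            print(check_transferred_cert(f.read()))
    else:
        print("intact :", check_transferred_cert(SAMPLE))
        try:
            check_transferred_cert(simulate_text_mode(SAMPLE))
        except ValueError as err:
            print("damaged:", err)
```

Run it with the path of the transferred file as its only argument; with no argument it runs on the constructed sample. It checks only the outer framing of the file, not the certificate fields inside it.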
Document Information
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ78086
IBM Group: Software Group
Modified date: Dec 16, 2003
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.