PQ78086: CLARIFICATIONS FOR CONFIGURING SSL TO WEBSPHERE FOR Z/OS FROM DISTRIBUTED CLIENTS.

APAR status
Closed as documentation error.

Error description
The customer copied the J2EEClient_NT.zip file which is
distributed with WebSphere for z/OS onto a workstation, and
installed it. There was insufficient information in the
WebSphere for z/OS publications to explain how to set up SSL
connections between Java clients running on the workstation and
the WebSphere for z/OS J2EE server.

Local fix
Details to be provided.

Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 V4.0.1 for z/OS and OS/390                   *
****************************************************************
* PROBLEM DESCRIPTION: The WebSphere for z/OS: Installation    *
*                      and Customization publication should    *
*                      be updated to document how to set up    *
*                      SSL connections between Java clients    *
*                      running on the workstation and the      *
*                      WebSphere for z/OS server.              *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The WebSphere for z/OS: Installation and Customization
publication needs new information to document how to set up
SSL connections between Java clients running on the workstation
and the WebSphere for z/OS J2EE server. This is demonstrated in
a new section, "Setting up SSL connections for Java clients."

Problem conclusion
A change to V4.0.1 WebSphere for z/OS: Installation and
Customization, GA22-7834-07, will be available in the next
refresh of the documentation. To access the latest online
documentation, go to the product library page at:

www.ibm.com/software/webservers/appserv/zos_os390/library/

The change is to page 229, where the section "Using certificates
to set up secure HTTPS Transport Handler connections" will move
out from under the section "Defining SSL security for clients
and servers" to under the section "Setting up SSL security for
WebSphere for z/OS."

The change is also to page 249 (new section within "Setting up
SSL security for WebSphere for z/OS" section), which will read
as follows:

Steps for setting up SSL connections from WebSphere Application
Server distributed clients

Before you begin:

1. Ensure that WebSphere for z/OS is configured to allow
   SSLType1 security so that you can establish an SSL connection
   over which you can send an MVS user ID and password for
   authentication.

2. Ensure that the WebSphere Application Server Java client (or
   server acting as a client) can access WebSphere for z/OS.
   - For a Java client: When a user ID and password prompt is
     issued with a realm name that corresponds to a WebSphere
     for z/OS server, you are required to enter a valid MVS user
     ID and password.
   - For a server acting as a client: In order to use
     interoperable security from WebSphere Application Server to
     WebSphere for z/OS Version 4, you must run as system and
     map the WebSphere Application Server server's identity to a
     sidefile. See the WebSphere Application Server Version 4
     article "Interoperating with the Security Authentication
     Service and WebSphere Application Server for z/OS" for more
     information.

Perform the following steps to configure SSL for use between
Java clients running on the workstation and the WebSphere for
z/OS J2EE server:

1. Determine which SSL Keyring the server is using. (For
   example, "WASKeyring".)

2. Determine which user ID is running on the control region of
   the server. (For example, "WASCR1".)

3. Export from RACF, into an MVS data set, the public
   certificate of the Certificate Authority that issued the
   server's certificate.

   Example:
   RACDCERT CERTAUTH EXPORT(LABEL('WebSphereCA'))
   DSN('IBMUSER.WAS.CA') FORMAT(CERTDER)

   where "WebSphereCA" is the name of the aforementioned public
   certificate.

   Note: See "Using certificates to set up secure HTTPS
   Transport Handler connections" for more information on
   setting up secure HTTPS Transport Handler connections using
   client certificates signed by an internal CA.

4. Move the file to a temporary directory on the workstation.
   Note: Ensure you use binary mode for the FTP transfer.

5. Add the certificate to the TrustStore that the client uses.

   Example, for the DummyClientTrustFile.jks file:
   keytool -import -file c:\tmp\IBMUSER.WAS.CA -keystore DummyClientTrustFile.jks
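
An added check for the binary-mode note in step 4 (example code, not part of the IBM documentation): before importing the transferred file into the TrustStore, confirm that it is still a well-formed DER object whose header length matches the file size. The sample bytes are constructed and are not a real certificate, and the cp037 translation is an assumed stand-in for what a text-mode transfer from z/OS does to the file.

```python
import hashlib

def der_outer_length(data: bytes) -> int:
    """Total encoded size claimed by the outermost DER SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE tag (0x30)")
    first = data[1]
    if first < 0x80:                      # short form: length in one octet
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("invalid or truncated DER length field")
    body = int.from_bytes(data[2:2 + n], "big")
    if body < 0x80 or data[2] == 0:       # DER requires the minimal encoding
        raise ValueError("non-minimal DER length field")
    return 2 + n + body

def check_transfer(data: bytes) -> dict:
    """Structural check of a transferred FORMAT(CERTDER) export."""
    try:
        claimed = der_outer_length(data)
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}
    if claimed != len(data):
        return {"ok": False,
                "reason": f"header claims {claimed} bytes, file has {len(data)}"}
    # Digest lets two copies of the file be compared byte for byte.
    return {"ok": True, "sha256": hashlib.sha256(data).hexdigest()}

def simulate_ascii_mode(data: bytes) -> bytes:
    """Constructed stand-in for a text-mode transfer: EBCDIC (cp037) to Latin-1."""
    return data.decode("cp037").encode("latin-1")

# Constructed sample: a 300-byte SEQUENCE body, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(i % 256 for i in range(300))

if __name__ == "__main__":
    for name, blob in [("binary", SAMPLE_DER),
                       ("ascii-mode", simulate_ascii_mode(SAMPLE_DER)),
                       ("truncated", SAMPLE_DER[:-10])]:
        print(name, check_transfer(blob))
```
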

Temporary fix

Comments

APAR information
APAR number: PQ78086
Reported component name: WASKBASE
Reported component ID: 5655A9801
Reported release: 401
Status: CLOSED DOC
PE: NoPE
HIPER: NoHIPER
Submitted date: 2003-09-04
Closed date: 2003-12-16
Last modified date: 2003-12-16

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Fix information

Applicable component levels


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS
Operating system(s):
Software version: 401
Software edition:
Reference #: PQ78086
IBM Group: Software Group
Modified date: Dec 16, 2003