CICS Transaction Gateway V5 The WebSphere ... - IBM Redbooks

Tip: We found it difficult to tell the difference between the CICS TG version of
iKeyman and the JSSE version. The only differences we could spot were the
blue icon on the toolbar of the JSSE iKeyman, which allowed a new provider to
be added, and the JSSE version did not have a Recreate Request button on
the Personal Certificates window.
8.2.3 Configuring the CICS TG for SSL
We had to configure our CICS TG to enable System SSL and JSSE SSL.
System SSL configuration
We performed the following steps to configure our CICS TG to be able to use our
SystemSSL server certificate:
1. When using System SSL, binaries and data sets for the product code must be
marked as program controlled, as must any key database file (.kdb). We
performed this using the following extattr commands:
extattr +p /usr/lpp/gskssl/lib/*
extattr +p /usr/lpp/gskssl/bin/*
extattr +p /web/scsctg5/systemssl.kdb
Before issuing extattr commands, we required Resource Access Control
Facility (RACF) access to the BPX.FILEATTR.PROGCTL profile. This was
obtained by using the following command:
PERMIT BPX.FILEATTR.PROGCTL CLASS(FACILITY) ID(CICSRS3) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
We verified that the files were program controlled using the ls -E command
from OMVS. The second set of attributes are the extended ones. The second
column of these should contain the character “p”.
2. We modified our CICS TG configuration file (/ctg/scsctg5/CTG.INI) to activate
the SystemSSL protocol handler to use our SystemSSL server certificate, as
shown in Example 8-9.
Example 8-9 Enabling the SystemSSL protocol handler
protocol@systemssl_ssl.handler=com.ibm.ctg.server.GskSslHandler
protocol@systemssl_ssl.parameters=port=8052;sotimeout=1000;\
connecttimeout=2000;idletimeout=600000;pingfrequency=60000;\
keyring=/ctg/scsctg5/systemssl.kdb;keyringpw=default;clientauth=off;
Chapter 8. SSL connections to the Gateway daemon on z/OS 201