How to acquire and explore/correlate a CA Top Secret (TSS) 12.0 endpoint using SSL?

Document ID : KB000052461
Last Modified Date : 14/02/2018

Description:

After importing the CA certificate into the JXplorer store, the customer can acquire the TSS 12.0 endpoint using a proxy admin ID (one that has permissions on TSS) but cannot connect to it in order to do an explore/correlate. The etatrans log shows the error "FAILURE: External Explore (eTTSSAcidContainerName=Accounts), msg::ETA_E_0024<EXX>, Object 'Accounts' exploration failed:". Adding an extra TLSCACertificateFile line to IM_PS, as well as appending the certificate to the existing et2_cacert.pem file, was tested with no success.

Solution:

The following steps allow SSL access for LDAP on z/OS:

On the endpoint dialog in the Manager:

  • Make sure that the "Use Server-side SSL" checkbox is checked.

  • For the "LDAP Port", enter the non-SSL port of the LDAP process on the mainframe. After the connection is made, it is upgraded to an SSL connection if the server supports SSL.

In the im_ps.conf file on the IM server, find the entry for "TLSCACertificateFile". This should reference a *.pem file. If the local copy of this file is not the exact same binary file as the one in use on z/OS, copy the z/OS file to the local system and combine it with the file referenced in im_ps.conf.

Combining 2 *.pem files.

If the certificates from multiple *.pem files are needed, it is recommended that they be combined into a single new *.pem file rather than appended to an existing file. This makes it easier to update the file in the future if one of the certificates expires.

On Unix or z/OS, use a command similar to:

cat infile1 infile2 infile3 >outfile.pem

On Windows, use a command similar to:

copy /b infile1+infile2+infile3 outfile.pem

After combining the files into a new *.pem file, update the entry in im_ps.conf to reference the new *.pem file. The "CA Identity Manager - Provisioning Server" service needs to be restarted for these changes to take effect.
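As an added example (not from this CA article), a small Python merge that builds the new *.pem file the way the steps above recommend while handling the pitfalls a plain cat or copy /b does not: an input file without a trailing newline (which glues END and BEGIN markers together), CRLF line endings from a copy made on Windows, a duplicated certificate, and a corrupted block. The function names and the sample PEM blocks are constructed for this illustration; the bodies are placeholders, not real certificates.

```python
import base64
import hashlib
import re

# One PEM certificate block; \r?\n tolerates CRLF from files copied via Windows.
_CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.DOTALL)

def extract_certificates(pem_text):
    """Return each certificate in pem_text as a normalized PEM string: the
    base64 body is decoded once so a truncated or corrupted block is rejected,
    then re-wrapped at 64 columns with LF line endings and a trailing newline."""
    certs = []
    for body in _CERT_BLOCK.findall(pem_text):
        b64 = "".join(body.split())
        try:
            base64.b64decode(b64, validate=True)
        except ValueError as exc:
            raise ValueError("corrupt certificate block in PEM input") from exc
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        certs.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                     + "\n-----END CERTIFICATE-----\n")
    return certs

def merge_pem_files(pem_texts):
    """Build one new bundle from several PEM inputs, as the article recommends.
    Duplicates are dropped and every block ends with a newline, so the result
    never contains the glued END/BEGIN pair that plain cat or copy /b produces
    when an input file lacks a trailing newline."""
    seen, out = set(), []
    for text in pem_texts:
        for cert in extract_certificates(text):
            if cert not in seen:
                seen.add(cert)
                out.append(cert)
    return "".join(out)

def file_digest(data):
    """SHA-256 of a file's exact bytes: compare the local *.pem against the
    copy in use on z/OS to confirm they are the same binary file."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample inputs with placeholder bodies (not real certificates): the
# local file lacks a trailing newline, the z/OS export uses CRLF and repeats one cert.
SAMPLE_LOCAL = "-----BEGIN CERTIFICATE-----\nQUFBQUFB\n-----END CERTIFICATE-----"
SAMPLE_ZOS = ("# exported from z/OS\r\n"
              "-----BEGIN CERTIFICATE-----\r\nQUFBQUFB\r\n-----END CERTIFICATE-----\r\n"
              "-----BEGIN CERTIFICATE-----\r\nQkJCQkJC\r\n-----END CERTIFICATE-----\r\n")
```

Write the returned string to a new *.pem file, point TLSCACertificateFile at it, and compare file_digest of the local and z/OS copies when in doubt about whether they are identical.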

If SSL is in use, the LDAP log on z/OS will show a message containing the string "TLS trace: SSL_accept".

The following steps will allow SSL connections between IM and z/OS:

On the IM server, acquire the TSS endpoint using a non-SSL connection, and check the "Use Server-side SSL" checkbox.

For the LDAP server running on z/OS, specify "security tls=1" in the slapd.conf file within the definition of the specific database that should accept SSL connections only. With this parameter set on the backend database, only SSL connections are allowed; connections from Identity Manager that do not have the "Use Server-side SSL" checkbox checked are denied access.