Enabling secure ODBC communications using AT-TLS and RACF

Document ID : KB000124467
Last Modified Date : 14/01/2019
This document describes how to use RACF to generate SSL certificates for ODBC connections using AT-TLS.
Enabling SSL security is a somewhat complex process requiring configuration changes in multiple locations within your environment.
In this article we provide step-by-step guidance to perform this task using the RACF Security Manager to generate and house your Certificates.

While this configuration does not include support for SSL Client Authentication, the same process can be extended to also generate certificates for that functionality as well.

AT-TLS Policy Modification

SSL enablement on the mainframe is performed using Application Transparent Transport Layer Security, or AT-TLS. AT-TLS is a component of IBM's z/OS Communications Server product. It is configured through the Policy Agent, or PAGENT. PAGENT policies identify which traffic on the mainframe TCP/IP stack should be secured using SSL. A sample set of Policy Rules used to secure the IDMS ODBC/JDBC Listener port has been provided for your reference, under file name ZM17 Pagent.conf.txt in the attached file samples.zip. The contents of this file should be tailored to your site-specific environment and added to your PAGENT configuration.
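To show the shape of such a policy, here is an illustrative AT-TLS rule set written for this article; it is not the attached ZM17 Pagent.conf.txt and not CA's sample. The listener port (3709), the key ring name (IDMSRING) and the cipher list are assumed values to be replaced with your site's listener port from the IDMS system definition and the ring name created by the RACFIDM2 job. The rule terminates TLS on the stack for inbound connections to the listener port, so the IDMS listener itself needs no SSL code (the "application transparent" part), and it disables the SSLv2/SSLv3/TLSv1.0/1.1 protocol versions so that only TLS 1.2 is negotiated.

```text
# Illustrative AT-TLS policy for the IDMS ODBC/JDBC listener (added example,
# not the attached sample). Port, ring name and ciphers are assumptions.
TTLSRule                         IDMSListenerRule
{
   LocalAddr                     ALL
   RemoteAddr                    ALL
   LocalPortRange                3709
   Direction                     Inbound
   Priority                      255
   TTLSGroupActionRef            IDMSGroupAction
   TTLSEnvironmentActionRef      IDMSEnvAction
}

TTLSGroupAction                  IDMSGroupAction
{
   TTLSEnabled                   On
   # Trace 2 logs handshake errors to syslogd; raise only while debugging
   Trace                         2
}

TTLSEnvironmentAction            IDMSEnvAction
{
   # The stack acts as the TLS server; no client certificate is requested
   HandshakeRole                 Server
   TTLSKeyringParmsRef           IDMSKeyring
   TTLSEnvironmentAdvancedParmsRef IDMSAdvParms
   TTLSCipherParmsRef            IDMSCiphers
}

TTLSKeyringParms                 IDMSKeyring
{
   # RACF key ring holding the server certificate and its CA certificate.
   # If the ring is owned by another user, code it as userid/ringname.
   Keyring                       IDMSRING
}

TTLSEnvironmentAdvancedParms     IDMSAdvParms
{
   SSLv2                         Off
   SSLv3                         Off
   TLSv1                         Off
   TLSv1.1                       Off
   TLSv1.2                       On
}

TTLSCipherParms                  IDMSCiphers
{
   # Forward-secret AEAD suite first; the RSA/CBC suite only as a fallback
   V3CipherSuites                TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
   V3CipherSuites                TLS_RSA_WITH_AES_128_CBC_SHA256
}
```

After the policy is loaded (PAGENT refresh), a successful handshake shows in the TTLS connection information of the NETSTAT TTLS display for the listener port; handshake failures, typically a key ring the PAGENT user cannot read or a certificate the client does not trust, are logged according to the Trace setting.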

Environment: CA IDMS/Server, all supported releases.
Certificate Generation

The attached file, samples.zip, also contains four sample JCL streams for generating the SSL certificates.
The jobs must be tailored for your use and run by your mainframe security administrator on the LPAR where the IDMS CV runs and PAGENT is configured.

RACFIDM1.JCL.txt - Create and export the certificates
RACFIDM2.JCL.txt - Create a new Key Ring and add the certificates to it
RACFIDM3.JCL.txt - List the Key Ring

RACFIDM0.JCL.txt - this job can be used to undo and restart the entire process in the event of any problems or if you decide to start over for any reason.

ODBC Client Configuration

Once the new Key Ring has been created and the Certificates are in place, download (in binary) the exported Certificate, which was given a template name of: 'uuuuuuuu.JSRVCERT.PKC12DER'.
Next, on the Windows client, convert the Certificate into PEM format.
Assuming the Certificate was downloaded with file name 'JSRVCERT.PKC12DER' to a directory called 'temp', the command to do that is:
openssl pkcs12 -in C:\temp\JSRVCERT.PKC12DER -out C:\temp\JSRVCERT.PEM

Finally, configure your IDMS ODBC Data Source such that the 'Server Certificate' on the SSL tab of the Data Source points to the PEM file created above (JSRVCERT.PEM).
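The following POSIX shell script is an added example, not part of this article, showing the same PKCS#12-to-PEM conversion in a checkable form. It assumes OpenSSL is installed on the client, that the downloaded file is JSRVCERT.PKC12DER and that the PKCS#12 password is known; the Windows paths in the command above become ordinary paths here, but the openssl options are identical. Two checks a practitioner wants are included: the PEM handed to the ODBC driver should contain only certificates (the -nokeys option drops any private key the export may carry, since the client only needs the certificate to validate the server), and the certificate subject should be the one the listener presents. The make_sample_p12 function builds a throwaway self-signed bundle so the conversion can be exercised offline; in practice you convert the file exported by RACF.

```shell
#!/bin/sh
# Added example (not from the KB article): convert a downloaded PKCS#12 file
# to a PEM file holding only certificates, then sanity-check the result.
# Assumed names: JSRVCERT.PKC12DER (input) and JSRVCERT.PEM (output).

# p12_to_pem IN OUT PASSWORD
# Same conversion as the article's command, plus -nokeys so that no private
# key ends up in the PEM file used by the ODBC client.
p12_to_pem() {
    in="$1"; out="$2"; pass="$3"
    openssl pkcs12 -in "$in" -out "$out" -nokeys -passin "pass:$pass" 2>/dev/null
}

# count_certs FILE: number of CERTIFICATE blocks in a PEM file
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# has_private_key FILE: succeeds (exit 0) if a private key block is present,
# which is undesirable in a file that is only meant to be a trust anchor
has_private_key() {
    grep -q 'PRIVATE KEY' "$1"
}

# cert_subject FILE: subject of the first certificate in the PEM file;
# compare this with the name of the IDMS listener host
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# cert_dates FILE: validity window of the certificate, for expiry checks
cert_dates() {
    openssl x509 -in "$1" -noout -dates
}

# make_sample_p12 OUT PASSWORD: constructed test input only. Creates a
# self-signed certificate and key and packages them as PKCS#12, standing in
# for the file exported by RACF.
make_sample_p12() {
    out="$1"; pass="$2"; dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=idms-listener.example" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -out "$out" -passout "pass:$pass"
    rm -rf "$dir"
}

# Typical use on the client, after downloading the export in binary:
#   p12_to_pem JSRVCERT.PKC12DER JSRVCERT.PEM "$P12_PASSWORD"
#   has_private_key JSRVCERT.PEM && echo "WARNING: private key in PEM"
#   cert_subject JSRVCERT.PEM; cert_dates JSRVCERT.PEM
```

Point the 'Server Certificate' field of the Data Source at the resulting JSRVCERT.PEM. If the subject printed by cert_subject does not match the host name the client connects to, or the dates show the certificate is outside its validity window, the driver's SSL validation will fail even though the file converted cleanly.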

Additional Information:
Configuring Secure Sockets
Application Transparent Transport Layer Security (AT-TLS)
File Attachments: