Tips for using HTTPS to connect to MSM with RACF using an ICSF keystore.

Document ID : KB000030464
Last Modified Date : 14/02/2018

This tip is related to this part of the documentation in the CA Chorus Software Manager Administration Guide.

When using ICSF with a Crypto-HW as a keystore:

  • Copy the coding example from the manual.
  • Set the keystoreType to be equal to “JCECCARACFKS” in server.xml.
  • Verify that the parameters for sslprotocols fit the site requirements.
  • If you run into java.io.IOException: no such provider: IBMJCE4758, verify that the file $JAVA_HOME/lib/security/java.security was updated to include the ICSF hardware provider. According to IBM’s web site, you need to change that file so that the following is the first provider:

security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA 

Note: You need to move the other providers already in the list to later sequence numbers.

  1. Give the MSM STC userid READ access to the following RACF resources:
    CSFIQF CL(CSFSERV)
    CSFDSV CL(CSFSERV)
    CSFRNGL CL(CSFSERV)
    CSFDSG CL(CSFSERV)
    CSFPKE CL(CSFSERV)
    Note: For a detailed description of these functions, see the "IBM z/OS ICSF Administrators Guide."
  2. Verify that in server.xml the "Connector port=" for https matches the "redirectPort=" in the preceding part for non-SSL HTTP/1.1.
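
The following is an added example, not code from the CA documentation or product: a Python check for the configuration mistakes these tips describe, namely an ICSF provider added to java.security without renumbering the others, a wrong keystoreType, and a redirectPort that does not match the HTTPS connector. The sample file contents, the port numbers and the use of scheme="https" to locate the HTTPS connector are assumptions.

```python
import re
import xml.etree.ElementTree as ET

ICSF_PROVIDER = "com.ibm.crypto.hdwrCCA.provider.IBMJCECCA"  # from the article

def check_java_security(text):
    """Return problems found in the security.provider.N entries."""
    seen, problems = {}, []
    for line in text.splitlines():
        m = re.match(r"\s*security\.provider\.(\d+)\s*=\s*(\S+)", line)
        if not m:
            continue  # comment or unrelated property
        n, cls = int(m.group(1)), m.group(2)
        if n in seen:  # an old entry was not renumbered; the last one wins
            problems.append(f"sequence {n} used twice")
        seen[n] = cls
    if seen.get(1) != ICSF_PROVIDER:
        problems.append(f"security.provider.1 is {seen.get(1)}")
    # The JDK stops reading the provider list at the first missing number.
    gap = next((n for n in range(1, max(seen, default=0)) if n not in seen), None)
    if gap:
        problems.append(f"gap at sequence {gap}")
    return problems

def check_server_xml(text):
    """Return problems found in the Connector elements of server.xml."""
    conns = list(ET.fromstring(text).iter("Connector"))
    # Assumption: the HTTPS connector is the one with scheme="https".
    tls = next((c for c in conns if c.get("scheme") == "https"), None)
    if tls is None:
        return ["no HTTPS Connector found"]
    ktype = tls.get("keystoreType")
    problems = [] if ktype == "JCECCARACFKS" else [f"keystoreType is {ktype}"]
    for c in conns:
        rp = c.get("redirectPort")
        if c is not tls and rp is not None and rp != tls.get("port"):
            problems.append(f"redirectPort {rp} != HTTPS port {tls.get('port')}")
    return problems

# Constructed samples: provider added without renumbering; mismatched ports.
BAD_SECURITY = """security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.3=com.ibm.crypto.provider.IBMJCE"""
BAD_SERVER = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
<Connector port="9443" scheme="https" SSLEnabled="true" keystoreType="JCERACFKS"/>
</Service></Server>"""

for p in check_java_security(BAD_SECURITY) + check_server_xml(BAD_SERVER):
    print("PROBLEM:", p)
```

To check a real installation, pass the contents of $JAVA_HOME/lib/security/java.security and of server.xml to the two functions instead of the constructed samples.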