SSL is available for providing secure communication for IOAGATE. Procedures for implementing SSL are described in this section (refer to the following table). The steps required for implementing SSL can be performed on the mainframe, externally, or partially on the mainframe and partially externally. You can use Control-M Configuration Manager for implementing SSL, as described in detail in the Control-M SSL Guide.
Note: SSL encryption is not supported in the communication between the Control-M/JCL Verify monitors or between Control-O monitors.
Table 171 Various SSL operations for INCONTROL components
Operation |
---|
Creating keys and certificates for IOAGATE for use with Control-M and Control-D |
IOAGATE supports Security Access Facility (SAF) (for example, RACF) as the key database. Various settings for IOAGATE and the corresponding SSL security levels are indicated in the following table.
Table 172 SSL security levels supported by IOAGATE
SSL support level | Setting in the ECAPARM | Keys | CA Certificate |
---|---|---|---|
None | SSL=No | N/A | N/A |
Server (IOAGATE) authentication only | SSL=Yes CLIAUTH=No (Default when SSL=Yes) | IOAGATE requires a private/public key pair and a certificate signed by a CA. This certificate must be defined in SAF and added to the keyring defined for IOAGATE by the KEYRING parameter in the ECAPARM member. | The certificate of the CA that has signed IOAGATE's certificate must be added to the key database on the peer side using sslcmd or the Java keytool utility. |
Both Server (IOAGATE) and Client authentication | SSL=Yes CLIAUTH=Yes | In addition to the IOAGATE’s keys, the client must have a private/public key pair and a certificate signed by a CA. These items must be added to the client’s local key database. | In addition to the signed IOAGATE certificate, the certificate of the CA, which signed the client's certificate, must be added to the keyring defined for IOAGATE by the KEYRING parameter in the ECAPARM member. |
Note: The following commands allow access to the RACF RACDCERT command by user ID admin:
RDEFINE FACILITY IRR.DIGTCERT.* UACC(NONE)
PERMIT IRR.DIGTCERT.* CLASS(FACILITY) ID(admin) ACCESS(Control)
SETROPTS RACLIST(FACILITY) REFRESH
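The following RACF command sequence is an added example, not part of the original procedure or of BMC's documentation. It shows one way to satisfy the "Server (IOAGATE) authentication only" row of Table 172 with a CA generated locally in RACF. The user ID IOAGUSR, the keyring name IOAGRING, the certificate labels, the subject names and the data set name are all placeholders chosen for illustration.

```tso
  /* Added example: every name below is a placeholder (assumption).  */
  /* IOAGUSR  = user ID under which the IOAGATE started task runs    */
  /* IOAGRING = keyring named by the KEYRING parameter in ECAPARM    */

  /* 1. Local CA certificate that will sign the IOAGATE certificate  */
RACDCERT CERTAUTH GENCERT +
  SUBJECTSDN(CN('Example Local CA') O('Example Org') C('US')) +
  SIZE(2048) +
  WITHLABEL('EXAMPLE LOCAL CA') +
  KEYUSAGE(CERTSIGN)

  /* 2. Key pair and CA-signed certificate owned by the IOAGATE user */
RACDCERT ID(IOAGUSR) GENCERT +
  SUBJECTSDN(CN('ioagate.example.com') O('Example Org') C('US')) +
  SIZE(2048) +
  WITHLABEL('IOAGATE SERVER') +
  SIGNWITH(CERTAUTH LABEL('EXAMPLE LOCAL CA')) +
  KEYUSAGE(HANDSHAKE)

  /* 3. Keyring holding the server certificate (default) and its CA  */
RACDCERT ID(IOAGUSR) ADDRING(IOAGRING)
RACDCERT ID(IOAGUSR) CONNECT(ID(IOAGUSR) LABEL('IOAGATE SERVER') +
  RING(IOAGRING) DEFAULT USAGE(PERSONAL))
RACDCERT ID(IOAGUSR) CONNECT(CERTAUTH LABEL('EXAMPLE LOCAL CA') +
  RING(IOAGRING) USAGE(CERTAUTH))

  /* 4. Export only the CA certificate (no private key) so that it   */
  /*    can be added to the key database on the peer side            */
RACDCERT CERTAUTH EXPORT(LABEL('EXAMPLE LOCAL CA')) +
  DSN('ADMIN.IOAGATE.CACERT') FORMAT(CERTB64)

  /* 5. Refresh in-storage profiles if these classes are RACLISTed,  */
  /*    then list the ring to confirm both certificates are present  */
SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
RACDCERT ID(IOAGUSR) LISTRING(IOAGRING)
```

For CLIAUTH=Yes, the certificate of the CA that signed the client's certificate is added to RACF and connected to the same ring with a further CONNECT(CERTAUTH ...) command.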
Control-D/Agent client 3.7.00 (or later) can transfer files to Control-D on an MVS using IOAGATE and the Control-D/File Transfer Option application server.
For background on SSL, refer to the internet. For documentation of SSL support by Control-M/EM and Control-M Configuration Manager, refer to the Control-M SSL Guide. For documentation of SSL support by Control-D/Agent client, refer to the Control-D/Agent User Guide version 3.7.00 (or later).