Using demo certificates for IOAGATE with Control-D

For Control-D/File Transfer Option (FTO), Control-D/Agent provides a DEMO certificate signed by the Control-D DEMO CA. The Control-D for z/OS certificate is also signed by the same DEMO CA.

For SSL setup for Control-D/WebAccess Server, ensure that you have already obtained the keys and certificates using the BYO method.

Note: The sample certificates are for demonstration purposes only and must not be used in a production environment.

To enable SSL on Control-D/Agent file transfer server:

  1. In the sesmgr.config configuration file, located in <INSTALLATION PATH>/config, set Ssl true to enable the server to listen in SSL mode on the port.
  2. Restart Control-D/Agent file transfer server.

To enable SSL on Control-D/Agent file transfer client:

Add the -ssl parameter to the command line to communicate with the host using SSL:

    bmc-ctd-sftclient -h=host -p=port -u -f=input_file -d=output -ssl

The Control-D file transfer client can send files to Control-D on z/OS via IOAGATE when IOAGATE is configured for Control-D/File Transfer Option support.

To set up Control-D/File Transfer Option or Control-D/WebAccess Server in IOAGATE for SSL:

  1. Specify the following parameters in ECAPARM:

    SSL=YES,
    KEYRING=<IOAGATE's keyring>,
    KEYRLAB=<IOAGATE's certificate label>,
    CLIAUTH=NO | YES,

    For example:

    SSL=YES,
    KEYRING=IOAGATERING,
    KEYRLAB=IOAGATEF,
    CLIAUTH=NO,

  2. Use the following members in the SAMPLE library:
  3. Copy SAMPLE members CERTCAF and CERTGATF to sequential files using sample job CERTFTOF.

    This step is needed because RACDCERT must be provided with the demo certificates in a sequential VB file, with trailing blanks removed.

    Assume that these files will be called IOAQ.Q71MN.CERTCAF.DEMO and IOAQ.Q71MN.CERTGATF.DEMO.

//Q53CER JOB ,OR,CLASS=A,MSGCLASS=X,REGION=0M,NOTIFY=&SYSUID
//*
//*
//    JCLLIB  ORDER=IOAQ.Q71MN.PROCLIB
//    INCLUDE MEMBER=IOASET
//COPY1  EXEC PGM=SORT
//SYSOUT DD SYSOUT=*
//SORTIN DD DSN=IOAQ.Q71MN.SAMPLE(CERTCAF),DISP=SHR
//VBOUT  DD DSN=IOAQ.Q71MN.CERTCAF.DEMO,
//      DISP=(NEW,CATLG,DELETE),
//      SPACE=(TRK,(1,1),RLSE),
//      VOL=SER=IOAQ31,UNIT=3390,
//      DCB=(RECFM=VB,LRECL=68,BLKSIZE=6800)
//SYSIN DD *
  OPTION COPY
  OUTFIL FNAMES=VBOUT,FTOV,VLTRIM=X'40'
/*
//COPY2  EXEC PGM=SORT
//SYSOUT DD SYSOUT=*
//SORTIN DD DSN=IOAQ.Q71MN.SAMPLE(CERTGATF),DISP=SHR
//VBOUT  DD DSN=IOAQ.Q71MN.CERTGATF.DEMO,
//      DISP=(NEW,CATLG,DELETE),
//      SPACE=(TRK,(1,1),RLSE),
//      VOL=SER=IOAQ31,UNIT=3390,
//      DCB=(RECFM=VB,LRECL=68,BLKSIZE=6800)
//SYSIN DD *
  OPTION COPY
  OUTFIL FNAMES=VBOUT,FTOV,VLTRIM=X'40'
/*

  4. Go to RACF and issue the following RACF commands:
    1. Import the CA certificate:

      RACDCERT CERTAUTH ADD('IOAQ.Q71MN.CERTCAF.DEMO') TRUST WITHLABEL('CACERTF')

    2. Import IOAGATE's certificate:

      RACDCERT ID(STCUSER) ADD('IOAQ.Q71MN.CERTGATF.DEMO') TRUST WITHLABEL('IOAGATEF') PASSWORD('abcd1234')

    3. Define a key ring for IOAGATE:

      RACDCERT ID(STCUSER) ADDRING(IOAGATERING)

    4. Connect the certificates to IOAGATE's keyring:

      RACDCERT ID(STCUSER) CONNECT(CERTAUTH LABEL('CACERTF') RING(IOAGATERING) USAGE(CERTAUTH))

      RACDCERT ID(STCUSER) CONNECT(ID(STCUSER) LABEL('IOAGATEF') RING(IOAGATERING))

      • The RING value must match the KEYRING defined in ECAPARM.
    5. Recycle IOAGATE and the application server of Control-D/File Transfer Option.
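
The KEYRING and KEYRLAB values in ECAPARM must line up with the ring and label names used in the RACDCERT commands. The following Python check is an added example, not BMC code: it cross-checks the two sides, using this page's example values as constructed input; the function names are assumptions.

```python
import re

# Constructed sample input: the example ECAPARM values and RACDCERT commands from this page.
ECAPARM = """
SSL=YES,
KEYRING=IOAGATERING,
KEYRLAB=IOAGATEF,
CLIAUTH=NO,
"""
RACF = """
RACDCERT CERTAUTH ADD('IOAQ.Q71MN.CERTCAF.DEMO') TRUST WITHLABEL('CACERTF')
RACDCERT ID(STCUSER) ADD('IOAQ.Q71MN.CERTGATF.DEMO') TRUST WITHLABEL('IOAGATEF') PASSWORD('abcd1234')
RACDCERT ID(STCUSER) ADDRING(IOAGATERING)
RACDCERT ID(STCUSER) CONNECT(CERTAUTH LABEL('CACERTF') RING(IOAGATERING) USAGE(CERTAUTH))
RACDCERT ID(STCUSER) CONNECT(ID(STCUSER) LABEL('IOAGATEF') RING(IOAGATERING))
"""

def parse_ecaparm(text):
    """Return the KEY=VALUE pairs of an ECAPARM fragment as a dict (hypothetical helper)."""
    return dict(re.findall(r"^\s*(\w+)=([^,\s]+)", text, re.M))

def check(ecaparm_text, racf_text):
    """Return a list of mismatches; an empty list means both sides agree."""
    parms = parse_ecaparm(ecaparm_text)
    ring, label = parms.get("KEYRING", ""), parms.get("KEYRLAB", "")
    rings = set(re.findall(r"ADDRING\((\w+)\)", racf_text))
    imported = set(re.findall(r"WITHLABEL\('([^']+)'\)", racf_text))
    # (label, ring) pairs from every CONNECT, and the rings that have a CA connected.
    connected = set(re.findall(r"CONNECT\(.*?LABEL\('([^']+)'\)\s+RING\((\w+)\)", racf_text))
    ca_rings = set(re.findall(r"CONNECT\(CERTAUTH\s.*?RING\((\w+)\)", racf_text))
    findings = []
    if parms.get("SSL") != "YES":
        findings.append("SSL is not YES in ECAPARM")
    if ring not in rings:
        findings.append(f"KEYRING {ring!r} has no matching ADDRING")
    if label not in imported:
        findings.append(f"KEYRLAB {label!r} matches no WITHLABEL import")
    if (label, ring) not in connected:
        findings.append(f"certificate {label!r} is not connected to ring {ring!r}")
    if ring not in ca_rings:
        findings.append(f"no CERTAUTH certificate is connected to ring {ring!r}")
    return findings

if __name__ == "__main__":
    for line in check(ECAPARM, RACF) or ["ECAPARM and RACF definitions agree"]:
        print(line)
```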
