z/OS Installation - Configuration of z/OS System SSL

Universal Agent can use the IBM z/OS System SSL library or the OpenSSL SSL library for its SSL/TLS network communications. The SSL library selection is made with the Universal Agent SSL_IMPLEMENTATION configuration option.

z/OS System SSL requires the IBM System SSL Cryptographic Services base element. In addition, Universal Agent requires Cryptographic Services Security Level 3 element, which includes the cryptographically strong SSL/TLS cipher suites.

SSL Benefits

System SSL provides the following benefits:

• Utilizes any cryptographic hardware features available reducing the amount CPU resources used by Universal Agent.

• Seamless integration with RACF certificate management features.

  info

  If RACF digital certificates are new to you or your site, refer to the following documentation for complete details:

  • • z/OS Security Server RACF Security Administrator's Guide
  • z/OS Security Server RACF Command Language Reference

Required Conditions for Using SSL

In order for Universal Agent to use z/OS System SSL, the following conditions must be met:

1. Universal Agent supports z/OS System SSL on z/OS 1.4 and above.
2. Universal Agent component SSL_IMPLEMENTATION configuration values must be set to system.
3. User profiles with which the Universal Agent component executes must have READ access to the RACF profile IRR.DIGTCERT.LISTRING in the FACILITY class.
4. User profiles with which the Universal Agent component executes must have a certificate key ring associated with them that includes the user's certificate and the CA's certificate.

Additional Information

The following pages provide additional detailed information for Configuration of z/OS System SSL:

• Integrated Cryptographic Service Facility (ICSF)
• Universal Broker Digital Certificate (RACF) Set-up