This section describes how to configure SSL for this adapter, including:
Use the following steps to connect RACF resource adapters to a Telnet/TN3270 server using SSL/TLS.
Obtain the Telnet/TN3270 server’s certificate in the PKCS #12 file format. Use hod as the password for this file. Consult your server’s documentation on how to export the server’s certificate. The procedure Generating a PKCS #12 File provides some general guidelines.
Create a CustomizedCAs.class file from the PKCS #12 file. If you are using a recent version of HOD, use the following command to do this.
..\hod_jre\jre\bin\java -cp ../lib/ssliteV2.zip; ../lib/sm.zip com.ibm.eNetwork.HOD.convert.CVT2SSLIGHT CustomizedCAs.p12 hod CustomizedCAs.class
Place the CustomizedCAs.class file somewhere in the Identity Manager server’s classpath, such as $WSHOME/WEB-INF/classes.
If a resource attribute named Session Properties does not already exist for the resource, then use the [Please define the IDMIDE text entity] or debug pages to add the attribute to the resource object. Add the following definition in the <ResourceAttributes> section:
<ResourceAttribute name=’Session Properties’ displayName=’Session Properties’ description=’Session Properties’ multi=’true’> </ResourceAttribute>
Go to the Resource Parameters page for the resource and add values to the Session Properties resource attribute:
The following procedure provides a general description of generating a PKCS #12 file when using the Host OnDemand (HOD) Redirector using SSL/TLS. Refer to the HOD documentation for detailed information about performing this task.
If you get a message that is similar to “error adding key to the certificate database” when you are creating the HODServerKeyDb.kdb file, one or more of the Trusted CA certificates may be expired. Check the IBM website to obtain up-to-date certificates.
Export that private certificate as Base64 ASCII into a cert.arm file.
Create a new PKCS #12 file named CustomizedCAs.p12 with the IBM Certificate Management tool by adding the exported certificate from the cert.arm file to the Signer Certificates. Use hod as the password for this file.
You can enable tracing of the HACL by adding the following to the Session Properties resource attribute:
SESSION_TRACE ECLSession=3 ECLPS=3 ECLCommEvent=3 ECLErr=3 DataStream=3 Transport=3 ECLPSEvent=3
The trace parameters should be listed without any new line characters. It is acceptable if the parameters wrap in the text box.
The Telnet/TN3270 server should have logs that may help as well.