Sun Identity Manager 8.1 Resources Reference

SSL Configuration with Host On Demand

This section describes how to configure SSL for this adapter. It covers connecting the adapter to a Telnet/TN3270 server using SSL or TLS, generating a PKCS #12 file, and troubleshooting.

Connecting the Adapter to a Telnet/TN3270 Server using SSL or TLS

Use the following steps to connect RACF resource adapters to a Telnet/TN3270 server using SSL/TLS.

Procedure: Connecting RACF Adapters to Telnet/TN3270 Servers

  1. Obtain the Telnet/TN3270 server’s certificate in the PKCS #12 file format. Use hod as the password for this file. Consult your server’s documentation on how to export the server’s certificate. The procedure Generating a PKCS #12 File provides some general guidelines.

  2. Create a CustomizedCAs.class file from the PKCS #12 file. If you are using a recent version of HOD, use the following command to do this. Enter it as a single line; the arguments are the PKCS #12 file, its password (hod) and the class file to create. The example uses the Windows classpath separator (;); on UNIX systems use a colon (:) instead.

    ..\hod_jre\jre\bin\java -cp ../lib/ssliteV2.zip;../lib/sm.zip com.ibm.eNetwork.HOD.convert.CVT2SSLIGHT CustomizedCAs.p12 hod CustomizedCAs.class

  3. Place the CustomizedCAs.class file somewhere in the Identity Manager server’s classpath, such as $WSHOME/WEB-INF/classes.

  4. If a resource attribute named Session Properties does not already exist for the resource, use the Identity Manager IDE or the debug pages to add the attribute to the resource object. Add the following definition in the <ResourceAttributes> section:


    <ResourceAttribute name='Session Properties'
         displayName='Session Properties' description='Session Properties' multi='true'>
    </ResourceAttribute>

  5. Go to the Resource Parameters page for the resource and add the following name and value to the Session Properties resource attribute:


    SESSION_SSL
    true

Generating a PKCS #12 File

The following procedure provides a general description of generating a PKCS #12 file when using the Host OnDemand (HOD) Redirector using SSL/TLS. Refer to the HOD documentation for detailed information about performing this task.

Procedure: Generating a PKCS #12 File: General Steps

  1. Create a new HODServerKeyDb.kdb file using the IBM Certificate Management tool. As part of that file, create a new self-signed certificate as the default private certificate.

    If you get a message that is similar to “error adding key to the certificate database” when you are creating the HODServerKeyDb.kdb file, one or more of the Trusted CA certificates may be expired. Check the IBM website to obtain up-to-date certificates.

  2. Export that private certificate as Base64 ASCII into a cert.arm file.

  3. Create a new PKCS #12 file named CustomizedCAs.p12 with the IBM Certificate Management tool by adding the exported certificate from the cert.arm file to the Signer Certificates. Use hod as the password for this file.

Troubleshooting

You can enable tracing of the HACL by adding the following to the Session Properties resource attribute:

SESSION_TRACE
ECLSession=3 ECLPS=3 ECLCommEvent=3 ECLErr=3 DataStream=3 Transport=3 ECLPSEvent=3

Note –

The trace parameters should be listed without any new line characters. It is acceptable if the parameters wrap in the text box.
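The following is an added example, not part of the Sun documentation, that checks a Session Properties value before it is saved: it confirms SESSION_SSL is set to true (otherwise the adapter talks to the Telnet/TN3270 server in the clear) and that a SESSION_TRACE value is a single line of component=level tokens, which is the mistake the note above warns about. It assumes the multi-valued attribute is handed over as a flat list of alternating names and values, as in the steps above; the token shape is inferred from the trace example on this page.

```python
import re

# Shape of one trace parameter as shown on this page ("ECLSession=3").
# Assumed from the example; the page does not document the valid levels.
TRACE_TOKEN = re.compile(r"^[A-Za-z]+=\d+$")


def parse_session_properties(values):
    """Turn the multi-valued Session Properties attribute (alternating
    name, value entries) into a dict, rejecting malformed input."""
    if len(values) % 2 != 0:
        raise ValueError("Session Properties must be name/value pairs")
    props = {}
    for name, value in zip(values[0::2], values[1::2]):
        name = name.strip()
        if not name:
            raise ValueError("empty property name")
        if name in props:
            raise ValueError(f"duplicate property {name}")
        props[name] = value
    return props


def check_session_properties(values):
    """Validate the properties this page uses. Returns a list of problems;
    an empty list means the configuration looks right."""
    try:
        props = parse_session_properties(values)
    except ValueError as e:
        return [str(e)]
    problems = []
    ssl = props.get("SESSION_SSL")
    if ssl is None:
        problems.append("SESSION_SSL is not set; the session will not use SSL/TLS")
    elif ssl.strip().lower() != "true":
        problems.append(f"SESSION_SSL must be 'true' for SSL/TLS, got {ssl!r}")
    trace = props.get("SESSION_TRACE")
    if trace is not None:
        # The trace parameters must be on one line; a pasted value that
        # carries a line break is the failure mode the note describes.
        if "\n" in trace or "\r" in trace:
            problems.append("SESSION_TRACE contains a new line; list the parameters on one line")
        for token in trace.split():
            if not TRACE_TOKEN.match(token):
                problems.append(f"SESSION_TRACE token {token!r} is not of the form component=level")
    return problems


if __name__ == "__main__":
    # Constructed sample matching the values on this page.
    sample = ["SESSION_SSL", "true", "SESSION_TRACE",
              "ECLSession=3 ECLPS=3 ECLCommEvent=3 ECLErr=3 DataStream=3 Transport=3 ECLPSEvent=3"]
    print(check_session_properties(sample) or "Session Properties OK")
```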


The Telnet/TN3270 server should have logs that may help as well.