How should I configure CA XCOM for z/OS for a managed PKI infrastructure?

Document ID:  TEC1987631
Last Modified Date:  06/12/2017

Products

  • CA XCOM Data Transport

Releases

  • CA XCOM Data Transport:Release:11.6
  • CA XCOM Data Transport:Release:12.0

Components

  • CA XCOM Data Transport for z/OS:XCMVS
Introduction:

The Mainframe team would like to migrate the CA XCOM for z/OS 12.0 certificates from their current configuration in local USS datasets to mainframe security.

Environment:

OpenSSL, SystemSSL

Instructions:

You may use self-signed certificates or those supplied by a Certificate Authority. 

Certificates can be stored in a keyring that is maintained by CA ACF2, IBM RACF or CA Top Secret. The XCOM server or batch job must run with authority to use the KEYRING into which the certificates have been loaded. When a keyring is used, it is referenced in the [KEYRING] section of the configssl.cnf member. To use a certificate other than the default, specify the certificate label in the [LABLCERT] section of configssl.cnf.

Please see: Using Certificates with your product in the CA XCOM Data Transport for z/OS - 12.0 online documentation.

Also see the sample configssl.cnf file configured for a keyring in the CA XCOM Data Transport for z/OS - 12.0 online documentation.
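One way the keyring setup described above can look on IBM RACF, shown as an added example and not taken from the CA documentation. The user ID XCOMSTC, the ring name XCOMRING and both certificate labels are assumptions, and the certificates are assumed to have been added to RACF already.

```jcl
//XCOMRING JOB (ACCT),'XCOM KEYRING',CLASS=A,MSGCLASS=X
//* Added example. Assumed names: XCOMSTC (XCOM server user ID),
//* XCOMRING (keyring), and both certificate labels. The certificates
//* are assumed to be already added to RACF under those labels.
//* Step order in SYSTSIN:
//*  1. Create the keyring under the XCOM server's user ID.
//*  2. Connect the root CA certificate as a trust anchor.
//*  3. Connect the server certificate as the ring's DEFAULT.
//*  4. Let the server ID read its own ring (skip RDEFINE if the
//*     profile already exists), then refresh the FACILITY class.
//*  5. List the ring to verify its contents.
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(XCOMSTC) ADDRING(XCOMRING)
  RACDCERT ID(XCOMSTC) CONNECT(CERTAUTH -
    LABEL('Example Root CA') RING(XCOMRING) USAGE(CERTAUTH))
  RACDCERT ID(XCOMSTC) CONNECT(ID(XCOMSTC) -
    LABEL('XCOM Server Cert') RING(XCOMRING) -
    DEFAULT USAGE(PERSONAL))
  RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) -
    ID(XCOMSTC) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
  RACDCERT ID(XCOMSTC) LISTRING(XCOMRING)
/*
```

Because the server certificate is connected as DEFAULT, a [LABLCERT] entry is only needed when a different certificate on the ring should be used. CA ACF2 and CA Top Secret have their own equivalent commands, covered in the documentation listed under Additional Information.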

The requirement is (and has always been) that the root certificate (cassl.pem and casslkey.pem files) be the same on both partners. 

Regarding a managed PKI infrastructure: as certificate handling works today, you MUST have your certificates either
1) in local USS datasets or
2) in your security package's keyring handler.

Making calls to retrieve certificates is not a function of XCOM. Locating and loading of certificates is done by either OpenSSL or IBM's SystemSSL - depending on which you are using. 

That said, XCOM has neither the ability nor a configuration option to use certificates in any manner other than what is currently documented.

Additional Information:
  • For CA Top Secret, see Digital Certificates in the CA Top Secret® for z/OS - 16.0 documentation
  • For CA ACF2, see Digital Certificate Support in the CA ACF2™ for z/OS - 15.0 & 16.0 documentation
  • For IBM RACF, see IBM's z/OS Security Server RACF Security Administrator's Guide.

Documentation for CA XCOM Data Transport for z/OS 12.0