Enabling an SSL port to access RACF certificates versus JKS

Issues and Questions related to running Apache Tomcat on z/OS
dwaneos
Posts: 1
Joined: Mon Aug 18, 2008 4:06 am

Enabling an SSL port to access RACF certificates versus JKS

Post by dwaneos »

Does anyone have any experience in enabling an SSL port on tomcat (running on z/OS) so that the keystore and truststore are those of a RACF keyring versus a java keystore?

I know tomcat is packaged up with its util.jar which manages the SSLSocket connections, and that IBMJCE is the provider that deals with RACF keyrings. I have everything configured to use RACF but tomcat still looks for a file (assuming a jks file) versus the safkeyring url.

Has anyone had any experience in doing this before? If so, how do I go about making tomcat look for a keyring versus a file?
ForceRs
Posts: 4
Joined: Thu Jul 14, 2005 8:45 am

Re: Enabling an SSL port to access RACF certificates versus JKS

Post by ForceRs »

I realize that I'm resurrecting a 7-year-old post.

Was this ever addressed? We have a need to allow for smart card log-ins via web page. We have enabled "clientAuth=true" in Tomcat Connector. This forces secure connections to Tomcat, but we must point tomcat to a truststoreFile. Can the truststoreFile be configured somehow to use RACF's key ring?
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Re: Enabling an SSL port to access RACF certificates versus JKS

Post by dovetail »

Tomcat uses the standard Java provider frameworks (JCE and JSSE).
So, using SAF/RACF certs in Key Rings is a matter of configuring the providers properly - just like with WAS.
Have you tried this?

Here is an FAQ: http://www-03.ibm.com/systems/z/os/zos/ ... tyfaq.html
ForceRs
Posts: 4
Joined: Thu Jul 14, 2005 8:45 am

Re: Enabling an SSL port to access RACF certificates versus JKS

Post by ForceRs »

To have tomcat use a trust store in RACF as opposed to one spinning on disk, define your tomcat connector as follows:
<Connector
    port="443"
    scheme="https"
    secure="true"
    SSLEnabled="true"
    clientAuth="true"
    useSendfile="false"
    truststoreType="JCERACFKS"
    truststoreFile="safkeyring://USERID/Racf_Name"
    truststorePass=""
    keystoreType="JKS"
    keystoreFile="your/dir/web_bin/.keystore"
    keystorePass="passwordOfKeystore"
/>
Note that truststorePass is blank. This is correct; it must be blank, or simply remove the entire truststorePass line.
You MUST add the following export to your tomcat startup:
-Djava.protocol.handler.pkgs=com.ibm.crypto.provider
This instructs the JVM to use com.ibm.crypto.provider when it encounters a key store or trust store whose name is provided in URL format (like safkeyring://USERID/Racf_Name).
The example above shows a key store spinning on disk in JKS format, but it could be in RACF, too, of course; just change the keystoreType to JCERACFKS and the keystoreFile to be in safkeyring format.
By the way, the useSendfile="false" above is to circumvent a bug when running under USS that causes web pages to stall for long periods of time when serving files larger than (I think) 62K.

I'm the Java guy and not the z/OS guy, so the following is provided as a best guess as to how to get the certs from Windows to z/OS and into RACF:
Here is sample JCL to make a RACF keyring:
1. "bin" transfer cert(s) from windows file to MVS data set with attributes: PS, VB, lrecl 84
2. Import or Add Root and Intermediate certs to RACF:
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ADD('A.CERTCHAIN.FILE') -
           PASSWORD('password') -
           ID(USERID)
/*
3. Define Keyring and Connect Root and Intermediate Certs:
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(USERID) ADDRING(Racf_Name)

  RACDCERT ID(USERID) CONNECT( CERTAUTH RING(Racf_Name) -
           LABEL('LABEL00000005') /* Root CA */ -
           USAGE(CERTAUTH) DEFAULT)

  RACDCERT ID(USERID) CONNECT( CERTAUTH RING(Racf_Name) -
           LABEL('LABEL00000006') /* Intermediate CA */ -
           USAGE(CERTAUTH) DEFAULT)
/*

Note that if the root and intermediate certs are placed in separate windows files, they could be imported to RACF individually with meaningful labels specified. For example, the following statement could be added to the RACDCERT ADD to assign a label to the root: WITHLABEL('USERID_Root')
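A small check that is worth running before pointing the Connector's truststoreFile at the ring: open the same safkeyring URL through the JCERACFKS KeyStore type, under the same -Djava.protocol.handler.pkgs option the post requires, and list what the JVM actually sees (CA flag, private key present, expiry). This is an added example written for this thread, not code from the posts above or from Tomcat; USERID, Racf_Name and the class name are placeholders, and it assumes the IBM JDK on z/OS with IBMJCE in the provider list.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

/**
 * Lists the entries of a RACF key ring as seen through JCERACFKS, so the ring
 * can be verified before Tomcat's truststoreFile (clientAuth="true") uses it.
 *
 * Run on z/OS with the IBM JDK, with the option the post says is mandatory:
 *   java -Djava.protocol.handler.pkgs=com.ibm.crypto.provider \
 *        RacfRingCheck safkeyring://USERID/Racf_Name
 * (RacfRingCheck, USERID and Racf_Name are placeholders for this example.)
 */
public class RacfRingCheck {
    public static void main(String[] args) throws Exception {
        String ringUrl = args.length > 0 ? args[0] : "safkeyring://USERID/Racf_Name";
        KeyStore ks = KeyStore.getInstance("JCERACFKS");
        // Empty password mirrors the blank truststorePass in the Connector:
        // access to the ring is controlled by SAF permissions, not a passphrase.
        try (InputStream in = new URL(ringUrl).openStream()) {
            ks.load(in, new char[0]);
        }
        Date now = new Date();
        int expiredCount = 0;
        for (String alias : Collections.list(ks.aliases())) {   // aliases are the RACF labels
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x = (X509Certificate) c;
            boolean isCa = x.getBasicConstraints() >= 0;  // CERTAUTH entries validate client certs
            boolean hasKey = ks.isKeyEntry(alias);        // private key present (server identity)
            boolean expired = x.getNotAfter().before(now);
            System.out.printf("%-28s ca=%-5s key=%-5s notAfter=%tF %s%n",
                    alias, isCa, hasKey, x.getNotAfter(), expired ? "EXPIRED" : "");
            if (expired) {
                expiredCount++;
            }
        }
        if (expiredCount > 0) {
            System.err.println(expiredCount + " expired entries; client chains ending in them will be rejected.");
            System.exit(1);
        }
    }
}
```

If this fails with a "no such protocol: safkeyring" style error, the handler property was not passed to the JVM, which is the same symptom the first post describes in Tomcat.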