Storing ECuRep-required DigiCert CA Certificates into a z/VM Key Database

To be able to use a z/VM FTP client to connect securely to an IBM problem documentation site (ECuRep or TestCase), you will need to add these CA certificates to the key database referenced by your SSL servers:

  DigiCert Global Root CA
  Digicert Global Root G2
You can download the certificates directly from this website using a browser:

https://www.digicert.com/digicert-root-certificates.htm

and then copy them into a z/VM key database yourself (using techniques of your own choosing).

Or, follow these steps to load the Base64-encoded versions of these certificates (presented here) into your key database:

  1. Log on to the GSKADMIN user ID
  2. Create a CMS file to store the Global Root CA certificate, using the Xedit command:

    xedit digicrca crt a

  3. Copy and paste the following content into the DIGICRCA CRT file (be certain that the BEGIN CERTIFICATE and END CERTIFICATE lines are included):

    -----BEGIN CERTIFICATE-----
    MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
    QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
    MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
    b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
    9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
    CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
    nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
    43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
    T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
    gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
    BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
    TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
    DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
    hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
    06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
    PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
    YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
    CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
    -----END CERTIFICATE-----
    
  4. Issue these Xedit commands to save the certificate content:

    recfm v
    file

  5. Create a CMS file to store the Global Root G2 certificate, using the Xedit command:

    xedit digicrg2 crt a

  6. Copy and paste the following content into the DIGICRG2 CRT file (be certain that the BEGIN CERTIFICATE and END CERTIFICATE lines are included):

    -----BEGIN CERTIFICATE-----
    MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
    MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
    MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
    b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
    9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
    2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
    1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
    q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
    tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
    vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
    BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
    5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
    1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
    NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
    Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
    8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
    pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
    MrY=
    -----END CERTIFICATE-----
    
  7. Issue these Xedit commands to save the certificate content:

    recfm v
    file

  8. Issue the following commands to store the new certificate files in the BFS (Byte File System):

    openvm put digicrca crt a digicrootca.crt (bfsline nl
    openvm put digicrg2 crt a digicrootg2.crt (bfsline nl

  9. Open your key database using the gskkyman command and select option 7 to import the new certificates.

    Note:
    When labels are specified for the root certificates, you can enclose the label text in double quotes so that more descriptive text can be used to identify each certificate. For example:

      ...
      Enter import file name (press ENTER to return to menu):
      digicrootca.crt
      Enter label (press ENTER to return to menu):
      "DigiCert Global Root CA"
      Certificate imported.
      Press ENTER to continue.
      ...
      ...
      Enter import file name (press ENTER to return to menu):
      digicrootg2.crt
      Enter label (press ENTER to return to menu):
      "Digicert Global Root G2"
      Certificate imported.
      Press ENTER to continue.
      ...
    
    If such labels are desired, be certain that a CP TERMINAL ESCAPE character is not in effect when gskkyman is used (the default CP escape character is the double quotation mark, which would otherwise consume the quotes around the label). This can be accomplished by issuing the command CP TERMINAL ESCAPE OFF before gskkyman is invoked.
  10. If the SSL server pool has already been configured for use and is operational, issue the SSLADMIN REFRESH command to instruct the SSL server to update its internally maintained key database information:

    ssladmin refresh

    If the SSL server pool has not been configured for use, this must be done before any ECuRep or TestCase secure connections can be tested and verified. When the SSL server pool is operational, resume with the connection verification steps that follow.

  11. Log off the GSKADMIN user ID
  12. Log on to the TCPMAINT user ID
  13. Test the connection to verify that it works and is secure, using the z/VM FTP client.

    Issue these commands:

    ftp ftps.ecurep.ibm.com (secure    {or, ftp testcase.boulder.ibm.com (secure}
    {Log in with your IBM Support File Transfer id and password}
    get welcome.msg
    quit

    After the FTP command is issued, you should see an AUTH TLS command issued, which secures the connection. After the FTP session is ended, a file named WELCOME MSG A should exist, which you can view using Xedit.

    Note:
    If a firewall is in use, make sure the connection is in PASSIVE mode and request that ports 65024-65535 be opened for use. If these ports cannot be made available, use the FTP CCC (Clear Command Channel) subcommand after credentials are exchanged, to return the control connection to clear text before any command that will open a secure data connection (for example: ls, dir, get, put) is issued. After CCC, the commands and replies on the control connection (file names, PASV port negotiation) are visible on the network in clear text, while the credentials already exchanged under TLS and the data transfers themselves remain protected.
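Before the CRT files created in steps 3 and 6 are imported with gskkyman, it is worth confirming that the copy-and-paste left the PEM content intact, since a dropped line or a stray character is only discovered later as an obscure import or handshake failure. The following Python script is an added example and not part of IBM's procedure: it embeds the DigiCert Global Root CA text exactly as quoted in step 3, checks the PEM armor lines, the base64 body, that the outer DER SEQUENCE length matches the decoded data, and that the expected subject name is present, and prints the SHA-256 fingerprint so it can be compared with the one DigiCert publishes on the download page. The drop_line helper is a constructed corruption used only to show what a damaged paste looks like; run the script on a workstation against the text you intend to paste (or copy back out of the CMS file).

```python
"""Added example (not IBM's code): sanity-check a pasted PEM certificate before
importing it with gskkyman. Verifies the PEM armor, the base64 body, that the
DER SEQUENCE length matches the decoded data, and that the expected subject
name is present; prints the SHA-256 fingerprint for comparison with the value
DigiCert publishes. Standard library only."""
import base64
import hashlib
import re

PEM_LINE_MAX = 64                                   # RFC 7468 body line width
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# DigiCert Global Root CA, as quoted in step 3 of the procedure above.
DIGICERT_GLOBAL_ROOT_CA_PEM = """\
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----
"""


def der_total_length(der):
    """Byte length declared by the outermost DER SEQUENCE, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:              # 0x30 = SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:                                # short-form length
        return 2 + first
    n = first & 0x7F                                # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem(text, expected_subject):
    """Return {'ok', 'problems', 'der_len', 'sha256'} for one PEM certificate."""
    problems = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != "-----BEGIN CERTIFICATE-----":
        problems.append("BEGIN CERTIFICATE line missing or not first")
    if len(lines) < 2 or lines[-1] != "-----END CERTIFICATE-----":
        problems.append("END CERTIFICATE line missing or not last")
    body = lines[1:-1]
    for i, ln in enumerate(body, start=2):
        if len(ln) > PEM_LINE_MAX:
            problems.append(f"line {i}: wider than {PEM_LINE_MAX} characters")
        if not BASE64_RE.match(ln):
            problems.append(f"line {i}: non-base64 character present")
    der = b""
    try:
        der = base64.b64decode("".join(body), validate=True)
    except ValueError as exc:                       # binascii.Error is a ValueError
        problems.append(f"base64 decode failed: {exc}")
    declared = der_total_length(der)
    if declared is None:
        problems.append("decoded data does not start with a DER SEQUENCE")
    elif declared != len(der):
        problems.append(f"DER declares {declared} bytes but {len(der)} were decoded")
    if expected_subject.encode("ascii") not in der:
        problems.append(f"subject '{expected_subject}' not found in certificate")
    return {"ok": not problems, "problems": problems, "der_len": len(der),
            "sha256": hashlib.sha256(der).hexdigest() if der else ""}


def drop_line(pem, index):
    """Constructed corruption for demonstration: delete line `index` of the PEM."""
    lines = pem.splitlines()
    del lines[index]
    return "\n".join(lines)


if __name__ == "__main__":
    subject = "DigiCert Global Root CA"
    good = check_pem(DIGICERT_GLOBAL_ROOT_CA_PEM, subject)
    print("intact:", good["ok"], good["der_len"], "bytes, sha256", good["sha256"])
    bad = check_pem(drop_line(DIGICERT_GLOBAL_ROOT_CA_PEM, 10), subject)
    print("one line dropped:", bad["ok"], bad["problems"])
```

The same check_pem call, with "DigiCert Global Root G2" as the expected subject, applies to the DIGICRG2 CRT content from step 6. The subject test is a raw byte search for the PrintableString the CA places in the certificate, which is enough to catch pasting one root's text into the other root's file; the fingerprint printed is what to compare, character by character, against the SHA-256 value on the DigiCert download page before the file is imported.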