MF-GTW CLIv2 supports TLS 1.2 using IBM’s System SSL library.
Configuration Variables
- SSLMODE
- SYSSSL_KEYRING_FILE
- SYSSSL_KEYRING_STASH
- SYSSSL_KEYRING_PW
These configuration variables can be specified as environment variables or through CLI's clispb.dat configuration. Each variable is described below:
SSLMODE={disable | allow | prefer | require | verify-ca | verify-full}
disable: unencrypted connection using non-TLS port.
allow: attempt unencrypted connection using non-TLS port first, then try encrypted connection using TLS port.
prefer: attempt encrypted connection using TLS port first, then try unencrypted connection using non-TLS port.
require/verify-ca: encrypted connection using TLS port. Verify the certificate chain.
verify-full: similar to verify-ca, but additionally performs host name verification.
For more information about each SSLMODE, see How to Secure Connections using TLS.
- SYSSSL_KEYRING_FILE: filename of the key database file.
- SYSSSL_KEYRING_STASH: name of the key database password stash file.
- SYSSSL_KEYRING_PW: password for the key database file.
System SSL supports the following key store types:
- SAF key ring
- Key database file
- PKCS#11 token
Key database file
When using a key database file, specify one of the following combinations:
- SYSSSL_KEYRING_FILE and SYSSSL_KEYRING_STASH
- SYSSSL_KEYRING_FILE and SYSSSL_KEYRING_PW
However, SYSSSL_KEYRING_STASH is recommended for security purposes.
SAF key ring and PKCS#11 token
When using a SAF key ring or PKCS#11 token, specifying SYSSSL_KEYRING_FILE is sufficient; neither SYSSSL_KEYRING_STASH nor SYSSSL_KEYRING_PW is required.
- For a self-signed certificate added to the system's SITE key ring:
  SYSSSL_KEYRING_FILE=*SITE*/*
- For a signed certificate with a certificate authority chain added to the system's CERTAUTH key ring:
  SYSSSL_KEYRING_FILE=*AUTH*/*
- For certificate(s) added to the user's key ring (substitute accordingly):
  SYSSSL_KEYRING_FILE=<keyring_user>/<keyring_name>
- For a PKCS#11 token (substitute accordingly):
  SYSSSL_KEYRING_FILE=*TOKEN*/<tokenname>
In general, a bundle certificate (server certificate + intermediate CA certificate + root CA certificate) is installed on the server as /opt/teradata/tdat/tgtw/site/tls/certs/gtwcert.pem, with the certificates in the following order:
-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate CA certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<root CA certificate>
-----END CERTIFICATE-----
Specifying TLS Configuration Details as Environment Variables
These environment variables can be specified in either JCL or clispb.dat. If an environment variable is specified in both JCL and clispb.dat, the value from the JCL overrides the value from the clispb.dat.
Example in JCL:
//ENVFILE DD *
SSLMODE=verify-full
SYSSSL_KEYRING_FILE=/home/myuserid/sample.kdb
SYSSSL_KEYRING_STASH=/home/myuserid/sample.sth
/*
//CEEOPTS DD *
ENVAR("_CEE_ENVFILE_S=DD:ENVFILE")
/*
Example in clispb.dat:
SSLMODE=verify-full
SYSSSL_KEYRING_FILE=/home/myuserid/sample.kdb
SYSSSL_KEYRING_STASH=/home/myuserid/sample.sth
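As an added example (not part of the Teradata documentation or the CLIv2 product), the following Python checker applies the precedence rule above (a JCL value overrides clispb.dat) to constructed sample input and flags SSLMODE values that permit plaintext or skip host name verification, a key database file without a stash or password, a plaintext SYSSSL_KEYRING_PW, and a stash/password given for a SAF key ring or PKCS#11 token. The classification of SYSSSL_KEYRING_FILE into key ring, token or key database file is a heuristic assumed here, not a rule from the page.

```python
import re

SSLMODES = {"disable", "allow", "prefer", "require", "verify-ca", "verify-full"}
KEYS = ("SSLMODE", "SYSSSL_KEYRING_FILE", "SYSSSL_KEYRING_STASH", "SYSSSL_KEYRING_PW")
# Heuristic (assumption): *SITE*/*, *AUTH*/* or USERID/ringname is a SAF key ring,
# *TOKEN*/name is a PKCS#11 token; anything else is treated as a key database file.
SAF_RING = re.compile(r"^(\*SITE\*/\*|\*AUTH\*/\*|[A-Z0-9@#$]{1,8}/[^/\s]+)$")
PKCS11_TOKEN = re.compile(r"^\*TOKEN\*/[^/\s]+$")
SAMPLE_JCL = ("//ENVFILE DD *\nSSLMODE=verify-full\nSYSSSL_KEYRING_FILE=/home/myuserid/sample.kdb\n"
              "SYSSSL_KEYRING_STASH=/home/myuserid/sample.sth\n/*\n")  # constructed sample input
SAMPLE_CLISPB = "SSLMODE=prefer\nSYSSSL_KEYRING_FILE=/home/myuserid/sample.kdb\n"  # constructed

def parse_settings(text):
    """Collect NAME=VALUE lines for the TLS variables; JCL control lines have no '='."""
    found = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name.strip() in KEYS:
            found[name.strip()] = value.strip()
    return found

def effective_settings(jcl_text, clispb_text):
    """Merge both sources; a value set in JCL overrides the clispb.dat value."""
    merged = parse_settings(clispb_text)
    merged.update(parse_settings(jcl_text))
    return merged

def check_tls(settings):
    """Return findings on plaintext fallback, missing host name check and key store setup."""
    findings = []
    mode = settings.get("SSLMODE", "")
    if mode not in SSLMODES:
        findings.append(f"unknown SSLMODE {mode!r}")
    elif mode in ("disable", "allow", "prefer"):
        findings.append(f"SSLMODE={mode} permits an unencrypted connection")
    elif mode != "verify-full":
        findings.append(f"SSLMODE={mode} does not verify the server host name")
    ring = settings.get("SYSSSL_KEYRING_FILE", "")
    has_secret = "SYSSSL_KEYRING_STASH" in settings or "SYSSSL_KEYRING_PW" in settings
    if not ring:
        findings.append("SYSSSL_KEYRING_FILE is not set")
    elif SAF_RING.match(ring) or PKCS11_TOKEN.match(ring):
        if has_secret:
            findings.append("stash/password are not needed for a SAF key ring or PKCS#11 token")
    elif not has_secret:
        findings.append("key database file needs SYSSSL_KEYRING_STASH or SYSSSL_KEYRING_PW")
    elif "SYSSSL_KEYRING_PW" in settings:
        findings.append("prefer SYSSSL_KEYRING_STASH over a plaintext SYSSSL_KEYRING_PW")
    return findings
```

Running check_tls(effective_settings(SAMPLE_JCL, SAMPLE_CLISPB)) returns no findings, because the JCL's verify-full replaces the clispb.dat prefer; checking SAMPLE_CLISPB alone reports the plaintext fallback and the missing stash.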