To set up server-side SSL authentication for CWI, you should be capable of setting up CWI resources within
Enterprise Server and also able to use the CWI APIs.
A typical procedure for setting up server-side SSL authentication for CWI is as follows:
-
Create a server certificate and sign it using the Demo CA. For details of how to do this, refer to
Using the Demonstration Certificate Authority.
Note that the generated keyfile should be renamed to have the same name as the certificate, with the characters
_key appended, but retaining the file's original extension. For example, if the certificate and key files are
srvcert.pem and
srvkey.pem respectively, you should rename
srvkey.pem to
srvcert_key.pem.
-
Create a TCPIPSERVICE with the following settings:
- Status: Set to
Open
- Port no: Set to an appropriate port number.
- SSL: Set to
Yes
- Certificate: Set to the name of your certificate - e.g.
srvcert.
-
Create a URIMAP with the following settings:
- Usage: Set to
Server.
- Scheme: Set to
Https.
- Path: Set to your chosen URI path, for example:
/my/ssl/path.
- TCPIPService: Set to the name of the TCP service you created in step 2.
- Decide if you want to offer a static or dynamic response by providing the details of either an HFS file or a Program.
-
Set the value of the environment variable
ES_DFLT_CERTIFICATE_NAME_SERVER to be the label/name of the server certificate that you wish to be used as the default. For example, if your certificate
is called
srvcert.pem, you should set the environment variable like this:
[ES-Environment]
ES_DFLT_CERTIFICATE_NAME_SERVER=srvcert
-
Set the value of the environment variable
ES_CERTIFICATES_LOCATION to the location of your server certificates.
-
Modify
ESCERTPAS.CBL on the server machine to return the password of the server certificate's keyfile and then compile it.
when function upper-case(lk-certificate-name) = 'SRVCERT' *> Server certificate name
move 'srvrootpwd' to lk-passphrase-returned *> Passphrase for srvcert_key.pem
move spaces to lk-CARoot-to-be-used *> No client authentication
ESCERTPAS.CBL can be found in
$COBDIR
-
Provide the client with the CA root certificate that was used to sign the server certificate.
-
Start your server region (and client region if using CICS as a client).
-
From a browser, enter:
https:<host>:<port number in TCPIPSERVICE>/my/ssl/path.
Note: The host name should match the Common Name in the server certificate exactly.
-
If the client is a CICS program then:
- The
WEB OPEN needs to specify:
- SCHEME(HTTPS)
- The port number specified in the
TCPIPSERVICE.
- The
WEB SEND needs to specify:
- PATH(WS-PATH) where WS-PATH has a value of '/my/ssl/path'.
-
For information on associating client certificates with CICS user IDs, refer to
User Certificate Registration for CICS Web Interface Servers.