To set up server-side TLS authentication for CWI, you should be capable of setting up CWI resources within
Enterprise Server and also able to use the CWI APIs.
A typical procedure for setting up server-side TLS authentication for CWI is as follows:
-
Obtain a server private key and certificate. For development and test purposes, you can use the Demo CA. See
Using the Demonstration Certificate Authority for more information. For production use, you must use an organizational or public CA.
Put the certificate and private key in separate PEM-format files. The key file must have the same name as the certificate
file, with
_key appended to it. For example, if the certificate is in
srvcert.pem, the key should be in
srvcert_key.pem.
-
Create a TCPIPSERVICE with the following settings:
- Status: Set to
Open
- Port no: Set to an appropriate port number.
- SSL: Set to
Yes
- Certificate: Set to the name of your certificate - e.g.
srvcert.
-
Create a URIMAP with the following settings:
- Usage: Set to
Server.
- Scheme: Set to
Https.
- Path: Set to your chosen URI path, for example:
/my/ssl/path.
- TCPIPService: Set to the name of the TCP service you created in step 2.
- Decide if you want to offer a static or dynamic response by providing the details of either an HFS file or a Program.
-
Set the value of the environment variable
ES_DFLT_CERTIFICATE_NAME_SERVER to be the label/name of the server certificate that you wish to be used as the default. For example, if your certificate
is called
srvcert.pem, you should set the environment variable as follows:
[ES-Environment]
ES_DFLT_CERTIFICATE_NAME_SERVER=srvcert
-
Set the value of the environment variable
ES_CERTIFICATES_LOCATION to the location of your server certificates.
-
Modify
ESCERTPAS.CBL on the server machine to return the password of the server certificate's keyfile and then compile it.
when function upper-case(lk-certificate-name) = 'SRVCERT' *> Server certificate name
move 'srvrootpwd' to lk-passphrase-returned *> Passphrase for srvcert_key.pem
move spaces to lk-CARoot-to-be-used *> No client authentication
ESCERTPAS.CBL can be found in
%ProgramFiles(x86)%\Micro Focus\Enterprise Developer\src\base\source
(Windows) and/or
$COBDIR/copylib (UNIX).
-
Provide the client with the CA root certificate that was used to sign the server certificate.
-
Start your
enterprise server region and client
region if using CICS as a client.
-
From a browser, enter:
https:<host>:<port number in TCPIPSERVICE>/my/ssl/path.
-
If the client is a CICS program then:
- The
WEB OPEN needs to specify:
- SCHEME(HTTPS)
- The port number specified in the
TCPIPSERVICE.
- The
WEB SEND needs to specify:
- PATH(WS-PATH) where WS-PATH has a value of '/my/ssl/path'.
-
See
User Certificate Registration for CICS Web Interface Servers for more information on associating client certificates with CICS user IDs.