How to configure z/OSMF to use a specific certificate for SSL with a label name

By ZHI LI posted Wed December 08, 2021 02:40 AM

  
When configuring SSL for z/OSMF, you can use an IZUPRM member to specify the keyring name.

KEYRING_NAME('IZUKeyring.IZUDFLT')

If there is more than one certificate in the keyring, you need to provide the label name to z/OSMF so that z/OSMF uses the specified certificate. This can be done on z/OSMF 2.3 and above with PH12143 installed. Here are the steps to customize the label name for the z/OSMF SSL settings.

Step 1. Create an empty file named server_override.xml in the folder /global/zosmf/configuration, and ensure that the server ID (IZUSVR by default) has read access to the server_override.xml file.

Step 2. Copy the contents below and paste them into server_override.xml, replacing labelNameOfTheCertificate with the desired label name. The certificate with that label name must exist in the keyring that is specified in IZUPRM.

<server>
<ssl id="${izu.ssl.config}" serverKeyAlias="labelNameOfTheCertificate"/>
</server>

Step 3. Save the file and restart z/OSMF.

To verify that the label name customization works, connect to z/OSMF with a browser and check that the certificate being used is updated and is correct.
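
A scripted alternative to the browser check, added here as an example and not part of the original post: it fetches the certificate that z/OSMF presents and compares its SHA-256 fingerprint with the one you expect. The host, port and expected fingerprint are arguments you supply; taking the fingerprint from an exported copy of the intended certificate is an assumption.

```python
import hashlib
import ssl
import sys


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding of a PEM certificate, lowercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.sha256(der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex as copied from another tool."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def presented_matches(presented_pem: str, expected_fp: str) -> bool:
    """True when the served certificate has the expected fingerprint."""
    return fingerprint(presented_pem) == normalize(expected_fp)


def check_server(host: str, port: int, expected_fp: str) -> bool:
    # No chain validation is done here on purpose: the only question is
    # which certificate the server selected from the keyring.
    pem = ssl.get_server_certificate((host, port))
    return presented_matches(pem, expected_fp)


if __name__ == "__main__":
    # Usage: python check_cert.py <host> <port> <expected-sha256-fingerprint>
    # (script name, host and port are placeholders chosen for this example)
    host, port, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    ok = check_server(host, port, expected)
    print("match" if ok else "MISMATCH: a different certificate is being presented")
    sys.exit(0 if ok else 1)
```

A mismatch after the restart means z/OSMF is still serving another certificate from the keyring, so recheck the serverKeyAlias value and the read access on server_override.xml.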

Disclaimer:
1. This document intends to represent the views of the author rather than IBM.
2. The recommended solutions are not guaranteed; please contact the author at lilzhi@cn.ibm.com instead of IBM service for any questions.