IBM z/OS Management Facility (z/OSMF) - Group home

How to configure z/OSMF to use a specific certificate for SSL with a label name

By ZHI LI posted Wed December 08, 2021 02:40 AM

When configuring SSL for z/OSMF, you can use a IZUPRM member to specify the keyring name.


If there are more than one certificate in the keyring, you need to provide the label name to z/OSMF so that z/OSMF will use the specified certificate. This could be done on z/OSMF 2.3 above with PH12143 installed. Here are the steps to customize the label name for z/OSMF SSL settings.

Step 1. Create an empty file named server_override.xml in the folder /global/zosmf/configuration, ensure that the server ID (default to IZUSVR) has read access to the server_override.xml file.

Step 2. Copy the contents below and paste it in the server_override.xml, replace labelNameOfTheCertificate with desired label name. The certificate with the label name must exist in the keyring that specified in IZUPRM.

<ssl id="${izu.ssl.config}" serverKeyAlias="labelNameOfTheCertificate"/>

Step 3. Save the file, make sure z/OSMF and restart z/OSMF.

To verify if the label name customization works, you can use a browser to connect to z/OSMF. In the browser, verify the certificate being used is updated and is correct.

1. This document intends to represent the views of the author rather than IBM.
2. The recommended solutions are not guaranteed, please contact the author instead of IBM service for any questions.