Configuring TLS on the Server Side

Depending on the requirements in your environment, you must perform some or all of these tasks to configure a Rochade Server for TLS:

  • Configuring the private key for the server.
  • Configuring the certificate chain for the server.

    The order of the certificates in the chain is significant. The chain must start with the server certificate. Each certificate must be followed by the certificate of its issuing CA, up to the certificate of the root CA.

    Make sure that you have obtained all required certificates from your PKI.

    During the initial TLS handshake, the server sends the entire certificate chain to the connecting client.
  • Configuring the allowed cipher suites for the server.
  • Configuring the supported TLS protocol versions.

The configuration procedure and the available settings differ depending on the operating system on which the Rochade Server is installed:

  • For UNIX and z/OS, see Rochade Server (UNIX and z/OS).
  • For Windows, see Rochade Server (Windows).

When you set up TLS on the Rochade Server, make sure to also include the corresponding client settings in the server initialization file. RPC clients that run on the Rochade Server typically obtain their settings from the server initialization file. If the file does not contain the TLS client settings, the RPC clients cannot establish a connection to the server. For more information on the relevant settings, see Configuring TLS on the Client Side.

Rochade Server (UNIX and z/OS)

To configure Rochade Server under UNIX and z/OS

  1. Open the server initialization file for editing.
  2. In the <comm_section> section, replace the COMM=TCP entry with this entry:

     COMM=TLS

  3. In the <comm_section> section, specify the following TLS settings.

     Setting          [o]ptional/[m]andatory   Description
     TlsCertFile      m                        The server’s certificate chain.
     TlsCipherSuites  o                        The allowed cipher suites.
     TlsKeyFile       m                        The server’s private key file.
     TlsLogLevel      o                        The severity level for log entries.
     TlsProtocols     o                        The supported TLS protocol versions.

     For more information, see Server Settings for TLS Communication.

  4. Save your changes.
  5. Restart the server.

This example shows the TLS configuration in the server initialization file:

    ...
    [RO_CONNECT]
    COMM=TLS
    TlsCertFile=/path/server-certchain.pem
    TlsKeyFile=/path/server-pk.pem
    ...

The RPC services used with the server must be reconfigured in Rochade. You must edit the settings for RPC communication as explained in Configuring TLS on the Client Side. For z/OS, the section is named RPCCOM in the <hlq>.ROPROD.ROINI(ROSRV) initialization file.

The shutdown job uses a separate initialization file such as <hlq>.ROPROD.ROINI(ROSHUT). In this file, the communication section <CLICOM> must be adjusted as explained in Configuring TLS on the Client Side.

If the certificate files are in PEM format, they must be ASCII-encoded. When you copy these files to HFS using FTP, copy them in binary mode to prevent them from being automatically converted to EBCDIC.

Rochade Server (Windows)

Windows systems provide a system-wide certificate store for managing certificates and their associated keys. The Rochade Server accesses this certificate store, so before you start the TLS configuration, install the server’s certificate chain in the store.

To install the server’s certificate chain in the certificate store

  1. Obtain these files from the PKI:
     • The server certificate and the associated private key in PKCS #12 format.
     • The intermediate and root CA certificates in PKCS #12 or CER format.
  2. Open the Start menu, then enter this command in the Search programs and files field:

     mmc.exe

     The Microsoft Management Console opens.
  3. Add the Certificates snap-in to the Microsoft Management Console:
     a. Select File > Add/Remove Snap-in from the main menu.

        The Add or Remove Snap-ins dialog opens.
     b. From the Available snap-ins list, select Certificates, then click Add.

        The Certificates snap-in dialog opens.
     c. Select the type of account for which you want to install the server certificate, depending on the way the Rochade Server is started:
        • If you start the server, click My user account.
        • If the server is started as a service, click Service account.
        • If another user starts the server, click Computer account.
     d. If you clicked My user account in step c, skip to step f.

        If you clicked Service account or Computer account, click Next.
     e. Click Local computer.
     f. Click Finish.

        You are returned to the Add or Remove Snap-ins dialog.
     g. Click OK to add the Certificates snap-in to the Microsoft Management Console.
  4. In the Microsoft Management Console, right-click the Certificates > Personal node, and select All Tasks > Import from the context menu.

     The Certificate Import Wizard opens.
  5. Click Next.

     The File to Import page displays.
  6. Click Browse to select the certificate file that you want to import.
  7. Click Next.

     The Password page displays.
  8. If required, enter the password for the private key, then click Next.

     The Certificate Store page displays.
  9. Leave the settings at their default values, and click Next.
  10. Click Finish.
  11. Repeat step 4 through step 10 for each certificate you want to import.
  12. Move the root CA’s certificate from the Personal > Certificates subnode to the Trusted Root Certification Authorities > Certificates subnode (using drag-and-drop).
  13. Close the Microsoft Management Console.

To configure Rochade Server under Windows

  1. Open the server initialization file for editing.
  2. In the <comm_section> section, replace the COMM=TCP entry with this entry:

     COMM=TLS

  3. In the <comm_section> section, specify these TLS settings:

     Setting          [o]ptional/[m]andatory   Description
     TlsCaHostname    m                        The server’s host name as specified in the server certificate.
     TlsCertFile      o                        The account type for which you installed the server certificate in the certificate store.
     TlsCipherSuites  o                        The allowed cipher suites.
     TlsLogLevel      o                        The severity level for log entries.
     TlsProtocols     o                        The supported TLS protocol versions.

     For more information, see Server Settings for TLS Communication.

  4. Save your changes.
  5. Restart the server.

This example shows a sample TLS configuration in the server initialization file:

    ...
    [RO_CONNECT]
    COMM=TLS
    ...

Server Settings for TLS Communication

TlsCaHostname=<host_name>

Section: [<comm_section>]

The TlsCaHostname setting specifies the server’s host name as defined in the CN field of the subject DN (or a subjectAltName extension) of the server certificate.

The Windows certificate store may contain multiple certificate chains. The host name specified in this setting is used to identify the server certificate and, hence, the start of the server certificate chain.

Once TLS is activated, clients must use the host name specified in the server certificate to connect to the server.

TlsCertFile=<cert_chain>

Section: [<comm_section>]

The syntax of <cert_chain> depends on the operating system under which the Rochade Server runs:

For UNIX, <cert_chain> specifies the server certificate chain file in PEM format without passphrase. The server certificate must be the first in the file, followed by the intermediate certificates, up to the root certificate.

For example:

TlsCertFile=/asg/cert.pem

For Windows, <cert_chain> specifies the account type for which you have installed the server certificate in the certificate store. For more information, see step c.

These are the valid account type values:

  CURRENT_SERVICE:WINDOWS-MY   The service account that starts the server.
  CURRENT_USER:WINDOWS-MY      Default. Your user account.
  LOCAL_COMPUTER:WINDOWS-MY    Any user account.

For example:

TlsCertFile=CURRENT_USER:WINDOWS-MY

For z/OS, <cert_chain> specifies either the server certificate chain file in PEM format without passphrase or an RACF keyring.

In a PEM certificate chain file, the server certificate must be the first in the file, followed by the intermediate certificates, up to the root certificate. For example:

TlsCertFile=/asg/cert.pem

An RACF keyring has this format:

TlsCertFile=<uid_1>/<keyring_name_1>/<label_1> [;<uid_2>/<keyring_name_2>/<label_2>] ...

where

  • <uid_n> is the user ID of the keyring owner.
  • <keyring_name_n> is the name of the keyring that contains the certificates.
  • <label_n> is a name associated with a certificate in the keyring. The first label must refer to both the certificate and the private key of the server. All following labels refer to the intermediate certificates, up to the root certificate.

If you specify an RACF keyring, the TlsKeyFile setting is not required.

For example:

TlsCertFile=ASG/SRVRING/SRV

TlsCipherSuites=<cipher_suites>

Section: [<comm_section>]

The TlsCipherSuites setting specifies the allowed cipher suites for the communication between Rochade Server and its clients.

By default, the setting is empty, which means the server can use any cipher suite that is supported by the server system and that is allowed by the selected version of the TLS protocol. However, if a cipher suite has been compromised (for example, by advances in cryptography), you can use the setting to prevent the server from using that suite.

You must specify the cipher suites as a semicolon-separated list of Internet Assigned Numbers Authority (IANA) cipher suite names. For example:

TlsCipherSuites=TLS_DHE_RSA_WITH_AES_128_GCM_SHA256;TLS_RSA_WITH_AES_128_CBC_SHA256

You can find a complete list of cipher suite names in the IANA TLS Cipher Suite Registry: http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

TlsKeyFile=<keyfile>

Section: [<comm_section>]

UNIX and z/OS only. The TlsKeyFile setting specifies the server’s private key file in PEM format without passphrase.

For example:

TLSKEYFILE=/asg/key.pem

TlsLogLevel=0 | 1 | 2

Section: [<comm_section>]

The TlsLogLevel setting specifies the maximum severity level of messages to be reported in the server event log or the client RIPFILE:

  0   Default. Error
  1   Info
  2   Debug

TlsProtocols=<version_1>[;<version_2>[...;<version_n>]]

Section: [<comm_section>]

The TlsProtocols setting specifies the allowed TLS protocol versions for the communication between Rochade Server and its clients. The default is TLS 1.3.

ASG recommends that you allow earlier versions of the TLS protocol only to resolve interoperability issues with environments that do not support Version 1.3.

These are the valid protocol values:

  TLSv1     TLS Version 1
  TLSv1.1   TLS Version 1.1
  TLSv1.2   TLS Version 1.2
  TLSv1.3   TLS Version 1.3

You can specify multiple protocol versions separated by semicolons. For example:

TlsProtocols=TLSv1;TLSv1.1;TLSv1.2;TLSv1.3
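As an added example (not part of the ASG documentation or the Rochade product), the following Python check lints the Tls* settings of a server initialization file against the rules described in this section: the mandatory settings per platform, the Windows account type values, the IANA cipher suite name format, the valid protocol values and the z/OS RACF keyring form of TlsCertFile. The section name RO_CONNECT comes from the page's example; the platform argument, the sample file contents and the keyring heuristic are assumptions of this example.

```python
import re
from configparser import ConfigParser

VALID_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}  # recommended only to fix interoperability
WINDOWS_STORES = {"CURRENT_SERVICE:WINDOWS-MY", "CURRENT_USER:WINDOWS-MY",
                  "LOCAL_COMPUTER:WINDOWS-MY"}
RACF_ENTRY = re.compile(r"[^/;]+/[^/;]+/[^/;]+")  # <uid>/<keyring_name>/<label> (assumed shape)

# Constructed sample initialization file: section name as in the page's example,
# values made up for this check (one non-IANA suite name, one legacy protocol).
SAMPLE_INI = """
[RO_CONNECT]
COMM=TLS
TlsCertFile=/path/server-certchain.pem
TlsKeyFile=/path/server-pk.pem
TlsCipherSuites=TLS_DHE_RSA_WITH_AES_128_GCM_SHA256;aes128-sha
TlsProtocols=TLSv1;TLSv1.2;TLSv1.3
"""

def lint_tls_section(ini_text, section="RO_CONNECT", platform="unix"):
    """Return findings for one comm section; platform is 'unix', 'zos' or 'windows'."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str                     # keep the documented key spelling
    cp.read_string(ini_text)
    s, findings = cp[section], []
    if s.get("COMM", "").upper() != "TLS":
        return ["COMM is not TLS; the Tls* settings are not in effect"]
    if platform == "windows":                # certificate chain comes from the store
        if "TlsCaHostname" not in s:
            findings.append("TlsCaHostname is mandatory on Windows")
        if s.get("TlsCertFile", "CURRENT_USER:WINDOWS-MY") not in WINDOWS_STORES:
            findings.append("TlsCertFile is not a valid account type value")
    else:                                    # certificate chain comes from a file or keyring
        cert = s.get("TlsCertFile", "")
        if not cert:
            findings.append("TlsCertFile is mandatory")
        keyring = platform == "zos" and all(
            RACF_ENTRY.fullmatch(e.strip()) for e in cert.split(";"))
        if not keyring and "TlsKeyFile" not in s:
            findings.append("TlsKeyFile is mandatory unless TlsCertFile is an RACF keyring")
    for suite in filter(None, s.get("TlsCipherSuites", "").split(";")):
        if not re.fullmatch(r"TLS_[A-Z0-9_]+", suite):   # IANA names look like TLS_..._WITH_...
            findings.append(f"cipher suite {suite!r} is not an IANA name")
    for proto in filter(None, s.get("TlsProtocols", "TLSv1.3").split(";")):
        if proto not in VALID_PROTOCOLS:
            findings.append(f"unknown protocol {proto!r}")
        elif proto in LEGACY_PROTOCOLS:
            findings.append(f"{proto} enabled; allow it only for interoperability")
    return findings
```

Run it against the sample with platform="windows" as well to see the store-related findings the same file produces on the other platform.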