A self-signed certificate *is* a root certificate -- the two terms are essentially synonymous (although they are used with different implications). If the SMTP server is presenting a self-signed certificate then it effectively is its own CA certificate, and you will have to install it in RACF.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Roberto Halais
Sent: Monday, August 31, 2020 1:48 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: setting up CSSMTP to use TLS-SSL

Do you get a root if it’s a self signed certificate?

On Mon, Aug 31, 2020 at 3:12 AM Gibney, Dave <gib...@wsu.edu> wrote:

> If the certificate they present is signed by a recognized CA, you should
> be able to get root and any required intermediates from the signing CA's
> site.
>
> > > -----Original Message-----
> > > From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On
> > > Behalf Of Brian Westerman
> > > Sent: Sunday, August 30, 2020 11:55 PM
> > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > Subject: setting up CSSMTP to use TLS-SSL
> > >
> > > Hi,
> > >
> > > Has anyone on the list set up their CSSMTP client to use TLS-SSL to
> > > forward the email to a target email server that only supports TLS-SSL?
> > >
> > > I see the steps in the CSSMTP configuration "Steps for using Transport
> > > Layer Security for CSSMTP", but it's unclear to me where I get the
> > > certificate.
> > >
> > > Step 2(a) says:
> > >
> > > a. Create the key ring.
> > > The client key ring needs the root certification used to sign the server
> > > certificates. For a TLS/SSL primer and some step-by-step examples, see
> > > TLS/SSL security. For more information about managing key rings and
> > > certificates with RACF® and the RACDCERT command, see z/OS Security
> > > Server RACF Security Administrator's Guide. For more information about
> > > managing key rings and certificates with gskkyman, see z/OS
> > > Cryptographic Services System SSL Programming.
> > >
> > > How do I get the root certification used to sign the server
> > > certificates? Is that something that the people that take care of the
> > > server are supposed to supply to me?
> > >
> > > then 2(c) is 5 steps and says:
> > > c. Configure the client system to use TLS with AT-TLS policies as
> > > follows:
> > >
> > > 1) Specify TTLS on the TCPCONFIG statement in the TCP/IP profile for
> > > the client stack. For information about the TCPCONFIG statement, see
> > > z/OS Communications Server: IP Configuration Reference.
> > > (I understand this one)
> > >
> > > 2) Block the ability of applications to open a socket before AT-TLS
> > > policy is loaded into the TCP/IP stack by setting up
> > > EZB.INITSTACK.sysname.tcpname for the client stack.
> > > (this seems like an optional step)
> > >
> > > 3) Create a main Policy Agent configuration file containing a TcpImage
> > > statement for the client stack, and create a TcpImage policy file for the
> > > client stack.
> > > (this seems pretty simple, but where does it go?)
> > >
> > > 4) Add a TTLSConfig statement to each TcpImage policy file to identify
> > > the TTLSConfig policy file location:
> > > TTLSConfig clientPath
> > > (I am assuming that the clientPath is some USS file I create that
> > > indicates the information to find the keyring from 2(a) above, is that
> > > correct?) (Where does the TcpImage policy file go? i.e. how do I define
> > > it?)
> > >
> > > 5) Add the AT-TLS policy statements to the clientPath file
> > > (they have an example for this step right in the manual so that's
> > > pretty easy to follow)
> > >
> > > Thanks for your help, any examples of a working configuration would be
> > > really helpful.
> > >
> > > Brian
> > >
> > > ----------------------------------------------------------------------
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
Politics: Poli (many) - tics (blood sucking parasites)
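
Added example, not part of the original thread or of IBM's documentation: a batch TSO job that carries out step 2(a) and the install-in-RACF step from the reply at the top, creating the client key ring and connecting the signing certificate to it. The job card, user ID, ring name, data set name and certificate label are assumptions; substitute the site's own values.

```jcl
//CSSMTPKR JOB (ACCT),'CSSMTP KEYRING',CLASS=A,MSGCLASS=X
//* Added example. Assumed names, none of them from the thread:
//*   CSSMTP               user ID the CSSMTP started task runs under
//*   CSSMTPRING           name of the client key ring
//*   SECADM.SMTP.ROOTCA   data set holding the uploaded certificate
//*   'SMTP Relay Root CA' label given to the certificate in RACF
//*
//* 1. ADDRING creates an empty key ring owned by CSSMTP.
//* 2. CERTAUTH ADD stores the certificate as a trusted CA
//*    certificate. Use the signing CA's root (with a further ADD
//*    and CONNECT for each required intermediate), or the server's
//*    own certificate when it is self-signed.
//* 3. CONNECT places that certificate on the ring with CA usage.
//* 4. PERMIT lets CSSMTP read its own ring; the FACILITY profile
//*    IRR.DIGTCERT.LISTRING is assumed to be defined already.
//* 5. The SETROPTS refreshes apply only where the classes are
//*    RACLISTed.
//* 6. LISTRING prints the ring contents so the result can be
//*    checked in SYSTSPRT.
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RACDCERT ID(CSSMTP) ADDRING(CSSMTPRING)
  RACDCERT CERTAUTH ADD('SECADM.SMTP.ROOTCA') -
    WITHLABEL('SMTP Relay Root CA') TRUST
  RACDCERT ID(CSSMTP) CONNECT(CERTAUTH -
    LABEL('SMTP Relay Root CA') -
    RING(CSSMTPRING) USAGE(CERTAUTH))
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) -
    ID(CSSMTP) ACCESS(READ)
  SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
  SETROPTS RACLIST(FACILITY) REFRESH
  RACDCERT ID(CSSMTP) LISTRING(CSSMTPRING)
/*
```

The ring name created here is the one the AT-TLS policy file from step 2(c)(5) names in the Keyring parameter of its TTLSKeyringParms statement.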