I cannot clear up the confusion, other than to tell you to open a Q&A PMR with 
IBM asking them; however, I will tell you we are using SSL (HTTPS).

Maybe some of the confusion comes because it uses both. We have sslmode turned 
on, and an SSL port assigned, and the redirects in httpd.conf all use them.

We have not yet converted to the Apache HTTP server, and are still on the old 
Domino HTTP server.  It is on our docket to complete, as our next step is z/OS 
2.2 (presumably), and DGW will no longer be available.

_________________________________________________________________
Dave Jousma
Assistant Vice President, Mainframe Engineering
david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H
p 616.653.8429
f 616.653.2717


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Dazzo, Matt
Sent: Thursday, December 04, 2014 10:22 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: PKI Services for z/OS

We have zos1.13 zos http server running with no SSL configured. In the PKI 
Services guide (sa22-7693-13) I think there is conflict about SSL requirement. 
Below is text from the guide, first one states required, second one says at 
least non-ssl. Does anyone know for sure? I may not go through the hassle on 
our sandbox if it's not necessary. Thanks Matt

pg-12
z/OS HTTP Server must be installed on the same system where PKI Services is 
installed. SSL-enablement is required. If your HTTP server is SSL-enabled, your 
key file can be a RACF key ring, or a key file created by another product

pg-19
PKI Services requires that you have the z/OS HTTP Server installed and 
configured for at least non-SSL page retrieval. 


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jousma, David
Sent: Friday, October 31, 2014 7:57 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: PKI Services for z/OS

We use it here extensively.

1) setup is not horrible, hardest part was getting the HTTP server set up 
correctly.  LDAP is not required.  We have 3 or 4 PKI servers on the mainframe 
due to certificate hierarchies.  Each instance has a PKI address space, and two 
http servers. 
2) don't know.  
3) don't know
4) don't know, we use IBM PKI services on the mainframe.  And, pretty sure it 
is a no charge item.


Ours is architected like this:

ROOT server:
- root pki daemon
- root certificate authority client interface
- root certificate authority Admin interface

Intermediate server:
- Intermediate pki daemon
- intermediate cert auth client interface
- intermediate cert auth admin interface

Intermediate non-prod server:
- Intermediate non-prod pki daemon
- intermediate non-prod cert auth client interface
- intermediate non-prod cert auth admin interface

The root server basically creates one cert in its lifetime.  Most of the work 
occurs in the intermediate server.  Certs created in the intermediate are 
signed by the root certificate.   As for the http servers, we tried to combine 
client and admin interfaces into the same server, but could never get it to 
work correctly, so we just put up separate instances; all of these are on 
different ports.
_________________________________________________________________
Dave Jousma
Assistant Vice President, Mainframe Engineering david.jou...@53.com
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H p 616.653.8429 f 616.653.2717


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Dazzo, Matt
Sent: Thursday, October 30, 2014 3:18 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: PKI Services for z/OS

We are starting to look at certificate management. I was wondering how many 
folks were using PKI Services for z/OS? At this time I do not have any details 
or security requirements other than web-based and runs on z/OS. Hey, we are a 
little biased in getting or keeping applications on z/OS.  Following are some 
additional questions if you have the time.

1. How is the install of PKI and setup to do? I read that LDAP is required; how 
is that to install?
2. Does a vendor product offer simpler installation and setup?
3. Does a vendor product offer more features?
4. What vendor products are most common?

Thanks,

Matt


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

This e-mail transmission contains information that is confidential and may be 
privileged.   It is intended only for the addressee(s) named above. If you 
receive this e-mail in error, please do not read, copy or disseminate it in any 
manner. If you are not the intended recipient, any disclosure, copying, 
distribution or use of the contents of this information is prohibited. Please 
reply to the message immediately by informing the sender that the message was 
misdirected. After replying, please erase it from your computer system. Your 
assistance in correcting this error is appreciated.
