The RSEAPI server is the Apache Tomcat server plus RSEAPI specific stuff. If you know how to configure Tomcat, you know most of what you need. The Tomcat customising is documented here.
This post follows on from Getting REST to work into z/OS. I was unclear at first how to correctly specify overrides. I’ve blogged an article Passing parameters to Java program to show how some parameters are specified as RSEAPI_KEYSTORE_FILE=… and other parameters are specified as -Djava.protocol.handler.pkgs=…
See Java Parameters for how I configured RSEAPI to be able to flip configuration options.
Update your level of Java
I had various problems getting TLS to work with RSEAPI.
- TLSv1.3 was not supported on the level of Java V8 I originally had.
- I had to override the /etc/zexpl/java.security file so that it understood keyrings of the format safkeyring://START1/MQRING
When I refreshed the level of Java (to SR8 FP6 dated June 2023), things worked much better. I would recommend getting a level of Java shipped within the last year.
I tested this by changing rseapi.env to include
export JAVA_HOME="/usr/lpp/java/new/J8.0_64" export LIBPATH="$JAVA_HOME/bin:$JAVA_HOME/bin/classic:"$LIBPATH export PATH="$JAVA_HOME/bin:"$PATH
Without this I got various Java problems, such as an unresolved dependency.
Getting RSE to work with TLS was not trivial
The original version of RSEAPI was v1.0.5 (see /usr/lpp/IBM/rseapi/tomcat.base/bin/current_version.txt) Another version is available in GITHUB with a version of v1.1.0 created 7 July 2022 which I worked with.
TLS configuration changes
RSEAPI supports only one port. To use TLS change the procedure to use SECURE=’true’, (or override it at startup).
The RESAPI proc has the location of the configuration files. Mine says /etc/zexpl.
The main file to edit is /etc/zexpl/rseapi.env . The sample has a lot of commented out statements. I added at the bottom
RSEAPI_KEYSTORE_FILE="safkeyring://START1/MQRING " RSEAPI_KEYSTORE_TYPE="JCERACFKS" RSEAPI_KEYSTORE_PASS="password" RSEAPI_USING_ATTLS=false RSEAPI_SSL_ENABLED_PROTOCOLS=TLSv1.2
Which server certificate to use?
By default, the first key read from the keystore will be used. See certificateKeyAlias in Apache Tomcat configuration.
To change this I edited /usr/lpp/IBM/rseapi/tomcat.base/conf/sserver.xml and added
<Connector port="${port.http}" protocol="${http.protocol}"
certificateKeyAlias="${serverCert}"
...
/>
I then edited /etc/zexpl/rseapi.env and added
d3=" -DserverCert=NISTECCTEST"
JAVA_OPTS="$d3 "
CATALINA_OPTS=$JAVA_OPTS
export JAVA_OPTS
export CATALINA_OPTS
Using TLSv1.3
I blogged configuring Java to support TLSV1.3 a separate post TLS 1.3, Java and z/OS.
The additional RSEAPI specific configuration was
RSEAPI_HTTP_PROTOCOL=HTTP/1.1 RSEAPI_SSL_ENABLED_PROTOCOLS=TLSv1.3 RSEAPI_SSL_CIPHERS=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA_POLY1305_SHA256 RSEAPI_KEYSTORE_FILE="safkeyring://START1/MQRING " RSEAPI_KEYSTORE_TYPE="JCERACFKS" RSEAPI_KEYSTORE_PASS="password" RSEAPI_USING_ATTLS=false
You can use RSEAPI_SSL_ENABLED_PROTOCOLS=TLSv1.3,TLSV1.2 to get both TLS 1.2 and 1.3 support.
ClientAuth Support
The web browser (Tomcat) has support for requiring clients to specify a certificate as part of the TLS handshake.
I got this to work by editing /usr/lpp/IBM/rseapi/tomcat.base/conf/sserver.xml, and changing clientAuth=”false” to clientAuth=”{$clientAuth}”
<Connector port="${port.http}" protocol="${http.protocol}"
clientAuth="${clientAuth}" sslProtocol="TLS"
...
>
and setting the value to “required” or specifying the value in the startup options:
d1="-DclientAuth=required" t1=" -Djavax.net.ssl.trustStoreType=JCERACFKS" t2=" -Djavax.net.ssl.trustStore=safkeyring://START1/MQRING" JAVA_OPTS=" $d1 $t1 $t2" CATALINA_OPTS=$JAVA_OPTS export JAVA_OPTS export CATALINA_OPTS
The …trustStoreType and … trustStore provide the defaults if non are specified in the sserver.xml.
Use of keystore and trust store
The use of a trust store to store the CA certificates, and any self signed certificates is recommended. The keystore then contains just the private keys needed by the server. This means you can have one trust store per LPAR, which saves administratio.
If you use a combined trust key and trust store, and this is shared by applications, then applications may get access to private certificates used by other application, so is not as secure.
The tomcat documentation describes the truststore* parameters. These are in the in <Connector…. within file /usr/lpp/IBM/rseapi/tomcat.base/conf/sserver.xml .
For example
<SSLHostConfig
protocols="${ssl.enabled.protocols}">
<Certificate type="EC"
certificateKeyAlias="NISTECCTEST"
certificateKeystoreFile="${keystoreFile}"
certificateKeystorePassword="${keystorePass}"
truststoreType="${trustStoreType}"
truststoreFile="${trustStoreFile}"
truststorePassword="${trustStorePass}"
/>
</SSLHostConfig>
and specify -Dxx where xx is the value in ${xx} such as -DtrustStoreType=”JCERACFKS” . You can hard code the values.
Setup problems
I had a variety of problems. Most were solved by going to a newer level of Java or RSEAPI. For example earlier versions did not support TLSv1.3
Authority issue
I got the message
Caused by: java.lang.IllegalArgumentException: The private key of NEWTECCTEST is not available or no authority to access the private key
This was caused by the certificate belonged to a userid START1, but I was running RSEAPI on userid STCRSE. For userid STCRSE to be able to access the private certificate part of the certificate of another userid’s certificate, the STCRSE userid need UPDATE access to the keyring profile.
My keyring was safkeyring://START1/MQRING. I needed
permit START1.MQRING.LST class(RDATALIB) access(update) id(STCRSE) setropts raclist(rdatalib) refresh
ColinPaice 
One thought on “Configuring RSEAPI on z/OS to use TLS”