Thanks, easier said than done, but does answer that part.

On Mon, 31 Aug 2020 07:12:07 +0000, Gibney, Dave <gib...@wsu.edu> wrote:

>If the certificate they present is signed by a recognized CA, you should be 
>able to get root and any required intermediates from the signing CA's site.
>
>> -----Original Message-----
>> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On
>> Behalf Of Brian Westerman
>> Sent: Sunday, August 30, 2020 11:55 PM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: setting up CSSMTP to use TLS-SSL
>> 
>> Hi,
>> 
>> Has anyone on the list set up their CSSMTP client to use TLS-SSL to forward
>> the email to a target email server that only supports TLS-SSL?
>> 
>> I see the steps in the CSSMTP configuration "Steps for using Transport Layer
>> Security for CSSMTP", but it's unclear to me where I get the certificate.
>> 
>> Step 2(a) says:
>> 
>> a. Create the key ring.
>> The client key ring needs the root certification used to sign the server
>> certificates. For a TLS/SSL primer and some step-by-step examples, see
>> TLS/SSL security. For more information about managing key rings and
>> certificates with RACF® and the RACDCERT command, see z/OS Security
>> Server RACF Security Administrator's Guide. For more information about
>> managing key rings and certificates with gskkyman, see z/OS
>> Cryptographic Services System SSL Programming.
>> 
>> How do I get the root certification used to sign the server certificates?
>> Is that something that the people that take care of the server are supposed to
>> supply to me?
>> 
>> then 2(c) is 5 steps and says:
>> c. Configure the client system to use TLS with AT-TLS policies as follows:
>> 
>> 1) Specify TTLS on the TCPCONFIG statement in the TCP/IP profile for
>> the client stack. For information about the TCPCONFIG statement, see
>> z/OS Communications Server: IP Configuration Reference.
>>    (I understand this one)
>> 
>> 2) Block the ability of applications to open a socket before AT-TLS policy is
>> loaded into the TCP/IP stack by setting up
>> EZB.INITSTACK.sysname.tcpname for the client stack.
>>     (this seems like an optional step)
>> 
>> 3) Create a main Policy Agent configuration file containing a TcpImage
>> statement for the client stack, and create a TcpImage policy file for the
>> client stack.
>>     (this seems pretty simple, but where does it go?)
>> 
>> 4) Add a TTLSConfig statement to each TcpImage policy file to identify the
>> TTLSConfig policy file location:
>> TTLSConfig clientPath
>>     (I am assuming that the clientPath is some USS file I create that indicates
>> the information to find the keyring from 2(a) above, is that correct?)
>> (Where does the TcpImage policy file go?  i.e. how do I define it?)
>> 
>> 5) Add the AT-TLS policy statements to the clientPath file
>>     (they have an example for this step right in the manual so that's pretty
>> easy to follow)
>> 
>> Thanks for your help, any examples of a working configuration would be
>> really helpful.
>> 
>> Brian
>> 
>> ----------------------------------------------------------------------
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

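How the pieces from steps 2(a) and 2(c) chain together, as an added example that is not from the posts above or from the IBM manual: the main Policy Agent file names a TcpImage policy file, which names the AT-TLS policy file, which names the key ring holding the CA certificates. The stack name TCPIP, the user ID and job name CSSMTP, the ring name CSSMTPRing, the certificate label, the data set name, port 25 and all z/OS UNIX paths are assumptions to replace with local values.

```conf
# --- RACF side, step 2(a): TSO commands, shown here as comments ---
# Assumed: CSSMTP runs under user ID CSSMTP; data set and label are placeholders.
#   RACDCERT CERTAUTH ADD('HLQ.MAILCA.ROOT.PEM') WITHLABEL('Mail Root CA') TRUST
#   RACDCERT ID(CSSMTP) ADDRING(CSSMTPRing)
#   RACDCERT ID(CSSMTP) CONNECT(CERTAUTH LABEL('Mail Root CA') +
#            RING(CSSMTPRing) USAGE(CERTAUTH))
#   SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH   (if those classes are RACLISTed)
# Repeat ADD and CONNECT for each intermediate certificate the CA publishes.

# --- File 1: main Policy Agent configuration (assumed /etc/pagent.conf) ---
# One TcpImage statement per stack, pointing at that stack's policy file.
TcpImage TCPIP /etc/pagent/TCPIP.policy FLUSH PURGE

# --- File 2: TcpImage policy file (assumed /etc/pagent/TCPIP.policy) ---
# TTLSConfig names the AT-TLS policy file ("clientPath" in the manual's step 4).
TTLSConfig /etc/pagent/TCPIP.ttls FLUSH PURGE

# --- File 3: AT-TLS policy file (assumed /etc/pagent/TCPIP.ttls) ---
# Match outbound SMTP connections made by the CSSMTP job.
TTLSRule CSSMTP_Outbound
{
  RemotePortRange          25
  Direction                Outbound
  Jobname                  CSSMTP
  TTLSGroupActionRef       CSSMTP_Group
  TTLSEnvironmentActionRef CSSMTP_Env
}
TTLSGroupAction CSSMTP_Group
{
  TTLSEnabled              On
}
TTLSEnvironmentAction CSSMTP_Env
{
  HandshakeRole            Client
  TTLSKeyRingParms
  {
    # Ring owned by the CSSMTP user ID; it holds the server's CA chain.
    Keyring                CSSMTPRing
  }
  TTLSEnvironmentAdvancedParms
  {
    # CSSMTP negotiates STARTTLS itself and then asks AT-TLS to start the handshake.
    ApplicationControlled  On
  }
}
# CSSMTP's own configuration must also request TLS for the target server
# (Secure Yes on its TargetServer statement).
```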