Hi,
Has anyone on the list set up their CSSMTP client to use TLS-SSL to forward the
email to a target email server that only supports TLS-SSL?
I see the steps in the CSSMTP configuration "Steps for using Transport Layer
Security for CSSMTP", but it's unclear to me where I get the certificate.
Step 2(a) says:
a. Create the key ring.
The client key ring needs the root certification used to sign the server
certificates. For a TLS/SSL primer and some step-by-step examples, see
TLS/SSL security. For more information about managing key rings and
certificates with RACF® and the RACDCERT command, see z/OS Security
Server RACF Security Administrator's Guide. For more information about
managing key rings and certificates with gskkyman, see z/OS
Cryptographic Services System SSL Programming.
How do I get the root certification used to sign the server certificates? Is
that something that the people that take care of the server are supposed to
supply to me?
Then 2(c) is 5 steps and says:
c. Configure the client system to use TLS with AT-TLS policies as follows:
1) Specify TTLS on the TCPCONFIG statement in the TCP/IP profile for
the client stack. For information about the TCPCONFIG statement, see
z/OS Communications Server: IP Configuration Reference.
(I understand this one)
2) Block the ability of applications to open a socket before AT-TLS policy is
loaded into the TCP/IP stack by setting up
EZB.INITSTACK.sysname.tcpname for the client stack.
(this seems like an optional step)
3) Create a main Policy Agent configuration file containing a TcpImage
statement for the client stack, and create a TcpImage policy file for the
client stack.
(this seems pretty simple, but where does it go?)
4) Add a TTLSConfig statement to each TcpImage policy file to identify the
TTLSConfig policy file location:
TTLSConfig clientPath
(I am assuming that the clientPath is some USS file I create that indicates
the information to find the keyring from 2(a) above, is that correct?) (Where
does the TcpImage policy file go? i.e. how do I define it?)
5) Add the AT-TLS policy statements to the clientPath file
(they have an example for this step right in the manual so that's pretty
easy to follow)
Thanks for your help. Any examples of a working configuration would be really
helpful.
Brian
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
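
A sketch of how the three files named in steps 3) to 5) of the quoted procedure chain together, added here as an example; it is not from the original post or from the IBM manual. The stack name TCPIP, the job name CSSMTP, the key ring name CSSMTPRing, remote port 25 and all /etc paths are assumptions, and the ring is assumed to be owned by the CSSMTP user ID and to hold the CA certificate from step 2(a).

```text
# ---- File 1: main Policy Agent configuration (assumed path /etc/pagent.conf)
# Step 3: one TcpImage statement per stack, pointing at that stack's policy file.
TcpImage TCPIP /etc/pagent.TCPIP.conf

# ---- File 2: TcpImage policy file (assumed path /etc/pagent.TCPIP.conf)
# Step 4: TTLSConfig names the file that holds the AT-TLS policy ("clientPath").
TTLSConfig /etc/pagent.TCPIP.ttls.conf

# ---- File 3: AT-TLS policy file (assumed path /etc/pagent.TCPIP.ttls.conf)
# Step 5: the rule selects outbound CSSMTP connections to the mail server port.
TTLSRule CSSMTP_Client
{
  RemotePortRange           25          # assumed target server port
  Direction                 Outbound
  Jobname                   CSSMTP      # assumed CSSMTP started task name
  TTLSGroupActionRef        CSSMTP_Group
  TTLSEnvironmentActionRef  CSSMTP_Env
}

TTLSGroupAction CSSMTP_Group
{
  TTLSEnabled               On
}

TTLSEnvironmentAction CSSMTP_Env
{
  HandshakeRole             Client
  TTLSKeyringParms
  {
    # Key ring from step 2(a); it must contain the CA certificate that
    # signed the target server's certificate, or the handshake fails.
    Keyring                 CSSMTPRing
  }
  TTLSEnvironmentAdvancedParms
  {
    # The connection starts in the clear; the application asks AT-TLS
    # to begin the handshake once the server accepts STARTTLS.
    ApplicationControlled   On
  }
}
```

The key ring is referenced only in the AT-TLS policy file, not in the file that carries the TTLSConfig statement; the TcpImage policy file is an ordinary z/OS UNIX file whose location is given on the TcpImage statement.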