Or it may already be installed, or they may be willing to supply it to you.
Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Gibney, Dave
Sent: Monday, August 31, 2020 12:12 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: setting up CSSMTP to use TLS-SSL

If the certificate they present is signed by a recognized CA, you should be able to get root and any required intermediates from the signing CA's site.

> -----Original Message-----
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Brian Westerman
> Sent: Sunday, August 30, 2020 11:55 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: setting up CSSMTP to use TLS-SSL
>
> Hi,
>
> Has anyone on the list set up their CSSMTP client to use TLS-SSL to forward the email to a target email server that only supports TLS-SSL?
>
> I see the steps in the CSSMTP configuration "Steps for using Transport Layer Security for CSSMTP", but it's unclear to me where I get the certificate.
>
> Step 2(a) says:
>
> a. Create the key ring.
> The client key ring needs the root certification used to sign the server certificates. For a TLS/SSL primer and some step-by-step examples, see TLS/SSL security. For more information about managing key rings and certificates with RACF® and the RACDCERT command, see z/OS Security Server RACF Security Administrator's Guide. For more information about managing key rings and certificates with gskkyman, see z/OS Cryptographic Services System SSL Programming.
>
> How do I get the root certification used to sign the server certificates? Is that something that the people that take care of the server are supposed to supply to me?
>
> then 2(c) is 5 steps and says:
> c. Configure the client system to use TLS with AT-TLS policies as follows:
>
> 1) Specify TTLS on the TCPCONFIG statement in the TCP/IP profile for the client stack. For information about the TCPCONFIG statement, see z/OS Communications Server: IP Configuration Reference.
> (I understand this one)
>
> 2) Block the ability of applications to open a socket before AT-TLS policy is loaded into the TCP/IP stack by setting up EZB.INITSTACK.sysname.tcpname for the client stack.
> (this seems like an optional step)
>
> 3) Create a main Policy Agent configuration file containing a TcpImage statement for the client stack, and create a TcpImage policy file for the client stack.
> (this seems pretty simple, but where does it go?)
>
> 4) Add a TTLSConfig statement to each TcpImage policy file to identify the TTLSConfig policy file location:
> TTLSConfig clientPath
> (I am assuming that the clientPath is some USS file I create that indicates the information to find the keyring from 2(a) above, is that correct?) (Where does the TcpImage policy file go? i.e. how do I define it?)
>
> 5) Add the AT-TLS policy statements to the clientPath file
> (they have an example for this step right in the manual so that's pretty easy to follow)
>
> Thanks for your help, any examples of a working configuration would be really helpful.
>
> Brian
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
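
The three Policy Agent files that steps 3) to 5) of the quoted procedure refer to, laid out as an added example that is not part of the original thread or of IBM's manual. The stack name TCPIP, the file paths, the job name CSSMTP, the policy names and the key ring name CSSMTPRing are all assumptions to be replaced with site values.

```text
# ---- File 1: main Policy Agent configuration file
# (assumed path /etc/pagent.conf)
# Step 3: one TcpImage statement per stack, naming that stack's image file.
TcpImage TCPIP /etc/pagent/TCPIP.image FLUSH PURGE

# ---- File 2: TcpImage policy file for the client stack
# (assumed path /etc/pagent/TCPIP.image)
# Step 4: TTLSConfig names the AT-TLS policy file, the manual's "clientPath".
TTLSConfig /etc/pagent/TCPIP.ttls FLUSH PURGE

# ---- File 3: AT-TLS policy file
# (assumed path /etc/pagent/TCPIP.ttls)
# Step 5: match only outbound SMTP connections opened by the CSSMTP job,
# so no other application on the stack picks up this policy.
TTLSRule CSSMTP_Client_Rule
{
  RemotePortRange           25
  Direction                 Outbound
  Jobname                   CSSMTP
  TTLSGroupActionRef        CSSMTP_Group
  TTLSEnvironmentActionRef  CSSMTP_Client_Env
}

TTLSGroupAction CSSMTP_Group
{
  TTLSEnabled               On
}

TTLSEnvironmentAction CSSMTP_Client_Env
{
  HandshakeRole             Client
  # Key ring from step 2(a). It holds the CA certificate(s) that signed the
  # mail server's certificate; the handshake fails if the chain cannot be
  # validated against this ring.
  TTLSKeyringParms
  {
    Keyring                 CSSMTPRing
  }
  # CSSMTP negotiates STARTTLS in the clear first and then asks the stack
  # to begin the handshake, so the connection is application controlled.
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled   On
  }
}
```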