Setting up server-side TLS/SSL authentication for CWI

To set up server-side TLS authentication for CWI, you should be capable of setting up CWI resources within Enterprise Server and also able to use the CWI APIs.
A typical procedure for setting up server-side TLS authentication for CWI is as follows:
  1. Obtain a server private key and certificate. For development and test purposes, you can use the Demo CA. See Using the Demonstration Certificate Authority for more information. For production use, you must use an organizational or public CA. Put the certificate and private key in separate PEM-format files. The key file must have the same name as the certificate file, with _key appended to it. For example, if the certificate is in srvcert.pem, the key should be in srvcert_key.pem.
  2. Create a TCPIPSERVICE with the following settings:
    • Status: Set to Open
    • Port no: Set to an appropriate port number.
    • SSL: Set to Yes
    • Certificate: Set to the name of your certificate - e.g. srvcert.
  3. Create a URIMAP with the following settings:
    • Usage: Set to Server.
    • Scheme: Set to Https.
    • Path: Set to your chosen URI path, for example: /my/ssl/path.
    • TCPIPService: Set to the name of the TCP service you created in step 2.
    • Decide if you want to offer a static or dynamic response by providing the details of either an HFS file or a Program.
  4. Set the value of the environment variable ES_DFLT_CERTIFICATE_NAME_SERVER to be the label/name of the server certificate that you wish to be used as the default. For example, if your certificate is called srvcert.pem, you should set the environment variable as follows: 
    [ES-Environment]
ES_DFLT_CERTIFICATE_NAME_SERVER=srvcert
  5. Set the value of the environment variable ES_CERTIFICATES_LOCATION to the location of your server certificates.
  6. Modify ESCERTPAS.CBL on the server machine to return the password of the server certificate's keyfile and then compile it. 
    when function upper-case(lk-certificate-name) = 'SRVCERT'       *> Server certificate name
   move 'srvrootpwd'	to lk-passphrase-returned               *> Passphrase for srvcert_key.pem
   move spaces to lk-CARoot-to-be-used                          *> No client authentication
    ESCERTPAS.CBL can be found in $COBDIR
  7. Provide the client with the CA root certificate that was used to sign the server certificate.
    • If the client is a browser, then import the CA root file into the browser.
    • If the client is a CICS program, then modify ESCERTPAS.CBL on the client machine to return the fully-qualified CA root file. For example: 
      when lk-certificate-name = spaces                          *> No client certificate required
  move spaces	to lk-passphrase-returned              
  move ‘C:\my\path\EC_CAcollection.pem’ to lk-CARoot-to-be-used
  8. Start your enterprise server region and client region if using CICS as a client.
  9. From a browser, enter: https:<host>:<port number in TCPIPSERVICE>/my/ssl/path.
  10. If the client is a CICS program then:
    • The WEB OPEN needs to specify:
      • SCHEME(HTTPS)
      • The port number specified in the TCPIPSERVICE.
    • The WEB SEND needs to specify:
      • PATH(WS-PATH) where WS-PATH has a value of '/my/ssl/path'.
  11. See User Certificate Registration for CICS Web Interface Servers for more information on associating client certificates with CICS user IDs.
Parent topic: SSL Support for CICS Web Interface Servers