NaCL key pair generation

Connect CDC (SQData) Installation for IBM z/OS

Product type: Software
Portfolio: Integrate
Product family: Connect
Product: Connect > Connect CDC (SQData)
Version: Latest
Language: English
Product name: Connect CDC (SQData)
Title: Connect CDC (SQData) Installation for IBM z/OS
Copyright: 2024
First publish date: 2000
Last edition: 2024-07-30
Last publish date: 2024-07-30T20:05:59.183648

All Agents must have access to the public/private key files. If the files created below are named with the same high-level qualifiers as the other Connect CDC (SQData) SQD system libraries, they will be in sync with the RACF sample.

The Controller Daemon uses a public/private key mechanism to ensure component communications are valid and secure. A key pair must be created for the SQDaemon Job System User-ID and the User-IDs of all the Agent Jobs that interact with the Controller Daemon. On z/OS, by default, the private key is stored in SQDATA.NACL.PRIVATE and the public key in SQDATA.NACL.PUBLIC. The Daemon uses these two files together with a sequential file, the Authorized Keys file, containing a concatenated list of the public keys of all the Agents allowed to interact with the Controller Daemon. The Authorized Keys file must contain, at a minimum, the public key of the SQDaemon job System User-ID. It is usually created with a first node matching the user name running the SQDaemon job, in our example SQDATA.NACL.AUTH.KEYS.

The file must also include the public keys of Engines running on z/OS or other platforms. The Authorized Keys file is usually maintained by an administrator using ISPF.

JCL similar to sample member NACLKEYS, included in the distribution, executes the SQDutil utility program with the keygen command. Use it to generate the necessary keys and create the Authorized Key List file. Edit the JCL to conform to the operating environment, and run the job under the User-ID that will be used when the Controller Daemon job is run.

//NACLKEYS JOB 1,MSGLEVEL=(1,1),MSGCLASS=H,NOTIFY=&SYSUID
//*
//*-------------------------------------------------------------------
//* Generate NACL Public/Private Keys and optionally AKL file
//*-------------------------------------------------------------------
//* Required DDNAME:
//*   SQDPUBL DD - File that will contain the generated Public Key
//*   SQDPKEY DD - File that will contain the generated Private Key
//*                ** This file and its contents are not to be shared
//*
//* Required parameters:
//*   PARM - keygen *** In lower case ***
//*   USER - The system USERID or high level qualifier of the
//*          SQDATA libraries IF all Jobs will share Private Key.
//*
//* Notes:
//*   1) This Job generates a new Public/Private Key pair, saves
//*      them to their respective files and adds the Public Key
//*      to an existing Authorized Key List, allocating a new
//*      file for that purpose if necessary.
//*
//*   2) An optional first step deletes the current set of files
//*
//*   3) Change the SET parms below for:
//*      HLQ  - high level qualifier of the CDC Libraries
//*      VER  - the 2nd level qualifier of the CDC OBJLIB & LOADLIB
//*      USER - the High Level Qualifier of the NACL Datasets
//*-------------------------------------------------------------------
//*
// SET HLQ=SQDATA
// SET VER=V400
// SET USER=&SYSUID
//*
//JOBLIB   DD DISP=SHR,DSN=&HLQ..&VER..LOADLIB
//*
//*------------------------------------------------------------------
//* Optional: Delete Old Instance of the NACL Files
//*------------------------------------------------------------------
//*DELOLD  EXEC PGM=IEFBR14
//*SYSPRINT DD SYSOUT=*
//*OLDPUB  DD DISP=(OLD,DELETE,DELETE),DSN=&USER..NACL.PUBLIC
//*OLDPVT  DD DISP=(OLD,DELETE,DELETE),DSN=&USER..NACL.PRIVATE
//*OLDAUTH DD DISP=(OLD,DELETE,DELETE),DSN=SQDATA.NACL.AUTH.KEYS
//*------------------------------------------------------------------
//* Allocate Public/Private Key Files and Generate Public/Private Keys
//*------------------------------------------------------------------
//SQDUTIL  EXEC PGM=SQDUTIL
//SQDPUBL  DD DSN=&USER..NACL.PUBLIC,
//            DCB=(RECFM=FB,LRECL=80,BLKSIZE=21200),
//            DISP=(,CATLG,DELETE),UNIT=SYSDA,
//            SPACE=(TRK,(1,1))
//SQDPKEY  DD DSN=&USER..NACL.PRIVATE,
//            DCB=(RECFM=FB,LRECL=80,BLKSIZE=21200),
//            DISP=(,CATLG,DELETE),UNIT=SYSDA,
//            SPACE=(TRK,(1,1))
//SQDPARMS DD *
keygen
//SYSPRINT DD SYSOUT=*
//SYSOUT   DD SYSOUT=*
//SQDLOG   DD SYSOUT=*
//*SQDLOG8 DD DUMMY
//*------------------------------------------------------------------
//* Allocate the Authorized Key List File --> Used only by the Daemon
//*------------------------------------------------------------------
//COPYPUB  EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSIN    DD DUMMY
//SYSUT1   DD DISP=SHR,DSN=&USER..NACL.PUBLIC
//SYSUT2   DD DSN=SQDATA.NACL.AUTH.KEYS,
//            DCB=(RECFM=FB,LRECL=80,BLKSIZE=21200),
//            DISP=(MOD,CATLG),UNIT=SYSDA,SPACE=(TRK,(5,5))

Note:
  • Since the Daemon, Capture Agents and z/OS Apply Engines may be running in the same LPAR/system, they frequently run under the same System User-ID. In that case they share the same public/private key pair.
  • Changes are not known to the Daemon until the configuration files are reloaded using the SQDmon Utility, or the sqdaemon process is stopped and started.
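
The NACLKEYS comments state that the private key file is not to be shared and that the Authorized Key List is used only by the Daemon. The job below is an added example, not the product's RACF sample, showing one way to enforce that with RACF generic dataset profiles. It assumes the shared-key case with the datasets under the SQDATA qualifier; the IDs SQDAEMON (Daemon job), SQDAGENT (Agent jobs) and SQDADMIN (administrator who maintains the key list) are placeholders.

```jcl
//NACLRACF JOB 1,MSGLEVEL=(1,1),MSGCLASS=H,NOTIFY=&SYSUID
//*-------------------------------------------------------------------
//* Added example: restrict access to the NACL datasets created by
//* NACLKEYS. Run under a User-ID authorized to define profiles for
//* the SQDATA qualifier.
//* Assumed placeholders (replace with site values):
//*   SQDAEMON - User-ID of the Controller Daemon job
//*   SQDAGENT - User-ID or group of the Agent jobs
//*   SQDADMIN - administrator who edits the Authorized Key List
//* Generic profiles are used so the protection remains in place when
//* the datasets are deleted and the keys are regenerated.
//*-------------------------------------------------------------------
//RACFCMD  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDSD  'SQDATA.NACL.PRIVATE'   GENERIC UACC(NONE)
  ADDSD  'SQDATA.NACL.PUBLIC'    GENERIC UACC(NONE)
  ADDSD  'SQDATA.NACL.AUTH.KEYS' GENERIC UACC(NONE)
  PERMIT 'SQDATA.NACL.PRIVATE' GENERIC -
         ID(SQDAEMON SQDAGENT) ACCESS(READ)
  PERMIT 'SQDATA.NACL.PUBLIC' GENERIC -
         ID(SQDAEMON SQDAGENT) ACCESS(READ)
  PERMIT 'SQDATA.NACL.AUTH.KEYS' GENERIC -
         ID(SQDAEMON) ACCESS(READ)
  PERMIT 'SQDATA.NACL.AUTH.KEYS' GENERIC -
         ID(SQDADMIN) ACCESS(UPDATE)
  SETROPTS GENERIC(DATASET) REFRESH
  LISTDSD DATASET('SQDATA.NACL.PRIVATE') GENERIC AUTHUSER
/*
```

The LISTDSD output in SYSTSPRT shows the resulting access list, so any ID that can read the private key beyond the Daemon and Agent jobs is visible and can be reviewed.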