The Controller Daemon uses a public/private key mechanism to ensure that component communications are valid and secure. A key pair must be created for the SQDaemon job System User-ID and for the User-IDs of all the Agent jobs that interact with the Controller Daemon. On z/OS, by default, the private key is stored in SQDATA.NACL.PRIVATE and the public key in SQDATA.NACL.PUBLIC. The Daemon uses these two files together with a sequential file containing a concatenated list of the public keys of all the Agents allowed to interact with the Controller Daemon. This Authorized Keys file must contain, at a minimum, the public key of the SQDaemon job System User-ID, and is usually created with a first node matching the user name running the SQDaemon job; in our example it is SQDATA.NACL.AUTH.KEYS.
The file must also include the public keys of Engines running on z/OS or other platforms. The Authorized Keys file is usually maintained by an administrator using ISPF.
//NACLKEYS JOB 1,MSGLEVEL=(1,1),MSGCLASS=H,NOTIFY=&SYSUID
//*
//*--------------------------------------------------------------------
//* Generate NACL Public/Private Keys and optionally AKL file
//*--------------------------------------------------------------------
//* Required DDNAME:
//* SQDPUBL DD - File that will contain the generated Public Key
//* SQDPKEY DD - File that will contain the generated private Key
//* ** This file and its contents are not to be shared
//*
//* Required parameters:
//* PARM - keygen *** In lower case ***
//* USER - The system USERID or high level qualifier of the
//* SQDATA libraries IF all Jobs will share Private Key.
//*
//* Notes:
//* 1) This Job generates a new Public/Private Key pair, saves
//* them to their respective files and adds the Public Key
//* to an existing Authorized Key List, allocating a new
//* file for that purpose if necessary.
//*
//* 2) An optional first step deletes the current set of files
//*
//* 3) Change the SET parms below for:
//* HLQ - high level qualifier of the CDC Libraries
//* VER - the 2nd level qualifier of the CDC OBJLIB & LOADLIB
//* USER - the High Level Qualifier of the NACL Datasets
//*--------------------------------------------------------------------
//*
// SET HLQ=SQDATA
// SET VER=V400
// SET USER=&SYSUID
//*
//JOBLIB DD DISP=SHR,DSN=&HLQ..&VER..LOADLIB
//*
//*-------------------------------------------------------------------
//* Optional: Delete Old Instance of the NACL Files
//*-------------------------------------------------------------------
//*DELOLD EXEC PGM=IEFBR14
//*SYSPRINT DD SYSOUT=*
//*OLDPUB DD DISP=(OLD,DELETE,DELETE),DSN=&USER..NACL.PUBLIC
//*OLDPVT DD DISP=(OLD,DELETE,DELETE),DSN=&USER..NACL.PRIVATE
//*OLDAUTH DD DISP=(OLD,DELETE,DELETE),DSN=SQDATA.NACL.AUTH.KEYS
//*-------------------------------------------------------------------
//* Allocate Public/Private Key Files and Generate Public/Private Keys
//*-------------------------------------------------------------------
//SQDUTIL EXEC PGM=SQDUTIL
//SQDPUBL DD DSN=&USER..NACL.PUBLIC,
// DCB=(RECFM=FB,LRECL=80,BLKSIZE=21200),
// DISP=(,CATLG,DELETE),UNIT=SYSDA,
// SPACE=(TRK,(1,1))
//SQDPKEY DD DSN=&USER..NACL.PRIVATE,
// DCB=(RECFM=FB,LRECL=80,BLKSIZE=21200),
// DISP=(,CATLG,DELETE),UNIT=SYSDA,
// SPACE=(TRK,(1,1))
//SQDPARMS DD *
keygen
//SYSPRINT DD SYSOUT=*
//SYSOUT DD SYSOUT=*
//SQDLOG DD SYSOUT=*
//*SQDLOG8 DD DUMMY
//*-------------------------------------------------------------------
//* Allocate the Authorized Key List File --> Used only by the Daemon
//*-------------------------------------------------------------------
//COPYPUB EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSIN DD DUMMY
//SYSUT1 DD DISP=SHR,DSN=&USER..NACL.PUBLIC
//SYSUT2 DD DSN=SQDATA.NACL.AUTH.KEYS,
// DCB=(RECFM=FB,LRECL=80,BLKSIZE=21200),
// DISP=(MOD,CATLG),UNIT=SYSDA,SPACE=(TRK,(5,5))
Notes:
- Since the Daemon, the Capture Agents and the z/OS Apply Engines may be running in the same LPAR/system, they frequently run under the same System User-ID; in that case they share the same public/private key pair.
- Changes are not known to the Daemon until the configuration files are reloaded using the SQDmon utility, or until the sqdaemon process is stopped and started.
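An added consistency check, not code from the SQData product or from the JCL above: a Python script that verifies an Authorized Keys list image against the individual SQDPUBL files, confirming the daemon's own key is present (the mandatory minimum), naming any Engine whose key was never appended, and flagging duplicate entries left by re-running the COPYPUB step (DISP=MOD). It assumes one hex-encoded 32-byte key per 80-byte record, since the page does not state the record layout.

```python
"""Consistency check for an SQData-style NaCl Authorized Keys list (added example)."""
import re
from typing import Dict, List

LRECL = 80                                # RECFM=FB,LRECL=80 as allocated in the JCL
HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")  # ASSUMPTION: one 32-byte key per record, hex encoded


def split_records(image: bytes, encoding: str = "ascii", lrecl: int = LRECL) -> List[str]:
    """Split a fixed-block dataset image into stripped LRECL-byte records.
    A dataset pulled from z/OS in binary mode is EBCDIC: pass encoding="cp037"."""
    if len(image) % lrecl:
        raise ValueError(f"image length {len(image)} is not a multiple of LRECL {lrecl}")
    return [image[i:i + lrecl].decode(encoding).rstrip()
            for i in range(0, len(image), lrecl)]


def check_authorized_keys(auth_image: bytes, daemon_pub: bytes,
                          engine_pubs: Dict[str, bytes], encoding: str = "ascii") -> Dict[str, list]:
    """Report keys missing from the list, duplicated entries and malformed records.
    daemon_pub / engine_pubs are images of the individual SQDPUBL files."""
    findings = {"missing": [], "duplicate": [], "malformed": []}
    seen = set()
    for n, rec in enumerate(split_records(auth_image, encoding), start=1):
        if not HEX64.match(rec):
            findings["malformed"].append(n)        # 1-based record number
        elif rec in seen:
            findings["duplicate"].append(rec)      # same key appended twice (DISP=MOD reruns)
        seen.add(rec)
    # The daemon's own public key is the mandatory minimum content of the list.
    if split_records(daemon_pub, encoding)[0] not in seen:
        findings["missing"].append("daemon")
    for name, pub in engine_pubs.items():
        if split_records(pub, encoding)[0] not in seen:
            findings["missing"].append(name)
    return findings


def record(text: str) -> bytes:
    """Build one blank-padded 80-byte record (constructed test data helper)."""
    return text.ljust(LRECL).encode("ascii")


if __name__ == "__main__":
    # Constructed sample keys, not real NaCl material.
    daemon, eng1, eng2 = record("ab" * 32), record("cd" * 32), record("ef" * 32)
    # The list was built by running the COPYPUB step twice for the daemon
    # and once for engine1; engine2's key was never appended.
    print(check_authorized_keys(daemon + eng1 + daemon, daemon,
                                {"engine1": eng1, "engine2": eng2}))
```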