If you have an existing certificate or want to generate the certificate yourself, set this in the source configuration file inside of the Source Directory:
TcpIpServerConfiguration: TlsConfiguration:
AutoGenerateCertificate: false
And specify the paths for this:
TcpIpServerConfiguration: TlsConfiguration :
PathToCertificateFile:
<path to the server.crt file>
TcpIpServerConfiguration: TlsConfiguration : PathToKeyFile:
<path to the server.key file>
openssl genrsa -out server.key 2048
openssl ecparam -genkey -name secp384r1 -out server.key
openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650
Then, use this command to generate the certification cacert.pem which can be imported to mainframe key database and used by Hub.
openssl x509 -in server.crt -out cacert.pem -outform PEM
If Hub is configured to use TLS and the IBM Z agent is not using TLS, then this will be logged as an error and no data will be processed. Conversely, if a TLS client sends data to Hub and Hub is not configured to use TLS, then this will also be logged as a warning without data being processed.