Setting up server-side SSL authentication for CWI

To set up server-side SSL authentication for CWI, you should be capable of setting up CWI resources within Enterprise Server and also able to use the CWI APIs.
A typical procedure for setting up server-side SSL authentication for CWI is as follows:
  1. Create a server certificate and sign it using the Demo CA. For details of how to do this, refer to Using the Demonstration Certificate Authority. Note that the generated keyfile should be renamed to have the same name as the certificate, with the characters _key appended, but retaining the file's original extension. For example, if the certificate and key files are srvcert.pem and srvkey.pem respectively, you should rename srvkey.pem to srvcert_key.pem.
  2. Create a TCPIPSERVICE with the following settings:
    • Status: Set to Open
    • Port no: Set to an appropriate port number.
    • SSL: Set to Yes
    • Certificate: Set to the name of your certificate - e.g. srvcert.
  3. Create a URIMAP with the following settings:
    • Usage: Set to Server.
    • Scheme: Set to Https.
    • Path: Set to your chosen URI path, for example: /my/ssl/path.
    • TCPIPService: Set to the name of the TCP service you created in step 2.
    • Decide if you want to offer a static or dynamic response by providing the details of either an HFS file or a Program.
  4. Set the value of the environment variable ES_DFLT_CERTIFICATE_NAME_SERVER to be the label/name of the server certificate that you wish to be used as the default. For example, if your certificate is called srvcert.pem, you should set the environment variable like this:
    [ES-Environment]
    ES_DFLT_CERTIFICATE_NAME_SERVER=srvcert
  5. Set the value of the environment variable ES_CERTIFICATES_LOCATION to the location of your server certificates.
  6. Modify ESCERTPAS.CBL on the server machine to return the password of the server certificate's keyfile and then compile it.
    when function upper-case(lk-certificate-name) = 'SRVCERT'       *> Server certificate name
       move 'srvrootpwd'	to lk-passphrase-returned               *> Passphrase for srvcert_key.pem
       move spaces to lk-CARoot-to-be-used                          *> No client authentication
  7. Provide the client with the CA root certificate that was used to sign the server certificate.
    • If the client is a browser, then import the CA root file into the browser.
    • If the client is a CICS program, then modify ESCERTPAS.CBL on the client machine to return the fully-qualified CA root file. For example:
      when lk-certificate-name = spaces                          *> No client certificate required
        move spaces	to lk-passphrase-returned              
        move ‘C:\my\path\CARootcert.pem’ to lk-CARoot-to-be-used
  8. Start your server region (and client region if using CICS as a client).
  9. From a browser, enter: https:<host>:<port number in TCPIPSERVICE>/my/ssl/path.
    Note: The host name should match the Common Name in the server certificate exactly.
  10. If the client is a CICS program then:
    • The WEB OPEN needs to specify:
      • SCHEME(HTTPS)
      • The port number specified in the TCPIPSERVICE.
    • The WEB SEND needs to specify:
      • PATH(WS-PATH) where WS-PATH has a value of '/my/ssl/path'.
  11. For information on associating client certificates with CICS user IDs, refer to User Certificate Registration for CICS Web Interface Servers.