
For SSL communication, a few files need to be configured on the server and the client. An Enterprise Server region will also need to be configured with an SSL-enabled listener. 

On the server, the DemoCA folder must exist and DemoCA setup must have been run in accordance with the documentation (for Enterprise Developer an install script, "DemoCA_Setup", exists under the %ProgramFiles%\Micro Focus\DemoCA folder, where "%ProgramFiles%\Micro Focus" is the location of the product installation). A server certificate (srvcert.pem) and private key file (srvkey.pem) will need to be generated using create_srv_req. The CA sends srvcert.pem to the server owner to install it in their SSL software for download by the Web users. 

The client machines will need to trust the server: on the client, CARootcert.pem and CARootcert.cer need to be installed in the DemoCA ‘certs’ subdirectory. The certificate is then added to the browser (on Internet Explorer this is done from the toolbar using Tools -> Internet Options -> Content tab -> Certificates button). 

In the Enterprise Server region you need an SSL-enabled listener. To create one: 

1. Stop the region.

3. Click "Edit", then open up the "Listeners" tab.

4. Add a listener for HTTPS under the Listeners tab:

   A. Name it something meaningful, an example may be "HTTPS Echo".

   B. Set an Endpoint Address; an example would be *.9443, where 9443 is the port (you can use other ports if they are free and open).

   C. Select Custom under Supported Conversation Type and enter http-echo in the field alongside.

   D. Check the box for Secure Sockets Layer. 

5. In the listener configuration, point to the certificate this way: 

   A. Edit the Listener. Check the box for "Secure Sockets Layer". Then place the path to the certificate in the "Certificate" box, and the path to the keyfile in the "Keyfile" box. The paths must be complete and fully-qualified, including the file name.

   B. Click OK. Go back to the Listeners page; you will see the listener with a padlock next to it. That signifies that it uses SSL. 

6. Set a pass phrase

   A. This can be set either in the mf-server.dat file, from where it is read automatically upon start-up of the region, or entered manually once the enterprise server has been started.

To set the pass phrase in a file, add these lines to the mf-server.dat file: 

[HTTPS Echo/SSL/passphrases]

certificate=

keyfile=open sesame 

where "open sesame" is the pass phrase (NOTE: pass phrases, as opposed to passwords, can include spaces) and "HTTPS Echo" is the name used for the listener (this must match exactly). 

To enter it manually: 

Once the server is started, on the Listeners page you will see "Start Pending" in the Status column for the listener. Click on "Authorize" and you will be prompted for the certificate and keyfile passphrases (the pass phrase to use will be the same one used when executing the create_srv_req.cmd to create the public/private key pair on the server). 

If that dialog box does not have entry lines for the pass phrases but rather shows boxes next to "Passphrase set", you can check the boxes to clear them and press enter; you can next return to that page and then enter the pass phrases. 

If there are any problems engaging the listener, you can review the MFCS log file (log.html); it is accessible via Server > Diagnostics > CS Console. 

NOTE: To increase the granularity of the information written to the log file: 

A. Click "Edit" at the left of the server you want to configure.

B. Go to the Listeners page.

C. At the top of the list of listeners, click the Communications Process Edit button (not Edit for any of the individual listeners).

E. Add the following to the Configuration Information area: 

   [listeners]

   logging=3 

F. Click OK. 

Once the region is restarted, more detailed information on listener startup will be recorded in the console.log file. 

On the client, the mf-client.dat file will need to be modified. 

Add an [SSL] section to this file and set parameters for the root certificate, the client certificate, the client key file, and the client key file passphrase, as follows: 

   [SSL]

   root=/path/to/root/cert.type

   certificate=/path/to/client/cert.type

   key=/path/to/client/keyfile.type

   passphrase=keyfile passphrase 

Instead of mf-client.dat, you can create a file of any name or location, but you must identify it using the MFC_CONFIG environment variable. 

Once the region and its SSL listener have been configured and are working, and the necessary files have been created and/or configured, jobs can be submitted securely across the link. 

As an example, a JCL job using the tcpssl option with the -s parameter for cassub can be submitted using the following syntax: 

cassub /stcpssl:{target hostname}:{port number of listener} /j{job.jcl} /u{userid} /p{passwd} 

or 

cassub /stcpssl:{IP Address of target hostname}:{port number of listener} /j{job.jcl} /u{userid} /p{passwd} 

This is an example of submitting a job from the command line for a region named “JCLTEST”:

D:\ES\JCLTEST\sys>cassub /stcpssl:localhost:9443 /LSECTRNG /jLOOPER.JCL /uSYSAD /pSYSAD

(the L can be used in place of the r before the region name, should you receive an error about the console daemon not being active).

The job should complete smoothly, with verbiage echoed to the shell indicating the job has been processed.

As an addendum, here is a brief list of the commands that are run when setting a region up for SSL: 

Server side: 

create_srv_req.cmd: Use the create_srv_req.cmd to create the public/private key pair for the server.

sign_srv.cmd: to sign the certificate. 

Here is a brief list of the files that are configured/modified for SSL: 

Client side: 

mf-client.dat - by default this is located at C:{install-dir}/base/bin on Windows and at $COBDIR/etc on Unix/Linux systems. 

Server side: 

mf-server.dat - by default this is located at C:{install-dir}/base/bin on Windows and in $COBDIR/etc on Linux/Unix systems. 

srvcert.pem - created by sign_srv

srvkey.pem - created by create_srv_req 

By default these would be located in the DemoCA directory. DemoCA would by default be located in C:\Program Files\Micro Focus on Windows systems and /opt/microfocus on Linux/Unix systems. Also, for security purposes the mf-client.dat files and the mf-server.dat files should be made readable only by the user account (or accounts) under which the enterprise server is started. 
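
An added example (not Micro Focus code and not part of the original article) that audits the files discussed above: it finds pass phrases stored in a [listener/SSL/passphrases] section of mf-server.dat or in the [SSL] section of mf-client.dat, and flags the file when anyone other than its owner can access it. The function names and the sample file contents are constructed for illustration; the check reads POSIX mode bits, so on Windows the file ACL has to be reviewed instead.

```python
import os
import stat
import tempfile

# Constructed sample, using the listener name and pass phrase from this article.
SAMPLE = """[HTTPS Echo/SSL/passphrases]
certificate=
keyfile=open sesame
"""

def passphrase_entries(path):
    """Return (section, key) pairs that hold a non-empty pass phrase."""
    found, section = [], None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif "=" in line and section is not None:
                key, value = (part.strip() for part in line.split("=", 1))
                name = section.lower()
                wanted = name.endswith("/ssl/passphrases") or (
                    name == "ssl" and key.lower() == "passphrase")
                if value and wanted:
                    found.append((section, key))
    return found

def audit(path):
    """Flag a file that stores a pass phrase and is open to group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    exposed = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
    secrets = passphrase_entries(path)
    return {"path": path, "mode": oct(mode), "secrets": secrets,
            "finding": exposed and bool(secrets)}

def demo():
    # Audit the sample once world-readable, then again after tightening it.
    with tempfile.TemporaryDirectory() as folder:
        path = os.path.join(folder, "mf-server.dat")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        before = audit(path)
        os.chmod(path, 0o600)
        after = audit(path)
    return before, after

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Only the section and key names are reported, never the pass phrase value, so the output can be kept in audit records.
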

Environment variables that can be set: 

MFC_CONFIG - an Enterprise Server environment variable that is used to override the name/location of the Common Client config file mf-client.dat.
