Has anyone successfully implemented TLS for RACF Source? The documentation seems unclear and leaves several steps open to interpretation. Here are my questions for clarification:
Regarding enabling Mutual TLS Authentication, Step 3 requires keystore information, but it’s unclear whether this refers to a custom keystore that needs to be created or the default keystore.jks file, which only the root user can access.
Furthermore, in Step 5, the documentation mentions exporting a certificate from the VA, but it doesn't specify which certificate this refers to or how to export it. (In the VA we don't have keytool to export it. Also, we don't have the password needed for keystore.jks to start exporting the certificate.)
I have checked this answer, but I don’t think it matches how the documentation describes the steps to configure.
Please correct me if I am wrong here, but I think the encryptionKey and custom keystore file need to be generated by the implementer on the Connector Gateway only.
This is what the documentation says:
The keystorePath variable is the location for a keystore.jks file which has been generated using the keytool utility, specifically on the Connector Gateway machine.
The keystorePassword and keyPassword are encrypted by the Connector Gateway while updating the init.xml file. An encryption key can be defined specific to the site and used to encrypt the data.
I ran into the same problem setting up TLS for RACF, and the SailPoint document was not helpful. It took many searches and much exploration to finally make it work. I have laid out the steps that I followed to enable TLS for RACF:
AT-TLS policy configured on Mainframe RACF to allow communication on both ports. In my instance it was 2470 and 2471.
Generate a self-signed certificate (.cer) on RACF and import or copy (not install) it to the server where the Connector Gateway is installed.
If the Connector Gateway is installed on a Windows server, create a Java keystore on that server and import the certificate from RACF into this keystore. Make a note of the keystorePass and the keyPass (they can both be set to the same value).
The keystore setup process will ask about 7 questions during setup; provide answers that are meaningful, and during the last step it will generate a string which will need to be noted down for use later. E.g.: CN=sailpoint, OU=IAM, O=XYZCo, L=Miami, ST=FL, C=US
Start an Admin PowerShell session (the command prompt didn't work for me) and from PowerShell, navigate to the Connector Gateway folder and execute this command to edit the init.xml file: java -jar ConnectorGateway.jar -trustStore "<path to truststore>" -disableHostnameVerification "true" -enableCGtoAgentTLS "true" -enableCGtoPE2TLS "true" -keyStore <path to keystore> -keyStorePass "<password>" -keyPass "<password>"
(Note that the trustStore can be the same as the keyStore. The trustStore is generally cacerts. If you wish to use the trustStore like I did, make sure to import the RACF cert into cacerts as well.)
Log in to the virtual appliances to perform the next few steps.
From the VA, execute this command to import the cert from port 2470 (we need to perform this since the keystore process generates a self-signed certificate on the Windows server. This certificate is used by the Connector Gateway to authenticate the VAs): openssl s_client -connect <Hostname/IP>:<Port>
Copy the portion of the output beginning with "-----BEGIN CERTIFICATE-----" through "-----END CERTIFICATE-----" and save it as a ".cer" file on the VA. If you have multiple VAs, you need to copy this certificate to all of them.
Install the certificate on the VAs by moving the certificate to the "certificates" folder and restarting CCG.
In the IDN UI, edit the RACF source configuration and enable TLS; enter the "CN" portion of your certificate string generated during the keystore process, i.e. "sailpoint", in the Certificate Subject field.
Now save and test connection. If you performed all the steps correctly it should successfully connect.
Please see the sample init.xml file after I made all the changes: init.xml (1.1 KB)
Please note that I have a few other attributes in the XML file, i.e. TLS Version, which may be required based on the Mainframe version. Also, it's really important to stop the Connector Gateway server before making any changes to init.xml and to start it again after the changes are complete.
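The VA-side steps above (run openssl s_client, copy the BEGIN/END CERTIFICATE block into a .cer file, then enter the CN of that certificate in the Certificate Subject field) can be scripted instead of done by hand, so the same .cer is produced identically on every VA. The script below is an added example, not part of the original post or of SailPoint's tooling. The s_client output it parses is a constructed sample with a placeholder certificate body; on a real VA you would pipe the output of openssl s_client into save_cer instead, and the subject-line format assumed is the "CN = value, OU = value" form printed by current OpenSSL releases.

```shell
# Added example (not from the original post): pull the server certificate out
# of `openssl s_client` output, save it as a .cer file, and read the CN from
# the subject line. SAMPLE_S_CLIENT_OUTPUT is CONSTRUCTED text with a
# placeholder certificate body; it is not a real RACF or Connector Gateway cert.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=0 CN = sailpoint, OU = IAM, O = XYZCo, L = Miami, ST = FL, C = US
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:CN = sailpoint, OU = IAM, O = XYZCo, L = Miami, ST = FL, C = US
   i:CN = sailpoint, OU = IAM, O = XYZCo, L = Miami, ST = FL, C = US
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBsTCCAVugAwIBAgIUPLACEHOLDERBODYNOTAREALCERT000000wDQYJKoZIhvcN
AQELBQAwEjEQMA4GA1UEAwwHc2FpbHBvaW50MB4XDTI0MDEwMTAwMDAwMFoXDTI1
-----END CERTIFICATE-----
subject=CN = sailpoint, OU = IAM, O = XYZCo, L = Miami, ST = FL, C = US
issuer=CN = sailpoint, OU = IAM, O = XYZCo, L = Miami, ST = FL, C = US
---
SSL handshake has read 1234 bytes and written 400 bytes
---'

# Print only the first PEM certificate block found on stdin (the leaf cert
# that s_client shows under "Server certificate"), nothing before or after it.
extract_pem() {
  awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
       p { print }
       /^-----END CERTIFICATE-----$/ { if (p) exit }'
}

# Write the PEM block from stdin to the .cer path given as $1 and print the
# number of lines written, so a caller can tell an empty result from a real one.
save_cer() {
  extract_pem > "$1"
  wc -l < "$1" | tr -d ' '
}

# Print the CN from the "subject=" line on stdin. Accepts both "CN = x" and
# "CN=x" spellings and stops at the next comma or slash separator.
subject_cn() {
  sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' | head -n 1 | sed 's/ *$//'
}

# Stand-alone demo against the constructed sample. On a real VA, replace the
# printf with the live command from the post, for example:
#   openssl s_client -connect <Hostname/IP>:2470 </dev/null 2>/dev/null | save_cer cg.cer
TMP_CER=$(mktemp)
LINES=$(printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | save_cer "$TMP_CER")
echo "wrote $LINES PEM lines to $TMP_CER"
echo "Certificate Subject value for the IDN UI: $(printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | subject_cn)"
rm -f "$TMP_CER"
```

Feeding s_client's stdin from /dev/null makes it exit after the handshake instead of waiting for input, which matters when the command runs unattended; checking the line count from save_cer catches the case where the port answered but no certificate block was printed (for example, because AT-TLS is not yet active on that port).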