The short answer is yes. The IBM manual titled ‘IBM HTTP Server on z/OS - Migrating from Domino-powered to Apache-powered’ contains a section titled ‘Configuring SSL support’ that details the configuration requirements. Both native z/OS key management (gskkyman key database) and SAF keyrings are supported.
An additional LoadModule statement and a virtual host definition are needed in the httpd.conf file to enable SSL support in the Apache server.
The example below uses the default SSL port of 443 and specifies a gskkyman key database as the key store.

    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 443
    <VirtualHost *:443>
        SSLEnable
    </VirtualHost>
    SSLDisable
    KeyFile /users/apache/keys.kdb

This example uses a SAF keyring instead of a gskkyman key database. The SSLServerCert refers to the label name defined on the certificate when it was created. The /saf value on the KeyFile statement is a required literal when a SAF keyring is to be used. The keyring name follows the /saf literal.

    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 443
    <VirtualHost *:443>
        SSLEnable
        SSLServerCert spoolwebssl
    </VirtualHost>
    KeyFile /saf WEBRING
    SSLDisable

The httpd.conf updates documented in the CA Spool documentation in the section titled ‘Install the Web Interface on z/OS 2.2’ are still required, but they do not require any changes when SSL is added.
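
A small pre-restart check for the directives described above, as an added example that is not taken from the IBM or CA Spool documentation. It reads the text of an httpd.conf and reports the key store type, the certificate label, and any mismatch between SSLEnable virtual hosts, Listen ports and the KeyFile statement. The function name check_ssl_conf and the sample text are assumptions made for illustration, and it assumes each VirtualHost address carries an explicit port, as in the examples above.

```python
# Constructed sample: the SAF keyring configuration shown on this page.
SAMPLE_CONF = """\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
SSLEnable
SSLServerCert spoolwebssl
</VirtualHost>
KeyFile /saf WEBRING
SSLDisable
"""

def check_ssl_conf(text):
    """Return (info, problems) for the SSL directives found in httpd.conf text."""
    info = {"module": False, "listen": set(), "ssl_ports": set(),
            "keystore": None, "cert_label": None}
    problems, vhost_port = [], None        # vhost_port: port of the enclosing <VirtualHost>
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue                       # skip blank lines and comments
        name = words[0].lower()            # directive names are case-insensitive
        if name == "<virtualhost" and len(words) > 1:
            port = words[1].rstrip(">").rsplit(":", 1)[-1]
            vhost_port = int(port) if port.isdigit() else None
        elif name == "</virtualhost>":
            vhost_port = None
        elif name == "loadmodule" and words[1:2] == ["ibm_ssl_module"]:
            info["module"] = True
        elif name == "listen" and len(words) > 1:
            info["listen"].add(int(words[1].rsplit(":", 1)[-1]))
        elif name == "sslenable" and vhost_port is not None:
            info["ssl_ports"].add(vhost_port)
        elif name == "sslservercert" and len(words) > 1:
            info["cert_label"] = words[1]
        elif name == "keyfile" and words[1:2] == ["/saf"]:
            if len(words) < 3:             # the keyring name must follow the /saf literal
                problems.append("KeyFile /saf has no keyring name")
            else:
                info["keystore"] = ("saf", words[2])
        elif name == "keyfile" and len(words) > 1:
            info["keystore"] = ("kdb", words[1])
    if not info["module"]:
        problems.append("LoadModule ibm_ssl_module is missing")
    if info["keystore"] is None:
        problems.append("no usable KeyFile statement")
    for port in sorted(info["ssl_ports"] - info["listen"]):
        problems.append(f"SSLEnable on port {port} has no matching Listen")
    return info, problems
```

Pass the contents of the real httpd.conf to check_ssl_conf in place of SAMPLE_CONF; an empty problems list means the directives are mutually consistent, not that the keyring or certificate label actually exists in SAF.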