Configuring the client systems

On each z/OS® system where you run the client application, see Table 1 for the tasks needed to configure the client.

Table 1. AT-TLS configuration for the client system
Create key ring
Create a client key ring for each client with the necessary certificate authority certificates. If using client authentication, also attach each client's certificate to its key ring.
Tips:
  • To simplify AT-TLS policy, use the same RACF® key ring name for every client. System SSL qualifies the key ring name with the current user ID when the key ring is accessed.
  • Because a copy of the specified key ring contents is loaded into TCPIP private storage for each user, keep the number of certificates connected to the key ring to a minimum.
Create Policy Agent files
  1. Create a Policy Agent main configuration file containing a TcpImage statement for the client stack.
  2. Create a Policy Agent image configuration file for the client stack.
  3. If AT-TLS policies are to be retrieved from the policy server, create image-specific AT-TLS configuration files, and optionally, common AT-TLS configuration files, on the policy server.
Add AT-TLS configuration
  1. For local AT-TLS policies, add a TTLSConfig statement to the Policy Agent image configuration file, identifying the TTLSConfig policy file location:
    TTLSConfig	clientpath
  2. For remote AT-TLS policies, add a PolicyServer statement to the policy client image configuration file:
    PolicyServer
    {
       ClientName  name
       PolicyType  TTLS
       {
          …
       }
       …
    }
    Add a DynamicConfigPolicyLoad statement to the policy server main configuration file:
    DynamicConfigPolicyLoad  clientname
    {
       PolicyType TTLS
       {
          PolicyLoad  clientpath
       }
       …
    }
Add statements to the AT-TLS policy file
Add the AT-TLS policy statements to the clientpath file:
TTLSRule                     XYZClientRule
{
       RemotePortRange                   5000
       Direction                         Outbound
       TTLSGroupActionRef                XYZGroup
       TTLSEnvironmentActionRef          XYZClientEnvironment
}
TTLSGroupAction              XYZGroup
{
       TTLSEnabled                       On
}

TTLSEnvironmentAction        XYZClientEnvironment
{
       TTLSKeyRingParms
         {
           Keyring                       client_key_ring
         }
       HandshakeRole                     CLIENT
       Trace                             7
}
Set up InitStack access control
  1. Define the EZB.INITSTACK.sysname.tcpname profile for each AT-TLS stack.
  2. Permit administrative applications to use the stack before AT-TLS is initialized.
For examples of the security product commands needed to create this resource profile name and grant users access to it, see member EZARACF in sample data set SEZAINST.
Enable AT-TLS
Set TCPCONFIG TTLS in PROFILE.TCPIP.
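As an added example (not IBM's code and not part of this page), a small Python checker that parses policy text in the form shown in the table and verifies, for the client rule, that TTLSGroupActionRef and TTLSEnvironmentActionRef resolve to defined actions, that the group has TTLSEnabled On, and that the environment is HandshakeRole CLIENT with a Keyring in TTLSKeyRingParms. The sample policy is constructed from the page's statements, and the parser assumes one value per parameter, as in that sample.

```python
import re
# Constructed sample: the client policy shown on this page, as stored in clientpath.
SAMPLE_POLICY = """TTLSRule XYZClientRule
{
  RemotePortRange 5000
  TTLSGroupActionRef XYZGroup
  TTLSEnvironmentActionRef XYZClientEnvironment
}
TTLSGroupAction XYZGroup
{
  TTLSEnabled On
}
TTLSEnvironmentAction XYZClientEnvironment
{
  TTLSKeyRingParms
  {
    Keyring client_key_ring
  }
  HandshakeRole CLIENT
}"""

def _parse_block(tokens, i):
    """Parse the '{ ... }' block at tokens[i]; nested blocks become nested dicts."""
    if tokens[i] != "{":
        raise ValueError(f"expected '{{' at token {i}, got {tokens[i]!r}")
    block, i = {}, i + 1
    while tokens[i] != "}":
        key, i = tokens[i], i + 1                # a parameter takes one value or a nested block
        block[key], i = _parse_block(tokens, i) if tokens[i] == "{" else (tokens[i], i + 1)
    return block, i + 1                          # index just past the closing '}'

def parse_policy(text):
    """Parse AT-TLS policy text into {(statement_type, name): {param: value}}."""
    tokens = re.findall(r"[{}]|[^\s{}]+", re.sub(r"#.*", "", text))   # '#' starts a comment
    stmts, i = {}, 0
    while i < len(tokens):
        header, i = (tokens[i], tokens[i + 1]), i + 2   # e.g. ("TTLSRule", "XYZClientRule")
        stmts[header], i = _parse_block(tokens, i)
    return stmts

def check_client_rule(stmts, rule_name):
    """Problems with one TTLSRule: dangling action refs, TLS not enabled, wrong role, no key ring."""
    rule = stmts[("TTLSRule", rule_name)]
    group, env = [stmts.get((k, rule.get(k + "Ref")), {}) for k in ("TTLSGroupAction", "TTLSEnvironmentAction")]
    checks = [
        ("TTLSGroupAction missing or TTLSEnabled is not On", group.get("TTLSEnabled", "").lower() == "on"),
        ("TTLSEnvironmentAction missing or HandshakeRole is not CLIENT", env.get("HandshakeRole", "").upper() == "CLIENT"),
        ("no Keyring in TTLSKeyRingParms", "Keyring" in env.get("TTLSKeyRingParms", {})),
    ]
    return [msg for msg, ok in checks if not ok]
```

Running check_client_rule over the parsed clientpath file before loading it into Policy Agent catches a mistyped action name or a missing key ring that would otherwise only surface as a failed handshake at run time.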