Task: Create key ring

Create a client key ring for each client containing the necessary certificate authority certificates. If using client authentication, also connect each client's certificate to its key ring.

Tips:
- To simplify the AT-TLS policy, use the same RACF® key ring name for every client. System SSL qualifies the key ring name with the current user ID when the key ring is accessed.
- Because a copy of the specified key ring contents is loaded into TCP/IP private storage for each user, keep the number of certificates connected to the key ring to a minimum.
Task: Create Policy Agent files

- Create a Policy Agent main configuration file containing a TcpImage statement for the client stack.
- Create a Policy Agent image configuration file for the client stack.
- If AT-TLS policies are to be retrieved from the policy server, create image-specific AT-TLS configuration files and, optionally, common AT-TLS configuration files on the policy server.
Task: Add AT-TLS configuration

- For local AT-TLS policies, add a TTLSConfig statement to the Policy Agent image configuration file, identifying the location of the TTLSConfig policy file:

      TTLSConfig clientpath

- For remote AT-TLS policies, add a PolicyServer statement to the policy client image configuration file:

      PolicyServer
      {
        ClientName name
        PolicyType TTLS
        {
          …
        }
        …
      }

  Then add a DynamicConfigPolicyLoad statement to the policy server main configuration file:

      DynamicConfigPolicyLoad clientname
      {
        PolicyType TTLS
        {
          PolicyLoad clientpath
        }
        …
      }
Task: Add statements to the AT-TLS policy file

Add the AT-TLS policy statements to the clientpath file:

    TTLSRule XYZClientRule
    {
      RemotePortRange 5000
      Direction Outbound
      TTLSGroupActionRef XYZGroup
      TTLSEnvironmentActionRef XYZClientEnvironment
    }
    TTLSGroupAction XYZGroup
    {
      TTLSEnabled On
    }
    TTLSEnvironmentAction XYZClientEnvironment
    {
      TTLSKeyRingParms
      {
        Keyring client_key_ring
      }
      HandshakeRole CLIENT
      Trace 7
    }
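As an added example, not part of the IBM documentation, the following Python checker parses the brace-structured policy syntax shown above and verifies that a client rule resolves to a group action with TTLSEnabled On and an environment action with HandshakeRole CLIENT and a key ring, so that a typo in a reference or a disabled group does not silently leave the client's connections unprotected. It assumes the statement/brace/keyword-value layout seen on this page and does not handle comments; the sample policy string is constructed from the page's example.

```python
import re
# Constructed sample: the client policy shown on this page, as one string.
SAMPLE_POLICY = """TTLSRule XYZClientRule
{
  RemotePortRange 5000
  Direction Outbound
  TTLSGroupActionRef XYZGroup
  TTLSEnvironmentActionRef XYZClientEnvironment
}
TTLSGroupAction XYZGroup
{
  TTLSEnabled On
}
TTLSEnvironmentAction XYZClientEnvironment
{
  TTLSKeyRingParms
  {
    Keyring client_key_ring
  }
  HandshakeRole CLIENT
  Trace 7
}
"""

def parse_block(tokens, pos):  # tokens[pos] == "{"; nested blocks become sub-dicts
    block, pos = {}, pos + 1
    while tokens[pos] != "}":
        key, nested = tokens[pos], tokens[pos + 1] == "{"
        block[key], pos = parse_block(tokens, pos + 1) if nested else (tokens[pos + 1], pos + 2)
    return block, pos + 1
def parse_policy(text):  # -> {(statement_type, name): attributes}
    tokens = re.findall(r"[{}]|[^\s{}]+", text)
    stmts, pos = {}, 0
    while pos < len(tokens):
        key = (tokens[pos], tokens[pos + 1])
        stmts[key], pos = parse_block(tokens, pos + 2)
    return stmts
def check_client_rule(stmts, rule_name):  # findings for a client TTLSRule; [] means sound
    rule = stmts[("TTLSRule", rule_name)]
    group = stmts.get(("TTLSGroupAction", rule.get("TTLSGroupActionRef")), {})
    env = stmts.get(("TTLSEnvironmentAction", rule.get("TTLSEnvironmentActionRef")), {})
    expected = [  # (required setting, value found, consequence when it is wrong)
        ("TTLSEnabled On", group.get("TTLSEnabled"), "connections stay in the clear"),
        ("HandshakeRole CLIENT", env.get("HandshakeRole"), "wrong handshake role")]
    findings = [f"{s} missing ({why})" for s, v, why in expected
                if (v or "").lower() != s.split()[1].lower()]
    if not env.get("TTLSKeyRingParms", {}).get("Keyring"):
        findings.append("Keyring missing (CA certificates cannot be located)")
    return findings
```

An unresolved TTLSGroupActionRef or TTLSEnvironmentActionRef is reported the same way as a missing setting, because the lookup falls back to an empty block.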
Task: Set up InitStack access control

- Define the EZB.INITSTACK.sysname.tcpname profile for each AT-TLS stack.
- Permit administrative applications to use the stack before AT-TLS is initialized.

For examples of the security product commands needed to create this resource profile name and grant users access to it, see member EZARACF in sample data set SEZAINST.
Task: Enable AT-TLS

Set TCPCONFIG TTLS in PROFILE.TCPIP.