Network Configuration
Overview
This chapter describes the network port configuration that must be completed before installing any UKO-related components. The network configuration is a prerequisite for all UKO installations.
Review the port requirements table below to identify which ports you need to reserve based on your planned installation scenario.
Port Requirements by Installation
The following table shows which ports are required for each installation component:
| Component | Required Ports | Server/Process | Example Values |
|---|---|---|---|
| UKO Base (with Agent) | ${AGENT_PORT}, ${SERVER_TLS_PORT}, ${SERVER_NOTLS_PORT} | UKO Agent + UKO Base Liberty Server | 50050, 9443, 9080 |
| UKO Base (without Agent) | ${SERVER_TLS_PORT}, ${SERVER_NOTLS_PORT} | UKO Base Liberty Server only | 9443, 9080 |
| UKO Agent (standalone) | ${AGENT_PORT} | UKO Agent | 50050 |
| CC | ${SERVER_TLS_PORT}, ${SERVER_NOTLS_PORT} | CC Liberty Server | 9444, 9081 |
| CC ACSP | ${SERVER_TLS_PORT}, ${SERVER_NOTLS_PORT}, ${CONFIGURATION_PORT} | CC ACSP Server | 9444, 9081, 9050 |
| CC CAT | ${SERVER_TLS_PORT}, ${SERVER_NOTLS_PORT} | CC Liberty Server | 9444, 9081 |
| MSDKE | Both UKO Base and CC Server ports | UKO Base Liberty Server + CC Liberty Server | See UKO Base and CC rows |
Notes:
- UKO Base Liberty Server and CC Liberty Server are separate server instances. When both run on the same TCP/IP stack they must use different port numbers: a port reserved for one started task cannot be used by another.
- CC CAT and CC run in the CC Liberty Server and share the same server ports. CC ACSP runs as a standalone server.
- MSDKE has components in both UKO Base and CC servers, requiring both sets of ports.
- The ${CONFIGURATION_PORT} for CC ACSP is used for JMX monitoring.
Port Reservation for UKO Base Installation
This section applies to: UKO Base, MSDKE (UKO Base component)
UKO Agent Port
To reserve the UKO Agent port, update the TCP/IP PROFILE, typically located under SYS1.TCPPARMS(PROFILE):
PORT
${AGENT_PORT} TCP ${AGENT_STC_NAME} ; UKO Agent
TCP indicates that the TCP transport layer is used. Replace ${AGENT_PORT} with your selected port number (for example, 50050) and ${AGENT_STC_NAME} with the started task name for the UKO Agent.
UKO Base Liberty Server Ports
To reserve the UKO Base Liberty server ports, add the following statements to the TCP/IP PROFILE:
PORT
${SERVER_NOTLS_PORT} TCP ${SERVER_STC_NAME} ; UKO Liberty server HTTP port
${SERVER_TLS_PORT} TCP ${SERVER_STC_NAME} ; UKO Liberty server HTTPS port
Replace:
- ${SERVER_NOTLS_PORT} with your selected HTTP port number (for example, 9080)
- ${SERVER_TLS_PORT} with your selected HTTPS port number (for example, 9443)
- ${SERVER_STC_NAME} with the started task name for the UKO Liberty server
Note: The HTTP port carries its traffic, including any credentials sent on it, in cleartext, and the extra cost of TLS on the HTTPS port is negligible in comparison. Use HTTPS for all client communication and disable the HTTP port, unless that port is wrapped by an AT-TLS rule (see AT-TLS Setup).
Port Reservation for Crypto Connect Server
This section applies to: Crypto Connect, CC CAT, MSDKE (CC component)
The Crypto Connect Liberty server requires port reservations. CC CAT runs within the CC Liberty server and uses these same ports.
To reserve the CC Liberty server ports, add the following statements to the TCP/IP PROFILE:
PORT
${SERVER_NOTLS_PORT} TCP ${SERVER_STC_NAME} ; Crypto Connect Liberty server HTTP port
${SERVER_TLS_PORT} TCP ${SERVER_STC_NAME} ; Crypto Connect Liberty server HTTPS port
Replace:
- ${SERVER_NOTLS_PORT} with your selected HTTP port number (for example, 9081)
- ${SERVER_TLS_PORT} with your selected HTTPS port number (for example, 9444)
- ${SERVER_STC_NAME} with the started task name for the Crypto Connect Liberty server
Note: The CC Liberty server is a separate instance from the UKO Base Liberty server and typically uses different port numbers.
Port Reservation for CC ACSP Configuration Port
This section applies to: CC ACSP
The CC ACSP server requires an additional configuration port for JMX monitoring. Because JMX exposes management operations, restrict network access to this port to the monitoring hosts that need it. To reserve this port, add the following statement to the TCP/IP PROFILE:
PORT
${CONFIGURATION_PORT} TCP ${SERVER_STC_NAME} ; CC ACSP JMX monitoring port
Replace:
- ${CONFIGURATION_PORT} with your selected monitoring port number (for example, 9050)
- ${SERVER_STC_NAME} with the started task name for the CC ACSP server
For more information about configuring the ACSP monitoring port, see CC ACSP server monitoring.
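The reservations in the three sections above (Agent, UKO Base Liberty, Crypto Connect Liberty and CC ACSP) are easy to get wrong when several components share one TCP/IP stack. The following Python script is an added example, not part of UKO or its documentation: it parses the PORT block of a TCP/IP profile excerpt (constructed here, with assumed started task names EKMF, CCSRV and ACSP that are not product defaults), reports ports reserved for more than one started task, and lists planned reservations that are missing.

```python
"""Check UKO / Crypto Connect port reservations in a z/OS TCP/IP PROFILE.

Added example, not part of the UKO product or its documentation. It parses
the PORT statement block of a TCP/IP profile member (a constructed excerpt is
embedded below), compares the reservations against the planned ports from the
port requirements table, and reports any port that is reserved for more than
one started task.
"""
from collections import defaultdict

# Constructed sample profile; the started task names EKMF, CCSRV and ACSP
# are assumptions for this example, not product defaults.
SAMPLE_PROFILE = """\
; TCP/IP PROFILE excerpt
PORT
   50050 TCP EKMF   ; UKO Agent
   9080  TCP EKMF   ; UKO Liberty server HTTP port
   9443  TCP EKMF   ; UKO Liberty server HTTPS port
   9081  TCP CCSRV  ; Crypto Connect Liberty server HTTP port
   9444  TCP CCSRV  ; Crypto Connect Liberty server HTTPS port
   9050  TCP ACSP   ; CC ACSP JMX monitoring port
   9443  TCP CCSRV  ; mistake: CC reusing the UKO HTTPS port
PORTRANGE 10000 100 TCP OMVS
"""

# Planned reservations from the port requirements table: component -> (port, STC).
PLAN = {
    "UKO Agent": (50050, "EKMF"),
    "UKO Base Liberty HTTP": (9080, "EKMF"),
    "UKO Base Liberty HTTPS": (9443, "EKMF"),
    "CC Liberty HTTP": (9081, "CCSRV"),
    "CC Liberty HTTPS": (9444, "CCSRV"),
    "CC ACSP JMX": (9050, "ACSP"),
}


def parse_port_statements(profile_text):
    """Return [(port, protocol, jobname, comment)] for entries in PORT blocks.

    A PORT block starts with the PORT keyword (entries may follow on the same
    line) and ends at the next statement keyword (PORTRANGE, TCPCONFIG, ...).
    Options after the job name, such as SHAREPORT, are ignored; ';' starts a
    comment.
    """
    entries = []
    in_port_block = False
    for raw in profile_text.splitlines():
        code, _, comment = raw.partition(";")
        code = code.strip()
        if not code:
            continue
        upper = code.upper()
        if upper == "PORT" or upper.startswith("PORT "):
            in_port_block = True
            code = code[4:].strip()
            if not code:
                continue
        elif not code[0].isdigit():
            in_port_block = False            # some other profile statement
            continue
        if not in_port_block:
            continue
        fields = code.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PORT entry: {raw!r}")
        entries.append((int(fields[0]), fields[1].upper(), fields[2].upper(),
                        comment.strip()))
    return entries


def find_conflicts(entries):
    """Map (port, protocol) -> set of jobnames for ports reserved more than once."""
    owners = defaultdict(set)
    for port, proto, jobname, _ in entries:
        owners[(port, proto)].add(jobname)
    return {key: jobs for key, jobs in owners.items() if len(jobs) > 1}


def missing_reservations(entries, plan=PLAN):
    """Return planned components whose port is not reserved for the expected STC."""
    reserved = {(port, jobname) for port, proto, jobname, _ in entries if proto == "TCP"}
    return [name for name, (port, job) in plan.items() if (port, job) not in reserved]


if __name__ == "__main__":
    found = parse_port_statements(SAMPLE_PROFILE)
    for (port, proto), jobs in find_conflicts(found).items():
        print(f"CONFLICT: {proto} port {port} reserved for {sorted(jobs)}")
    for name in missing_reservations(found):
        print(f"MISSING: {name}")
```

Run it against a text copy of SYS1.TCPPARMS(PROFILE) and adjust PLAN to the port numbers and started task names you chose; the duplicate 9443 entry in the sample is the kind of conflict that otherwise only shows up when the second Liberty server fails to bind.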
AT-TLS Setup (Optional)
This section applies to: All components (optional configuration)
Application Transparent Transport Layer Security (AT-TLS) is a capability of z/OS Communications Server that can create a secure session on behalf of UKO (or other z/OS applications). Instead of implementing TLS in UKO, AT-TLS provides encryption and decryption of data based on policy statements that are coded in the Policy Agent. UKO sends and receives cleartext (unencrypted data) as usual while AT-TLS encrypts and decrypts data at the TCP transport layer.
AT-TLS is activated by specifying the TTLS option in the TCPCONFIG statement block in the TCP/IP profile data. For more information on AT-TLS, see Application Transparent Transport Layer Security data protection in the z/OS Communications Server documentation.
Agent AT-TLS Setup
The UKO Agent does not implement TLS itself. By creating a TCP/IP Policy Agent TTLSRule for the Agent port, you can ensure that only TLS connections are accepted on that port without the UKO Agent being aware of it. All the steps for setting up the proprietary Session Link Encryption still apply; the Agent's proprietary protocol is simply wrapped in TLS as well.
Example of defining a UKO Agent AT-TLS rule:
## ----------------------------------------------------------------
# UKO Agent TLS setup
## ----------------------------------------------------------------
TTLSRule UKO_agent_50050
{
LocalPortRange 50050
LocalAddr ALL
Jobname EKMF
Userid EKMF
Direction INBOUND
TTLSGroupActionRef UKO-AGENT-TLS-GRPACTION
TTLSEnvironmentActionRef UKO-AGENT-TLS-ENVACTION
}
## ----------------------------------------------------------------
# UKO Agent group action
## ----------------------------------------------------------------
TTLSGroupAction UKO-AGENT-TLS-GRPACTION
{
TTLSEnabled On
Trace 255
}
## ---------------------------------------------------------------
# UKO Agent environment action
## ---------------------------------------------------------------
TTLSEnvironmentAction UKO-AGENT-TLS-ENVACTION
{
TTLSKeyRingParms
{
Keyring TLS-ACCESS
}
TTLSEnvironmentAdvancedParms
{
ApplicationControlled Off
SecondaryMap Off
TLSV1 Off
TLSV1.1 Off
TLSV1.2 Off
TLSV1.3 On
SSLV3 Off
}
TTLSCipherParms
{
V3CipherSuites TLS_AES_256_GCM_SHA384
}
HandShakeRole Server
}
Note that ApplicationControlled is set to Off and HandShakeRole is Server: AT-TLS terminates the TLS session on behalf of the Agent, which never sees the handshake. The specified Keyring must contain a server certificate with its private key and, normally, the CA certificate that signed it. The UKO server that connects to the UKO Agent must in turn have that CA certificate defined as a CA in its own trust key ring (the ring named by TLS_TRUST_STORE_KEY_RING in the server.env file); otherwise it cannot validate the Agent's certificate and the connection fails. The Trace 255 setting in the group action turns on every AT-TLS trace level, which is useful while verifying the rule; lower it once the rule works.
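To check that a policy actually enforces what the note above describes, the following Python script, an added example that is not part of UKO or of the z/OS Policy Agent, parses the Policy Agent statement syntax and audits the environment action referenced by each TTLSRule. The embedded policy is constructed: it contains the page's UKO_agent_50050 rule and an invented LEGACY_9080 rule with a LEGACY-ENVACTION that shows what findings look like; the AEAD cipher-suite test and the "explicitly Off" requirement are this example's own conservative choices.

```python
"""Audit an AT-TLS policy for the settings the UKO Agent rule depends on.
Added example, not part of UKO or the z/OS Policy Agent: parses the Policy
Agent's brace-delimited syntax and reports, per TTLSRule, legacy protocol
versions not switched off, ApplicationControlled On, a non-server handshake
role and non-AEAD cipher suites in the referenced environment action."""
import re

# Constructed policy: the page's hardened agent rule beside an assumed weak
# LEGACY_9080 rule; the LEGACY_* names are invented for this example.
SAMPLE_POLICY = """\
TTLSRule UKO_agent_50050
{
  LocalPortRange 50050
  Direction INBOUND
  TTLSEnvironmentActionRef UKO-AGENT-TLS-ENVACTION
}
TTLSRule LEGACY_9080
{
  LocalPortRange 9080
  TTLSEnvironmentActionRef LEGACY-ENVACTION
}
TTLSEnvironmentAction UKO-AGENT-TLS-ENVACTION
{
  TTLSKeyRingParms { Keyring TLS-ACCESS }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled Off
    TLSV1 Off
    TLSV1.1 Off
    TLSV1.2 Off
    TLSV1.3 On
    SSLV3 Off
  }
  TTLSCipherParms { V3CipherSuites TLS_AES_256_GCM_SHA384 }
  HandShakeRole Server
}
TTLSEnvironmentAction LEGACY-ENVACTION
{
  TTLSKeyRingParms { Keyring TLS-ACCESS }
  TTLSEnvironmentAdvancedParms { ApplicationControlled On  TLSV1 On  TLSV1.2 On }
  TTLSCipherParms
  {
    V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
    V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  }
  HandShakeRole Server
}
"""
LEGACY = ("SSLV3", "TLSV1", "TLSV1.1")  # must be explicitly Off; defaults vary by z/OS release
AEAD = ("_GCM_", "_CHACHA20_POLY1305_", "_CCM")

def _block(tokens, i):
    """Parse after '{' up to the matching '}'; each keyword maps to a list of values."""
    body = {}
    while tokens[i] != "}":                  # IndexError here means unbalanced braces
        key = tokens[i]
        if tokens[i + 1] == "{":
            value, i = _block(tokens, i + 2)
        else:
            value, i = tokens[i + 1], i + 2
        body.setdefault(key, []).append(value)
    return body, i + 1

def parse_policy(text):
    """Return {(statement type, name): body} for every top-level statement."""
    tokens = [t for line in text.splitlines()
              for t in re.findall(r"[{}]|[^\s{}]+", line.split("#", 1)[0])]
    objects, i = {}, 0
    while i < len(tokens):
        kind, name, brace = tokens[i:i + 3]
        if brace != "{":
            raise ValueError(f"expected '{{' after {kind} {name}")
        objects[(kind, name)], i = _block(tokens, i + 3)
    return objects

def _setting(body, key):
    """First value of a scalar keyword, lower-cased; '' when the keyword is absent."""
    return body.get(key, [""])[0].lower()

def audit_environment(env):
    """Findings for one TTLSEnvironmentAction body; an empty list means it passes."""
    adv = env.get("TTLSEnvironmentAdvancedParms", [{}])[0]
    findings = [f"{p} not explicitly Off" for p in LEGACY if _setting(adv, p) != "off"]
    if "on" not in (_setting(adv, "TLSV1.2"), _setting(adv, "TLSV1.3")):
        findings.append("neither TLSV1.2 nor TLSV1.3 is On")
    if _setting(adv, "ApplicationControlled") == "on":
        findings.append("ApplicationControlled On, but UKO is an unaware application")
    if _setting(env, "HandShakeRole") != "server":
        findings.append("HandShakeRole is not Server")
    suites = env.get("TTLSCipherParms", [{}])[0].get("V3CipherSuites", [])
    findings += [f"non-AEAD cipher suite {s}" for s in suites if not any(m in s for m in AEAD)]
    return findings

def audit_policy(text):
    """Resolve each TTLSRule's environment action and audit it."""
    objects = parse_policy(text)
    report = {}
    for (kind, name), rule in objects.items():
        if kind == "TTLSRule":
            ref = rule.get("TTLSEnvironmentActionRef", [None])[0]
            env = objects.get(("TTLSEnvironmentAction", ref))
            report[name] = audit_environment(env) if env is not None else ["environment action not found"]
    return report
```

Silence about SSLV3, TLSV1 or TLSV1.1 is reported as a finding on purpose: the Policy Agent's defaults for those versions have changed between z/OS releases, so a policy that relies on the default is not portable between systems.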
Server AT-TLS Setup
AT-TLS supports different types of application:
- An unaware application is unaware that AT-TLS is performing encryption or decryption of data.
- An aware application is aware of AT-TLS and can query information such as AT-TLS status and the partner certificate.
- A controlling application is aware of AT-TLS and can control the secure session.
UKO is an unaware AT-TLS application and therefore has no access to the partner certificate. This means that a z/OS subsystem cannot use a client certificate to authenticate with UKO when the connection between the z/OS subsystem and UKO is secured by using AT-TLS; such a client has to be authenticated at the application layer instead.
For more information about AT-TLS and AT-TLS policy setup, refer to the z/OS Communications Server documentation.
Database AT-TLS Setup
Refer to the Db2 for z/OS documentation for instructions on how Db2 uses the AT-TLS support.
IPv6 Setup (Optional)
This section applies to: All components (optional configuration)
This section describes how to initialize a TCP/IP stack for use with both IPv4 and IPv6 addresses (a dual-mode stack).
To enable TCP/IP for an IPv4/IPv6 dual-mode stack:
- Modify the BPXPRMxx member to define two NETWORK statements, one for AF_INET and another for AF_INET6.
The following example shows two NETWORK statements in the BPXPRMxx member:
FILESYSTYPE TYPE(INET) ENTRYPOINT(EZBPFINI)
NETWORK DOMAINNAME(AF_INET)
DOMAINNUMBER(2)
MAXSOCKETS(12000)
TYPE(INET)
NETWORK DOMAINNAME(AF_INET6)
DOMAINNUMBER(19)
MAXSOCKETS(13000)
TYPE(INET)
SUBFILESYSTYPE NAME(TCPIP) ENTRYPOINT(EZBPFINI)
TYPE(INET)
- To verify that TCP/IP is configured to support a dual-mode environment, enter a d tcpip,,netstat,home command on the z/OS® console. Look for the INTFNAME field that has a value of LOOPBACK6 and verify that the associated ADDRESS field has a compressed colon-hexadecimal IPv6 address of ::1.
The following example shows that TCP/IP is configured to support both IPv4 and IPv6:
d tcpip,,netstat,home
EZD0101I NETSTAT CS V1R5 TCPIP 034
HOME ADDRESS LIST:
LINKNAME: CTC1LINK
ADDRESS: 9.30.115.135
FLAGS: PRIMARY
LINKNAME: LOOPBACK
ADDRESS: 127.0.0.1
FLAGS:
INTFNAME: LOOPBACK6
ADDRESS: ::1
TYPE: LOOPBACK
FLAGS:
3 OF 3 RECORDS DISPLAYED
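The verification step above is a visual check of the console display. The following Python script is an added example, not part of UKO or z/OS: it parses the HOME ADDRESS LIST section of a D TCPIP,,NETSTAT,HOME display (the page's sample output, embedded here as a constructed string) into one record per link or interface, validates every address with the standard ipaddress module, and decides whether the stack is dual-mode by the same criterion the text gives (LOOPBACK6 present with ::1) plus the presence of at least one IPv4 home address.

```python
"""Check a D TCPIP,,NETSTAT,HOME display for an IPv4/IPv6 dual-mode stack.

Added example, not part of UKO or z/OS. Parses the HOME ADDRESS LIST of the
console display into records, validates the addresses, and reports whether
the LOOPBACK6 interface with ::1 and at least one IPv4 home address are both
present. The display text below is the page's sample, embedded as a string.
"""
import ipaddress
import re

SAMPLE_NETSTAT_HOME = """\
EZD0101I NETSTAT CS V1R5 TCPIP 034
HOME ADDRESS LIST:
LINKNAME: CTC1LINK
ADDRESS: 9.30.115.135
FLAGS: PRIMARY
LINKNAME: LOOPBACK
ADDRESS: 127.0.0.1
FLAGS:
INTFNAME: LOOPBACK6
ADDRESS: ::1
TYPE: LOOPBACK
FLAGS:
3 OF 3 RECORDS DISPLAYED
"""


def parse_home_list(display):
    """Return one dict per LINKNAME/INTFNAME record: kind, name, address, flags, type."""
    records = []
    for line in display.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue                          # message id, record count, etc.
        key, value = key.strip().upper(), value.strip()
        if key in ("LINKNAME", "INTFNAME"):
            records.append({"kind": key, "name": value, "flags": []})
        elif not records:
            continue                          # e.g. "HOME ADDRESS LIST:"
        elif key == "ADDRESS":
            records[-1]["address"] = ipaddress.ip_address(value)  # raises on garbage
        elif key == "FLAGS":
            records[-1]["flags"] = value.split()
        elif key == "TYPE":
            records[-1]["type"] = value
    return records


def display_complete(display):
    """True when the 'n OF m RECORDS DISPLAYED' trailer says nothing was truncated."""
    match = re.search(r"(\d+) OF (\d+) RECORDS DISPLAYED", display)
    return match is not None and match.group(1) == match.group(2)


def is_dual_mode(records):
    """True if LOOPBACK6 carries ::1 and at least one IPv4 home address exists."""
    versions = {r["address"].version for r in records if "address" in r}
    has_loopback6 = any(r["kind"] == "INTFNAME" and r["name"] == "LOOPBACK6"
                        and r.get("address") == ipaddress.IPv6Address("::1")
                        for r in records)
    return has_loopback6 and 4 in versions


def check_stack(display):
    """Summarize a display: completeness, dual-mode verdict and the home addresses."""
    records = parse_home_list(display)
    return {
        "complete": display_complete(display),
        "dual_mode": is_dual_mode(records),
        "ipv4": [str(r["address"]) for r in records if r.get("address") and r["address"].version == 4],
        "ipv6": [str(r["address"]) for r in records if r.get("address") and r["address"].version == 6],
    }


if __name__ == "__main__":
    print(check_stack(SAMPLE_NETSTAT_HOME))
```

The completeness check matters when the display is captured from a console with a line limit: a truncated list can hide the LOOPBACK6 entry and produce a false negative.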