z/OS® Communications Server stores all configuration settings for AT-TLS in a central component called the Policy Agent. As the name suggests, this agent executes a policy, which is a set of configurable instructions. You must adapt the policy for encrypted network traffic between a client LPAR and Db2 Data Gate.
Important: Configuring the Policy Agent requires the OpenShift® route hostname and the IP address and route port of the Db2 Data Gate instance. If you have not yet created a Db2 Data Gate instance, you can still configure the Policy Agent as described here with proper planning for the hostname, IP address, and port. If the Db2 Data Gate instance is already created, the route hostname and route port are listed on the Db2 Data Gate instance page (in My instances). The IP address of the Db2 Data Gate instance can be determined using the ping command.
About this task
The following steps show how to configure the Policy Agent for a single client LPAR and a Db2 Data Gate instance. It is a walk-through based on examples. The following IP addresses, user ID, and key ring are used in the examples:
Db2 Data Gate IP address | 9.30.198.104
route hostname | dg01.apps.dgsvt2.os.fyre.ibm.com
route port | 443
TSO user ID of key ring owner | ID of Db2 started task user, for example DB2USER
Key ring | DB2AKEYRING
- Use TSO to log on to the z/OS client LPAR that connects to the Db2 Data Gate instance.
- Open the Policy Agent configuration file in an editor, such as ISPF.
- Add a TTLSCipherParms element that specifies the encryption algorithms to be used for the TLS connection.
Specify the following CIPHERS:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Note: AES 128 is faster, but AES 256 is more secure. You can enforce the use of a specific
cipher by specifying one cipher only. By default, AES 128 is used if you specify both.
The following example uses the V3CipherSuites4Char keyword to specify these ciphers as a combination of two 4-digit hexadecimal cipher suite codes (C02F is the AES 128 suite, C030 the AES 256 suite):
TTLSCipherParms StunnelParms
{
V3CipherSuites4Char C02FC030
}
Alternatively, you can specify the ciphers in the following way:
TTLSCipherParms StunnelParms
{
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
Important: Only use the ciphers listed in the example above. Do not specify other ciphers.
- Add a TLS group action that enables AT-TLS security:
TTLSGroupAction StunnelGroup
{
TTLSEnabled On
}
- Specify a TLS environment that includes the following information:
- The key ring containing the root certificate
- Use of TLS version 1.2 as the only supported protocol
- Client authentication pass-thru (optional)
- ClientHandshakeSNI is required and specifies the route hostname in ClientHandshakeSNIList
- CLIENT as the handshake role
- The TTLSCipherParms element defined before
- The trace level (use different trace levels for production (0) and problem diagnosis (7 or 255))
According to the example, this results in the following specification:
TTLSEnvironmentAction StunnelClientEnvironment
{
TTLSKeyRingParms
{
Keyring DB2USER/DB2AKEYRING
}
TTLSEnvironmentAdvancedParms
{
SSLv2 Off
SSLv3 Off
TLSv1 Off
TLSv1.1 Off
TLSv1.2 On
ClientAuthType PassThru
CLIENTHANDSHAKESNI REQUIRED
CLIENTHANDSHAKESNIMATCH OPTIONAL
CLIENTHANDSHAKESNILIST dg01.apps.dgsvt2.os.fyre.ibm.com
}
HandshakeRole CLIENT
TTLSCipherParmsRef StunnelParms
Trace 7
}
- Add an outbound TTLS rule that combines the remote address, the port range, the TTLS group action, and the TTLS environment action. For the current example, this rule looks similar to the following:
TTLSRule StunnelDWP1Sim148
{
REMOTEPORTRANGE 443
REMOTEADDR 9.30.198.104
Direction Outbound
TTLSGroupActionRef StunnelGroup
TTLSEnvironmentActionRef StunnelClientEnvironment
}
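To catch drift from the settings above before the policy is refreshed, here is an added example (written for this page; it is not IBM's code or part of Policy Agent) that parses an AT-TLS policy fragment in the brace-block form shown on this page and lints it against the page's requirements: only the two approved ciphers, TLS 1.2 as the sole protocol, SNI required with the route hostname, the CLIENT role, and every Ref naming a defined statement. The embedded sample repeats the page's policy in a compact layout, and the parser assumes one value per keyword; both are simplifications of mine.

```python
import re
APPROVED = {"C02F", "C030",  # 4Char codes of the two ciphers the page allows
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
REQUIRED_ENV = {"SSLV2": "OFF", "SSLV3": "OFF", "TLSV1": "OFF", "TLSV1.1": "OFF", "TLSV1.2": "ON",
                "CLIENTHANDSHAKESNI": "REQUIRED", "HANDSHAKEROLE": "CLIENT", "CLIENTHANDSHAKESNILIST": ""}
REFS = [("TTLSEnvironmentAction", "TTLSCIPHERPARMSREF", "TTLSCipherParms"),
        ("TTLSRule", "TTLSGROUPACTIONREF", "TTLSGroupAction"), ("TTLSRule", "TTLSENVIRONMENTACTIONREF", "TTLSEnvironmentAction")]

def parse_policy(text):
    """Map (statement, name) -> {KEYWORD: [values]} per top-level block; nested blocks are flattened in."""
    toks = re.findall(r"[{}]|[^\s{}]+", re.sub(r"#.*", "", text))  # '#' starts a comment
    policy, cur, depth, i = {}, None, 0, 0
    while i < len(toks):
        if toks[i] == "}":
            depth, i = depth - 1, i + 1
        elif depth == 0:                                # 'Statement Name {'
            cur = policy.setdefault((toks[i], toks[i + 1]), {})
            depth, i = 1, i + 3
        elif toks[i + 1] == "{":                        # nested header such as TTLSKeyRingParms
            depth, i = depth + 1, i + 2
        else:                                           # 'Keyword value' (one value per keyword assumed)
            cur.setdefault(toks[i].upper(), []).append(toks[i + 1])
            i += 2
    return policy

def lint_policy(text):
    """Return findings; an empty list means the fragment meets the page's requirements."""
    f, p = [], parse_policy(text)
    of = lambda stmt: {n: v for (s, n), v in p.items() if s == stmt}
    get = lambda blk, key: blk.get(key, [""])[0]
    for name, cp in of("TTLSCipherParms").items():
        listed = cp.get("V3CIPHERSUITES", []) + [h[i:i + 4] for h in cp.get("V3CIPHERSUITES4CHAR", [])
                                                 for i in range(0, len(h), 4)]
        f += [f"{name}: cipher {c} is not in the approved list" for c in listed if c.upper() not in APPROVED]
    for name, env in of("TTLSEnvironmentAction").items():   # explicit settings, not release defaults
        f += [f"{name}: {k} must be {v or 'set'}" for k, v in REQUIRED_ENV.items()
              if (v and get(env, k).upper() != v) or not get(env, k)]
    for stmt, ref, target in REFS:                           # every *Ref must name a defined statement
        f += [f"{n}: {ref} does not resolve" for n, b in of(stmt).items() if get(b, ref) not in of(target)]
    return f

# Constructed sample: the page's policy in compact layout (the parser also accepts one parameter per line)
SAMPLE = """
TTLSCipherParms StunnelParms { V3CipherSuites4Char C02FC030 } TTLSGroupAction StunnelGroup { TTLSEnabled On }
TTLSEnvironmentAction StunnelClientEnvironment {
  TTLSKeyRingParms { Keyring DB2USER/DB2AKEYRING }
  TTLSEnvironmentAdvancedParms { SSLv2 Off SSLv3 Off TLSv1 Off TLSv1.1 Off TLSv1.2 On ClientAuthType PassThru
    ClientHandshakeSNI Required ClientHandshakeSNIList dg01.apps.dgsvt2.os.fyre.ibm.com }
  HandshakeRole Client TTLSCipherParmsRef StunnelParms Trace 0 }
TTLSRule StunnelDWP1Sim148 { RemotePortRange 443 RemoteAddr 9.30.198.104 Direction Outbound
  TTLSGroupActionRef StunnelGroup TTLSEnvironmentActionRef StunnelClientEnvironment }
"""
```

Running `lint_policy(SAMPLE)` on the page's settings returns no findings; editing the sample to leave TLSv1.1 on or to add a cipher code outside the approved pair produces one finding per deviation.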
- Activate the changed AT-TLS policy by refreshing the Policy Agent with the following TSO command: