Defining TTLS rules

Follow the examples in the steps below to define TTLS rules. A TTLS rule is required for each connection that is used by the IBM Integrated Synchronization process. TTLS rules are picked up by the Policy Agent (PAGENT). They specify the port numbers, network directions, key rings (certificates), and the encryption algorithms a connection can use.

Procedure

  1. Rules for the Policy Agent are kept in a configuration file that is reached through the TCP/IP setup, so you have to locate this file first.
    1. Open the JCL job for the TCPIP started task.
    2. Locate the PROFILE DD card in this job.
    3. Check if AT-TLS is enabled by looking at the TCPCONFIG statement.
      It needs to contain the following entries:
      TCPCONFIG
          TTLS                     ; Enable AT-TLS Function
          INTERVAL 5               ; Send KeepAlive every 5 minutes
          .
          TCPMAXRCVBUFRSIZE  2097152
          TCPMAXSENDBUFRSIZE 2097152
      
    4. If AT-TLS has been enabled, you can identify the relevant configuration files by checking the Policy Agent started task.
    5. Locate the PARM option in the JCL job for the Policy Agent started task.
      It refers to a configuration file, which in turn refers to the AT-TLS configuration file by means of the TTLSConfig statement:
      TTLSConfig  //'SYS1.TCPPARMS(TTLS)'

      So in this case, the name of the AT-TLS configuration file is SYS1.TCPPARMS(TTLS).

  2. Open the AT-TLS configuration file identified in the previous step and add the required settings for IBM Integrated Synchronization.
    Connections to the distributed data facility (DDF) for IBM Integrated Synchronization must be encrypted. So each connection used for this purpose requires a TTLS rule. Connections are identified by their IP addresses, port numbers, and started task names.

    The AT-TLS configuration file consists of named blocks of settings. Because each block has a unique name, other rules can refer to it and so share its settings. You can add new definitions at the end of the configuration file; just make sure that the names you choose are unique.

    1. A connection for IBM Integrated Synchronization between a single Db2 subsystem and an accelerator requires a TTLS rule as shown in the following example:
      ###############################################
      # Rules for SSL access to Db2 DDF
      ###############################################
      TTLSRule DB11Rule15111
      {
         LocalPortRange           15111
         JobName                  DB11DIST
         Direction                Inbound
         TTLSGroupActionRef       Db2SslGroup
         TTLSEnvironmentActionRef DB11SslEnv
      }
      

      This rule refers to a standalone Db2 subsystem with the name DB11. The DDF listens to incoming connections on secure port 15111. The name of the Db2 subsystem is reflected in the address space name of the DDF, which is DB11DIST.

      Important: A rule for a data sharing group is slightly different. However, most of the steps in this section also apply to the rule for a data sharing group. See the next section for instructions on how to make the necessary changes for a data sharing group.

      The rule contains two references to other definition blocks within the AT-TLS configuration file:

      • TTLSGroupActionRef Db2SslGroup
      • TTLSEnvironmentActionRef DB11SslEnv

      Referring to definition blocks by name is the usual way of specifying TTLS configuration options: the same block can be reused in other rules simply by specifying its unique name.

    2. A suitable definition block for the TTLSGroupActionRef looks as follows:
      TTLSGroupAction Db2SslGroup
      {
         TTLSEnabled       On
         CtraceClearText   On
      }
      

      This definition block enables AT-TLS for every rule that refers to it and turns on CtraceClearText, which writes the decrypted (clear text) application data to the TCP/IP CTRACE. This is useful while you verify the setup; set it to Off once the connection works so that decrypted DDF traffic is not captured in traces.

    3. The other reference, TTLSEnvironmentActionRef, points to a definition block that specifies the key ring the connection accesses, the security protocol, the role in the TLS handshake, and the encryption algorithms the connection can use. Enable only TLSv1.2 or a higher protocol version; older protocols are considered unsafe, and their use is deprecated.
      A suitable definition block for this reference looks like this:
      TTLSEnvironmentAction DB11SslEnv
      {
         TTLSKeyRingParms
         {
             Keyring           DB11KEYRING
         }
         TTLSEnvironmentAdvancedParms
         {
             TLSv1             Off
             TLSv1.1           Off
             TLSv1.2           On
             ClientAuthType    PassThru
         }
         HandShakeRole         Server
         TTLSCipherParmsRef    Db2SslCipherParms
      }
      

      The key ring referred to is DB11KEYRING, and the handshake role must be set to Server because the rule covers inbound connections to the DDF. The encryption algorithms are again defined in a separate block, which is referenced here by its name, Db2SslCipherParms.

    4. The following example shows what the Db2SslCipherParms block might look like:
      TTLSCipherParms Db2SslCipherParms
      {
          V3CipherSuites     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          V3CipherSuites     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      }
      
  3. Save your AT-TLS configuration file when your rule definitions are complete.
  4. To let the changes take effect, refresh the address space of the Policy Agent from the console:
    /f PAGENT,REFRESH
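As an added check before you refresh PAGENT (example code written for this page; it is not part of IBM's documentation, of the Policy Agent, or of any IBM product), the following Python script parses an AT-TLS configuration fragment like the one assembled in step 2 and verifies what the procedure asks for: that every TTLSGroupActionRef, TTLSEnvironmentActionRef and TTLSCipherParmsRef names a block that actually exists, that block names are unique, that TLSv1 and TLSv1.1 are explicitly Off, and that the V3CipherSuites are ECDHE/GCM suites; it also warns when CtraceClearText is On. The SAMPLE_CONFIG string is a constructed copy of the four blocks above. The parser assumes only the syntax shown in the examples (a block is `Kind Name` followed by a `{ ... }` body of `Key Value` statements, and `#` starts a comment) and flattens inline sub-blocks such as TTLSKeyRingParms into the enclosing block. The linter demands an explicit Off for TLSv1 and TLSv1.1 on the assumption that AT-TLS leaves them enabled when they are not mentioned.

```python
import re

# Constructed sample: the four blocks from the procedure above, as they sit together at the end of the AT-TLS file.
SAMPLE_CONFIG = """# Rules for SSL access to Db2 DDF
TTLSRule DB11Rule15111
{
   LocalPortRange           15111
   JobName                  DB11DIST
   Direction                Inbound
   TTLSGroupActionRef       Db2SslGroup
   TTLSEnvironmentActionRef DB11SslEnv
}
TTLSGroupAction Db2SslGroup
{
   TTLSEnabled       On
   CtraceClearText   On
}
TTLSEnvironmentAction DB11SslEnv
{
   TTLSKeyRingParms
   {
       Keyring           DB11KEYRING
   }
   TTLSEnvironmentAdvancedParms
   {
       TLSv1             Off
       TLSv1.1           Off
       TLSv1.2           On
       ClientAuthType    PassThru
   }
   HandShakeRole         Server
   TTLSCipherParmsRef    Db2SslCipherParms
}
TTLSCipherParms Db2SslCipherParms
{
   V3CipherSuites     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
   V3CipherSuites     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
"""


class Block:
    """A top-level 'Kind Name { ... }' block; params maps key -> list of values (keys may repeat)."""
    def __init__(self, kind, name):
        self.kind, self.name, self.params = kind, name, {}

    def get(self, key):
        return self.params.get(key, [None])[0]


def parse(text):
    """Parse the named blocks; '#' starts a comment, inline sub-blocks are flattened into their parent."""
    tokens = re.findall(r"[{}]|[^\s{}]+", re.sub(r"#.*", "", text))
    pos, blocks = 0, []
    def body(block):
        nonlocal pos
        while tokens[pos] != "}":               # IndexError here means unbalanced braces
            if tokens[pos + 1] == "{":          # 'TTLSKeyRingParms {' etc.: merge its statements into the parent
                pos += 2
                body(block)
            else:                               # 'Key Value' statement
                block.params.setdefault(tokens[pos], []).append(tokens[pos + 1])
                pos += 2
        pos += 1                                # consume the closing brace
    while pos < len(tokens):
        if tokens[pos + 2] != "{":
            raise ValueError(f"expected 'Kind Name {{' at token {tokens[pos]!r}")
        blocks.append(Block(tokens[pos], tokens[pos + 1]))
        pos += 3
        body(blocks[-1])
    return blocks


def lint(text):
    """Return 'ERROR ...' / 'WARN ...' strings for the rules in an AT-TLS policy text."""
    findings, by_kind = [], {}
    for b in parse(text):                       # names must be unique within a block kind
        if b.name in by_kind.setdefault(b.kind, {}):
            findings.append(f"ERROR duplicate {b.kind} name {b.name}")
        by_kind[b.kind][b.name] = b
    def resolve(block, ref):                    # TTLSGroupActionRef X must name a TTLSGroupAction block X
        target = by_kind.get(ref[:-3], {}).get(block.get(ref))
        if target is None:
            findings.append(f"ERROR {block.kind} {block.name}: {ref} {block.get(ref)} is not defined")
        return target
    for rule in by_kind.get("TTLSRule", {}).values():
        group, env = resolve(rule, "TTLSGroupActionRef"), resolve(rule, "TTLSEnvironmentActionRef")
        if group and group.get("CtraceClearText") == "On":
            findings.append(f"WARN TTLSGroupAction {group.name}: CtraceClearText On traces decrypted data")
        if env is None:
            continue
        for proto in ("TLSv1", "TLSv1.1"):      # assumed left On by AT-TLS unless explicitly turned Off
            if env.get(proto) != "Off":
                findings.append(f"ERROR TTLSEnvironmentAction {env.name}: {proto} is not explicitly Off")
        ciphers = resolve(env, "TTLSCipherParmsRef")
        for suite in (ciphers.params.get("V3CipherSuites", []) if ciphers else []):
            if "ECDHE" not in suite or "GCM" not in suite:
                findings.append(f"WARN TTLSCipherParms {ciphers.name}: {suite} is not an ECDHE/GCM suite")
    return findings
```

Call lint() on the text of your own AT-TLS configuration file; an empty list means none of the checks fired. Against the sample it reports only the CtraceClearText warning. Re-enabling TLSv1 produces an ERROR for the environment action, and misspelling a referenced block name (a typo in TTLSCipherParmsRef, for instance) produces an ERROR naming the reference that does not resolve, which is the kind of mistake PAGENT would otherwise surface only at refresh time.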