Encrypting outbound network traffic from Db2 for z/OS to Data Gate on Cloud
To encrypt network traffic between Db2® for z/OS® and a Data Gate on Cloud instance on Red Hat® OpenShift®, specific software components are required.
On Red Hat OpenShift, Data Gate on Cloud will define an OpenShift load balancer service when the service is provisioned. This load balancer exposes the Data Gate on Cloud service externally using a network load balancer on AWS, which is in turn exposed by an endpoint service.
On z/OS, various components of the z/OS Communications Server must be configured. z/OS makes use of AT-TLS. In addition, a certificate and an RSA key pair are required.
Software
- The following software components on the z/OS (LPAR) side must be operational:
  - Policy Agent (a component of z/OS Communications Server; version 1.2 or higher is required)
  - Optional: SYSLOG daemon (SYSLOGD)
Certificate and keys
To encrypt the network traffic between a z/OS LPAR and an accelerator, you need:
- An RSA key pair
- A public key certificate of type X.509, signed by a shared certificate authority, in PKCS#12 format
The certificate is stored in a keyring on the LPAR. The keyring contains all credentials used by the AT-TLS policy configuration. The private RSA key, as well as the certificate from the keyring (in PKCS#12 format), are required on the Data Gate on Cloud instance on Red Hat OpenShift.
If more than one Data Gate on Cloud instance is involved: each Data Gate on Cloud instance needs its own dedicated private key and a certificate that was issued by the certificate authority (CA). All Data Gate on Cloud instances attached to a specific LPAR require certificates that were signed by the same CA.
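As an added example that is not part of the IBM documentation, the following OpenSSL script shows how the certificate requirements above fit together: one shared CA, a dedicated RSA key pair and CA-signed X.509 certificate per Data Gate on Cloud instance, each exported as PKCS#12, plus a check that every bundle chains to the same CA. Instance names, paths and the export password are placeholders; on z/OS the keyring itself is managed with the security product's certificate tooling, not OpenSSL.

```shell
#!/bin/sh
# Constructed example: shared CA, one RSA key pair + CA-signed certificate per
# Data Gate on Cloud instance, PKCS#12 export, and a chain check against the CA.
# All names, paths and the password below are placeholders.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
P12PASS="${P12PASS:-changeit}"   # placeholder PKCS#12 export password

# Create the shared certificate authority (self-signed, RSA 2048).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
    -subj "/CN=Example Data Gate CA" 2>/dev/null
}

# Issue a dedicated RSA key pair and a CA-signed X.509 certificate for one
# instance ($1 = instance name) and export both as a PKCS#12 bundle.
issue_instance() {
  name="$1"
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" \
    -subj "/CN=$name" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/$name.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 365 \
    -out "$WORKDIR/$name.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORKDIR/$name.key" -in "$WORKDIR/$name.crt" \
    -certfile "$WORKDIR/ca.crt" -name "$name" \
    -out "$WORKDIR/$name.p12" -passout "pass:$P12PASS"
}

# Check that the certificate inside a PKCS#12 bundle ($1 = instance name)
# was issued by the shared CA. Returns 0 if it chains to ca.crt, non-zero otherwise.
verify_bundle() {
  openssl pkcs12 -in "$WORKDIR/$1.p12" -clcerts -nokeys \
    -passin "pass:$P12PASS" 2>/dev/null \
    | openssl verify -CAfile "$WORKDIR/ca.crt" >/dev/null 2>&1
}
```

Run `make_ca`, then `issue_instance <name>` once per instance, and `verify_bundle <name>` before handing a bundle to an instance; a bundle issued by any other CA fails the check.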