AT-TLS policy

A TTLS policy describes the desired AT-TLS rules. As defined in the Policy Agent configuration file, the TTLS policy is located in /etc/pagent.ttls.conf. The necessary definitions in your security software are covered later.

This example shows a fairly simple, two-rule policy that disables SSL v3 and enables TLS v1, TLS v1.1, and TLS v1.2 support for both communication paths supported by the z/OS RSE connection, Debug Manager, and Debug Engine-Client.
##
## TCP/IP Policy Agent AT-TLS configuration information.
##
##-----------------------------
TTLSRule                      zOS_Debugger_Debug_Manager
{
 LocalPortRange           5335
 Direction                Inbound
 TTLSGroupActionRef       grp_Production
 TTLSEnvironmentActionRef act_zOS_Debugger_Debug_Manager
}
##-----------------------------
TTLSEnvironmentAction         act_zOS_Debugger_Debug_Manager
{
 HandshakeRole Server
 TTLSKeyRingParms
 {
  Keyring dbgmgr.racf      # Keyring must be owned by the Debug Manager
 }
 TTLSEnvironmentAdvancedParms
 {
  ApplicationControlled Off
  TLSV1.2 On
  # TLSv1 & TLSv1.1 are on by default
  SSLV3 Off
  # disable SSLv3
 }
}
##-----------------------------
TTLSGroupAction               grp_Production
{
 TTLSEnabled               On
 Trace                     3     # Log Errors to syslogd & IP joblog
#Trace                     254   # Log everything to syslogd
}

A TTLS policy allows for a wide range of filters to specify when a rule applies.

Debug Manager is a server that listens on port 5335 for incoming connections from Debug Engine. This information is captured in the zOS_Debugger_Debug_Manager rule.

Since encrypted communication requires the use of a server certificate, you specify that the Policy Manager must use the certificates on the dbgmgr.racf key ring, which is owned by the Debug Manager started task user ID. By default, TLS v1.2 support is disabled, so this policy explicitly enables it. SSLv3.0 is explicitly disabled due to known vulnerabilities in this protocol.
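A small policy checker, added here as an example and not part of the z/OS Debugger documentation or of any IBM tool, that parses the brace-delimited pagent.ttls.conf syntax shown above and reports every TTLSEnvironmentAction that does not explicitly turn SSLV3 off, turn TLSV1.2 on, and name a Keyring. The names parse, audit and WEAK are the example's own; the WEAK sample is a constructed weakened copy of the environment action above, not a configuration from the page.

```python
# Constructed sample (not from the page): an environment action that leaves SSLV3 on and never turns TLSV1.2 on.
WEAK = """
TTLSEnvironmentAction         act_zOS_Debugger_Debug_Manager
{
 HandshakeRole Server
 TTLSKeyRingParms
 {
  Keyring dbgmgr.racf      # Keyring must be owned by the Debug Manager
 }
 TTLSEnvironmentAdvancedParms
 {
  ApplicationControlled Off
  SSLV3 On
 }
}
"""
def parse(text):
    """Parse policy statements into {(type, name): {key: value-or-subdict}}."""
    toks = [t for t in (l.split("#", 1)[0].strip() for l in text.splitlines()) if t]
    pos = 0
    def block():            # consume "{ ... }" starting at toks[pos]
        nonlocal pos
        d, pos = {}, pos + 1
        while toks[pos] != "}":
            key, _, val = toks[pos].partition(" ")
            pos += 1
            d[key] = block() if toks[pos] == "{" else val.strip()
        pos += 1
        return d
    policy = {}
    while pos < len(toks):
        stype, _, name = toks[pos].partition(" ")
        pos += 1
        policy[(stype, name.strip())] = block()
    return policy
def audit(policy):
    """Findings per TTLSEnvironmentAction; protocol defaults vary by z/OS release, so require explicit values."""
    findings = []
    for (stype, name), env in policy.items():
        if stype != "TTLSEnvironmentAction":
            continue
        adv = env.get("TTLSEnvironmentAdvancedParms", {})
        if adv.get("SSLV3", "").lower() != "off":
            findings.append(f"{name}: SSLV3 is not explicitly Off")
        if adv.get("TLSV1.2", "").lower() != "on":
            findings.append(f"{name}: TLSV1.2 is not explicitly On")
        if "Keyring" not in env.get("TTLSKeyRingParms", {}):
            findings.append(f"{name}: no Keyring in TTLSKeyRingParms")
    return findings
```

Running audit(parse(WEAK)) reports the two protocol findings; the same function returns an empty list for the policy shown above.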

Note: For more complex policies, you should use the IBM® Configuration Assistant for z/OS® Communications Server. This is a GUI-based tool that provides a guided interface for configuring TCP/IP policy-based networking functions and is available as a task in IBM z/OS Management Facility (z/OSMF), and as a stand-alone workstation application.

AT-TLS policy in the sysplex environment

Similar to AT-TLS rules for configuring the communication between Debug Manager and the client via the external port, communication between Debug Manager instances running on different LPARs in the sysplex environment can also be configured with AT-TLS policies.

The primary node can use a configuration identical to the example above. A secondary node acts as a client that connects to primary_node_ip:5337 in this communication. The example below shows an outbound policy that disables SSL v3 and enables TLS v1, TLS v1.1, and TLS v1.2 support. The group action reference grp_Production is identical to the one above and thus not shown here.
##
## TCP/IP Policy Agent AT-TLS configuration information.
##
##-----------------------------
TTLSRule                      zOS_Debugger_DBM_SN
{
 RemoteAddr               primary_node_ip
 RemotePortRange          5337
 Direction                Outbound
 TTLSGroupActionRef       grp_Production
 TTLSEnvironmentActionRef act_zOS_Debugger_DBM_SN
}

##-----------------------------
TTLSEnvironmentAction         act_zOS_Debugger_DBM_SN
{
 HandshakeRole Client
 TTLSKeyRingParms
 {
  Keyring dbgmgr.racf      # Keyring must be owned by the Debug Manager
 }
 TTLSEnvironmentAdvancedParms
 {
  ApplicationControlled Off
  TLSV1.2 On
  # TLSv1 & TLSv1.1 are on by default
  SSLV3 Off
  # disable SSLv3
 }
}