Encrypted communication
If the debug client uses encryption to communicate with the Remote System Explorer (RSE) daemon, by default, the client also uses encryption to communicate with the host-based Debug Manager.
The following table shows whether a debug session can be started successfully with encrypted communication disabled or enabled for RSE and Debug Manager.
| | DBGMGR encrypted communication enabled (note 1) | DBGMGR encrypted communication disabled |
|---|---|---|
| RSE encrypted communication enabled | The debug session starts in secured mode (note 2). | The user is prompted to confirm the unsecured connection, after which the session proceeds as normal. |
| RSE encrypted communication disabled | The debug session cannot be started. | The debug session starts in unsecured mode. |
Notes:
1. Unlike the RSE daemon, Debug Manager has no native support for encrypted communication. To enable encryption, create an AT-TLS policy for the port used by Debug Manager.
2. Users can start debug sessions without prompts only when Debug Manager uses the same certificates as RSE, or different certificates chained to the same CA root. Certificates from different CA roots are considered untrusted, and users must take action before they can establish a debug connection.
Creating an AT-TLS policy for the port used by Debug Manager
The Debug Manager relies on a TCP/IP service called Application Transparent Transport Layer Security (AT-TLS) for encrypted communication. For a step-by-step setup guide, see Setting up AT-TLS.
To enable encryption, create an AT-TLS policy for the port used by Debug Manager for external communication, by default 5335. See the following sample policy.
```
TTLSRule zOS_Debugger_Debug_Manager
{
  LocalPortRange 5335
  Direction Inbound
  TTLSGroupActionRef grp_Production
  TTLSEnvironmentActionRef act_zOS_Debugger_Debug_Manager
}
TTLSEnvironmentAction act_zOS_Debugger_Debug_Manager
{
  HandshakeRole Server
  TTLSKeyRingParms
  {
    Keyring dbgmgr.racf   # Keyring must be owned by the Debug Manager
  }
}
TTLSGroupAction grp_Production
{
  TTLSEnabled On
  Trace 2
}
```
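Before the policy is deployed it is worth confirming that the rule, the group action and the environment action actually tie together: a TTLSEnabled Off in the referenced group action leaves matched connections without TLS even though a rule for the port exists, and a reference to an action that is not defined breaks the policy. The following Python script is an added example, not IBM's code and not part of the z/OS Debugger documentation. It parses only the subset of Policy Agent syntax used in the sample above (named and unnamed blocks, key/value statements, `#` comments) and is not a general Policy Agent parser. The two embedded policies are constructed inputs: a copy of the sample above, and a deliberately broken variant whose names grp_Test and act_Missing are made up.

```python
"""Static check of an AT-TLS policy fragment covering the Debug Manager port.

Added example (not IBM code). Parses the block/key-value subset of Policy Agent
syntax shown on the page and verifies that the Debug Manager port is covered by
an inbound TTLSRule whose group action has TTLSEnabled On and whose environment
action runs as a TLS server with a keyring. Both policies below are constructed.
"""

# Constructed copy of the page's sample policy (port 5335, keyring dbgmgr.racf).
SAMPLE_POLICY = """
TTLSRule zOS_Debugger_Debug_Manager
{
  LocalPortRange 5335
  Direction Inbound
  TTLSGroupActionRef grp_Production
  TTLSEnvironmentActionRef act_zOS_Debugger_Debug_Manager
}
TTLSEnvironmentAction act_zOS_Debugger_Debug_Manager
{
  HandshakeRole Server
  TTLSKeyRingParms
  {
    Keyring dbgmgr.racf   # Keyring must be owned by the Debug Manager
  }
}
TTLSGroupAction grp_Production
{
  TTLSEnabled On
  Trace 2
}
"""

# Constructed policy with two defects: TLS switched off in the group action and a
# dangling environment-action reference. grp_Test and act_Missing are made-up names.
BROKEN_POLICY = """
TTLSRule zOS_Debugger_Debug_Manager
{
  LocalPortRange 5330-5340
  Direction Inbound
  TTLSGroupActionRef grp_Test
  TTLSEnvironmentActionRef act_Missing
}
TTLSGroupAction grp_Test
{
  TTLSEnabled Off
}
"""


def parse_policy(text):
    """Parse policy text into nested dicts: named blocks become
    {type: {name: {...}}}, unnamed blocks {type: {...}}, statements {key: value}."""
    root, stack, pending = {}, [], None
    stack.append(root)

    def flush():  # commit the held statement as a key/value pair
        nonlocal pending
        if pending:
            stack[-1][pending[0]] = " ".join(pending[1:])
            pending = None

    def open_block(words):  # words = ["TTLSRule", "name"] or ["TTLSKeyRingParms"]
        block = {}
        if len(words) > 1:
            stack[-1].setdefault(words[0], {})[words[1]] = block
        else:
            stack[-1][words[0]] = block
        stack.append(block)

    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        if line == "{":  # the previous statement was really a block header
            if pending is None:
                raise ValueError("'{' without a preceding block header")
            words, pending = pending, None
            open_block(words)
        elif line.endswith("{"):  # header and brace on one line
            flush()
            open_block(line[:-1].split())
        elif line == "}":
            flush()
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:  # hold the statement until we know whether a '{' follows
            flush()
            pending = line.split()
    flush()
    if len(stack) != 1:
        raise ValueError("unclosed block at end of policy")
    return root


def port_in_range(spec, port):
    """True when port lies within a LocalPortRange value such as '5335' or '5330-5340'."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= int(port) <= int(hi or lo)


def check_debug_manager_policy(policy, port=5335):
    """Return a list of findings; an empty list means the port is covered by an
    inbound rule with TLS enabled, a server-role environment action and a keyring."""
    findings = []
    matching = [(n, r) for n, r in policy.get("TTLSRule", {}).items()
                if r.get("LocalPortRange") and port_in_range(r["LocalPortRange"], port)
                and r.get("Direction", "").lower() == "inbound"]
    if not matching:
        return [f"no inbound TTLSRule covers port {port}"]
    for name, rule in matching:
        grp_name = rule.get("TTLSGroupActionRef")
        grp = policy.get("TTLSGroupAction", {}).get(grp_name)
        if grp is None:
            findings.append(f"{name}: TTLSGroupActionRef {grp_name!r} is not defined")
        elif grp.get("TTLSEnabled", "").lower() != "on":
            findings.append(f"{name}: group {grp_name} has TTLSEnabled "
                            f"{grp.get('TTLSEnabled', '<unset>')}")
        act_name = rule.get("TTLSEnvironmentActionRef")
        act = policy.get("TTLSEnvironmentAction", {}).get(act_name)
        if act is None:
            findings.append(f"{name}: TTLSEnvironmentActionRef {act_name!r} is not defined")
            continue
        if act.get("HandshakeRole", "").lower() != "server":
            findings.append(f"{name}: environment action {act_name} is not HandshakeRole Server")
        if not act.get("TTLSKeyRingParms", {}).get("Keyring"):
            findings.append(f"{name}: environment action {act_name} names no Keyring")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_POLICY), ("broken", BROKEN_POLICY)):
        print(label, check_debug_manager_policy(parse_policy(text)) or "OK")
```

Run it against a policy file's contents instead of the embedded strings to check the Debug Manager rule before it is activated with Policy Agent; the check only covers the structure of the policy, so the keyring contents and the certificate chain (see note 2 above) still have to be verified separately.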