Configuring AT-TLS policy statements

As part of configuring AT-TLS security for CAE, you must configure the AT-TLS rules for inbound and outbound connections to handle communications between the CAE agent, the CAE server, and the ISPF client.

Before you begin

Ensure that the following prerequisites are met:

  • You must define AT-TLS policy rules on each z/OS® system where the CAE agent runs. The exact location of the AT-TLS policy file depends on the policy agent configuration. For more information, see AT-TLS policy configuration (z/OS 3.1 documentation).
  • You must generate the keyring manually to define keyringCaeAgentInboundRule.

The following notation is used in the examples in this procedure:

  • $AGENT_KEYRING_INBOUND is the inbound keyring name in format {keyring_owner}/{inbound_keyring_name}
  • $AGENT_KEYRING_OUTBOUND is the outbound keyring name in format {keyring_owner}/{outbound_keyring_name}
  • $CAE_SERVER_ADDRESS is the IP address of the CAE server
  • $CAE_AGENT_LISTENER_PORTS is the value of the LISTENER_PORTS parameter specified in the CAE agent CQMCPRMS
  • $CAE_AGENT_JOB_NAME is the name of the CAE Agent started task

Procedure

To configure AT-TLS policy statements:
  1. To verify that the inbound keyring exists on the z/OS system and contains the proper certificate alias, issue the following TSO command, where keyring_owner_ID is the keyring owner:
    TSO RACDCERT LISTRING(*) ID(keyring_owner_ID)
  2. Define an inbound AT-TLS rule to handle incoming connections between the CAE agent and CAE server.

    For example:

    # ----------------INBOUND RULES----------------
    
    TTLSRule CaeAgentInboundRule
    {
        LocalAddr ALL
        RemoteAddr $CAE_SERVER_ADDRESS
        LocalPortRange $CAE_AGENT_LISTENER_PORTS
        Jobname $CAE_AGENT_JOB_NAME
        Direction Inbound
        TTLSGroupActionRef groupCaeAgentInboundRule
        TTLSEnvironmentActionRef envCaeAgentInboundRule
        TTLSConnectionActionRef connectionCaeAgentInboundRule
    }
    TTLSGroupAction groupCaeAgentInboundRule
    {
        TTLSEnabled On
    }
    TTLSEnvironmentAction envCaeAgentInboundRule
    {
        HandshakeRole Server
        TTLSEnvironmentAdvancedParmsRef envAdvancedCaeAgentInboundRule
        TTLSKeyringParmsRef keyringCaeAgentInboundRule
    }
    TTLSKeyringParms keyringCaeAgentInboundRule
    {
        Keyring $AGENT_KEYRING_INBOUND
    }
    TTLSEnvironmentAdvancedParms envAdvancedCaeAgentInboundRule
    {
        ApplicationControlled           Off
        TLSv1.2                         On
        TLSv1.3                         On
    }
    TTLSConnectionAction connectionCaeAgentInboundRule
    {
        HandshakeRole Server
        TTLSCipherParmsRef cipherCaeAgentInboundRule
        TTLSConnectionAdvancedParmsRef connAdvancedCaeAgentInboundRule
        CtraceClearText Off
    }
    TTLSConnectionAdvancedParms connAdvancedCaeAgentInboundRule
    {
        ApplicationControlled Off
        SecondaryMap Off
    }
    TTLSCipherParms cipherCaeAgentInboundRule
    {
        V3CipherSuites TLS_AES_128_GCM_SHA256
        V3CipherSuites TLS_AES_256_GCM_SHA384
        V3CipherSuites TLS_CHACHA20_POLY1305_SHA256
        V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        V3CipherSuites TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
        V3CipherSuites TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    }

    The keyring for the inbound rule must contain at least a server-type certificate, because the agent acts as the TLS server (HandshakeRole Server) for these connections.

  3. Define an outbound AT-TLS rule to handle outgoing connections between the CAE agent and CAE server.

    For example:

    # ----------------OUTBOUND RULES----------------
    
    TTLSRule CaeAgentOutboundRule
    {
        LocalAddr ALL
        RemoteAddr $CAE_SERVER_ADDRESS
        Jobname $CAE_AGENT_JOB_NAME
        Direction Outbound
        TTLSGroupActionRef groupCaeAgentOutboundRule
        TTLSEnvironmentActionRef envCaeAgentOutboundRule
        TTLSConnectionActionRef connectionCaeAgentOutboundRule
    }
    TTLSGroupAction groupCaeAgentOutboundRule
    {
        TTLSEnabled On
    }
    TTLSEnvironmentAction envCaeAgentOutboundRule
    {
        HandshakeRole Client
        TTLSEnvironmentAdvancedParmsRef envAdvancedCaeAgentOutboundRule
        TTLSKeyringParmsRef keyringCaeAgentOutboundRule
    }
    TTLSKeyringParms keyringCaeAgentOutboundRule
    {
        Keyring $AGENT_KEYRING_OUTBOUND
    }
    TTLSEnvironmentAdvancedParms envAdvancedCaeAgentOutboundRule
    {
        ClientAuthType Required
        ApplicationControlled           Off
        TLSv1.2                         On
        TLSv1.3                         On
    }
    TTLSConnectionAction connectionCaeAgentOutboundRule
    {
        HandshakeRole Client
        TTLSCipherParmsRef cipherCaeAgentOutboundRule
        TTLSConnectionAdvancedParmsRef connAdvancedCaeAgentOutboundRule
        CtraceClearText Off
    }
    TTLSConnectionAdvancedParms connAdvancedCaeAgentOutboundRule
    {
        ApplicationControlled Off
        SecondaryMap Off
        HandshakeTimeout 120
    }
    TTLSCipherParms cipherCaeAgentOutboundRule
    {
        V3CipherSuites TLS_AES_128_GCM_SHA256
        V3CipherSuites TLS_AES_256_GCM_SHA384
        V3CipherSuites TLS_CHACHA20_POLY1305_SHA256
        V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        V3CipherSuites TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
        V3CipherSuites TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    }

    The keyring for the outbound rule must contain the CA certificates needed to validate the certificates of the servers that the agent connects to (HandshakeRole Client).

  4. After modifying the AT-TLS policy, you must refresh the policy agent to apply the policy changes. To perform this refresh, execute the following z/OS system command:
    F PAGENT,REFRESH

    Check PAGENT messages and logs to make sure that the policy is applied.
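As an added sanity check that is not part of this procedure or of the policy agent's own tooling, the following Python script parses AT-TLS policy stanzas in the form shown above, resolves every ...Ref keyword to a defined statement (so a misspelled or missing keyringCaeAgentInboundRule is caught before F PAGENT,REFRESH), and flags obsolete protocol switches or CtraceClearText On. The sample policy, its addresses and job name are constructed placeholders.

```python
import re

# Constructed fragment shaped like the inbound rule above, with one dangling
# reference (the keyring statement is missing) and one obsolete protocol switch.
SAMPLE_POLICY = """# ----------------INBOUND RULES----------------
TTLSRule CaeAgentInboundRule
{
    RemoteAddr 192.0.2.10
    Direction Inbound
    TTLSEnvironmentActionRef envCaeAgentInboundRule
}
TTLSEnvironmentAction envCaeAgentInboundRule
{
    HandshakeRole Server
    TTLSKeyringParmsRef keyringCaeAgentInboundRule
    TTLSEnvironmentAdvancedParmsRef envAdvancedCaeAgentInboundRule
}
TTLSEnvironmentAdvancedParms envAdvancedCaeAgentInboundRule
{
    TLSv1 On
    TLSv1.2 On
}
"""
# A stanza is "<StatementType> <name> { keyword value ... }".
STANZA = re.compile(r"(\w+)\s+(\S+)\s*\{([^}]*)\}")
# Each *Ref keyword must point at a statement of the matching type.
REF_TARGETS = {t + "Ref": t for t in (
    "TTLSGroupAction", "TTLSEnvironmentAction", "TTLSConnectionAction",
    "TTLSKeyringParms", "TTLSEnvironmentAdvancedParms",
    "TTLSConnectionAdvancedParms", "TTLSCipherParms")}
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_policy(text):
    """Map (statement type, name) -> {keyword: [values]} for each stanza."""
    stanzas = {}
    for kind, name, body in STANZA.findall(text):
        parms = {}
        for line in body.splitlines():
            parts = line.split("#", 1)[0].split(None, 1)  # strip comments
            if parts:
                parms.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
        stanzas[(kind, name)] = parms
    return stanzas

def check_policy(text):
    """Flag dangling *Ref names, obsolete protocol versions and clear-text tracing."""
    stanzas, findings = parse_policy(text), []
    for (kind, name), parms in stanzas.items():
        for key, (value, *_) in parms.items():
            if key in REF_TARGETS and (REF_TARGETS[key], value) not in stanzas:
                findings.append(f"{kind} {name}: {key} {value} is not defined")
            elif (key in OBSOLETE or key == "CtraceClearText") and value.upper() == "ON":
                findings.append(f"{kind} {name}: {key} On should be Off")
    return findings
```

Run it over the real policy file before refreshing PAGENT; an empty list of findings means every reference resolves and no obsolete protocol is enabled.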