AT-TLS policy

A TTLS policy describes the desired AT-TLS rules. A TTLS policy allows for a wide range of filters to specify when a rule applies. z/OS® Explorer has two communication streams with a client that must be covered by a TTLS policy rule, one to the RSE daemon and one to the RSE server. Therefore, two rules must be defined. As defined in the Policy Agent configuration file, the TTLS policy is located in /etc/pagent.ttls.conf. The necessary definitions in your security software are covered later.

For more information about TTLS policy keywords, see z/OS Communications Server: IP Configuration Reference (SC27-3651).

The following sample rules can be used to encrypt communication with RSE daemon and RSE server. Here, RSE daemon is a server that listens on port 4035 for incoming connections from clients. This information is captured in the rule_HALGxxx_RSE_daemon section. RSE server is a server that listens on a port in range 8108 through 8117. This information is captured in the rule_HALGxxx_RSE_server section.

Since encrypted communication requires a server certificate, we specify that the Policy Manager must use the certificates on the FEK.keyring key ring, which is owned by the RSED started task user ID STCRSE. The Policy Manager uses the FEK.cert certificate to identify RSE daemon and RSE server to the client, and restricts the protocol versions and cipher suites that can be used. This information is captured in the env_HALGxxx_RSE_for_client section.

Note: Protocol and cipher selection might impose restrictions and additional setup. For example, the usage of Elliptic Curve ciphers requires that z/OS ICSF (Integrated Cryptographic Service Facility) is available. For more information, see z/OS Communications Server: IP Configuration Reference (SC27-3651).

The grp_Production section holds definitions that can be shared across multiple rules.

##
## TCP/IP Policy Agent AT-TLS configuration information.
##
##-----------------------------
TTLSRule                      rule_HALGxxx_RSE_daemon
{
 LocalPortRange           4035
 Direction                Inbound
 TTLSGroupActionRef       grp_Production
 TTLSEnvironmentActionRef env_HALGxxx_RSE_for_client
}
##-----------------------------
TTLSRule                      rule_HALGxxx_RSE_server
{
 LocalPortRange           8108 8117
 Direction                Inbound
 TTLSGroupActionRef       grp_Production
 TTLSEnvironmentActionRef env_HALGxxx_RSE_for_client
}
##-----------------------------
TTLSEnvironmentAction         env_HALGxxx_RSE_for_client
{
 HandshakeRole Server
 TTLSKeyRingParms
 {
  Keyring FEK.keyring   # keyring must be owned by started task ID
 }
 TTLSEnvironmentAdvancedParms
 {
  CertificateLabel FEK.cert
  TLSV1.3 On            # TLS 1.3 only: every older protocol version is switched off
  TLSV1.2 Off
  TLSV1.1 Off
  TLSV1   Off
 }
# TTLSCipherParms is a parameter of TTLSEnvironmentAction, not of TTLSEnvironmentAdvancedParms
 TTLSCipherParms
 {
  V3CipherSuites4Char 130113021303   # 1301 TLS_AES_128_GCM_SHA256, 1302 TLS_AES_256_GCM_SHA384, 1303 TLS_CHACHA20_POLY1305_SHA256
 }
}
##-----------------------------
TTLSGroupAction               grp_Production
{
 TTLSEnabled              On
 Trace                    3     # Log Errors to syslogd & IP joblog
#Trace                    254   # Log everything to syslogd
}
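Before handing a policy file to the Policy Agent, it is worth checking that it actually says what the paragraphs above describe. The following Python script is an added example (not IBM's or z/OS Explorer's own code): it parses the policy syntax used above and checks that every TTLSRule references a defined TTLSGroupAction with TTLSEnabled On and a defined TTLSEnvironmentAction, that each environment action names a key ring and certificate label, offers TLS 1.3 only and lists only TLS 1.3 cipher suites, and that the RSE daemon port 4035 and the RSE server ports 8108 through 8117 are all covered by some rule. It assumes the simplified grammar of the sample (one keyword per line, `#` comments, braces on their own lines, TTLSCipherParms placed directly under TTLSEnvironmentAction); the real Policy Agent grammar is larger, and the Policy Agent's own syntax checking remains authoritative. SAMPLE_POLICY is a constructed copy of the rules above with the Direction and Trace lines omitted.

```python
"""Pre-flight lint for a Policy Agent TTLS policy like the sample on this page (added example,
not IBM code). Assumes only the constructs seen there: `#` comments, `Keyword value...` lines
and `Type [name] { ... }` blocks, one per line; the real Policy Agent grammar is larger."""
import re
SAMPLE_POLICY = """\
TTLSRule rule_HALGxxx_RSE_daemon
{
 LocalPortRange 4035
 TTLSGroupActionRef grp_Production
 TTLSEnvironmentActionRef env_HALGxxx_RSE_for_client
}
TTLSRule rule_HALGxxx_RSE_server
{
 LocalPortRange 8108 8117
 TTLSGroupActionRef grp_Production
 TTLSEnvironmentActionRef env_HALGxxx_RSE_for_client
}
TTLSEnvironmentAction env_HALGxxx_RSE_for_client
{
 HandshakeRole Server
 TTLSKeyringParms
 {
  Keyring FEK.keyring   # keyring must be owned by started task ID
 }
 TTLSEnvironmentAdvancedParms
 {
  CertificateLabel FEK.cert
  TLSV1.3 On
  TLSV1.2 Off
  TLSV1.1 Off
  TLSV1   Off
 }
 TTLSCipherParms
 {
  V3CipherSuites4Char 130113021303
 }
}
TTLSGroupAction grp_Production
{
 TTLSEnabled On
}
"""  # constructed input: the page's sample policy without its Direction and Trace lines
TLS13_SUITES = {"1301", "1302", "1303", "1304", "1305"}  # 4-char ids of the TLS 1.3 suites

def _parse_block(lines, i):
    # Parse lines[i:] up to the matching '}': named blocks -> block[type][name], anonymous
    # blocks -> block[type], plain parameters -> their value string. Returns (block, next i).
    block = {}
    while i < len(lines) and lines[i] != "}":
        parts = lines[i].split()
        key = parts[0].lower()
        if i + 1 < len(lines) and lines[i + 1] == "{":
            sub, i = _parse_block(lines, i + 2)
            if len(parts) > 1:
                block.setdefault(key, {})[parts[1]] = sub
            else:
                block[key] = sub
        else:
            block[key], i = " ".join(parts[1:]), i + 1
    return block, i + 1

def parse_policy(text):
    # Drop comments and blank lines, require balanced braces, then parse into nested dicts.
    lines = [s for s in (l.split("#", 1)[0].strip() for l in text.splitlines()) if s]
    if lines.count("{") != lines.count("}"):
        raise ValueError("unbalanced braces in policy")
    return _parse_block(lines, 0)[0]

def _check_environment(name, env):
    # Checks for a TTLSEnvironmentAction that is meant to offer TLS 1.3 only.
    adv = env.get("ttlsenvironmentadvancedparms", {})
    suites = env.get("ttlscipherparms", {}).get("v3ciphersuites4char", "")
    groups = re.findall(r"[0-9A-Fa-f]{4}", suites)
    problems = [
        (env.get("handshakerole", "").lower() != "server", "HandshakeRole is not Server"),
        (not env.get("ttlskeyringparms", {}).get("keyring"), "no Keyring in TTLSKeyringParms"),
        (not adv.get("certificatelabel"), "no CertificateLabel"),
        (adv.get("tlsv1.3", "").lower() != "on", "TLSv1.3 is not On"),
        (not suites or "".join(groups) != suites or any(g.upper() not in TLS13_SUITES for g in groups),
         f"V3CipherSuites4Char must list only TLS 1.3 suites, got {suites!r}"),
    ] + [(adv.get(p, "").lower() != "off", f"{p} is not explicitly Off")
         for p in ("tlsv1", "tlsv1.1", "tlsv1.2")]   # the versions the page's sample switches off
    return [f"{name}: {msg}" for failed, msg in problems if failed]

def check_policy(text, required_ports):
    # Returns a list of findings; an empty list means the policy passes every check.
    policy = parse_policy(text)
    groups, envs = policy.get("ttlsgroupaction", {}), policy.get("ttlsenvironmentaction", {})
    findings, covered = [], set()
    for name, rule in policy.get("ttlsrule", {}).items():
        if groups.get(grp := rule.get("ttlsgroupactionref"), {}).get("ttlsenabled", "").lower() != "on":
            findings.append(f"{name}: group {grp!r} is missing or not TTLSEnabled On")
        if (env := rule.get("ttlsenvironmentactionref")) not in envs:
            findings.append(f"{name}: TTLSEnvironmentActionRef {env!r} is not defined")
        nums = [int(n) for n in rule.get("localportrange", "").split()]
        covered |= set(range(nums[0], nums[-1] + 1)) if nums else set()
    for env in sorted(envs):                     # lint every environment action defined
        findings += _check_environment(env, envs[env])
    if missing := sorted(set(required_ports) - covered):
        findings.append(f"ports with no TTLSRule: {missing}")
    return findings
```

Calling check_policy(open("/etc/pagent.ttls.conf").read(), {4035} | set(range(8108, 8118))) returns an empty list for a policy that passes; each finding names the rule or environment action it concerns. The protocol checks deliberately demand an explicit Off for TLSv1, TLSv1.1 and TLSv1.2 rather than relying on Policy Agent defaults, so the policy states its intent regardless of the defaults of the installed release.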

For more complex policies, you should use the IBM® Configuration Assistant for z/OS Communications Server. This is a GUI-based tool that provides a guided interface for configuring TCP/IP policy-based networking functions and is available as a task in IBM z/OS Management Facility (z/OSMF), and as a stand-alone workstation application.