AT-TLS policy

A TTLS policy describes the desired AT-TLS rules. A TTLS policy allows for a wide range of filters to specify when a rule applies. As defined in the Policy Agent configuration file, the TTLS policy is located in /etc/pagent.ttls.conf. The necessary definitions in your security software are covered later.

For more information about TTLS policy keywords, see z/OS Communications Server: IP Configuration Reference (SC27-3651).

The following sample rule can be used to encrypt communication with a client. Here, RSE API is a server that listens on port 6800 for incoming connections from clients. This information is captured in the rule_HAMAxxx_RSEAPI_server section.

Because encrypted communication requires a server certificate, the policy specifies that the Policy Manager must use the certificates on the SAF.keyring key ring, which is owned by the RSE API server user ID STCAPI. The Policy Manager uses the HUH.cert certificate to identify RSE API to the client, and restricts which protocols and ciphers can be used. This information is captured in the env_HAMAxxx_RSEAPI_server section.

Note: Protocol and cipher selection might impose restrictions and additional setup. For example, the usage of Elliptic Curve ciphers requires that z/OS® ICSF (Integrated Cryptographic Service Facility) is available. For more information, see z/OS Communications Server: IP Configuration Reference (SC27-3651).

The grp_Production section holds definitions that can be shared across multiple rules.

##
## TCP/IP Policy Agent AT-TLS configuration information.
##
##-----------------------------
TTLSRule                      _rule_HAMAxxx_RSEAPI_server
{
 LocalPortRange           6800
 Direction                Inbound
 TTLSGroupActionRef       grp_Production
 TTLSEnvironmentActionRef env_HAMAxxx_RSEAPI_server
}
##-----------------------------
TTLSEnvironmentAction         env_HAMAxxx_RSEAPI_server
{
 HandshakeRole Server
 TTLSKeyRingParms
 {
  Keyring SAF.keyring   # keyring must be owned by started task ID
 }
 TTLSEnvironmentAdvancedParms
 {
  CertificateLabel HUH.cert   # label of the server certificate on the key ring above
  TLSV1.3 On                  # TLS 1.3 only; every older protocol is explicitly disabled
  TLSV1.2 Off
  TLSV1.1 Off
  TLSV1   Off
  TTLSCipherParms
  {
   V3CipherSuites4Char 130113021303   # 1301 TLS_AES_128_GCM_SHA256, 1302 TLS_AES_256_GCM_SHA384, 1303 TLS_CHACHA20_POLY1305_SHA256
  }
 }
}
##-----------------------------
TTLSGroupAction               grp_Production
{
 TTLSEnabled              On
 Trace                    3     # Log Errors to syslogd & IP joblog
#Trace                    254   # Log everything to syslogd
}
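Before activating a policy it is worth confirming that the protocol and cipher settings agree with each other. The script below is an added example, not part of this page or of any IBM tool: it flattens a TTLSEnvironmentAction such as the one above, checks that TLSv1 and TLSv1.1 are explicitly Off, that a CertificateLabel is present, and that when only TLS 1.3 is On the V3CipherSuites4Char list contains nothing but TLS 1.3 suites (any TLS 1.2 suite there could never be negotiated). The sample text is a constructed copy of the environment action above with the key ring block omitted; the suite names come from RFC 8446.

```python
# Constructed test input: the TTLSEnvironmentAction from this page, key ring block omitted.
SAMPLE_POLICY = """\
TTLSEnvironmentAction env_HAMAxxx_RSEAPI_server
{
 HandshakeRole Server
 TTLSEnvironmentAdvancedParms
 {
  CertificateLabel HUH.cert   # label of the server certificate on the key ring
  TLSV1.3 On
  TLSV1.2 Off
  TLSV1.1 Off
  TLSV1   Off
  TTLSCipherParms
  {
   V3CipherSuites4Char 130113021303
  }
 }
}
"""

TLS13_SUITES = {"1301": "TLS_AES_128_GCM_SHA256",   # RFC 8446 code points in the
                "1302": "TLS_AES_256_GCM_SHA384",   # 4-hex-char form AT-TLS uses
                "1303": "TLS_CHACHA20_POLY1305_SHA256"}

def parse_policy(text):
    # Flatten one brace-delimited block into {KEYWORD: value}; '#' starts a comment.
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:                 # skips blanks, braces and bare block names
            settings[parts[0].upper()] = parts[1].strip()
    return settings

def check_policy(text):
    """Findings for a server TTLSEnvironmentAction; an empty list means it passes."""
    s, findings = parse_policy(text), []
    for proto in ("TLSV1", "TLSV1.1"):      # legacy protocols; expect an explicit Off
        if s.get(proto, "unset").upper() != "OFF":
            findings.append(f"{proto} is {s.get(proto, 'unset')}, expected Off")
    only_tls13 = s.get("TLSV1.3", "").upper() == "ON" and s.get("TLSV1.2", "").upper() != "ON"
    value = s.get("V3CIPHERSUITES4CHAR", "")
    codes = [value[i:i + 4].upper() for i in range(0, len(value), 4)]
    for code in codes:
        if only_tls13 and code not in TLS13_SUITES:
            findings.append(f"cipher {code} can never be negotiated with only TLS 1.3 On")
    if "CERTIFICATELABEL" not in s:
        findings.append("CertificateLabel missing: no server certificate to present")
    return findings
```

The parser is deliberately minimal (one environment action at a time, one keyword per line); it is a consistency check on the text, not a substitute for the Policy Agent's own syntax validation.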

For more complex policies, you should use the IBM® Configuration Assistant for z/OS Communications Server. This is a GUI-based tool that provides a guided interface for configuring TCP/IP policy-based networking functions and is available as a task in IBM z/OS Management Facility (z/OSMF), and as a stand-alone workstation application.