Configuring secure communications between z/OS components and Z APM Connect Distributed Gateway Linux machine
If you install the Z APM Connect DG with Docker standalone, you can secure the connection between the Z APM Connect Distributed Gateway (Z APM Connect DG) machine on Linux® and the z/OS® components that communicate with it by using the Transport Layer Security (TLS, sometimes called SSL) protocol.
A complete configuration example is provided to enable secure communications between the Z APM Connect DG machine and MVS host, using RACF as the Security Server. For more information, see (Docker) Security enablement example.
1. Importing certificates on the Z APM Connect Distributed Gateway machine
2. Creating a key ring and certificate on z/OS components
3. Transferring certificates from Z APM Connect Distributed Gateway machine to z/OS components machine
4. Updating the policy agent (PAGENT) AT-TLS policy
5. Updating the Linux truststore
6. Recycle the Z APM Connect DG
1. Importing certificates on the Z APM Connect Distributed Gateway machine
Procedure
The Z APM Connect DG machine on Linux serves as the TLS server. To set up security for this Linux machine, use the ./zapmctl configure security command.
2. Creating a key ring and certificate on z/OS components
About this task
The z/OS components machine serves as the TLS client. For each started task that generates transactional tracking information, additional security setup is needed.
The started tasks include the Z APM Connect Base proc (AGMAPROC by default), and may include the z/OS Connect EE server or CICS® TG server, depending on the type of transactions to be tracked. The user ID under which each started task runs must have a key ring that contains its personal certificate and private key, its own trust chain, and, if the server certificate is signed by a different authority, the server's CA certificate. If the Z APM Connect DG server certificate is self-signed, that certificate itself is the trust anchor and must be connected to the key ring as a certificate-authority certificate.
Procedure
In the following command examples:
- RACF® commands are used to create a key ring. For more information about RACF commands, see RACF command syntax.
- IBMUSER owns the proc.
- Commands use a key ring owned by IBMUSER. For more information about creating a key ring, see RACDCERT ADDRING.
- The hyphen (-) at the end of a line is the continuation character.
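The following batch job is an added example, not the commands from the product documentation. It runs the RACF commands through the TSO batch monitor (IKJEFT01) to build a key ring for IBMUSER that satisfies the requirements above: a self-signed personal certificate (which is therefore its own trust chain), the CA certificate that signed the Z APM Connect DG server certificate, and the FACILITY access the started task needs to read its own ring. The ring name ZAPMRING, the labels ZAPMCLIENT and ZAPMDGCA, the subject name, the expiry date, and the data set names IBMUSER.ZAPMDG.CACERT (the server CA certificate transferred from the Linux machine) and IBMUSER.ZAPMCLI.CERT (the export consumed when updating the Linux truststore) are assumptions for illustration.

```jcl
//ZAPMCERT JOB (ACCT),'ZAPM TLS CLIENT',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//*-----------------------------------------------------------------
//* Added example (not from the Z APM Connect documentation).
//* Builds the AT-TLS client key ring for IBMUSER, the user ID the
//* AGMAPROC started task runs under.
//* Assumed names: ring ZAPMRING, labels ZAPMCLIENT and ZAPMDGCA,
//* IBMUSER.ZAPMDG.CACERT = DG server CA certificate, base64 (PEM),
//*   transferred from Linux as text into a VB sequential data set,
//* IBMUSER.ZAPMCLI.CERT  = exported client certificate (public
//*   part only) to be added to the Linux truststore.
//* A trailing '-' continues a TSO command on the next line.
//*-----------------------------------------------------------------
//RACDCERT EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* 1. Key ring owned by the started-task user ID              */
  RACDCERT ID(IBMUSER) ADDRING(ZAPMRING)
  /* 2. Self-signed personal cert: client identity + private key */
  /*    (no SIGNWITH, so it is also its own trust chain)         */
  RACDCERT ID(IBMUSER) GENCERT -
    SUBJECTSDN(CN('zapm-client') OU('ZAPM') O('Example') C('US')) -
    WITHLABEL('ZAPMCLIENT') SIZE(2048) -
    NOTAFTER(DATE(2027-12-31))
  RACDCERT ID(IBMUSER) CONNECT(ID(IBMUSER) LABEL('ZAPMCLIENT') -
    RING(ZAPMRING) USAGE(PERSONAL) DEFAULT)
  /* 3. CA that signed the DG server certificate, marked TRUST   */
  /*    (for a self-signed server cert, ADD that cert here)      */
  RACDCERT CERTAUTH ADD('IBMUSER.ZAPMDG.CACERT') -
    WITHLABEL('ZAPMDGCA') TRUST
  RACDCERT ID(IBMUSER) CONNECT(CERTAUTH LABEL('ZAPMDGCA') -
    RING(ZAPMRING) USAGE(CERTAUTH))
  /* 4. Least privilege: READ on its own ring only, no UPDATE     */
  /*    (omit the RDEFINEs if the profiles already exist)        */
  RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
  RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IBMUSER) -
    ACCESS(READ)
  PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(IBMUSER) -
    ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
  SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
  /* 5. Export the public certificate for the Linux truststore    */
  RACDCERT ID(IBMUSER) EXPORT(LABEL('ZAPMCLIENT')) -
    DSN('IBMUSER.ZAPMCLI.CERT') FORMAT(CERTB64)
  /* 6. Check: ring lists ZAPMCLIENT (PERSONAL, DEFAULT) and      */
  /*    ZAPMDGCA (CERTAUTH), both with TRUST status               */
  RACDCERT ID(IBMUSER) LISTRING(ZAPMRING)
/*
```

Repeat the job for each additional started task (z/OS Connect EE or CICS TG) under its own user ID, substituting that ID for IBMUSER; the AT-TLS policy later references each ring as userid/ZAPMRING. FORMAT(CERTB64) exports the certificate only, never the private key, so the exported data set is safe to transfer to the Linux machine; transfer it as text so the base64 encoding survives.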
3. Transferring certificates from Z APM Connect Distributed Gateway machine to z/OS components machine
Procedure
4. Updating the policy agent (PAGENT) AT-TLS policy
About this task
In the PAGENT AT-TLS policy, the TTLSEnvironmentAction needs to be updated to reference the key ring, with z/OS in the client handshake role.
The TTLSRule needs to reference the IP address of the Linux machine on which Z APM Connect is installed and the port to be used. The port for the CICS TG and z/OS Connect EE Server is 30090 and the port for the Z APM Connect Base is 30455; if both kinds of traffic are tracked, each port needs a rule that matches it.
The PAGENT proc needs to be restarted or refreshed (for example, with the MVS command F PAGENT,REFRESH) to implement these changes.
Example
Policy agent configuration file:
# One rule per Z APM Connect DG port: 30455 (Base), 30090 (CICS TG / z/OS Connect EE)
TTLSRule <TTLS rule Name>
{
RemotePortRange <port>
RemoteAddr <ip addr>
Direction Outbound
TTLSGroupActionRef <Grp Action name>
TTLSEnvironmentActionRef <Env Action name>
}
TTLSEnvironmentAction <Env Action name>
{
# z/OS is the TLS client; the key ring is the one created for the started task's user ID
HandshakeRole Client
TTLSKeyRingParms
{
Keyring <user ID>/<keyring name>
}
...
}
TTLSGroupAction <Grp Action name>
{
...
}
5. Updating the Linux truststore
Procedure
Export the z/OS personal certificate (the certificate only, not the private key) for the key ring's owning user ID and add it to the Linux truststore.
6. Recycle the Z APM Connect DG
Procedure
Run the sudo ./zapmctl stop command and then the sudo ./zapmctl start command from the <install-dir>/ directory. For more information about how to use the commands, see ../configuration/ttg/zapm_dg_command_start.html.