You can use Application Transparent Transport Layer Security (AT-TLS) to secure
communications between the OMEGAMON Db2 Collector PE Server subtasks and Performance Expert Client (PE Client).
Before you begin
It is highly recommended that you enable end-to-end encryption for PE Client communication with the OMEGAMON Db2 Collector PE Server on z/OS.
Important: When an instance of a PE Client is configured for encryption, it is assumed that all of the connections to the OMEGAMON Db2 Collectors on z/OS are encrypted. It is not possible to configure encryption for only a subset of OMEGAMON Db2 Collectors or selected Db2 subsystems that an instance of a PE Client wants to connect to.
The configuration consists of two parts:
- z/OS Communication Server side
  - Implement the AT-TLS policy, generate server certificates for the OMEGAMON Db2 Collector, and assign a keyring to the OMEGAMON Db2 Collector STC.
- PE Client side
  - Create a Java keystore (JKS) containing the certification authority (CA) certificate that is used in the certification chain for the OMEGAMON Db2 Collector server certificate (or, alternatively, containing the self-signed server certificate).
Procedure
- Create a public/private key pair (private key plus certificate) for the OMEGAMON Db2 Collectors. The OMEGAMON Db2 Collectors present this server certificate in the TLS handshake to the PE Client that requests a connection to the OMEGAMON Db2 Collector.
  - The certificate can be self-signed or signed by a CA, according to your company's standards and rules. You can create and sign the certificate on z/OS with RACF or an equivalent security product, or outside of z/OS. If a certificate is created outside of z/OS, you must import it into z/OS.
  - Create a SAF keyring on z/OS or a file-based keystore on z/OS, and import the server certificate into it. Assign the keyring to the user ID that owns the OMEGAMON Db2 Collector STC.
  - If you created a self-signed certificate, export it in text format and make it available on the client computers on which PE Client is running. If your server certificate is signed by a CA, make sure that the root CA certificate or the certification chain is available on the client computers on which PE Client is running.
- Create an AT-TLS policy for encryption. To manage encrypted connections between the PE Client and the OMEGAMON Db2 Collector, you must create AT-TLS rules on every LPAR on which OMEGAMON Db2 Collectors are running. Define policy rules with the following characteristics:
  - Direction is “Inbound”
  - The port range covers the TCP/IP ports on which the OMEGAMON Db2 Collector listens for incoming requests from PE Clients
  - Allow TLSv1.2 and TLSv1.3 connections
  - Specify the name of the SAF keyring you created in the previous step
  - If the server certificate you created for the OMEGAMON Db2 Collector is not the default certificate for the STC user, specify the label of the certificate that AT-TLS should use for the TLS handshake
  Refer to the IBM “z/OS Communications Server: IP Configuration Guide” for setup instructions.
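The following Policy Agent configuration fragment is an added example of a rule set with the characteristics listed above; it is not taken from the IBM documentation or shipped with the product. The job name OMPESTC*, the port range 44000-44001, the keyring name OMPERING, the certificate label OMPESERVERCERT and the cipher suite selection are assumptions chosen for the example; replace them with the values from your own installation.

```text
# Added example, not from the IBM documentation.
# Assumed: STC job name OMPESTC*, Collector listening ports 44000-44001,
# SAF keyring OMPERING owned by the STC user, certificate label OMPESERVERCERT.

TTLSRule                          OMPEServerRule
{
  LocalAddr                       ALL
  RemoteAddr                      ALL
  LocalPortRange                  44000-44001     # ports the Collector listens on
  Jobname                         OMPESTC*        # limit the rule to the Collector STC
  Direction                       Inbound         # PE Client connects to the Collector
  Priority                        255
  TTLSGroupActionRef              OMPEGroupAction
  TTLSEnvironmentActionRef        OMPEEnvAction
}

TTLSGroupAction                   OMPEGroupAction
{
  TTLSEnabled                     On
  Trace                           2               # errors only; raise while debugging handshakes
}

TTLSEnvironmentAction             OMPEEnvAction
{
  HandshakeRole                   Server          # the Collector presents its certificate
  TTLSKeyringParmsRef             OMPEKeyring
  TTLSCipherParmsRef              OMPECiphers
  TTLSEnvironmentAdvancedParmsRef OMPEAdvParms
}

TTLSKeyringParms                  OMPEKeyring
{
  Keyring                         OMPERING        # SAF keyring created in the previous step
}

TTLSEnvironmentAdvancedParms      OMPEAdvParms
{
  CertificateLabel                OMPESERVERCERT  # only needed if not the ring's default certificate
  SSLv2                           Off
  SSLv3                           Off
  TLSv1                           Off
  TLSv1.1                         Off
  TLSv1.2                         On
  TLSv1.3                         On              # requires System SSL with TLS 1.3 support
}

TTLSCipherParms                   OMPECiphers
{
  V3CipherSuites                  TLS_AES_256_GCM_SHA384
  V3CipherSuites                  TLS_AES_128_GCM_SHA256
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
```

The fragment belongs in the AT-TLS configuration file that the Policy Agent reads for the TCP/IP stack on each LPAR; AT-TLS must also be enabled in that stack's TCP/IP profile (TCPCONFIG TTLS), and the STC user needs read access to the keyring. Disabling the older protocol versions is a choice made for the example, not a requirement stated in the procedure.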
- On the PE Client side, a Java truststore is required. It must contain the server certificates (if you are working with self-signed certificates), or the root CA certificate or the certificate chain (if the server certificate is signed by a CA). You can use the Java keytool to create a password-protected truststore and import certificates into it.
  Important: The truststore must contain the certificates for all LPARs you want to monitor with that instance of the PE Client.
  The remaining steps are performed in the PE Client.
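As an added example of building that truststore with keytool (this is not code from the IBM documentation or from the product), the script below imports one exported text-format certificate per LPAR, or the root CA certificate, into a password-protected JKS file. The truststore path, the password, the certificate file names and the alias convention (alias derived from the file name) are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the IBM documentation): build the PE Client
# truststore with keytool. Paths, aliases and the password are constructed
# placeholders; the PEM files are the certificates exported from each LPAR.

# Derive a keytool alias from a certificate file name: strip the directory
# and extension and lowercase it, so LPAR01.pem becomes alias "lpar01".
cert_alias() {
    base=$(basename "$1")
    base=${base%.*}
    printf '%s\n' "$base" | tr 'A-Z' 'a-z'
}

# Accept only non-empty files in the text (base64) format the procedure asks
# for; an empty or binary export is the usual cause of an import error.
is_pem_cert() {
    [ -s "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"
}

# build_truststore TRUSTSTORE PASSWORD CERT.pem [CERT.pem ...]
# Creates the JKS truststore if it does not exist and imports one trusted
# certificate per file. Every LPAR the PE Client connects to must be present.
build_truststore() {
    store=$1; pass=$2; shift 2
    [ "$#" -ge 1 ] || { echo "no certificate files given" >&2; return 1; }
    for cert in "$@"; do
        is_pem_cert "$cert" || { echo "not a PEM certificate: $cert" >&2; return 1; }
        keytool -importcert -noprompt -trustcacerts \
            -alias "$(cert_alias "$cert")" -file "$cert" \
            -keystore "$store" -storetype JKS -storepass "$pass" || return 1
    done
}

# List the aliases in the truststore to confirm that every LPAR is present
# before entering the path and password in the PE Client.
list_truststore() {
    keytool -list -keystore "$1" -storetype JKS -storepass "$2"
}
```

Run it as `build_truststore /path/pe-client.jks 'store-password' lpar01.pem lpar02.pem`, then `list_truststore /path/pe-client.jks 'store-password'` to check that one alias per LPAR (or the CA alias) is listed. When working interactively, omit `-storepass` and let keytool prompt for it, so the password does not end up in shell history.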
- Start the PE Client, open the Configuration window, and select the Encryption tab.
- On this tab, select the Enable end-to-end encryption checkbox to enable TLS encryption for the PE Client. Specify the truststore location and the password for the truststore.
- Verify that all of the information provided is correct, and click Apply. Restart the PE Client. If there are no errors, all communication between the PE Client and z/OS is now encrypted. If the information provided is invalid (for example, an incorrect truststore, an incorrect password, or both), the Configuration window does not close and the information is not saved.