Configuring AT-TLS

You must configure your Application Transparent Transport Layer Security (AT-TLS) Policy Agent to provide secure TLS (HTTPS) communication for the components that support the Realtime Dataset Metrics Web (RDM) user interface. Configuring AT-TLS involves creating certificates or keyrings and customizing the parameters.

About this task

The syntax for referring to specific properties of specific rules in this procedure uses a 'dot' notation, <rule name>.<property>, as in the following example TTLS rule. The port number can be any available port between 1 and 65535 inclusive. In this example, the LocalPortRange value is 12345, and the LocalPortRange property of this specific rule is referred to as KS3_RDM.LocalPortRange. The rule names in the sample AT-TLS rules file are unique to prevent conflict with any existing rule names. If you keep the same rule names in your AT-TLS parameters, you can relate the steps directly to your AT-TLS rules.

Procedure

  1. Create a keyring named KS3TRNG, generate or obtain a 'cryptographic identity' (a private key and its corresponding certificate), and place it in that keyring.
    The App Server and OM Storage TEMS address spaces must run under the same user ID (for example, KS3STC), and that user ID needs access to the new keyring.
  2. Optional: To use a different keyring name, adjust the following parameter: keyring~KS3.Keyring
  3. Change the *.Priority value to fit in with the priority numbering for your site.
    These rules are specific, so you can give them a high Priority, for example 128. The example TLS rules that follow are based on the default configuration values shipped with the product in the KS3AINIT parm member (RKANPARU). If you do not change the default values, you can use the example TLS rules as they are.
  4. Optional: To make configuration changes, adjust the following required and optional TLS parameter values:
    Required parameters
    • KS3_RDM.LocalPortRange: RDM_PORT in KS3AINIT
    • KS3_RDM.Jobname: OM Storage TEMS job name defined by PARMGEN
    • KS3_APPSRV_TO_RDM.RemotePortRange: RDM_PORT in KS3AINIT
    • KS3_APPSRV.LocalPortRange: AS_PORT in KS3AINIT
    • KS3_APPSRV_TO_APPSRV.RemotePortRange: AS_PORT in KS3AINIT
    Optional parameters
    Note: Change these optional default values in KS3AINIT, and in the corresponding TLS configuration, only when instructed to by support:
    • KS3_APPSRV_TO_RDM.RemoteAddr: RDM_LISTENER_ADDR in KS3AINIT
    • KS3_RDM.LocalAddr: RDM_LISTENER_ADDR in KS3AINIT
    • KS3_APPSRV_TO_APPSRV.RemoteAddr: change only to account for special network configurations on the host system

Example

The port range values in this example are samples. The port numbers can be any available port between 1 and 65535 inclusive.
TTLSRule                          KS3_RDM
{
  LocalAddr                       127.0.0.1
  LocalPortRange                  12345
  Direction                       Inbound
  Jobname                         S3TMS95D
  Priority                        4
  TTLSGroupActionRef              gAct1~KS3
  TTLSEnvironmentActionRef        eAct1~KS3_SRV
  TTLSConnectionActionRef         cAct1~KS3_SRV
}
TTLSRule                          KS3_APPSRV_TO_RDM
{
  RemoteAddr                      127.0.0.1
  RemotePortRange                 12345
  Direction                       Outbound
  Priority                        4
  TTLSGroupActionRef              gAct1~KS3
  TTLSEnvironmentActionRef        eAct1~KS3_CLIENT
  TTLSConnectionActionRef         cAct1~KS3_CLIENT
}
TTLSRule                          KS3_APPSRV
{
  LocalPortRange                  48700
  Direction                       Inbound
  Priority                        4
  TTLSGroupActionRef              gAct1~KS3
  TTLSEnvironmentActionRef        eAct1~KS3_SRV
  TTLSConnectionActionRef         cAct1~KS3_SRV
}
TTLSRule                          KS3_APPSRV_TO_APPSRV
{
  RemoteAddr                      127.0.0.1
  RemotePortRange                 48700
  Direction                       Outbound
  Priority                        4
  TTLSGroupActionRef              gAct1~KS3
  TTLSEnvironmentActionRef        eAct1~KS3_CLIENT
  TTLSConnectionActionRef         cAct1~KS3_CLIENT
}
TTLSGroupAction                   gAct1~KS3
{
  TTLSEnabled                     On
  Trace                           4
}
TTLSEnvironmentAction             eAct1~KS3_CLIENT
{
  HandshakeRole                   Client
  EnvironmentUserInstance         0
  TTLSEnvironmentAdvancedParmsRef eAdv1~KS3
  TTLSKeyringParmsRef             keyring~KS3
  Trace                           4
}
TTLSEnvironmentAction             eAct1~KS3_SRV
{
  HandshakeRole                   Server
  EnvironmentUserInstance         0
  TTLSEnvironmentAdvancedParmsRef eAdv1~KS3
  TTLSKeyringParmsRef             keyring~KS3
  Trace                           4
}
TTLSConnectionAction              cAct1~KS3_SRV
{
  HandshakeRole                   Server
  TTLSCipherParmsRef              cipher-KS3
  TTLSConnectionAdvancedParmsRef  cAdv1~KS3
  CtraceClearText                 On
  Trace                           4
}
TTLSConnectionAction              cAct1~KS3_CLIENT
{
  HandshakeRole                   Client
  TTLSCipherParmsRef              cipher-KS3
  TTLSConnectionAdvancedParmsRef  cAdv1~KS3
  CtraceClearText                 On
  Trace                           4
}
TTLSConnectionAdvancedParms       cAdv1~KS3
{
  ResetCipherTimer                0
  SecondaryMap                    Off
}
TTLSKeyringParms                  keyring~KS3
{
  Keyring                         S3STC/KS3TRNG
}
TTLSEnvironmentAdvancedParms      eAdv1~KS3
{
  ClientAuthType                  PassThru
  ApplicationControlled           Off
  SSLv2                           Off
  SSLv3                           Off
  TLSv1                           Off
  TLSv1.1                         Off
  TLSv1.2                         On
}
TTLSCipherParms                   cipher-KS3
{
  V3CipherSuites                  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  V3CipherSuites                  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  V3CipherSuites                  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  V3CipherSuites                  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}
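As an added example (not part of the IBM documentation or the product), the following Python checker parses AT-TLS policy text in the form shown above and verifies what the procedure depends on: the coupled ports from step 4 (KS3_RDM.LocalPortRange equals KS3_APPSRV_TO_RDM.RemotePortRange, and KS3_APPSRV.LocalPortRange equals KS3_APPSRV_TO_APPSRV.RemotePortRange), ports within 1 to 65535, every *Ref resolving to a defined block of the matching type, and only TLSv1.2 enabled. The embedded policy is a constructed, compacted subset of the example; the rule pairings and version expectations are taken from this page.

```python
import re

# Constructed sample, compacted from the page's example; real files put one statement per line.
SAMPLE_POLICY = """
TTLSRule KS3_RDM { LocalPortRange 12345 Direction Inbound
  TTLSGroupActionRef gAct1~KS3 TTLSEnvironmentActionRef eAct1~KS3_SRV }
TTLSRule KS3_APPSRV_TO_RDM { RemotePortRange 12345 Direction Outbound
  TTLSGroupActionRef gAct1~KS3 TTLSEnvironmentActionRef eAct1~KS3_CLIENT }
TTLSGroupAction gAct1~KS3 { TTLSEnabled On }
TTLSEnvironmentAction eAct1~KS3_SRV { HandshakeRole Server
  TTLSEnvironmentAdvancedParmsRef eAdv1~KS3 TTLSKeyringParmsRef keyring~KS3 }
TTLSEnvironmentAction eAct1~KS3_CLIENT { HandshakeRole Client
  TTLSEnvironmentAdvancedParmsRef eAdv1~KS3 TTLSKeyringParmsRef keyring~KS3 }
TTLSEnvironmentAdvancedParms eAdv1~KS3 { SSLv2 Off SSLv3 Off TLSv1 Off
  TLSv1.1 Off TLSv1.2 On }
TTLSKeyringParms keyring~KS3 { Keyring S3STC/KS3TRNG }
"""
PAIRS = [("KS3_RDM", "KS3_APPSRV_TO_RDM"), ("KS3_APPSRV", "KS3_APPSRV_TO_APPSRV")]
LEGACY = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

def parse(text):  # -> {(block_type, name): {key: [values]}}; repeated keys accumulate
    blocks, toks, i = {}, re.findall(r"\S+", text), 0  # whitespace tokenizer
    while i < len(toks):
        body, i = blocks.setdefault((toks[i], toks[i + 1]), {}), i + 3  # skip the '{'
        while toks[i] != "}":
            body.setdefault(toks[i], []).append(toks[i + 1])
            i += 2
        i += 1  # skip the '}'
    return blocks

def check(blocks):  # -> list of findings; an empty list means the policy is consistent
    out, rules = [], {n: b for (t, n), b in blocks.items() if t == "TTLSRule"}
    for (btype, name), body in blocks.items():
        for key, vals in body.items():
            # Every *Ref must name an existing block whose type is the key minus 'Ref'.
            if key.endswith("Ref") and (key[:-3], vals[0]) not in blocks:
                out.append(f"{name}.{key} -> {vals[0]} is not defined")
            if key in ("LocalPortRange", "RemotePortRange"):
                lo, _, hi = vals[0].partition("-")  # single port or low-high range
                if not all(p.isdigit() and 1 <= int(p) <= 65535 for p in (lo, hi or lo)):
                    out.append(f"{name}.{key} {vals[0]} is outside 1-65535")
        if btype == "TTLSEnvironmentAdvancedParms":  # TLSv1.2 only, as on the page
            if body.get("TLSv1.2") != ["On"]:
                out.append(f"{name}: TLSv1.2 is not explicitly On")
            out += [f"{name}: {p} is not explicitly Off" for p in LEGACY if body.get(p) != ["Off"]]
    for inbound, outbound in PAIRS:  # the coupled port parameters from step 4
        if inbound in rules and outbound in rules and \
           rules[inbound].get("LocalPortRange") != rules[outbound].get("RemotePortRange"):
            out.append(f"{inbound}.LocalPortRange != {outbound}.RemotePortRange")
    return out
```

Run check(parse(...)) over your own policy text; rules not present in the file are skipped, so partial policies can be checked as well.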

What to do next

Prevent AT-TLS connection failure with RDM and Application server encryption.