Step 11: Enabling AT-TLS for secured connections (Optional)

Enabling AT-TLS is the recommended way to secure connections to the STC. Use the IBM z/OS Communications Server Application Transparent Transport Layer Security (AT-TLS) feature with the STC running as a basic application: the TCP/IP stack performs the TLS handshake and encrypts the connection on the STC's behalf, and the STC itself is unaware that the TCP/IP connection is protected by TLS.

About this task

Steps to set up AT-TLS for the STC are as follows:

Procedure

  1. Perform required steps to enable AT-TLS for TCP/IP. For more information on AT-TLS, see
  2. Create a new server certificate for the STC, or use an existing one. The certificate type must match the cipher suites you enable: ECDHE_ECDSA suites need an ECC certificate, ECDHE_RSA and DHE_RSA suites an RSA certificate.
  3. If a RACF keyring is used, create a keyring owned by the STC userid, connect the server certificate to it as the default certificate, and connect the issuing CA certificate so the chain is complete.
  4. Create AT-TLS policy rules for the STC (see the example below) and activate them through the Policy Agent. Verify the active policy with the pasearch -t command and the state of AT-TLS connections with Netstat TTLS (netstat -x).
  5. Grant the STC userid the permissions it needs to use the AT-TLS policy rules: read access to its keyring and certificates (the FACILITY class profile IRR.DIGTCERT.LISTRING, or an RDATALIB class profile for that ring), the ICSF callable services in the CSFSERV class (System SSL uses ICSF for ECC and TLS 1.3), and any other resources the policy references.
    Example of AT-TLS policy rules (placeholders in angle brackets):
    
    <USERID>  - userid under which the STC runs
    <STCNAME> - job name of the STC
    <PORT>    - secure port; the PORTNUM parameter in the STC parameters
    <KEYRING> - RACF keyring owned by <USERID> that holds the server certificate
    
    # Server@Rule: match inbound connections to the STC's secure port, scoped
    # to the STC job name and userid so other listeners are not affected.
    TTLSRule Server@Rule                          
    {                                                      
      Userid                   <USERID>                     
      Jobname                  <STCNAME>
      LocalPortRange           <PORT>
      Direction                Inbound                     
      Priority                 10                          
      TTLSGroupActionRef       Server@GrpAct              
      TTLSEnvironmentActionRef Server@Env         
    }                                                      
    TTLSEnvironmentAction Server@Env              
    {                                                      
      HandshakeRole                     Server             
      TTLSCipherParmsRef                ServerCipherParams
      TTLSKeyRingParms                                     
      {                                                    
        Keyring <KEYRING>                                  
      }                                                    
      TTLSEnvironmentAdvancedParms                         
      {                                                    
        # Basic application: the STC does not use the AT-TLS ioctl, the
        # stack handles the whole handshake.
        ApplicationControlled           Off                
        # Accept only TLS 1.2 and 1.3. The defaults for the older protocol
        # versions depend on the z/OS release, so turn them off explicitly.
        SSLv3                           Off
        TLSv1                           Off
        TLSv1.1                         Off
        TLSv1.2                         On                 
        TLSv1.3                         On                 
      }                                                    
    }
    TTLSGroupAction Server@GrpAct
    { 
     TTLSEnabled On 
     # Trace 2: report AT-TLS errors to syslogd
     Trace 2 
    } 
    # Suites are listed in server preference order: the server picks the first
    # suite in this list that the client also offers. TLS 1.3 suites first,
    # then TLS 1.2 AEAD (GCM) suites. ECDHE_ECDSA suites require an ECC server
    # certificate, ECDHE_RSA and DHE_RSA suites an RSA one.
    TTLSCipherParms ServerCipherParams
    {                                                       
      V3CipherSuites TLS_AES_128_GCM_SHA256                 
      V3CipherSuites TLS_AES_256_GCM_SHA384                 
      V3CipherSuites TLS_CHACHA20_POLY1305_SHA256           
      V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      # CBC and SHA-1 suites are legacy; keep them only while a client needs them.
      V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA   
      V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA   
      V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
      V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
      V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  
      V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  
      V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA     
      V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA     
      V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256  
      V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384  
      V3CipherSuites TLS_DHE_RSA_WITH_AES_128_GCM_SHA256    
      V3CipherSuites TLS_DHE_RSA_WITH_AES_256_GCM_SHA384    
      V3CipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA       
      V3CipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA       
      V3CipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256    
      V3CipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA256    
    }
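    The RACF side of steps 2, 3 and 5 (certificate, keyring and least-privilege permissions), as an added worked example that is not part of the product documentation. It runs the RACF commands under TSO in batch and uses hypothetical names: userid STCUSER, keyring STCRING, certificate label STCCERT, a local CA already present with label LOCALCA, host name stc.example.com, and a site that secures keyring access with the RDATALIB class. It assumes a generic CSF* profile already exists in CSFSERV; substitute your own names and narrow the CSFSERV access to the services actually used.

```jcl
//RACFTLS  JOB (ACCT),'AT-TLS KEYRING',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example, not product documentation. Hypothetical names:
//* STCUSER (STC userid), STCRING (keyring), STCCERT (server cert),
//* LOCALCA (existing CA cert), stc.example.com (host name).
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Step 2: server certificate signed by the site CA, RSA 2048,      */
  /* usable for TLS handshakes only, with a SAN for the host name     */
  RACDCERT ID(STCUSER) GENCERT                                      +
    SUBJECTSDN(CN('stc.example.com') O('Example Corp') C('US'))    +
    WITHLABEL('STCCERT') SIGNWITH(CERTAUTH LABEL('LOCALCA'))       +
    SIZE(2048) NOTAFTER(DATE(2027-12-31)) KEYUSAGE(HANDSHAKE)      +
    ALTNAME(DOMAIN('stc.example.com'))
  /* Step 3: keyring owned by the STC userid; server cert is DEFAULT, */
  /* the CA cert is connected so clients receive a complete chain     */
  RACDCERT ID(STCUSER) ADDRING(STCRING)
  RACDCERT ID(STCUSER) CONNECT(ID(STCUSER) LABEL('STCCERT')         +
    RING(STCRING) DEFAULT USAGE(PERSONAL))
  RACDCERT ID(STCUSER) CONNECT(CERTAUTH LABEL('LOCALCA')            +
    RING(STCRING) USAGE(CERTAUTH))
  /* Step 5: least-privilege access for STCUSER                      */
  /* - read its own ring: RDATALIB profile <owner>.<ring>.LST, READ  */
  RDEFINE RDATALIB STCUSER.STCRING.LST UACC(NONE)
  PERMIT STCUSER.STCRING.LST CLASS(RDATALIB) ID(STCUSER) ACCESS(READ)
  /* - ICSF services used by System SSL (ECC, TLS 1.3 key derivation)*/
  /*   assumes a generic CSF* profile exists; narrow it where possible*/
  PERMIT CSF* CLASS(CSFSERV) ID(STCUSER) ACCESS(READ)
  SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB) REFRESH
  SETROPTS RACLIST(CSFSERV) REFRESH
  /* Check: the ring must show STCCERT as DEFAULT plus the CA cert    */
  RACDCERT ID(STCUSER) LISTRING(STCRING)
/*
```

    If the site uses the FACILITY class instead of RDATALIB, replace the two RDATALIB commands with READ access to IRR.DIGTCERT.LISTRING in the FACILITY class for STCUSER and refresh FACILITY. The final LISTRING is the check to run before activating the policy: a ring without the CA certificate, or with no DEFAULT certificate, causes the AT-TLS handshake to fail with a System SSL return code in the syslogd trace rather than a clear configuration error.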