Step 11: Enabling AT-TLS for secured connections (Optional)
Enabling AT-TLS is the recommended way to secure connections to the STC. Use the IBM z/OS Communications Server Application Transparent Transport Layer Security (AT-TLS) feature with the STC as a basic AT-TLS application: the TCP/IP stack performs the TLS handshake, encryption and certificate processing on the STC's behalf, and the STC itself is unaware that its TCP/IP connections are encrypted.
About this task
Procedure
- Perform the steps required to enable AT-TLS for the TCP/IP stack (the TTLS parameter on the TCPCONFIG statement in the TCP/IP profile, and a configured and running Policy Agent). For more information on AT-TLS, see
- Create a new server certificate for the STC, or reuse an existing one.
- If a RACF keyring is used, create a keyring owned by the STC userid and connect the server certificate, together with the CA certificate that signed it, to that keyring.
- Create AT-TLS policy rules for the STC. For more information, see the example below.
- Grant the STC userid the permissions it needs to access keyrings and certificates, ICSF functions, and any other resources required by the AT-TLS policy rules.
Example of AT-TLS policy rules:
Placeholders used in the policy:

<USERID>  - Userid under which the STC runs
<STCNAME> - Job name of the STC
<PORT>    - Secure port: the value of the PORTNUM parameter in the STC parameters
<KEYRING> - Name of the RACF keyring owned by <USERID> that holds the server certificate

TTLSRule Server@Rule
{
   Userid                    <USERID>
   Jobname                   <STCNAME>
   LocalPortRange            <PORT>
   Direction                 Inbound
   Priority                  10
   TTLSGroupActionRef        Server@GrpAct
   TTLSEnvironmentActionRef  Server@Env
}
TTLSEnvironmentAction Server@Env
{
   HandshakeRole             Server
   TTLSCipherParmsRef        ServerCipherParams
   TTLSKeyRingParms
   {
      Keyring                <KEYRING>
   }
   TTLSEnvironmentAdvancedParms
   {
      ApplicationControlled  Off
      TLSv1.2                On
      TLSv1.3                On
   }
}
TTLSGroupAction Server@GrpAct
{
   TTLSEnabled               On
   Trace                     2
}
TTLSCipherParms ServerCipherParams
{
   V3CipherSuites            TLS_AES_128_GCM_SHA256
   V3CipherSuites            TLS_AES_256_GCM_SHA384
   V3CipherSuites            TLS_CHACHA20_POLY1305_SHA256
   V3CipherSuites            TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
   V3CipherSuites            TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
   V3CipherSuites            TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
   V3CipherSuites            TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
   V3CipherSuites            TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
   V3CipherSuites            TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
   V3CipherSuites            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
   V3CipherSuites            TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
   V3CipherSuites            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
   V3CipherSuites            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
   V3CipherSuites            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
   V3CipherSuites            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
   V3CipherSuites            TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
   V3CipherSuites            TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
   V3CipherSuites            TLS_DHE_RSA_WITH_AES_128_CBC_SHA
   V3CipherSuites            TLS_DHE_RSA_WITH_AES_256_CBC_SHA
   V3CipherSuites            TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
   V3CipherSuites            TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
}

Notes on the policy:
- The rule applies only to inbound connections to <PORT> accepted by job <STCNAME> running as <USERID>; connections the STC makes outbound, and any other listening ports, are not covered. ApplicationControlled Off means AT-TLS starts the handshake as soon as the connection is accepted, which is what makes the STC unaware of TLS.
- The policy turns TLS 1.2 and TLS 1.3 on but says nothing about TLS 1.0 and 1.1, so AT-TLS leaves the TLSv1 and TLSv1.1 settings at their defaults. Unless you have verified that those defaults are Off on your release, add TLSv1 Off and TLSv1.1 Off to TTLSEnvironmentAdvancedParms so that a client cannot negotiate down.
- The cipher list is ordered with the AEAD suites (GCM, ChaCha20-Poly1305) first. The *_CBC_SHA suites use CBC mode with an HMAC-SHA-1 MAC and are listed only for older clients; remove them if no client still needs them. The ECDHE_ECDSA suites are usable only if the keyring holds an ECC server certificate; with an RSA certificate the server negotiates the TLS 1.3, ECDHE_RSA and DHE_RSA suites.
- Trace 2 writes AT-TLS error messages to syslogd. Raise the level only while debugging a handshake problem, and lower it again afterwards.
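The certificate, keyring and permission steps of the procedure (steps 2, 3 and 5), written as a REXX exec that issues the RACF commands under TSO. This is an added example and is not part of the original page or of the product's own setup tooling. It uses the same <USERID> and <KEYRING> placeholders as the policy above; the certificate labels 'STC Server Cert' and 'Local CA', the subject and host name stc.example.com, the key size, the expiry date and the generic CSFSERV profile CSF* are assumptions for illustration, and the FACILITY profiles IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.LIST are assumed to already exist.

```rexx
/* REXX - RACF setup for the AT-TLS procedure (steps 2, 3 and 5).        */
/* Added example; not from the original page or the product.             */
/* Run under TSO (ISPF or IKJEFT01) with authority for RACDCERT/PERMIT.  */
/* <USERID> and <KEYRING> are the placeholders from the policy example.  */
/* Labels, subject, host name, key size, expiry date and the CSFSERV     */
/* profile name are assumptions for illustration.                        */

userid  = '<USERID>'             /* STC userid, as in TTLSRule Userid     */
keyring = '<KEYRING>'            /* ring named in TTLSKeyRingParms        */
label   = 'STC Server Cert'      /* assumed label for the new certificate */
calabel = 'Local CA'             /* assumed label of an existing RACF CA  */
host    = 'stc.example.com'      /* assumed name clients connect to       */

/* Step 2: server certificate for the STC, signed by the local CA.       */
/* ALTNAME(DOMAIN) matters: TLS clients check the host name against the  */
/* subject alternative name, not only the CN.                            */
cmd = "RACDCERT ID("userid") GENCERT",
      "SUBJECTSDN(CN('"host"') O('EXAMPLE') C('US'))",
      "ALTNAME(DOMAIN('"host"'))",
      "WITHLABEL('"label"')",
      "SIGNWITH(CERTAUTH LABEL('"calabel"'))",
      "SIZE(2048) NOTAFTER(DATE(2026-12-31))"
call racf cmd

/* Step 3: keyring owned by the STC userid. The server certificate is    */
/* the DEFAULT personal certificate; the CA certificate is connected as  */
/* well so the server can send the full chain to clients.                */
call racf "RACDCERT ID("userid") ADDRING("keyring")"
cmd = "RACDCERT ID("userid") CONNECT(ID("userid") LABEL('"label"')",
      "RING("keyring") USAGE(PERSONAL) DEFAULT)"
call racf cmd
cmd = "RACDCERT ID("userid") CONNECT(CERTAUTH LABEL('"calabel"')",
      "RING("keyring") USAGE(CERTAUTH))"
call racf cmd

/* Step 5: let the STC userid read its own keyring and certificates.     */
/* READ on IRR.DIGTCERT.LISTRING is enough for a ring the userid owns;   */
/* UPDATE would be needed only to use a ring owned by someone else.      */
call racf "PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID("userid")",
          "ACCESS(READ)"
call racf "PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID("userid")",
          "ACCESS(READ)"

/* ICSF services used by System SSL when the CSFSERV class is active.    */
/* CSF* is an assumed generic profile; adapt to the profiles you have.   */
call racf "PERMIT CSF* CLASS(CSFSERV) ID("userid") ACCESS(READ)"

/* Make the new permissions effective (only RACLISTed classes).          */
call racf "SETROPTS RACLIST(FACILITY CSFSERV) REFRESH"

/* Check: the ring must show the server cert as DEFAULT plus the CA.     */
call racf "RACDCERT ID("userid") LISTRING("keyring")"
exit 0

/* Issue one TSO command and stop on the first failure, so a partially  */
/* built keyring is not left behind unnoticed.                           */
racf: procedure
  parse arg cmd
  say cmd
  address TSO cmd
  if rc <> 0 then do
    say 'Command failed, rc='rc
    exit rc
  end
return
```

After the exec has run and the policy file is in place, refresh Policy Agent (F PAGENT,REFRESH), confirm with pasearch -t that the Server@Rule policy is installed, and use NETSTAT TTLS to see the rule attached to the STC's connections. The cleanest end-to-end check is a TLS client from off-platform, for example openssl s_client against host:<PORT>, verifying that TLS 1.2 or 1.3 is negotiated, that the certificate chain validates, and that a TLS 1.0 or 1.1 handshake is refused. Do not grant the STC userid access to the SERVAUTH EZB.INITSTACK profile to work around startup ordering: that would let it accept cleartext connections before Policy Agent has installed the AT-TLS policy.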