Creating AT-TLS rules for secure communication between Data Streamer and data gatherers

To establish secure communication between the Data Streamer and the data gatherers through AT-TLS, you must create a TTLS rule in the Policy Agent.

Procedure

  1. Create a TTLS rule in the Policy Agent. For example,
    TTLSRule                          cdp_streamer_rule           
    {
      LocalAddrGroupRef               cdp_ip_addr_group
      LocalPortRange                  12345                       
      Jobname                         HBODSPRO                    
      Direction                       Inbound
      TTLSGroupActionRef              cdp_group_action
      TTLSEnvironmentActionRef        cdp_streamer_env
    }
    
    TTLSRule                          cdp_gatherer_rule           
    {
      RemoteAddrGroupRef              cdp_ip_addr_group
      RemotePortRange                 12345                       
      Direction                       Outbound
      TTLSGroupActionRef              cdp_group_action
      TTLSEnvironmentActionRef        cdp_gatherer_env
    }
    
    IpAddrGroup cdp_ip_addr_group                                 
    {
      IpAddr
      {
        Addr 9.9.9.9
      }
      IpAddr
      {
        Addr 127.0.0.1
      }
    }
    
    TTLSGroupAction                   cdp_group_action
    {
      TTLSEnabled                     On
      Trace                           3
    }
    
    TTLSEnvironmentAction             cdp_streamer_env
    {
      HandshakeRole                   Server
    
      TTLSKeyringParms
      {
         Keyring                      HBOLGF/Keyring.CDP           
      }
      TTLSCipherParmsRef              cdp_cipher_parms
      TTLSEnvironmentAdvancedParmsRef cdp_env_adv_parms
    }
    
    TTLSEnvironmentAction             cdp_gatherer_env
    {
      HandshakeRole                   Client
      TTLSKeyringParms
      {
         Keyring                      HBOLGF/Keyring.CDP          
      }
      TTLSCipherParmsRef              cdp_cipher_parms
      TTLSEnvironmentAdvancedParmsRef cdp_env_adv_parms
    }
    
    TTLSCipherParms                   cdp_cipher_parms            
    {
      V3CipherSuites                  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      V3CipherSuites                  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      V3CipherSuites                  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
      V3CipherSuites                  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    }
    
    TTLSEnvironmentAdvancedParms      cdp_env_adv_parms             
    {
       SSLv2                          Off
       SSLv3                          Off
       TLSv1                          Off
       TLSv1.1                        Off
       TLSv1.2                        On
    }

    The statements in this example are explained as follows.
    TTLSRule cdp_streamer_rule
    The TTLS rule cdp_streamer_rule defines the inbound connection from the data gatherers to the Data Streamer.
    LocalPortRange 12345
    The port number must be the port number that is specified in the Data Streamer started task JCL.
    Jobname HBODSPRO
    If the Data Streamer does not use the default job name, update the job name.
    TTLSRule cdp_gatherer_rule
    The TTLS rule cdp_gatherer_rule defines the outbound connection from the data gatherers to the Data Streamer.
    RemotePortRange 12345
    The port number must be the port number that is specified in the Data Streamer started task JCL.
    IpAddrGroup cdp_ip_addr_group
    The IP address group reflects the default configuration of the Data Streamer and the data gatherers. In this section, replace 9.9.9.9 with the primary IP address of the default TCP/IP stack. By default, the System Data Engine connects to the Data Streamer through the primary IP address of the default TCP/IP stack. The Log Forwarder and the user applications from which the Z Common Data Provider Open Streaming API gathers data connect to the Data Streamer through the loopback IP address (127.0.0.1).

    If you configure the Data Streamer to a specific IP address as described in Binding the Data Streamer to a specific IP address, the IP address group is not required and you can specify the IP address directly in the cdp_streamer_rule statement by using LocalAddr and in the cdp_gatherer_rule statement by using RemoteAddr.

    Keyring HBOLGF/Keyring.CDP
    The key ring name that is specified here is based on the example in Creating a RACF key ring for Data Streamer and data gatherers. The key ring must contain a default server certificate for the Data Streamer. The key ring is used for both the Data Streamer and the data gatherers.
    TTLSCipherParms cdp_cipher_parms
    In this section, specify a set of recommended TLS 1.2 cipher suites. You can adjust the list of cipher suites according to your site policy. If your z/OS® is version 2.4 or later, you can also use the following TLS 1.3 cipher suites:
    V3CipherSuites TLS_AES_256_GCM_SHA384
    V3CipherSuites TLS_AES_128_GCM_SHA256
    V3CipherSuites TLS_CHACHA20_POLY1305_SHA256
    TTLSEnvironmentAdvancedParms cdp_env_adv_parms
    In this section, specify one or more versions of the TLS protocol to be enabled for the communication between the Data Streamer and the data gatherers. If your z/OS is version 2.4 or later, you can also enable TLS 1.3.
  2. Run the following REFRESH command to refresh the Policy Agent configuration:
    MODIFY PAGENT,REFRESH
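Before running the REFRESH command in step 2, it is worth checking that the policy from step 1 actually says what you intend: every ...Ref keyword names a statement that exists, TTLSEnabled is On, only the recommended AEAD cipher suites are listed, and the legacy protocol versions are explicitly Off. The following Python script is an added example and not IBM code; it parses the brace-delimited Policy Agent syntax shown above (assuming each `{` and `}` sits on its own line, as in the example) and reports such findings. The sample policy embedded in it is a constructed, trimmed copy of the example, and the weakened variant is constructed to show what a finding looks like.

```python
"""Added example (not IBM code): parse and sanity-check an AT-TLS policy like the one above."""
from collections import defaultdict

# Suites the page recommends: the six TLS 1.2 suites plus the three TLS 1.3 suites.
RECOMMENDED_SUITES = set("""
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 TLS_CHACHA20_POLY1305_SHA256""".split())
LEGACY_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
REF_TARGETS = {k + "Ref": k for k in ("TTLSGroupAction", "TTLSEnvironmentAction",
                                     "TTLSCipherParms", "TTLSEnvironmentAdvancedParms")}
REF_TARGETS.update(LocalAddrGroupRef="IpAddrGroup", RemoteAddrGroupRef="IpAddrGroup")  # ref -> type

def parse_policy(text):  # assumes '{' and '}' each sit on their own line; '#' starts a comment
    lines = [ln for ln in (raw.split("#", 1)[0].strip() for raw in text.splitlines()) if ln]
    pos = 0
    def block():  # returns {"attrs": {key: [values...]}, "children": [nested statements]}
        nonlocal pos
        node = {"attrs": defaultdict(list), "children": []}
        while pos < len(lines):
            if lines[pos] == "}":
                pos += 1
                return node
            words = lines[pos].split()
            if pos + 1 < len(lines) and lines[pos + 1] == "{":  # "Type [name]" header line
                pos += 2
                child = block()
                child["type"], child["name"] = words[0], (words[1] if len(words) > 1 else None)
                node["children"].append(child)
            else:  # attribute line; repeated keys such as V3CipherSuites accumulate in a list
                node["attrs"][words[0]].append(" ".join(words[1:]))
                pos += 1
        return node
    return block()["children"]  # the top-level statements

def check_policy(text):
    """Return a list of findings; an empty list means every check passed."""
    stmts = parse_policy(text)
    by_type = defaultdict(dict)
    for s in stmts:
        by_type[s["type"]][s["name"]] = s
    first = lambda node, key: node["attrs"].get(key, [""])[0].lower()  # first value or ""
    findings = []
    for s in stmts:  # every ...Ref must name a defined statement of the right type
        for key, target in REF_TARGETS.items():
            findings += [f"{s['type']} {s['name']}: {key} {r} is not defined"
                         for r in s["attrs"].get(key, []) if r not in by_type[target]]
    findings += [f"TTLSGroupAction {n}: TTLSEnabled is not On"  # TLS must actually be switched on
                 for n, g in by_type["TTLSGroupAction"].items() if first(g, "TTLSEnabled") != "on"]
    for name, cp in by_type["TTLSCipherParms"].items():  # only the recommended AEAD suites
        findings += [f"TTLSCipherParms {name}: {cs} is not a recommended suite" for cs in
                     (cp["attrs"].get("V3CipherSuites") or ["<none>"]) if cs not in RECOMMENDED_SUITES]
    for name, adv in by_type["TTLSEnvironmentAdvancedParms"].items():  # legacy versions off
        findings += [f"TTLSEnvironmentAdvancedParms {name}: {v} is not explicitly Off"
                     for v in LEGACY_VERSIONS if first(adv, v) != "off"]  # absent keyword counts too
        if not any(first(adv, v) == "on" for v in ("TLSv1.2", "TLSv1.3")):
            findings.append(f"TTLSEnvironmentAdvancedParms {name}: neither TLSv1.2 nor TLSv1.3 is On")
    return findings

# Constructed sample: a trimmed copy of the page's policy, without the IP address group.
GOOD_POLICY = """TTLSRule cdp_streamer_rule
{
  LocalPortRange 12345
  TTLSGroupActionRef cdp_group_action
  TTLSEnvironmentActionRef cdp_streamer_env
}
TTLSGroupAction cdp_group_action
{
  TTLSEnabled On
}
TTLSEnvironmentAction cdp_streamer_env
{
  TTLSKeyringParms
  {
    Keyring HBOLGF/Keyring.CDP
  }
  TTLSCipherParmsRef cdp_cipher_parms
  TTLSEnvironmentAdvancedParmsRef cdp_env_adv_parms
}
TTLSCipherParms cdp_cipher_parms
{
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
TTLSEnvironmentAdvancedParms cdp_env_adv_parms
{
  SSLv2 Off
  SSLv3 Off
  TLSv1 Off
  TLSv1.1 Off
  TLSv1.2 On
}"""
# Constructed weakened variant: TLS 1.0 re-enabled and a CBC suite swapped in.
WEAK_POLICY = GOOD_POLICY.replace("TLSv1 Off", "TLSv1 On").replace(
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA")
if __name__ == "__main__":
    print(check_policy(GOOD_POLICY) or "OK", *check_policy(WEAK_POLICY), sep="\n")
```

The parser treats a line followed by `{` as a statement header and everything else as an attribute, which is enough for the policy statements used here; run it against the policy file itself before each MODIFY PAGENT,REFRESH so that a later edit cannot quietly re-enable TLS 1.0 or a non-AEAD suite.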