Enabling AT-TLS Secure Connectivity to the RMF Distributed Data Server (DDS)

If you have configured IBM® Z OMEGAMON AI for z/OS to use RMF data collection, secure connectivity to the RMF Distributed Data Server (DDS) using AT-TLS is the recommended configuration. Starting with z/OS V2R4, the RMF DDS default setting for GPMSERVE is HTTPS(ATTLS), which requires a secure AT-TLS connection to the server.

This configuration requires server and client RACF keyring and Policy Agent policy changes to enable the AT-TLS connection. The client policy agent changes that are described below must be done for each LPAR that is running an IBM Z OMEGAMON AI for z/OS monitoring agent.

Once the policy agent and RACF Keyring changes are done for the RMF Distributed Data Server, all client connections to it (including those from other applications) must be via a secure AT-TLS connection. For this reason, a recommended approach is to try out the configuration changes first on a test Sysplex with a limited number of LPARs.

Before you begin:
  • Ensure that the basic setup for the Policy Agent is done. For information about policy-based networking and data protection, see z/OS Communications Server: IP Configuration Reference.
  • Ensure that the basic certificate setup is complete. For information about handling certificates for secure communications with RACF, see the topic on digital certificates in z/OS Security Server RACF Security Administrator's Guide.
  • To enable AT-TLS and encrypted communication with the RMF DDS server, you need the following:
    • Valid server certificate and the associated server private key
    • Certificate from a trusted Certificate Authority (CA).

      The example in Figure 1 uses a key ring that is named DDSServerKeyring to store these credentials. This key ring must be accessible by the DDS server user ID (for example, GPMSERVE), and the server certificate must be the default certificate.

  • To enable secure communication for the IBM Z OMEGAMON AI for z/OS monitoring agents, you need a certificate from a trusted Certificate Authority (CA). The example in Figure 2 uses a key ring that is named DDSClientKeyring to store the credentials. This key ring must be accessible to the user IDs for the Remote TEMs and Hub TEMs started tasks that are running on z/OS where your IBM Z OMEGAMON AI for z/OS monitoring agents run.

For a sample setup that uses RACF, see "RACF and digital certificates" in z/OS Security Server RACF Security Administrator's Guide, specifically "Implementation Scenario 1" and "Implementation Scenario 2."

For other security management products, refer to the other product documentation for information about handling certificates and key rings.

Procedure

  1. Configure the Policy Agent to allow secure communication with the RMF DDS server.
    1. Enable the Policy Agent for AT-TLS. For information about AT-TLS data protection, see z/OS Communications Server: IP Configuration Reference.
    2. Configure the Policy Agent to specify secure communication for the DDS server. For a sample policy, see Figure 1.
       Figure 1. Sample AT-TLS policy for the RMF DDS server (GPMSERVE)

       #-------------------------------------------------#
       #  TYQ: Created this file for the pagent          #
       #  configuration for the GPMSERVE server.         #
       #-------------------------------------------------#

       # RMF DDS SERVER RULE
       TTLSRule                          DDSServerRule
       {
         LocalPortRange                  8803
         Jobname                         GPMSERVE
         Direction                       Inbound
         TTLSGroupActionRef              DDSServerGRP
         TTLSEnvironmentActionRef        DDSServerENV
       }
       TTLSGroupAction                   DDSServerGRP
       {
         TTLSEnabled                     On
         Trace                           255
       }
       TTLSEnvironmentAction             DDSServerENV
       {
         HandshakeRole                   Server
         TTLSKeyringParms
         {
           Keyring                       DDSServerKeyring
         }
       }
      Where the AT-TLS policy properties are set, as follows:
      TTLSRule: Jobname
      Identifies the program for which this rule applies, which is the RMF DDS server in this example (GPMSERVE). If you set the property as shown, the policy affects GPMSERVE only; it does not affect other programs that are running on the system.
      TTLSRule: LocalPortRange
      Specifies the port of the RMF DDS server, which is 8803 in the example.
      TTLSRule: Direction
      Specifies the direction from which a connection must be initiated for this rule's action to be performed. In the example, Inbound is specified, which means that the rule applies to connection requests that arrive inbound to the local host. An application must issue an accept request to service this connection.
      TTLSKeyringParms: Keyring
      Specifies the key ring name of the RMF DDS server, which is DDSServerKeyring in the example. The key ring must contain the server certificate, the associated server private key, and the certificate of the trusted Certificate Authority (CA).
  2. Configure the Policy Agent to require secure communication for the TEMS Server started tasks.
    For an example of a Policy Agent policy for setting up simple TLS protection for the TEMS Server started tasks, see Figure 2.
     Figure 2. Sample AT-TLS policy for the TEMS Server started tasks (client side)

     # RMF DDS CLIENT RULE
     TTLSRule                          DDSClientRule
     {
       RemotePortRange                 8803
       RemoteAddr                      9.xxx.yyy.zzz
       Direction                       Outbound
       TTLSGroupActionRef              DDSClientGroup
       TTLSEnvironmentActionRef        DDSClientEnvironment
     }
     TTLSGroupAction                   DDSClientGroup
     {
       TTLSEnabled                     On
       Trace                           255
     }
     TTLSEnvironmentAction             DDSClientEnvironment
     {
       TTLSKeyringParms
       {
         Keyring                       DDSClientKeyring
       }
       HandshakeRole                   Client
       Trace                           255
     }
    Where the AT-TLS policy properties are set, as follows:
    TTLSRule: RemoteAddr
    Specifies the remote IP address for which this rule's action is to be performed. In the example, it is the IP address of the remote RMF DDS server (9.xxx.yyy.zzz).
    TTLSRule: RemotePortRange
    Specifies the port of the remote RMF DDS server, which is 8803 in the example.
    TTLSRule: Direction
    Specifies the direction from which a connection must be initiated for this rule's action to be performed. In the example, Outbound is specified, which means that the rule applies to connection requests that are issued from the local host. An application must issue a connect request to initiate a connection.
    TTLSKeyringParms: Keyring
    Specifies the key ring name of the TEMS Server started task, which is DDSClientKeyring in the example. The key ring must contain the certificate of the trusted Certificate Authority (CA) that issued the server certificate.
  3. Refresh the Policy Agent to have your changes take effect.
    You can use the following command to refresh the Policy Agent:
    F PAGENT,REFRESH
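Steps 1 through 3 form one procedure, and the most common mistakes surface only after the refresh, when the handshake fails. The following Python script is an added example, not part of the IBM documentation and not a Policy Agent tool: it parses the two policy fragments in the same `Type Name { Key Value }` layout shown in Figure 1 and Figure 2, resolves each TTLSRule to the TTLSGroupAction and TTLSEnvironmentAction it references, and cross-checks the pair before you issue F PAGENT,REFRESH (server rule Inbound with HandshakeRole Server, client rule Outbound with HandshakeRole Client, TTLSEnabled On on both sides, matching port, a key ring on each side, and a real address in RemoteAddr). The function names (parse_policy, resolve, check_pair) are the example's own; the two policy strings are constructed copies of the page's figures, including the 9.xxx.yyy.zzz placeholder so the address check has something to flag.

```python
import ipaddress

SERVER_POLICY = """# Constructed copy of Figure 1 (server side, runs under GPMSERVE)
TTLSRule DDSServerRule
{
  LocalPortRange 8803
  Jobname GPMSERVE
  Direction Inbound
  TTLSGroupActionRef DDSServerGRP
  TTLSEnvironmentActionRef DDSServerENV
}
TTLSGroupAction DDSServerGRP
{
  TTLSEnabled On
  Trace 255
}
TTLSEnvironmentAction DDSServerENV
{
  HandshakeRole Server
  TTLSKeyringParms
  {
    Keyring DDSServerKeyring
  }
}"""
CLIENT_POLICY = """# Constructed copy of Figure 2 (client side, TEMS started tasks)
TTLSRule DDSClientRule
{
  RemotePortRange 8803
  RemoteAddr 9.xxx.yyy.zzz
  Direction Outbound
  TTLSGroupActionRef DDSClientGroup
  TTLSEnvironmentActionRef DDSClientEnvironment
}
TTLSGroupAction DDSClientGroup
{
  TTLSEnabled On
  Trace 255
}
TTLSEnvironmentAction DDSClientEnvironment
{
  TTLSKeyringParms
  {
    Keyring DDSClientKeyring
  }
  HandshakeRole Client
  Trace 255
}"""

def parse_policy(text):
    """Parse `Type Name { Key Value ... Nested { Key Value } }` blocks into {type: {name: {key: value}}}.
    Types and keys are lower-cased, nested keys are prefixed ('ttlskeyringparms:keyring'), '#' starts a comment."""
    policy, stack = {}, []              # stack of (key prefix, attribute dict) for open blocks
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "{":
            continue
        if line == "}":                 # closes the innermost open block
            stack.pop()
            continue
        parts = line.split()
        if not stack:                   # "Type Name" statement header
            stack.append(("", policy.setdefault(parts[0].lower(), {}).setdefault(parts[1], {})))
        elif len(parts) == 1:           # nested block header such as TTLSKeyringParms
            stack.append((stack[-1][0] + parts[0].lower() + ":", stack[-1][1]))
        else:                           # "Key Value" inside the current block
            stack[-1][1][stack[-1][0] + parts[0].lower()] = " ".join(parts[1:])
    return policy

def resolve(policy, label, errors):     # -> (rule, group action, environment action)
    (name, rule), = policy.get("ttlsrule", {}).items()   # exactly one rule per fragment
    found = []
    for kind in ("ttlsgroupaction", "ttlsenvironmentaction"):
        target = policy.get(kind, {}).get(rule.get(kind + "ref"))
        if target is None:
            errors.append(f"{label}: rule {name} references missing {kind} {rule.get(kind + 'ref')!r}")
        found.append(target or {})
    return (rule, *found)

def check_pair(server_text, client_text):
    """Cross-check the server and client fragments; returns (errors, warnings)."""
    errors, warnings = [], []
    s_rule, s_grp, s_env = resolve(parse_policy(server_text), "server", errors)
    c_rule, c_grp, c_env = resolve(parse_policy(client_text), "client", errors)
    for label, block, key, want in (   # each side enabled, Direction matching HandshakeRole, key ring present
            ("server", s_grp, "ttlsenabled", "on"), ("server", s_rule, "direction", "inbound"),
            ("server", s_env, "handshakerole", "server"), ("client", c_grp, "ttlsenabled", "on"),
            ("client", c_rule, "direction", "outbound"), ("client", c_env, "handshakerole", "client")):
        if block.get(key, "").lower() != want:
            errors.append(f"{label}: {key} should be {want}, found {block.get(key)!r}")
    for label, env in (("server", s_env), ("client", c_env)):
        if not env.get("ttlskeyringparms:keyring"):
            errors.append(f"{label}: TTLSEnvironmentAction has no TTLSKeyringParms Keyring")
    if s_rule.get("localportrange") != c_rule.get("remoteportrange"):
        errors.append(f"port mismatch: LocalPortRange {s_rule.get('localportrange')!r} vs RemotePortRange {c_rule.get('remoteportrange')!r}")
    try:                                # the page's 9.xxx.yyy.zzz is a placeholder, not an address
        ipaddress.ip_address(c_rule.get("remoteaddr", ""))
    except ValueError:
        warnings.append(f"client: RemoteAddr {c_rule.get('remoteaddr')!r} is not an IP address")
    for label, block in (("server", s_grp), ("server", s_env), ("client", c_grp), ("client", c_env)):
        if block.get("trace") == "255":
            warnings.append(f"{label}: Trace 255 enables every AT-TLS trace level; lower it after testing")
    return errors, warnings
```

Run it with the two fragments you intend to load; an empty error list means the pair is internally consistent, and the warnings list is where the unreplaced RemoteAddr placeholder and the Trace 255 settings (all AT-TLS trace levels on, useful while bringing the handshake up, noisy afterwards) are reported. The parser ignores the comment box and blank lines, and it is deliberately strict about one TTLSRule per fragment, since the page's design is one server rule on the DDS LPAR and one client rule per monitoring LPAR.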