Configuring AT-TLS security
You can use Application Transparent Transport Layer Security (AT-TLS) to secure communications between the CAE Server, CAE Agent, and the ISPF Client.
About this task
If you choose not to use AT-TLS, then the CAE Server and the CAE Agent will use RC4 encryption.
The CAE Server supports CAE Agents that use AT-TLS and CAE Agents that use RC4 simultaneously. When AT-TLS is enabled, RC4 remains enabled alongside it, and the CAE Server tries to open a TLS socket on port 3449. It is highly recommended that you use AT-TLS and disable RC4 support after you have migrated all CAE Agents to AT-TLS.
Procedure
- Create the CAE Server keystore and import the certificates.
The CAE Server requires two private certificates:
Table 1. Required private certificates and aliases for CAE Server keystore and AT-TLS configuration
- Private certificate for the web server: alias WEBSERVER (to use when importing)
- Private certificate for the TLS socket that listens for CAE Agent connections: alias CAE_AGENT_PORTAL (to use when importing)
Note: You can customize the TLS socket certificate alias that the CAE Server uses when opening a new TLS socket.
If the CAE Server cannot find a private certificate with the alias WEBSERVER, the CAE Server uses the first private certificate in the KeyStore.
If the CAE Server cannot find the private certificate with the alias CAE_AGENT_PORTAL, the CAE Server does not start the TLS socket for the CAE Agent and AT-TLS encryption is not possible.
- Create the new keystore:
- If the CAE Server is installed on Windows, run the cqm_cert_install.bat script.
- If the CAE Server is installed on USS, run SCQMSAMP member CQMCCERT.
- Import the certificates into the keystore:
- If the CAE Server is installed on Windows, run the cqm_import_certs.bat script.
- If the CAE Server is installed on USS, run SCQMSAMP member CQMICERT.
- Configure the AT-TLS policy statements:
- To configure AT-TLS policy statements, refer to Configuring AT-TLS policy statements.
- Export the public certificate from the keyring that you created in Step 2 and import it into the default CAE Server truststore.
- If the CAE Server is installed on Windows:
- Run cqm_export_cert.bat (located in the <cae_install_dir>\bin folder) to export the public certificate.
- Specify the following additional arguments as appropriate:
- -keystore path_to_keystore: The path to the CAE Server keystore. The default value is cae_install_dir\defaultKeystore.jks.
- -storepass keystore_password: The password for the CAE Server keystore. The default value is "password".
- -alias alias_name: (Required) The name of the alias of the certificate to be exported.
For example:
cqm_export_cert -alias CAE_AGENT_PORTAL
Successful execution of the cqm_export_cert.bat script creates the file cae_install_dir\exportedcerts\alias_name.
- Place the certificate you exported into the <cae_install_dir>\certs directory.
- Run cqm_import_certs.bat -importincacerts to import the certificate into <cae_install_dir>\bin\jre\lib\security\cacerts.
- If the CAE Server is installed on USS:
- Run SCQMSAMP member CQMECERT to export the public certificate.
- Run SCQMSAMP member CQMICERT to import the certificate into the default CAE Server truststore.
- If the CAE Server is installed on Windows:
- Edit the CQMCPRMS DD of the CAE Agent job.
- Set ATTLS_ENABLED to Y.
- Set SERVER_PORT to 3449. The CAE Server opens a TLS socket for CAE Agents on this port by default. You can also customize this port using the com.rocketsoft.nm.qm.caeAgent.tlsListenerPort parameter (specified in cqm.server.properties).
- Restart the CAE Server and the CAE Agent.
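A preflight check for the keystore aliases and CAE Agent parameters described in this procedure, added here as an example (it is not part of the product or of this page): it parses the output of keytool -list -v for the required private-certificate aliases and reports the fallback behaviour documented above when one is missing, then checks that ATTLS_ENABLED and SERVER_PORT agree with the CAE Server TLS listener port. The alias names, port and parameter names come from the page; the sample keytool listing, the KEY=VALUE layout assumed for CQMCPRMS and the cqm.server.properties format are constructed assumptions.

```python
import re

# Aliases, port and parameter names are from the page; the sample keytool
# listing, KEY=VALUE CQMCPRMS layout and properties format are constructed.
DEFAULT_TLS_PORT = 3449
SAMPLE_KEYTOOL = """\
Alias name: webserver
Entry type: PrivateKeyEntry
Alias name: cae_agent_portal
Entry type: PrivateKeyEntry
Alias name: rootca
Entry type: trustedCertEntry
"""
SAMPLE_CQMCPRMS = "ATTLS_ENABLED=Y\nSERVER_PORT=3449\n"
SAMPLE_PROPS = "com.rocketsoft.nm.qm.caeAgent.tlsListenerPort=3449\n"

def private_aliases(listing):
    """PrivateKeyEntry aliases from `keytool -list -v` output, in keystore order."""
    found, current = [], None
    for line in listing.splitlines():
        m = re.match(r"\s*Alias name:\s*(\S+)", line)
        if m:
            current = m.group(1)
        elif re.match(r"\s*Entry type:\s*PrivateKeyEntry", line) and current:
            found.append(current)
    return found

def check_keystore(listing):
    """Map each required alias to 'ok' or to the fallback the CAE Server applies."""
    privs = private_aliases(listing)
    lowered = [a.lower() for a in privs]  # keytool prints JKS aliases in lower case
    res = {"WEBSERVER": "ok", "CAE_AGENT_PORTAL": "ok"}
    if "webserver" not in lowered:  # server falls back to the first private certificate
        res["WEBSERVER"] = "missing: %s used instead" % (privs[0] if privs else "nothing")
    if "cae_agent_portal" not in lowered:  # no TLS listener for CAE Agents at all
        res["CAE_AGENT_PORTAL"] = "missing: TLS socket for CAE Agents not started"
    return res

def check_agent_params(cqmcprms, server_props):
    """Problems in the CAE Agent parameters relative to the CAE Server TLS port."""
    params = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", cqmcprms, re.M))
    m = re.search(r"^com\.rocketsoft\.nm\.qm\.caeAgent\.tlsListenerPort=(\d+)", server_props, re.M)
    port = int(m.group(1)) if m else DEFAULT_TLS_PORT
    problems = []
    if params.get("ATTLS_ENABLED") != "Y":
        problems.append("ATTLS_ENABLED must be Y")
    if params.get("SERVER_PORT") != str(port):
        problems.append("SERVER_PORT must be %d to match the CAE Server TLS listener" % port)
    return problems
```

Run check_keystore on the real keytool output of defaultKeystore.jks before starting the CAE Server; an empty list from check_agent_params means the CQMCPRMS values match the listener port the server will actually open.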