Configuring AT-TLS security

You can use Application Transparent Transport Layer Security (AT-TLS) to secure communications between the CAE Server, CAE Agent, and the ISPF Client.

About this task

If you choose not to use AT-TLS, then the CAE Server and the CAE Agent will use RC4 encryption.

The CAE Server supports CAE Agents with AT-TLS and CAE Agents with RC4 simultaneously. When AT-TLS is enabled, RC4 remains enabled as well, and the CAE Server tries to open a TLS socket on port 3449. It is highly recommended that you use AT-TLS and disable RC4 support after you have migrated all CAE Agents to AT-TLS.

Procedure

  1. Create the CAE Server keystore and import the certificates.
    The CAE Server requires two private certificates:
    Table 1. Required private certificates and aliases for CAE Server keystore and AT-TLS configuration

    Description and purpose                                                        Alias (to use when importing)
    Private certificate for the web server                                         WEBSERVER
    Private certificate for the TLS socket that listens for CAE Agent connections  CAE_AGENT_PORTAL
    Note: You can customize the TLS socket certificate alias that the CAE Server uses when opening a new TLS socket.

    If the CAE Server cannot find a private certificate with the alias WEBSERVER, the CAE Server uses the first private certificate in the KeyStore.

    If the CAE Server cannot find the private certificate with the alias CAE_AGENT_PORTAL, the CAE Server does not start the TLS socket for the CAE Agent and AT-TLS encryption is not possible.

    1. Create the new keystore:
      • If the CAE Server is installed on Windows, run the cqm_cert_install.bat script.
      • If the CAE Server is installed on USS, run SCQMSAMP member CQMCCERT.
    2. Import the certificates into the keystore:
      • If the CAE Server is installed on Windows, run the cqm_import_certs.bat script.
      • If the CAE Server is installed on USS, run SCQMSAMP member CQMICERT.
  2. To configure AT-TLS policy statements, refer to Configuring AT-TLS policy statements.
  3. Export the public certificate from the keyring that you created in Step 2 and import it into the default CAE Server truststore.
    1. If the CAE Server is installed on Windows:
      • Run cqm_export_cert.bat (located in the <cae_install_dir>\bin folder) to export the public certificate.
      • Specify the following additional arguments as appropriate:
        -keystore path_to_keystore
        The path to the CAE Server keystore. The default value is cae_install_dir\defaultKeystore.jks.
        -storepass keystore_password
        The password for the CAE Server keystore. The default value is "password".
        -alias alias_name
        (Required) The name of the alias of the certificate to be exported.

        For example: cqm_export_cert -alias CAE_AGENT_PORTAL

        Successful execution of the cqm_export_cert.bat script creates the file cae_install_dir\exportedcerts\alias_name.

      • Place the certificate you exported into the <cae_install_dir>\certs directory.
      • Run cqm_import_certs.bat -importincacerts to import the certificate into <cae_install_dir>\bin\jre\lib\security\cacerts.
    2. If the CAE Server is installed on USS:
      • Run SCQMSAMP member CQMECERT to export the public certificate.
      • Run SCQMSAMP member CQMICERT to import the certificate into the default CAE Server truststore.
  4. Edit the CQMCPRMS DD of CAE Agent job.
    1. Set ATTLS_ENABLED to Y.
    2. Set SERVER_PORT to 3449. The CAE Server opens a TLS socket for CAE Agents on this port by default. You can also customize this port using the com.rocketsoft.nm.qm.caeAgent.tlsListenerPort parameter (specified in cqm.server.properties).
  5. Restart the CAE Server and the CAE Agent.
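Because the CAE Server falls back silently when the WEBSERVER alias is missing and quietly skips the agent TLS socket when CAE_AGENT_PORTAL is missing, it is worth checking the keystore and truststore listings before the restart in Step 5. The following shell functions are an added example, not part of the product's scripts: they parse the standard `keytool -list` layout ("alias, date, EntryType,"; JKS aliases are listed in lowercase) and assume the truststore alias is passed in by the caller, since the page does not state which alias the import script uses.

```shell
# Usage: check_keystore "$(keytool -list -keystore defaultKeystore.jks -storepass password)"
# Returns 0 when both private certificates are present, 1 when CAE_AGENT_PORTAL
# is missing (no TLS socket for agents), 2 when only WEBSERVER is missing
# (server falls back to the first private certificate in the keystore).
check_keystore() {
    listing=$1
    webserver=$(printf '%s\n' "$listing" | grep -ic '^webserver,.*privatekeyentry,' || true)
    portal=$(printf '%s\n' "$listing" | grep -ic '^cae_agent_portal,.*privatekeyentry,' || true)
    if [ "$portal" -eq 0 ]; then
        echo "CAE_AGENT_PORTAL private certificate missing: agent TLS socket will not start" >&2
        return 1
    fi
    if [ "$webserver" -eq 0 ]; then
        echo "WEBSERVER private certificate missing: first private certificate will be used" >&2
        return 2
    fi
    return 0
}

# Usage: check_truststore "$(keytool -list -keystore path/to/cacerts -storepass changeit)" alias
# Returns 0 when the exported public certificate is present as a trusted entry.
check_truststore() {
    listing=$1
    alias=$2
    trusted=$(printf '%s\n' "$listing" | grep -ic "^$alias,.*trustedcertentry," || true)
    [ "$trusted" -gt 0 ]
}

# Constructed sample listings for a self-check (dates and fingerprints are dummies).
SAMPLE_KEYSTORE_OK='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

webserver, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22
cae_agent_portal, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 33:44:55'

SAMPLE_KEYSTORE_NO_PORTAL='webserver, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22'

SAMPLE_TRUSTSTORE='cae_agent_portal, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 33:44:55'
```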