Application Transparent Transport Layer Security (AT-TLS) is a service that is provided by the z/OS Communications Server Policy Agent (PAGENT) and the TCP/IP stack. The AT-TLS service manages TLS connections on behalf of applications that are running on the z/OS operating system, without changes to the applications themselves. For a host connection, you create the AT-TLS policy file, install the configuration files, and upload them to the z/OS system that needs them.
About this task
The following steps assume that AT-TLS is already up and running successfully on your system and that the policy agent is configured and activated. See the IBM z/OS V2R2 Communications Server: IP Configuration Guide (SC27-3650-06) and the IBM z/OS V2R2 Communications Server: IP Configuration Reference (SC27-3651-06) for more information.
The AT-TLS policy file (ttlsPol.txt) is produced by the IBM Configuration Assistant. You can use the IBM Configuration Assistant to create the file and to modify it if necessary. You can also use a text editor to modify the file that the Configuration Assistant produced, or to create the file from scratch. A sample policy file is provided at the end of this task procedure.
The preferred way to create the policy file is the IBM Configuration Assistant or, on more recent releases, the IBM z/OS Management Facility (z/OSMF).
Use these steps to create a policy file:
Procedure
- Download and install IBM Configuration Assistant for z/OS Communications Server, V1.13 or later. You create an AT-TLS policy file by using the Configuration Assistant GUI.
Note: Starting with z/OS Version 1 Release 1, the IBM Configuration Assistant is replaced by dialogs in the z/OS Management Facility (z/OSMF).
- Start the Configuration Assistant by clicking Start > All Programs > IBM Programs > IBM Configuration Assistant for z/OS > Configuration Assistant V1R13.
- From the Perspective menu, select AT-TLS.
- In the AT-TLS Perspective window, click Add a New z/OS Image.
- In the New z/OS Image window, enter information in the z/OS image name, Description, z/OS release and Key ring fields, and then click OK.
This key ring name must be the same name that you used when you first generated a key ring. See Configuring a secure communication between HyperSwap and the client.
- In the Proceed to the Next Step window, click Yes to add a TCP/IP stack to the z/OS image.
- In the New TCP/IP Stack Information window, type a stack name in the TCP/IP stack name field, add information to the Description field, and then click OK.
- In the AT-TLS Perspective window, click Add to create a connectivity rule.
- In the New Connectivity Rule wizard, click Next.
- Identify the data endpoints by completing the following fields:
  - In the Connectivity rule name field, enter a suffix for the name of the rule.
  - In the Local data endpoint field, select ALL_IP_Addresses.
  - In the Remote data endpoint field, select ALL_IP_Addresses.
  - Click Next.
  A generic rule that covers all local and remote addresses simplifies testing.
- Click Traffic Descriptor.
- Click Add to add a traffic descriptor.
- In the New Traffic Descriptor page, enter information in the Name and Description fields. Click Add.
In the New Traffic Type notebook, use the Details tab to specify the port configuration for the HyperSwap side of the connection.
- In the New Traffic Type notebook, click the Key Ring tab, specify the certificate label for your key ring, and click OK. Click OK again, and then click Close.
- In the New Connectivity Rule - Select Requirement Map page, click Create a new requirement map. Verify that this new map includes the traffic descriptor that you created in step 12.
- In the Name field, enter the name of the requirement map.
- Click Security Levels and add a security level.
The security level that you select must support TLSv1.2.
- Click Next.
- Click Advanced to add any other necessary stacks; otherwise, click Finish.
- Select the enabled rule from the list and click Apply Changes.
- On the Image Information tab, review the pertinent information and click Application Setup Tasks. Complete the initial setup tasks, including RACF directives and start procedures.
- In the Application Setup Tasks window, click Display All Instructions to see more detailed information. The Task Configure Installation Setup window opens.
- In the Task Configure Installation Setup window, click Location Information to input the installation setup. The Installation Location Setup window opens.
- Click Instructions to see the documentation that comes bundled with the application.
- In the Installation Location Setup window, enter your correct FTP information to upload the policy file. Click OK. After the file transfer, refresh or restart the policy agent (PAGENT).
- In the AT-TLS Perspective window, click Install Configuration Files. The generated policy files are installed for the z/OS image. The List of Configuration Files window opens.
- In an OMVS session, edit the /etc/pagent/conf.txt file by adding the following lines:
LogLevel=255
CommonTTLSConfig /etc/pagent/ttlsPol.txt
TTLSConfig /etc/pagent/ttlsPol.txt
- In an OMVS session, edit the /etc/pagent/env.txt file by adding the following lines:
PAGENT_CONFIG_FILE=/etc/pagent/conf.txt
PAGENT_LOG_FILE=/tmp/pagent2.log
- If the member PAGENT does not already exist in SYS1.PROCLIB, copy the sample JCL PAGENT in the TCPIP.SEZAINST library to the system procedure library (for example, SYS1.PROCLIB). Then edit the following line in SYS1.PROCLIB(PAGENT):
//STDENV DD PATH='/etc/pagent/env.txt',PATHOPTS=(ORDONLY)
- In the List of Configuration Files window, view the configuration files and click Install.
- In the Install Files to Remote Host window, confirm the credentials and the FTP logon information. Verify that the file location is /etc/pagent/ttlsPol.txt, and then click Go. The policy file is installed.
- Create a data set (datasetname in the command that follows) with the following content:
TCPCONFIG TTLS
- Issue the following command:
V TCPIP,TCPIP,OBEYFILE,datasetname
- If PAGENT is not already started, start it:
START PAGENT
- Cancel and restart HSIB:
START HSIB
Results
The policy file is created and deployed.
Example: AT-TLS policy file
##
## AT-TLS Policy Agent Configuration file for:
## Image: SC30
## Stack: TCPIP
##
## Created by the IBM Configuration Assistant for z/OS Communications Server
## Version 2 Release 2
## Backing Store = CSM_STORE
## Install History:
## 2017-01-24 20:40:01 : lascu to 9.12.4.211
##
## End of Configuration Assistant information
TTLSRule HS_test~1
{
LocalAddrSetRef addr1
RemoteAddrSetRef addr1
LocalPortRangeRef portR1
Direction Both
Priority 255
TTLSGroupActionRef gAct1~Basic_HS
TTLSEnvironmentActionRef eAct1~Basic_HS
TTLSConnectionActionRef cAct1~Basic_HS
}
TTLSGroupAction gAct1~Basic_HS
{
TTLSEnabled On
}
TTLSEnvironmentAction eAct1~Basic_HS
{
HandshakeRole Server
EnvironmentUserInstance 0
TTLSKeyringParmsRef keyR~SC30
}
TTLSConnectionAction cAct1~Basic_HS
{
HandshakeRole Server
TTLSCipherParmsRef cipher1~AT-TLS__Silver
TTLSConnectionAdvancedParmsRef cAdv1~Basic_HS
CtraceClearText Off
Trace 2
}
TTLSConnectionAdvancedParms cAdv1~Basic_HS
{
TLSv1.2 On
HandshakeTimeout 30
SecondaryMap Off
}
TTLSKeyringParms keyR~SC30
{
Keyring csmkeyring
}
TTLSCipherParms cipher1~AT-TLS__Silver
{
V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256
V3CipherSuites TLS_RSA_WITH_AES_128_GCM_SHA256
}
IpAddrSet addr1
{
Prefix 0.0.0.0/0
}
PortRange portR1
{
Port 5858
}
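As an added example (not IBM's code and not the page's own file), the following Python linter parses a policy written in the syntax of the sample above and reports what a reviewer checks before deploying it: *Ref names that point to no block, legacy protocol versions switched On, weak cipher suites, and the absence of TLSv1.2, which the procedure requires. It assumes flat, named top-level blocks as the Configuration Assistant emits them; the embedded policy is a constructed fragment, and the block type reached by stripping "Ref" from a TTLS*Ref keyword is an assumption that holds for the reference keywords in the sample.

```python
import re
SAMPLE_POLICY = """
## Constructed fragment laid out like the page's ttlsPol.txt sample; not the page's own file
TTLSRule HS_test~1
{
  TTLSConnectionActionRef cAct1~Basic_HS
}
TTLSConnectionAction cAct1~Basic_HS
{
  TTLSCipherParmsRef cipher1~AT-TLS__Silver
  TTLSConnectionAdvancedParmsRef cAdv1~Basic_HS
}
TTLSConnectionAdvancedParms cAdv1~Basic_HS
{
  TLSv1.2 On
}
TTLSCipherParms cipher1~AT-TLS__Silver
{
  V3CipherSuites TLS_RSA_WITH_AES_128_GCM_SHA256
}
"""
WEAK_CIPHER = re.compile(r"NULL|RC4|_DES_|3DES|EXPORT|_MD5$")  # fragments of weak suite names

def parse_policy(text):
    """Map (block type, name) -> [(keyword, value)]; handles flat, named blocks only."""
    blocks, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and surrounding blanks
        if line in ("", "{", "}"):
            cur = None if line == "}" else cur     # "}" closes the current block
            continue
        kw, val = (line.split(None, 1) + [""])[:2]
        if cur is None:                            # header line, e.g. "TTLSRule HS_test~1"
            blocks[(cur := (kw, val.rstrip("{ ")))] = []
        else:
            blocks[cur].append((kw, val))
    return blocks

def audit_policy(text):
    """Return findings; an empty list means the policy passes these checks."""
    blocks, findings, modern = parse_policy(text), [], False
    for (btype, bname), entries in blocks.items():
        for kw, val in entries:
            if kw.startswith("TTLS") and kw.endswith("Ref") and (kw[:-3], val) not in blocks:
                findings.append(f"{btype} {bname}: dangling {kw} -> {val}")
            elif kw in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1") and val.lower() == "on":
                findings.append(f"{btype} {bname}: legacy protocol {kw} enabled")
            elif kw == "V3CipherSuites" and WEAK_CIPHER.search(val):
                findings.append(f"{btype} {bname}: weak cipher suite {val}")
            modern |= kw in ("TLSv1.2", "TLSv1.3") and val.lower() == "on"
    return findings + ([] if modern else ["no AdvancedParms block enables TLSv1.2 or TLSv1.3"])
```

Run audit_policy on the text of /etc/pagent/ttlsPol.txt before the OBEYFILE step; the Configuration Assistant header comments are ignored by the parser.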