Enabling TLS/SSL for ADNR
Consider whether to use AT-TLS for security between ADNR and the z/OS® Load Balancing Advisor. AT-TLS provides the ability to authenticate a client, check authorizations, and encrypt data. You must restrict the ability to establish a connection to the Advisor, because sensitive interfaces can be exploited after a connection is accepted by the Load Balancing Advisor. Because ADNR acts as a client to the Load Balancing Advisor SASP port, it must be explicitly authorized to establish its connection to the Load Balancing Advisor.
You can use one or both of the following methods to authorize the connection to the z/OS Load Balancing Advisor:
- You can explicitly configure the host_connection_addr keyword on the gwm statement in the ADNR configuration file, and the corresponding lb_id_list statement in the Advisor's configuration file.
- You can establish policies using the z/OS Policy Agent so that ADNR is required to use AT-TLS.
Although the configuration parameters might be sufficient in environments where the Load Balancing Advisor and ADNR are inside a secure network (for example, one that is isolated by a firewall), they might not be sufficient in environments where the network is considered less secure or where protection against IP address spoofing attacks is important. For more information about using AT-TLS, see Application Transparent Transport Layer Security data protection. For more information about the Advisor, see z/OS Load Balancing Advisor.