AT-TLS policy
A TTLS policy describes the desired AT-TLS rules. As defined in the Policy Agent configuration file, the TTLS policy is located in /etc/pagent.ttls.conf. The necessary definitions in your security software are covered later.
/etc/pagent.ttls.conf
##
## TCP/IP Policy Agent AT-TLS configuration information.
##
##-----------------------------
TTLSRule zOS_Debugger_Debug_Manager
{
LocalPortRange 5335
Direction Inbound
TTLSGroupActionRef grp_Production
TTLSEnvironmentActionRef act_zOS_Debugger_Debug_Manager
}
##-----------------------------
TTLSEnvironmentAction act_zOS_Debugger_Debug_Manager
{
HandshakeRole Server
TTLSKeyRingParms
{
Keyring dbgmgr.racf # Keyring must be owned by the Debug Manager
}
TTLSEnvironmentAdvancedParms
{
ApplicationControlled Off
## TLSV1.2 only for z/OS 2.1 and higher
# TLSV1.2 On # TLSv1 & TLSv1.1 are on by default
SSLV3 Off # disable SSLv3
}
}
##-----------------------------
TTLSGroupAction grp_Production
{
TTLSEnabled On
## TLSv1.2zOS1.13 only for z/OS 1.13
TTLSGroupAdvancedParmsRef TLSv1.2zOS1.13
Trace 3 # Log Errors to syslogd & IP joblog
#Trace 254 # Log everything to syslogd
}
##-----------------------------
TTLSGroupAdvancedParms TLSv1.2zOS1.13
{
Envfile /etc/pagent.ttls.TLS1.2zOS1.13.env
}
A TTLS policy allows for a wide range of filters to specify when a rule applies. Debug Manager is a server that listens on port 5335 for incoming connections from Debug Engine. This information is captured in the zOS_Debugger_Debug_Manager rule: LocalPortRange 5335 and Direction Inbound select only the connections arriving at the Debug Manager listener, and the rule then points at the group action and environment action that define how those connections are protected.
Since encrypted communication requires a server certificate, you specify that AT-TLS must use the certificate on the dbgmgr.racf key ring, which is owned by the Debug Manager started task user ID (HandshakeRole Server, because Debug Manager is the listening side). By default, TLS v1.2 support is disabled, so this policy explicitly enables it: on z/OS 2.1 and higher by uncommenting TLSV1.2 On in TTLSEnvironmentAdvancedParms, and on z/OS 1.13 through the environment file referenced by the TLSv1.2zOS1.13 group advanced parameters. SSLv3.0 is explicitly disabled due to known vulnerabilities in this protocol (for example POODLE). Note that TLSv1 and TLSv1.1 remain enabled by default; if all Debug Engine clients support TLS v1.2, consider disabling them as well (TLSV1 Off and TLSV1.1 Off in the same TTLSEnvironmentAdvancedParms block).
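The following is an added example and is not part of IBM's documentation or of the Policy Agent itself. It parses the policy shown above (embedded as a string so it runs offline) into nested dictionaries, resolves the zOS_Debugger_Debug_Manager rule to its group and environment actions, and reports protocol settings a reviewer would flag: SSLV3 not off, TLSV1 and TLSV1.1 left at their default (on), and TLSV1.2 not switched on in the environment action. The parser only covers the subset of AT-TLS syntax used on this page (Name [label] { ... } blocks, Keyword value statements and # comments), and the hardened variant assumes a z/OS level where TLSV1.2 On is accepted.

```python
"""Audit AT-TLS policy protocol settings. Added example; the parser handles
only the syntax subset used in the Debug Manager policy above."""

# The policy from this page, embedded so the example runs offline.
POLICY = """\
TTLSRule zOS_Debugger_Debug_Manager
{
LocalPortRange 5335
Direction Inbound
TTLSGroupActionRef grp_Production
TTLSEnvironmentActionRef act_zOS_Debugger_Debug_Manager
}
TTLSEnvironmentAction act_zOS_Debugger_Debug_Manager
{
HandshakeRole Server
TTLSKeyRingParms
{
Keyring dbgmgr.racf # Keyring must be owned by the Debug Manager
}
TTLSEnvironmentAdvancedParms
{
ApplicationControlled Off
# TLSV1.2 On # TLSv1 & TLSv1.1 are on by default
SSLV3 Off # disable SSLv3
}
}
TTLSGroupAction grp_Production
{
TTLSEnabled On
TTLSGroupAdvancedParmsRef TLSv1.2zOS1.13
Trace 3
}
TTLSGroupAdvancedParms TLSv1.2zOS1.13
{
Envfile /etc/pagent.ttls.TLS1.2zOS1.13.env
}
"""

# Constructed hardened variant (assumes z/OS 2.1 or later, where TLSV1.2 On is valid).
HARDENED_POLICY = POLICY.replace(
    "SSLV3 Off # disable SSLv3",
    "SSLV3 Off\nTLSV1 Off\nTLSV1.1 Off\nTLSV1.2 On",
)


def _strip_comment(line):
    """Policy Agent treats '#' to end of line as a comment."""
    return line.split("#", 1)[0].strip()


def _flush(stack, pending):
    """Commit a pending 'Keyword value' statement into the current block."""
    if pending is not None:
        stack[-1][pending[0]] = pending[1] if len(pending) > 1 else ""


def parse_policy(text):
    """Return nested dicts. Labelled blocks are keyed by (Type, name), unlabelled
    blocks by Type, statements by keyword. Keys are kept as written (no case folding)."""
    root, stack, pending = {}, [], None
    stack.append(root)
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        if line.endswith("{") and line != "{":   # 'Header {' on one line
            pending, line = line[:-1].split(None, 1), "{"
        if line == "{":
            if pending is None:
                raise ValueError("'{' without a block header")
            key = tuple(pending) if len(pending) > 1 else pending[0]
            block = {}
            stack[-1][key] = block
            stack.append(block)
            pending = None
        elif line == "}":
            _flush(stack, pending)
            pending = None
            stack.pop()
        else:
            _flush(stack, pending)      # a line becomes a statement only if no '{' follows
            pending = line.split(None, 1)
    _flush(stack, pending)
    return root


def audit_rule(policy, rule_name):
    """Resolve a TTLSRule to its actions and list weak or missing protocol
    settings. Returns a list of finding strings; an empty list means clean."""
    rule = policy[("TTLSRule", rule_name)]
    grp = policy[("TTLSGroupAction", rule["TTLSGroupActionRef"])]
    env = policy[("TTLSEnvironmentAction", rule["TTLSEnvironmentActionRef"])]
    adv = env.get("TTLSEnvironmentAdvancedParms", {})
    findings = []
    if grp.get("TTLSEnabled", "Off").lower() != "on":
        findings.append("TTLSEnabled is not On: traffic matched by this rule stays cleartext")
    if env.get("HandshakeRole", "").lower() != "server":
        findings.append("HandshakeRole is not Server for an inbound listener rule")
    for proto in ("SSLV3", "TLSV1", "TLSV1.1"):
        if adv.get(proto, "").lower() != "off":
            findings.append(f"{proto} is not explicitly Off")
    if adv.get("TLSV1.2", "").lower() != "on":
        msg = "TLSV1.2 is not On in TTLSEnvironmentAdvancedParms (Off by default)"
        ref = grp.get("TTLSGroupAdvancedParmsRef")
        envfile = policy.get(("TTLSGroupAdvancedParms", ref), {}).get("Envfile") if ref else None
        if envfile:
            msg += f"; it may be enabled in Envfile {envfile}, which this check does not read"
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for label, text in (("page policy", POLICY), ("hardened policy", HARDENED_POLICY)):
        print(label, audit_rule(parse_policy(text), "zOS_Debugger_Debug_Manager"))
```

For the page's policy the audit reports TLSV1 and TLSV1.1 as not disabled and TLSV1.2 as not enabled in the environment action (pointing at the Envfile that may enable it on z/OS 1.13); the hardened variant comes back clean. A real deployment should still be confirmed against the stack with the Policy Agent's own tooling, since this script reads only the file, not the installed policy.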