Setting up AT-TLS

This section helps you with common problems that you might encounter when setting up Application Transparent Transport Layer Security (AT-TLS), or when checking or modifying an existing setup.

The Transport Layer Security (TLS) protocol defined in RFC 2246 (TLS 1.0; the TLS 1.2 version used in this section is defined in RFC 5246) provides communications privacy over the internet. Similar to its predecessor Secure Sockets Layer (SSL), the protocol enables client and server applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery. Application Transparent Transport Layer Security (AT-TLS) consolidates the TLS implementation for z/OS-based applications in one location, the TCP/IP stack, so that applications gain TLS protection through policy without being changed and without knowledge of the TLS protocol. For more information on AT-TLS, see Communications Server IP Configuration Guide (SC31-8775).

The information in this section shows how to set up the TCP/IP Policy Agent that manages AT-TLS and how to define a policy for use by DBGMGR on a z/OS® 1.13 system, with support for TLS v1.2.
  1. Setting up syslogd
  2. AT-TLS configuration in PROFILE.TCPIP
  3. Policy Agent started task
  4. Policy Agent configuration
  5. AT-TLS policy
  6. AT-TLS security updates
  7. AT-TLS policy activation
Throughout this section, a uniform naming convention is used:
  • Debug Manager port for external communication: 5335
  • Debug Manager user ID: stcdbm
  • Policy agent user ID: pagent
  • Certificate: dbgmgr
  • Key and certificate storage: dbgmgr.racf
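To show how these names fit together, the following is an added example of a minimal AT-TLS policy for DBGMGR; it is not taken from this page or from IBM product documentation. It uses the port, user ID, certificate label and key ring listed above. The rule and action names (DBGMGR_Rule, DBGMGR_Group, DBGMGR_Env), the trace level, and the choice to switch off SSLv2 and SSLv3 are assumptions, and the statements you need on your system may differ.

```text
# Added example: minimal AT-TLS policy for DBGMGR (not from the original page).
# Port, user ID, certificate and key ring follow the naming convention above;
# rule and action names, trace level and protocol settings are assumptions.

TTLSRule                         DBGMGR_Rule
{
  LocalPortRange                 5335           # Debug Manager external port
  Jobname                        DBGMGR         # apply only to the Debug Manager task
  Direction                      Inbound        # DBGMGR is the server side
  Priority                       255
  TTLSGroupActionRef             DBGMGR_Group
  TTLSEnvironmentActionRef       DBGMGR_Env
}

TTLSGroupAction                  DBGMGR_Group
{
  TTLSEnabled                    On
  Trace                          2              # assumption: errors to syslogd; raise while debugging
}

TTLSEnvironmentAction            DBGMGR_Env
{
  HandshakeRole                  Server
  TTLSKeyringParms
  {
    Keyring                      dbgmgr.racf    # RACF key ring; unqualified name is resolved
  }                                             # against the application user ID (stcdbm)
  TTLSEnvironmentAdvancedParms
  {
    CertificateLabel             dbgmgr         # server certificate in that ring
    SSLv2                        Off            # assumption: legacy protocols disabled
    SSLv3                        Off
    TLSv1.2                      On             # TLS 1.2 must be enabled explicitly on z/OS 1.13
  }
}
```

The Policy Agent configuration (a later step in this section) must point at the file containing this policy, and the key ring and certificate must exist and be readable by stcdbm before the policy is activated. After activation, `pasearch -t` from z/OS UNIX lists the TTLS policies the Policy Agent has installed, and the TSO command NETSTAT TTLS shows whether connections on port 5335 are actually being protected.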

Some of the tasks described in the following sections must be performed in the z/OS UNIX shell, which you enter by issuing the TSO command OMVS. Use the oedit command to edit files in z/OS UNIX, and use the exit command to return to TSO.