Sample z/OS IzODA Livy AT-TLS policy rules

The following example shows the sample AT-TLS policies that you can use in your TCPIP_TTLS.policy AT-TLS policy file for z/OS IzODA Livy. It is meant to be used together with the sample AT-TLS policies shown in Sample configuration and AT-TLS policy rules for z/OS Spark client authentication when AT-TLS is used as the Spark client authentication method.

For more information about AT-TLS policies, see z/OS IzODA Livy Installation and Customization. You can find detailed information about the syntax of each AT-TLS policy statement in "AT-TLS policy statements" in z/OS Communications Server: IP Configuration Reference.

AT-TLS policies when AT-TLS is used as the Spark client authentication method

#################################################################
##
## LivyServer_ATTLS is the port the Livy Server listens
## on for connections from external clients. This port
## supports AT-TLS security.
##
## The Livy Server port does not support port range retry.
##
## By default, livy-server binds to the port specified on
## livy.server.port in $LIVY_CONF_DIR/livy.conf.
##
#################################################################
PortRange                       LivyServer_ATTLS
{
Port                            8998
}
#################################################################
##
## KeyRing_Livy defines the keyring that will be used during
## Livy Server AT-TLS authentication.
##
#################################################################
TTLSKeyRingParms                KeyRing_Livy
{
Keyring                         LivyRing
}
#################################################################
##
## LivyServer_ATTLS and LivyClient_ATTLS are the rules that
## encrypt network traffic going into and out of the Livy Server
## port.
##
## The LivyClient_ATTLS rule is necessary only if you are going
## to submit jobs to the Livy Server from either the same LPAR or
## the same Sysplex.  It is not needed if you will be only using 
## external HTTP clients.
##
#################################################################
TTLSRule                        LivyServer_ATTLS
{
Direction                       Inbound
LocalPortRangeRef               LivyServer_ATTLS
TTLSGroupActionRef              GroupAct_TTLS_On
TTLSEnvironmentActionRef        EnvAct_LivyServer_ATTLS
}
TTLSRule                        LivyClient_ATTLS
{
Direction                       Outbound
RemotePortRangeRef              LivyServer_ATTLS
TTLSGroupActionRef              GroupAct_TTLS_On
TTLSEnvironmentActionRef        EnvAct_LivyClient_ATTLS
}
#################################################################
##
## EnvAct_LivyServer_ATTLS and EnvAct_LivyClient_ATTLS
## establish the environment for the connections that match the 
## corresponding TTLSRules, using the role and keyring specified.
##
## Remove the EnvAct_LivyClient_ATTLS section if the corresponding 
## TTLSRule is not present.
##
#################################################################
TTLSEnvironmentAction           EnvAct_LivyServer_ATTLS
{
HandshakeRole                   ServerWithClientAuth
EnvironmentUserInstance         0
TTLSKeyRingParmsRef             KeyRing_Livy
TTLSEnvironmentAdvancedParmsRef EnvAdv_TLS
}
TTLSEnvironmentAction           EnvAct_LivyClient_ATTLS
{
HandshakeRole                   Client
EnvironmentUserInstance         0
TTLSKeyRingParmsRef             KeyRing_Livy
TTLSEnvironmentAdvancedParmsRef EnvAdv_TLS
}
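The sample above references two statements, GroupAct_TTLS_On and EnvAdv_TLS, that are defined in the companion Spark client-authentication sample rather than here, so a policy file assembled from this fragment alone has dangling references. The following Python script is an added example (not IBM's code and not part of the z/OS product) that parses a flat AT-TLS policy fragment, reports every *Ref attribute that does not resolve to a defined statement, and flags any Inbound TTLSRule whose environment action does not use HandshakeRole ServerWithClientAuth. The policy text and the companion stubs embedded in it are constructed for the example; the stub contents are placeholders for whatever the companion sample actually defines, and the parser assumes the one-statement-per-line layout used above (nested inline blocks are skipped rather than interpreted).

```python
"""Sanity-check an AT-TLS policy fragment: dangling references and
server rules that do not require client certificates."""

# Reference attributes and the statement type each must point at
# (names as used in the Livy sample policy).
REF_TARGETS = {
    "LocalPortRangeRef": "PortRange",
    "RemotePortRangeRef": "PortRange",
    "TTLSGroupActionRef": "TTLSGroupAction",
    "TTLSEnvironmentActionRef": "TTLSEnvironmentAction",
    "TTLSKeyRingParmsRef": "TTLSKeyRingParms",
    "TTLSEnvironmentAdvancedParmsRef": "TTLSEnvironmentAdvancedParms",
}

# Constructed policy fragment modelled on the Livy sample (not the full file).
SAMPLE_POLICY = """
PortRange LivyServer_ATTLS
{
Port 8998
}
TTLSKeyRingParms KeyRing_Livy
{
Keyring LivyRing
}
TTLSRule LivyServer_ATTLS
{
Direction Inbound
LocalPortRangeRef LivyServer_ATTLS
TTLSGroupActionRef GroupAct_TTLS_On
TTLSEnvironmentActionRef EnvAct_LivyServer_ATTLS
}
TTLSEnvironmentAction EnvAct_LivyServer_ATTLS
{
HandshakeRole ServerWithClientAuth
TTLSKeyRingParmsRef KeyRing_Livy
TTLSEnvironmentAdvancedParmsRef EnvAdv_TLS
}
"""

# Constructed placeholder stubs standing in for the statements the companion
# Spark client-authentication sample supplies; contents are illustrative only.
COMPANION_STUBS = """
TTLSGroupAction GroupAct_TTLS_On
{
TTLSEnabled On
}
TTLSEnvironmentAdvancedParms EnvAdv_TLS
{
ClientAuthType Required
}
"""


def parse_policy(text):
    """Return {(statement_type, name): {attribute: value}} for top-level blocks.
    '#' comments are stripped; inline nested blocks are skipped."""
    blocks = {}
    pending = None   # (type, name) header waiting for its '{'
    current = None   # key of the top-level block being filled
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "{":
            depth += 1
            if depth == 1 and pending is not None:
                current = pending
                blocks[current] = {}
            pending = None
            continue
        if line == "}":
            depth -= 1
            if depth == 0:
                current = None
            continue
        tokens = line.split()
        if depth == 0:
            pending = (tokens[0], tokens[1] if len(tokens) > 1 else "")
        elif depth == 1 and current is not None and len(tokens) >= 2:
            blocks[current][tokens[0]] = tokens[1]
        elif depth == 1:
            pending = (tokens[0], "")   # inline block header; body ignored
    return blocks


def find_dangling_refs(blocks):
    """List (statement_key, attribute, target) for references with no definition."""
    missing = []
    for key, attrs in blocks.items():
        for attr, target in attrs.items():
            if attr in REF_TARGETS and (REF_TARGETS[attr], target) not in blocks:
                missing.append((key, attr, target))
    return missing


def server_rules_without_client_auth(blocks):
    """Names of Inbound TTLSRules whose environment action does not
    require a client certificate (HandshakeRole other than ServerWithClientAuth)."""
    weak = []
    for (stype, name), attrs in blocks.items():
        if stype != "TTLSRule" or attrs.get("Direction") != "Inbound":
            continue
        env_key = ("TTLSEnvironmentAction", attrs.get("TTLSEnvironmentActionRef"))
        if blocks.get(env_key, {}).get("HandshakeRole") != "ServerWithClientAuth":
            weak.append(name)
    return weak


if __name__ == "__main__":
    alone = parse_policy(SAMPLE_POLICY)
    for key, attr, target in find_dangling_refs(alone):
        print(f"{key[0]} {key[1]}: {attr} -> {target} is not defined")
    merged = parse_policy(SAMPLE_POLICY + COMPANION_STUBS)
    print("dangling after merge:", find_dangling_refs(merged))
    print("inbound rules without client auth:", server_rules_without_client_auth(merged))
```

Run against the fragment on its own, the script reports the two unresolved references (GroupAct_TTLS_On and EnvAdv_TLS); once the companion statements are appended it reports none. The client-auth check is the one worth keeping in a review pipeline: if someone later relaxes the Livy server environment action to HandshakeRole Server, the rule still encrypts traffic but no longer authenticates the submitting client, which defeats the purpose of using AT-TLS as the client authentication method.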