Sample z/OS IzODA Livy AT-TLS policy rules
The following example shows the sample AT-TLS policies that you can use in your TCPIP_TTLS.policy AT-TLS policy file for z/OS IzODA Livy. It is meant to be used in conjunction with the sample AT-TLS policies shown in "Sample configuration and AT-TLS policy rules for z/OS Spark client authentication" when AT-TLS is used as the Spark client authentication method.
For more information about AT-TLS policies, see z/OS IzODA Livy Installation and Customization. You can find detailed information about the syntax of each AT-TLS policy statement in "AT-TLS policy statements" in z/OS Communications Server: IP Configuration Reference.
AT-TLS policies when AT-TLS is used as the Spark client authentication method
#################################################################
##
## LivyServer_ATTLS is the port the Livy Server listens
## on for connections from external clients. This port
## supports AT-TLS security.
##
## The Livy Server port does not support port range retry.
##
## By default, livy-server binds to the port specified on
## livy.server.port in $LIVY_CONF_DIR/livy.conf.
##
#################################################################
PortRange LivyServer_ATTLS
{
  Port 8998
}
#################################################################
##
## KeyRing_Livy defines the keyring that will be used during
## Livy Server AT-TLS authentication.
##
#################################################################
TTLSKeyRingParms KeyRing_Livy
{
  Keyring LivyRing
}
#################################################################
##
## LivyServer_ATTLS and LivyClient_ATTLS are the rules that
## encrypt network traffic going into and out of the Livy Server
## port.
##
## The LivyClient_ATTLS rule is necessary only if you are going
## to submit jobs to the Livy Server from either the same LPAR or
## the same Sysplex. It is not needed if you will be only using
## external HTTP clients.
##
#################################################################
TTLSRule LivyServer_ATTLS
{
  Direction Inbound
  LocalPortRangeRef LivyServer_ATTLS
  TTLSGroupActionRef GroupAct_TTLS_On
  TTLSEnvironmentActionRef EnvAct_LivyServer_ATTLS
}
TTLSRule LivyClient_ATTLS
{
  Direction Outbound
  RemotePortRangeRef LivyServer_ATTLS
  TTLSGroupActionRef GroupAct_TTLS_On
  TTLSEnvironmentActionRef EnvAct_LivyClient_ATTLS
}
#################################################################
##
## EnvAct_LivyServer_ATTLS and EnvAct_LivyClient_ATTLS
## establish the environment for the connections that match the
## corresponding TTLSRules, using the role and keyring specified.
##
## Remove the EnvAct_LivyClient_ATTLS section if the corresponding
## TTLSRule is not present.
##
#################################################################
TTLSEnvironmentAction EnvAct_LivyServer_ATTLS
{
  HandshakeRole ServerWithClientAuth
  EnvironmentUserInstance 0
  TTLSKeyRingParmsRef KeyRing_Livy
  TTLSEnvironmentAdvancedParmsRef EnvAdv_TLS
}
TTLSEnvironmentAction EnvAct_LivyClient_ATTLS
{
  HandshakeRole Client
  EnvironmentUserInstance 0
  TTLSKeyRingParmsRef KeyRing_Livy
  TTLSEnvironmentAdvancedParmsRef EnvAdv_TLS
}
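
The rules above reference GroupAct_TTLS_On and EnvAdv_TLS, which this sample does not define, and the comments ask you to remove EnvAct_LivyClient_ATTLS when its TTLSRule is absent. The following Python check is an added example, not part of the IBM sample: it lists references that the merged policy file must still supply and statements that nothing references. It assumes that a "<Type>Ref" keyword names a "<Type>" statement and that every keyword takes a single value; parse and lint are hypothetical names.

```python
import re

# The Livy statements from the sample above, condensed (comments omitted).
LIVY_POLICY = """
PortRange LivyServer_ATTLS { Port 8998 }
TTLSKeyRingParms KeyRing_Livy { Keyring LivyRing }
TTLSRule LivyServer_ATTLS { Direction Inbound LocalPortRangeRef LivyServer_ATTLS
  TTLSGroupActionRef GroupAct_TTLS_On TTLSEnvironmentActionRef EnvAct_LivyServer_ATTLS }
TTLSRule LivyClient_ATTLS { Direction Outbound RemotePortRangeRef LivyServer_ATTLS
  TTLSGroupActionRef GroupAct_TTLS_On TTLSEnvironmentActionRef EnvAct_LivyClient_ATTLS }
TTLSEnvironmentAction EnvAct_LivyServer_ATTLS { HandshakeRole ServerWithClientAuth
  EnvironmentUserInstance 0 TTLSKeyRingParmsRef KeyRing_Livy
  TTLSEnvironmentAdvancedParmsRef EnvAdv_TLS }
TTLSEnvironmentAction EnvAct_LivyClient_ATTLS { HandshakeRole Client
  EnvironmentUserInstance 0 TTLSKeyRingParmsRef KeyRing_Livy
  TTLSEnvironmentAdvancedParmsRef EnvAdv_TLS }
"""

def parse(text):
    """Return {(type, name): [(keyword, value), ...]}; one value per keyword."""
    tokens = re.sub(r"#.*", "", text).replace("{", " { ").replace("}", " } ").split()
    stmts, i = {}, 0
    while i < len(tokens):
        stype, name = tokens[i], tokens[i + 1]
        if tokens[i + 2] != "{":
            raise ValueError(f"expected '{{' after {stype} {name}")
        end = tokens.index("}", i + 3)
        body = tokens[i + 3:end]
        stmts[(stype.lower(), name)] = list(zip(body[0::2], body[1::2]))
        i = end + 1
    return stmts

def lint(text):
    """Return (unresolved, orphaned) sets of (type, name) pairs."""
    stmts = parse(text)
    used = set()
    for params in stmts.values():
        for key, value in params:
            if key.endswith("Ref"):
                # Assumption: <Type>Ref names a <Type>; Local/Remote prefix dropped.
                target = re.sub(r"^(Local|Remote)", "", key[:-3])
                used.add((target.lower(), value))
    defined = set(stmts)
    rules = {k for k in defined if k[0] == "ttlsrule"}  # rules are entry points
    return used - defined, defined - used - rules

if __name__ == "__main__":
    unresolved, orphaned = lint(LIVY_POLICY)
    print("unresolved:", sorted(unresolved), "orphaned:", sorted(orphaned))
```

Run it against the combined policy text before installing it: an empty unresolved set means every Ref resolves within the file, and an orphaned entry such as EnvAct_LivyClient_ATTLS indicates a section that can be removed.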