Set up AT-TLS (optional)
If you want to encrypt ICSF's communications with one or more regional cryptographic servers, you need to configure the z/OS Communications Server for AT-TLS. You will also need to configure each related regional cryptographic server to perform the server role for TLS.
Note: ICSF is the client.
The steps to do this are specific to the regional cryptographic server. See the vendor-provided documentation associated with the regional cryptographic server for more information.
At a minimum, the regional cryptographic server needs to be provisioned with a TLS server certificate and its associated certificate authority (CA) certificate. How you acquire these certificates is your choice. You may use z/OS Security Server (RACF) or equivalent certificate commands, or use z/OS Public Key Infrastructure Services (PKI). You may also choose to purchase your certificates from a commercial certificate authority.
The following are sample z/OS Security Server (RACF) TSO commands to create the CA and server certificates. The samples assume the following:
- The CA is to be labeled 'Regional Server CA'.
- One server certificate is to be created, where the hostname is nacc.company.com.
- The user ID assigned to the ICSF started task is ICSFU.
- All certificates are to be valid from January 1, 2015, through December 31, 2024.
- All certificates will have RSA 2048-bit keys.
- For RACDCERT EXPORT, 'hlq' is to be replaced with the desired data set high-level qualifier.
/* Create the CA certificate */
RACDCERT CERTAUTH GENCERT SUBJECTSDN(C('CN') O('Company.com')
   OU('Regional Server CA')) WITHLABEL('Regional Server CA') SIZE(2048)
   NOTBEFORE(DATE(2015-01-01)) NOTAFTER(DATE(2024-12-31))
/* Create the server certificate, signed by the CA created above */
RACDCERT SITE GENCERT SUBJECTSDN(C('CN') O('Company.com') CN('nacc.company.com'))
   WITHLABEL('nacc.company.com') SIZE(2048) NOTBEFORE(DATE(2015-01-01))
   NOTAFTER(DATE(2024-12-31)) SIGNWITH(CERTAUTH LABEL('Regional Server CA'))
/* Export the server certificate and private key to be installed on the regional server.
   The password is 'RegionalServer1' */
RACDCERT SITE EXPORT(LABEL('nacc.company.com')) FORMAT(PKCS12DER)
   PASSWORD('RegionalServer1') DSN('hlq.NACC.P12')
AT-TLS policy
The following is a sample z/OS Communications Server AT-TLS policy agent configuration file that may be used to enable AT-TLS whenever ICSF connects to a regional cryptographic server:
##
## AT-TLS Policy Agent Configuration file for ICSF Regional Crypto
##
TTLSRule ICSF-Client
{
   JobName CSF
   LocalAddr ALL
   RemoteAddr ALL
   RemotePortRange 1024-65535
   Direction Outbound
   Priority 255
   TTLSGroupActionRef ICSF-ClientGrp
   TTLSEnvironmentActionRef ICSF-ClientEnv
}
TTLSGroupAction ICSF-ClientGrp
{
   TTLSEnabled On
}
TTLSEnvironmentAction ICSF-ClientEnv
{
   HandshakeRole Client
   EnvironmentUserInstance 0
   TTLSEnvironmentAdvancedParms
   {
      TLSv1 On
      TLSv1.1 On
      TLSv1.2 On
   }
   TTLSKeyringParms
   {
      Keyring CSF.ICSF.KEYRING
   }
}
Notes:
- Check the JobName rule to ensure it matches the name of the ICSF started procedure.
- The keyring name may be changed if desired.
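The Python script below is an added example, not IBM code and not part of this topic; it parses a policy file written in the brace-delimited syntax of the sample above and reviews the ICSF client rule the way the notes suggest: it confirms that JobName matches the ICSF started task (the default, CSF, is the value from the sample and is an assumption), that the referenced group action enables TLS, that HandshakeRole is Client, and that a keyring is named. It also flags TLSv1 and TLSv1.1 when they are On, since TLS 1.0 and 1.1 were retired by RFC 8996; the "hardened" variant in the script is a constructed copy of the sample with those two versions switched off. The parser is simplified and covers only the statements used by this sample.

```python
# Added example (not IBM code): parse a z/OS AT-TLS policy file and review
# its ICSF client rule. Handles only the brace-delimited syntax shown on this page.
import re

# The sample policy from this page, embedded so the script runs offline.
SAMPLE_POLICY = """
TTLSRule ICSF-Client
{
  JobName CSF
  LocalAddr ALL
  RemoteAddr ALL
  RemotePortRange 1024-65535
  Direction Outbound
  Priority 255
  TTLSGroupActionRef ICSF-ClientGrp
  TTLSEnvironmentActionRef ICSF-ClientEnv
}
TTLSGroupAction ICSF-ClientGrp
{
  TTLSEnabled On
}
TTLSEnvironmentAction ICSF-ClientEnv
{
  HandshakeRole Client
  EnvironmentUserInstance 0
  TTLSEnvironmentAdvancedParms
  {
    TLSv1 On
    TLSv1.1 On
    TLSv1.2 On
  }
  TTLSKeyringParms
  {
    Keyring CSF.ICSF.KEYRING
  }
}
"""
# Constructed variant: the same policy with TLS 1.0 and 1.1 switched off.
HARDENED_POLICY = SAMPLE_POLICY.replace("TLSv1 On", "TLSv1 Off").replace("TLSv1.1 On", "TLSv1.1 Off")
DEPRECATED_VERSIONS = ("TLSv1", "TLSv1.1")  # retired by RFC 8996

def _tokenize(text):
    """Return statement lines with braces isolated, '#' comments and blanks removed."""
    lines = []
    for raw in re.sub(r"([{}])", r"\n\1\n", text).splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            lines.append(line)
    return lines

def _parse_block(lines, i):
    """Parse until the matching '}' -> (dict, next index). A line followed by '{' is a
    header: 'TTLSRule X' -> block['TTLSRule']['X'], 'TTLSKeyringParms' -> block['TTLSKeyringParms']."""
    block = {}
    while i < len(lines):
        line = lines[i]
        if line == "}":
            return block, i + 1
        if i + 1 < len(lines) and lines[i + 1] == "{":
            tokens = line.split()
            child, i = _parse_block(lines, i + 2)
            if len(tokens) > 1:
                block.setdefault(tokens[0], {})[tokens[1]] = child
            else:
                block[tokens[0]] = child
            continue
        key, _, value = line.partition(" ")  # plain 'Key Value' statement
        block[key] = value.strip()
        i += 1
    return block, i

def parse_policy(text):
    """Return the whole policy as nested dicts keyed by statement type and name."""
    return _parse_block(_tokenize(text), 0)[0]

def check_icsf_client_policy(text, started_task="CSF"):
    """Review every TTLSRule: JobName matches the ICSF started task, the group
    action enables TLS, HandshakeRole is Client, no deprecated protocol version
    is On, and a keyring is named. Returns a list of findings (empty = clean)."""
    policy = parse_policy(text)
    rules = policy.get("TTLSRule", {})
    if not rules:
        return ["no TTLSRule statement found"]
    findings = []
    for name, rule in rules.items():
        if rule.get("JobName") != started_task:
            findings.append(f"{name}: JobName {rule.get('JobName')!r} does not match started task {started_task!r}")
        group = policy.get("TTLSGroupAction", {}).get(rule.get("TTLSGroupActionRef"), {})
        if group.get("TTLSEnabled") != "On":
            findings.append(f"{name}: referenced group action does not enable TLS")
        env = policy.get("TTLSEnvironmentAction", {}).get(rule.get("TTLSEnvironmentActionRef"), {})
        if env.get("HandshakeRole") != "Client":
            findings.append(f"{name}: HandshakeRole is not Client")
        for version in DEPRECATED_VERSIONS:
            if env.get("TTLSEnvironmentAdvancedParms", {}).get(version) == "On":
                findings.append(f"{name}: deprecated protocol {version} is enabled")
        if not env.get("TTLSKeyringParms", {}).get("Keyring"):
            findings.append(f"{name}: no Keyring specified")
    return findings
```

Run check_icsf_client_policy on the sample and it reports the two deprecated protocol versions; on the constructed hardened variant it returns an empty list. Pass started_task with the actual name of your ICSF started procedure to perform the JobName check from the first note above.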
AT-TLS Authorization
The ICSF started task user ID must have authorization to the CSFPKE and CSFDSV profiles in the CSFSERV class. See z/OS Communications Server: IP Configuration Guide for details on encryption algorithms.
The keyring
The client keyring (named CSF.ICSF.KEYRING in the AT-TLS policy topic) must be created and populated with the certificate authority certificates used to issue the server certificates to the regional cryptographic servers. The following are sample z/OS Security Server (RACF) TSO commands to provision the keyring using the CA certificate created above:
/* Create the keyring under user ID ICSFU */
RACDCERT ID(ICSFU) ADDRING(CSF.ICSF.KEYRING)
/* Add the CA certificate to the keyring */
RACDCERT ID(ICSFU) CONNECT(CERTAUTH LABEL('Regional Server CA')
   RING(CSF.ICSF.KEYRING))
For more information on AT-TLS, see the topic Application Transparent Transport Layer Security data protection in z/OS Communications Server: IP Configuration Guide.