Defining and installing AT-TLS policies
Define and install AT-TLS policies by using the IBM® Configuration Assistant for z/OS® Communications Server.
Before you begin
- Configure and activate PAGENT by following the instructions in Configuring and activating the policy agent (PAGENT).
About this task
Procedure
1. Start the Configuration Assistant by clicking Start > All Programs > IBM Programs > IBM Configuration Assistant for z/OS > Configuration Assistant V1R10.
2. Click Add a New z/OS Image, enter the name of your z/OS image (LPAR) and a description, then click OK.
3. In the Configuration Assistant Navigation pane, select the image that you added in step 2, click Add New TCP/IP Stack, enter the stack name and description, then click OK.
4. In the Configuration Assistant Navigation pane, select the stack that you added in step 3, select AT-TLS from the list of technologies, then click Enable.
5. Click Configure.
6. Click Add. The Connectivity Rule wizard opens. Click Next.
7. Identify the data endpoints by completing the following fields. A generic rule facilitates testing, but can be made more specific later.
   - In the Local data endpoint field, select ALL_IP_Addresses.
   - In the Remote data endpoint field, select ALL_IP_Addresses.
   - In the Connectivity Rule Name field, enter a suffix for the name of the rules, then click Next.
8. Select a requirement map by clicking Add. The map is used to match the type of IP traffic with the security level to be implemented by AT-TLS.
9. Enter a name and description for the requirement map, then click Work with Traffic Descriptors. Two traffic descriptors are required: one for the inbound SOAP requests (IBM Integration Bus is the server), and another for the outbound SOAP requests (IBM Integration Bus is the client).
10. Create an inbound traffic descriptor by clicking Add, enter a name and description, then click OK.
11. Enter details about the inbound traffic descriptor:
    - For the local port, select Single port and set the port number to 7800 (the port on which the SOAPInput node normally listens).
    - For the remote port, select All ports.
    - Set the Indicate the TCP connect direction field to Inbound only.
    - In the Jobname field, enter an asterisk (*).
    - In the User ID field, enter an asterisk (*).
    - Select Use the following key ring database.
    - Select Key ring is in SAF product (such as RACF), then enter the name of the key ring.
    - Set the AT-TLS handshake role to Server, then click AT-TLS Advanced.
    - Enter the label of the IBM Integration Bus personal certificate, then click OK.
12. Click OK to save the traffic details for inbound SOAP traffic, then click OK to create the traffic descriptor for inbound SOAP.
13. Create an outbound traffic descriptor by clicking Add, enter a name and description, then click OK.
14. Enter details about the outbound traffic descriptor:
    - For the local port, select All ports.
    - For the remote port, select Single port and set the port number to 7843.
    - Set the Indicate the TCP connect direction field to Outbound only.
    - In the Jobname field, enter an asterisk (*).
    - In the User ID field, enter an asterisk (*).
    - Select Use the following key ring database.
    - Select Key ring is in SAF product (such as RACF), then enter the name of the key ring.
    - Set the AT-TLS handshake role to Client, then click AT-TLS Advanced.
    - Enter the label of the IBM Integration Bus personal certificate, then click OK.
15. Click OK to save the traffic details for outbound SOAP traffic, then click OK to create the traffic descriptor for outbound SOAP.
16. Click Close.
17. To create a security level for IBM Integration Bus, click Work with Security Levels, then click Add.
18. On the Name and Type tab, enter a name and description.
19. On the Ciphers tab, select Use TLS V1, Use SSL V3, and Use System SSL defaults, then click OK.
20. To add traffic descriptors to the requirement map, select SOAP_Server and SOAP_Client from the Objects list, then click Add.
21. For each traffic descriptor, select the AT-TLS security level that you created in step 17, then click OK.
22. Click Next and set the appropriate Optional Connectivity Rule Settings, which are used to set tracing levels, tuning parameters, and timings when the rule is in effect.
23. Click Finish.
24. To save changes to the AT-TLS rules, click Apply changes, then click Main perspective.
25. To install the AT-TLS policy, select the AT-TLS technology, click Install, then click FTP to send the policy rules to the LPAR.
26. Specify the FTP parameters:
    - Enter the LPAR host name and set the port number to 21.
    - Enter your user ID and password.
    - Enter the AT-TLS policy file location and name (for example, /etc/pagent/TCPIP_TTLS.policy).
    - Select Default transfer mode.
27. Click Send, wait for the file transfer to complete, then check that the transfer was successful.
28. Click Close.
29. After the file transfer, refresh or restart PAGENT.
The AT-TLS policies have been created and deployed.
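The procedure produces an AT-TLS policy file that PAGENT reads (the path given above as an example is /etc/pagent/TCPIP_TTLS.policy). The following added example is not part of the IBM documentation or of the Configuration Assistant: it parses a policy written in the AT-TLS policy syntax (TTLSRule, TTLSGroupAction, TTLSEnvironmentAction, TTLSKeyringParms and TTLSEnvironmentAdvancedParms statements), follows each rule to its environment action, key ring and certificate label, and reports what a reviewer would compare against the inbound and outbound traffic descriptors and the Ciphers tab: whether the handshake role matches the connect direction, whether the rule still matches all local and remote addresses (the generic rule the procedure starts with), and which protocol versions are explicitly switched on, flagging SSL V3 as a legacy protocol. The sample policy, its object names (SOAP_Server~1, gAct~IIB, and so on), the key ring name IIB.KEYRING and the certificate label IIB_CERT are constructed for this example; the Configuration Assistant lays out its generated file differently.

```python
# Constructed sample in AT-TLS policy syntax; object names, key ring and
# certificate label are assumptions, not Configuration Assistant output.
SAMPLE_POLICY = """\
TTLSRule SOAP_Server~1
{
  LocalAddr                ALL
  RemoteAddr               ALL
  LocalPortRange           7800
  Direction                Inbound
  TTLSGroupActionRef       gAct~IIB
  TTLSEnvironmentActionRef eAct~SOAP_Server
}
TTLSRule SOAP_Client~1
{
  LocalAddr                ALL
  RemoteAddr               ALL
  RemotePortRange          7843
  Direction                Outbound
  TTLSGroupActionRef       gAct~IIB
  TTLSEnvironmentActionRef eAct~SOAP_Client
}
TTLSGroupAction gAct~IIB
{
  TTLSEnabled              On
}
TTLSEnvironmentAction eAct~SOAP_Server
{
  HandshakeRole                   Server
  TTLSKeyringParmsRef             keyR~IIB
  TTLSEnvironmentAdvancedParmsRef eAdv~IIB
}
TTLSEnvironmentAction eAct~SOAP_Client
{
  HandshakeRole                   Client
  TTLSKeyringParmsRef             keyR~IIB
  TTLSEnvironmentAdvancedParmsRef eAdv~IIB
}
TTLSKeyringParms keyR~IIB
{
  Keyring                  IIB.KEYRING
}
TTLSEnvironmentAdvancedParms eAdv~IIB
{
  SSLv3                    On
  TLSv1                    On
  CertificateLabel         IIB_CERT
}
"""

PROTOCOL_KEYS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

def parse_policy(text):
    """Return {statement_type: {name: {parameter: value}}}; '#' starts a comment."""
    policy, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "{":
            continue
        if line == "}":
            current = None
        elif current is None:
            stype, name = line.split()  # statement header: "<type> <name>"
            current = policy.setdefault(stype, {}).setdefault(name, {})
        else:
            key, _, value = line.partition(" ")
            current[key] = value.strip()
    return policy

def resolve_rule(policy, rule_name):
    """Follow a TTLSRule's references to the settings that govern its connections.
    Only protocol versions explicitly switched On are listed (release defaults are not modelled)."""
    rule = policy["TTLSRule"][rule_name]
    env = policy["TTLSEnvironmentAction"][rule["TTLSEnvironmentActionRef"]]
    keyring = policy["TTLSKeyringParms"][env["TTLSKeyringParmsRef"]]
    adv = policy.get("TTLSEnvironmentAdvancedParms", {}).get(
        env.get("TTLSEnvironmentAdvancedParmsRef"), {})
    return {
        "direction": rule.get("Direction", "Both"),
        "port": rule.get("LocalPortRange") or rule.get("RemotePortRange"),
        "handshake_role": env["HandshakeRole"],
        "keyring": keyring["Keyring"],
        "certificate_label": adv.get("CertificateLabel"),
        "protocols": [p for p in PROTOCOL_KEYS if adv.get(p) == "On"],
    }

def check_policy(policy):
    """Return review findings: role/direction mismatch, wildcard endpoints, legacy protocols."""
    findings = []
    for name, rule in policy.get("TTLSRule", {}).items():
        s = resolve_rule(policy, name)
        expected = {"Inbound": "Server", "Outbound": "Client"}.get(s["direction"])
        if expected and not s["handshake_role"].startswith(expected):
            findings.append(f"{name}: Direction {s['direction']} but HandshakeRole {s['handshake_role']}")
        if rule.get("LocalAddr") == "ALL" and rule.get("RemoteAddr") == "ALL":
            findings.append(f"{name}: matches all local and remote addresses; narrow before production")
        findings += [f"{name}: {p} is enabled (legacy protocol)" for p in ("SSLv2", "SSLv3") if p in s["protocols"]]
    return findings

if __name__ == "__main__":
    print("\n".join(check_policy(parse_policy(SAMPLE_POLICY))))
```

To review the file that was transferred to the LPAR, read its contents into parse_policy in place of SAMPLE_POLICY; the findings list is then what to compare against the traffic descriptors and security level defined in the Configuration Assistant before refreshing PAGENT.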