Using AT-TLS for encrypted communications
ATTLS=Y
Using AT-TLS requires the configuration of z/OS® Communications Server and policy agent rules to enable TLS protection of inbound connections to the ADFzCC server and of the subsequent data flows between the client and server. Your security administrator or system programmer can create this configuration in accordance with your installation standards and ensure that the z/OS® Communications Server policy agent is running to provide AT-TLS services.
- Change the z/OS® Communications Server profile TCPCONFIG statement to activate the AT-TLS function. Optionally, also change the profile AUTOLOG statement to start the policy agent (PAGENT) automatically; the policy agent must be running for AT-TLS rules to take effect. For example:

    TCPCONFIG TTLS            ; Required for AT-TLS
    AUTOLOG
      PAGENT                  ; POLICY AGENT, required for AT-TLS
    ENDAUTOLOG
- Create the z/OS® Communications Server policy agent (PAGENT) configuration to establish AT-TLS rules for inbound connections to the ADFzCC server. For example:

    TTLSRule rule_ADFzCC
    {
      LocalPortRange 2800
      Direction Inbound
      TTLSGroupActionRef grp_ADFzCC
      TTLSEnvironmentActionRef env_ADFzCC
    }
    TTLSGroupAction grp_ADFzCC
    {
      TTLSEnabled On
    }
    TTLSEnvironmentAction env_ADFzCC
    {
      HandshakeRole Server
      TTLSKeyRingParms
      {
        Keyring ADFzCC.KEYRING
      }
      TTLSEnvironmentAdvancedParms
      {
        TLSv1.3 On
        HandshakeTimeout 30
        ApplicationControlled On
      }
      TTLSCipherParms
      {
        V3CipherSuites4Char 13021301
      }
      TTLSSignatureParms
      {
        ServerKeyShareGroups 00230024002500290030
      }
      TTLSGskAdvancedParms
      {
        GSK_SESSION_TICKET_SERVER_ENABLE Off
      }
    }
Note: The ApplicationControlled parameter must be On for the ADFzCC server. In addition, the SSL_REQUIRED configuration parameter must be set to a valid protocol value, and the protocol chosen must match a protocol that is enabled in the TTLSEnvironmentAdvancedParms statement of the AT-TLS rule. For example:

    SSL_REQUIRED=TLSv1.3
A HandshakeTimeout value of 30 seconds is recommended. If using a LocalAddr* (LocalAddr, LocalAddrRef, LocalAddrSetRef, LocalAddrGroupRef) statement within your rule to limit the IP addresses on which the ADFzCC server listens, you must ensure that the statement allows connections to the server on address 127.0.0.1.
In addition, the IPVSRV STC user requires access to the key ring or keystore that is identified on the Keyring parameter of the TTLSKeyRingParms statement. For more information on the cipher specifications, key share groups, and certificate types supported for TLS 1.3, see https://www.ibm.com/docs/en/zos/2.4.0?topic=protocols-required-updates-enable-tls-v13-protocol-support.
- Start the z/OS® Communications Server policy agent. Note: If the policy agent configuration, or the key ring or keystore that it identifies, is changed, restart the policy agent so that the new rules and certificates take effect.
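The requirements in this procedure (Direction Inbound, HandshakeRole Server, ApplicationControlled On, the protocol named by SSL_REQUIRED enabled in TTLSEnvironmentAdvancedParms, HandshakeTimeout 30, a key ring named, and 127.0.0.1 still reachable if LocalAddr* is used) are easy to get wrong by hand before the policy agent is started. The script below is an added example, not part of the ADFzCC documentation or any IBM tool. It assumes the policy agent syntax shown above (statement type, name, braces, nested parameter blocks) and only understands the statements used on this page; keywords are matched case-insensitively. The cipher-suite table follows the IANA TLS 1.3 registry (AT-TLS writes suites as 4 hex digits, so 1302 is TLS_AES_256_GCM_SHA384) and the key-share table follows the IANA named-group registry read as the 4 decimal digits AT-TLS uses (so 0029 is x25519). The embedded policy is the one from this page; the weakened variant is constructed for the demonstration.

```python
"""Lint an AT-TLS policy fragment against the ADFzCC server requirements above.

Added example, not IBM code.  Minimal parser for the brace-delimited policy
agent syntax used on this page; keywords are lower-cased for lookup.
"""
import re

# IANA TLS 1.3 cipher suites, written by AT-TLS as 4 hex digits each.
TLS13_CIPHERS = {
    "1301": "TLS_AES_128_GCM_SHA256",
    "1302": "TLS_AES_256_GCM_SHA384",
    "1303": "TLS_CHACHA20_POLY1305_SHA256",
}
# IANA named groups, written by AT-TLS in ServerKeyShareGroups as 4 decimal digits each.
KEY_SHARE_GROUPS = {
    "0023": "secp256r1",
    "0024": "secp384r1",
    "0025": "secp521r1",
    "0029": "x25519",
    "0030": "x448",
}

# Policy from this page, used as the sample input.
PAGE_POLICY = """
TTLSRule rule_ADFzCC { LocalPortRange 2800 Direction Inbound
  TTLSGroupActionRef grp_ADFzCC TTLSEnvironmentActionRef env_ADFzCC }
TTLSGroupAction grp_ADFzCC { TTLSEnabled On }
TTLSEnvironmentAction env_ADFzCC {
  HandshakeRole Server
  TTLSKeyRingParms { Keyring ADFzCC.KEYRING }
  TTLSEnvironmentAdvancedParms { TLSv1.3 On HandshakeTimeout 30 ApplicationControlled On }
  TTLSCipherParms { V3CipherSuites4Char 13021301 }
  TTLSSignatureParms { ServerKeyShareGroups 00230024002500290030 }
  TTLSGskAdvancedParms { GSK_SESSION_TICKET_SERVER_ENABLE Off }
}
"""
# Constructed weakened variant: ApplicationControlled Off and a LocalAddr that excludes 127.0.0.1.
WEAK_POLICY = PAGE_POLICY.replace("ApplicationControlled On", "ApplicationControlled Off") \
                         .replace("LocalPortRange 2800", "LocalPortRange 2800 LocalAddr 10.1.2.3")


def _parse_block(tokens, i):
    """Parse tokens after an opening brace; return (dict, index after the closing brace)."""
    block = {}
    while tokens[i] != "}":
        key = tokens[i].lower()
        if tokens[i + 1] == "{":
            block[key], i = _parse_block(tokens, i + 2)   # nested parameter block
        else:
            block[key] = tokens[i + 1]                     # simple "Keyword value" pair
            i += 2
    return block, i + 1


def parse_policy(text):
    """Return {statement_type: {name: body}} for a policy agent fragment."""
    tokens = re.findall(r"[{}]|[^\s{}]+", text)
    policy, i = {}, 0
    while i < len(tokens):
        stmt_type, name = tokens[i].lower(), tokens[i + 1]
        if tokens[i + 2] != "{":
            raise ValueError(f"expected '{{' after {stmt_type} {name}")
        body, i = _parse_block(tokens, i + 3)
        policy.setdefault(stmt_type, {})[name] = body
    return policy


def _split4(value):
    return [value[k:k + 4] for k in range(0, len(value), 4)]


def decode_ciphers(env):
    """Map V3CipherSuites4Char to IANA names; unknown codes are returned as '?<code>'."""
    raw = env.get("ttlscipherparms", {}).get("v3ciphersuites4char", "")
    return [TLS13_CIPHERS.get(c, "?" + c) for c in _split4(raw)]


def decode_key_share_groups(env):
    raw = env.get("ttlssignatureparms", {}).get("serverkeysharegroups", "")
    return [KEY_SHARE_GROUPS.get(g, "?" + g) for g in _split4(raw)]


def check_adfzcc_rule(policy, rule_name, ssl_required):
    """Return findings for one TTLSRule; an empty list means it meets the requirements on this page."""
    findings = []
    rule = policy["ttlsrule"][rule_name]
    grp = policy["ttlsgroupaction"][rule["ttlsgroupactionref"]]
    env = policy["ttlsenvironmentaction"][rule["ttlsenvironmentactionref"]]
    adv = env.get("ttlsenvironmentadvancedparms", {})
    if rule.get("direction", "").lower() != "inbound":
        findings.append("Direction must be Inbound")
    if grp.get("ttlsenabled", "").lower() != "on":
        findings.append("TTLSEnabled must be On in the group action")
    if env.get("handshakerole", "").lower() != "server":
        findings.append("HandshakeRole must be Server")
    if adv.get("applicationcontrolled", "").lower() != "on":
        findings.append("ApplicationControlled must be On for the ADFzCC server")
    if adv.get(ssl_required.lower(), "").lower() != "on":   # e.g. SSL_REQUIRED=TLSv1.3 needs "TLSv1.3 On"
        findings.append(f"SSL_REQUIRED={ssl_required} but {ssl_required} is not On in TTLSEnvironmentAdvancedParms")
    if adv.get("handshaketimeout") != "30":
        findings.append("HandshakeTimeout 30 is recommended")
    if "keyring" not in env.get("ttlskeyringparms", {}):
        findings.append("TTLSKeyRingParms must name the key ring the STC user can access")
    for key, value in rule.items():   # any LocalAddr* statement must still admit 127.0.0.1
        if key.startswith("localaddr") and not (key == "localaddr" and value == "127.0.0.1"):
            findings.append(f"{key} restricts listening addresses; confirm 127.0.0.1 is allowed")
    for c in decode_ciphers(env):
        if c.startswith("?"):
            findings.append(f"unknown or non-TLS 1.3 cipher suite code {c[1:]}")
    return findings


if __name__ == "__main__":
    for label, text in (("page policy", PAGE_POLICY), ("weakened policy", WEAK_POLICY)):
        pol = parse_policy(text)
        env = pol["ttlsenvironmentaction"]["env_ADFzCC"]
        print(label, decode_ciphers(env), decode_key_share_groups(env))
        print("  findings:", check_adfzcc_rule(pol, "rule_ADFzCC", "TLSv1.3") or "none")
```

Run it against a copy of your own TTLSRule before starting PAGENT; the LocalAddr* check is deliberately conservative, since a LocalAddrRef or LocalAddrSetRef cannot be resolved from the rule alone and must be confirmed against the referenced definition.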
Clients such as z/OS® Explorer will be prompted to trust the server certificate identified in the AT-TLS configuration if the certificate is not registered as trusted.
Clients such as File Manager Remote Services might require that the remote server's CA certificate be imported as a SITE certificate on the client z/OS® system to establish trust of the remote system.