Activating TCP/IP AT-TLS
This appendix contains examples that show how we configured AT-TLS on the ITSO test system to enable us to use IBM Tivoli NetView for z/OS to access IBM zAware information using the IBM zAware API. AT-TLS is needed to provide the Secure Sockets connection for the HTTPS request API provided with the IBM zAware application.
Impact of AT-TLS on TCP/IP startup
The IBM zAware API allows you to retrieve either the current day’s interval results, in summary, or each interval’s result in detail.
Keep the following considerations in mind when you decide to activate the AT-TLS function of TCP/IP:
Server certificates from the IBM zAware application need to be imported into your security product's key store. In RACF we used the SITE virtual keyring, which allows any user ID with access to the RACF profile IRR.DIGTCERT.LISTRING to use the IBM zAware certificate to connect to the IBM zAware API.
When AT-TLS is activated, it will not allow connections to the TCP/IP stack until the policy for AT-TLS has been loaded. This can impact your applications in the following ways:
 – It can cause message EZZ4248E TCPIP WAITING FOR PAGENT TTLS POLICY to be issued. Refer to “Common AT-TLS startup errors” in z/OS Communications Server Diagnosis Guide, GC31-8782, for more information about this topic.
 – The normal TCP/IP initialization message is no longer the one that you should use in your automation product to indicate TCP/IP is available. If you do not change the message that your automation uses to flag that TCP/IP initialization has completed, your applications that are dependent on TCP/IP will start too early, resulting in socket connection failures.
 – When AT-TLS is activated, the TCP/IP initialization complete message changes to EZZ4250I.
 – You also need to stop messages EZB6473I and EZAIN11I from being used as initialization complete messages in your automation. Under IBM Tivoli System Automation for z/OS, add a message trap in INGMSGU1 as shown in Example B-1:
Example B-1 NetView automation table statements
IF (MSGID='EZB6473I' | MSGID='EZAIN11I')
   THEN CONTINUE(N);
The Policy Agent (PAGENT) started task for TCP/IP needs to be started because it is responsible for loading the AT-TLS policy.
The started task user ID associated with the Policy Agent address space in your security tool needs READ access to profile EZB.INITSTACK.sysname.tcpname in the SERVAUTH class. This allows the Policy Agent to connect to the TCP/IP stack before the AT-TLS policy has been loaded.
If you want any of your other applications to access the stack before the AT-TLS policy has been loaded, you also need to grant them READ access to the EZB.INITSTACK.sysname.tcpname profile in the SERVAUTH class.
AT-TLS policy for IBM zAware certificate
When we created the policy for AT-TLS on the ITSO test system, we used a SITE certificate to store the IBM zAware application's certificate.
To use the SITE certificate of RACF in the AT-TLS policy, we used statements as shown in Example B-2 on page 215.
Example B-2 AT-TLS policy statement for SITE certificate use.
TTLSKeyringParms keyR~TRAINERA
{
Keyring *SITE*/*
}
Adding the IBM zAware certificate to the RACF SITE keyring
In our ITSO system, we used RACF to control access to the IBM zAware application certificate.
The IBM zAware certificate was retrieved from the server by using the export certificate feature of Mozilla Firefox. This function is accessed through the tools → options → Advanced icon → Encryption tab → View Certificates button. Locate the IBM zAware LPAR’s host name or IP address, select the certificate, and use the export button to export the certificate.
Because the IBM zAware default certificate is self-signed (implying no certificate chain), we exported it as a DER file. We then uploaded the certificate to a sequential data set on z/OS as a binary file.
After the file became available on z/OS, we imported that certificate into RACF to store in its SITE keyring using the commands shown in Example B-3.
Example B-3 RACF commands to store server certificate.
RACDCERT ADD('CERT.ZAWARE.DER.BIN') SITE WITHLABEL('zAware')
Creating the client certificate for the system
We also created a client certificate for the IBM zAware connection. Although this step might not be necessary, we show the commands needed to accomplish this in Example B-4.
Example B-4 Create client certificate in RACF.
RACDCERT SITE GENCERT WITHLABEL('IBMZAWARECLIENT') SUBJECTSDN(CN('IBM_zAware_client')) KEYUSAGE(HANDSHAKE) NOTAFTER(DATE(2017-01-01))
AT-TLS policy file details
Example B-5 contains the policy file we used in our test environment to allow a connection from z/OS to the IBM zAware API using secure sockets.
Example B-5 AT-TLS policy file.
TTLSRule Default_zAware-Requester~1
{
  LocalAddr ALL
  RemoteAddrGroupRef zAware_Servers
  LocalPortRangeRef portR1
  RemotePortRangeRef portR2
  Direction Outbound
  Priority 255
  TTLSGroupActionRef gAct1~zAware-Requester
  TTLSEnvironmentActionRef eAct1~zAware-Requester
  TTLSConnectionActionRef cAct1~zAware-Requester
}
TTLSGroupAction gAct1~zAware-Requester
{
  TTLSEnabled On
}
TTLSEnvironmentAction eAct1~zAware-Requester
{
  HandshakeRole Client
  EnvironmentUserInstance 0
  TTLSKeyringParmsRef keyR~TRAINERA
}
TTLSConnectionAction cAct1~zAware-Requester
{
  HandshakeRole Client
  TTLSCipherParmsRef cipher1~Default_Ciphers
  TTLSConnectionAdvancedParmsRef cAdv1~zAware-Requester
  CtraceClearText Off
  Trace 0
}
TTLSConnectionAdvancedParms cAdv1~zAware-Requester
{
  # Must match the WITHLABEL value of the RACF client certificate (Example B-4
  # generates it as 'IBMZAWARECLIENT'); RACF certificate labels are case-sensitive.
  CertificateLabel zawareclient
  SecondaryMap Off
}
TTLSKeyringParms keyR~TRAINERA
{
  Keyring *SITE*/*
}
TTLSCipherParms cipher1~Default_Ciphers
{
  V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_DH_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_DH_DSS_WITH_AES_256_CBC_SHA
  # The 3DES suites were accepted on the ITSO test system; they are weak by
  # current standards and the AES suites should be preferred.
  V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites TLS_DH_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  V3CipherSuites TLS_DH_DSS_WITH_AES_128_CBC_SHA
}
IpAddrGroup zAware_Servers
{
  IpAddr
  {
    Addr 9.nn.n.nnn
  }
  IpAddr
  {
    Addr 9.nn.n.nnn
  }
}
PortRange portR1
{
  Port 1024-65535
}
PortRange portR2
{
  Port 443
}
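The policy file is a set of named blocks tied together by *Ref keywords, so a reference to a block that was never defined, or a weak cipher left in the list, is easy to miss by eye. The following Python linter is an added example (not from this appendix or from IBM): it parses the Policy Agent brace layout as it appears in Example B-5 (block headers and braces on their own lines, '#' starting a comment), checks that every *Ref names a defined block, and flags 3DES and similar suites. SAMPLE_POLICY is constructed and deliberately leaves out its TTLSKeyringParms block.

```python
# Constructed sample trimmed from Example B-5; the TTLSKeyringParms block is
# deliberately omitted so the dangling-reference check has something to report.
SAMPLE_POLICY = """
TTLSRule zAware-Requester~1
{
  TTLSEnvironmentActionRef eAct1~zAware-Requester
}
TTLSEnvironmentAction eAct1~zAware-Requester
{
  HandshakeRole Client
  TTLSKeyringParmsRef keyR~TRAINERA   # no TTLSKeyringParms block defines this
  TTLSCipherParmsRef cipher1~Default_Ciphers
}
TTLSCipherParms cipher1~Default_Ciphers
{
  V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
}
"""
WEAK_MARKERS = ("3DES", "RC4", "NULL", "EXPORT")

def parse_policy(text):
    """Map (block type, name) -> [(keyword, value), ...]; nested blocks flatten into the parent."""
    blocks, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment in pagent config
        if not line:
            continue
        if line in ("{", "}"):
            depth += 1 if line == "{" else -1
        elif depth == 0:                      # "Type Name" header of a top-level block
            btype, _, name = line.partition(" ")
            current = blocks.setdefault((btype, name.strip()), [])
        else:                                 # "Keyword value" statement inside a block
            key, _, value = line.partition(" ")
            current.append((key, value.strip()))
    return blocks

def lint_policy(text):
    """Return findings: *Ref keywords that name no block, and weak V3CipherSuites entries."""
    blocks = parse_policy(text)
    defined = {name for _, name in blocks}
    findings = []
    for (btype, name), stmts in blocks.items():
        for key, value in stmts:
            if key.endswith("Ref") and value not in defined:
                findings.append(f"{btype} {name}: {key} {value} is not defined")
            if key == "V3CipherSuites" and any(m in value for m in WEAK_MARKERS):
                findings.append(f"{btype} {name}: weak cipher suite {value}")
    return findings
```

Running lint_policy over the real policy file before restarting the Policy Agent catches a mistyped *Ref name without waiting for the stack to report it.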
 
 