Overview

The BSA TCP/IP server relies on AT-TLS to secure its TCP connections from and to client partners.

AT-TLS policy is read, parsed, and installed into the TCP/IP stack by the z/OS Communications Server Policy Agent (PAGENT), which implements policy-based networking for the z/OS environment (protocols, cipher suites, etc.).

Hand-coding or z/OSMF

There are two approaches to configuring AT-TLS and Policy Agent on z/OS:

• You can use the z/OS Management Facility (z/OSMF) Configuration Assistant for z/OS Communications Server. The Configuration Assistant is a graphical user interface (GUI)-based tool that simplifies the setup, configuration, and deployment of z/OS Communications Server policy-based technologies, including AT-TLS.
• You can hand-code all of the necessary job control language (JCL), RACF directives, configuration files, and policy files. To provide the reader greater insight into the Policy Agent and AT-TLS configuration, this is the approach we follow in the remainder of this description.

Requirements (summary)

Following is a summary of the actions and definitions that are required for a complete implementation of AT-TLS between the BSA TCP/IP server and the client partner. These steps are described in more detail in the following sections.

1. Configuring Policy Agent (PAGENT) as a started task in z/OS
2. Defining the security authorization for Policy Agent
3. Defining the Policy Agent configuration files
4. Configuring AT-TLS
5. Defining the AT-TLS policy rules
6. Creating and configuring digital certificates in RACF
7. Configuring a secure connection for the TCP/IP server and the client partner