Securing TCP/IP connections with AT-TLS
Overview
The BSA TCP/IP server relies on AT-TLS (Application Transparent Transport Layer Security) to secure its TCP connections from and to client partners.
AT-TLS policy is read, parsed, and installed into the TCP/IP stack by the z/OS Communications Server Policy Agent (PAGENT),
which implements policy-based networking for z/OS. The policy determines which connections are protected and with which TLS protocol versions, cipher suites, and certificates, without any change to the application itself.
Hand-coding or z/OSMF
There are two approaches to configuring AT-TLS and Policy Agent on z/OS:
- You can use the z/OS Management Facility (z/OSMF) Configuration Assistant for z/OS Communications Server. The Configuration Assistant is a graphical user interface (GUI)-based tool that simplifies the setup, configuration, and deployment of z/OS Communications Server policy-based technologies, including AT-TLS.
- You can hand-code all of the necessary job control language (JCL), RACF directives, configuration files, and policy files. To provide the reader greater insight into the Policy Agent and AT-TLS configuration, this is the approach we follow in the remainder of this description.
Requirements (summary)
Following is a summary of the actions and definitions that are required for a complete implementation of AT-TLS between the
BSA TCP/IP server and the client partner. These steps are described in more detail in the following sections.
- Configuring Policy Agent (PAGENT) as a started task in z/OS
- Defining the security authorization for Policy Agent
- Defining the Policy Agent configuration files
- Configuring AT-TLS
- Defining the AT-TLS policy rules
- Creating and configuring digital certificates in RACF
- Configuring a secure connection for the TCP/IP server and the client partner
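The following is an added illustration of what the hand-coded artifacts from these steps look like once they fit together; it is not configuration taken from the BSA server or from this description. It assumes a stack named TCPIP, a Policy Agent image configuration file at /etc/pagent.tcpip.conf, an AT-TLS policy file at /etc/pagent.ttls.conf, a server listening on port 4000 under a job name beginning BSASRV, and a RACF keyring named BSA.KEYRING; all of these names and the port are placeholders chosen for the example.

```text
# --- TCPIP profile: AT-TLS must be enabled in the stack for PAGENT
#     to be able to install any TTLS policy (assumed stack: TCPIP)
TCPCONFIG TTLS

# --- /etc/pagent.conf (Policy Agent main configuration, assumed path)
#     Names the stack and the per-image configuration file.
TcpImage TCPIP /etc/pagent.tcpip.conf FLUSH PURGE

# --- /etc/pagent.tcpip.conf (per-image configuration, assumed path)
#     Points PAGENT at the AT-TLS policy for this stack.
TTLSConfig /etc/pagent.ttls.conf

# --- /etc/pagent.ttls.conf (AT-TLS policy, assumed path)
#     Rule: inbound connections to the server port (4000 is a placeholder)
#     from any job whose name begins with BSASRV (placeholder) are protected.
TTLSRule BSA-Server-Inbound
{
  LocalPortRange            4000
  Direction                 Inbound
  Jobname                   BSASRV*
  TTLSGroupActionRef        BSA-Group
  TTLSEnvironmentActionRef  BSA-Server-Env
}

# Group action: switch AT-TLS on for the connections the rule matches.
TTLSGroupAction BSA-Group
{
  TTLSEnabled               On
  Trace                     2
}

# Environment action: the server side of the handshake, the keyring that
# holds the server certificate (placeholder keyring name), the permitted
# protocol versions, and the permitted cipher suites.
TTLSEnvironmentAction BSA-Server-Env
{
  HandshakeRole             Server
  TTLSKeyringParms
  {
    Keyring                 BSA.KEYRING
  }
  TTLSEnvironmentAdvancedParms
  {
    SSLv2                   Off
    SSLv3                   Off
    TLSv1                   Off
    TLSv1.1                 Off
    TLSv1.2                 On
  }
  TTLSCipherParmsRef        BSA-Ciphers
}

# Cipher parms: forward-secret AEAD suites only; listed in preference order.
TTLSCipherParms BSA-Ciphers
{
  V3CipherSuites            TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
```

The rule selects connections by port, direction, and job name and binds them to a group action (is AT-TLS on at all) and an environment action (how the handshake is done); the environment action references the RACF keyring created in the certificate step and the cipher list. If the client partner must present a certificate, HandshakeRole ServerWithClientAuth replaces Server and the partner's CA certificate is connected to the same keyring. After the files are in place, PAGENT is refreshed (for example, with MODIFY PAGENT,REFRESH) and the resulting policy can be inspected with pasearch -t before the server is exercised.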