Securing TCP/IP connections with AT-TLS

Overview

The BSA TCP/IP server relies on AT-TLS to secure its TCP connections from and to client partners.

AT-TLS policy is read, parsed, and installed into the TCP/IP stack by the z/OS Communications Server Policy Agent (PAGENT), which implements policy-based networking for the z/OS environment. The policy specifies, among other things, which connections are to be protected and with which protocol versions and cipher suites.

Hand-coding or z/OSMF

There are two approaches to configuring AT-TLS and Policy Agent on z/OS:

  • You can use the z/OS Management Facility (z/OSMF) Configuration Assistant for z/OS Communications Server. The Configuration Assistant is a graphical user interface (GUI)-based tool that simplifies the setup, configuration, and deployment of z/OS Communications Server policy-based technologies, including AT-TLS.
  • You can hand-code all of the necessary job control language (JCL), RACF directives, configuration files, and policy files. To provide the reader greater insight into the Policy Agent and AT-TLS configuration, this is the approach we follow in the remainder of this description.

Requirements (summary)

Following is a summary of the actions and definitions that are required for a complete implementation of AT-TLS between the BSA TCP/IP server and the client partner. These steps are described in more detail in the following sections.

  1. Configuring Policy Agent (PAGENT) as a started task in z/OS
  2. Defining the security authorization for Policy Agent
  3. Defining the Policy Agent configuration files
  4. Configuring AT-TLS
  5. Defining the AT-TLS policy rules
  6. Creating and configuring digital certificates in RACF
  7. Configuring a secure connection for the TCP/IP server and the client partner
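To give a concrete picture of what steps 4 and 5 produce when hand-coded, the following is an added example of a minimal AT-TLS policy file for the Policy Agent, not a configuration file taken from the BSA product or from this description. The job name, port, keyring name and the BSA-prefixed object names are assumed placeholders; the statement and parameter names are the standard AT-TLS policy keywords.

```text
# Inbound rule: protect connections that client partners open to the
# BSA server listening port (port 4500 and job name BSASRV* are assumed).
TTLSRule                          BSAServerInbound
{
  LocalPortRange                  4500
  Direction                       Inbound
  Jobname                         BSASRV*
  TTLSGroupActionRef              BSAGroupAction
  TTLSEnvironmentActionRef        BSAServerEnv
}

# Group action: switches AT-TLS on for the rule. Trace 2 logs errors only.
TTLSGroupAction                   BSAGroupAction
{
  TTLSEnabled                     On
  Trace                           2
}

# Environment action: the BSA server is the TLS server and requires a
# client certificate from the partner (step 6 creates the keyring in RACF).
TTLSEnvironmentAction             BSAServerEnv
{
  HandshakeRole                   ServerWithClientAuth
  TTLSKeyringParmsRef             BSAKeyring
  TTLSCipherParmsRef              BSACiphers
  TTLSEnvironmentAdvancedParmsRef BSAAdvanced
}

# SAF keyring in the form userid/ringname (assumed names).
TTLSKeyringParms                  BSAKeyring
{
  Keyring                         BSASRV/BSA.TCPIP.RING
}

# Only AEAD cipher suites; order expresses server preference.
TTLSCipherParms                   BSACiphers
{
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  V3CipherSuites                  TLS_RSA_WITH_AES_128_GCM_SHA256
}

# Disable SSLv2/SSLv3/TLS 1.0/1.1; require a valid, signed client certificate.
TTLSEnvironmentAdvancedParms      BSAAdvanced
{
  SSLv2                           Off
  SSLv3                           Off
  TLSv1                           Off
  TLSv1.1                         Off
  TLSv1.2                         On
  ClientAuthType                  Required
}
```

The file is referenced from the Policy Agent configuration (step 3) with a TTLSConfig statement, and the Policy Agent reports parse errors for any rule whose referenced actions are missing, so after editing the policy check the PAGENT log before assuming the rule is active.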