Configuring AT-TLS

Overview

AT-TLS support can be enabled by specifying the TTLS parameter on the TCPCONFIG statement in the TCP/IP profile dataset.

Recommended alternative: You can also activate/deactivate AT-TLS support dynamically.

Dynamic activation/deactivation

The BSA.SAMPLIB includes sample members for the dynamic activation/deactivation of TTLS.

Activating TTLS

Member TTLSON is used for activating TTLS. This member contains the following:

TCPCONFIG TTLS

To activate TTLS, enter the following operator command on the console:

V TCPIP,tcpname,O,DSN=BSA.SAMPLIB(TTLSON)

Deactivating TTLS

Member TTLSOFF is used for deactivating TTLS. This member contains the following:

TCPCONFIG NOTTLS

To deactivate TTLS, enter the following operator command on the console:

V TCPIP,tcpname,O,DSN=BSA.SAMPLIB(TTLSOFF)

Sample commands

You can find sample commands in member TTLSCMD in the BSA.SAMPLIB.

RACF definitions for AT-TLS initialization

When AT-TLS is started during TCP/IP stack initialization, there might be a delay between the time that the stack comes up and the time that Policy Agent successfully installs policy information into the stack. This leaves a window during which connections that are intended to be protected by AT-TLS can be established without that protection. Additional RACF definitions for AT-TLS initialization can be used to prevent access from the network before Policy Agent has been properly started and activated.

With an appropriate RACF profile in place, you can control which applications are allowed to establish TCP connections before Policy Agent is started. Give READ access to this profile to all tasks that need access to TCP/IP before Policy Agent is started and has completed its initialization. All other applications are forced to wait until Policy Agent has initialized and its policies have been installed into the stack before connections are enabled.

Initialization access control for AT-TLS:

RDEFINE SERVAUTH EZB.INITSTACK.sysname.TCPIP UACC(NONE)
PERMIT EZB.INITSTACK.sysname.TCPIP CLASS(SERVAUTH) -
ID(OMVSKERN) ACCESS(READ)
PERMIT EZB.INITSTACK.sysname.TCPIP CLASS(SERVAUTH) -
ID(PAGENT) ACCESS(READ)
PERMIT EZB.INITSTACK.sysname.TCPIP CLASS(SERVAUTH) -
ID(SYSLOGD) ACCESS(READ)
SETROPTS GENERIC(SERVAUTH) REFRESH
SETROPTS RACLIST(SERVAUTH) REFRESH

A sample job can be found in member TTLSRAC in the BSA.SAMPLIB.

Tip: This type of profile is normally defined with UACC=NONE. To avoid locking yourself out of your z/OS system, we recommend that you define the profile with UACC=READ instead, and then exclude the individual tasks that have to wait for AT-TLS by permitting their user IDs with ACCESS(NONE). For more information, see z/OS V2R1 Communications Server: IP Configuration Reference.
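The inverted pattern described in the tip, written out as a batch job. This is an added example and not the TTLSRAC member of BSA.SAMPLIB; the job card accounting field, sysname, and the user ID APPSRV (an application that must wait for Policy Agent) are placeholders.

```jcl
//TTLSRAC2 JOB (ACCT),'ATTLS INITSTACK',CLASS=A,MSGCLASS=X
//* Added example, not the BSA.SAMPLIB TTLSRAC member.
//* The INITSTACK profile is defined with UACC(READ), so no task is
//* locked out of TCP/IP by default. Only the application that must
//* wait for AT-TLS policy is denied with ACCESS(NONE).
//* Placeholders: sysname = system name, APPSRV = hypothetical user ID
//* of the application that must not connect before Policy Agent is up.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE SERVAUTH EZB.INITSTACK.sysname.TCPIP UACC(READ)
  PERMIT EZB.INITSTACK.sysname.TCPIP CLASS(SERVAUTH) -
    ID(APPSRV) ACCESS(NONE)
  SETROPTS GENERIC(SERVAUTH) REFRESH
  SETROPTS RACLIST(SERVAUTH) REFRESH
/*
```

The ACCESS(NONE) entry applies to the user ID under which the application's address space runs, so repeat the PERMIT for each user ID that must be held back. Verify the result with RLIST SERVAUTH EZB.INITSTACK.sysname.TCPIP AUTHUSER before relying on it.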

Starting/Stopping PAGENT

Use the z/OS START command to start Policy Agent as a started task, for example:

S PAGENT

To shut down PAGENT normally, use the z/OS STOP command, for example:

P PAGENT