Defining the AT-TLS policy rules

Overview

An AT-TLS policy configuration file contains AT-TLS rules that identify specific types of TCP traffic, together with the type of TLS/SSL protection to be applied to the matching connections. The policy can be stored either in a z/OS data set or in a z/OS UNIX file.

Sample configuration for BSA TCP/IP server

In our example, we use a z/OS data set member. The following sample describes AT-TLS policy parameters that are intended exclusively for use with the BSA TCP/IP server with TLS/SSL support. You can find this sample in member TTLSCONF of the library BSA.SAMPLIB.

Important:

  • Parameter names and values are case-sensitive.
  • Line numbering must be turned off when editing this member.
  • The member must be edited with codepage 1047.
  • BSA TCP/IP server ports must be defined with ApplicationControlled On.

###################################################################
#                BSA TCP/IP Server AT-TLS Support                 #
###################################################################
# Common Production Group that all Rules use
TTLSGroupAction BSA_Secure_GroupAct
{
  TTLSEnabled On
  Trace 15
}
###################################################################
#                                                                 #
#       BSA Specific Rules and Actions for BETA WebEnabler        #
#                                                                 #
###################################################################
TTLSRule BSA_Secure_Server_BWE_64193
{
  LocalPortRange 64193
  #Jobname BETA02X
  Direction Inbound
  TTLSGroupActionRef BSA_Secure_GroupAct
  TTLSEnvironmentActionRef BSA_Secure_Server_Env
}

TTLSRule BSA_Secure_Server_BWE_64293
{
  LocalPortRange 64293
  #Jobname BETA02X
  Direction Inbound
  TTLSGroupActionRef BSA_Secure_GroupAct
  TTLSEnvironmentActionRef BSA_Secure_Server_Auth_Env
}

# Environment Shared by all secure BSA server connections.
TTLSEnvironmentAction BSA_Secure_Server_Env
{
  HandshakeRole Server
  TTLSKeyRingParms
  {
    Keyring B02COMMON
  }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled On      # required
    HandshakeTimeout 10
    CertificateLabel B02-PROD-CERT
    SecondaryMap On               # include data connections
    SSLV2 Off                     # Allow SSLv2 connections   (Default is Off)
    SSLV3 Off                     # Allow SSLv3 connections   (Default is On)
    TLSV1 Off                     # Allow TLSv1 connections   (Default is On)
    TLSV1.1 Off                   # Allow TLSv1.1 connections (Default is On)
    TLSV1.2 On                    # Allow TLSv1.2 connections (Default is Off)
  }
}

# Environment Shared by all secure BSA server Clientauth connections.
TTLSEnvironmentAction BSA_Secure_Server_Auth_Env
{
  HandshakeRole ServerWithClientAuth
  TTLSKeyRingParms
  {
    Keyring B02COMMON
  }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled On      # required
    HandshakeTimeout 10
    CertificateLabel B02-PROD-CERT
    SecondaryMap On               # include data connections
    SSLV2 Off                     # Allow SSLv2 connections   (Default is Off)
    SSLV3 Off                     # Allow SSLv3 connections   (Default is On)
    TLSV1 Off                     # Allow TLSv1 connections   (Default is On)
    TLSV1.1 Off                   # Allow TLSv1.1 connections (Default is On)
    TLSV1.2 On                    # Allow TLSv1.2 connections (Default is Off)
  }
}

# Set of TLS Ciphers with Encryption
TTLSCipherParms RequireEncryption
{
  V3CIPHERSUITES TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  V3CIPHERSUITES TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  V3CIPHERSUITES TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  V3CIPHERSUITES TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  V3CIPHERSUITES TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  V3CIPHERSUITES TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  V3CIPHERSUITES TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
  V3CIPHERSUITES TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
  V3CIPHERSUITES TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  V3CIPHERSUITES TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  V3CIPHERSUITES TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  V3CIPHERSUITES TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  V3CIPHERSUITES TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  V3CIPHERSUITES TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  V3CIPHERSUITES TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  V3CIPHERSUITES TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CIPHERSUITES TLS_RSA_WITH_AES_128_CBC_SHA256
  V3CIPHERSUITES TLS_RSA_WITH_AES_256_CBC_SHA256
  V3CIPHERSUITES TLS_RSA_WITH_AES_128_GCM_SHA256
  V3CIPHERSUITES TLS_RSA_WITH_AES_256_GCM_SHA384
}

Note: Specify Direction Outbound if the z/OS client is to open a TLS connection to the Unix/Windows server, as in the following example:

# Host Client to PC Server (with server handshake on the host side)
TTLSRule BSA_Secure_client_SPC
{
  RemotePortRange 63192
  Direction Outbound
  TTLSGroupActionRef BSA_Secure_GroupAct
  TTLSEnvironmentActionRef BSA_Secure_Client_SPC_Env
}
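Because parameter names and values are case-sensitive and a rule only takes effect when every TTLSGroupActionRef and TTLSEnvironmentActionRef resolves to a defined action, it pays to check a policy member before activating it. The following Python script is an added example, not part of BSA.SAMPLIB or of z/OS Communications Server: it parses the brace-delimited policy syntax used in the sample above and in the outbound-rule example, and reports rule references that point at actions the file does not define, environment actions whose TTLSEnvironmentAdvancedParms do not set ApplicationControlled On or do not explicitly switch SSLV2, SSLV3, TLSV1 and TLSV1.1 Off, and TTLSCipherParms sets that no TTLSCipherParmsRef picks up. The embedded SAMPLE_POLICY is a constructed cut-down of the sample, not the shipped member; it keeps two properties of the page's text on purpose: the client rule refers to BSA_Secure_Client_SPC_Env, which the page does not define, and the RequireEncryption cipher set is declared without any TTLSCipherParmsRef. BLOCK_KEYWORDS lists only the subset of AT-TLS block statements this checker understands.

```python
# Added example (not BSA or IBM code): lint an AT-TLS policy member before activating it.
import re

BLOCK_KEYWORDS = {"TTLSRule", "TTLSGroupAction", "TTLSEnvironmentAction", "TTLSConnectionAction",
                  "TTLSKeyRingParms", "TTLSCipherParms", "TTLSEnvironmentAdvancedParms",
                  "TTLSConnectionAdvancedParms"}       # block statements this checker knows
LEGACY_PROTOCOLS = ("SSLV2", "SSLV3", "TLSV1", "TLSV1.1")  # a hardened environment sets each Off

SAMPLE_POLICY = """\
# Constructed cut-down of the page's TTLSCONF layout, not the shipped member.
TTLSGroupAction BSA_Secure_GroupAct { TTLSEnabled On }
TTLSRule BSA_Secure_Server_BWE_64193 {
  LocalPortRange 64193
  Direction Inbound
  TTLSGroupActionRef BSA_Secure_GroupAct
  TTLSEnvironmentActionRef BSA_Secure_Server_Env
}
TTLSRule BSA_Secure_client_SPC {
  RemotePortRange 63192
  Direction Outbound
  TTLSGroupActionRef BSA_Secure_GroupAct
  TTLSEnvironmentActionRef BSA_Secure_Client_SPC_Env   # defined nowhere in this file
}
TTLSEnvironmentAction BSA_Secure_Server_Env {
  HandshakeRole Server
  TTLSKeyRingParms { Keyring B02COMMON }
  TTLSEnvironmentAdvancedParms {
    ApplicationControlled On
    SSLV2 Off
    SSLV3 Off
    TLSV1 Off
    TLSV1.1 Off
    TLSV1.2 On
  }
}
TTLSCipherParms RequireEncryption { V3CIPHERSUITES TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 }
"""

class Block:
    def __init__(self, kind, name=""):   # params: keyword -> list of values (keywords may repeat)
        self.kind, self.name, self.params, self.children = kind, name, {}, []

def parse_policy(text):
    """Build a Block tree. '#' starts a comment; a block statement is followed by '{'."""
    stack, pending = [Block("ROOT")], None       # pending: block statement awaiting its '{'
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        while line:
            if line[0] == "{":
                if pending is None:
                    raise ValueError(f"line {lineno}: '{{' without a block statement")
                block, pending = Block(*pending), None
                stack[-1].children.append(block)
                stack.append(block)
                line = line[1:].lstrip()
            elif line[0] == "}":
                if len(stack) == 1:
                    raise ValueError(f"line {lineno}: unmatched '}}'")
                stack.pop()
                line = line[1:].lstrip()
            else:
                stmt = re.match(r"[^{}]+", line).group(0)  # statement runs to a brace or end of line
                line = line[len(stmt):].lstrip()
                keyword, value = (stmt.strip().split(None, 1) + [""])[:2]
                if keyword in BLOCK_KEYWORDS:
                    pending = (keyword, value)               # value is the block name, if any
                else:
                    stack[-1].params.setdefault(keyword, []).append(value)
    if pending is not None or len(stack) != 1:
        raise ValueError("policy ends inside an unterminated block")
    return stack[0]

def audit_policy(text):
    """Return a list of findings; an empty list means the policy passed the checks."""
    root, findings, referenced = parse_policy(text), [], set()
    defined = {(b.kind, b.name): b for b in root.children if b.name}

    def check_ref(block, ref_keyword, target_kind):
        for name in block.params.get(ref_keyword, []):
            referenced.add((target_kind, name))
            if (target_kind, name) not in defined:
                findings.append(f"{block.kind} {block.name}: {ref_keyword} {name} is not defined")

    for block in root.children:
        if block.kind == "TTLSRule":
            check_ref(block, "TTLSGroupActionRef", "TTLSGroupAction")
            check_ref(block, "TTLSEnvironmentActionRef", "TTLSEnvironmentAction")
        elif block.kind == "TTLSEnvironmentAction":
            check_ref(block, "TTLSCipherParmsRef", "TTLSCipherParms")
            params = next((c.params for c in block.children if c.kind == "TTLSEnvironmentAdvancedParms"), {})
            if params.get("ApplicationControlled", [""])[-1] != "On":   # case-sensitive: "on" is not On
                findings.append(f"TTLSEnvironmentAction {block.name}: ApplicationControlled is not On")
            for proto in LEGACY_PROTOCOLS:
                if params.get(proto, [""])[-1] != "Off":
                    findings.append(f"TTLSEnvironmentAction {block.name}: {proto} is not explicitly Off")
    for kind, name in defined:
        if kind == "TTLSCipherParms" and (kind, name) not in referenced:
            findings.append(f"TTLSCipherParms {name} is defined but never referenced")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_policy(SAMPLE_POLICY) or ["no findings"]))
```

Run against a workstation copy of the member (replace SAMPLE_POLICY with the file contents) before issuing the update command. On the constructed sample the script reports exactly two findings: the unresolved BSA_Secure_Client_SPC_Env reference and the unreferenced RequireEncryption cipher set. A protocol that is simply not mentioned is reported as "not explicitly Off" rather than assumed safe, because the effective value then depends on the stack default, and a lower-case `on` is reported as not On, matching the case-sensitivity note above.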

Activating AT-TLS policies

You can activate changed AT-TLS policies dynamically, without restarting the policy agent, with the following operator command:

F PAGENT,UPDATE

Alternatively, stop and then restart the PAGENT started task.

Verifying active policies

You can verify the active policies from the z/OS UNIX shell (OMVS) with the following command:

pasearch -t

Under TSO/ISPF, you can use the following commands for verification:

NETSTAT TTLS

NETSTAT TTLS CO number DETAIL

where number is the connection number obtained from the pasearch command.