Follow these steps to configure AT-TLS rules for inbound and outbound connections so that communication between the CAE Agent and the CAE Server is protected by TLS.
Before you begin
Ensure that the following prerequisites are met:
- You must define policy statements in the TCPPARMS member of every LPAR on which the CAE Agent is supposed to run.
- You must generate the keyring manually to define keyringCaeAgentInboundRule.
The following notation is used in the examples below:
- $AGENT_KEYRING_INBOUND is the inbound keyring name in the format {keyring_owner}/{inbound_keyring_name}
- $AGENT_KEYRING_OUTBOUND is the outbound keyring name in the format {keyring_owner}/{outbound_keyring_name}
- $CAE_SERVER_ADDRESS is the IP address of the CAE Server
- $CAE_AGENT_LISTENER_PORTS is the value of the LISTENER_PORTS parameter specified in the CAE Agent CQMCPRMS member
- $CAE_AGENT_JOB_NAME is the name of the CAE Agent started task
Procedure
- Define inbound rules in TCPPARMS to handle incoming connections between the CAE Agent and the CAE Server. For example:
# ----------------INBOUND RULES----------------
TTLSRule CaeAgentInboundRule
{
LocalAddr ALL
RemoteAddr $CAE_SERVER_ADDRESS
LocalPortRange $CAE_AGENT_LISTENER_PORTS
Jobname $CAE_AGENT_JOB_NAME
Direction Inbound
TTLSGroupActionRef groupCaeAgentInboundRule
TTLSEnvironmentActionRef envCaeAgentInboundRule
TTLSConnectionActionRef connectionCaeAgentInboundRule
}
TTLSGroupAction groupCaeAgentInboundRule
{
TTLSEnabled On
}
TTLSEnvironmentAction envCaeAgentInboundRule
{
HandshakeRole Server
TTLSEnvironmentAdvancedParmsRef envAdvancedCaeAgentInboundRule
TTLSKeyringParmsRef keyringCaeAgentInboundRule
}
TTLSKeyringParms keyringCaeAgentInboundRule
{
Keyring $AGENT_KEYRING_INBOUND
}
TTLSEnvironmentAdvancedParms envAdvancedCaeAgentInboundRule
{
ApplicationControlled Off
SSLv2 Off
SSLv3 Off
TLSv1 Off
TLSv1.1 Off
TLSv1.2 On
}
TTLSConnectionAction connectionCaeAgentInboundRule
{
HandshakeRole Server
TTLSCipherParmsRef cipherCaeAgentInboundRule
TTLSConnectionAdvancedParmsRef connAdvancedCaeAgentInboundRule
CtraceClearText Off
}
TTLSConnectionAdvancedParms connAdvancedCaeAgentInboundRule
{
ApplicationControlled Off
SecondaryMap Off
}
TTLSCipherParms cipherCaeAgentInboundRule
{
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}
- Issue the following TSO command to verify that the inbound keyring exists on the LPAR and contains the proper certificate alias, where keyring_owner_ID is the keyring owner:
TSO RACDCERT LISTRING(*) ID(keyring_owner_ID)
- Define outbound rules in TCPPARMS to handle outgoing connections between the CAE Agent and the CAE Server. For example:
# ----------------OUTBOUND RULES----------------
TTLSRule CaeAgentOutboundRule
{
LocalAddr ALL
RemoteAddr $CAE_SERVER_ADDRESS
Jobname $CAE_AGENT_JOB_NAME
Direction Outbound
TTLSGroupActionRef groupCaeAgentOutboundRule
TTLSEnvironmentActionRef envCaeAgentOutboundRule
TTLSConnectionActionRef connectionCaeAgentOutboundRule
}
TTLSGroupAction groupCaeAgentOutboundRule
{
TTLSEnabled On
}
TTLSEnvironmentAction envCaeAgentOutboundRule
{
HandshakeRole Client
TTLSEnvironmentAdvancedParmsRef envAdvancedCaeAgentOutboundRule
TTLSKeyringParmsRef keyringCaeAgentOutboundRule
}
TTLSKeyringParms keyringCaeAgentOutboundRule
{
Keyring $AGENT_KEYRING_OUTBOUND
}
TTLSEnvironmentAdvancedParms envAdvancedCaeAgentOutboundRule
{
ClientAuthType Required
ApplicationControlled Off
SSLv2 Off
SSLv3 Off
TLSv1 Off
TLSv1.1 Off
TLSv1.2 On
}
TTLSConnectionAction connectionCaeAgentOutboundRule
{
HandshakeRole Client
TTLSCipherParmsRef cipherCaeAgentOutboundRule
TTLSConnectionAdvancedParmsRef connAdvancedCaeAgentOutboundRule
CtraceClearText Off
}
TTLSConnectionAdvancedParms connAdvancedCaeAgentOutboundRule
{
ApplicationControlled Off
SecondaryMap Off
HandshakeTimeout 120
}
TTLSCipherParms cipherCaeAgentOutboundRule
{
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}
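Before activating a policy like the two rule sets above, it is worth checking mechanically that every *Ref resolves to a defined statement, that the legacy protocols are explicitly Off, that only the ECDHE/GCM suites listed on this page are offered, and that the HandshakeRole matches the rule's Direction. The following validator is an added example and not part of the CAE documentation or product; the policy text it parses is a constructed, compacted copy of the inbound rule with three planted defects, and the statement names, addresses and ports in it are assumptions.

```python
import re

# Constructed sample shaped like the page's inbound rule, written compactly (the tokenizer
# ignores line layout). Planted defects: TLSv1.1 left On, a CBC suite added, and the
# TTLSKeyringParms statement that keyringCaeAgentInboundRule should resolve to is missing.
SAMPLE_POLICY = """
TTLSRule CaeAgentInboundRule { LocalAddr ALL RemoteAddr 10.1.2.3 LocalPortRange 5050
  Jobname CQMCAEAG Direction Inbound TTLSGroupActionRef groupCaeAgentInboundRule
  TTLSEnvironmentActionRef envCaeAgentInboundRule
  TTLSConnectionActionRef connectionCaeAgentInboundRule }
TTLSGroupAction groupCaeAgentInboundRule { TTLSEnabled On }
TTLSEnvironmentAction envCaeAgentInboundRule { HandshakeRole Server
  TTLSEnvironmentAdvancedParmsRef envAdvancedCaeAgentInboundRule
  TTLSKeyringParmsRef keyringCaeAgentInboundRule }
TTLSEnvironmentAdvancedParms envAdvancedCaeAgentInboundRule { ApplicationControlled Off
  SSLv2 Off SSLv3 Off TLSv1 Off TLSv1.1 On TLSv1.2 On }
TTLSConnectionAction connectionCaeAgentInboundRule { HandshakeRole Server
  TTLSCipherParmsRef cipherCaeAgentInboundRule CtraceClearText Off }
TTLSCipherParms cipherCaeAgentInboundRule { V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA }
"""
ALLOWED_SUITES = {"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

def parse(text):  # -> {(statement_type, name): {keyword: [values]}}
    toks = re.findall(r"[{}]|[^\s{}]+", re.sub(r"#.*", "", text))  # drop comments, tokenize
    stmts, i = {}, 0
    while i < len(toks):
        kind, name, body = toks[i], toks[i + 1], {}
        i += 3                                  # past statement type, name and opening brace
        while toks[i] != "}":
            body.setdefault(toks[i], []).append(toks[i + 1]); i += 2
        stmts[(kind, name)] = body; i += 1
    return stmts

def audit(text):  # report deviations from the hardening the inbound/outbound rules rely on
    stmts, findings = parse(text), []
    for (kind, name), body in stmts.items():
        for key, vals in body.items():          # every *Ref must resolve to a defined statement
            if key.endswith("Ref") and (key[:-3], vals[0]) not in stmts:
                findings.append(f"{kind} {name}: {key} points to undefined {vals[0]}")
        if kind == "TTLSEnvironmentAdvancedParms":  # defaults vary by release, so require explicit Off
            findings += [f"{name}: {p} not explicitly Off" for p in LEGACY_PROTOCOLS if body.get(p, [""])[0] != "Off"]
        if kind == "TTLSCipherParms":
            findings += [f"{name}: non-ECDHE/GCM suite {s}" for s in body.get("V3CipherSuites", []) if s not in ALLOWED_SUITES]
        if kind == "TTLSRule":                  # inbound side acts as TLS Server, outbound as Client
            want = "Server" if body["Direction"][0] == "Inbound" else "Client"
            for ref in ("TTLSEnvironmentActionRef", "TTLSConnectionActionRef"):
                if stmts.get((ref[:-3], body.get(ref, [""])[0]), {}).get("HandshakeRole", [want])[0] != want:
                    findings.append(f"{name}: {ref[:-3]} HandshakeRole should be {want}")
            if want == "Server" and "LocalPortRange" not in body:
                findings.append(f"{name}: inbound rule lacks LocalPortRange")
    return findings
```

Running audit(SAMPLE_POLICY) reports the three planted defects; run it over the real TCPPARMS member before the pagent refresh.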
- After you have modified TCPPARMS, you must refresh the pagent in SDSF by issuing the following command: