Configuring AT-TLS policy statements

Follow these steps to configure AT-TLS rules for the inbound and outbound connections between the CAE Agent and the CAE Server so that all traffic between them is protected by TLS.

Before you begin

Ensure that the following prerequisites are met:

  • You must define the policy statements in the TCPPARMS member of every LPAR where the CAE Agent runs.
  • You must generate the keyring manually before you define keyringCaeAgentInboundRule; the policy only references the keyring, it does not create it.

The following notation is used in the examples below:

  • $AGENT_KEYRING_INBOUND is the inbound keyring name in the format {keyring_owner}/{inbound_keyring_name}
  • $AGENT_KEYRING_OUTBOUND is the outbound keyring name in the format {keyring_owner}/{outbound_keyring_name}
  • $CAE_SERVER_ADDRESS is the IP address of the CAE Server
  • $CAE_AGENT_LISTENER_PORTS is the value of the LISTENER_PORTS parameter specified in the CAE Agent CQMCPRMS member
  • $CAE_AGENT_JOB_NAME is the name of the CAE Agent started task

Procedure

  1. Define the inbound rules in TCPPARMS to handle the connections that the CAE Agent accepts from the CAE Server on its listener ports. The rule is pinned to the CAE Server address, the agent listener ports and the agent job name, so no other traffic on the stack is affected; the environment allows only TLSv1.2 with ECDHE AES-GCM cipher suites.

    For example:

    # ----------------INBOUND RULES----------------
    
    TTLSRule CaeAgentInboundRule
    {
        LocalAddr ALL
        RemoteAddr $CAE_SERVER_ADDRESS
        LocalPortRange $CAE_AGENT_LISTENER_PORTS
        Jobname $CAE_AGENT_JOB_NAME
        Direction Inbound
        TTLSGroupActionRef groupCaeAgentInboundRule
        TTLSEnvironmentActionRef envCaeAgentInboundRule
        TTLSConnectionActionRef connectionCaeAgentInboundRule
    }
    TTLSGroupAction groupCaeAgentInboundRule
    {
        TTLSEnabled On
    }
    TTLSEnvironmentAction envCaeAgentInboundRule
    {
        HandshakeRole Server
        TTLSEnvironmentAdvancedParmsRef envAdvancedCaeAgentInboundRule
        TTLSKeyringParmsRef keyringCaeAgentInboundRule
    }
    TTLSKeyringParms keyringCaeAgentInboundRule
    {
        Keyring $AGENT_KEYRING_INBOUND
    }
    TTLSEnvironmentAdvancedParms envAdvancedCaeAgentInboundRule
    {
        ApplicationControlled Off
        SSLv2 Off
        SSLv3 Off
        TLSv1 Off
        TLSv1.1 Off
        TLSv1.2 On
    }
    TTLSConnectionAction connectionCaeAgentInboundRule
    {
        HandshakeRole Server
        TTLSCipherParmsRef cipherCaeAgentInboundRule
        TTLSConnectionAdvancedParmsRef connAdvancedCaeAgentInboundRule
        CtraceClearText Off
    }
    TTLSConnectionAdvancedParms connAdvancedCaeAgentInboundRule
    {
        ApplicationControlled Off
        SecondaryMap Off
    }
    TTLSCipherParms cipherCaeAgentInboundRule
    {
        V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    }
  2. Issue the following TSO command to verify that the inbound keyring exists on the LPAR and that the expected certificate alias is connected to it, where keyring_owner_ID is the owner of the keyring. The command lists every keyring owned by that ID; confirm that the ring named in $AGENT_KEYRING_INBOUND appears in the output with its certificate.
    TSO RACDCERT LISTRING(*) ID(keyring_owner_ID)
  3. Define the outbound rules in TCPPARMS to handle the connections that the CAE Agent initiates to the CAE Server. Here the agent is the TLS client, so $AGENT_KEYRING_OUTBOUND must contain the client certificate that the agent presents and the CA certificate that signed the CAE Server certificate. Note that ClientAuthType is only honored when HandshakeRole is ServerWithClientAuth; in this client-role environment it has no effect, and whether the server demands a client certificate is decided on the CAE Server side.
    For example:
    # ----------------OUTBOUND RULES----------------
    
    TTLSRule CaeAgentOutboundRule
    {
        LocalAddr ALL
        RemoteAddr $CAE_SERVER_ADDRESS
        Jobname $CAE_AGENT_JOB_NAME
        Direction Outbound
        TTLSGroupActionRef groupCaeAgentOutboundRule
        TTLSEnvironmentActionRef envCaeAgentOutboundRule
        TTLSConnectionActionRef connectionCaeAgentOutboundRule
    }
    TTLSGroupAction groupCaeAgentOutboundRule
    {
        TTLSEnabled On
    }
    TTLSEnvironmentAction envCaeAgentOutboundRule
    {
        HandshakeRole Client
        TTLSEnvironmentAdvancedParmsRef envAdvancedCaeAgentOutboundRule
        TTLSKeyringParmsRef keyringCaeAgentOutboundRule
    }
    TTLSKeyringParms keyringCaeAgentOutboundRule
    {
        Keyring $AGENT_KEYRING_OUTBOUND
    }
    TTLSEnvironmentAdvancedParms envAdvancedCaeAgentOutboundRule
    {
        ClientAuthType Required
        ApplicationControlled Off
        SSLv2 Off
        SSLv3 Off
        TLSv1 Off
        TLSv1.1 Off
        TLSv1.2 On
    }
    TTLSConnectionAction connectionCaeAgentOutboundRule
    {
        HandshakeRole Client
        TTLSCipherParmsRef cipherCaeAgentOutboundRule
        TTLSConnectionAdvancedParmsRef connAdvancedCaeAgentOutboundRule
        CtraceClearText Off
    }
    TTLSConnectionAdvancedParms connAdvancedCaeAgentOutboundRule
    {
        ApplicationControlled Off
        SecondaryMap Off
        HandshakeTimeout 120
    }
    TTLSCipherParms cipherCaeAgentOutboundRule
    {
        V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    }
  4. After you have modified TCPPARMS, refresh the Policy Agent (PAGENT) so that it reads the new policy, for example by issuing the following command from SDSF, and then check the PAGENT job log for policy parsing errors:
    /F PAGENT,REFRESH
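As a check on the finished policy before refreshing PAGENT, the following Python script lints AT-TLS stanzas for the settings the rules above depend on: a Jobname filter, a RemoteAddr pinned to the CAE Server, every legacy protocol explicitly Off, TLSv1.2 On, and only the ECDHE AES-GCM cipher suites. It is an added example, not code from the CAE documentation or the product, and it runs over a constructed sample in which the placeholders are filled with made-up values (10.1.2.3, port 5010, job name CQMCAE). The parser covers only the stanza layout used on this page (one keyword and value per line, braces on their own lines).

```python
"""Lint AT-TLS policy stanzas for the hardening this page relies on.

Added example (not from the page or IBM). The parser understands the
layout used in the page's examples: 'TTLSxxx name', '{', one keyword
and value per line, '}', with '#' comments.
"""
import re
from typing import Dict, List, Tuple

# The four suites allowed by the page's TTLSCipherParms stanzas.
ALLOWED_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
# Versions the page switches Off explicitly; AT-TLS defaults vary by
# release, so "not set" is flagged as well as "On".
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

STANZA_RE = re.compile(r"^(TTLS\w+)\s+(\S+)$")

Stanzas = Dict[Tuple[str, str], List[Tuple[str, str]]]


def parse_policy(text: str) -> Stanzas:
    """Return {(stanza_type, name): [(keyword, value), ...]}, keeping
    repeated keywords such as V3CipherSuites in order."""
    stanzas: Stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = STANZA_RE.match(line)
        if current is None and header:
            current = (header.group(1), header.group(2))
            stanzas[current] = []
        elif line == "{":
            continue
        elif line == "}":
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            stanzas[current].append((parts[0], parts[1] if len(parts) > 1 else ""))
    return stanzas


def lint_policy(text: str) -> List[str]:
    """Return one finding per setting that departs from the page's hardened rules."""
    findings: List[str] = []
    for (kind, name), params in parse_policy(text).items():
        values: Dict[str, List[str]] = {}
        for key, value in params:
            values.setdefault(key, []).append(value)
        if kind == "TTLSRule":
            if "Jobname" not in values:
                findings.append(f"{name}: no Jobname filter, rule matches any job on the stack")
            if values.get("RemoteAddr", ["ALL"])[0].upper() == "ALL":
                findings.append(f"{name}: RemoteAddr ALL, not pinned to the CAE Server address")
        elif kind == "TTLSEnvironmentAdvancedParms":
            for proto in LEGACY_PROTOCOLS:
                setting = values.get(proto, [None])[0]
                if setting is None:
                    findings.append(f"{name}: {proto} not set, release default applies")
                elif setting.lower() != "off":
                    findings.append(f"{name}: {proto} {setting}")
            if values.get("TLSv1.2", [""])[0].lower() != "on":
                findings.append(f"{name}: TLSv1.2 is not On")
        elif kind == "TTLSCipherParms":
            for suite in values.get("V3CipherSuites", []):
                if suite not in ALLOWED_SUITES:
                    findings.append(f"{name}: cipher suite {suite} is outside the allowed set")
    return findings


# Constructed sample: the page's inbound rule with made-up values.
HARDENED_POLICY = """
# ----------------INBOUND RULES (constructed)----------------
TTLSRule CaeAgentInboundRule
{
    LocalAddr ALL
    RemoteAddr 10.1.2.3
    LocalPortRange 5010
    Jobname CQMCAE
    Direction Inbound
    TTLSGroupActionRef groupCaeAgentInboundRule
}
TTLSEnvironmentAdvancedParms envAdvancedCaeAgentInboundRule
{
    ApplicationControlled Off
    SSLv2 Off
    SSLv3 Off
    TLSv1 Off
    TLSv1.1 Off
    TLSv1.2 On
}
TTLSCipherParms cipherCaeAgentInboundRule
{
    V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}
"""

# Constructed weak variant: no job filter, any peer, TLSv1 on, CBC suite.
WEAK_POLICY = """
TTLSRule CaeAgentInboundRule
{
    LocalAddr ALL
    RemoteAddr ALL
    LocalPortRange 5010
    Direction Inbound
}
TTLSEnvironmentAdvancedParms envAdvancedCaeAgentInboundRule
{
    SSLv3 Off
    TLSv1 On
    TLSv1.2 On
}
TTLSCipherParms cipherCaeAgentInboundRule
{
    V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
    V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}
"""

if __name__ == "__main__":
    for label, policy in (("hardened", HARDENED_POLICY), ("weak", WEAK_POLICY)):
        print(f"{label}: {len(lint_policy(policy))} finding(s)")
        for finding in lint_policy(policy):
            print("  " + finding)
```

Run it against your real TCPPARMS member by reading the file into lint_policy; the hardened sample produces no findings, the weak one six (missing Jobname, RemoteAddr ALL, SSLv2 and TLSv1.1 unset, TLSv1 On, and the CBC suite).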