You can enable the SMTP server and client to use Transport
Layer Security (TLS) to provide private, authenticated communication
over the Internet.
Procedure
Perform the following steps to use Transport Layer Security (TLS) for CSSMTP:
- Set up secure mail using the YES option on the Secure parameter of the TargetServer statement, the STARTTLS command in the JES batch job, or both.
- See the following simple example to get started with TLS. For more information about TLS, see Application Transparent Transport Layer Security data protection.
In this example, assume the following characteristics:
- The mail contains sensitive data, and you want CSSMTP to communicate with only TLS protocols.
- CSSMTP is using port 25 to communicate with a target server on another platform.
- There is only one TCP/IP stack over which mail is delivered, referred to as the client stack.
To set up TLS for this sample environment, take the following actions:
- Create the key ring. The client key ring needs the root certificate used to sign the server certificates. For a TLS/SSL primer and some step-by-step examples, see TLS/SSL security. For more information about managing key rings and certificates with RACF® and the RACDCERT command, see z/OS Security Server RACF Security Administrator's Guide. For more information about managing key rings and certificates with gskkyman, see z/OS Cryptographic Services System SSL Programming.
- Configure CSSMTP to require secure communication. Configure the TargetServer statement with the Secure parameter set to YES, which specifies that TLS protocols are always required. For information about the TargetServer statement, see z/OS Communications Server: IP Configuration Reference.
- Configure the client system to use TLS with AT-TLS policies as follows:
  - Specify TTLS on the TCPCONFIG statement in the TCP/IP profile for the client stack. For information about the TCPCONFIG statement, see z/OS Communications Server: IP Configuration Reference.
  - Block the ability of applications to open a socket before AT-TLS policy is loaded into the TCP/IP stack by setting up EZB.INITSTACK.sysname.tcpname for the client stack.
  - Create a main Policy Agent configuration file containing a TcpImage statement for the client stack, and create a TcpImage policy file for the client stack. For more information about AT-TLS policy statements, see z/OS Communications Server: IP Configuration Reference.
  - Add a TTLSConfig statement to each TcpImage policy file to identify the TTLSConfig policy file location:

        TTLSConfig clientPath

  - Add the AT-TLS policy statements to the clientPath file:

        TTLSRule CSSMTPRule
        {
          RemotePortRange 25
          Direction Outbound
          TTLSGroupActionRef CSSMTPGroup
          TTLSEnvironmentActionRef CSSMTPEnvironment
        }
        TTLSGroupAction CSSMTPGroup
        {
          TTLSEnabled On
        }
        TTLSEnvironmentAction CSSMTPEnvironment
        {
          HandshakeRole Client
          TTLSKeyRingParms
          {
            Keyring client_key_ring
          }
          TTLSEnvironmentAdvancedParms
          {
            ApplicationControlled On
          }
        }

- If the server requires an EHLO command to be sent after a successful TLS negotiation, configure TLSEhlo Yes on the Options statement in the CSSMTP configuration. For more information, see Options statement in z/OS Communications Server: IP Configuration Reference.
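As an added example (not from this page or from the z/OS documentation), the following Python check parses an AT-TLS policy fragment written in the brace syntax shown above and confirms it carries the settings this procedure calls for: an outbound rule for port 25 whose group action enables TLS and whose environment action acts as a TLS client, names a key ring, and sets ApplicationControlled On so that CSSMTP itself can start the handshake after STARTTLS. The parser assumes only the simple "Type Name { Key Value ... }" layout shown on this page, not the full Policy Agent grammar; the sample policy embedded below is the page's own policy, flattened onto a few lines.

```python
def parse_policy(text):
    """Parse 'Type Name { Key Value ... }' text into nested dicts keyed by (Type, Name) or Type."""
    tokens = text.replace("{", " { ").replace("}", " } ").split()
    stack, pend = [{}], []
    def flush():  # store a completed 'Key Value' line in the current block
        if len(pend) == 2:
            stack[-1][pend[0]] = pend[1]
            pend.clear()
    for tok in tokens:
        if tok == "{":  # pend holds the block header: 'Type Name' or just 'Type'
            key = tuple(pend) if len(pend) == 2 else pend[0]
            stack.append(stack[-1].setdefault(key, {}))
            pend.clear()
        elif tok == "}":
            flush()
            stack.pop()
        else:
            flush()
            pend.append(tok)
    flush()
    return stack[0]

def check_cssmtp_policy(text, port="25"):
    """Return findings; an empty list means the policy matches the documented setup."""
    pol = parse_policy(text)
    def named(kind):  # every 'kind Name { }' block, keyed by Name
        return {k[1]: v for k, v in pol.items() if isinstance(k, tuple) and k[0] == kind}
    rules = [r for r in named("TTLSRule").values()
             if r.get("Direction") == "Outbound" and r.get("RemotePortRange") == port]
    if not rules:
        return [f"no outbound TTLSRule for remote port {port}"]
    rule, findings = rules[0], []
    group = named("TTLSGroupAction").get(rule.get("TTLSGroupActionRef"), {})
    env = named("TTLSEnvironmentAction").get(rule.get("TTLSEnvironmentActionRef"), {})
    if group.get("TTLSEnabled") != "On":
        findings.append("TTLSGroupAction must set TTLSEnabled On")
    if env.get("HandshakeRole") != "Client":
        findings.append("TTLSEnvironmentAction must set HandshakeRole Client")
    if not env.get("TTLSKeyRingParms", {}).get("Keyring"):
        findings.append("TTLSKeyRingParms must name the client key ring")
    if env.get("TTLSEnvironmentAdvancedParms", {}).get("ApplicationControlled") != "On":
        findings.append("ApplicationControlled On lets CSSMTP start TLS itself after STARTTLS")
    return findings

# Constructed sample: the policy from this page, flattened onto a few lines.
POLICY = """TTLSRule CSSMTPRule { RemotePortRange 25 Direction Outbound
 TTLSGroupActionRef CSSMTPGroup TTLSEnvironmentActionRef CSSMTPEnvironment }
TTLSGroupAction CSSMTPGroup { TTLSEnabled On }
TTLSEnvironmentAction CSSMTPEnvironment { HandshakeRole Client
 TTLSKeyRingParms { Keyring client_key_ring } TTLSEnvironmentAdvancedParms { ApplicationControlled On } }"""
```

Running check_cssmtp_policy(POLICY) returns an empty list; removing the TTLSKeyRingParms block or changing ApplicationControlled to Off yields one finding each.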
Results
You know you are done when CSSMTP can successfully deliver mail to a target server using secure connections. If SECURE YES is configured and CSSMTP is able to successfully negotiate and establish a TLS session, the following message is displayed:

    EZD1821I csproc ABLE TO USE TARGET SERVER ipAddress

Restriction: To use the STARTTLS command with a target server, the target server must have a certificate that can be validated by the AT-TLS component of z/OS Communications Server as configured by Policy Agent. This certificate can be a self-signed certificate or a certificate that can be validated by a known certificate authority. If the certificate of the server cannot be validated, secure communication with the server fails and mail that requires security cannot be delivered to that server.