Establishing secure communications with the Distributed Data Server

You must ensure that communication between the Resource Monitoring tasks and the RMF Distributed Data Server (DDS) is protected. For secure network communications, it is recommended that you use Application Transparent Transport Layer Security (AT-TLS) and Transport Layer Security (TLS), as described in this topic.

Before you begin

  • Ensure that the basic setup for the Policy Agent is done. For information about policy-based networking and data protection, see z/OS Communications Server: IP Configuration Reference.
  • Ensure that the basic certificate setup is done. For information about handling certificates for secure communications with RACF, see the topic on digital certificates in z/OS Security Server RACF Security Administrator's Guide.
  • To enable AT-TLS and encrypted communication with the DDS server, you require the following:
    • A valid server certificate and the associated server private key.
    • A certificate from a trusted Certificate Authority (CA).

    The example in Figure 1 uses a key ring that is named DDSServerKeyring to store these credentials. This key ring must be accessible by the DDS server user ID (for example, GPMSERVE), and the server certificate must be the default certificate.

  • To enable secure communication for the Resource Monitoring tasks, you require a certificate from a trusted Certificate Authority (CA). The example in Figure 2 uses a key ring that is named DDSClientKeyring to store the credentials. This key ring must be accessible to the z/OSMF server user ID, which is IZUSVR, by default.

For a sample setup that uses RACF, see "RACF and digital certificates" in z/OS Security Server RACF Security Administrator's Guide, specifically "Implementation Scenario 1" and "Implementation Scenario 2."

For other security management products, refer to your product documentation for information about handling certificates and key rings.

About this task

Use this procedure to establish secure communications between the Resource Monitoring tasks and the RMF DDS server.

Procedure

  1. Configure the Policy Agent to allow secure communication with the RMF DDS server.
    1. Enable the Policy Agent for AT-TLS.
      For information about AT-TLS data protection, see z/OS Communications Server: IP Configuration Reference.
    2. Configure the Policy Agent to specify secure communication for the DDS server.
      For a sample policy, see Figure 1.
      Figure 1. Sample Policy Agent policy for simple SSL protection for the RMF DDS server
      
        #-------------------------------------------------#
        #  TYQ: Created this file for the pagent          #
        #  configuration for the GPMSERVE server.         #
        #-------------------------------------------------#

        # RMF DDS SERVER RULE
        TTLSRule                          DDSServerRule
        {
          LocalPortRange                  8803
          Jobname                         GPMSERVE
          Direction                       Inbound
          TTLSGroupActionRef              DDSServerGRP
          TTLSEnvironmentActionRef        DDSServerENV
        }
        TTLSGroupAction                   DDSServerGRP
        {
          TTLSEnabled                     On
          Trace                           255
        }
        TTLSEnvironmentAction             DDSServerENV
        {
          HandshakeRole                   Server
          TTLSKeyringParms
          {
            Keyring                       DDSServerKeyring
          }
        }
      
    The AT-TLS policy properties in this example are set as follows:
    TTLSRule: Jobname
    Identifies the program for which this rule applies, which is the RMF DDS server in this example (GPMSERVE). If you set the property as shown, the policy affects GPMSERVE only; it does not affect other programs that are running on the system.
    TTLSRule: LocalPortRange
    Specifies the port of the RMF DDS server, which is 8803 in the example.
    TTLSRule: Direction
    Specifies the direction from which a connection must be initiated for this rule's action to be performed. In the example, Inbound is specified, which means that the rule applies to connection requests that arrive inbound to the local host. An application must issue an accept request to service this connection.
    TTLSKeyringParms: Keyring
    Specifies the key ring name of the RMF DDS server, which is DDSServerKeyring in the example. The key ring must contain the server certificate, the associated server private key, and the certificate of the trusted Certificate Authority (CA).
  2. Configure the Policy Agent to require secure communication for the Resource Monitoring tasks.
    For an example of a Policy Agent policy for setting up simple TLS protection for the Resource Monitoring tasks, see Figure 2.
    Figure 2. Sample Policy Agent policy for simple TLS protection for the Resource Monitoring tasks
    
      #-------------------------------------------------#

      TTLSRule                          DDSClientRule
      {
        RemotePortRange                 8803
        RemoteAddr                      9.xxx.yyy.zzz
        Direction                       Outbound
        TTLSGroupActionRef              DDSClientGroup
        TTLSEnvironmentActionRef        DDSClientEnvironment
      }
      TTLSGroupAction                   DDSClientGroup
      {
        TTLSEnabled                     On
        Trace                           255
      }
      TTLSEnvironmentAction             DDSClientEnvironment
      {
        TTLSKeyringParms
        {
          Keyring                       DDSClientKeyring
        }
        HandshakeRole                   Client
        Trace                           255
      }
    
    The AT-TLS policy properties in this example are set as follows:
    TTLSRule: RemoteAddr
    Specifies the remote IP address for which this rule's action is to be performed. In the example, it is the IP address of the remote RMF DDS server (9.xxx.yyy.zzz).
    TTLSRule: RemotePortRange
    Specifies the port of the remote RMF DDS server, which is 8803 in the example.
    TTLSRule: Direction
    Specifies the direction from which a connection must be initiated for this rule's action to be performed. In the example, Outbound is specified, which means that the rule applies to connection requests that are issued from the local host. An application must issue a connect request to initiate a connection.
    TTLSKeyringParms: Keyring
    Specifies the key ring name of the z/OSMF server, which is DDSClientKeyring in the example. The key ring must contain the certificate of the trusted Certificate Authority (CA) that issued the server certificate.
  3. Refresh the Policy Agent to have your changes take effect.
    You can use the following command to refresh the Policy Agent:
    F PAGENT,REFRESH
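Before refreshing the Policy Agent, it is worth checking that the server-side and client-side rules are consistent with each other and with the DDS port. The following Python script is an added example and is not part of this topic or of any IBM product; it parses the brace-structured Policy Agent syntax used in Figure 1 and Figure 2 into nested dictionaries, resolves the TTLSGroupActionRef and TTLSEnvironmentActionRef references, and reports settings that would leave the DDS connection unprotected (TTLSEnabled not On, no Keyring, a HandshakeRole that does not match the rule's Direction, a port that is not the DDS port) as well as settings to revisit after setup (Trace 255, the full AT-TLS trace level, in both figures). It assumes that Policy Agent keywords are not case-sensitive, which is why it lower-cases them and treats the TTLSKeyringParms and TTLSKeyRingParms spellings in the two figures as the same statement. The embedded policies are the two figures from this page with whitespace condensed, plus a constructed weak variant of Figure 1. It checks only the properties discussed in this topic and does not replace the Policy Agent's own parsing of the policy file.

```python
"""Consistency checks for AT-TLS policy fragments such as Figure 1 and Figure 2 (added example)."""
import re
from typing import Dict, List, Tuple


def _tokenize(text: str) -> List[str]:
    """Split policy text into tokens; '#' starts a comment that runs to end of line."""
    tokens: List[str] = []
    for line in text.splitlines():
        tokens.extend(re.findall(r"[{}]|[^\s{}]+", line.split("#", 1)[0]))
    return tokens


def _parse_body(tokens: List[str], i: int) -> Tuple[dict, int]:
    """Parse 'key value' pairs and inline sub-statements up to the matching '}'.
    Keys are lower-cased (assumption: Policy Agent keywords are case-insensitive); values keep their case."""
    body: dict = {}
    while i < len(tokens):
        if tokens[i] == "}":
            return body, i + 1
        key, i = tokens[i].lower(), i + 1
        if i < len(tokens) and tokens[i] == "{":       # e.g. TTLSKeyringParms { Keyring ... }
            body[key], i = _parse_body(tokens, i + 1)
        else:
            body[key], i = tokens[i], i + 1
    raise ValueError("unterminated block")


def parse_attls(text: str) -> Dict[str, Dict[str, dict]]:
    """Return {statement_type: {name: body}} for each top-level 'Type Name { ... }' statement."""
    tokens, policy, i = _tokenize(text), {}, 0
    while i < len(tokens):
        stmt_type, name = tokens[i].lower(), tokens[i + 1]
        if tokens[i + 2] != "{":
            raise ValueError(f"expected '{{' after {tokens[i]} {name}")
        body, i = _parse_body(tokens, i + 3)
        policy.setdefault(stmt_type, {})[name] = body
    return policy


def check_policy(text: str, dds_port: str) -> List[str]:
    """Resolve each TTLSRule's group and environment actions and return a list of findings."""
    policy, findings = parse_attls(text), []
    for name, rule in policy.get("ttlsrule", {}).items():
        group = policy.get("ttlsgroupaction", {}).get(rule.get("ttlsgroupactionref"), {})
        env = policy.get("ttlsenvironmentaction", {}).get(rule.get("ttlsenvironmentactionref"), {})
        if group.get("ttlsenabled", "").lower() != "on":
            findings.append(f"{name}: TTLSEnabled is not On, so matching traffic is not protected")
        role = env.get("handshakerole", "").lower()
        direction = rule.get("direction", "").lower()
        expected = {"server": "inbound", "client": "outbound"}.get(role)
        if expected is None:
            findings.append(f"{name}: HandshakeRole must be Server or Client")
        elif direction != expected:
            findings.append(f"{name}: HandshakeRole {role} expects Direction {expected}, found {direction or 'none'}")
        port_key = "localportrange" if role == "server" else "remoteportrange"
        if rule.get(port_key) != dds_port:
            findings.append(f"{name}: {port_key} does not select DDS port {dds_port}")
        if not env.get("ttlskeyringparms", {}).get("keyring"):
            findings.append(f"{name}: no Keyring under TTLSKeyringParms, the handshake has no certificates to use")
        if role == "client" and "remoteaddr" not in rule:
            findings.append(f"{name}: client rule has no RemoteAddr, it applies to every outbound connection to port {dds_port}")
        for label, stmt in (("group", group), ("environment", env)):
            if stmt.get("trace") == "255":
                findings.append(f"{name}: {label} action sets Trace 255 (full AT-TLS tracing); reduce it once the setup is verified")
    return findings


# Figure 1 from this page (server side), whitespace condensed
FIGURE1_SERVER_POLICY = """
TTLSRule DDSServerRule {
  LocalPortRange 8803   Jobname GPMSERVE   Direction Inbound
  TTLSGroupActionRef DDSServerGRP   TTLSEnvironmentActionRef DDSServerENV
}
TTLSGroupAction DDSServerGRP { TTLSEnabled On   Trace 255 }
TTLSEnvironmentAction DDSServerENV {
  HandshakeRole Server
  TTLSKeyringParms { Keyring DDSServerKeyring }
}
"""
# Figure 2 from this page (client side); the RemoteAddr placeholder is the page's own
FIGURE2_CLIENT_POLICY = """
TTLSRule DDSClientRule {
  RemotePortRange 8803   RemoteAddr 9.xxx.yyy.zzz   Direction Outbound
  TTLSGroupActionRef DDSClientGroup   TTLSEnvironmentActionRef DDSClientEnvironment
}
TTLSGroupAction DDSClientGroup { TTLSEnabled On   Trace 255 }
TTLSEnvironmentAction DDSClientEnvironment {
  TTLSKeyRingParms { Keyring DDSClientKeyring }
  HandshakeRole Client   Trace 255
}
"""
# Constructed weak variant of Figure 1: TLS switched off, wrong direction, key ring missing
WEAK_SERVER_POLICY = (FIGURE1_SERVER_POLICY
                      .replace("TTLSEnabled On", "TTLSEnabled Off")
                      .replace("Direction Inbound", "Direction Outbound")
                      .replace("Keyring DDSServerKeyring", ""))

if __name__ == "__main__":
    for label, text in (("Figure 1", FIGURE1_SERVER_POLICY), ("Figure 2", FIGURE2_CLIENT_POLICY),
                        ("weak", WEAK_SERVER_POLICY)):
        print(label, check_policy(text, "8803") or ["no findings"])
```

Run against the two figures, the only findings are the Trace 255 notes; the weak variant reports the disabled TLS, the Direction/HandshakeRole mismatch and the missing Keyring. Paste your own policy file into the script in place of the embedded text to check it before issuing F PAGENT,REFRESH.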