Setting up AT-TLS

RACF® relies on AT-TLS to authenticate the RRSF nodes, and refuses to accept an RRSF connection unless AT-TLS has performed client authentication. Therefore, you must enable and configure AT-TLS. For information about how to do this, see the chapter on Application Transparent Transport Layer Security data protection in z/OS Communications Server: IP Configuration Guide. The security administrator must implement a trust policy based on digital certificates for AT-TLS. For more information, see Implementing an RRSF trust policy in z/OS Security Server RACF Security Administrator's Guide. If you store the private keys for any of these digital certificates in the ICSF PKDS, you must ensure that ICSF starts during IPL before the Policy Agent, or RRSF connections fail.

z/OS® Communications Server provides a sample AT-TLS policy in its IBM® Configuration Assistant for z/OS Communications Server. RACF also ships sample policy statements in the IRRSRRSF member of SYS1.SAMPLIB, which you can edit into your existing policy.

The sample AT-TLS policy that z/OS Communications Server provides is shipped disabled; you must enable it and install it into Policy Agent. Some important features of the policy are:
  • It consists of two rules: one to describe RRSF as the server role, and one for the client role.
  • The server role specifies a client authentication level of Required. You can specify SAFCheck instead, for increased security, but you only need to do this if you do not have full control over your signing certificate. (For more information about specifying SAFCheck, see z/OS Security Server RACF Security Administrator's Guide.) Do not specify Full. For a description of the different levels of client authentication, see the section on TLS/SSL security in z/OS Communications Server: IP Configuration Guide.
  • It specifies the AES 256 cipher TLS_RSA_WITH_AES_256_CBC_SHA, which means 256-bit AES encryption with SHA-1 message authentication and RSA key exchange. RACF does not enforce a minimum encryption level.
  • It specifies the default listening port number 18136 for the server. The policy matches a client connection from any ephemeral port number.
  • It specifies a default key ring name of tlsKeyring. There is no dependency on this name within RRSF, so you can specify a different name that is not used by another application. (The sample policy that RACF provides in the IRRSRRSF member of SYS1.SAMPLIB specifies IRR.RRSF.KEYRING.)
  • It specifies only the level TLS V1.1 of the TLS protocol.
  • It specifies no application control.
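The features listed above, expressed as an AT-TLS policy fragment. This is added here as an illustration; it is neither the z/OS Communications Server sample nor the IRRSRRSF member, and the RRSF_* rule, action and parameter-block names are assumed.

```text
# Added illustration, not the shipped sample; the RRSF_* names are assumed.
TTLSRule                        RRSF_Server
{
  LocalPortRange                18136        # default RRSF listening port
  Direction                     Inbound      # any ephemeral remote port matches
  TTLSGroupActionRef            RRSF_Group
  TTLSEnvironmentActionRef      RRSF_ServerEnv
}
TTLSRule                        RRSF_Client
{
  RemotePortRange               18136        # the partner node's listener
  Direction                     Outbound
  TTLSGroupActionRef            RRSF_Group
  TTLSEnvironmentActionRef      RRSF_ClientEnv
}
TTLSGroupAction                 RRSF_Group
{
  TTLSEnabled                   On           # the shipped sample has this Off
}
TTLSEnvironmentAction           RRSF_ServerEnv
{
  HandshakeRole                 ServerWithClientAuth   # required for ClientAuthType to apply
  TTLSKeyringParmsRef           RRSF_Keyring
  TTLSCipherParmsRef            RRSF_Ciphers
  TTLSEnvironmentAdvancedParmsRef RRSF_AdvParms
}
TTLSEnvironmentAction           RRSF_ClientEnv
{
  HandshakeRole                 Client
  TTLSKeyringParmsRef           RRSF_Keyring
  TTLSCipherParmsRef            RRSF_Ciphers
  TTLSEnvironmentAdvancedParmsRef RRSF_AdvParms
}
TTLSEnvironmentAdvancedParms    RRSF_AdvParms
{
  ClientAuthType                Required     # SAFCheck is stricter; never Full (server role only)
  ApplicationControlled         Off          # no application control
  SSLv3                         Off
  TLSv1                         Off
  TLSv1.1                       On           # only TLS V1.1 is enabled
}
TTLSKeyringParms                RRSF_Keyring
{
  Keyring                       tlsKeyring   # any name not used by another application
}
TTLSCipherParms                 RRSF_Ciphers
{
  V3CipherSuites                TLS_RSA_WITH_AES_256_CBC_SHA   # AES-256-CBC, SHA-1, RSA
}
```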

You can use the NETSTAT command provided by z/OS Communications Server to display detailed information about the AT-TLS policy covering an RRSF connection. For more information, see z/OS Security Server RACF Diagnosis Guide and z/OS Communications Server: IP System Administrator's Commands.