Implementing AT-TLS Policy for Mainframe Connector Communication

For detailed information about implementing AT-TLS policy, refer to the Application Transparent Transport Layer Security Data Protection chapter of z/OS Communications Server IP Configuration Guide.

The required policy attributes for AT-TLS policies are listed below. You can copy and paste them into your AT-TLS policy.

  • Local Port Range – ports defined in Mainframe Connector as non-secured

  • Direction = Inbound

  • TLS Enabled = On

  • TLS v1.1 = On

  • TLS v1.2 = On

  • Handshake Role = Server (one-way TLS) or ServerWithClientAuth (mutual TLS)

  • Client Authorization Type = PassThru (one-way TLS) or Required (mutual TLS)

  • Application Controlled = Off

  • Secondary Map = Off

  • The name (label) of the certificate created for the secured communication, and the name of the key ring to which the server certificate and the CA certificate are connected, must also be specified.

Note
TCPIP must be granted permission to access the key ring to which the Mainframe Connector certificate and the CA certificate are connected.

Sample File for AT-TLS Policy

# RULE for RACF Connector CTSGATE

####################################################

TTLSRule CTSGATE
{
LocalAddr ALL
RemoteAddr ALL
LocalPortRange 2470-2471
Direction Inbound
Priority 255 # highest priority rule
Userid CTSGATE
TTLSGroupActionRef GrpAct_CTSGATE
TTLSEnvironmentActionRef GrpEnv_CTSGATE
TTLSConnectionActionRef GrpCon_CTSGATE
}
TTLSGroupAction GrpAct_CTSGATE
{
TTLSEnabled On
Trace 7
HandshakeRole Server
}
TTLSEnvironmentAction GrpEnv_CTSGATE
{
Trace 7
HandshakeRole Server
EnvironmentUserInstance 0
TTLSKeyringParmsRef PrmKeyRing_CTSGATE
TTLSEnvironmentAdvancedParmsRef PrmEnvAdv_CTSGATE
}
TTLSEnvironmentAdvancedParms PrmEnvAdv_CTSGATE
{
TLSv1.1 On
TLSv1.2 On
# Comment out the following line if enabling mutual TLS
ClientAuthType PassThru
# To enable mutual TLS between Mainframe and Connector Gateway, use the following line instead
#ClientAuthType Required
}
TTLSConnectionAction GrpCon_CTSGATE
{
# Comment out the following line if enabling mutual TLS
HandshakeRole Server
# To enable mutual TLS between Mainframe and Connector Gateway, use the following line instead
#HandshakeRole ServerWithClientAuth
TTLSCipherParmsRef PrmCipher_CTSGATE
TTLSConnectionAdvancedParmsRef PrmConAdv_CTSGATE
CtraceClearText Off
Trace 7
}
TTLSConnectionAdvancedParms PrmConAdv_CTSGATE
{
ApplicationControlled Off
CertificateLabel CTSGATE
SecondaryMap Off
}
TTLSCipherParms PrmCipher_CTSGATE
{
# Supported cipher suites - a wide list is shown here and should be reduced to what is actually needed;
# the NULL, EXPORT, DES and 3DES suites provide no or weak protection and should be removed in production
V3CipherSuites TLS_DH_DSS_WITH_DES_CBC_SHA
V3CipherSuites TLS_DH_RSA_WITH_DES_CBC_SHA
V3CipherSuites TLS_NULL_WITH_NULL_NULL
V3CipherSuites TLS_RSA_WITH_NULL_MD5
V3CipherSuites TLS_RSA_WITH_NULL_SHA
V3CipherSuites TLS_RSA_EXPORT_WITH_RC4_40_MD5
V3CipherSuites TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
V3CipherSuites TLS_RSA_WITH_DES_CBC_SHA
V3CipherSuites TLS_DHE_DSS_WITH_DES_CBC_SHA
V3CipherSuites TLS_DHE_RSA_WITH_DES_CBC_SHA
V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256
V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_DHE_DSS_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_RSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
V3CipherSuites TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
V3CipherSuites TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
V3CipherSuites TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
}
TTLSKeyringParms PrmKeyRing_CTSGATE
{
Keyring CTSRING
}
  • Relevant entities – TCPIP and PAGENT

  • In TCPIP, AT-TLS must be active

  • PAGENT must be up

  • PAGENT requires a policy

  • Refresh definitions: after the member/file is updated, issue F PAGENT,UPDATE or F PAGENT,REFRESH

  • CTSGATE does not have to be restarted when the policy is changed

  • The CA certificate must be sent to the Connector Gateway side.

Note
The HandshakeRole ServerWithClientAuth and ClientAuthType Required attributes are commented out in the sample AT-TLS policy provided above. If you are configuring mutual TLS, remove the comment characters from those two lines and instead comment out the HandshakeRole Server and ClientAuthType PassThru lines marked in the sample; they are not needed for mutual TLS.
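As an added check that is not part of the Control-M documentation or product: the Python script below parses a policy file in the format of the sample above and reports every attribute from the list at the top of this page that is missing or set differently, a one-way/mutual TLS combination that was only half switched, and cipher suites that offer no or weak protection. The parser, the WEAK tag list and the SAMPLE policy text are assumptions made for this example; run lint_policy on your own policy member's text before issuing F PAGENT,REFRESH.

```python
# Added example, not Control-M or z/OS code: lint an AT-TLS policy against this page's attribute list.
HEADERS = {"TTLSRule", "TTLSGroupAction", "TTLSEnvironmentAction", "TTLSEnvironmentAdvancedParms",
           "TTLSConnectionAction", "TTLSConnectionAdvancedParms", "TTLSCipherParms", "TTLSKeyringParms"}
WEAK = ("NULL", "EXPORT", "_DES_", "3DES", "RC4", "RC2", "_MD5")  # suites with no or weak protection

def parse_policy(text):
    """Yield (block_type, keyword, value); '#' comments, braces and blank lines are skipped."""
    block = ""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue                      # blank line, '{', '}' or a bare keyword
        if parts[0] in HEADERS:
            block = parts[0]              # e.g. "TTLSConnectionAction GrpCon_CTSGATE"
        else:
            yield block, parts[0], parts[1].strip()

def lint_policy(text):
    """Return a list of findings; an empty list means the page's attribute list is satisfied."""
    stmts, vals, out = list(parse_policy(text)), {}, []
    for _, key, value in stmts:
        vals.setdefault(key, set()).add(value)
    for key, want in (("Direction", "Inbound"), ("TTLSEnabled", "On"), ("TLSv1.2", "On"),
                      ("ApplicationControlled", "Off"), ("SecondaryMap", "Off")):
        if vals.get(key) != {want}:
            out.append(f"{key} must be {want}, found {sorted(vals.get(key, []))}")
    out += [f"{k} is missing" for k in ("LocalPortRange", "CertificateLabel", "Keyring") if k not in vals]
    # One-way vs mutual TLS: the connection action's HandshakeRole and ClientAuthType
    # must be switched together, as the note above says.
    roles = {v for b, k, v in stmts if b == "TTLSConnectionAction" and k == "HandshakeRole"}
    mutual = vals.get("ClientAuthType") == {"Required"}
    if mutual and roles != {"ServerWithClientAuth"}:
        out.append("ClientAuthType Required needs HandshakeRole ServerWithClientAuth")
    if not mutual and "ServerWithClientAuth" in roles:
        out.append("HandshakeRole ServerWithClientAuth needs ClientAuthType Required")
    out += [f"weak cipher suite {s}" for s in sorted(vals.get("V3CipherSuites", []))
            if any(tag in s for tag in WEAK)]
    return out

# Constructed policy (not the page's file): mutual TLS set in the advanced parms, connection action still one-way.
SAMPLE = "\n".join([
    "TTLSRule CTSGATE", "{", "LocalPortRange 2470-2471", "Direction Inbound", "}",
    "TTLSGroupAction GrpAct_CTSGATE", "{", "TTLSEnabled On", "}",
    "TTLSEnvironmentAdvancedParms PrmEnvAdv_CTSGATE", "{", "TLSv1.2 On", "#ClientAuthType PassThru", "ClientAuthType Required", "}",
    "TTLSConnectionAction GrpCon_CTSGATE", "{", "HandshakeRole Server", "}",
    "TTLSConnectionAdvancedParms PrmConAdv_CTSGATE", "{", "ApplicationControlled Off",
    "CertificateLabel CTSGATE", "SecondaryMap Off", "}", "TTLSKeyringParms PrmKeyRing_CTSGATE", "{",
    "Keyring CTSRING", "}", "TTLSCipherParms PrmCipher_CTSGATE", "{",
    "V3CipherSuites TLS_NULL_WITH_NULL_NULL", "V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "}"])
```

lint_policy(SAMPLE) reports the half-switched mutual TLS setting and the NULL suite; once both lines are changed together and the NULL suite is removed, it returns an empty list.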