Implementing AT-TLS Policy
For detailed information about implementing AT-TLS policy, refer to the "Application Transparent Transport Layer Security data protection" chapter of z/OS Communications Server IP Configuration Guide.
The required policy attributes for AT-TLS policy are:
- Local Port Range – ports defined in LDAP as non-secured
- Direction = Inbound
- TLS Enabled = On
- TLS v1.1 = On
- TLS v1.2 = On
- TLS v1.3 = On
- Handshake Role = Server
- Client Authorization Type = PassThru
- Application Controlled = Off
- Secondary Map = Off
- The name of the certificate created for the secured communication and the name of the key ring to which the server certificate and the CA certificate are connected must be specified.
Important
TCPIP must be granted permission to access the key ring to which the Top Secret LDAP Server certificate and the CA certificate are connected.
When generating certificates in LDAP, note that TLS v1.3 requires a minimum RSA key size of 2048 bits.
AT-TLS Policy Sample File
# RULE for LDAP GLDSRV
####################################################
TTLSRule LDAP
{
LocalAddr ALL
RemoteAddr ALL
LocalPortRange 389
Direction Inbound
Priority 255 # highest priority rule
Userid GLDSRV
TTLSGroupActionRef GrpAct_LDAP
TTLSEnvironmentActionRef GrpEnv_LDAP
TTLSConnectionActionRef GrpCon_LDAP
}
TTLSGroupAction GrpAct_LDAP
{
TTLSEnabled On
Trace 7
}
TTLSEnvironmentAction GrpEnv_LDAP
{
Trace 7
HandshakeRole Server
EnvironmentUserInstance 0
TTLSKeyringParmsRef PrmKeyRing_LDAP
TTLSEnvironmentAdvancedParmsRef PrmEnvAdv_LDAP
}
TTLSEnvironmentAdvancedParms PrmEnvAdv_LDAP
{
TLSv1.1 On
TLSv1.2 On
TLSv1.3 On
ClientAuthType PassThru
}
TTLSConnectionAction GrpCon_LDAP
{
HandshakeRole Server
TTLSCipherParmsRef PrmCipher_LDAP
TTLSConnectionAdvancedParmsRef PrmConAdv_LDAP
CtraceClearText Off
Trace 7
}
TTLSConnectionAdvancedParms PrmConAdv_LDAP
{
ApplicationControlled Off
CertificateLabel GLDSRV
SecondaryMap Off
}
TTLSCipherParms PrmCipher_LDAP
{
# supported cipher suites - we used a wide list that should be
# reduced according to specific needs
# note: the list below includes NULL, export-grade, DES, RC4 and MD5 suites,
# which give no or weak protection and are normally removed in production
V3CipherSuites TLS_DH_DSS_WITH_DES_CBC_SHA
V3CipherSuites TLS_DH_RSA_WITH_DES_CBC_SHA
V3CipherSuites TLS_NULL_WITH_NULL_NULL
V3CipherSuites TLS_RSA_WITH_NULL_MD5
V3CipherSuites TLS_RSA_WITH_NULL_SHA
V3CipherSuites TLS_RSA_EXPORT_WITH_RC4_40_MD5
V3CipherSuites TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
V3CipherSuites TLS_RSA_WITH_DES_CBC_SHA
V3CipherSuites TLS_DHE_DSS_WITH_DES_CBC_SHA
V3CipherSuites TLS_DHE_RSA_WITH_DES_CBC_SHA
V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256
V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_DHE_DSS_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_RSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
V3CipherSuites TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
V3CipherSuites TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
V3CipherSuites TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
V3CipherSuites TLS_AES_256_GCM_SHA384
V3CipherSuites TLS_AES_128_GCM_SHA256
V3CipherSuites TLS_CHACHA20_POLY1305_SHA256
}
TTLSKeyringParms PrmKeyRing_LDAP
{
Keyring GLDRING
}
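As an added example that is not part of this documentation or of the z/OS or Top Secret products, the following Python script parses an AT-TLS policy fragment in the stanza syntax shown above, verifies the attributes this chapter lists as required (TLS enabled, inbound, server handshake role, TLS v1.1 through v1.3 on, PassThru client authentication, application control and secondary map off), and reports cipher suites that offer no or weak protection so an administrator can prune the sample's wide list before deployment. The embedded policy text is a constructed, abbreviated copy of the sample file; the function names and the weak-suite markers are assumptions of this example.

```python
"""Check an AT-TLS policy fragment against the required attributes above
and flag weak cipher suites. Example code; not part of the product."""

# Constructed sample: an abbreviated copy of the AT-TLS policy sample above.
SAMPLE_POLICY = """\
# RULE for LDAP GLDSRV
TTLSRule LDAP
{
LocalPortRange 389
Direction Inbound
Priority 255 # highest priority rule
TTLSGroupActionRef GrpAct_LDAP
}
TTLSGroupAction GrpAct_LDAP
{
TTLSEnabled On
}
TTLSEnvironmentAction GrpEnv_LDAP
{
HandshakeRole Server
TTLSEnvironmentAdvancedParmsRef PrmEnvAdv_LDAP
}
TTLSEnvironmentAdvancedParms PrmEnvAdv_LDAP
{
TLSv1.1 On
TLSv1.2 On
TLSv1.3 On
ClientAuthType PassThru
}
TTLSConnectionAction GrpCon_LDAP
{
HandshakeRole Server
TTLSCipherParmsRef PrmCipher_LDAP
}
TTLSConnectionAdvancedParms PrmConAdv_LDAP
{
ApplicationControlled Off
CertificateLabel GLDSRV
SecondaryMap Off
}
TTLSCipherParms PrmCipher_LDAP
{
V3CipherSuites TLS_NULL_WITH_NULL_NULL
V3CipherSuites TLS_RSA_EXPORT_WITH_RC4_40_MD5
V3CipherSuites TLS_RSA_WITH_DES_CBC_SHA
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_AES_256_GCM_SHA384
}
"""

# Attributes the chapter requires, keyed by the stanza type that carries them.
REQUIRED = {
    "TTLSRule": {"Direction": "Inbound"},
    "TTLSGroupAction": {"TTLSEnabled": "On"},
    "TTLSEnvironmentAction": {"HandshakeRole": "Server"},
    "TTLSConnectionAction": {"HandshakeRole": "Server"},
    "TTLSEnvironmentAdvancedParms": {"TLSv1.1": "On", "TLSv1.2": "On",
                                     "TLSv1.3": "On", "ClientAuthType": "PassThru"},
    "TTLSConnectionAdvancedParms": {"ApplicationControlled": "Off",
                                    "SecondaryMap": "Off"},
}

# Suite-name fragments indicating no encryption, export-grade or obsolete algorithms
# (assumed markers for this example).
WEAK_MARKERS = ("NULL", "EXPORT", "_DES_", "3DES", "RC4", "RC2", "MD5")


def parse_policy(text):
    """Return {(stanza_type, name): {keyword: [values]}} for each 'Type Name { ... }'
    block. '#' comments are stripped; repeated keywords (V3CipherSuites) accumulate."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "{":
            continue
        if line == "}":
            current = None
            continue
        parts = line.split(None, 1)
        keyword, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if current is None:
            # Outside a block the line is a stanza header such as "TTLSRule LDAP".
            current = (keyword, value)
            stanzas[current] = {}
        else:
            stanzas[current].setdefault(keyword, []).append(value)
    return stanzas


def check_required(stanzas):
    """Return findings of the form 'Type/Name: keyword expected X, found Y'."""
    findings = []
    for (stype, name), attrs in stanzas.items():
        for keyword, expected in REQUIRED.get(stype, {}).items():
            found = attrs.get(keyword, ["<missing>"])[0]
            if found != expected:
                findings.append(f"{stype}/{name}: {keyword} expected {expected}, found {found}")
    return findings


def weak_suites(stanzas):
    """Return every V3CipherSuites value in any TTLSCipherParms stanza that matches a weak marker."""
    return [suite
            for (stype, _), attrs in stanzas.items() if stype == "TTLSCipherParms"
            for suite in attrs.get("V3CipherSuites", [])
            if any(marker in suite for marker in WEAK_MARKERS)]


if __name__ == "__main__":
    parsed = parse_policy(SAMPLE_POLICY)
    for finding in check_required(parsed):
        print("REQUIRED ATTRIBUTE:", finding)
    for suite in weak_suites(parsed):
        print("WEAK CIPHER SUITE:", suite)
```

Run against the abbreviated sample, the required-attribute check passes and the three NULL, export and DES suites are reported; point `parse_policy` at the full sample file to see how many of its entries the same markers catch. The parser deliberately handles only the one-statement-per-line form used in the sample above, which is what the check needs.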