StorageTek Tape Analytics Configuration Guide, Version 1.0.2
E28378-04


Configure AT-TLS

Activate AT-TLS

1. Activate AT-TLS with the following statement:

TCPCONFIG TTLS

This statement may be placed in the TCP OBEY file.

Configure the Policy Agent (PAGENT)

The Policy Agent address space controls which TCP/IP traffic is encrypted.

2. Create the PAGENT started-task procedure. For example:

//PAGENT PROC
//*
//PAGENT EXEC PGM=PAGENT,REGION=0K,TIME=NOLIMIT,
// PARM='POSIX(ON) ALL31(ON) ENVAR("_CEE_ENVFILE=DD:STDENV")/-d1'
//*
//STDENV DD DSN=pagentdataset,DISP=SHR
//SYSPRINT DD SYSOUT=*
//SYSOUT DD SYSOUT=*
//*
//CEEDUMP DD SYSOUT=*,DCB=(RECFM=FB,LRECL=132,BLKSIZE=132)
3. Enter the PAGENT environment variables. The pagentdataset data set contains the PAGENT environment variables.

For example:

LIBPATH=/lib:/usr/lib:/usr/lpp/ldapclient/lib:.
PAGENT_CONFIG_FILE=/etc/pagent.conf
PAGENT_LOG_FILE=/tmp/pagent.log
PAGENT_LOG_FILE_CONTROL=3000,2
_BPXK_SETIBMOPT_TRANSPORT=TCPIP
TZ=MST7MDT

In this example, /etc/pagent.conf contains the PAGENT configuration parameters.

4. Define the AT-TLS policy in the PAGENT configuration file. For example:

TTLSRule TBI-TO-ZOS
{
LocalAddr localtcpipaddress
RemoteAddr remotetcpipaddress
LocalPortRange localportrange
RemotePortRange remoteportrange
Jobname HTTPserverJobname
Direction Inbound
Priority 255
TTLSGroupActionRef gAct1~TBI_ICSF
TTLSEnvironmentActionRef eAct1~TBI_ICSF
TTLSConnectionActionRef cAct1~TBI_ICSF
}
TTLSGroupAction gAct1~TBI_ICSF
{
TTLSEnabled On
Trace 2
}
TTLSEnvironmentAction eAct1~TBI_ICSF
{
HandshakeRole Server
EnvironmentUserInstance 0
TTLSKeyringParmsRef keyR~ZOS
}
TTLSConnectionAction cAct1~TBI_ICSF
{
HandshakeRole ServerWithClientAuth
TTLSCipherParmsRef cipher1~AT-TLS__Gold
TTLSConnectionAdvancedParmsRef cAdv1~TBI_ICSF
CtraceClearText Off
Trace 2
}
TTLSConnectionAdvancedParms cAdv1~TBI_ICSF
{
ApplicationControlled Off
HandshakeTimeout 10
ResetCipherTimer 0
CertificateLabel certificatelabel
SecondaryMap Off
}
TTLSKeyringParms keyR~ZOS
{
Keyring keyringname
}
TTLSCipherParms cipher1~AT-TLS__Gold
{
V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
}

where:

localtcpipaddress - local TCP/IP address (address of the HTTP server)
remotetcpipaddress - remote TCP/IP address (address of the STA client); ALL selects all TCP/IP addresses
localportrange - local port of the HTTP server (specified in the HTTP or SMC startup)
remoteportrange - remote port range (1024-65535 for all ephemeral ports)
HTTPserverJobname - job name of the HTTP server
certificatelabel - label from the certificate definition
keyringname - name from the RACF keyring definition
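As an added example (not Oracle's code), a small Python check that parses a policy written in the simplified form shown above and reports *Ref values that do not resolve to a defined statement, plus any TTLSRule whose connection action does not use HandshakeRole ServerWithClientAuth. The one-token-per-value statement syntax, the SAMPLE text and the client-certificate check are assumptions of this example.

```python
import re

# Reference keys used in the AT-TLS policy above and the statement type each must resolve to.
REF_TYPES = {
    "TTLSGroupActionRef": "TTLSGroupAction",
    "TTLSEnvironmentActionRef": "TTLSEnvironmentAction",
    "TTLSConnectionActionRef": "TTLSConnectionAction",
    "TTLSConnectionAdvancedParmsRef": "TTLSConnectionAdvancedParms",
    "TTLSKeyringParmsRef": "TTLSKeyringParms",
    "TTLSCipherParmsRef": "TTLSCipherParms",
}
# Assumed simplified syntax: '<Type> <name> { key value key value ... }' with no nested braces.
_STMT = re.compile(r"(\w+)\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_policy(text):
    """Return {(type, name): [(key, value), ...]}; repeated keys such as V3CipherSuites are kept."""
    stmts = {}
    for typ, name, body in _STMT.findall(text):
        toks = body.split()  # values are single tokens in this syntax
        stmts[(typ, name)] = list(zip(toks[::2], toks[1::2]))
    return stmts

def check_policy(text):
    """Report dangling *Ref values and rules whose connection action does not demand a client certificate."""
    stmts = parse_policy(text)
    findings = []
    for (typ, name), pairs in stmts.items():
        for key, value in pairs:
            target = REF_TYPES.get(key)
            if target and (target, value) not in stmts:
                findings.append(f"{typ} {name}: {key} {value} is not defined")
    for name, pairs in [(n, p) for (t, n), p in stmts.items() if t == "TTLSRule"]:
        cact = dict(pairs).get("TTLSConnectionActionRef")
        role = dict(stmts.get(("TTLSConnectionAction", cact), [])).get("HandshakeRole")
        if role != "ServerWithClientAuth":
            findings.append(f"TTLSRule {name}: HandshakeRole is {role}, client certificate not required")
    return findings

# Constructed sample: a trimmed copy of the policy above, placeholder values left in.
SAMPLE = """
TTLSRule TBI-TO-ZOS { Direction Inbound TTLSGroupActionRef gAct1~TBI_ICSF
  TTLSEnvironmentActionRef eAct1~TBI_ICSF TTLSConnectionActionRef cAct1~TBI_ICSF }
TTLSGroupAction gAct1~TBI_ICSF { TTLSEnabled On }
TTLSEnvironmentAction eAct1~TBI_ICSF { HandshakeRole Server TTLSKeyringParmsRef keyR~ZOS }
TTLSConnectionAction cAct1~TBI_ICSF { HandshakeRole ServerWithClientAuth
  TTLSCipherParmsRef cipher1~AT-TLS__Gold }
TTLSKeyringParms keyR~ZOS { Keyring keyringname }
TTLSCipherParms cipher1~AT-TLS__Gold { V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA }
"""
```

Running check_policy(SAMPLE) returns an empty list; renaming a referenced statement or weakening HandshakeRole produces one finding per problem.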

Activate RACF Classes

5. Activate the required RACF classes and define their profiles. The RACF classes include:

The SERVAUTH class must be RACLISTed to prevent PORTMAP and RXSERV from abending.

SETROPTS RACLIST(SERVAUTH)
RDEFINE SERVAUTH ** UACC(ALTER) OWNER(RACFADM)
RDEFINE STARTED PAGENT*.* OWNER(RACFADM) STDATA(USER(TCPIP) GROUP(STCGROUP))
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE) OWNER(RACFADM)
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE) OWNER(RACFADM)
RDEFINE FACILITY IRR.DIGTCERT.GENCERT UACC(NONE) OWNER(RACFADM)

Note that the generic ** SERVAUTH profile with UACC(ALTER) grants every user ALTER access to any SERVAUTH resource not covered by a more specific profile. Profiles defined after the class is RACLISTed take effect only after SETROPTS RACLIST(SERVAUTH) REFRESH.

Copyright © 2012, 2013 Oracle and/or its affiliates. All rights reserved.