For AT-TLS setup you need to configure the Policy Agent, which is a component of the Communications Server.
Here's an example configuration. Use it in conjunction with the documentation "Configure and Deploy SYSVAPPS (SYSVIEW Application Server)" for SysView R17.0.

TTLSRule SYSVAPPSServerRule
{
  LocalAddr ALL
  RemoteAddr ALL
  LocalPortRange {{ port }}
  Direction Inbound
  TTLSGroupActionRef SYSVAPPSServerGroupAction
  TTLSEnvironmentActionRef SYSVAPPSServerEnvironmentAction
  TTLSConnectionActionRef SYSVAPPSServerConnectionAction
}

TTLSGroupAction SYSVAPPSServerGroupAction
{
  TTLSEnabled On
}

TTLSEnvironmentAction SYSVAPPSServerEnvironmentAction
{
  HandshakeRole ServerWithClientAuth
  EnvironmentUserInstance 0
  TTLSEnvironmentAdvancedParmsRef SYSVAPPSEnvironmentAdvancedParms
  TTLSKeyringParmsRef SYSVAPPSKeyring
}

TTLSKeyringParms SYSVAPPSKeyring
{
  Keyring {{ keyringName }}
}

TTLSEnvironmentAdvancedParms SYSVAPPSEnvironmentAdvancedParms
{
  ApplicationControlled Off
  Renegotiation Disabled
  SSLv2 Off
  SSLv3 Off
  TLSv1 Off
  TLSv1.1 Off
  TLSv1.2 On
  TLSv1.3 On
  ClientAuthType Full
}

TTLSConnectionAction SYSVAPPSServerConnectionAction
{
  HandshakeRole ServerWithClientAuth
  TTLSCipherParmsRef SYSVAPPSCipherParms
  TTLSConnectionAdvancedParmsRef SYSVAPPSConnectionAdvancedParms
}

TTLSConnectionAdvancedParms SYSVAPPSConnectionAdvancedParms
{
  ApplicationControlled Off
  ServerCertificateLabel {{ certificateLabel }}
  CertificateLabel {{ certificateLabel }}
  SecondaryMap Off
}

TTLSCipherParms SYSVAPPSCipherParms
{
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites TLS_AES_128_GCM_SHA256
  V3CipherSuites TLS_AES_256_GCM_SHA384
  V3CipherSuites TLS_CHACHA20_POLY1305_SHA256
}

Replace the following placeholders in the sample:
If you have a site-specific policy for the cipher set, use it instead of SYSVAPPSCipherParms.
SYSVAPPSCipherParms is a set of ciphers that were considered secure in July 2020.
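
The following linter is an added example, not part of the original article or of IBM or Broadcom tooling. It parses a policy written in the one-statement-per-line layout of the sample above and reports unfilled {{ }} placeholders, legacy protocol versions left On, references to undefined statements, and CBC cipher suites to check against current site policy. The function names, finding labels and the constructed SAMPLE are assumptions of this example.

```python
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_policy(text):
    """Return {(statement_type, name): [(keyword, value), ...]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # '#' starts a comment
        if line in ("", "{", "}"):
            current = None if line == "}" else current
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if current is None:                       # header line, e.g. "TTLSRule X"
            current = blocks.setdefault((key, value), [])
        else:                                     # parameter inside the braces
            current.append((key, value))
    return blocks

def lint_policy(text):
    """Return (kind, location) findings to fix or review before deployment."""
    blocks, findings = parse_policy(text), []
    for (stype, name), params in blocks.items():
        for key, value in params:
            where = f"{stype} {name}: {key} {value}"
            if "{{" in value:                     # template placeholder not filled in
                findings.append(("placeholder", where))
            if key in LEGACY and value.lower() == "on":
                findings.append(("legacy-protocol", where))
            if key == "V3CipherSuites" and "_CBC_" in value:
                findings.append(("cbc-cipher-review", where))
            # "TTLSxxxRef NAME" must resolve to a defined "TTLSxxx NAME" statement
            if key.endswith("Ref") and (key[:-3], value) not in blocks:
                findings.append(("dangling-ref", where))
    return findings

# Constructed sample with deliberate problems (not the page's policy).
SAMPLE = """TTLSRule DemoRule
{
  LocalPortRange {{ port }}
  TTLSEnvironmentActionRef DemoEnv
}
TTLSEnvironmentAdvancedParms DemoAdv
{
  TLSv1.1 On
}
TTLSCipherParms DemoCiphers
{
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
}
"""
for finding in lint_policy(SAMPLE):
    print(*finding, sep=": ")
```
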
That will configure AT-TLS on the z/OS side. For SYSVAPPS, you will need to add the attls profile to the list on the first line of the application.yml config file, so that it will look like:
spring.profiles.active: https,zos,attls