AT-TLS setup for SYSVAPPS with REST API

Article ID: 381971

Products

SYSVIEW Performance Management

Issue/Introduction

For AT-TLS setup, you need to configure the Policy Agent, which is a component of the Communications Server.
An example configuration is given under Resolution.

Use it in conjunction with the documentation:
Configure and Deploy SYSVAPPS (SYSVIEW Application Server)

Environment

SysView R17.0

 

Resolution

TTLSRule SYSVAPPSServerRule
{
  LocalAddr ALL
  RemoteAddr ALL
  LocalPortRange {{ port }}
  Direction Inbound
  TTLSGroupActionRef SYSVAPPSServerGroupAction
  TTLSEnvironmentActionRef SYSVAPPSServerEnvironmentAction
  TTLSConnectionActionRef SYSVAPPSServerConnectionAction
}
TTLSGroupAction SYSVAPPSServerGroupAction
{
  TTLSEnabled On
}
TTLSEnvironmentAction SYSVAPPSServerEnvironmentAction
{
  HandshakeRole ServerWithClientAuth
  EnvironmentUserInstance 0
  TTLSEnvironmentAdvancedParmsRef SYSVAPPSEnvironmentAdvancedParms
  TTLSKeyringParmsRef SYSVAPPSKeyring
}
TTLSKeyringParms SYSVAPPSKeyring
{
  Keyring {{ keyringName }}
}
TTLSEnvironmentAdvancedParms SYSVAPPSEnvironmentAdvancedParms
{
  ApplicationControlled Off
  Renegotiation Disabled
  SSLv2 Off
  SSLv3 Off
  TLSv1 Off
  TLSv1.1 Off
  TLSv1.2 On
  TLSv1.3 On
  ClientAuthType Full
}
TTLSConnectionAction SYSVAPPSServerConnectionAction
{
  HandshakeRole ServerWithClientAuth
  TTLSCipherParmsRef SYSVAPPSCipherParms
  TTLSConnectionAdvancedParmsRef SYSVAPPSConnectionAdvancedParms
}
TTLSConnectionAdvancedParms SYSVAPPSConnectionAdvancedParms
{
  ApplicationControlled Off
  ServerCertificateLabel {{ certificateLabel }}
  CertificateLabel {{ certificateLabel }}
  SecondaryMap Off
}
TTLSCipherParms SYSVAPPSCipherParms
{
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites TLS_AES_128_GCM_SHA256
  V3CipherSuites TLS_AES_256_GCM_SHA384
  V3CipherSuites TLS_CHACHA20_POLY1305_SHA256
}


Replace the following placeholders in the sample:

  • {{ keyringName }} with the name of your key ring (without user ID).
  • {{ certificateLabel }} with the label of the server certificate with a private key you want to use for SYSVAPPS.
  • {{ port }} with the SYSVAPPS port number.
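
One way to check the edited policy before installing it (an added example, not part of the original article or of SYSVIEW): the Python code below parses the statement blocks and reports placeholders left unreplaced, Ref parameters that name no defined block, and legacy protocol versions not explicitly set to Off. The function name lint_policy and the rule that a FooRef parameter points at a Foo statement are assumptions taken from the naming in the sample; the input is a constructed, shortened copy of the policy with three deliberate faults.

```python
import re

# Constructed sample: a shortened copy of the policy with three deliberate
# faults (placeholder left in, misspelled reference, TLSv1.1 line missing).
SAMPLE = """\
TTLSRule SYSVAPPSServerRule
{
  LocalPortRange {{ port }}
  TTLSEnvironmentActionRef SYSVAPPSServerEnvironmentAction
}
TTLSEnvironmentAction SYSVAPPSServerEnvironmentAction
{
  TTLSEnvironmentAdvancedParmsRef SYSVAPPSEnvAdvancedParms
}
TTLSEnvironmentAdvancedParms SYSVAPPSEnvironmentAdvancedParms
{
  SSLv2 Off
  SSLv3 Off
  TLSv1 Off
  TLSv1.2 On
}
"""

BLOCK = re.compile(r"^(TTLS\w+)\s+(\S+)\s*\{(.*?)^\}", re.M | re.S)
LEGACY = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

def lint_policy(text):
    """Return a list of findings for a Policy Agent AT-TLS policy text."""
    blocks = {}  # (statement type, name) -> list of (parameter, value)
    for stype, name, body in BLOCK.findall(text):
        lines = filter(None, map(str.strip, body.splitlines()))
        blocks[(stype, name)] = [(k, v.strip()) for k, _, v in (l.partition(" ") for l in lines)]
    findings = []
    for (stype, name), params in blocks.items():
        for key, value in params:
            if "{{" in value:
                findings.append(f"{name}: {key} still holds placeholder {value}")
            # Assumption: a parameter FooRef names a block declared as Foo.
            if key.endswith("Ref") and (key[:-3], value) not in blocks:
                findings.append(f"{name}: {key} -> {value} is not defined")
        if stype == "TTLSEnvironmentAdvancedParms":
            for proto in LEGACY:
                if (proto, "Off") not in params:
                    findings.append(f"{name}: {proto} is not explicitly Off")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE)))
```

An empty list means every placeholder was replaced, every reference resolves, and the four legacy protocol versions are switched off explicitly.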
     

If you have a site-specific policy for the cipher set, use it instead of SYSVAPPSCipherParms.
SYSVAPPSCipherParms is a set of ciphers that were considered secure in July 2020.

This policy configures AT-TLS on the z/OS side. For SYSVAPPS, you also need to add the attls profile to the list on the first line of the application.yml config file, so that it looks like:

spring.profiles.active: https,zos,attls