Help implementing AT-TLS

Discussion created by ca.portal.admin on Jan 15, 2010
Latest reply on Jan 15, 2010 by ca.portal.admin
Informational APAR QI83006 describes how to implement AT-TLS to enable
SSL traffic to and from IDMS. Our MVS people have installed AT-TLS, but
we are finding that we need more information than what is contained in
the APAR to proceed further. Has anyone else successfully implemented
this? We have two main questions right now:

1) Where do we indicate which IDMS TCP/IP ports should require SSL
for incoming requests?

2) Is there something we need to include in the outgoing request
(other than the correct target port) to cause AT-TLS to use SSL for
the request?

Kay Rozeboom
State of Iowa
Information Technology Enterprise
Department of Administrative Services
Telephone: 515.281.6139 Fax: 515.281.6137
Email: Kay.Rozeboom@Iowa.Gov
"
IDMS 3rd-party providers forum
IDMSVENDOR-L@LISTSERV.IUASSN.COM
SMTP
IDMSVENDOR-L@LISTSERV.IUASSN.COM
IDMSVENDOR-L@LISTSERV.IUASSN.COM
SMTP








Normal

Normal
Re: Help implementing AT-TLS
"Hi Kay,

1) Where do we indicate which IDMS TCP/IP ports should require SSL
for incoming requests?

Answer: In the AT-TLS Policy Agent Configuration file for your MVS image
(see the PortRange portR1 definition in the example below).

2) Is there something we need to include in the outgoing request
(other than the correct target port)
to cause AT-TLS to use SSL for the request?

Answer: No. However, if it is from JDBC (a Java request), then you need
to alter your connection URL to indicate that you wish to build an SSL
connection, as follows:

jdbc:idms:ssl://hostname:port/database

This is documented in the IDMS Server User Guide on page B-5.

You also need to specify the location of the local keystore for JDBC
connections using SSL. When running standalone Java applications, the
SSL keystore file must be specified to the Java VM. For example, in the
Java command to run JCF insert an option similar to this to point to
your keystore (note: this goes before the class name):

-Djavax.net.ssl.trustStore="C:\Documents and Settings\user.DOMAIN\.keystore"

When running Java applications in application servers such as Websphere
or Weblogic, see the vendor's documentation on how to specify the
keystore file.

If you wish to establish an SSL connection for an ODBC connection, then
you'll need to do this via CCI (for Server 16.1 or prior), or by properly
configuring the SSL tab in the IDMS ODBC Administrator for Server 17.0
users wishing to use the new ODBC Wire Protocol.


Below is an example of an AT-TLS Policy Agent Configuration file for an
MVS image named IDMS, which has CA IDMS port 3746 (for IDMSJSRV) defined
on the TCP/IP line TCP246.

DCMT LINE TCP246
*** Physical Line Display ***
PLine-ID TCP246
Status InSrv
Opened 2010-01-15-13.07.21.530592
Module IP
Plug-in RHDCD1IP
LTerm-ID PTerm-ID Type/M Status Port Target-host
TCLJSRV TCPJSRV LIST InSrv 03746


##
## AT-TLS Policy Agent Configuration file for:
## Image: IDMS
## Stack: TCPIP2
##
## Created by the z/OS Network Security Configuration Assistant
## Date Created = Thu Dec 18 22:29:46 EST 2008
##
## Copyright = None
##
TTLSRule IDMSJSRV~1
{
LocalAddrRef addr1
RemoteAddrSetRef addr2
LocalPortRangeRef portR1
RemotePortRangeRef portR2
Direction Inbound
Priority 255
TTLSGroupActionRef enableGrpAct~IDMS
TTLSEnvironmentActionRef eAct1~IDMSJSRV
}
TTLSGroupAction enableGrpAct~IDMS
{
TTLSEnabled On
TTLSGroupAdvancedParmsRef gAdv~IDMS
}
TTLSGroupAdvancedParms gAdv~IDMS
{
Envfile DD:STDENV
}
TTLSEnvironmentAction eAct1~IDMSJSRV
{
## HandshakeRole Server
HandshakeRole ServerWithClientAuth
EnvironmentUserInstance 4
TTLSKeyringParmsRef keyR1
TTLSCipherParmsRef cipher1~AT-TLS__Silver
TTLSEnvironmentAdvancedParmsRef eAdv1~IDMSJSRV
Trace 15
}
TTLSEnvironmentAdvancedParms eAdv1~IDMSJSRV
{
HandshakeTimeout 60
## CertificateLabel XSRVCERT
## The JSRVCERT certificate must reside in the client's keystore (for JDBC)
## or in the "Server Cert" location (for ODBC).
CertificateLabel JSRVCERT
## ClientAuthType PassThru
ClientAuthType Full
## ClientAuthType Required
## ClientAuthType SAFCheck
}
TTLSKeyringParms keyR1
{
## Keyring XSRV IDMS
Keyring JSRV IDMS
}
TTLSCipherParms cipher1~AT-TLS__Silver
{
V3CipherSuites TLS_RSA_WITH_DES_CBC_SHA
V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
}
IpAddr addr1
{
## Comment: CA IDMS incoming IP address
Addr 141.900.111.00
}
IpAddrSet addr2
{
Prefix 0.0.0.0/0
}
PortRange portR1
{
## Comment: CA IDMS incoming port
Port 3746
}
PortRange portR2
{
Port 1024-65535
}


David Pomeroy and David Dillon
CA
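As an added example (not part of the reply above and not CA's code), a small Python audit script that reads a policy in the format shown above and reports which local ports an enabled Inbound TTLSRule forces through AT-TLS, i.e. the check behind question 1. The embedded policy excerpt is constructed from the names in the example; the extra Outbound rule is an assumption added to show that it does not make an inbound port require TLS.

```python
# Constructed excerpt in the shape of the AT-TLS policy posted above; the
# Outbound rule is added (assumption) to show it does not protect an inbound port.
SAMPLE_POLICY = """
TTLSRule IDMSJSRV~1
{
LocalPortRangeRef portR1
Direction Inbound
TTLSGroupActionRef enableGrpAct~IDMS
}
TTLSRule IDMSOUT~1
{
LocalPortRangeRef portR1
Direction Outbound
TTLSGroupActionRef enableGrpAct~IDMS
}
TTLSGroupAction enableGrpAct~IDMS
{
TTLSEnabled On
}
PortRange portR1
{
Port 3746
}"""

def parse_policy(text):
    """Map (statement type, name) -> {keyword: value} for each brace block."""
    blocks, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()   # "##" starts a comment
        if not line or line == "{":
            continue
        if line == "}":
            cur = None
        elif cur is None:                        # block header, e.g. "TTLSRule IDMSJSRV~1"
            kind, name = line.split(None, 1)
            cur = (kind, name); blocks[cur] = {}
        else:                                    # attribute, e.g. "Direction Inbound"
            key, _, value = line.partition(" ")
            blocks[cur][key] = value.strip()     # a repeated keyword keeps its last value
    return blocks

def ssl_required_ports(blocks):
    """Local ports that an enabled Inbound (or Both) TTLSRule forces through AT-TLS."""
    ports = {}
    for (kind, name), attrs in blocks.items():
        if kind != "TTLSRule" or attrs.get("Direction") not in ("Inbound", "Both"):
            continue
        group = blocks.get(("TTLSGroupAction", attrs.get("TTLSGroupActionRef")), {})
        prange = blocks.get(("PortRange", attrs.get("LocalPortRangeRef")), {})
        if group.get("TTLSEnabled") == "On" and "Port" in prange:
            ports[prange["Port"]] = name
    return ports
```

Running `ssl_required_ports(parse_policy(SAMPLE_POLICY))` on the excerpt reports only port 3746 under rule IDMSJSRV~1; a port that is listening but absent from this map is accepting cleartext.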