Configuring the server system

On each z/OS® system where you run the server application, see Table 1 for the tasks needed to configure the server.

Table 1. AT-TLS configuration for the server system (each task is followed by its specification)
Create key ring
  Create a server key ring containing the server certificate and the necessary certificate authority certificates.
Create Policy Agent files
  1. Create a Policy Agent main configuration file containing a TcpImage statement for the server stack.
  2. Create a Policy Agent image configuration file for the server stack.
  3. If AT-TLS policies are to be retrieved from the policy server, create image-specific AT-TLS configuration files, and optionally, common AT-TLS configuration files, on the policy server.
Add AT-TLS configuration
  1. For local AT-TLS policies, add a TTLSConfig statement to the Policy Agent image configuration file, identifying the TTLSConfig policy file location:
    TTLSConfig  serverpath
  2. For remote AT-TLS policies, add a PolicyServer statement to the policy client image configuration file:
    PolicyServer
    {
       ClientName  name
       PolicyType  TTLS
       {
          …
       }
       …
    }
    Add a DynamicConfigPolicyLoad statement to the policy server main configuration file:
    DynamicConfigPolicyLoad  clientname
    {
       PolicyType TTLS
       {
          PolicyLoad  serverpath
       }
       …
    }
Add statements to the AT-TLS policy file
  Add the AT-TLS policy statements to the serverpath file:
  TTLSRule                     XYZServerRule
  {
         LocalPortRange                     5000
         JobName                            XYZSRV
         Direction                          Inbound
         TTLSGroupActionRef                 XYZGroup
         TTLSEnvironmentActionRef           XYZServerEnvironment
  }
  TTLSGroupAction              XYZGroup
  {
         TTLSEnabled                        On
  }
  TTLSEnvironmentAction        XYZServerEnvironment
  {
         TTLSKeyRingParms
           {
             Keyring                        server_key_ring
           }
         HandshakeRole                      SERVER
         Trace                              7
  }
Set up InitStack access control
  1. Define the EZB.INITSTACK.sysname.tcpname profile for each AT-TLS stack.
  2. Permit administrative applications to use the stack before AT-TLS is initialized.
For examples of the security product commands needed to create this resource profile name and grant users access to it, see member EZARACF in sample data set SEZAINST.
Enable AT-TLS
  Set TCPCONFIG TTLS in PROFILE.TCPIP.
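As an added example (not IBM code and not part of this documentation), the following Python parses a policy file written in the statement/block layout of the "Add statements to the AT-TLS policy file" task and checks that a TTLSRule's TTLSGroupActionRef and TTLSEnvironmentActionRef resolve to actions that set TTLSEnabled On, name a Keyring and use a server HandshakeRole. Keyword matching is case-insensitive in this checker, and the sample policy text is a constructed copy of the statements shown above.

```python
# Added example, not IBM code: parse the AT-TLS policy layout shown above and
# check a TTLSRule's references. The sample policy text below is constructed.
SAMPLE_POLICY = """TTLSRule XYZServerRule
{
  Direction Inbound
  TTLSGroupActionRef XYZGroup
  TTLSEnvironmentActionRef XYZServerEnvironment
}
TTLSGroupAction XYZGroup
{
  TTLSEnabled On
}
TTLSEnvironmentAction XYZServerEnvironment
{
  TTLSKeyRingParms
  {
    Keyring server_key_ring
  }
  HandshakeRole SERVER
}
"""

def parse_policy(text):
    """Map (statement type, name) -> {param: value}; nested block params get 'block.param' keys."""
    stmts, stack, header = {}, [], None
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        parts = line.split(None, 1)
        if line == "{":                      # open the block announced by the last header
            stack.append(header)
            stmts.setdefault(stack[0], {})
        elif line == "}":
            stack.pop()
        elif not stack:                      # top level: "TTLSRule XYZServerRule"
            header = (parts[0].lower(), parts[1])
        elif len(parts) == 1:                # nested block name, e.g. TTLSKeyRingParms
            header = line.lower()
        else:                                # "param value" inside a block; keys lower-cased
            stmts[stack[0]][".".join(stack[1:] + [parts[0].lower()])] = parts[1]
    return stmts

def check_rule(stmts, rule_name):
    """Findings for one TTLSRule: unresolved refs, AT-TLS not enabled, no key ring, non-server role."""
    p = stmts[("ttlsrule", rule_name)]
    grp = stmts.get(("ttlsgroupaction", p.get("ttlsgroupactionref")), {})
    env = stmts.get(("ttlsenvironmentaction", p.get("ttlsenvironmentactionref")), {})
    return [msg for ok, msg in [
        (grp.get("ttlsenabled", "").lower() == "on", "group action missing or TTLSEnabled not On"),
        (bool(env.get("ttlskeyringparms.keyring")), "environment action missing or no Keyring"),
        (env.get("handshakerole", "").upper().startswith("SERVER"), "HandshakeRole is not a server role"),
    ] if not ok]
```

Running check_rule(parse_policy(SAMPLE_POLICY), "XYZServerRule") on the sample returns an empty list; a rule whose TTLSGroupActionRef names a group action that is not defined, or whose group action does not set TTLSEnabled On, produces a finding instead.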