Setting up AT-TLS
z/OS Security Server RACF System Programmer's Guide SA23-2287-00
RACF® relies on AT-TLS to authenticate the RRSF nodes, and refuses to accept an RRSF connection unless AT-TLS has performed client authentication. Therefore, you must enable and configure AT-TLS. For information about how to do this, see the chapter on Application Transparent Transport Layer Security data protection in z/OS Communications Server: IP Configuration Guide.

The security administrator must implement a trust policy based on digital certificates for AT-TLS. For more information, see the topic on implementing a trust policy for RRSF in z/OS Security Server RACF Security Administrator's Guide. If you store the private keys for any of these digital certificates in the ICSF PKDS, you must ensure that ICSF starts during IPL before the Policy Agent, or RRSF connections fail.

z/OS® Communications Server provides a sample AT-TLS policy in its IBM® Configuration Assistant for z/OS Communications Server. Also, RACF ships sample policy statements in the IRRSRRSF member of SYS1.SAMPLIB, which you can edit into your existing policy. The sample AT-TLS policy that z/OS Communications Server provides is shipped disabled; you must enable it and install it into Policy Agent. Some important features of the policy are:
You can use the NETSTAT command provided by z/OS Communications Server to display detailed information about the AT-TLS policy covering an RRSF connection. For more information, see z/OS Security Server RACF Diagnosis Guide and z/OS Communications Server: IP System Administrator's Commands.
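One way to check a policy file, before it is installed into Policy Agent, for the requirement above that AT-TLS perform client authentication on inbound RRSF connections. This is an added example, not IBM's sample policy or code; the statement names, port 18136 and the one-brace-per-line layout of the sample text are constructed assumptions.

```python
# Constructed sample policy: statement names and the port are assumptions.
SAMPLE_POLICY = """\
TTLSRule RRSFListener
{
  LocalPortRange 18136
  Direction Inbound
  TTLSGroupActionRef RRSFGroup
  TTLSEnvironmentActionRef RRSFServerEnv
}
TTLSGroupAction RRSFGroup
{
  TTLSEnabled On
}
TTLSEnvironmentAction RRSFServerEnv
{
  HandshakeRole ServerWithClientAuth
}
"""

def parse_policy(text):
    """Map (statement, name) -> {keyword: value}; nested blocks are flattened."""
    blocks, header, current, depth = {}, None, None, 0
    for line in (l.strip() for l in text.splitlines()):
        parts = line.split(None, 1)
        if line == "{":
            depth += 1
            current = current if depth > 1 else blocks.setdefault(header, {})
        elif line == "}":
            depth -= 1
        elif parts and depth == 0:
            header = (parts[0], parts[-1])
        elif len(parts) == 2:
            current[parts[0]] = parts[1]
    return blocks

def check_listener(text, port):
    """Findings for inbound rules covering `port`; an empty list means it passes."""
    blocks, findings, matched = parse_policy(text), [], False
    for (stmt, name), rule in blocks.items():
        ports = [int(n) for n in rule.get("LocalPortRange", "").replace("-", " ").split() if n.isdigit()]
        inbound = rule.get("Direction") in ("Inbound", "Both")
        if stmt != "TTLSRule" or not inbound or not ports or not ports[0] <= port <= ports[-1]:
            continue
        matched = True
        group = blocks.get(("TTLSGroupAction", rule.get("TTLSGroupActionRef")), {})
        env = blocks.get(("TTLSEnvironmentAction", rule.get("TTLSEnvironmentActionRef")), {})
        if group.get("TTLSEnabled") != "On":
            findings.append(f"{name}: TTLSEnabled is not On")
        if env.get("HandshakeRole") != "ServerWithClientAuth":
            findings.append(f"{name}: HandshakeRole does not request client authentication")
    return findings if matched else [f"no inbound TTLSRule covers port {port}"]
```

Calling `check_listener(SAMPLE_POLICY, 18136)` returns an empty list; a policy whose environment action uses `HandshakeRole Server` returns a finding for that rule.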
Copyright IBM Corporation 1990, 2014