TLS security enhancements for Policy Agent

With APAR PM96891 installed, z/OS® V2R1 Communications Server enables the centralized Policy Agent to support TLSv1.1 and TLSv1.2 with a new set of TLSv1.2-specific 2-byte ciphers. In addition, the import services between the Policy Agent and IBM® Configuration Assistant for z/OS Communications Server allow user-defined AT-TLS policies to create a secure SSL connection.

Using TLS security enhancements for Policy Agent

To update SSL/TLS support in the centralized policy agent and import services, perform the appropriate tasks in Table 1.

Table 1. TLS security enhancements for Policy Agent

| Task/Procedure | Reference |
|---|---|
| If System SSL needs to access ICSF for new TLSv1.2 ciphers, ICSF must be started before starting policy agent. | z/OS Cryptographic Services System SSL Programming for information about using hardware Cryptographic Features with System SSL |
| In the Policy Agent configuration file (/etc/pagent.conf), you can update ServerConnection/ServerSSLV3CipherSuites to use the TLSv1.1 or TLSv1.2 new 2-byte ciphers for centralized policy agent support. | ServerSSLV3CipherSuites in ServerConnection under Policy Agent general configuration file statements in z/OS Communications Server: IP Configuration Reference |
| In the Policy Agent configuration file (/etc/pagent.conf), you can set ServicesConnection to Security Basic and use a default unsecure connection, or you can define AT-TLS policies to protect this import services connection with SSL/TLS. | Security Basic in ServicesConnection under Policy Agent general configuration file statements in z/OS Communications Server: IP Configuration Reference |