The IBM® Configuration Assistant for z/OS® Communications Server, an optional GUI-based tool, provides a guided interface for configuring TCP/IP policy-based networking functions. You can use the Configuration Assistant to generate the Policy Agent files.
The Configuration Assistant is a z/OS Management Facility (z/OSMF) task. z/OSMF provides a web browser interface for a variety of z/OS system management functions. When you invoke the Configuration Assistant in z/OSMF, the Configuration Assistant runs natively in the z/OS system and you can access it through a web browser. To use the Configuration Assistant in z/OSMF, your system must be z/OS V1R11 or later.
Through a series of wizards and online help panels, you can use the Configuration Assistant to create AT-TLS configuration files for any number of z/OS images with any number of TCP/IP stacks per image. Using the Configuration Assistant, there are three types of reusable objects:
For each TCP/IP stack, you create a set of connectivity rules that indicate the data endpoints and indicate which requirement map will govern security between the data endpoints.
The Configuration Assistant comes with a number of IBM-supplied traffic descriptors, security levels, and requirement maps that are easily applied, or you can use the IBM-supplied definitions as the basis for your own set of reusable objects.
The Configuration Assistant can dramatically reduce the amount of time that is required to create AT-TLS policy files, contributing to ease of configuration and maintenance. Because of the inherently complex nature of z/OS security, using the GUI can help you ensure that you have a consistent and easily manageable interface for implementing AT-TLS security.
This information primarily describes option 2, manual configuration. However, if you are using the Configuration Assistant, reading this information will help you understand security concepts and the relationship between Policy Agent and AT-TLS function.