You can enable the SMTP server and client to use Transport
Layer Security (TLS) to provide private, authenticated communication
over the Internet.
Procedure
Perform the following steps to use Transport Layer Security
(TLS) for CSSMTP:
- Set up secure mail using the YES option on the Secure parameter
of the TargetServer statement, the STARTTLS command in the JES batch
job, or both. Table 1 shows
whether TLS is required between CSSMTP and a target server based on
various JES batch job and CSSMTP configuration combinations.
Table 1. JES batch job and CSSMTP configuration combinations for secure mail

STARTTLS command?   Secure parameter value   TLS required?
Yes                 YES                      Yes
No                  YES                      Yes
Yes                 NO                       Yes
No                  NO                       No
If secure communication is required according to Table 1 and no available target servers support TLS (as indicated by the server capabilities returned in response to the EHLO command), the mail message fails and is not delivered.
For information about the TargetServer statement, see z/OS Communications Server: IP Configuration Reference. For information about the STARTTLS command, see z/OS Communications Server: IP User's Guide and Commands.
- See the following simple example to get started with TLS. For more information about TLS, see Application Transparent Transport Layer Security data protection.
In this example, assume the following characteristics:
- The mail contains sensitive data, and you want CSSMTP to communicate
with only TLS protocols.
- CSSMTP is using port 25 to communicate with a target server on
another platform.
- There is only one TCP/IP stack over which mail is delivered, referred
to as the client stack.
To set up TLS for this sample environment, take the following
actions:
- Create the key ring.
The client key ring needs the root certificate that was used to sign the server certificates, so that AT-TLS can validate the certificate the target server presents. For a TLS/SSL primer and some step-by-step examples, see TLS/SSL security.
For more information about managing key rings and certificates with RACF® and the RACDCERT command,
see z/OS Security Server RACF Security Administrator's
Guide. For more information about managing key rings and certificates with
gskkyman, see z/OS Cryptographic Services System SSL Programming.
- Configure CSSMTP to require secure communication. Configure the
TargetServer statement with the Secure parameter set to YES, which
specifies that TLS protocols are always required. For information
about the TargetServer statement, see z/OS Communications Server: IP Configuration
Reference.
- Configure the client system to use TLS with AT-TLS policies as
follows:
- Specify TTLS on the TCPCONFIG statement in the TCP/IP profile
for the client stack. For information about the TCPCONFIG statement, see z/OS Communications Server: IP Configuration
Reference.
- Block the ability of applications to open a socket before AT-TLS
policy is loaded into the TCP/IP stack by setting up EZB.INITSTACK.sysname.tcpname for
the client stack.
- Create a main Policy Agent configuration file containing a TcpImage
statement for the client stack, and create a TcpImage policy file
for the client stack. For more information about AT-TLS policy statements, see z/OS Communications Server: IP Configuration
Reference.
- Add a TTLSConfig statement to each TcpImage policy file to identify
the TTLSConfig policy file location:
TTLSConfig clientPath
- Add the AT-TLS policy statements to the clientPath file:
# Rule: outbound connections from this stack to remote port 25 (the
# target server port assumed in this example) are handled by AT-TLS.
TTLSRule CSSMTPRule
{
  RemotePortRange 25
  Direction Outbound
  TTLSGroupActionRef CSSMTPGroup
  TTLSEnvironmentActionRef CSSMTPEnvironment
}
# Group action: enable AT-TLS for connections that match the rule.
TTLSGroupAction CSSMTPGroup
{
  TTLSEnabled On
}
# Environment action: CSSMTP acts as the TLS client. The key ring holds
# the root certificate used to validate the target server's certificate.
# ApplicationControlled On lets CSSMTP decide when the TLS handshake
# starts, which is what the STARTTLS exchange requires.
TTLSEnvironmentAction CSSMTPEnvironment
{
  HandshakeRole Client
  TTLSKeyRingParms
  {
    Keyring client_key_ring
  }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled On
  }
}
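The following added example (not part of the z/OS documentation) models the decision described above: Table 1 decides whether TLS is required, and a mail message can only be delivered when TLS is not required or at least one target server advertises STARTTLS in its EHLO reply. The two EHLO replies and host names are constructed for the example.

```python
"""Offline model of CSSMTP's TLS delivery decision: Table 1 (STARTTLS
command and Secure parameter) combined with the capabilities that each
target server advertised in its EHLO reply."""
import re

# Constructed EHLO replies for two hypothetical target servers.
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-relay.example.test\r\n"
    "250-SIZE 10240000\r\n"
    "250 8BITMIME\r\n"
)


def tls_required(starttls_in_job: bool, secure_param: str) -> bool:
    """Table 1: TLS is required unless the JES batch job omits the
    STARTTLS command and the TargetServer Secure parameter is NO."""
    secure = secure_param.strip().upper()
    if secure not in ("YES", "NO"):
        raise ValueError(f"Secure must be YES or NO, got {secure_param!r}")
    return starttls_in_job or secure == "YES"


def ehlo_extensions(reply: str) -> set:
    """Parse a multi-line 250 EHLO reply into the set of advertised
    extension keywords. The first line is the greeting, not a capability."""
    lines = [line for line in reply.splitlines() if line.strip()]
    if not lines or not all(re.match(r"^250[- ]", line) for line in lines):
        raise ValueError("not a successful EHLO reply")
    return {line[4:].split()[0].upper() for line in lines[1:] if line[4:].strip()}


def can_deliver(starttls_in_job: bool, secure_param: str, ehlo_replies) -> bool:
    """True if CSSMTP could deliver the message: either TLS is not
    required, or at least one available target server supports STARTTLS."""
    if not tls_required(starttls_in_job, secure_param):
        return True
    return any("STARTTLS" in ehlo_extensions(reply) for reply in ehlo_replies)
```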
Results
You know you are done when CSSMTP can successfully deliver
mail to a target server using secure connections. If SECURE YES is
configured and CSSMTP is able to successfully negotiate and establish
a TLS session, the following message is displayed:
EZD1821I csproc ABLE TO USE TARGET SERVER ipAddress
Restriction: To use the STARTTLS command with a target server,
the target server must have a certificate that can be validated by
the AT-TLS component of z/OS Communications
Server as configured by Policy Agent. This certificate can be a self-signed
certificate or a certificate that can be validated by a known certificate
authority. If the certificate of the server cannot be validated, secure
communication with the server fails and mail that requires security
cannot be delivered to that server.