You can create the AT-TLS policies by using the IBM Configuration Assistant for z/OS Communications Server, a Java™ application that you can download from IBM. Complete the following steps to define the policies required to enable SSL support on behalf of IBM Integration Bus for z/OS running SOAPInput and SOAPRequest nodes:
1. Start the configuration assistant by clicking .
2. Click Add a New z/OS Image, enter the name of your z/OS image (LPAR) and a description, then click OK.
3. In the Configuration Assistant Navigation pane, select the image that you added in step 2, click Add New TCP/IP Stack, enter the stack name and description, then click OK.
4. In the Configuration Assistant Navigation pane, select the stack that you added in step 3, select AT-TLS from the list of technologies, then click Enable.
5. Click Configure.
6. Click Add. The Connectivity Rule wizard opens. Click Next.
7. Identify the data endpoints by completing the following fields. A generic rule facilitates testing, but can be made more specific later.
   - In the Local data endpoint field, select ALL_IP_Addresses.
   - In the Remote data endpoint field, select ALL_IP_Addresses.
   - In the Connectivity Rule Name field, enter a suffix for the name of the rules, then click Next.
8. Select a requirement map by clicking Add. The map is used to match the type of IP traffic with the security level to be implemented by AT-TLS.
9. Enter a name and description for the requirement map, then click Work with Traffic Descriptors. Two traffic descriptors are required: one for the inbound SOAP requests (IBM Integration Bus is the server), and another for the outbound SOAP requests (IBM Integration Bus is the client).
10. Create an inbound traffic descriptor by clicking Add, enter a name and description, then click OK.
11. Enter details about the inbound traffic descriptor:
    - For the local port, select Single port and set the port number to 7800 (the port on which the SOAPInput node normally listens).
    - For the remote port, select All ports.
    - Set the Indicate the TCP connect direction field to Inbound only.
    - In the Jobname field, enter an asterisk (*).
    - In the User ID field, enter an asterisk (*).
    - Select Use the following key ring database.
    - Select Key ring is in SAF product (such as RACF), then enter the name of the key ring.
    - Set the AT-TLS handshake role to Server, then click AT-TLS Advanced.
    - Enter the label of the IBM Integration Bus personal certificate, then click OK.
12. Click OK to save the traffic details for inbound SOAP traffic, then click OK to create the traffic descriptor for inbound SOAP.
13. Create an outbound traffic descriptor by clicking Add, add a name and description, then click OK.
14. Enter details about the outbound traffic descriptor:
    - For the local port, select All ports.
    - For the remote port, select Single port and set the port number to 7843.
    - Set the Indicate the TCP connect direction field to Outbound only.
    - In the Jobname field, enter an asterisk (*).
    - In the User ID field, enter an asterisk (*).
    - Select Use the following key ring database.
    - Select Key ring is in SAF product (such as RACF), then enter the name of the key ring.
    - Set the AT-TLS handshake role to Client, then click AT-TLS Advanced.
    - Enter the label of the IBM Integration Bus personal certificate, then click OK.
15. Click OK to save the traffic details for outbound SOAP traffic, then click OK to create the traffic descriptor for outbound SOAP.
16. Click Close.
17. To create a security level for IBM Integration Bus, click Work with Security Levels, then click Add.
18. On the Name and Type tab, enter a name and description.
19. On the Ciphers tab, select Use TLS V1, Use SSL V3, and Use System SSL defaults, then click OK.
20. To add traffic descriptors to the requirement map, select SOAP_Server and SOAP_Client from the Objects list, then click Add.
21. For each traffic descriptor, select the AT-TLS security level that you created in step 17, then click OK.
22. Click Next and set the appropriate Optional Connectivity Rule Settings, which are used to set tracing levels, tuning parameters, and timings when the rule is in effect.
23. Click Finish.
24. To save changes to the AT-TLS rules, click Apply changes, then click Main perspective.
25. To install the AT-TLS policy, select AT-TLS technology, click Install, then click FTP to send the policy rules to the LPAR.
26. Specify the FTP parameters:
    - Enter the LPAR host name and set the port number to 21.
    - Enter your user ID and password.
    - Enter the AT-TLS policy file location and name (for example, /etc/pagent/TCPIP_TTLS.policy).
    - Select Default transfer mode.
27. Click Send, wait for the file transfer to complete, then check that the transfer was successful.
28. Click Close.
29. After the file transfer, refresh or restart PAGENT.
The AT-TLS policies have been created and deployed.
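The Configuration Assistant writes the choices made above into the plain-text policy file that PAGENT reads (the file named in the FTP step, for example /etc/pagent/TCPIP_TTLS.policy), and reviewing that file is the quickest way to confirm what was actually installed. The fragment below is an added illustration, not output from the tool or text from the IBM documentation: it shows the AT-TLS policy statements that the two traffic descriptors and the security level correspond to, with the object names assumed and YOUR_KEYRING and YOUR_IIB_CERT_LABEL standing in for the key ring name and certificate label entered in the wizard. Jobname and Userid are omitted because an asterisk selects all jobs and users, which is the default when the parameters are absent.

```text
# Assumed object names; YOUR_KEYRING and YOUR_IIB_CERT_LABEL are placeholders.
TTLSRule                        SOAP_Server
{
  LocalAddr                     ALL
  RemoteAddr                    ALL
  # Port on which the SOAPInput node listens
  LocalPortRange                7800
  Direction                     Inbound
  TTLSGroupActionRef            gAct_ATTLS
  TTLSEnvironmentActionRef      eAct_SOAP_Server
  TTLSConnectionActionRef       cAct_IIB
}
TTLSRule                        SOAP_Client
{
  LocalAddr                     ALL
  RemoteAddr                    ALL
  # Remote port the SOAPRequest node connects to
  RemotePortRange               7843
  Direction                     Outbound
  TTLSGroupActionRef            gAct_ATTLS
  TTLSEnvironmentActionRef      eAct_SOAP_Client
  TTLSConnectionActionRef       cAct_IIB
}
TTLSGroupAction                 gAct_ATTLS
{
  TTLSEnabled                   On
}
TTLSEnvironmentAction           eAct_SOAP_Server
{
  HandshakeRole                 Server
  TTLSKeyringParmsRef           keyR_IIB
}
TTLSEnvironmentAction           eAct_SOAP_Client
{
  HandshakeRole                 Client
  TTLSKeyringParmsRef           keyR_IIB
}
TTLSKeyringParms                keyR_IIB
{
  Keyring                       YOUR_KEYRING
}
TTLSConnectionAction            cAct_IIB
{
  TTLSConnectionAdvancedParms
  {
    CertificateLabel            YOUR_IIB_CERT_LABEL
    SSLv3                       On
    TLSv1                       On
  }
}
```

The SSLv3 and TLSv1 lines mirror the Ciphers tab selections in the procedure; SSL V3 is an obsolete protocol, so on current z/OS Communications Server levels leave SSLv3 Off and enable TLSv1.2 in the same stanza unless a legacy peer still requires it.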
Next: Test and verify AT-TLS for IBM Integration Bus by following the instructions in Testing and verifying AT-TLS.