IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Defining and installing AT-TLS policies

Define and install AT-TLS policies by using the IBM® Configuration Assistant for z/OS® Communications Server.

Before you start:
You can create the AT-TLS policies by using the IBM Configuration Assistant for z/OS Communications Server, a Java™ application that you can download from IBM. Complete the following steps to define the policies required to enable SSL support on behalf of IBM Integration Bus for z/OS running SOAPInput and SOAPRequest nodes:
  1. Start the configuration assistant by clicking Start > All Programs > IBM Programs > IBM Configuration Assistant for z/OS > Configuration Assistant V1R10.
  2. Click Add a New z/OS Image, enter the name of your z/OS image (LPAR) and a description, then click OK.
  3. In the Configuration Assistant Navigation pane, select the image that you added in step 2, click Add New TCP/IP Stack, enter the stack name and description, then click OK.
  4. In the Configuration Assistant Navigation pane, select the stack that you added in step 3, select AT-TLS from the list of technologies, then click Enable.
  5. Click Configure.
  6. Click Add. The Connectivity Rule wizard opens. Click Next.
  7. Identify the data endpoints by completing the following fields. A generic rule facilitates testing, but can be made more specific later.
    1. In the Local data endpoint field, select ALL_IP_Addresses.
    2. In the Remote data endpoint field, select ALL_IP_Addresses.
    3. In the Connectivity Rule Name field, enter a suffix for the name of the rules, then click Next.
  8. Select a requirement map by clicking Add. The map is used to match the type of IP traffic with the security level to be implemented by AT-TLS.
  9. Enter a name and description for the requirement map, then click Work with Traffic Descriptors. Two traffic descriptors are required: one for the inbound SOAP requests (IBM Integration Bus is the server), and another for the outbound SOAP requests (IBM Integration Bus is the client).
  10. Create an inbound traffic descriptor by clicking Add, enter a name and description, then click OK.
  11. Enter details about the inbound traffic descriptor:
    1. For the local port, select Single port and set the port number to 7800 (the port on which the SOAPInput node normally listens).
    2. For the remote port, select All ports.
    3. Set the Indicate the TCP connect direction field to Inbound only.
    4. In the Jobname field, enter an asterisk (*).
    5. In the User ID field, enter an asterisk (*).
    6. Select Use the following key ring database.
    7. Select Key ring is in SAF product (such as RACF), then enter the name of the key ring.
    8. Set the AT-TLS handshake role to Server, then click AT-TLS Advanced.
    9. Enter the label of the IBM Integration Bus personal certificate, then click OK.
  12. Click OK to save the traffic details for inbound SOAP traffic, then click OK to create the traffic descriptor for inbound SOAP.
  13. Create an outbound traffic descriptor by clicking Add, add a name and description, then click OK.
  14. Enter details about the outbound traffic descriptor:
    1. For the local port, select All ports.
    2. For the remote port, select Single port and set the port number to 7843.
    3. Set the Indicate the TCP connect direction field to Outbound only.
    4. In the Jobname field, enter an asterisk (*).
    5. In the User ID field, enter an asterisk (*).
    6. Select Use the following key ring database.
    7. Select Key ring is in SAF product (such as RACF), then enter the name of the key ring.
    8. Set the AT-TLS handshake role to Client, then click AT-TLS Advanced.
    9. Enter the label of the IBM Integration Bus personal certificate, then click OK.
  15. Click OK to save the traffic details for outbound SOAP traffic, then click OK to create the traffic descriptor for outbound SOAP.
  16. Click Close.
  17. To create a security level for IBM Integration Bus, click Work with Security Levels, then click Add.
    1. On the Name and Type tab, enter a name and description.
    2. On the Ciphers tab, select Use TLS V1, Use SSL V3, and Use System SSL defaults, then click OK.
  18. To add traffic descriptors to the requirement map, select SOAP_Server and SOAP_Client from the Objects list, then click Add.
  19. For each traffic descriptor, select the AT-TLS security level that you created in step 17, then click OK.
  20. Click Next and set the appropriate Optional Connectivity Rule Settings, which are used to set tracing levels, tuning parameters, and timings when the rule is in effect.
  21. Click Finish.
  22. To save changes to the AT-TLS rules, click Apply changes, then click Main perspective.
  23. To install the AT-TLS policy, select AT-TLS technology, click Install, then click FTP to send the policy rules to the LPAR.
  24. Specify the FTP parameters:
    1. Enter the LPAR host name and set the port number to 21.
    2. Enter your user ID and password.
    3. Enter the AT-TLS policy file location and name (for example, /etc/pagent/TCPIP_TTLS.policy).
    4. Select Default transfer mode.
    5. Click Send, wait for file transfer to complete, then check that the transfer was successful.
    6. Click Close.
    7. After the file transfer, refresh or restart PAGENT.
    The AT-TLS policies have been created and deployed.
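
The following Python script is an added example, not part of the IBM documentation. It reads a policy file of the kind sent to the LPAR in step 24 and reports which rules are still as generic as step 7 leaves them and whether SSL V3 is enabled by the security level from step 17. The sample policy text and the name eAdv_Broker are constructed for illustration, and the parser assumes un-nested blocks as in the sample.

```python
SAMPLE_POLICY = """\
# Constructed sample in Policy Agent statement syntax, not tool output.
TTLSRule SOAP_Server
{
  LocalAddr ALL
  RemoteAddr ALL
  LocalPortRange 7800
  Jobname *
  Userid *
}
TTLSRule SOAP_Client
{
  LocalAddr ALL
  RemoteAddr ALL
  RemotePortRange 7843
}
TTLSEnvironmentAdvancedParms eAdv_Broker
{
  SSLv3 On
  TLSv1 On
}
"""
def parse_policy(text):
    """Return {(statement, name): {attribute: value}} for flat blocks."""
    lines = [s for s in (l.split("#")[0].strip() for l in text.splitlines()) if s]
    blocks, current = {}, None
    for i, line in enumerate(lines):
        if line == "}":
            current = None
        elif i + 1 < len(lines) and lines[i + 1] == "{":
            kind, _, name = line.partition(" ")
            current = blocks.setdefault((kind, name.strip()), {})
        elif line != "{" and current is not None:
            key, _, value = line.partition(" ")
            current[key] = value.strip()
    return blocks

def audit(blocks):
    """Yield (block name, finding) pairs to review before installing."""
    for (kind, name), attrs in blocks.items():
        if kind == "TTLSRule":
            if attrs.get("LocalAddr") == attrs.get("RemoteAddr") == "ALL":
                yield name, "matches every local and remote address"
            if attrs.get("Jobname", "*") == attrs.get("Userid", "*") == "*":
                yield name, "not limited by job name or user ID"
        elif attrs.get("SSLv3", "").lower() == "on":
            yield name, "SSLv3 enabled"

if __name__ == "__main__":
    print(*audit(parse_policy(SAMPLE_POLICY)), sep="\n")
```

To check a real file, pass its contents to parse_policy in place of SAMPLE_POLICY; a rule that omits Jobname or Userid is treated as unrestricted.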
Next: Test and verify AT-TLS for IBM Integration Bus by following the instructions in Testing and verifying AT-TLS.

bp22810_.htm | Last updated Friday, 21 July 2017