Hi Lionel, 

I did this a few years back and utilized it for a product. Below are a few
items from the product doc and a few more that remain in accessible memory
areas...

- Read the relevant sections of the Comm Server IP Configuration Reference, specifically
in the chapter on Policy Agent (PA) and Policy Applications. Also in the IP
Configuration Guide, there is a chapter on AT-TLS Security Data Protection,
topic TCPIP Stack Initialization.

- Use z/OSMF for generation of your initial set of PA config files and inputs,
then consider manually tailoring. I opted for this approach under z/OS 2.2, but
z/OSMF has undoubtedly improved greatly since then, so maybe you can use z/OSMF
exclusively without too much pain these days.

- Configure the syslog daemon, and test it to ensure messages are being
collected for whatever you're interested in (TCPIP is not a pre-req for
syslogd).

- Configure PROFILE.TCPIP; you will need to add a TTLS parm to the TCPCONFIG
statement.

- Create the resource profile used to block access to the TCPIP stack during
initialization. The name of the resource will be
EZB.INITSTACK.%sysname.%tcpprocname (it may be differently named with ACF2 or
TSS).

- Create a server keyring and X.509 certificate, and then connect the cert to
the keyring. Depending on what you're doing, you may need to permit access
so the keyring and cert can be listed (the resources are IRR.DIGTCERT.LISTRING and
IRR.DIGTCERT.LIST).

- Once you have done the above and are ready to test:
Ensure syslogd is running.
Stop the TCPIP AS (there are undoubtedly less invasive ways).
Start the TCPIP AS and watch for msg EZZ4248E, after which you should start
your PA daemon (eventually, you'll want to automate this). The start will
probably look something like... /usr/lpp/tcpip/sbin/pagent -l /tmp/pagent.log
-c /etc/pagent.conf &

- Once started, check out the following for messages...
MVS system log
Pagent log file
Output from the pasearch -t command

If you need additional detail, please feel free to email me directly. 

HTH, 
Mike  
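
As an added worked example (not from Mike's post, and not IBM's documentation), here is the minimal set of configuration pieces that the steps above describe, laid out so you can see how they fit together. Everything named here is an assumption: a single TCPIP stack on system SYS1 started as procedure TCPIP, Policy Agent running under user ID PAGENT, a server application running under user ID SRVUSER and listening on port 8443, RACF as the ESM, and a keyring called TLSRING. Lines beginning with # are annotations: they are valid comments in the Policy Agent files, but PROFILE.TCPIP comments start with ; and RACF commands have no comment syntax, so drop them before pasting those parts.

```text
# --- /etc/pagent.conf (Policy Agent main configuration) ---
# Single-stack system, so TTLSConfig can sit in the main file. With several
# stacks, put it in the per-stack image file named on a TcpImage statement.
LogLevel 15
TTLSConfig /etc/pagent_TTLS.conf FLUSH PURGE

# --- /etc/pagent_TTLS.conf (AT-TLS policy) ---
# Protect inbound connections to the (assumed) server port 8443.
TTLSRule                      Server8443Rule
{
  LocalPortRange              8443
  Direction                   Inbound
  TTLSGroupActionRef          GroupAct_Server
  TTLSEnvironmentActionRef    EnvAct_Server
}

TTLSGroupAction               GroupAct_Server
{
  TTLSEnabled                 On
# Trace 2: AT-TLS error messages go to syslogd, which is why syslogd
# must be up and tested before the stack is restarted.
  Trace                       2
}

TTLSEnvironmentAction         EnvAct_Server
{
  HandshakeRole               Server
  TTLSKeyringParms
  {
# The keyring created by the RACDCERT commands below.
    Keyring                   TLSRING
  }
  TTLSEnvironmentAdvancedParms
  {
    SSLv3                     Off
    TLSv1                     Off
    TLSv1.1                   Off
    TLSv1.2                   On
  }
  TTLSCipherParms
  {
# Forward-secret AEAD suites only; the server certificate is RSA.
    V3CipherSuites            TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    V3CipherSuites            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  }
}

# --- PROFILE.TCPIP fragment ---
TCPCONFIG TTLS

# --- RACF commands (TSO) ---
# Block the stack until Policy Agent has installed policy. Only PAGENT and
# the OMVS kernel ID may use the stack while it is waiting (EZZ4248E).
RDEFINE SERVAUTH EZB.INITSTACK.SYS1.TCPIP UACC(NONE)
PERMIT EZB.INITSTACK.SYS1.TCPIP CLASS(SERVAUTH) ID(PAGENT OMVSKERN) ACCESS(READ)
SETROPTS RACLIST(SERVAUTH) REFRESH

# Keyring and (self-signed, test-only) certificate owned by the server's
# user ID; the cert is connected as the ring's default so HandshakeRole
# Server can find it. For production, sign with your CA instead.
RACDCERT ID(SRVUSER) ADDRING(TLSRING)
RACDCERT ID(SRVUSER) GENCERT SUBJECTSDN(CN('host.example.com') O('Example')) WITHLABEL('TLSSERVER') SIZE(2048)
RACDCERT ID(SRVUSER) CONNECT(LABEL('TLSSERVER') RING(TLSRING) DEFAULT)

# Let the server's user ID list its own ring and certificate.
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(SRVUSER) ACCESS(READ)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(SRVUSER) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
```

After the stack restart and pagent start described above, pasearch -t should list Server8443Rule with its group and environment actions; if it does not, the Policy Agent log and the syslogd output are the first places to look, since parse errors in the TTLS file and handshake failures both land there. The protocol and cipher restrictions are a deliberate choice for a new deployment; loosen them only for a client population you have actually identified.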
 

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Lionel B Dyck
Sent: Sunday, June 28, 2020 6:26 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: AT-TLS ?

Anyone have any pointers for configuring AT-TLS on z/OS?


Lionel B. Dyck
Website: https://www.lbdsoftware.com

"Worry more about your character than your reputation.  Character is what you 
are, reputation merely what others think you are." - John Wooden




----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN