Hi Lionel, I did this a few years back and utilized it for a product. Below are a few items from the product doc and a few more that remain in accessible memory areas...
- Read the relevant sections of Comm Server IP Configuration Ref, specifically in the chapter on Policy Agent (PA) and Policy Applications. Also in the IP Configuration Guide, there is a chapter on AT-TLS Security Data Protection, topic TCPIP Stack Initialization.
- Use z/OSMF for generation of your initial set of PA config files and inputs, then consider manually tailoring. I opted for this approach under z/OS 2.2, but z/OSMF has undoubtedly improved greatly since then, so maybe you can use z/OSMF exclusively w/out too much pain these days.
- Configure the syslog daemon, and test it to ensure messages are being collected for whatever you're interested in (TCPIP is not a pre-req for syslogd).
- Configure PROFILE.TCPIP; you will need to add a TTLS parm to the TCPCONFIG statement.
- Create the resource profile used to block access to the TCPIP stack during initialization; the name of the resource will be EZB.INITSTACK.%sysname.%tcpprocname (it may be differently named w/ACF2 or TSS).
- Create a server keyring and x509 certificate, and then connect the cert to the keyring, and depending on what you're doing you may need to permit access so the keyring and cert can be listed (resources are IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.LIST).
- Once you have done the above and are ready to test:
  Ensure syslogd is running
  Stop the TCPIP AS (there are undoubtedly less invasive ways)
  Start the TCPIP AS and watch for msg EZZ4248E, after which you should start your PA daemon (eventually, you'll want to automate this); the start will probably look something like...
  /usr/lpp/tcpip/sbin/pagent -l /tmp/pagent.log -c /etc/pagent.conf &
- Once started, check out the following for messages...
  MVS system log
  Pagent log file
  Output from the pasearch -t command

If you need additional detail, please feel free to email me directly.
HTH, Mike

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Lionel B Dyck
Sent: Sunday, June 28, 2020 6:26 PM
To: [email protected]
Subject: AT-TLS ?

Anyone have any pointers for configuring AT-TLS on z/OS?

Lionel B. Dyck <sdg><
Website: https://www.lbdsoftware.com

"Worry more about your character than your reputation. Character is what you are, reputation merely what others think you are." - John Wooden

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
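As an added illustration of the "PA config files" step in Mike's list (this is not Mike's configuration, nor IBM's sample; it is a constructed fragment), the following shows what a minimal AT-TLS policy in /etc/pagent.conf looks like for one inbound server port, tied to the keyring created in the RACDCERT step. The port (8443), the rule and action names, the keyring name TCPIP/ATTLSRING and the cipher choice are all assumptions for the example; substitute your own. Statement names (TTLSRule, TTLSGroupAction, TTLSEnvironmentAction, TTLSKeyringParms, TTLSEnvironmentAdvancedParms, TTLSCipherParms) are the standard AT-TLS policy statements.

```text
# /etc/pagent.conf  (constructed example, not from the original message)
# Loaded by: /usr/lpp/tcpip/sbin/pagent -l /tmp/pagent.log -c /etc/pagent.conf &

# Policy Agent logging: 255 = everything, useful while bringing the policy up.
LogLevel 255

# Rule: match inbound TCP connections to local port 8443 only.
# Nothing else on the stack is affected by this rule.
TTLSRule                    ServerRule-8443
{
  LocalPortRange            8443          # assumed application port
  Direction                 Inbound
  Priority                  255           # higher wins when several rules match
  TTLSGroupActionRef        GroupAct-On
  TTLSEnvironmentActionRef  EnvAct-Server
}

# Group action: turns AT-TLS on for connections matched by the rule.
TTLSGroupAction             GroupAct-On
{
  TTLSEnabled               On
  Trace                     2             # 2 = log errors to syslogd
}

# Environment action: the stack acts as the TLS server and presents the
# certificate connected to userid TCPIP's keyring ATTLSRING
# (the RACDCERT ADDRING / CONNECT step in the list above).
TTLSEnvironmentAction       EnvAct-Server
{
  HandshakeRole             Server
  TTLSKeyringParms
  {
    Keyring                 TCPIP/ATTLSRING   # assumed owner/ring name
  }
  TTLSEnvironmentAdvancedParms
  {
    # Disable legacy protocol versions; keep only TLS 1.2 for this example.
    SSLv2                   Off
    SSLv3                   Off
    TLSv1                   Off
    TLSv1.1                 Off
    TLSv1.2                 On
  }
  TTLSCipherParms
  {
    # Illustrative cipher; pick from the V3CipherSuites list for your release.
    V3CipherSuites          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  }
}
```

Two practical notes on this. First, after pagent starts and the EZZ4248E wait clears, `pasearch -t` should list ServerRule-8443 with its group and environment actions; if the rule is missing or shows an error, the pagent log file and syslogd output (the three places Mike lists) are where the parse or keyring problem will be reported. Second, the EZB.INITSTACK profile in the SERVAUTH class is what keeps the stack closed to ordinary applications between TCPIP start and policy load, so only user IDs that genuinely need the stack before the policy is active (pagent, syslogd and the like) should be permitted READ to it; otherwise a connection could be accepted in the window before AT-TLS rules are in force.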
