Thank you everyone for your advice - this morning will be time deep in the
doc.


Lionel B. Dyck <sdg><
Website: https://www.lbdsoftware.com

"Worry more about your character than your reputation.  Character is what
you are, reputation merely what others think you are." - John Wooden

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of
Mike Hochee
Sent: Sunday, June 28, 2020 7:08 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ?

Hi Lionel, 

I did this a few years back and utilized it for a product. Below are a few
items from the product doc and a few more that remain in accessible memory
areas...

- Read the relevant sections of Comm Server IP Configuration Ref,
specifically in the chapter on Policy Agent (PA) and Policy Applications.
Also in the IP Configuration Guide, there is a chapter on AT-TLS Security
Data Protection, topic TCPIP Stack Initialization.     

- Use z/OSMF for generation of your initial set of PA config files and
inputs, then consider manually tailoring. I opted for this approach under
z/OS 2.2, but z/OSMF has undoubtedly improved greatly since then, so maybe
you can use z/OSMF exclusively w/out too much pain these days. 

- Configure the syslog daemon, and test it to ensure messages are being
collected for whatever you're interested in (TCPIP is not a pre-req for
syslogd) 

- Configure PROFILE.TCPIP, you will need to add a TTLS parm to the TCPCONFIG
statement

- Create the resource profile used to block access to the TCPIP stack during
initialization, the name of the resource will be
EZB.INITSTACK.%sysname.%tcpprocname  (it may be differently named w/ACF2 or
TSS) 

- Create a server keyring and x509 certificate, and then connect the cert to
the keyring, and depending on what you're doing you may need to permit
access so the keyring and cert can be listed (resources are
IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.LIST) 

- Once you have done the above and are ready to test:
Ensure syslogd is running.
Stop the TCPIP AS (there are undoubtedly less invasive ways). Start the TCPIP
AS and watch for msg EZZ4248E, after which you should start your PA daemon
(eventually, you'll want to automate this); the start will probably look
something like... /usr/lpp/tcpip/sbin/pagent -l /tmp/pagent.log -c
/etc/pagent.conf &

- Once started, check out the following for messages... 
MVS system log
Pagent log file
Output from the pasearch -t command 

If you need additional detail, please feel free to email me directly. 

HTH,
Mike  
 
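An added example, not from Mike's message or any IBM code: a small Python checker for the AT-TLS policy file that pagent reads (named by the TTLSConfig statement in pagent.conf, assumed here). It parses the brace-delimited TTLSEnvironmentAction blocks and flags legacy protocol switches that are not explicitly Off, or an environment action with no keyring. The policy fragment is constructed, and the statement names (TTLSEnvironmentAdvancedParms, SSLv2, SSLv3, TLSv1, TLSv1.1, TTLSKeyringParms, Keyring) are assumed from the AT-TLS policy syntax rather than taken from this thread.

```python
# Constructed sample; statement names follow AT-TLS policy syntax as assumed here.
SAMPLE_POLICY = """TTLSEnvironmentAction EnvAct1
{
  HandshakeRole            Server
  TTLSKeyringParms
  {
    Keyring                SERVERRING
  }
  TTLSEnvironmentAdvancedParms
  {
    SSLv3                  On
    TLSv1                  On
    TLSv1.2                On
  }
}
"""

LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")  # should be explicitly Off

def parse_policy(text):
    """Parse 'Type [Name]' headers with brace-delimited bodies into nested dicts."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    root, stack = {}, []
    current = root
    for i, line in enumerate(lines):
        if line == "}":
            current = stack.pop()  # close the innermost block
        elif i + 1 < len(lines) and lines[i + 1] == "{":
            block = {}
            current[line] = block  # key is "Type Name" or just "Type"
            stack.append(current)
            current = block
        elif line != "{":
            key, _, value = line.partition(" ")
            current[key] = value.strip()
    return root

def lint_policy(text):
    """Return findings per TTLSEnvironmentAction; an empty list means clean."""
    findings = []
    for name, env in parse_policy(text).items():
        if name.startswith("TTLSEnvironmentAction "):
            adv = env.get("TTLSEnvironmentAdvancedParms", {})
            for proto in LEGACY_PROTOCOLS:
                if adv.get(proto, "unset").lower() != "off":
                    findings.append(f"{name}: {proto} is {adv.get(proto, 'unset')}, set it Off")
            if "Keyring" not in env.get("TTLSKeyringParms", {}):
                findings.append(f"{name}: no Keyring in TTLSKeyringParms")
    return findings
```

Run lint_policy over the file you hand to pagent before restarting the stack; an empty list is the goal.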

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Lionel B Dyck
Sent: Sunday, June 28, 2020 6:26 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: AT-TLS ?


Anyone have any pointers for configuring AT-TLS on z/OS?

Lionel B. Dyck <sdg><
Website: https://www.lbdsoftware.com

"Worry more about your character than your reputation.  Character is what
you are, reputation merely what others think you are." - John Wooden

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
