I wrote Using AT-TLS and PAGENT on z/OS
<https://colinpaice.blog/2022/10/19/using-at-tls-and-pagent-on-z-os-with-adcd/>
which covers setting up ATTLS, and gives an example or two.

Colin

On Mon, 1 May 2023 at 22:17, Keith Gooding < [email protected]> wrote:

> Bill.
>
> An AT-TLS rule consists of a number of tests and pointers to actions which
> are performed if all of the tests are true. One of the actions specifies if
> TLS is to be enabled or not. You can test on local and remote port
> numbers, local and remote IP addresses, connection direction (inbound or
> outbound), local address space name etc. You may have a rule which says
> “if the remote port is 443 (https?) and direction is outbound then enable
> TLS”. This would enable TLS for an SMPE batch job connecting to an https
> server. To check you can either view the AT-TLS policy or, to get a better
> formatted list, use the unix command “pasearch -t > mylist.txt” and then
> view mylist.txt. See Comms Server IP diagnosis for details of pasearch and
> how to list a subset of the policy. If this is in fact the problem you
> could add another rule which says “if the remote IP address is the IBM
> https server then do not enable TLS”.
>
> Keith
>
> On 1 May 2023, at 20:29, Michael Babcock <[email protected]> wrote:
> >
> > Here's our simple DB2 Secure port definition in AT-TLS:
> >
> > TTLSRule                     DBRTSecureServer          # Secure DBRT
> > {
> >   LocalPortRange             4450                      # DBRT Secure Port
> >   Direction                  Inbound                   # Inbound Only
> >   Priority                   1                         # Lowest priority rule
> >   TTLSGroupActionRef         grp_Production            # Uncomment once debugging
> >   TTLSEnvironmentActionRef   DBRT_SecureServer_Action  # DBRT Env Action
> > }
> >
> > TTLSEnvironmentAction        DBRT_SecureServer_Action
> > {
> >   HandshakeRole              Server
> >   TTLSKeyRingParmsRef        DBRT_Keyring_Parms
> >   TTLSCipherParmsRef         DB2_CipherParms
> >   TTLSEnvironmentAdvancedParms
> >   {
> >     ClientAuthType           PassThru
> >     SSLv2                    Off
> >     SSLv3                    Off
> >     TLSv1                    Off
> >     TLSv1.1                  Off
> >     TLSv1.2                  On
> >   }
> > }
> >
> > TTLSKeyRingParms             DBRT_Keyring_Parms
> > {
> >   Keyring                    DBRT/DBRT.KEYRING
> > }

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
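
Keith's two rules (enable TLS for outbound connections to port 443, plus a higher-priority exception for one remote address), written out as an AT-TLS policy fragment. This is an added example, not part of the original thread; the rule and action names, the priority values, the address 192.0.2.10 and the key ring name are constructed placeholders.

```conf
# Added example. All names, priorities, the address and the key ring
# below are constructed placeholders, not values from the thread.

# General rule: outbound connections to remote port 443 get TLS.
TTLSRule                     Outbound443_TLS
{
  RemotePortRange            443
  Direction                  Outbound
  Priority                   10
  TTLSGroupActionRef         grp_TLS_On
  TTLSEnvironmentActionRef   Outbound443_Client_Env
}

# Exception: same port and direction, but one specific server is excluded.
# The larger Priority value makes this rule win over the general one.
TTLSRule                     Outbound443_NoTLS_OneHost
{
  RemoteAddr                 192.0.2.10      # placeholder (documentation range)
  RemotePortRange            443
  Direction                  Outbound
  Priority                   20
  TTLSGroupActionRef         grp_TLS_Off
}

TTLSGroupAction              grp_TLS_On
{
  TTLSEnabled                On
}

TTLSGroupAction              grp_TLS_Off
{
  TTLSEnabled                Off
}

TTLSEnvironmentAction        Outbound443_Client_Env
{
  HandshakeRole              Client
  TTLSKeyRingParmsRef        Outbound443_Keyring
}

TTLSKeyRingParms             Outbound443_Keyring
{
  Keyring                    EXAMPLE/EXAMPLE.KEYRING   # placeholder owner/ring
}
```

With `TTLSEnabled Off` the stack leaves matching connections untouched, so the application itself has to provide TLS for that destination. After the policy is refreshed, the `pasearch -t` listing Keith mentions shows whether both rules were installed.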
