Table of Contents

Search

  1. Preface
  2. Introduction to PowerExchange
  3. DBMOVER Configuration File
  4. Netport Jobs
  5. PowerExchange Message Logs and Destination Overrides
  6. SMF Statistics Logging and Reporting
  7. PowerExchange Security
  8. Secure Sockets Layer Support
  9. PowerExchange Alternative Network Security
  10. PowerExchange Nonrelational SQL
  11. PowerExchange Globalization
  12. Using the PowerExchange ODBC Drivers
  13. PowerExchange Datatypes and Conversion Matrix
  14. Appendix A: DTL__CAPXTIMESTAMP Time Stamps
  15. Appendix B: PowerExchange Glossary

Example AT-TLS Policy File for PowerExchange

Example AT-TLS Policy File for PowerExchange

The following example shows a complete AT-TLS policy file for PowerExchange:
## ========================================================================== ## This is a sample AT_TLS Policy Agent Configuration file for Power Exchange, ## based on a subset of a file originally created by the ## IBM z/OS Network Security Configuration Assistant. ## ## It defines rules inbound connections arriving on 2 ports for listener PWXLST ## - port 56496 is for protocol TLSV1_2 without requesting client certificates ## - port 46496 is for protocol TLSV1_2 with the connection rejected ## if the client certificates do not pass validation checks. ## ## TTLSCipherParms cipher1_TLS1_2_AES256 defines the allowed ciphers ## ========================================================================== ##----------------------------------------------------------------- ## Rule for inbound connections on port 56496 for job PWXLST* ## Environment Action eActTls12Server defines handshake role server ## so client certificates are not authenticated ##----------------------------------------------------------------- TTLSRule PWXLSTTls12Server { Jobname PWXLST* LocalPortRange 56496 Direction Inbound TTLSGroupActionRef gActEnableTTLS TTLSEnvironmentActionRef eActTls12Server } ##----------------------------------------------------------------- ## Rule for inbound connections on port 46496 for job PWXLST* ## Environment Action eActTls12Server defines handshake role server ## so client certificates are authenticated ##----------------------------------------------------------------- TTLSRule PWXLSTTls12SrvrAuthTypeRequired { Jobname PWXLST* LocalPortRange 46496 Direction Inbound TTLSGroupActionRef gActEnableTTLS TTLSEnvironmentActionRef eActTls12SrvrAuthTypeRequired } ##----------------------------------------------------------------- ## Group Action gActEnableTTLS enables TTLS and traces some packets ##----------------------------------------------------------------- TTLSGroupAction gActEnableTTLS { TTLSEnabled On CtraceClearText Off Trace 31 # all trace levels except data GroupUserInstance 20319 } ##----------------------------------------------------------------- ## Environment Action eActTls12Server ## Uses protocol TLSv1.2 and certain TLSv1.2 ciphers ## HandshakeRole Server means client certificates are not requested ##----------------------------------------------------------------- TTLSEnvironmentAction eActTls12Server { HandshakeRole Server TTLSCipherParmsRef cipher1_TLS1_2_AES256 TTLSKeyringParmsRef kATTLSkeyring TTLSEnvironmentAdvancedParms { TLSv1.2 On } EnvironmentUserInstance 20319 } ##----------------------------------------------------------------- ## Environment Action eActTls12SrvrAuthTypeRequired ## Uses protocol TLSv1.2 and certain TLSv1.2 ciphers ## HandshakeRole ServerWithClientAuth means client certificates are requested ## ClientAuthType Required means connection rejected if client certificates ## do not pass authentication checks. ##----------------------------------------------------------------- TTLSEnvironmentAction eActTls12SrvrAuthTypeRequired { HandshakeRole ServerWithClientAuth TTLSCipherParmsRef cipher1_TLS1_2_AES256 TTLSKeyringParmsRef kATTLSkeyring TTLSEnvironmentAdvancedParms { ClientAuthType Required TLSv1.2 On } EnvironmentUserInstance 20319 } ##----------------------------------------------------------------- ## Defines the name of the key ring ##----------------------------------------------------------------- TTLSKeyRingParms kATTLSkeyring { Keyring ATTLS_keyring } ##----------------------------------------------------------------- ## Defines protocol TLS1_2 ciphers allowed for the connection ##----------------------------------------------------------------- TTLSCipherParms cipher1_TLS1_2_AES256 { V3CipherSuites TLS_RSA_WITH_AES_256_GCM_SHA384 V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256 V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA V3CipherSuites TLS_DHE_DSS_WITH_AES_256_CBC_SHA V3CipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA }