## ==========================================================================
## This is a sample AT_TLS Policy Agent Configuration file for Power Exchange,
## based on a subset of a file originally created by the
## IBM z/OS Network Security Configuration Assistant.
##
## It defines rules for inbound connections arriving on 2 ports for listener PWXLST
##  - port 56496 is for protocol TLSV1_2 without requesting client certificates
##  - port 46496 is for protocol TLSV1_2 with the connection rejected
##    if the client certificates do not pass validation checks.
##
## TTLSCipherParms cipher1_TLS1_2_AES256 defines the allowed ciphers
##
## NOTE(review): "TLSv1.2 On" enables TLS 1.2 but does not by itself turn off
## earlier protocol versions; if TLS 1.2 only is intended, confirm the
## effective TLSv1 / TLSv1.1 settings of TTLSEnvironmentAdvancedParms on the
## target z/OS release.
## ==========================================================================

##-----------------------------------------------------------------
## Rule for inbound connections on port 56496 for job PWXLST*
## Environment Action eActTls12Server defines handshake role Server
## so client certificates are not requested or authenticated. Any client
## that completes the TLS handshake reaches the listener on this port;
## presumably client authentication then happens at the PowerExchange
## level - confirm.
##-----------------------------------------------------------------
TTLSRule PWXLSTTls12Server
{
  Jobname PWXLST*
  LocalPortRange 56496
  Direction Inbound
  TTLSGroupActionRef gActEnableTTLS
  TTLSEnvironmentActionRef eActTls12Server
}

##-----------------------------------------------------------------
## Rule for inbound connections on port 46496 for job PWXLST*
## Environment Action eActTls12SrvrAuthTypeRequired defines handshake role
## ServerWithClientAuth with ClientAuthType Required, so client certificates
## are requested and authenticated (the connection is rejected otherwise).
##-----------------------------------------------------------------
TTLSRule PWXLSTTls12SrvrAuthTypeRequired
{
  Jobname PWXLST*
  LocalPortRange 46496
  Direction Inbound
  TTLSGroupActionRef gActEnableTTLS
  TTLSEnvironmentActionRef eActTls12SrvrAuthTypeRequired
}

##-----------------------------------------------------------------
## Group Action gActEnableTTLS enables TTLS and traces some packets.
## CtraceClearText Off keeps decrypted application data out of the CTRACE.
## NOTE(review): Trace 31 is a verbose debugging level; confirm it is
## appropriate before using this policy in production.
##-----------------------------------------------------------------
TTLSGroupAction gActEnableTTLS
{
  TTLSEnabled On
  CtraceClearText Off
  Trace 31 # all trace levels except data
  GroupUserInstance 20319
}

##-----------------------------------------------------------------
## Environment Action eActTls12Server
## Uses protocol TLSv1.2 and certain TLSv1.2 ciphers
## HandshakeRole Server means client certificates are not requested
##-----------------------------------------------------------------
TTLSEnvironmentAction eActTls12Server
{
  HandshakeRole Server
  TTLSCipherParmsRef cipher1_TLS1_2_AES256
  TTLSKeyringParmsRef kATTLSkeyring
  TTLSEnvironmentAdvancedParms
  {
    TLSv1.2 On
  }
  EnvironmentUserInstance 20319
}

##-----------------------------------------------------------------
## Environment Action eActTls12SrvrAuthTypeRequired
## Uses protocol TLSv1.2 and certain TLSv1.2 ciphers
## HandshakeRole ServerWithClientAuth means client certificates are requested
## ClientAuthType Required means the connection is rejected if client
## certificates do not pass authentication checks.
##-----------------------------------------------------------------
TTLSEnvironmentAction eActTls12SrvrAuthTypeRequired
{
  HandshakeRole ServerWithClientAuth
  TTLSCipherParmsRef cipher1_TLS1_2_AES256
  TTLSKeyringParmsRef kATTLSkeyring
  TTLSEnvironmentAdvancedParms
  {
    ClientAuthType Required
    TLSv1.2 On
  }
  EnvironmentUserInstance 20319
}

##-----------------------------------------------------------------
## Defines the name of the key ring holding the server certificate.
## NOTE(review): presumably the same key ring must also hold the CA
## certificates used to validate client certificates on port 46496 - confirm.
##-----------------------------------------------------------------
TTLSKeyRingParms kATTLSkeyring
{
  Keyring ATTLS_keyring
}

##-----------------------------------------------------------------
## Defines protocol TLS1_2 ciphers allowed for the connection.
## NOTE(review): the TLS_RSA_* suites use static RSA key exchange (no
## forward secrecy) and the *_CBC_SHA suites use CBC mode with an HMAC-SHA1
## MAC; keep them only if older clients require them, otherwise prefer the
## ECDHE/DHE GCM suites.
##-----------------------------------------------------------------
TTLSCipherParms cipher1_TLS1_2_AES256
{
  V3CipherSuites TLS_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256
  V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA
}