Implementing TLS Security in a PowerExchange Network

Step 2A. Set Up AT-TLS on z/OS

On z/OS release 1.7 and later, AT-TLS uses a Communications Server policy file to determine which sessions use the TLS protocol.
Before you add a rule to the AT-TLS policy file, verify that the file exists and that the Policy Agent is running.
Add a rule to this file that defines PowerExchange Listener properties for TLS communication.
To add a rule, edit the policy file or use the IBM Configuration Assistant for z/OS Communications Server. You can download the IBM Configuration Assistant for z/OS Communications Server from the IBM z/OS Support web site.
When you add a rule, include the following statements:
LocalPortRange: PowerExchange Listener port number.
Jobname: PowerExchange Listener job name.
Direction: Direction of communication. Specify Inbound to indicate that communication proceeds from client to Listener.
TTLSGroupActionRef: References an existing group_action that is defined in another section of the policy file.
TTLSEnvironmentActionRef: References an existing environment_action that is defined in another section of the policy file.
The following example rule demonstrates how to enter the statements:
TTLSRULE JOB_JBBV861
{
  LocalPortRange 13132
  Jobname JBBV861
  Direction Inbound
  TTLSGroupActionRef gActEnableTTLS
  TTLSEnvironmentActionRef eActServerDefault
}
The TTLSGroupActionRef and TTLSEnvironmentActionRef statements in the rule reference statements in other sections of the policy file. The following table describes the statements that are referenced:
TTLSGroupAction
  TTLSEnabled: On
  CtraceClearText: Off
  Trace: 7
TTLSEnvironmentAction
  HandshakeRole: For servers, specifies one of the following values:
    • Server. The Listener acts as the TLS server and does not require client authentication. Little or no peer subject certificate verification is performed. Use this mode to establish a quick configuration with only network encryption.
    • ServerWithClientAuth. The Listener acts as the TLS server and requires client authentication. In this mode, AT-TLS verifies that the certificate presented by the remote Linux, UNIX, or Windows client was issued under a CA certificate that the z/OS system trusts. This mode provides more security, and requires that a security administrator with knowledge of certificate administration coordinate the certificates on both the z/OS and the Linux, UNIX, or Windows servers.
  TTLSCipherParmsRef: References the TTLSCipherParms statement.
  TTLSKeyRingParmsRef: References the TTLSKeyRingParms statement.
TTLSCipherParms
  V3CipherSuites: Supported symmetric cipher suites.
TTLSKeyRingParms
  Keyring: Key ring that contains the personal and CA certificates.
The following example statements are referenced by the rule in the policy file:
TTLSGroupAction gActEnableTTLS
{
  TTLSEnabled On
  CtraceClearText Off
  Trace 7
}
TTLSEnvironmentAction eActServerDefault
{
  HandshakeRole Server
  TTLSCipherParmsRef cipher1~AT-TLS__Silver
  TTLSKeyringParmsRef kATTLSkeyring
}
TTLSCipherParms cipher1~AT-TLS__Silver
{
  V3CipherSuites TLS_RSA_WITH_DES_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
}
TTLSKeyRingParms kATTLSkeyring
{
  Keyring ATTLS_keyring
}
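As an added example (not from the PowerExchange documentation and not IBM's Policy Agent code), the following Python script parses the brace-block subset of AT-TLS syntax shown above, follows the rule's references to its group action, environment action, cipher parms and keyring parms, and reports the settings a security reviewer would question in this sample: the Server handshake role, which does not require client authentication, and the DES and 3DES cipher suites. The WEAK_SUITES list and the assumption that policy keywords are case-insensitive are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the statements from this page, joined into one policy text.
SAMPLE_POLICY = """
TTLSRule JOB_JBBV861 { LocalPortRange 13132 Jobname JBBV861 Direction Inbound
  TTLSGroupActionRef gActEnableTTLS TTLSEnvironmentActionRef eActServerDefault }
TTLSGroupAction gActEnableTTLS { TTLSEnabled On CtraceClearText Off Trace 7 }
TTLSEnvironmentAction eActServerDefault { HandshakeRole Server
  TTLSCipherParmsRef cipher1~AT-TLS__Silver TTLSKeyringParmsRef kATTLSkeyring }
TTLSCipherParms cipher1~AT-TLS__Silver { V3CipherSuites TLS_RSA_WITH_DES_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA }
TTLSKeyRingParms kATTLSkeyring { Keyring ATTLS_keyring }
"""

# Suites to flag (56-bit DES and 3DES): a reviewer's assumption, adjust to site policy.
WEAK_SUITES = {"TLS_RSA_WITH_DES_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
# Matches "<Type> <name> { key value key value ... }"; only this brace-block subset is handled.
BLOCK_RE = re.compile(r"(\w+)\s+(\S+)\s*\{([^}]*)\}")

def parse_policy(text):
    """Return {type: {name: {key: [values]}}}; types and keys lowercased (assumed case-insensitive)."""
    policy = defaultdict(dict)
    for kind, name, body in BLOCK_RE.findall(text):
        attrs = defaultdict(list)
        for key, value in zip(*[iter(body.split())] * 2):  # pair tokens as key, value
            attrs[key.lower()].append(value)
        policy[kind.lower()][name] = attrs
    return policy

def audit_rule(policy, rule_name):
    """Follow one TTLSRule through its references and return a list of findings."""
    findings = []
    rule = policy["ttlsrule"][rule_name]
    group = policy["ttlsgroupaction"].get(rule["ttlsgroupactionref"][0])
    if group is None or group.get("ttlsenabled", [""])[0] != "On":
        findings.append("group action missing or TTLSEnabled is not On")
    env = policy["ttlsenvironmentaction"].get(rule["ttlsenvironmentactionref"][0])
    if env is None:
        return findings + ["environment action not defined"]
    if env["handshakerole"][0] == "Server":
        findings.append("HandshakeRole Server: client authentication not required")
    cipher = policy["ttlscipherparms"].get(env["ttlscipherparmsref"][0], {})
    for suite in cipher.get("v3ciphersuites", []):
        if suite in WEAK_SUITES:
            findings.append(f"weak cipher suite {suite}")
    if env["ttlskeyringparmsref"][0] not in policy["ttlskeyringparms"]:
        findings.append("keyring parms not defined")
    return findings
```

Running audit_rule(parse_policy(SAMPLE_POLICY), "JOB_JBBV861") on the page's sample returns three findings; switching the role to ServerWithClientAuth and keeping only the AES suite returns none.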