The following is a sample definition that can be modified for use in the PAGENT address space to allow AT-TLS access to MFA and z/Server. This example must be modified to suit your requirements.
Micro Focus recommends using Trace 3 in the TTLSGroupAction. This allows error messages to be logged to the z/OS syslog; otherwise messages are logged by the syslog daemon (syslogd) and are typically stored in /var/log. You can check the exact output location used by syslogd by examining the syslog.conf file.
Click here to download an IBM Redbook that provides further information on configuring your PAGENT address space. The Redbook also contains information on other configuration aspects that support AT-TLS connectivity between your client application and mainframe.
# Rule for the MFA server listener: matches inbound connections arriving at
# the local address addr1 on local port range portR1, from any remote address
# and any remote port in portR2. No source-address restriction is applied
# here (RemoteAddr ALL); peer identity is established by the client
# certificate check configured in the referenced environment action.
TTLSRule ToMFASSL~1
{
LocalAddrRef addr1
RemoteAddr ALL
LocalPortRangeRef portR1
RemotePortRangeRef portR2
# Inbound: this side is the TLS server for the connection.
Direction Inbound
# NOTE(review): presumably evaluated ahead of lower-priority rules that
# could also match this traffic - confirm against the rest of the policy.
Priority 255
TTLSGroupActionRef gAct1~MFASSL
TTLSEnvironmentActionRef eAct1~MFASSL
TTLSConnectionActionRef cAct1~MFASSL
}
# Rule for the z/Server listener: same shape as ToMFASSL~1 but keyed on local
# port range portR4. Any remote address is accepted at the policy level
# (RemoteAddr ALL); the client certificate check in the referenced
# environment action is what authenticates the peer.
TTLSRule ToZSERVER~1
{
LocalAddrRef addr1
RemoteAddr ALL
LocalPortRangeRef portR4
RemotePortRangeRef portR2
# Inbound: this side is the TLS server for the connection.
Direction Inbound
# NOTE(review): presumably evaluated ahead of lower-priority rules that
# could also match this traffic - confirm against the rest of the policy.
Priority 255
TTLSGroupActionRef gAct1~ZSERVER
TTLSEnvironmentActionRef eAct1~ZSERVER
TTLSConnectionActionRef cAct1~ZSERVER
}
# Group action for the MFA rule: turns AT-TLS on for matching connections.
TTLSGroupAction gAct1~MFASSL
{
TTLSEnabled On
# Trace 3 is the level recommended in the accompanying note so that error
# messages reach the syslog; raise it only for diagnosis, since higher
# trace levels produce far more output.
Trace 3
}
# Group action for the z/Server rule: turns AT-TLS on for matching connections.
TTLSGroupAction gAct1~ZSERVER
{
TTLSEnabled On
# Trace 3 is the level recommended in the accompanying note so that error
# messages reach the syslog; raise it only for diagnosis, since higher
# trace levels produce far more output.
Trace 3
}
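# Environment action for the MFA rule: this side acts as the TLS server and
# requires a client certificate, validated against the key ring named in
# keyR~ADCD113 and then checked in SAF (see eAdv1~MFASSL).
TTLSEnvironmentAction eAct1~MFASSL
{
HandshakeRole ServerWithClientAuth
EnvironmentUserInstance 0
TTLSKeyringParmsRef keyR~ADCD113
# Apply the explicit cipher list defined in cipher1~MFASSL. Without this
# reference the TTLSCipherParms block in this sample was never used and the
# System SSL default cipher list applied instead.
TTLSCipherParmsRef cipher1~MFASSL
TTLSEnvironmentAdvancedParmsRef eAdv1~MFASSL
}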
# Environment action for the z/Server rule: this side acts as the TLS server
# and requires a client certificate, validated against the key ring named in
# keyR~ADCD113 and then checked in SAF (see eAdv1~ZSERVER).
# NOTE(review): no TTLSCipherParmsRef is set here, so the cipher list in this
# sample is not applied to z/Server connections and the System SSL default
# cipher list is used - confirm whether that is intended.
TTLSEnvironmentAction eAct1~ZSERVER
{
HandshakeRole ServerWithClientAuth
EnvironmentUserInstance 0
TTLSKeyringParmsRef keyR~ADCD113
TTLSEnvironmentAdvancedParmsRef eAdv1~ZSERVER
}
# Advanced environment parameters for the MFA rule.
# SAFCheck: the client certificate must validate against the key ring AND be
# registered to a SAF user ID; a valid but unregistered certificate is
# rejected. This is what restricts the listener to known clients, given
# that the rule itself accepts any remote address.
# NOTE(review): no protocol version parameters are set in this block, so the
# System SSL defaults for this z/OS level decide which SSL/TLS versions are
# accepted - confirm that only the versions you intend are enabled.
TTLSEnvironmentAdvancedParms eAdv1~MFASSL
{
ClientAuthType SAFCheck
}
# Advanced environment parameters for the z/Server rule.
# SAFCheck: the client certificate must validate against the key ring AND be
# registered to a SAF user ID; a valid but unregistered certificate is
# rejected. This is what restricts the listener to known clients, given
# that the rule itself accepts any remote address.
# NOTE(review): no protocol version parameters are set in this block, so the
# System SSL defaults for this z/OS level decide which SSL/TLS versions are
# accepted - confirm that only the versions you intend are enabled.
TTLSEnvironmentAdvancedParms eAdv1~ZSERVER
{
ClientAuthType SAFCheck
}
# Connection action for the MFA rule; repeats the server-with-client-auth
# role at connection scope.
TTLSConnectionAction cAct1~MFASSL
{
HandshakeRole ServerWithClientAuth
TTLSConnectionAdvancedParmsRef cAdv1~MFASSL
# Keep decrypted application data out of CTRACE output; leave Off so traces
# cannot expose credentials or other payload in clear text.
CtraceClearText Off
Trace 3
}
# Connection action for the z/Server rule; repeats the server-with-client-auth
# role at connection scope.
TTLSConnectionAction cAct1~ZSERVER
{
HandshakeRole ServerWithClientAuth
TTLSConnectionAdvancedParmsRef cAdv1~ZSERVER
# Keep decrypted application data out of CTRACE output; leave Off so traces
# cannot expose credentials or other payload in clear text.
CtraceClearText Off
Trace 3
}
# Advanced connection parameters for the MFA rule.
# SecondaryMap Off: no secondary (e.g. FTP-data style) connections are mapped
# onto this rule; only the connection that matched the rule is covered.
TTLSConnectionAdvancedParms cAdv1~MFASSL
{
SecondaryMap Off
}
# Advanced connection parameters for the z/Server rule.
# SecondaryMap Off: no secondary (e.g. FTP-data style) connections are mapped
# onto this rule; only the connection that matched the rule is covered.
TTLSConnectionAdvancedParms cAdv1~ZSERVER
{
SecondaryMap Off
}
# Key ring holding the server certificate and the CA certificates used to
# validate client certificates. Replace MFARING with your own ring name.
# NOTE(review): no owner prefix is given, so the ring is presumably looked up
# under the TCP/IP stack's user ID - verify the ring owner and that the
# stack's user ID has read access to it.
TTLSKeyringParms keyR~ADCD113
{
Keyring MFARING
}
# Ordered cipher suite preference list (first entry preferred).
# NOTE(review): in this sample no TTLSEnvironmentAction carries a
# TTLSCipherParmsRef to this block, so as written it has no effect and the
# System SSL default list is used - add the reference if this list is meant
# to apply.
# NOTE(review): the list contains only CBC-mode suites with SHA-1 MACs and
# includes 3DES (64-bit block cipher, widely deprecated); static DH suites
# (TLS_DH_*) offer no forward secrecy. Prefer ECDHE/AEAD suites if the
# installed z/OS level supports them, and review the 3DES entries.
TTLSCipherParms cipher1~MFASSL
{
V3CipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA
V3CipherSuites TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
V3CipherSuites TLS_DHE_DSS_WITH_AES_256_CBC_SHA
V3CipherSuites TLS_DH_RSA_WITH_AES_256_CBC_SHA
V3CipherSuites TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
V3CipherSuites TLS_DH_DSS_WITH_AES_256_CBC_SHA
V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
V3CipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_DHE_DSS_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_DH_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_DH_DSS_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
V3CipherSuites TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
}
# Local IP address the two rules bind to. Sample value only - replace with the
# address of the stack hosting the MFA and z/Server listeners.
IpAddr addr1
{
Addr 10.24.11.231
}
# Local port of the MFA listener (referenced by ToMFASSL~1). Sample value -
# change to match your MFA server configuration.
PortRange portR1
{
Port 20201
}
# Remote (client-side) port range accepted by both rules: the full
# non-privileged range, i.e. any ephemeral source port.
PortRange portR2
{
Port 1024-65535
}
# Local port of the z/Server listener (referenced by ToZSERVER~1). Sample
# value - change to match your z/Server configuration.
PortRange portR4
{
Port 1515
}