Using AT-TLS With HSC/SMC Client/Server z/OS Solution


Using AT-TLS with HSC/SMC Client/Server z/OS Solution
Implementation Example
Part Number E27193-01
December 2011

Using AT-TLS with HSC/SMC Client/Server z/OS Solution Implementation Example, Part Number E27193-01

Oracle welcomes your comments and suggestions for improving this book. Contact us at STP_FEEDBACK_US@ORACLE.COM. Please include the title, part number, issue date, and revision.

Copyright 2011, Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related software documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications which may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure the safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. UNIX is a registered trademark licensed through X/Open Company, Ltd.

This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.

Contents

Contents . 3
Introduction . 5
Chapter 1: Overview . 6
  Implementation . 6
  TCPIP . 6
  Policy Agent (PAGENT) . 7
  RACF . 8
  Started Tasks . 9
  Media Management Strategy . 9
Chapter 2: Samples . 10
  AT-TLS client configuration file . 10
  AT-TLS server configuration file . 11
  TCPIP Obey file . 12
  TCPIP parmfiles . 12
  PAGENT parmfile . 13
  Debugging and PAGENT Logs . 14
  Sample JCL . 15
  Recommendations . 16
  Configuration Overview . 16
  Benefits of the Recommended Configuration . 16
Chapter 3: RACF . 17
  Overview . 17
  Activate class commands . 17
  Ring creation and certificate creation commands . 17
  Commands to list RACF definitions . 19


Introduction

The purpose of this document is to present illustrative implementation concepts for Oracle’s StorageTek HSC/SMC secure client/server communication using IBM’s z/OS Application Transparent – Transport Layer Security (AT-TLS). The AT-TLS implementation for HSC/SMC communication is dependent on the environmental and business requirements of each individual customer. Depending on your requirements, your HSC/SMC AT-TLS implementation may differ from the example implementation shown in this document.

Oracle tested HSC client/server secure communication with z/OS AT-TLS in its Mainframe Customer Emulation Test Lab. HSC 6.2 was tested under z/OS 1.7, 1.8 and 1.9.

Items to note:

1. HSC 6.2 and SMC 6.2 were tested on z/OS 1.7, 1.8 and 1.9. No other HSC/SMC versions were tested with AT-TLS, and HSC/SMC 6.2 with AT-TLS was not tested on z/OS 1.10.
2. Only the SMC client was tested with AT-TLS. LibraryStation and MVS/CSC were not tested.
3. Only RACF was tested. No other z/OS security packages were tested, such as ACF2 and Top Secret.
4. ACSLS users: ACSLS platforms use encryption techniques different from AT-TLS. Exclude ACSLS IP addresses from the z/OS AT-TLS configuration file to avoid a conflict.

Chapter 1: Overview

AT-TLS is an encryption solution for TCP/IP applications that is completely transparent to the application client and server. Packet encryption and decryption occurs in the z/OS TCPIP address space at the TCP protocol level. The encrypted packet payload is unintelligible when sniffed or traced, but by the time it is delivered to the application the payload is once again readable.

Oracle tested AT-TLS with the StorageTek HSC/SMC 6.2 client/server solution without any changes to the SMC client application or the HSC server application (HSC/HTTP). All necessary modifications, additional parameter files and started tasks were made only to the z/OS TCP/IP facility and the z/OS operating system.

There is overhead associated with encrypting and decrypting the payload contents in the TCP protocol. This overhead was observed as a reduction in the number of HSC mount transactions performed during the test window. Encryption/decryption overhead will vary depending on the number of individual HSC/SMC client/server transactions and might not be observable in low-volume transaction environments.

Implementation

To implement AT-TLS encryption for HSC/SMC client/server communications, the minimum level needed for the Communications Server is z/OS 1.7.

The available IBM APARs should be applied for best performance:

Release 1A0: UK39417, available 08/10/07 (1000), z/OS 1.10
Release 180: UK39418, available 08/10/07 (1000), z/OS 1.8
Release 190: UK39419, available 08/10/07 (1000), z/OS 1.9

See the following IBM publications for detailed information about the IBM z/OS Communications Server Policy Agent configuration and usage:

– IP Configuration Guide, SC31-8775
– IP Configuration Reference, SC31-8776
– IBM Redbook Communications Server TCP/IP Implementation, Volume 4, Policy-Based Network Security, SG24-7172

TCPIP:

The address space where TCPIP policies are specified, which is not necessarily where these policies are enabled. In our example implementation we indicated to TCPIP that TTLS would be used, but TCPIP does not actually perform encryption/decryption work until the PAGENT address space is active. Your implementation may differ depending on your business requirements.

Parmfile: Indicates where the TCPIP address space will obtain certain policy-based rules. See below: TCPIP parmfiles.

We set up an obeyfile to dynamically modify TCPIP and include TTLS: VARY TCPIP,,O,ZIP.TCPIP.PROFILES(ATTLS). See below: TCPIP Obey file.

Policy Agent (PAGENT):

The address space where the encryption rules are applied.

Parmfile: Where to find the configuration file and other parameters. See: TCPIP parmfiles.

****** ***************************** Top of Data ******************************
; OSA GIG ETHERNET CARD
DEVICE ECCQD01 MPCIPA
LINK &SYSNAME.MVS IPAQENET ECCQD01 NONROUTER AUTORESTART

; OSA 1000BASE-T CARD
DEVICE ECCQA01 MPCIPA
LINK &SYSNAME.2MVS IPAQENET ECCQA01 NONROUTER AUTORESTART

HOME
  10.80.&IPADDR1   &SYSNAME.MVS
  10.80.&IPADDR2   &SYSNAME.2MVS

BEGINROUTES
; Destination        FirstHop       Linkname        PacketSize
ROUTE 10.80.69.0/24                 &SYSNAME.MVS    MTU 1492
ROUTE DEFAULT        10.80.69.254   &SYSNAME.MVS    MTU 1492
ROUTE 10.80.68.0/24                 &SYSNAME.2MVS   MTU 1492
ROUTE DEFAULT        10.80.68.254   &SYSNAME.2MVS   MTU 1492
ENDROUTES
INCLUDE USER.TCPIP.PROFILES(COMMON)
START ECCQD01
START ECCQA01
****** **************************** Bottom of Data ****************************

****** ***************************** Top of Data ******************************
AUTOLOG
  FTPD        ; O/E FTP Server
  SMTP        ; Mail Server
  RXSERVE     ; Remote Execution Server
  PORTMAP     ; Portmap Server
ENDAUTOLOG

PORT
     7 UDP MISCSERV
     7 TCP MISCSERV             ; Miscellaneous Server
    20 TCP OMVS                 ; FTP Server data port
    21 TCP OMVS                 ; FTP Server control port
    23 TCP TN3270  NOAUTOLOG    ; TN3270 Server
    25 TCP SMTP                 ; SMTP Server
    53 TCP NAMESRV NOAUTOLOG    ; DOMAIN NAME SERVER
    53 UDP NAMESRV NOAUTOLOG    ; DOMAIN NAME SERVER
   111 TCP PORTMAP              ; Portmap Server
   111 UDP PORTMAP              ; Portmap Server
   135 UDP LLBD                 ; HSC Location Broker
   161 UDP SNMPD                ; SNMP Agent
   162 UDP SNMPQE               ; SNMP Query Engine
   512 TCP RXSERVE              ; Remote Execution Server
   514 TCP RXSERVE              ; Remote Execution Server
   515 TCP LPSERVE              ; LPD Server
   520 UDP ROUTED               ; RouteD Server
   580 UDP NCPROUT NOAUTOLOG    ; NCPROUTE SERVER
   750 TCP MVSKERB NOAUTOLOG    ; KERBEROS
   750 UDP MVSKERB NOAUTOLOG    ; KERBEROS
   751 TCP ADM@SRV NOAUTOLOG    ; KERBEROS ADMIN SERVER
   751 UDP ADM@SRV NOAUTOLOG    ; KERBEROS ADMIN SERVER
  2049 UDP MVSNFS               ; NFS Server
  3000 TCP CICSTCP              ; CICS SOCKET
  8000 TCP OMVS    NOAUTOLOG    ; Reserved for O/E Users
  8000 UDP OMVS                 ; Reserved for O/E Users
****** **************************** Bottom of Data ****************************

PAGENT parmfile.

Configuration File: Used to indicate to the PAGENT address space who/what/where the encryption is to take place. See: AT-TLS client configuration file and AT-TLS server configuration file. This is an Open Edition (OE) segment file.

The manual documenting use of the Configuration Assistant tool is at: IBM Configuration Assistant for z/OS Communications Server.

RACF:

In the z/OS environment, digital certificates are used by AT-TLS to authenticate and encrypt the protocol handshaking messages. An AT-TLS server must send its certificate to the client, and a server can optionally request a certificate from the client.
See Chapter 3, “IP Security” in the IBM Redbook Communications Server for z/OS V1R8 TCP/IP Implementation Volume 4: Policy-Based Network Security, SG24-7342, for information about how to set up digital certificate keys and key rings. See Chapter 3: RACF below for the RACF definitions used in our example implementation.

Download the IBM Configuration Assistant tool from the ‘Downloads’ section zos/support/

The z/OS Security Access Facility (SAF) is used to protect your network and communications. SAF is the high-level infrastructure that allows you to plug in any commercially available security product. References to RACF apply to any other SAF-compliant security products that provide the required support.

Digital Certificate: This is where you define the certificate to RACF. See Ring creation and certificate creation commands.

KeyRing: Specific name for the ring.

Started Tasks

TCPIP: AT-TLS encrypts the TCP/IP traffic between software clients and servers.
PAGENT: Policy Agent that determines which client, which server, what port, and what IP address.
Client: In our example the application client is HSC SMC.
Server: In our example the application server is the HSC HSC/HTTP server, started separately from HSC and SMC.

Media Management Strategy

Our example implementation assigns the Tape Management System to all media management functions. The condition of the media has nothing to do with the control path encryption that is done with AT-TLS.

Chapter 2: Samples

AT-TLS client configuration file

Note that the format of the configuration files generated by the Configuration Assistant tool is slightly different from what is presented here. We chose to simplify the configuration file for ease of change management. In our example, SMC (the client application) is started as SMC6C2.SMC6; the jobname parameter referred to in the client configuration file below is SMC6.

TTLSConfig tmp/t046028/attlc.conf           # name of file in OE segment

TTLSRule ZIPEMVS-To-ANYHTTP                 # title of the rule
{
  LocalAddr       129.80.16.244             # this host's IP addr
  RemoteAddr      129.80.0.0/16             # the many hosts that might have HTTP
  LocalPortRange  1024-65535                # SMC clients use dynamic ports outbound
  RemotePortRange 0428                      # HSC/HTTP uses 1 port, we selected 0428
  Jobname         SMC6                      # SMC client jobname was SMC6C2.SMC6
  Direction       Outbound                  # clients are outbound
  Priority        255                       # many rules can have priorities
  TTLSGroupActionRef       gAct1            # SMC-To-HTTP group-action name, must match below
  TTLSEnvironmentActionRef eAct1            # SMC-To-HTTP environment name, must match below
  TTLSConnectionActionRef  cAct1            # SMC-To-HTTP connection name, must match below
}
TTLSGroupAction gAct1                       # SMC-To-HTTP group-action name
{
  TTLSEnabled On                            # tell PAGENT that TTLS is running
  Trace       2                             # 2 to 255, 2 is default
}
TTLSEnvironmentAction eAct1                 # SMC-To-HTTP environment name
{
  HandshakeRole           Client            # a client does client handshakes
  EnvironmentUserInstance 0                 # a single instance
  TTLSKeyringParmsRef     keyR1             # name for the certificate key ring
}
TTLSConnectionAction cAct1                  # SMC-To-HTTP connection name
{
  HandshakeRole                  Client     # again, a client does client handshakes
  TTLSCipherParmsRef             cipher1    # AT-TLS Gold name for below
  TTLSConnectionAdvancedParmsRef cAdv1      # SMC-To-HTTP advanced connection name
  Trace                          2          # 2 to 255, like above
}
TTLSConnectionAdvancedParms cAdv1           # SMC-To-HTTP advanced connection name from above
{
  CertificateLabel CLIENT                   # matches RACF for certificate name
}
TTLSKeyringParms keyR1                      # certificate key ring name from above
{
  Keyring CLIRING                           # matches what is in RACF for key ring
}
TTLSCipherParms cipher1                     # AT-TLS Gold name from above
{
  V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA   # one encryption algorithm
  V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA    # yet another
}

AT-TLS server configuration file

In our example, HSC/HTTP (the server application) is started as SVC3C2.SVC3; the jobname parameter referred to in the server configuration file below is SVC3.

TTLSConfig tmp/t046028/attls.conf           # name of file in OE segment

TTLSRule ZIPDMVS-To-ANYSMC                  # title of the rule
{
  LocalAddr       129.80.16.123             # this host's IP addr
  RemoteAddr      129.80.0.0/16             # the many hosts it can talk to
  LocalPortRange  0428                      # HSC/HTTP server uses a specific port
  RemotePortRange 1024-65535                # acceptable ports from client
  Jobname         SVC3                      # HSC/HTTP jobname was SVC3C2.SVC3
  Direction       Inbound                   # servers are inbound
  Priority        255                       # many rules can have priorities
  TTLSGroupActionRef       gAct1            # HTTP-To-SMC g-name, must match below
  TTLSEnvironmentActionRef eAct1            # HTTP-To-SMC e-name, must match below
  TTLSConnectionActionRef  cAct1            # HTTP-To-SMC c-name, must match below
}
TTLSGroupAction gAct1                       # HTTP-To-SMC g-name from above
{
  TTLSEnabled On                            # tell it TTLS is running
  Trace       2                             # 2 to 255, 2 is default
}
TTLSEnvironmentAction eAct1                 # HTTP-To-SMC e-name from above
{
  HandshakeRole           Server            # a server does server handshakes
  EnvironmentUserInstance 0                 # a single instance
  TTLSKeyringParmsRef     keyR1             # name for the certificate key ring
}
TTLSConnectionAction cAct1                  # HTTP-To-SMC c-name from above
{
  HandshakeRole                  Server     # again, a server does server handshakes
  TTLSCipherParmsRef             cipher1    # AT-TLS Gold name for below
  TTLSConnectionAdvancedParmsRef cAdv1      # HTTP-To-SMC name for below
  Trace                          2          # 2 to 255, like above
}
TTLSConnectionAdvancedParms cAdv1           # HTTP-To-SMC name from above
{
  CertificateLabel SERVER                   # matches RACF for certificate name
}
TTLSKeyringParms keyR1                      # name from above
{
  Keyring SVRRING                           # matches what is in RACF for key ring
}
TTLSCipherParms cipher1                     # AT-TLS Gold name from above
{
  V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA   # one encryption algorithm
  V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA    # yet another
}

TCPIP Obey file

****** ***************************** Top of Data ******************************
TCPCONFIG TTLS
****** **************************** Bottom of Data ****************************

TCPIP parmfiles

****** ***************************** Top of Data ******************************
; OSA GIG ETHERNET CARD
DEVICE ECCQD01 MPCIPA
LINK &SYSNAME.MVS IPAQENET ECCQD01 NONROUTER AUTORESTART
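The client and server configuration files above only work as a pair when the names, ports and roles on the two sides line up, and the page leaves that check to the reader. The following Python is an added example, not Oracle's or IBM's code and not part of the original document: it parses both policies, confirms that every ...Ref resolves to a block of the matching type, that the client's RemotePortRange equals the server's LocalPortRange, that HandshakeRole agrees with Direction on each side, and that the two TTLSCipherParms share at least one suite; it also flags the 3DES suite both files accept, which is weak by current standards. The policy text is constructed from the two sample files with the explanatory comments dropped and each block compacted onto one or a few lines, and the token-based parser is this example's own reading of the statement syntax, not the Policy Agent's grammar. rule_matches applies the five selectors of a TTLSRule to one connection, which also shows how a peer outside RemoteAddr (the ACSLS case noted in the Introduction) falls outside the rule.

```python
"""Parser and pair-consistency check for the AT-TLS policy files shown above.
Added example, not Oracle's or IBM's code.  The two policy strings are constructed
from the sample client and server files (comments dropped, blocks compacted); the
token parser is this example's own, not the Policy Agent's grammar."""
import ipaddress

CLIENT_POLICY = """
TTLSRule ZIPEMVS-To-ANYHTTP { LocalAddr 129.80.16.244 RemoteAddr 129.80.0.0/16
  LocalPortRange 1024-65535 RemotePortRange 0428 Jobname SMC6 Direction Outbound
  Priority 255 TTLSGroupActionRef gAct1 TTLSEnvironmentActionRef eAct1
  TTLSConnectionActionRef cAct1 }
TTLSGroupAction gAct1 { TTLSEnabled On Trace 2 }
TTLSEnvironmentAction eAct1 { HandshakeRole Client EnvironmentUserInstance 0
  TTLSKeyringParmsRef keyR1 }
TTLSConnectionAction cAct1 { HandshakeRole Client TTLSCipherParmsRef cipher1
  TTLSConnectionAdvancedParmsRef cAdv1 Trace 2 }
TTLSConnectionAdvancedParms cAdv1 { CertificateLabel CLIENT }
TTLSKeyringParms keyR1 { Keyring CLIRING }
TTLSCipherParms cipher1 { V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA }
"""
SERVER_POLICY = """
TTLSRule ZIPDMVS-To-ANYSMC { LocalAddr 129.80.16.123 RemoteAddr 129.80.0.0/16
  LocalPortRange 0428 RemotePortRange 1024-65535 Jobname SVC3 Direction Inbound
  Priority 255 TTLSGroupActionRef gAct1 TTLSEnvironmentActionRef eAct1
  TTLSConnectionActionRef cAct1 }
TTLSGroupAction gAct1 { TTLSEnabled On Trace 2 }
TTLSEnvironmentAction eAct1 { HandshakeRole Server EnvironmentUserInstance 0
  TTLSKeyringParmsRef keyR1 }
TTLSConnectionAction cAct1 { HandshakeRole Server TTLSCipherParmsRef cipher1
  TTLSConnectionAdvancedParmsRef cAdv1 Trace 2 }
TTLSConnectionAdvancedParms cAdv1 { CertificateLabel SERVER }
TTLSKeyringParms keyR1 { Keyring SVRRING }
TTLSCipherParms cipher1 { V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA }
"""

def parse_policy(text):
    """Return {(statement, name): {key: [values]}}; '#' comments run to end of line."""
    tokens = [t for line in text.splitlines() for t in line.split("#", 1)[0].split()]
    blocks, i = {}, 0
    while i < len(tokens):
        stmt, name, brace = tokens[i:i + 3]
        if brace != "{":
            raise ValueError(f"expected '{{' after {stmt} {name}")
        body, i = {}, i + 3
        while tokens[i] != "}":          # repeated keys (V3CipherSuites) accumulate in order
            body.setdefault(tokens[i], []).append(tokens[i + 1])
            i += 2
        blocks[(stmt, name)] = body
        i += 1
    return blocks

def unresolved_refs(blocks):
    """Each XxxRef value must name an existing Xxx block (TTLSKeyringParmsRef keyR1
    needs a TTLSKeyringParms keyR1, and so on)."""
    return [f"{stmt} {name}: {key} {v}"
            for (stmt, name), body in blocks.items()
            for key, vals in body.items() if key.endswith("Ref")
            for v in vals if (key[:-3], v) not in blocks]

def port_range(spec):
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def rule_matches(rule, jobname, local_ip, local_port, remote_ip, remote_port, direction):
    """All five TTLSRule selectors must hold for a connection to be covered by the rule."""
    def in_net(ip, net):
        return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
    llo, lhi = port_range(rule["LocalPortRange"][0])
    rlo, rhi = port_range(rule["RemotePortRange"][0])
    return (rule["Jobname"] == [jobname] and rule["Direction"] == [direction]
            and in_net(local_ip, rule["LocalAddr"][0]) and in_net(remote_ip, rule["RemoteAddr"][0])
            and llo <= local_port <= lhi and rlo <= remote_port <= rhi)

def cipher_suites(blocks):
    """Follow TTLSRule -> TTLSConnectionAction -> TTLSCipherParms to the suite list."""
    rule = next(b for (s, _), b in blocks.items() if s == "TTLSRule")
    conn = blocks[("TTLSConnectionAction", rule["TTLSConnectionActionRef"][0])]
    return blocks[("TTLSCipherParms", conn["TTLSCipherParmsRef"][0])]["V3CipherSuites"]

def check_pair(client, server):
    """Cross-check a client policy against its server policy; returns a list of findings."""
    findings = unresolved_refs(client) + unresolved_refs(server)
    crule = next(b for (s, _), b in client.items() if s == "TTLSRule")
    srule = next(b for (s, _), b in server.items() if s == "TTLSRule")
    if crule["Direction"] != ["Outbound"] or srule["Direction"] != ["Inbound"]:
        findings.append("client rule must be Outbound and server rule Inbound")
    if port_range(crule["RemotePortRange"][0]) != port_range(srule["LocalPortRange"][0]):
        findings.append("client RemotePortRange does not match server LocalPortRange")
    for blocks, role in ((client, "Client"), (server, "Server")):
        for (stmt, name), body in blocks.items():
            if body.get("HandshakeRole", [role]) != [role]:
                findings.append(f"{stmt} {name}: HandshakeRole should be {role}")
            if stmt == "TTLSConnectionAdvancedParms" and "CertificateLabel" not in body:
                findings.append(f"{stmt} {name}: no CertificateLabel")
    common = set(cipher_suites(client)) & set(cipher_suites(server))
    if not common:
        findings.append("no cipher suite in common; the handshake would fail")
    # Both sample files accept a 3DES suite, which is weak by today's standards.
    findings += sorted(f"weak suite {s}" for s in common if "3DES" in s)
    return findings
```

Run against the two sample policies, check_pair returns a single finding, the 3DES suite; removing the TTLSKeyringParms keyR1 block from either side makes unresolved_refs report the dangling TTLSKeyringParmsRef, which is the kind of mismatch that otherwise only surfaces in the PAGENT log at policy load time.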
