GSK trace was very helpful!

On Mon, Jun 29, 2020 at 6:14 AM Lionel B Dyck <lbd...@gmail.com> wrote:

> Thank you everyone for your advice - this morning will be time deep in the
> doc.
>
> Lionel B. Dyck <sdg><
> Website: https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation. Character is what
> you are, reputation merely what others think you are." - John Wooden
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Mike Hochee
> Sent: Sunday, June 28, 2020 7:08 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: AT-TLS ?
>
> Hi Lionel,
>
> I did this a few years back and utilized it for a product. Below are a few
> items from the product doc and a few more that remain in accessible memory
> areas...
>
> - Read the relevant sections of Comm Server IP Configuration Ref,
>   specifically in the chapter on Policy Agent (PA) and Policy Applications.
>   Also in the IP Configuration Guide, there is a chapter on AT-TLS Security
>   Data Protection, topic TCPIP Stack Initialization.
>
> - Use z/OSMF for generation of your initial set of PA config files and
>   inputs, then consider manually tailoring. I opted for this approach under
>   z/OS 2.2, but z/OSMF has undoubtedly improved greatly since then, so maybe
>   you can use z/OSMF exclusively w/out too much pain these days.
>
> - Configure the syslog daemon, and test it to ensure messages are being
>   collected for whatever you're interested in (TCPIP is not a pre-req for
>   syslogd)
>
> - Configure PROFILE.TCPIP, you will need to add a TTLS parm to the TCPCONFIG
>   statement
>
> - Create the resource profile used to block access to the TCPIP stack during
>   initialization, the name of the resource will be
>   EZB.INITSTACK.%sysname.%tcpprocname (it may be differently named w/ACF2 or
>   TSS)
>
> - Create a server keyring and x509 certificate, and then connect the cert to
>   the keyring, and depending on what you're doing you may need to permit
>   access so the keyring and cert can be listed (resources are
>   IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.LIST)
>
> - Once you have done the above and are ready to test:
>     Ensure syslogd running
>     Stop the TCPIP AS (there are undoubtedly less invasive ways)
>     Start the TCPIP AS and watch for msg EZZ4248E, after which you should
>     start your PA daemon (eventually, you'll want to automate this), the
>     start will probably look something like...
>     /usr/lpp/tcpip/sbin/pagent -l /tmp/pagent.log -c /etc/pagent.conf &
>
> - Once started, check out the following for messages...
>     MVS system log
>     Pagent log file
>     Output from the pasearch -t command
>
> If you need additional detail, please feel free to email me directly.
>
> HTH,
> Mike
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Lionel B Dyck
> Sent: Sunday, June 28, 2020 6:26 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: AT-TLS ?
>
> Caution! This message was sent from outside your organization.
>
> Anyone have any pointers for configuring AT-TLS on z/OS?
>
> Lionel B. Dyck <sdg><
> Website: https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation. Character is what
> you are, reputation merely what others think you are."
> - John Wooden
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send email
> to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
Politics: Poli (many) - tics (blood sucking parasites)
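
The RACF side of the steps quoted above (the EZB.INITSTACK profile, the server key ring and certificate, and the IRR.DIGTCERT permits), written out as TSO commands. This is an added example, not part of any message in the thread and not from the product documentation mentioned there. SYSA, TCPIP, SRVUSER, SRVRING, PAGENT, SYSLOGD, the certificate label and the subject name are constructed placeholders, and the commands assume RACF rather than ACF2 or TSS.

```tso
/* Constructed placeholders: SYSA = sysname, TCPIP = stack procname, */
/* SRVUSER = server user ID, SRVRING = its key ring, PAGENT and      */
/* SYSLOGD = user IDs of the tasks started before policy is loaded.  */

/* 1. Block access to the stack until AT-TLS policy is installed.    */
SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)
RDEFINE SERVAUTH EZB.INITSTACK.SYSA.TCPIP UACC(NONE)

/* Only tasks that must reach the stack before policy load get READ. */
PERMIT EZB.INITSTACK.SYSA.TCPIP CLASS(SERVAUTH) ID(PAGENT) ACCESS(READ)
PERMIT EZB.INITSTACK.SYSA.TCPIP CLASS(SERVAUTH) ID(SYSLOGD) ACCESS(READ)
SETROPTS RACLIST(SERVAUTH) REFRESH

/* 2. Server key ring and X.509 certificate.                         */
/* GENCERT without SIGNWITH creates a self-signed certificate, which */
/* is suitable for a first test only.                                */
RACDCERT ID(SRVUSER) ADDRING(SRVRING)
RACDCERT ID(SRVUSER) GENCERT -
  SUBJECTSDN(CN('server.example.com') O('Example')) -
  WITHLABEL('SRV AT-TLS CERT') SIZE(2048)

/* 3. Connect the certificate to the ring as its default.            */
RACDCERT ID(SRVUSER) CONNECT(ID(SRVUSER) -
  LABEL('SRV AT-TLS CERT') RING(SRVRING) DEFAULT)

/* 4. Let the server ID list its own ring and certificate.           */
/* Skip the RDEFINEs if the profiles already exist. The REFRESH      */
/* assumes the FACILITY class is RACLISTed.                          */
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(SRVUSER) ACCESS(READ)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(SRVUSER) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

/* 5. Verify before restarting the stack.                            */
RACDCERT ID(SRVUSER) LISTRING(SRVRING)
RLIST SERVAUTH EZB.INITSTACK.SYSA.TCPIP AUTHUSER
```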