44 RACF Remote Sharing Facility over TCP/IP
## End of Configuration Assistant information
TTLSRule Default_RRSF-Client~1
{
LocalAddr ALL
RemoteAddr ALL
LocalPortRangeRef portR1
RemotePortRangeRef portR2
Direction Outbound
Priority 255
TTLSGroupActionRef gAct1
TTLSEnvironmentActionRef eAct1~RRSF-Client
TTLSConnectionActionRef cAct1~RRSF-Client
}
TTLSRule Default_RRSF-Server~2
{
LocalAddr ALL
RemoteAddr ALL
LocalPortRangeRef portR2
RemotePortRangeRef portR1
Direction Inbound
Priority 254
TTLSGroupActionRef gAct1
TTLSEnvironmentActionRef eAct2~RRSF-Server
TTLSConnectionActionRef cAct2~RRSF-Server
}
TTLSGroupAction gAct1
{
TTLSEnabled On
}
TTLSEnvironmentAction eAct1~RRSF-Client
{
HandshakeRole Client
EnvironmentUserInstance 0
TTLSKeyringParmsRef keyR~SC75
}
TTLSEnvironmentAction eAct2~RRSF-Server
{
HandshakeRole ServerWithClientAuth
EnvironmentUserInstance 0
TTLSKeyringParmsRef keyR~SC75
}
TTLSConnectionAction cAct1~RRSF-Client
{
HandshakeRole Client
TTLSCipherParmsRef cipher1~AT-TLS_PlatinumClientAut
TTLSConnectionAdvancedParmsRef cAdv1~RRSF-Client
CtraceClearText Off
Trace 2
}
TTLSConnectionAction cAct2~RRSF-Server
{
HandshakeRole ServerWithClientAuth
TTLSCipherParmsRef cipher1~AT-TLS_PlatinumClientAut
TTLSConnectionAdvancedParmsRef cAdv2~RRSF-Server
CtraceClearText Off
Trace 2
}
TTLSConnectionAdvancedParms cAdv1~RRSF-Client
{
SSLv3 Off
TLSv1 Off
SecondaryMap Off
}
TTLSConnectionAdvancedParms cAdv2~RRSF-Server
{
SSLv3 Off
TLSv1 Off
SecondaryMap Off
}
TTLSKeyringParms keyR~SC75
{
Keyring IRR.RRSF.KEYRING
}
TTLSCipherParms cipher1~AT-TLS_PlatinumClientAut
{
V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
}
PortRange portR1
{
Port 1024-65535
}
PortRange portR2
{
Port 18136
}
The lines highlighted in bold illustrate the following aspects of the policy:
- TLS security is enabled for traffic between all IP addresses to and from port 18136.
- The digital certificates are stored in the key ring named IRR.RRSF.KEYRING.
- The cipher suite TLS_RSA_WITH_AES_256_CBC_SHA is used for data transfer.
However, you can define your own security level and select different cipher suites and
different client authentication methods such as SAF Check. For more information, see 3.4.5,
“Using an external CA to sign a server certificate for each RRSF node” on page 66.
Activating and verifying the AT-TLS policy
After loading the policy, refresh the PAGENT task. The output is shown in Example 3-8.
Example 3-8 Refreshing PAGENT with AT-TLS policy
F PAGENT,REFRESH
EZZ8443I PAGENT MODIFY COMMAND ACCEPTED
EZZ8771I PAGENT CONFIG POLICY PROCESSING COMPLETE FOR TCP/IP : TTLS
Consideration: If you already have an AT-TLS policy for other applications, open this
policy under z/OSMF. Update it to add the RRSF_Client and RRSF_Server rules. For more
information, see “Configuring the RRSF Client” on page 39 and “Configuring RRSF
Server” on page 41.
