AT-TLS Security with ZMF and the Client Pack
The rapid growth in the use of distributed ZMF clients can be attributed to a more intuitive user experience, smart editors, integrated debuggers and more. As this technology becomes more widely implemented, customers have requested stronger network security for their ZMF environment. Specifically, they have asked that all ZMF communications be encrypted using the strongest available version of TLS.
The Secure Sockets Layer (SSL) protocol was designed by Netscape in 1995. SSL went through many iterations and has now been effectively replaced by Transport Layer Security (TLS). The terms SSL and TLS have become somewhat interchangeable, but both exist to provide secure transport for your communications. We have all used TLS encryption when accessing sensitive data over the internet via the HTTPS protocol.
Implementing TLS for ZMF distributed clients is fairly straightforward. The clients are written in Java and C++ with access to robust libraries that do much of the heavy lifting. A little research into the APIs, some configuration changes and a security certificate for Tomcat, and the clients are ready for testing.
The mainframe presents a much different challenge. There are libraries available for implementing SSL in assembler language (System SSL), but using them would require significant architectural changes to ZMF. Many products have faced the same requirement, and IBM delivers AT-TLS (part of z/OS Communications Server) to address it. AT-TLS (Application Transparent – Transport Layer Security) provides TLS support by intercepting network traffic between two endpoints and encrypting it without requiring any changes to the application. AT-TLS uses a policy configuration file to determine which connections are to be protected with TLS.
This is a very high level overview of the steps needed to implement TLS in the ZMF environment.
1) Obtain Certificates – TLS requires a digital certificate in order to function. Separate certificates are required for ZMF and for the application server running Web Services. It is strongly recommended that customers purchase certificates from a trusted CA; self-signed certificates require additional configuration steps on every client communicating with ZMF.
2) AT-TLS configuration for ZMF. Use the configuration assistant or the Policy Agent to configure TLS rules for ZMF. There are 3 rules that need to be in place:
a. All inbound connections to the CMN port are selected for TLS. This connection is in the Server role.
b. All inbound connections to the XCH port are selected for TLS. This connection is in the Server role.
c. All outbound connections to the CMN/XCH ports are selected for TLS. This rule covers batch jobs that communicate back to ZMF. This connection is in the Client role.
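The three rules above map onto three TTLSRule statements in the Policy Agent configuration. The following AT-TLS policy fragment is an added example written for this article, not configuration shipped with ZMF or taken from the original post: the port numbers (6001 and 6002), the keyring name (ZMFUSER/ZMF.KEYRING) and the rule and action names are placeholders and must be replaced with your site's CMN/XCH ports and the RACF keyring that holds the certificate obtained in step 1. Only TLS 1.2 is left enabled, matching the request for the strongest TLS version, and the cipher list is a conservative starting point to adjust to your site's standard.

```conf
# AT-TLS policy for ChangeMan ZMF (added example; all names and ports are placeholders)

# Rule a: inbound connections to the CMN port -> Server role
TTLSRule                          ZMF_CMN_Inbound
{
  LocalPortRange                  6001          # placeholder: your CMN port
  Direction                       Inbound
  Priority                        255
  TTLSGroupActionRef              ZMF_GroupAct
  TTLSEnvironmentActionRef        ZMF_ServerEnv
}

# Rule b: inbound connections to the XCH port -> Server role
TTLSRule                          ZMF_XCH_Inbound
{
  LocalPortRange                  6002          # placeholder: your XCH port
  Direction                       Inbound
  Priority                        254
  TTLSGroupActionRef              ZMF_GroupAct
  TTLSEnvironmentActionRef        ZMF_ServerEnv
}

# Rule c: outbound connections from batch jobs back to the CMN/XCH ports -> Client role
TTLSRule                          ZMF_Batch_Outbound
{
  RemotePortRange                 6001-6002     # placeholder: CMN and XCH ports
  Direction                       Outbound
  Priority                        253
  # Jobname                       CMN*          # optional: restrict to your batch job names (assumption)
  TTLSGroupActionRef              ZMF_GroupAct
  TTLSEnvironmentActionRef        ZMF_ClientEnv
}

TTLSGroupAction                   ZMF_GroupAct
{
  TTLSEnabled                     On
  Trace                           2             # log handshake errors to syslogd for troubleshooting
}

# Server role: presents the ZMF certificate from the keyring
TTLSEnvironmentAction             ZMF_ServerEnv
{
  HandshakeRole                   Server
  TTLSKeyringParms
  {
    Keyring                       ZMFUSER/ZMF.KEYRING   # placeholder keyring
  }
  TTLSEnvironmentAdvancedParmsRef ZMF_TLS12Only
  TTLSCipherParmsRef              ZMF_Ciphers
}

# Client role: validates the ZMF server certificate against the CA in the same keyring
TTLSEnvironmentAction             ZMF_ClientEnv
{
  HandshakeRole                   Client
  TTLSKeyringParms
  {
    Keyring                       ZMFUSER/ZMF.KEYRING   # placeholder keyring
  }
  TTLSEnvironmentAdvancedParmsRef ZMF_TLS12Only
  TTLSCipherParmsRef              ZMF_Ciphers
}

# Disable every protocol version below TLS 1.2
TTLSEnvironmentAdvancedParms      ZMF_TLS12Only
{
  SSLv2                           Off
  SSLv3                           Off
  TLSv1                           Off
  TLSv1.1                         Off
  TLSv1.2                         On
}

# Starting cipher list; adjust to your site's cipher policy
TTLSCipherParms                   ZMF_Ciphers
{
  V3CipherSuites                  TLS_RSA_WITH_AES_256_CBC_SHA256
  V3CipherSuites                  TLS_RSA_WITH_AES_128_CBC_SHA256
}
```

The inbound rules match on LocalPortRange because ZMF is the listener; the outbound rule matches on RemotePortRange because the batch job is the connecting side and its local port is ephemeral. Sharing one keyring between the Server and Client environments works when the keyring holds both the ZMF server certificate (with its private key) and the CA certificate that signed it; if the batch jobs run under a different user ID, that ID needs read access to the keyring as well.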
3) Configure Web Services for TLS: (Tomcat)
a. Install latest version of ZMF Web Services (8.1.1)
b. Configure the server.xml file to define a secure port (typically port 8443). The port definition should point to the certificate from step 1.
4) Configure ZDD for TLS:
a. Install latest version of ZDD (8.1.1)
b. Select the “TLS Security” option on the Server connection tab to enable TLS for that Server.
5) Configure ZMF4ECL for TLS
a. Install latest version of ZMF4ECL (8.1.1)
b. Select the “TLS Security” option on the Server Properties page to enable TLS for that Server.
There are many steps, but the implementation is fairly straightforward. The AT-TLS setup on z/OS can be tricky due to the number of configuration options, but once set up it can be left alone. The key to success is planning and teamwork, as many diverse areas of expertise are involved. The various administrators (ZMF, security, and WebSphere/Tomcat) all play a critical role in getting the environment set up correctly.
For customer information, ChangeMan ZMF Client Pack 8.1.1 is expected to be made Generally Available around March/April 2016.