Hi Chris,
Thanks for your comments. I tried z/OSMF to define AT-TLS stuff, and
blogged about the experience about 18 months ago. The experience was ok to not-so-good (and too many clicks for me).
For example, I mention that I want to turn on trace for one session. I said:
- Change the configuration to set the trace. This can be difficult if someone else is in the middle of changing the configuration.
- Deploy the whole configuration. You may pick up incomplete changes which have been made, but not deployed.
- If a second TCPIP stack is using the configuration, this may get trace enabled if the configuration file is recreated.
I already had a working AT-TLS configuration (which I had been sent). I could not use that as input to z/OSMF.
I've also been working on MFA, and they provide definitions. How am I meant to feed these definitions into z/OSMF?
I'm not looking for answers to the points I raised - they are to illustrate the problems an end user may have.
BTW I like the way VTAM is configured. I can have little files, and I think it is more secure and easier to manage than the TCPIP way of doing this.
Colin
Original Message:
Sent: 1/15/2024 9:14:00 AM
From: Chris Meyer
Subject: RE: Managing TLS definitions is hard - is there an easy option
Hi Colin,
We've been recommending the z/OSMF Network Configuration Assistant (NCA) for managing AT-TLS (as well as other types of) policies for many years. That being said, I understand that you have chosen a different path.
Policy Agent does have a relevant capability (that NCA does not use), but I doubt it will get you where you want to be: You can have a Common and a Stack-specific AT-TLS policy file. When Policy Agent processes the policies, it combines the contents of the common AT-TLS file with the contents of the stack-specific file to come up with the complete policy for that stack. You can read more about this and other topics on managing policy files here:
https://www.ibm.com/docs/en/zos/3.1.0?topic=networking-configuration-files-policy-definition-files
However, based on your description (wanting to manage policy at the application level), I'm not sure this function provides enough granularity for what you're trying to achieve.
I can't really think of another approach that will do what you want beyond the concatenated data sets you described.
------------------------------
Chris Meyer, CISSP
IBM STSM, z/OS network security architect
------------------------------
Original Message:
Sent: Tue January 09, 2024 12:04 PM
From: Colin Paice
Subject: Managing TLS definitions is hard - is there an easy option
My TLS definition members are getting hard to manage. Are there any techniques to help me manage them? (Not z/OSMF.)
I want to be able to manage my MQ/ZOSMF/MFA definitions as small self-contained files, but I could not find an INCLUDE statement for these.
It is easier to manage small files, and do change management on them.
The best I've come up with is JCL like
//IBMUSERT JOB 1,MSGCLASS=H
// JCLLIB ORDER=COLIN.TLS.JCL
//* Export all JCL symbols so &MQ is substituted in the instream data
// EXPORT SYMLIST=(*)
// SET MQ='MQM1'
//* Copy the assembled instream data (SYSUT1) to one member (SYSUT2)
//S1 EXEC PGM=IEBGENER,REGION=0M
//SYSPRINT DD SYSOUT=*
//SYSIN DD DUMMY
//* Each INCLUDE pulls a small member from COLIN.TLS.JCL into SYSUT1
//SYSUT1 DD *,SYMBOLS=(JCLONLY)
// INCLUDE MEMBER=MFA
// INCLUDE MEMBER=MQ
// INCLUDE MEMBER=ZOSMF
//SYSUT2 DD DISP=SHR,DSN=USER.Z24C.TCPPARMS(TLSCOLIN)
where I keep members such as COLIN.TLS.JCL(MFA), etc., and run this job to copy all the members into one member in USER...TCPPARMS.
So change the member, run the job, and get PAGENT to pick it up.
I can have &MQ replaced by MQM1 as part of this.
Is there a better way of doing this?
Colin
------------------------------
Colin Paice
------------------------------
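The assemble-small-members-into-one-file approach from Colin's post, as an added Python example that is not part of the thread and not IBM's or Colin's code: it substitutes &MQ-style symbols the way the SET/SYMBOLS step does and refuses to assemble a fragment with unbalanced braces, the half-edited-member case Colin describes. The fragment contents below are constructed placeholders; the thread does not show the real members.

```python
import re

# Constructed sample fragments standing in for the small members
# (COLIN.TLS.JCL(MFA), (MQ), ...); the thread does not show their contents.
FRAGMENTS = {
    "MFA": "TTLSRule MFA_Rule\n{\n  LocalPortRange 6789\n  Direction Inbound\n"
           "  TTLSGroupActionRef MFA_Group\n}\n",
    "MQ": "TTLSRule MQ_&MQ._Rule\n{\n  LocalPortRange 1414\n  Direction Inbound\n"
          "  TTLSGroupActionRef MQ_&MQ._Group\n}\n",
}

# JCL-style symbol: &NAME, optionally terminated by a '.' that is consumed.
# (The && escape used in real JCL is not handled here.)
SYMBOL = re.compile(r"&([A-Z0-9@#$]{1,8})\.?")

def substitute(text, symbols):
    """Replace &NAME references; fail loudly on an unknown symbol rather
    than deploying a policy with a literal '&MQ' left in it."""
    def repl(match):
        name = match.group(1)
        if name not in symbols:
            raise ValueError(f"unresolved symbol &{name}")
        return symbols[name]
    return SYMBOL.sub(repl, text)

def check_braces(name, text):
    """Reject a half-edited fragment (unbalanced {}), so an incomplete
    change cannot be picked up by a full deploy."""
    depth = 0
    for lineno, line in enumerate(text.splitlines(), 1):
        depth += line.count("{") - line.count("}")
        if depth < 0:
            raise ValueError(f"{name}:{lineno}: '}}' without matching '{{'")
    if depth != 0:
        raise ValueError(f"{name}: {depth} unclosed '{{'")

def assemble(fragments, order, symbols):
    """Build the single policy text from the fragments in the given order."""
    parts = []
    for name in order:
        text = substitute(fragments[name], symbols)
        check_braces(name, text)
        # '#' starts a comment line in Policy Agent policy files
        parts.append(f"# ---- {name} ----\n{text}")
    return "".join(parts)

if __name__ == "__main__":
    print(assemble(FRAGMENTS, ["MFA", "MQ"], {"MQ": "MQM1"}))
```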