

Set Up Security for NJE TCP/IP

You can use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol to encrypt the CA Spool data that is transmitted through NJE over TCP/IP. This technique uses Application Transparent Transport Layer Security (AT-TLS): the SSL/TLS definitions live in the TCP/IP policy and in security profiles, not in CA Spool, so CA Spool itself does not implement the protocol. It requires updates in the following places: your security software, the TCP/IP configuration of the system on which CA Spool runs, JES2 or JES3 (whichever you use), and CA Spool.

Important! We strongly recommend securing connections with TLS instead of SSL. SSLv3 and earlier have known weaknesses and should be disabled.

Note: For general information about AT-TLS, see the IBM z/OS Communications Server: IP Configuration Guide. For the Policy Agent and AT-TLS policy statements, see the IBM z/OS Communications Server: IP Configuration Reference.

Follow this process:

  1. In your security software, perform these tasks:
    1. Define a keyring for the CA Spool started task.
    2. Generate the certificates.
    3. Add these certificates to the keyring.

    Note: For information to perform these tasks, see the documentation for your security software, for example, CA Top Secret, CA ACF2, or IBM RACF. The keyring name and the certificate label must match the Keyring and CertificateLabel values in the AT-TLS policy (ESFRING and ESFCERT in the sample policy below), and the CA Spool started task user ID must be able to read that keyring.

  2. Update the TCP/IP configuration of the system on which CA Spool runs: define an AT-TLS policy that covers the NJE connections (a sample TTLS policy file is shown below).
  3. Update JES2 or JES3, whichever you use, for the secure NJE connection.
  4. In CA Spool, specify TCPTLS=YES in the NJE statement for the NJE node that transmits data over TCP/IP.

When the connection is initiated, CA Spool and the remote NJE node first exchange NJE control records; AT-TLS then establishes the secure session and all remaining communication is encrypted. Because the sample policy sets ApplicationControlled On, the handshake starts only when CA Spool requests it, so the initial control records exchanged before the handshake are not protected by TLS. Both nodes must be configured for the secure connection in the same way.

Sample TTLS Policy File

You can use the following sample TTLS policy file as a model. Comments (lines starting with #) mark the values you must adapt to your installation.

Two points to check before using it. First, the sample does not restrict protocol versions, so the release defaults of AT-TLS apply; to enforce the TLS-only recommendation above, add SSLv3 Off (and TLSv1.2 On, where your z/OS release supports it) to the TTLSEnvironmentAdvancedParms statement. Second, the cipher list includes 3DES suites, which use a 64-bit block and are considered weak; remove them unless a legacy remote node requires them. All listed suites use CBC mode with SHA-1, so prefer AES-GCM suites when both nodes support TLS 1.2.

# Outbound rule: CA Spool connects to the remote NJE node.
# Set RemotePortRange to the port on which the remote node listens.
TTLSRule                          ESFNJE-Client
{
  LocalAddr                       ALL
  RemoteAddr                      ALL
  LocalPortRange                  1024 65535
  RemotePortRange                 2252
  Direction                       Outbound
  Priority                        254
  TTLSGroupActionRef              gESF
  TTLSEnvironmentActionRef        eActESFNJEClient
}
# Inbound rule: the remote NJE node connects to CA Spool.
# Set LocalPortRange to the port on which CA Spool listens.
TTLSRule                          ESFNJE-Server
{
  LocalAddr                       ALL
  RemoteAddr                      ALL
  LocalPortRange                  4711
  RemotePortRange                 1024 65535
  Direction                       Inbound
  Priority                        254
  TTLSGroupActionRef              gESF
  TTLSEnvironmentActionRef        eActESFNJEServer
}
# Both rules share this group action. Every *Ref name must resolve to a
# defined statement, otherwise Policy Agent rejects the policy.
# Trace 7 writes error, informational and event messages to syslogd;
# lower it once the connection has been verified.
TTLSGroupAction                   gESF
{
  TTLSEnabled                     On
  Trace                           7
}
TTLSEnvironmentAction             eActESFNJEClient
{
  HandshakeRole                   Client
  EnvironmentUserInstance         0
  TTLSKeyringParmsRef             keyESF
  TTLSCipherParmsRef              cipher1~Default_Ciphers
  TTLSEnvironmentAdvancedParmsRef eAdvESFNJE
  CtraceClearText                 Off
}
TTLSEnvironmentAction             eActESFNJEServer
{
  HandshakeRole                   Server
  EnvironmentUserInstance         0
  TTLSKeyringParmsRef             keyESF
  TTLSCipherParmsRef              cipher1~Default_Ciphers
  TTLSEnvironmentAdvancedParmsRef eAdvESFNJE
  CtraceClearText                 Off
}
# ApplicationControlled On: the handshake starts when CA Spool requests it,
# after the NJE control records have been exchanged.
# CertificateLabel must match the label of the certificate in the keyring.
TTLSEnvironmentAdvancedParms      eAdvESFNJE
{
  ApplicationControlled           On
  CertificateLabel                ESFCERT
  SecondaryMap                    Off
}
# Keyring must match the keyring defined for the CA Spool started task.
TTLSKeyringParms                  keyESF
{
  Keyring                         ESFRING
}
# Suites are offered in this order. The 3DES suites are weak; remove them
# unless a legacy remote node requires them.
TTLSCipherParms                   cipher1~Default_Ciphers
{
  V3CipherSuites                  TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites                  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites                  TLS_DH_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites                  TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  V3CipherSuites                  TLS_DH_DSS_WITH_AES_256_CBC_SHA
  V3CipherSuites                  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites                  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites                  TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites                  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites                  TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites                  TLS_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites                  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites                  TLS_DH_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites                  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  V3CipherSuites                  TLS_DH_DSS_WITH_AES_128_CBC_SHA
}
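The checks described for the sample policy (every *Ref resolving to a defined statement, no weak cipher suites, protocol versions pinned) can be automated before the policy is handed to Policy Agent. The following linter is an added example for this page, not CA Spool or IBM code. It parses the statement/brace syntax shown above; SAMPLE_POLICY is a constructed, shortened copy of the page's sample that deliberately keeps a dangling group action reference (gAct1) so the linter has something to find, and HARDENED_POLICY is the same text with the fixes applied. The statement and parameter names are the real AT-TLS ones; the finding texts and the list of weak-cipher markers are this example's own choices.

```python
"""AT-TLS (Policy Agent) policy linter, added for this page; not CA Spool or IBM code.

Parses the statement/brace syntax of the sample TTLS policy and reports
dangling *Ref names, weak cipher suites and environments that do not pin
the protocol version. SAMPLE_POLICY is constructed from the page's sample.
"""
import re

# Each reference keyword must resolve to a statement of this type.
REF_TYPES = {
    "TTLSGroupActionRef": "TTLSGroupAction",
    "TTLSEnvironmentActionRef": "TTLSEnvironmentAction",
    "TTLSKeyringParmsRef": "TTLSKeyringParms",
    "TTLSCipherParmsRef": "TTLSCipherParms",
    "TTLSEnvironmentAdvancedParmsRef": "TTLSEnvironmentAdvancedParms",
}
# Substrings that mark a cipher suite as weak or obsolete (this example's list).
WEAK_CIPHER_MARKERS = ("3DES", "RC4", "NULL", "EXPORT", "_MD5", "_DES_", "anon")
# <Type> <Name> { body }; AT-TLS statement bodies do not nest braces.
STMT_RE = re.compile(r"(\w+)\s+(\S+)\s*\{(.*?)\}", re.S)

SAMPLE_POLICY = """
TTLSRule                          ESFNJE-Server
{
  LocalPortRange                  4711
  TTLSGroupActionRef              gAct1
  TTLSEnvironmentActionRef        eActESFNJEServer
}
TTLSGroupAction                   gESF
{
  TTLSEnabled                     On
}
TTLSEnvironmentAction             eActESFNJEServer
{
  HandshakeRole                   Server
  TTLSKeyringParmsRef             keyESF
  TTLSCipherParmsRef              cipher1~Default_Ciphers
  TTLSEnvironmentAdvancedParmsRef eAdvESFNJE
}
TTLSEnvironmentAdvancedParms      eAdvESFNJE
{
  ApplicationControlled           On
  CertificateLabel                ESFCERT
}
TTLSKeyringParms                  keyESF
{
  Keyring                         ESFRING
}
TTLSCipherParms                   cipher1~Default_Ciphers
{
  V3CipherSuites                  TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites                  TLS_RSA_WITH_3DES_EDE_CBC_SHA
}
"""

# The same policy with the fixes a reviewer would make: resolve the group
# action reference, drop the 3DES suite and pin the protocol versions.
HARDENED_POLICY = re.sub(
    r"\n\s*V3CipherSuites\s+\S*3DES\S*", "",
    SAMPLE_POLICY.replace("gAct1", "gESF").replace(
        "  ApplicationControlled", "  SSLv3 Off\n  TLSv1.2 On\n  ApplicationControlled"),
)


def parse_policy(text):
    """Return {(type, name): [(key, value), ...]}. Values stay a list of
    pairs because keys such as V3CipherSuites legitimately repeat."""
    text = re.sub(r"#.*", "", text)  # strip comments
    stmts = {}
    for kind, name, body in STMT_RE.findall(text):
        rows = [ln.split(None, 1) for ln in body.splitlines()]
        stmts[(kind, name)] = [(r[0], r[1].strip()) for r in rows if len(r) == 2]
    return stmts


def lint_policy(text):
    """Return a sorted list of finding strings for the policy text."""
    stmts = parse_policy(text)
    findings = []
    for (kind, name), pairs in stmts.items():
        settings = dict(pairs)  # last value wins; fine for single-valued keys
        for key, value in pairs:
            target = REF_TYPES.get(key)
            if target and (target, value) not in stmts:
                findings.append(f"{kind} {name}: {key} {value} is not defined")
            if key == "V3CipherSuites" and any(w in value for w in WEAK_CIPHER_MARKERS):
                findings.append(f"{kind} {name}: weak cipher suite {value}")
        if kind == "TTLSGroupAction" and settings.get("TTLSEnabled", "").lower() != "on":
            findings.append(f"{kind} {name}: TTLSEnabled is not On")
        if kind == "TTLSEnvironmentAdvancedParms":
            # Protocol versions default per z/OS release; pin them explicitly.
            if settings.get("SSLv3", "").lower() != "off":
                findings.append(f"{kind} {name}: SSLv3 not explicitly Off")
            if settings.get("TLSv1.2", "").lower() != "on":
                findings.append(f"{kind} {name}: TLSv1.2 not explicitly On")
    return sorted(findings)


if __name__ == "__main__":
    print(*lint_policy(SAMPLE_POLICY), sep="\n")
```

Run against SAMPLE_POLICY the linter reports four findings (the undefined gAct1 reference, the 3DES suite, and the two unpinned protocol settings); against HARDENED_POLICY it reports none. Point it at your real policy file before activating it, and extend WEAK_CIPHER_MARKERS to match your site's cipher baseline.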