Configuring the gateway


The BMC AMI Enterprise Connector for Venafi (EC for Venafi) gateway supports transactions driven by the Venafi Trust Protection Platform (TPP). The gateway is responsible for distributing the TPP transactions to the target mainframe system for processing by an agent.

EC for Venafi uses TPP adaptable drivers, installed on each server in your cluster, to communicate with the gateway at various times in the life cycle of a TPP certificate. Each time the gateway receives a call from a driver, it verifies whether the driver is using the correct software version. If the versions do not match, certificate processing stops and an error message is sent indicating the problem. For more information about the TPP adaptable driver, see Installing-the-TPP-adaptable-driver-and-Bulk-Insert-utility and Configuring-the-TPP-adaptable-driver.

To set up your gateway, you must configure the following statements. You can find a sample configuration member, ECVGPARM, in the hlq.RSSSAMP library.

Global statement

The following global parameters define general functionality:

Parameter

Description

ClassName FACILITY|className

By default, the RSS RACF resources are defined in the FACILITY class.

If you placed the RSS resources in a different class during installation, specify it here.

RACFAdminUser userID auto|noauto

Defines the user ID under which RACF commands are issued

  • (Optional) userID specifies the user ID that is used to issue commands. If you omit userID, the default is the user ID for the address space in which RSS is running.
  • auto specifies that RSS should use APF authorization to provide the authority for commands.
  • (Default) noauto specifies that RSS should not use APF authorization.

If you omit RACFAdminUser, RACF commands run under the user ID for the address space on which RSS is running, with no APF authorization.

CommandSecurity On|Off

Specifies whether RSS enforces an additional layer of security for MODIFY commands submitted to the started task

When set to On, RSS checks the RACF or Top Secret profile RSM.RSSCMD.command and verifies that the user ID submitting the MODIFY command has at least READ access to that profile.

If you omit this parameter, the default is Off.

MessageLevel level level

Message levels written to RSSPRINT

You can define multiple message levels.

We recommend that you include the message levels Info and Error.

TCPBufferSize

Specifies the size in bytes of the TCP receive buffer used by the EC for Venafi web interface

The value of this parameter must be 65535.

Activate appName

Name of the application to be loaded

The value of this parameter must be Venafi.

Example

ClassName        FACILITY
RACFAdminUser    <userID> noauto
CommandSecurity Off
MessageLevel     Info Error
TCPBufferSize    65535
Activate         Venafi

HTTPServer statement

Define the HTTP server to use to access the EC for Venafi web interface.

Parameter

Description

HTTPServer

Begins the HTTPServer statement

Protocol HTTP

(Required) Internet protocol used to access the web interface.

Enter HTTP to access the web interface.

Port portNumber

(Required) Port number of the web interface instance

Enter the port number that the server uses for the web interface.

EndHTTPServer

Ends the HTTPServer statement

Example

*********************************************** 
* HTTP Server Settings                        * 
*********************************************** 
HTTPServer                                           
Protocol     HTTP                                
Port         9351                           
EndHTTPServer   

TPPServer statement

(SPE2501)

The following TPPServer parameters define the TPP server for the gateway instance. Only one TPPServer statement is required per instance.

Important

  • If you don't plan to use the Certificate administration feature, you do not need to complete the TPPServer statement.
  • If you do plan to use the Certificate administration feature, all of the parameters in the TPPServer statement are required.

Parameter

Description

TPPServer

Begins the TPPServer statement

HostName hostName | IPaddress

Location of the TPP REST server

Enter the host name or IP address for the server on which the TPP REST interface is located.

Port portNumber

Port number of the TPP REST server

Enter the port number on which the TPP REST interface is listening.

ECGatewayURL url

URL of the EC for Venafi gateway

Enter the URL of the EC for Venafi gateway exactly as it appears in the TPP device object.

CertificateFolderName pathName

Path name to the TPP policy folder where new certificate objects will be created

Enter the path name of the default TPP policy folder for new certificate objects created by using the EC for Venafi UI. For the specific syntax, see the example following this table.

You can define multiple CertificateFolderName parameters.

DeviceFolderName pathName

Path name to the TPP policy folder that contains the TPP device object

Enter the path name of the TPP policy folder containing the device object that represents the EC for Venafi gateway. For the specific syntax, see the example following this table.

DeviceObjectName objectName

Name of the TPP device object

Enter the name of the TPP device object that represents the EC for Venafi gateway.

Repository repositoryName

Location of the encrypted TPP API authentication token

Important

You must create this directory at the location you specify and make sure that the gateway has write access.

EndTPPServer

Ends the TPPServer statement

Example

***********************************************
* Define TPP Server                           *
***********************************************
TPPServer
  HostName               tpp.mycompany.com
  Port                   8080
  ECGatewayURL           http://lpar.mycompany.com
  CertificateFolderName  \\VED\\Policy\\Development\\EC Venafi\\main
  DeviceFolderName       \\VED\\Policy\\Development\\EC Venafi\\workfiles
  DeviceObjectName       lparname
  Repository             /u/venafi
EndTPPServer

Important

  • The path name of the CertificateFolderName and DeviceFolderName parameters must always start with \\VED\\Policy\\.
  • Use double backslashes (\\) to delimit the individual folder-name components in the path name.
  • If the path name is too long for a single line, you can continue to the next line after any \\.
  • You can add as many lines as needed.

ECGateway statement

The following ECGateway parameters define the REST API server for the gateway instance. Only one ECGateway statement is required per instance.

Parameter

Description

ECGateway

Begins the ECGateway statement

HostName hostName | IPaddress

(Required) Location of the gateway instance

Enter the host name or IP address for the server on which the gateway is located.

Port portNumber

(Required) Port number of the gateway instance

Enter the port number that the server uses for the gateway.

RequestTimeout seconds | hours

Number of seconds or hours after which agent requests from this gateway are abandoned

Transactions that are not completed within this time period stop with a timeout error message. 

The default value is 120 seconds.

TLSAware Yes | No

Verifies whether incoming transactions have been secured by a valid AT-TLS policy

Transactions that are flagged as insecure or not having an AT-TLS policy are rejected.

The default value is No.

TPPHostName tppName | tppIPaddress

(Optional) Host name or IP address of the TPP client instance from which TPP transactions are expected to arrive

Transactions arriving from other hosts are rejected.

You can define multiple TPP client instances.

Encoding ASCII | UTF8

Encoding used for incoming requests from the REST API

The default value is ASCII.

GatewayId gatewayID

Name that the logging reports should use to identify the gateway from which a specific request is received

EndECGateway

Ends the ECGateway statement

Example

***********************************************     
* Define TPP Gateway                          *     
***********************************************     
ECGateway                                           
   HostName             SYSA              
   Port                 4000                        
   RequestTimeout       120 seconds                 
   TLSAware             Yes
   TPPHostName          TPPProdSystem
   GatewayId            SystemA                      
EndECGateway

TargetEnvironment statement

The following TargetEnvironment parameters define the environment (LPAR) in which an EC for Venafi agent is running. You can use multiple statement blocks to define multiple agent environments. You can also define Dynamic Virtual IP Addressing (DVIPA) environments if you are using DVIPA from TPP, instead of an LPAR, to process agent requests.

Parameter

Description

TargetEnvironment envName

(Required) Name of the environment

Enter the name of the environment in which the agent is located. The value specified for TargetEnvironment must match the value specified for the target environment in the definition of the TPP application that sends certificates to the agent. 

HostName hostName | IPaddress

(Required) Location of the agent instance

Enter the host name or IP address for the server on which the agent is located.

Port portNumber

(Required) Port number of the agent instance

Enter the port number that the server uses for the agent.

EndTargetEnvironment

Ends the TargetEnvironment statement

Sample Target Environment statements

Standard Target Environment

***********************************************     
* Define Target Environment                   *     
***********************************************     
TargetEnvironment       PROD                                  
   HostName             SYS1              
   Port                 4000                        
EndTargetEnvironment    
TargetEnvironment       TEST                                  
   HostName             SYS2              
   Port                 4000                        
EndTargetEnvironment    
TargetEnvironment       DEV                                  
   HostName             SYS3              
   Port                 4000                        
EndTargetEnvironment

DVIPA Target Environment statement

***********************************************     
* Define Target Environment                   *     
***********************************************     
TargetEnvironment       vipaEnv1Name               
   HostName             vipa.ip.address       
   Port                 portNumber                   
EndTargetEnvironment                           
TargetEnvironment       vipaEnv2Name               
   HostName             vipa.ip.address       
   Port                 portNumber                   
EndTargetEnvironment   

LPARGroups statement

(SPE2404)

The following LPARGroups parameters define a group of LPARs under a single group name that you can use as a target environment in TPP. Requests sent to the group are sent to all LPARs specified for the particular group name.

Parameter

Description

LPARGroups

Begins the LPARGroups statement

grpname lpar1 lpar2

(Required) Group name and the LPARs in that group

Enter the name of the group and up to 15 LPARs, separated by spaces, to include in the group. You can add multiple groups to the statement.

EndLPARGroups

Ends the LPARGroups statement

Example

***********************************************
* Define LPAR Groups                          *
***********************************************
LPARGroups
GRP1 PRD1 PRD2
GRP2 DEV1 DEV2 DEV3
EndLPARGroups
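The following is an added example, not BMC code: a small reader for an ECVGPARM-style member that applies the rules from this page (the global values TCPBufferSize and Activate, the \\VED\\Policy\\ prefix and line continuation of TPPServer path names, and the ECGateway settings TLSAware and TPPHostName) and reports settings that leave the gateway less protected. The statement names and values are taken from this page; the sample member, the assumption that a path name continues only when a line ends with \\, and the function names are the example's own.

```python
SAMPLE = r"""
* Constructed ECVGPARM-style member, not the BMC sample; one path name continues after a \\
TCPBufferSize    65535
Activate         Venafi
TPPServer
  CertificateFolderName  \\VED\\Policy\\Development\\
                         EC Venafi\\main
  DeviceFolderName       \\VED\\Policy\\Development\\EC Venafi\\workfiles
EndTPPServer
ECGateway
   TLSAware             No
EndECGateway
"""
BLOCK_STARTS = {"HTTPServer", "TPPServer", "ECGateway", "TargetEnvironment", "LPARGroups"}

def parse_ecvgparm(text):
    """Return {block: {param: [values]}}; global parameters live under "GLOBAL"."""
    cfg, cur, pending = {"GLOBAL": {}}, "GLOBAL", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):        # blank line or "* comment" line
            continue
        if pending:                                 # rest of a continued path name
            key, value, pending = pending[0], pending[1] + line, None
        else:
            key, value = line.split(None, 1) if " " in line else (line, "")
        if key in BLOCK_STARTS:                     # "TPPServer" or "TargetEnvironment PROD"
            cur = f"{key} {value}".strip()
            cfg[cur] = {}
        elif key.startswith("End"):                 # EndTPPServer etc. return to globals
            cur = "GLOBAL"
        elif value.endswith("\\\\"):                # assumption: a trailing \\ means continued
            pending = (key, value)
        else:                                       # repeatable parameters collect into a list
            cfg[cur].setdefault(key, []).append(value)
    return cfg

def audit(cfg):
    """Findings to resolve before starting the gateway; an empty list is clean."""
    g, tpp, gw = cfg["GLOBAL"], cfg.get("TPPServer", {}), cfg.get("ECGateway", {})
    paths = tpp.get("CertificateFolderName", []) + tpp.get("DeviceFolderName", [])
    checks = [
        (g.get("TCPBufferSize") != ["65535"], "TCPBufferSize must be 65535"),
        (g.get("Activate") != ["Venafi"], "Activate must be Venafi"),
        (g.get("CommandSecurity", ["Off"])[0].lower() != "on", "CommandSecurity Off: MODIFY commands are not checked against RSM.RSSCMD.command"),
        (any(not p.startswith("\\\\VED\\\\Policy\\\\") for p in paths), "TPP folder paths must start with \\\\VED\\\\Policy\\\\"),
        (gw.get("TLSAware", ["No"])[0].lower() != "yes", "TLSAware No: incoming transactions are not checked for an AT-TLS policy"),
        ("TPPHostName" not in gw, "No TPPHostName: ECGateway accepts transactions from any host"),
    ]
    return [msg for bad, msg in checks if bad]
```

Running audit(parse_ecvgparm(SAMPLE)) reports the three defaults left in the sample (CommandSecurity Off, TLSAware No, no TPPHostName), and a member with CommandSecurity On, TLSAware Yes and a TPPHostName comes back clean.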
