Installation and Configuration

During or after installation of TIBCO MFT Platform Server for z/OS, you must configure the security-related parameters described in the following sections according to your requirements.

Global Parameters

Several Global parameters affect security; they are listed in the following sections. For a detailed description of these parameters, see the "GLOBAL Startup Parameters" section in TIBCO® Managed File Transfer Platform Server for z/OS Installation and Operation Guide.

Security Parameters

Parameter Description
ENFORCE_SECURITY_POLICY

Defines the security policy for the Platform Server started task. You can configure the following values:

NO: No security policy is defined.

FIPS140: STC is FIPS140 compliant.

TLSFIPS: TLS and Tunnel connections use FIPS compliant ciphers.

HIPAA: HIPAA rules requiring encryption are followed.

TLSCIPHERS

Allows you to define ciphers used for TLS/SSL and Tunnel connections.

TLSENABLEDPROTOCOL

Defines the TLS protocols used (TLSv1, TLSv1.1, TLSv1.2).

Responder Profile Password Rule Parameters

These parameters define the rules used when responder profiles are created. These rules apply to responder passwords created by the FUSPROF utility or through Command Center.

Communication Parameters

These parameters allow you to set the Adapter IP address that Platform Server uses when establishing TCP connections. You can set different Adapter IP address parameters for IPv4 and IPv6, and for Listen (Responder) and Connect (Initiator).

RACF Facility Class Checking Parameters

Parameter Description
BOSSID

Defines users that can create profile and responder profile definitions.

CCC_BROWSE_FACILITY

Defines users that can perform audit inquiry via Command Center.

CCC_ALTER_FACILITY

Defines users that can alter or delete active or inactive transfers.

CCC_ADMIN_FACILITY

Defines users that can configure nodes and profiles via Command Center.

CCC_TRANSFER_FACILITY

Defines users that can initiate transfers via Command Center.

EXTENDED_SECURITY_CHECK

Defines whether extended RACF resource checking is performed to see if a user is authorized to initiate transfers through the TSO or BATCH interfaces. There is also a parameter that defines whether users are authorized to send files to particular nodes.

EXTENDED_SECURITY_CHECK_RESOURCE

Defines the Facility Class prefix used when EXTENDED_SECURITY_CHECK is enabled.

DNI_USERID

Defines the RACF user used when DNI scans for files to be transferred.

SAPI_USERID

Defines the RACF user used when SAPI scans for SYSOUT data to be transferred.

Miscellaneous Parameters

Parameter Description
REQUIRE_NODE_DEFINITION

Allows you to require pre-defined nodes for initiator and responder requests.

RESPONDER_PROFILE

Sets the default that defines whether responder profiles are required. This parameter can be overridden by node definitions.

ACCEPT_VERIFIED_USER

We suggest using the default value of NO.

RESPONDER_PROFILE_LPASS

Defines whether a local password is required when creating a responder profile for a local user that is different from the requestor's user ID.

TRANSFER_INTERFACE_PROTOCOL

Defines the protocol that can be used to initiate file transfers.

MANAGE_INTERFACE_PROTOCOL

Defines the protocol that can be used to manage configuration information.

ALLOW_TRANSFER_REQUESTS

Sets the default, for all nodes, that defines whether transfers can be initiated by a node. This parameter can be overridden by Node definitions.

ALLOW_MANAGE_REQUESTS

Sets the default, for all nodes, that defines whether configuration information requests can be initiated by a node. This parameter can be overridden by Node definitions.

Node Parameters

Several node parameters affect security. For a more detailed description of these parameters, see the "Node Definition Parameters" section in TIBCO® Managed File Transfer Platform Server for z/OS Installation and Operation Guide.

Security Parameters

Parameter Description
ENFORCE_SECURITY_POLICY

Defines the security policy for this node. Overrides the Global definition. You can configure the following values:

FIPS140: STC is FIPS140 compliant.

HIPAA: HIPAA rules requiring encryption are followed.

RESPONDER_PROFILE

Overrides the Global Responder Profile setting.

ACCEPT_VERIFIED_USER

We suggest using the default value of NO.

DEFAULT_ENCRYPT

Defines the default encryption for initiator transfers with this node.

COMMAND_CENTER_SUPPORT

Defines whether requests from this IP address support Command Center functions.

ALLOW_TRANSFER_REQUESTS

Overrides the Global setting.

ALLOW_MANAGE_REQUESTS

Overrides the Global setting.

TLS

Defines whether communication to this node should be through TLS or Tunnel communication.
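
The following audit sketch is an added example, not TIBCO code or part of the product documentation. It resolves node-level overrides of ENFORCE_SECURITY_POLICY and ACCEPT_VERIFIED_USER against the Global definition and flags the settings this page singles out. The KEY=VALUE layout, the '*' comment marker, the comma-separated protocol list, the node names and the value YES are assumptions made for illustration.

```python
# Added example, not TIBCO code. Assumed layout: one KEY=VALUE per line,
# '*' starts a comment, protocols are comma-separated. Verify against the guide.
WEAK_PROTOCOLS = {"TLSV1", "TLSV1.1"}  # deprecated by RFC 8996
NODE_OVERRIDABLE = ("ENFORCE_SECURITY_POLICY", "ACCEPT_VERIFIED_USER")

def parse_params(text):
    """Parse KEY=VALUE lines into a dict with upper-cased keys."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip().upper()] = value.strip()
    return params

def effective(global_params, node_params):
    """Apply node-level overrides on top of the Global definition."""
    merged = dict(global_params)
    merged.update({k: node_params[k] for k in NODE_OVERRIDABLE if k in node_params})
    return merged

def audit(global_text, nodes):
    """Return sorted (scope, parameter, finding) tuples."""
    g = parse_params(global_text)
    findings = []
    for proto in g.get("TLSENABLEDPROTOCOL", "").split(","):
        if proto.strip().upper() in WEAK_PROTOCOLS:
            findings.append(("GLOBAL", "TLSENABLEDPROTOCOL", proto.strip() + " enabled"))
    scopes = {"GLOBAL": {}}
    scopes.update({name: parse_params(text) for name, text in nodes.items()})
    for scope, overrides in scopes.items():
        eff = effective(g, overrides)
        # Assumption: an unset policy is treated the same as NO.
        if eff.get("ENFORCE_SECURITY_POLICY", "NO").upper() == "NO":
            findings.append((scope, "ENFORCE_SECURITY_POLICY", "no security policy defined"))
        # The page suggests keeping the default value of NO.
        if eff.get("ACCEPT_VERIFIED_USER", "NO").upper() != "NO":
            findings.append((scope, "ACCEPT_VERIFIED_USER", "not the suggested NO"))
    return sorted(findings)

# Constructed sample input; node names and the value YES are hypothetical.
GLOBAL_SAMPLE = "* constructed sample\nENFORCE_SECURITY_POLICY=NO\nTLSENABLEDPROTOCOL=TLSv1,TLSv1.2\n"
NODE_SAMPLES = {"NODEA": "ENFORCE_SECURITY_POLICY=FIPS140\n",
                "NODEB": "ACCEPT_VERIFIED_USER=YES\n"}

if __name__ == "__main__":
    for finding in audit(GLOBAL_SAMPLE, NODE_SAMPLES):
        print(": ".join(finding))
```

NODEA reports nothing because its node-level FIPS140 setting overrides the Global NO, while NODEB inherits the Global policy and is flagged for it.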