Example of AT-TLS parameter setup

If you enable SSL encryption for any of the TCP/IP cloud traffic, IBM®'s Communication Server provides that control through Application Transparent Transport Layer Security (AT-TLS). This topic provides an example of the parameter setup for a TTLS rule that enables an SSL/TLS encryption policy.

# TTLS rule for the MXQ traffic: matches any local and remote address,
# local ports from portR1 (1024-65535) to remote port 443, in either
# direction, for the single user ID named in Userid, and applies the
# gAct1~MXQ / eAct1~MXQ / cAct1~MXQ actions defined further down.
TTLSRule                          Default_MXQ
{
  LocalAddr                       ALL
  RemoteAddr                      ALL
  LocalPortRangeRef               portR1
  RemotePortRange                 443
  # SAFID is a placeholder: replace it with the user ID that MXQTINIT runs
  # under.  The "<===" text is an annotation from the example, not policy
  # syntax; remove it (or put it behind a '#') before loading the policy.
  Userid                          SAFID       <=== Should be user ID for MXQTINIT
  # NOTE(review): the referenced actions use HandshakeRole Client, so
  # Direction Outbound would be the narrower match for this traffic;
  # confirm that Both is intended.
  Direction                       Both
  # 255 is the highest rule priority, so this rule wins over any other
  # rule that also matches the same connection.
  Priority                        255
  TTLSGroupActionRef              gAct1~MXQ
  TTLSEnvironmentActionRef        eAct1~MXQ
  TTLSConnectionActionRef         cAct1~MXQ
}
# Group action for the MXQ rule: turns AT-TLS on for the matched traffic.
# Trace 255 is the maximum trace setting and produces verbose output;
# lower it once the policy is working, as done on the connection action
# (Trace 2) below.
TTLSGroupAction                   gAct1~MXQ
{
  TTLSEnabled                     On
  Trace                           255
}
# Environment action for the MXQ rule.  HandshakeRole Client means this
# side initiates the TLS handshake; the keyring referenced here
# (MXQ_keyring -> CLOUDrng) presumably holds the CA chain used to validate
# the cloud endpoint's certificate -- confirm its contents before rollout.
# Trace 255 again requests maximum tracing.
TTLSEnvironmentAction             eAct1~MXQ
{
  HandshakeRole                   Client
  EnvironmentUserInstance         0
  TTLSKeyringParmsRef             MXQ_keyring
  Trace                           255
}
# Connection action for the MXQ rule: selects the cipher list cipher-MXQ
# and the advanced parms cAdv1~MXQ.  CtraceClearText Off keeps decrypted
# application data out of the CTRACE output, which is the safe setting
# for production.  Trace 2 is far lower than the 255 used on the group
# and environment actions.
TTLSConnectionAction              cAct1~MXQ
{
  HandshakeRole                   Client
  TTLSCipherParmsRef              cipher-MXQ
  TTLSConnectionAdvancedParmsRef  cAdv1~MXQ
  CtraceClearText                 Off
  Trace                           2
}
# Advanced connection parms for the MXQ rule.
# NOTE(review): ResetCipherTimer is 2 here but 0 in the otherwise
# identical AXQ block (cAdv1~AXQ); one of the two values is probably
# unintended -- confirm which is wanted.
TTLSConnectionAdvancedParms       cAdv1~MXQ
{
  ResetCipherTimer                2
  SecondaryMap                    Off
}
# Keyring used by eAct1~MXQ.  The same keyring name (CLOUDrng) is used
# by AXQ_keyring below, so both rule sets trust the same certificates.
TTLSKeyringParms                  MXQ_keyring
{
  Keyring                         CLOUDrng
}
# Legacy cipher list.  It is not referenced by any action in this example
# (the rules use cipher-MXQ and cipher-AXQ), and the same name is defined
# a second time in the AXQ section below; if the two sections are placed
# in one policy file, keep only one definition.
# Every suite here uses RSA, DH or DSS key exchange with CBC/SHA-1, and
# several use 3DES; none provides forward secrecy or an AEAD cipher.
# Prefer the ECDHE GCM suites at the top of cipher-MXQ where the remote
# side supports them.
TTLSCipherParms                   cipher1~Default_Ciphers
{
  V3CipherSuites                  TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites                  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites                  TLS_DH_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites                  TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  V3CipherSuites                  TLS_DH_DSS_WITH_AES_256_CBC_SHA
  # 3DES suites are weak by current standards; keep them only if a peer
  # genuinely requires them.
  V3CipherSuites                  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites                  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites                  TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites                  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites                  TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites                  TLS_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites                  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites                  TLS_DH_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites                  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  V3CipherSuites                  TLS_DH_DSS_WITH_AES_128_CBC_SHA
}
# Cipher list used by cAct1~MXQ.  The first eight suites (ECDHE key
# exchange with SHA-256/SHA-384 or AES-GCM) are the modern, forward-secret
# choices; the remaining suites are the same legacy RSA/DH/DSS CBC and
# 3DES list as cipher1~Default_Ciphers, kept as fallbacks.
# NOTE(review): the SHA256/SHA384 and GCM suites need TLS 1.2, and no
# TTLSEnvironmentAdvancedParms with TLSv1.2 On appears in this example;
# on releases where TLSv1.2 defaults to Off these suites would never be
# negotiated -- confirm the protocol settings in the full policy.
# Because this side is the client, any legacy suite it offers may be the
# one the server selects; drop the 3DES suites unless a peer requires them.
TTLSCipherParms                   cipher-MXQ
{
  V3CipherSuites                  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  V3CipherSuites                  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  V3CipherSuites                  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  V3CipherSuites                  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  # Legacy fallbacks from here on (no forward secrecy, CBC/SHA-1).
  V3CipherSuites                  TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites                  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites                  TLS_DH_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites                  TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  V3CipherSuites                  TLS_DH_DSS_WITH_AES_256_CBC_SHA
  V3CipherSuites                  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites                  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites                  TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites                  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites                  TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites                  TLS_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites                  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites                  TLS_DH_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites                  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  V3CipherSuites                  TLS_DH_DSS_WITH_AES_128_CBC_SHA
}
# Local port range referenced by the Default_MXQ rule: all non-privileged
# ports, i.e. the ephemeral ports a client connection is assigned.
# The same name is defined again in the AXQ section below; keep only one
# definition if the sections are combined into a single policy file.
PortRange                         portR1
{
Port                              1024-65535
}
# Second port range with the same content as portR1.  No rule in this
# example references portR2, and it is defined again in the AXQ section
# below; it can be dropped unless another rule uses it.
PortRange                         portR2
{
  Port                            1024-65535
}
# TTLS rule for the AXQ traffic; identical in shape to Default_MXQ but
# wired to the gAct1~AXQ / eAct1~AXQ / cAct1~AXQ actions.  Matches any
# local and remote address, local ports from portR1 (1024-65535) to
# remote port 443, in either direction, for the user ID in Userid.
TTLSRule                          Default_AXQ
{
LocalAddr                       ALL
RemoteAddr                      ALL
LocalPortRangeRef               portR1
RemotePortRange                 443
# SAFID is a placeholder: replace it with the user ID that AXQTINIT runs
# under.  The "<===" text is an annotation from the example, not policy
# syntax; remove it (or put it behind a '#') before loading the policy.
Userid                          SAFID  <=== should be user ID for AXQTINIT
# NOTE(review): with HandshakeRole Client on the referenced actions,
# Direction Outbound would be the narrower match; confirm Both is intended.
Direction                       Both
# 255 is the highest rule priority; it ties with Default_MXQ, so the two
# rules are only distinguished by their Userid values.
Priority                        255
TTLSGroupActionRef              gAct1~AXQ
TTLSEnvironmentActionRef        eAct1~AXQ
TTLSConnectionActionRef         cAct1~AXQ
}
# Group action for the AXQ rule: enables AT-TLS.  Trace 255 is the
# maximum trace setting; reduce it once the policy is verified.
TTLSGroupAction                 gAct1~AXQ
{
TTLSEnabled                     On
Trace                           255
}
# Environment action for the AXQ rule: client-side handshake, using the
# AXQ_keyring parms (which name the same CLOUDrng keyring as the MXQ
# side).  Trace 255 requests maximum tracing.
TTLSEnvironmentAction           eAct1~AXQ
{
HandshakeRole                   Client
EnvironmentUserInstance         0
TTLSKeyringParmsRef             AXQ_keyring
Trace                           255
}
# Connection action for the AXQ rule: cipher list cipher-AXQ, advanced
# parms cAdv1~AXQ.  CtraceClearText Off keeps decrypted application data
# out of CTRACE; Trace 2 is a low trace level.
TTLSConnectionAction            cAct1~AXQ
{
HandshakeRole                   Client
TTLSCipherParmsRef              cipher-AXQ
TTLSConnectionAdvancedParmsRef  cAdv1~AXQ
CtraceClearText                 Off
Trace                           2
}
# Advanced connection parms for the AXQ rule.
# NOTE(review): ResetCipherTimer is 0 here but 2 in the otherwise
# identical MXQ block (cAdv1~MXQ); confirm which value is intended.
TTLSConnectionAdvancedParms     cAdv1~AXQ
{
ResetCipherTimer                0
SecondaryMap                    Off
}
# Keyring used by eAct1~AXQ; names the same CLOUDrng keyring as
# MXQ_keyring, so both rule sets share one trust store.
TTLSKeyringParms                AXQ_keyring
{
Keyring                         CLOUDrng
}
# Duplicate of the cipher1~Default_Ciphers list from the MXQ section.
# It is not referenced by any action in this example; if both sections
# go into one policy file, keep only one definition of this name.
# All suites are legacy RSA/DH/DSS with CBC/SHA-1 or 3DES and provide
# no forward secrecy; prefer the ECDHE GCM suites in cipher-AXQ.
TTLSCipherParms                 cipher1~Default_Ciphers
{
V3CipherSuites                  TLS_RSA_WITH_AES_256_CBC_SHA
V3CipherSuites                  TLS_DHE_RSA_WITH_AES_256_CBC_SHA
V3CipherSuites                  TLS_DH_RSA_WITH_AES_256_CBC_SHA
V3CipherSuites                  TLS_DHE_DSS_WITH_AES_256_CBC_SHA
V3CipherSuites                  TLS_DH_DSS_WITH_AES_256_CBC_SHA
# 3DES suites are weak by current standards.
V3CipherSuites                  TLS_RSA_WITH_3DES_EDE_CBC_SHA
V3CipherSuites                  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
V3CipherSuites                  TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
V3CipherSuites                  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
V3CipherSuites                  TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
V3CipherSuites                  TLS_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites                  TLS_DHE_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites                  TLS_DH_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites                  TLS_DHE_DSS_WITH_AES_128_CBC_SHA
V3CipherSuites                  TLS_DH_DSS_WITH_AES_128_CBC_SHA
}
# Cipher list used by cAct1~AXQ; same content as cipher-MXQ.  The first
# eight ECDHE suites are the forward-secret, TLS 1.2 choices; the rest are
# legacy RSA/DH/DSS CBC and 3DES fallbacks.
# NOTE(review): no TLSv1.2 On setting appears in this example; on releases
# where TLSv1.2 defaults to Off the SHA256/SHA384/GCM suites would never
# be negotiated -- confirm the protocol settings in the full policy.
# Drop the 3DES suites unless a peer genuinely requires them.
TTLSCipherParms                   cipher-AXQ
{
V3CipherSuites                TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
V3CipherSuites                TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
V3CipherSuites                TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
V3CipherSuites                TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
V3CipherSuites                TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
V3CipherSuites                TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
V3CipherSuites                TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
V3CipherSuites                TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
# Legacy fallbacks from here on (no forward secrecy, CBC/SHA-1).
V3CipherSuites                TLS_RSA_WITH_AES_256_CBC_SHA
V3CipherSuites                TLS_DHE_RSA_WITH_AES_256_CBC_SHA
V3CipherSuites                TLS_DH_RSA_WITH_AES_256_CBC_SHA
V3CipherSuites                TLS_DHE_DSS_WITH_AES_256_CBC_SHA
V3CipherSuites                TLS_DH_DSS_WITH_AES_256_CBC_SHA
V3CipherSuites                TLS_RSA_WITH_3DES_EDE_CBC_SHA
V3CipherSuites                TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
V3CipherSuites                TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
V3CipherSuites                TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
V3CipherSuites                TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
V3CipherSuites                TLS_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites                TLS_DHE_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites                TLS_DH_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites                TLS_DHE_DSS_WITH_AES_128_CBC_SHA
V3CipherSuites                TLS_DH_DSS_WITH_AES_128_CBC_SHA
}
# Local port range referenced by Default_AXQ (all non-privileged ports).
# Duplicates the portR1 definition in the MXQ section; keep only one
# if the two sections share a policy file.
PortRange                     portR1
{
Port                          1024-65535
}
# Unreferenced port range, identical to portR1 and duplicated from the
# MXQ section; it can be dropped unless another rule uses it.
PortRange                     portR2
{
Port                          1024-65535
}