SMF field descriptions: TLS_*

TLS_CLI_CERT_DIGEST_MTHD

TLS client certificate digest method. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12) that have a TLS protocol attributes section. The default output format of this field is CertDigestMethod. This field and its values can also be used as input for filtering purposes. See IKE_LCL_CERT_DIGEST_MTHD for the possible values of the TLS_CLI_CERT_DIGEST_MTHD field. This field is missing if the client certificate digest method is unknown.

TLS_CLIENT_CERT_KEY_LEN

TLS client certificate key length in bits. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12) that have a TLS protocol attributes section. This field is missing if the client certificate key length is unknown.

TLS_CLIENT_CERT_KEY_TYPE

TLS client certificate key type. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12) that have a TLS protocol attributes section. The default output format of this field is KeyType. This field and its values can also be used as input for filtering purposes. See IKE_LOCAL_CERT_KEY_TYPE for the possible values of the TLS_CLIENT_CERT_KEY_TYPE field. This field is missing if the client certificate key type is unknown.

TLS_CLIENT_CERT_NOTAFTER

TLS client certificate date and time after which the certificate should not be trusted. This field is found in zERT connection detail records (SMF record type 119, subtype 11) that have a TLS protocol attributes section. This field is missing if the client certificate "not after" date and time are unknown.

TLS_CLIENT_CERT_SERIAL

TLS client certificate serial number. This field is found in zERT connection detail records (SMF record type 119, subtype 11) that have a TLS protocol attributes section. The maximum length of the field is 40 hexadecimal digits. The field is missing if the client certificate serial number is unknown.

TLS_CLNT_CERT_ENCR_MTHD

TLS client certificate encryption method. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12) that have a TLS protocol attributes section. The default output format of this field is CertEncrMethod. This field and its values can also be used as input for filtering purposes. See IKE_LCL_CERT_ENCR_METHOD for the possible values of the TLS_CLNT_CERT_ENCR_MTHD field. This field is missing if the client certificate encryption method is unknown.

TLS_CLNT_CERT_SIG_METHOD

TLS client certificate signature method. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12) that have a TLS protocol attributes section. The default output format of this field is CertSigMethod. This field and its values can also be used as input for filtering purposes. See IKE_LCL_CERT_SIG_METHOD for the possible values of the TLS_CLNT_CERT_SIG_METHOD field. This field is missing if the client certificate signature method is unknown.

TLS_ENCR_CHAINING_MODE

Chaining mode of the symmetric encryption method that the TLS cipher suite uses. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12) that have a TLS protocol attributes section. The default output format of this field is EncrChainingMode. This field and its values can also be used as input for filtering purposes. See IKE_TUNNEL_ENCR_CHAINING for the possible values of the TLS_ENCR_CHAINING_MODE field. This field is missing if the symmetric encryption method is unknown.

TLS_ENCR_KEY_LENGTH

Key length of the symmetric encryption method that the TLS cipher suite uses. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12) that have a TLS protocol attributes section. The field is 0 if no symmetric encryption is employed. This field is missing if the symmetric encryption method is unknown.

TLS_ENCRYPTION_FAMILY

Family of the symmetric encryption method used by the TLS cipher suite. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12) that have a TLS protocol attributes section. The default output format of this field is EncryptionFamily. This field and its values can also be used as input for filtering purposes. See IKE_TUNNEL_ENCR_FAMILY for the possible values of the TLS_ENCRYPTION_FAMILY field. This field is missing if the symmetric encryption method is unknown.

TLS_ENCRYPTION_METHOD

Symmetric encryption method that is used by the TLS cipher suite. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12) that have a TLS protocol attributes section. The default output format of this field is EncryptionMethod. This field and its values can also be used as input for filtering purposes. See IKE_TUNNEL_ENCR_METHOD for a list of the possible values of the TLS_ENCRYPTION_METHOD field. This field is missing if the symmetric encryption method is unknown.

TLS_ENCRYPT_THEN_MAC

Flag field that indicates whether the encrypt-then-MAC construct is used in TLS. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12) that have a TLS protocol attributes section.

TLS_FIPS_MODE

FIPS 140 mode of the TLS provider. This field is found in zERT connection detail records (SMF record type 119, subtype 11) that have a TLS protocol attributes section. The default output format of this field is FIPSMode. This field and its values can also be used as input for filtering purposes. See SSH_FIPS_MODE for the possible values of the TLS_FIPS_MODE field.

TLS_HANDSHAKE_ROLE

TLS local handshake role. This field is found in zERT connection detail records (SMF record type 119, subtype 11) that have a TLS protocol attributes section. The default output format of this field is TLSHandshakeRole. This field and its values can also be used as input for filtering purposes.

Following are the possible values of this field:
  • Client
  • Server
  • Svr_Cli_auth

The value Svr_Cli_auth means a server with client authentication.

The field is missing if the local handshake role is unknown.

TLS_HANDSHAKE_TYPE

TLS handshake type. This field is found in zERT connection detail records (SMF record type 119, subtype 11) that have a TLS protocol attributes section. The default output format of this field is TLSHandshakeType. This field and its values can also be used as input for filtering purposes.

Following are the possible values of this field:
Value:        Clarification:
Full          Full handshake
Abbreviated   Abbreviated handshake

TLS_KEY_EXCHANGE_METHOD

Key exchange method that the TLS cipher suite uses. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12) that have a TLS protocol attributes section. The default output format of this field is TLSKeyExchMethod. This field and its values can also be used as input for filtering purposes.

Following are the possible values of this field:
  • None
  • RSA
  • RSA-EXPORT
  • RSA-PSK
  • DH-RSA
  • DH-RSA-EXPORT
  • DH-DSS
  • DH-ANON
  • DH-ANON-EXPORT
  • DH-DSS-EXPORT
  • DHE
  • DHE-RSA
  • DHE-RSA-EXPORT
  • DHE-DSS
  • DHE-DSS-EXPORT
  • DHE-PSK
  • ECDH-ECDSA
  • ECDH-RSA
  • ECDH-ANON
  • ECDHE
  • ECDHE-ECDSA
  • ECDHE-RSA
  • ECDHE-PSK
  • KRB5
  • KRB5-EXPORT
  • PSK
  • SRP-SHA-RSA
  • SRP-SHA-DSS
  • SRP-SHA

The field is missing if the key exchange method is unknown.

TLS_MSG_AUTH_METHOD

Message authentication method that is used by the TLS cipher suite. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12) that have a TLS protocol attributes section. The default output format of this field is MsgAuthMethod. This field and its values can also be used as input for filtering purposes. See IKE_TUNNEL_AUTH_METHOD for the possible values of the TLS_MSG_AUTH_METHOD field. This field is missing if the message authentication method is unknown.

TLS_NEG_CIPHER_SUITE_ID

Negotiated TLS cipher suite identifier. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12) that have a TLS protocol attributes section.

If the TLS protocol version is SSLv3 or later, then TLS_NEG_CIPHER_SUITE_ID is a character string with 4 hexadecimal digits. For a complete list of possible values and their descriptions, refer to the TLS Cipher Suite registry at www.iana.org/assignments/tls-parameters/tls-parameters.xhtml.

If the TLS protocol version is SSLv2, then TLS_NEG_CIPHER_SUITE_ID is a character string with 6 hexadecimal digits that can have the following values:
Value:   Description:
010080   128-bit RC4 with MD5
020080   40-bit RC4 with MD5
030080   128-bit RC2 with MD5
040080   40-bit RC2 with MD5
050080   128-bit IDEA with MD5
060040   DES with MD5
0700C0   3DES with MD5

The maximum length of the field is 6 characters. This field is missing if the TLS protocol version is unknown.
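
An added example (not part of the original documentation or of any product tooling): a small policy audit over the TLS_PROTOCOL_VERSION, TLS_KEY_EXCHANGE_METHOD and TLS_NEG_CIPHER_SUITE_ID values documented on this page, including the 6-digit versus 4-digit suite identifier rule. It assumes the records have already been exported as field-name/value pairs with a missing field represented as an empty string; the deprecated-version and static-key-exchange sets are this example's own policy choices, and the sample records are constructed.

```python
import re

FIELDS = ("TLS_PROTOCOL_VERSION", "TLS_KEY_EXCHANGE_METHOD",
          "TLS_NEG_CIPHER_SUITE_ID")
# SSLv2 suite identifiers (6 hex digits) as listed on this page.
SSLV2_SUITES = {
    "010080": "128-bit RC4 with MD5", "020080": "40-bit RC4 with MD5",
    "030080": "128-bit RC2 with MD5", "040080": "40-bit RC2 with MD5",
    "050080": "128-bit IDEA with MD5", "060040": "DES with MD5",
    "0700C0": "3DES with MD5",
}
# Policy choices of this example, not defined by the page.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
STATIC_KEX = {"RSA", "RSA-PSK", "PSK", "KRB5", "DH-RSA", "DH-DSS",
              "ECDH-ECDSA", "ECDH-RSA"}

def describe_suite(version, suite_id):
    """Decode TLS_NEG_CIPHER_SUITE_ID by protocol version; None if malformed."""
    if version == "SSLv2":
        return SSLV2_SUITES.get(suite_id.upper())
    if re.fullmatch(r"[0-9A-Fa-f]{4}", suite_id):
        return "IANA TLS Cipher Suite registry value 0x" + suite_id.upper()
    return None

def audit(record):
    """Return policy findings for one exported record (dict of field -> str)."""
    version, kex, suite = (record.get(f, "") for f in FIELDS)
    findings = []
    if not version:  # a missing field means "unknown", never "compliant"
        findings.append("protocol version unknown")
    elif version in DEPRECATED:
        findings.append("deprecated protocol " + version)
    if not kex:
        findings.append("key exchange method unknown")
    elif kex.endswith("-EXPORT"):
        findings.append("export-grade key exchange " + kex)
    elif "ANON" in kex:
        findings.append("anonymous key exchange " + kex)
    elif kex in STATIC_KEX:
        findings.append("no forward secrecy with " + kex)
    if version and suite and describe_suite(version, suite) is None:
        findings.append("suite id %s is not valid for %s" % (suite, version))
    return findings

# Constructed sample records; "" stands for a missing field.
SAMPLE = [dict(zip(FIELDS, r)) for r in (
    ("TLSv1.3", "ECDHE", "1302"), ("TLSv1.0", "RSA", "002F"),
    ("SSLv2", "RSA-EXPORT", "020080"), ("", "", ""),
    ("TLSv1.2", "DH-ANON", "C02F0"))]
```

Calling `[audit(r) for r in SAMPLE]` yields one list of findings per record; an empty list means the record passed this example's policy.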

TLS_POLICY_RULE_NAME

This field reflects the matching zERT TLS policy rule name, if any. The field is reported missing if there is no matching zERT TLS policy rule name. TLS_POLICY_RULE_NAME is included in SMF record type 119, subtypes 2 and 11. The value is reported missing for z/OS 2.4 or earlier. The default length of the field is 48 characters.

TLS_PROTOCOL_PROVIDER

This field is found in zERT connection detail records (SMF record type 119, subtype 11) that have a TLS protocol attributes section. A TLS_PROTOCOL_PROVIDER value of Observation means that the information was observed by the TCP/IP stack, rather than supplied by a Cryptographic Protocol Provider. A value of IBM System SSL means that the information was provided by System SSL, which is the TLS support that is integral to z/OS. The maximum length of the field is 16 characters.

TLS_PROTOCOL_VERSION

TLS protocol version. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12) that have a TLS protocol attributes section. The default output format of this field is TLSProtocolVer. This field and its values can also be used as input for filtering purposes.

Following are the possible values of this field:
  • SSLv2
  • SSLv3
  • TLSv1.0
  • TLSv1.1
  • TLSv1.2
  • TLSv1.3

The field is missing if the protocol version is unknown.

TLS_SERVER_CERT_KEY_LEN

TLS server certificate key length in bits. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12) that have a TLS protocol attributes section. This field is missing if the server certificate key length is unknown.

TLS_SERVER_CERT_KEY_TYPE

TLS server certificate key type. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12) that have a TLS protocol attributes section. The default output format of this field is KeyType. This field and its values can also be used as input for filtering purposes. See IKE_LOCAL_CERT_KEY_TYPE for the possible values of the TLS_SERVER_CERT_KEY_TYPE field. This field is missing if the server certificate key type is unknown.

TLS_SERVER_CERT_NOTAFTER

TLS server certificate date and time after which the certificate should not be trusted. This field is found in zERT connection detail records (SMF record type 119, subtype 11) that have a TLS protocol attributes section. This field is missing if the server certificate "not after" date and time are unknown.

TLS_SERVER_CERT_SERIAL

TLS server certificate serial number. This field is found in zERT connection detail records (SMF record type 119, subtype 11) that have a TLS protocol attributes section. The maximum length of the field is 40 hexadecimal digits. This field is missing if the server certificate serial number is unknown.

TLS_SESSION_ID

TLS session ID. This field is found in zERT connection detail records (SMF record type 119, subtype 11) that have a TLS protocol attributes section. The maximum length of the field is 64 hexadecimal digits.

TLS_SRVR_CERT_ENCR_MTHD

TLS server certificate encryption method. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12) that have a TLS protocol attributes section. The default output format of this field is CertEncrMethod. This field and its values can also be used as input for filtering purposes. See IKE_LCL_CERT_ENCR_METHOD for the possible values of the TLS_SRVR_CERT_ENCR_MTHD field. This field is missing if the server certificate encryption method is unknown.

TLS_SRVR_CERT_SIG_METHOD

TLS server certificate signature method. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12) that have a TLS protocol attributes section. The default output format of this field is CertSigMethod. This field and its values can also be used as input for filtering purposes. See IKE_LCL_CERT_SIG_METHOD for the possible values of the TLS_SRVR_CERT_SIG_METHOD field. This field is missing if the server certificate signature method is unknown.

TLS_SSL_PROTOCOL

This is an alias for CSSMTP_CN_TLS_SSL_PROTO. This alias has a wider applicability than just CSSMTP.

TLS_SVR_CERT_DIGEST_MTHD

TLS server certificate digest method. This field is found in zERT connection detail records (SMF record type 119, subtype 11) and zERT summary records (SMF record type 119, subtype 12) that have a TLS protocol attributes section. The default output format of this field is CertDigestMethod. This field and its values can also be used as input for filtering purposes. See IKE_LCL_CERT_DIGEST_MTHD for the possible values of the TLS_SVR_CERT_DIGEST_MTHD field. This field is missing if the server certificate digest method is unknown.