AT-TLS policy example

The following example shows a sample AT-TLS policy. This policy is included for information purposes only and must be adapted to your environment before use: every `?name?` token (for example `?serverAuthPort?`, `?keyringName?`) is a placeholder to be replaced with a real value, and the trace levels shown are diagnostic settings rather than production values. See SYS1.SAZFSAMP(AZFTTLSX) for sample AT-TLS rule definitions for IBM MFA.

# Inbound rule for the server-authentication-only listener.
# Matches any local/remote address on the ?serverAuthPort? port; the
# server presents its certificate, the client is not required to present one
# (see AZFEnvAction1 / AZFEnvAdvServer). Priority 255 is shared by all three
# rules here, so they are distinguished by port and direction, not priority.
TTLSRule AZFSrvAuthRule
{
  LocalAddr ALL
  RemoteAddr ALL
  LocalPortRange ?serverAuthPort?
  Direction Inbound
  Priority 255
  TTLSGroupActionRef AZFGroupAction1
  TTLSEnvironmentActionRef AZFEnvAction1
  TTLSConnectionActionRef AZFConnAction1
}

# Inbound rule for the mutual-authentication listener.
# Same address scope as AZFSrvAuthRule but on ?mutualAuthPort?; it references
# the environment/connection actions that require a client certificate
# (AZFEnvActionMutual -> AZFEnvAdvMutual, ClientAuthType Required).
# NOTE(review): RemoteAddr ALL exposes the listener to every peer; narrow it
# if only known client networks should reach this port.
TTLSRule AZFMutAuthRule
{
  LocalAddr ALL
  RemoteAddr ALL
  LocalPortRange ?mutualAuthPort?
  Direction Inbound
  Priority 255
  TTLSGroupActionRef AZFGroupAction1
  TTLSEnvironmentActionRef AZFEnvActionMutual
  TTLSConnectionActionRef AZFConnActionMutual
}

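# Outbound rule for connections opened by AZF* jobs to ?outboundPort?.
# The local side acts as the TLS client (see eActAZFClient) and uses the
# separate client key ring AZFClientKeyringParms.
# Attribute order and spacing are aligned with the two inbound rules above;
# this is cosmetic only and does not change how the rule is evaluated.
# NOTE(review): nothing in this rule or its environment restricts which
# server certificates are trusted beyond what the client key ring holds —
# confirm the key ring contains only the intended CA/server certificates.
TTLSRule AZFClientRule
{
  Jobname AZF*
  LocalAddr ALL
  RemoteAddr ALL
  RemotePortRange ?outboundPort?
  Direction Outbound
  Priority 255
  TTLSGroupActionRef AZFGroupAction1
  TTLSEnvironmentActionRef eActAZFClient
  TTLSConnectionActionRef AZFConnAction1
}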
# Key ring used by the two inbound (server-side) environments.
# ?keyringName? must be replaced with the SAF key ring that holds the server
# certificate and the CA certificates used to validate client certificates.
TTLSKeyringParms AZFKeyringParms
{
  Keyring ?keyringName?
}

# Key ring used by the outbound (client-side) environment eActAZFClient.
# Kept separate from the server ring so the trust anchors for outbound
# server validation can differ from those used for inbound client auth.
TTLSKeyringParms AZFClientKeyringParms
{
  Keyring ?clientRingName?
}

# Group action shared by all three rules; simply turns AT-TLS on.
# NOTE(review): Trace 255 is the maximum trace setting and is repeated in
# every action below. It is appropriate while bringing the policy up but
# should be reduced for production to limit trace volume and what ends up
# in the trace data set.
TTLSGroupAction AZFGroupAction1
{
  TTLSEnabled On
  Trace 255
}

# Environment for the server-authentication-only listener.
# HandshakeRole Server: this side presents a certificate from AZFKeyringParms
# and does not request one from the client.
TTLSEnvironmentAction AZFEnvAction1
{
  HandshakeRole Server
  EnvironmentUserInstance 0
  TTLSEnvironmentAdvancedParmsRef AZFEnvAdvServer
  TTLSKeyringParmsRef AZFKeyringParms
  Trace 255
}

# Environment for the mutual-authentication listener.
# HandshakeRole ServerWithClientAuth: the client must present a certificate;
# how strictly it is checked is set by ClientAuthType in AZFEnvAdvMutual.
# Uses the same server key ring as AZFEnvAction1.
TTLSEnvironmentAction AZFEnvActionMutual
{
  HandshakeRole ServerWithClientAuth
  EnvironmentUserInstance 0
  TTLSEnvironmentAdvancedParmsRef AZFEnvAdvMutual
  TTLSKeyringParmsRef AZFKeyringParms
  Trace 255
}
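# Environment for outbound connections made by AZF* jobs (AZFClientRule).
# HandshakeRole Client: this side validates the remote server's certificate
# against the trust anchors in AZFClientKeyringParms.
# Attribute order and spacing are aligned with the two server environments
# above; this is cosmetic only.
# NOTE(review): EnvironmentUserInstance is 1 here but 0 in the server
# environments — the sample does not explain why; confirm it is intentional.
TTLSEnvironmentAction eActAZFClient
{
  HandshakeRole Client
  EnvironmentUserInstance 1
  TTLSEnvironmentAdvancedParmsRef eAdvAZFClient
  TTLSKeyringParmsRef AZFClientKeyringParms
  Trace 255
}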

# Connection action for the server-auth listener and for outbound client
# connections (both AZFSrvAuthRule and AZFClientRule reference it).
# CtraceClearText Off keeps decrypted application data out of the CTRACE
# output even though Trace is at its maximum.
TTLSConnectionAction AZFConnAction1
{
  TTLSCipherParmsRef AZFCipherParms
  TTLSConnectionAdvancedParmsRef AZFConnAdvParms1
  CtraceClearText Off
  Trace 255
}

# Connection action for the mutual-auth listener.
# Same cipher list and clear-text trace setting as AZFConnAction1; differs
# only in the advanced parms (longer handshake timeout, see
# AZFConnAdvParmsMutual).
TTLSConnectionAction AZFConnActionMutual
{
  TTLSCipherParmsRef AZFCipherParms
  TTLSConnectionAdvancedParmsRef AZFConnAdvParmsMutual
  CtraceClearText Off
  Trace 255
}

# Advanced parms for the server-auth-only environment (AZFEnvAction1).
# Only TLS 1.2 and 1.3 are enabled; SSLv2/SSLv3/TLS 1.0/1.1 are explicitly
# disabled so a default change cannot silently re-enable them.
# NOTE(review): ClientAuthType PassThru means a client certificate, if one
# is received, is not validated. It has no effect while the environment's
# HandshakeRole is Server (no client certificate is requested), but it would
# become a security-relevant setting if this parms block were ever reused
# with HandshakeRole ServerWithClientAuth — use Required (as in
# AZFEnvAdvMutual) in that case.
TTLSEnvironmentAdvancedParms AZFEnvAdvServer
{
  ClientAuthType PassThru
  ApplicationControlled Off
  SSLv2 Off
  SSLv3 Off
  TLSv1 Off
  TLSv1.1 Off
  TLSv1.2 On
  TLSv1.3 On
}

# Advanced parms for the mutual-auth environment (AZFEnvActionMutual).
# ClientAuthType Required: the handshake fails unless the client presents a
# certificate that validates against the key ring in AZFKeyringParms.
# Protocol versions match AZFEnvAdvServer (TLS 1.2 and 1.3 only).
TTLSEnvironmentAdvancedParms AZFEnvAdvMutual
{
  ClientAuthType Required
  ApplicationControlled Off
  SSLv2 Off
  SSLv3 Off
  TLSv1 Off
  TLSv1.1 Off
  TLSv1.2 On
  TLSv1.3 On
}

# Advanced parms for the outbound client environment (eActAZFClient).
# Protocol versions match the server environments: TLS 1.2 and 1.3 only.
# ClientAuthType is not set because it does not apply to HandshakeRole Client.
TTLSEnvironmentAdvancedParms eAdvAZFClient
{
  ApplicationControlled Off
  SSLv2 Off
  SSLv3 Off
  TLSv1 Off
  TLSv1.1 Off
  TLSv1.2 On
  TLSv1.3 On
}

# Connection advanced parms for AZFConnAction1.
# ApplicationControlled Off: AT-TLS starts TLS on connect; the application
# cannot defer or opt out of the handshake.
# SecondaryMap Off: no secondary (e.g. FTP data) connections are mapped to
# this rule. HandshakeTimeout is left at its default here.
TTLSConnectionAdvancedParms AZFConnAdvParms1
{
  ApplicationControlled Off
  SecondaryMap Off
}

# Connection advanced parms for AZFConnActionMutual.
# Identical to AZFConnAdvParms1 apart from HandshakeTimeout 120 (seconds),
# which is considerably longer than the AT-TLS default and is presumably
# there to allow for slow client-certificate selection (e.g. a smart card
# prompt).
# NOTE(review): a long handshake timeout lets an unauthenticated peer hold a
# half-open TLS handshake for up to two minutes; keep it as short as the
# client population tolerates.
TTLSConnectionAdvancedParms AZFConnAdvParmsMutual
{
  HandshakeTimeout 120
  ApplicationControlled Off
  SecondaryMap Off
}
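# Cipher suites shared by every connection action in this policy.
# All suites are ECDHE (forward secrecy) with AES; the list is the same set
# as the original sample but reordered so the AEAD (GCM) suites come first
# and the CBC suites are only a fallback. When the server's preference is
# honoured, V3CipherSuites order decides which suite is chosen, so listing
# CBC first needlessly selects a CBC suite against clients that support GCM.
# NOTE(review): V3CipherSuites governs TLS 1.2 and earlier. With TLSv1.3 On
# in the environment parms, the TLS 1.3 suites are controlled by a separate
# statement (V3CipherSuites4) and, absent one, by the AT-TLS defaults —
# confirm those defaults are acceptable or set the list explicitly.
TTLSCipherParms AZFCipherParms
{
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
}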