AT-TLS policy example
The following example shows a sample AT-TLS policy. This policy is included for information purposes only, and will require modification for your environment. See SAZFSAMP(AZFTTLSX) for sample AT-TLS rule definitions for IBM® MFA.
# Inbound rule for the server-authentication port: TLS with the server
# presenting a certificate only (no client certificate is requested; see
# HandshakeRole Server in AZFEnvAction1). ?serverAuthPort? is a placeholder
# to be replaced with the site's port number.
TTLSRule AZFSrvAuthRule
{
# Any local and any remote address; only the local port narrows the match.
LocalAddr ALL
RemoteAddr ALL
LocalPortRange ?serverAuthPort?
Direction Inbound
# 255 is the highest rule priority, so this rule is checked before any
# lower-priority rule that could also match the connection.
Priority 255
TTLSGroupActionRef AZFGroupAction1
TTLSEnvironmentActionRef AZFEnvAction1
TTLSConnectionActionRef AZFConnAction1
}
# Inbound rule for the mutual-authentication port: the client must present a
# certificate that validates (ClientAuthType Required in AZFEnvAdvMutual).
# ?mutualAuthPort? is a placeholder to be replaced with the site's port number.
# Keep this port distinct from ?serverAuthPort?, otherwise both rules match
# and only priority decides which one applies.
TTLSRule AZFMutAuthRule
{
LocalAddr ALL
RemoteAddr ALL
LocalPortRange ?mutualAuthPort?
Direction Inbound
# Same priority as AZFSrvAuthRule; the two rules are kept apart by port.
Priority 255
TTLSGroupActionRef AZFGroupAction1
# Environment and connection actions specific to client-certificate checking.
TTLSEnvironmentActionRef AZFEnvActionMutual
TTLSConnectionActionRef AZFConnActionMutual
}
# Outbound rule: connections opened by the AZF jobs themselves act as the TLS
# client (HandshakeRole Client in eActAZFClient). ?outboundPort? is a
# placeholder for the remote port the AZF jobs connect to.
TTLSRule AZFClientRule
{
# Only jobs whose name starts with AZF are covered; '*' is a wildcard.
# This keeps the rule from wrapping unrelated outbound traffic to the same port.
Jobname AZF*
LocalAddr ALL
RemoteAddr ALL
# Outbound, so the REMOTE port is the selector, not the local one.
RemotePortRange ?outboundPort?
Direction Outbound
Priority 255
TTLSEnvironmentActionRef eActAZFClient
TTLSGroupActionRef AZFGroupAction1
# Shares the cipher list and advanced connection parameters with the
# server-authentication rule.
TTLSConnectionActionRef AZFConnAction1
}
# Key ring used by both server-side environments (AZFEnvAction1 and
# AZFEnvActionMutual). ?serverRingName? is a placeholder for the ring that
# holds the server certificate and, for mutual authentication, the CA
# certificates the server must trust to validate client certificates.
TTLSKeyringParms AZFKeyringParms
{
Keyring ?serverRingName?
}
# Key ring used by the outbound client environment (eActAZFClient).
# ?clientRingName? is a placeholder; this ring must hold the CA certificates
# needed to validate the remote server's certificate, and may be the same ring
# as ?serverRingName? if the site keeps one ring for both roles.
TTLSKeyringParms AZFClientKeyringParms
{
Keyring ?clientRingName?
}
# Group action shared by all three rules: turns AT-TLS on for matching
# connections.
TTLSGroupAction AZFGroupAction1
{
TTLSEnabled On
# 255 enables every trace category and is a diagnostic setting; it is repeated
# in each environment and connection action below. Once the policy is
# working, lower it to a value that records errors only, so that trace output
# does not fill the log or expose handshake detail.
Trace 255
}
# Environment for the server-authentication port: AT-TLS is the TLS server and
# does not ask the client for a certificate.
TTLSEnvironmentAction AZFEnvAction1
{
HandshakeRole Server
# Instance 0 is shared with AZFEnvActionMutual; the client environment uses
# instance 1 so its settings are kept separate.
EnvironmentUserInstance 0
# Protocol versions come from AZFEnvAdvServer; certificates from AZFKeyringParms.
TTLSEnvironmentAdvancedParmsRef AZFEnvAdvServer
TTLSKeyringParmsRef AZFKeyringParms
# Diagnostic trace level; see the note on Trace in AZFGroupAction1.
Trace 255
}
# Environment for the mutual-authentication port: AT-TLS is the TLS server and
# requests a client certificate during the handshake.
TTLSEnvironmentAction AZFEnvActionMutual
{
HandshakeRole ServerWithClientAuth
EnvironmentUserInstance 0
# AZFEnvAdvMutual sets ClientAuthType Required, which is what makes the
# client certificate mandatory rather than optional.
TTLSEnvironmentAdvancedParmsRef AZFEnvAdvMutual
# Same server ring as AZFEnvAction1; it must also contain the CA
# certificates used to validate client certificates.
TTLSKeyringParmsRef AZFKeyringParms
# Diagnostic trace level; see the note on Trace in AZFGroupAction1.
Trace 255
}
# Environment for outbound connections from the AZF jobs: AT-TLS is the TLS
# client and validates the remote server's certificate against
# AZFClientKeyringParms.
TTLSEnvironmentAction eActAZFClient
{
HandshakeRole Client
# Separate instance from the two server environments (which use 0).
EnvironmentUserInstance 1
TTLSKeyringParmsRef AZFClientKeyringParms
# Diagnostic trace level; see the note on Trace in AZFGroupAction1.
Trace 255
# Protocol versions for the client side; kept in step with the server
# environments so the same TLS versions are used in both directions.
TTLSEnvironmentAdvancedParmsRef eAdvAZFClient
}
# Connection action shared by the server-authentication rule and the outbound
# client rule.
TTLSConnectionAction AZFConnAction1
{
# Single cipher list for every rule in this policy.
TTLSCipherParmsRef AZFCipherParms
TTLSConnectionAdvancedParmsRef AZFConnAdvParms1
# Keep Off: with it On, application data would be written to CTRACE in the
# clear, which defeats the point of encrypting it.
CtraceClearText Off
# Diagnostic trace level; see the note on Trace in AZFGroupAction1.
Trace 255
}
# Connection action for the mutual-authentication rule. Differs from
# AZFConnAction1 only in the advanced parameters it references
# (AZFConnAdvParmsMutual adds a handshake timeout).
TTLSConnectionAction AZFConnActionMutual
{
TTLSCipherParmsRef AZFCipherParms
TTLSConnectionAdvancedParmsRef AZFConnAdvParmsMutual
# Keep Off: with it On, application data would be written to CTRACE in the
# clear, which defeats the point of encrypting it.
CtraceClearText Off
# Diagnostic trace level; see the note on Trace in AZFGroupAction1.
Trace 255
}
# Advanced parameters for the server-authentication environment.
# Only TLS 1.3 is enabled as shipped; every older protocol version is Off.
TTLSEnvironmentAdvancedParms AZFEnvAdvServer
{
# PassThru does not validate a client certificate. It is paired here with
# HandshakeRole Server (AZFEnvAction1), where no client certificate is
# requested, so it should not come into play; do not reuse this block for
# a ServerWithClientAuth environment.
ClientAuthType PassThru
# AT-TLS, not the application, starts the handshake.
ApplicationControlled Off
# Deprecated protocol versions stay Off.
SSLv2 Off
SSLv3 Off
TLSv1 Off
TLSv1.1 Off
# To enable TLSv1.2, change the next line to "On"
TLSv1.2 Off
# On z/OS 2.3, or earlier, add a leading '#' to the next line.
# NOTE: if you do, also set TLSv1.2 to "On" above; with TLSv1.3 commented out
# and TLSv1.2 Off, no protocol version remains enabled and every handshake fails.
TLSv1.3 On
}
# Advanced parameters for the mutual-authentication environment.
# Identical to AZFEnvAdvServer apart from ClientAuthType.
TTLSEnvironmentAdvancedParms AZFEnvAdvMutual
{
# Required: the client must present a certificate and it must validate
# against the CA certificates in ?serverRingName?; a connection without a
# valid client certificate is rejected by AT-TLS before the application sees it.
ClientAuthType Required
# AT-TLS, not the application, starts the handshake.
ApplicationControlled Off
# Deprecated protocol versions stay Off.
SSLv2 Off
SSLv3 Off
TLSv1 Off
TLSv1.1 Off
# To enable TLSv1.2, change the next line to "On"
TLSv1.2 Off
# On z/OS 2.3, or earlier, add a leading '#' to the next line.
# NOTE: if you do, also set TLSv1.2 to "On" above; with TLSv1.3 commented out
# and TLSv1.2 Off, no protocol version remains enabled and every handshake fails.
TLSv1.3 On
}
# Advanced parameters for the outbound client environment. No ClientAuthType
# here because this side is the TLS client. The protocol versions match the
# server environments; change them together, since the remote peer must
# offer at least one version enabled here.
TTLSEnvironmentAdvancedParms eAdvAZFClient
{
# AT-TLS, not the application, starts the handshake.
ApplicationControlled Off
# Deprecated protocol versions stay Off.
SSLv2 Off
SSLv3 Off
TLSv1 Off
TLSv1.1 Off
# To enable TLSv1.2, change the next line to "On"
TLSv1.2 Off
# On z/OS 2.3, or earlier, add a leading '#' to the next line.
# NOTE: if you do, also set TLSv1.2 to "On" above; with TLSv1.3 commented out
# and TLSv1.2 Off, no protocol version remains enabled and every handshake fails.
TLSv1.3 On
}
# Advanced connection parameters for the server-authentication and outbound
# client rules. No HandshakeTimeout is set here, so the AT-TLS default applies.
TTLSConnectionAdvancedParms AZFConnAdvParms1
{
ApplicationControlled Off
# Off: this policy is not extended to secondary connections opened by the
# same application.
SecondaryMap Off
}
# Advanced connection parameters for the mutual-authentication rule.
TTLSConnectionAdvancedParms AZFConnAdvParmsMutual
{
# Handshake timeout in seconds. It is raised here because a client
# certificate exchange can take longer than a server-only handshake; keep it
# bounded so a peer that never completes the handshake does not hold the
# connection open indefinitely.
HandshakeTimeout 120
ApplicationControlled Off
# Off: this policy is not extended to secondary connections opened by the
# same application.
SecondaryMap Off
}
# Cipher suites offered on every rule in this policy. Suites are listed by
# name; the list is the preference order AT-TLS presents. All suites use
# AEAD (GCM / ChaCha20-Poly1305) or ECDHE key exchange, so no static-RSA or
# non-forward-secret suites are offered.
TTLSCipherParms AZFCipherParms
{
# TLSv1.3 required ciphers
# On z/OS 2.3, or earlier, add a leading '#' to the next three lines.
# NOTE: if you do, TLSv1.2 must be enabled in the environment advanced parms
# or no usable cipher remains.
V3CipherSuites TLS_AES_256_GCM_SHA384
V3CipherSuites TLS_AES_128_GCM_SHA256
V3CipherSuites TLS_CHACHA20_POLY1305_SHA256
# TLSv1.2 required ciphers (ignored when TLSv1.2 is not enabled)
# The CBC suites below are listed ahead of the GCM suites and are kept for
# interoperability with older peers; GCM (AEAD) is the stronger choice.
# If every TLSv1.2 peer supports GCM, consider moving the GCM suites first or
# removing the CBC suites.
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}