z/OS Communications Server: IP Diagnosis Guide, GC27-3652-02

AT-TLS traces

By default, AT-TLS uses the syslog facility name daemon. Other TCP/IP functions, for example the SNMP agent, also specify the daemon facility name when writing records to syslogd. Because the job name and syslog facility name are the same, filters cannot be used to direct the records to different output files.

If you want AT-TLS records to go to a different output file, you can change the syslog facility name by configuring SyslogFacility Auth on the TTLSGroupAdvancedParms statement to direct the messages from that group to the Auth facility instead. You can then set up filtering based on the job name and facility in the syslogd configuration file to direct AT-TLS records to a different output file. If you are configuring using the IBM® Configuration Assistant for z/OS® Communications Server, you can modify the syslog facility name from the AT-TLS: Image Level Settings panel.

AT-TLS traces are enabled by setting the AT-TLS policy statement Trace to a nonzero value. A Trace statement can be configured on a TTLSGroupAction, TTLSEnvironmentAction or TTLSConnectionAction statement. See the z/OS Communications Server: IP Configuration Reference for more details about AT-TLS policy statements.

The Trace levels enable different AT-TLS messages to be issued. The value to specify is the sum of the numbers associated with each level of tracing that you want. If you are configuring using the IBM Configuration Assistant for z/OS Communications Server, you can set the default trace level on the AT-TLS: Image Level Settings panel, and you can override the trace level for each Connectivity Rule.

Table 1 lists the trace level, the generated AT-TLS messages, and the syslog priority.

Tip: Setting the Trace level to 6 enables both error messages and info messages.

The information messages trace when an AT-TLS connection is mapped to a policy (EZD1281I) and when the secure connection is successfully negotiated (EZD1283I), including the security protocol and cipher used. Using syslogd's filtering parameters, a separate log file could be kept for AT-TLS info and error messages, enabling AT-TLS connections to be tracked.

Tip: Trace level 32 shows all the SSL headers sent and received.

Each secure connection is uniquely identified by its connection ID (ConnID). You can use the ConnID to follow a connection through the AT-TLS trace.
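
The following added example (not from the IBM guide) follows connections by ConnID through AT-TLS trace records and lists those that were mapped to a policy (EZD1281I) but have no successful-negotiation record (EZD1283I). The log lines are constructed, and their field layout, including the `CONNID:` token, is an assumption; adjust the patterns to match your syslogd output.

```python
import re
from collections import defaultdict

# Constructed sample records (not real output). Assumed layout: a message ID
# followed somewhere on the line by a "CONNID: <hex>" token.
SAMPLE_LOG = """\
Jan 10 09:15:01 MVS1 TTLS[131]: EZD1281I TTLS Map CONNID: 0000002B LOCAL: 192.0.2.10..1035 REMOTE: 192.0.2.20..3000
Jan 10 09:15:01 MVS1 TTLS[131]: EZD1281I TTLS Map CONNID: 0000002C LOCAL: 192.0.2.10..1036 REMOTE: 192.0.2.20..3000
Jan 10 09:15:02 MVS1 SNMPAGT[77]: constructed record from another daemon-facility writer
Jan 10 09:15:02 MVS1 TTLS[131]: EZD1283I TTLS Event CONNID: 0000002B RC: 0 Initial Handshake TLSV1.2 C02F
"""

MSG_RE = re.compile(r"\b(EZD\d{4}I)\b")
CONN_RE = re.compile(r"\bCONNID:\s*([0-9A-Fa-f]+)")

def follow(log_text):
    """Group AT-TLS records by ConnID, keeping arrival order."""
    conns = defaultdict(list)
    for line in log_text.splitlines():
        msg, conn = MSG_RE.search(line), CONN_RE.search(line)
        if msg and conn:  # skip records without a message ID and a ConnID
            conns[conn.group(1).upper()].append((msg.group(1), line))
    return dict(conns)

def summarize(conns):
    """Per ConnID: was it mapped to policy, and was negotiation recorded?"""
    report = {}
    for conn_id, records in conns.items():
        ids = [msg_id for msg_id, _ in records]
        report[conn_id] = {
            "mapped": "EZD1281I" in ids,
            "negotiated": "EZD1283I" in ids,
            "records": len(records),
        }
    return report

def mapped_not_negotiated(report):
    """ConnIDs with a policy mapping but no successful-negotiation record."""
    return sorted(c for c, r in report.items() if r["mapped"] and not r["negotiated"])

if __name__ == "__main__":
    rep = summarize(follow(SAMPLE_LOG))
    for conn_id, row in sorted(rep.items()):
        print(conn_id, row)
    print("follow up:", mapped_not_negotiated(rep))
```
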

Copyright IBM Corporation 1990, 2014