AT-TLS policy statements

Consider the following guidelines when using the AT-TLS policy statements.

Guidelines:
  • While configuring AT-TLS policy, see z/OS Cryptographic Services System SSL Programming for a detailed description of each System SSL attribute that is configured using the AT-TLS policy statements (System SSL attributes are those that begin with GSK). See the descriptions of the gsk_attribute_set_buffer, gsk_attribute_set_enum, and gsk_attribute_set_numeric_value APIs for how each attribute is used by System SSL, as well as the meaning of the available attribute settings and the default attribute settings.
  • AT-TLS requires a valid z/OS® UNIX key database, SAF key ring, or z/OS PKCS #11 token. For more information about AT-TLS configuration, see z/OS Communications Server: IP Configuration Guide.
  • AT-TLS can be configured to write trace data to syslogd. AT-TLS writes messages to syslogd using the daemon or auth facility. See Syslog daemon for more information about configuring syslogd.
  • If System SSL needs to access ICSF, ICSF must be started before you start the Policy Agent. For information about using hardware Cryptographic Features with System SSL, see z/OS Cryptographic Services System SSL Programming.

Note the following results when using the AT-TLS policy statements.

Results:
  • When an IpAddrGroup statement contains non-contiguous ranges of IP addresses, or a PortGroup statement contains non-contiguous ranges of port numbers, Policy Agent cannot merge these conditions into a single condition. pasearch displays the group's ranges as configured, with the summary condition for each of these attributes spanning from the lowest "from" value in the group to the highest "to" value in the group. If an IP address of value 0.0.0.0 exists in an IpAddrGroup statement, the summary condition for this attribute is set to All. If a port of value 0 exists in a PortGroup statement, the summary condition for this attribute is set to the range 0-0. When an IpAddrGroup statement contains a mixture of IPv4 and IPv6 addresses, a summary condition cannot be created; pasearch displays the group's ranges as configured, with a summary condition for this attribute of All.
  • For optional parameters that have default values and are not specified, pasearch displays the default value.
  • For optional parameters that do not have default values and are not specified, pasearch does not display the parameter.
  • If an optional parameter is not specified for a GSK statement, System SSL uses its default value.
  • For parameters that can be specified in multiple action types, the value used by a connection is determined by the following hierarchical rule set.
    1. If the parameter is specified in the TTLSConnectionAction statement, that is the value used.
    2. If the parameter is specified in the TTLSEnvironmentAction statement, that is the value used.
    3. If the parameter is specified in the TTLSGroupAction statement, that is the value used.
    4. If a default value is defined, that is the value used.
    5. Otherwise, no value is used by AT-TLS and no parameter is explicitly passed to System SSL.
  • Each AT-TLS action has a user instance variable (GroupUserInstance, EnvironmentUserInstance, and ConnectionUserInstance). These parameters can be used to cause Policy Agent to refresh a specific action when the -i startup option is used or when a refresh interval is coded.
Tip: For an example of AT-TLS policy definitions, see /usr/lpp/tcpip/samples/pagent_TTLS.conf.
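As an added illustration that is not part of the IBM documentation, the following Python models two of the results above: the summary condition pasearch derives for an IpAddrGroup or PortGroup, and the action-level precedence rule for parameters that can appear in several action statements. The group entries, parameter names, and values are constructed for the example; the function and variable names are not Policy Agent APIs.

```python
import ipaddress

ALL = "All"  # pasearch summary value meaning "no restriction on this attribute"

def _split_range(entry):
    """Split a 'from-to' entry into (from, to); a single value becomes (v, v)."""
    parts = entry.split("-")
    return (parts[0], parts[-1])

def summarize_ip_group(entries):
    """Summary condition pasearch shows for an IpAddrGroup of addresses/ranges."""
    ranges = [tuple(ipaddress.ip_address(p) for p in _split_range(e)) for e in entries]
    versions = {lo.version for lo, _ in ranges}
    if len(versions) > 1:                       # mixed IPv4/IPv6: no summary possible
        return ALL
    if any(ipaddress.ip_address("0.0.0.0") in r for r in ranges):
        return ALL                              # 0.0.0.0 present: summary becomes All
    lo = min(r[0] for r in ranges)              # lowest "from" value in the group
    hi = max(r[1] for r in ranges)              # highest "to" value in the group
    return f"{lo}-{hi}"

def summarize_port_group(entries):
    """Summary condition pasearch shows for a PortGroup of ports/port ranges."""
    ranges = [tuple(int(p) for p in _split_range(e)) for e in entries]
    if any(0 in r for r in ranges):
        return "0-0"                            # port 0 present: summary becomes 0-0
    return f"{min(r[0] for r in ranges)}-{max(r[1] for r in ranges)}"

def effective_value(name, connection, environment, group, defaults):
    """Resolve a parameter that may be coded in several action statements.

    Precedence: TTLSConnectionAction > TTLSEnvironmentAction > TTLSGroupAction >
    documented default. None means AT-TLS passes nothing to System SSL.
    """
    for action in (connection, environment, group):
        if name in action:
            return action[name]
    return defaults.get(name)

if __name__ == "__main__":
    # Constructed sample groups and actions (not from a real policy file).
    print(summarize_ip_group(["10.1.1.1", "10.1.1.5-10.1.1.9", "192.168.0.3"]))
    print(summarize_port_group(["80", "443", "8000-8080"]))
    print(effective_value("Trace", {}, {"Trace": 6}, {"Trace": 4}, {"Trace": 2}))
```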