TTLSGroupAction statement

Use the TTLSGroupAction statement to specify parameters for a Language Environment® process required to support secure connections. The TTLSGroupAction statement indicates whether a selected connection should use AT-TLS security. It can also specify the environment variables the Language Environment process should be initiated with.

Syntax

TTLSGroupAction name
{
TTLSGroupAction Parameters
}

Put braces and parameters on separate lines.

TTLSGroupAction Parameters

TTLSEnabled On | Off
CtraceClearText Off | On (default: Off)
Trace n (default: 2)
TTLSGroupAdvancedParms (inline statement) | TTLSGroupAdvancedParmsRef name
FIPS140 Off | On | Level1 | Level2 | Level3 (default: Off)
GroupUserInstance n

Parameters

name
A string 1 - 32 characters in length specifying the name of this TTLSGroupAction statement.
TTLSEnabled
Indicates the action that should be applied to connections using this TTLSGroupAction statement.
On
AT-TLS security is active. Data might be encrypted, based on other policy statements.
Off
AT-TLS security is not active. Data is sent in the clear.
CtraceClearText
Specifies whether application data traced using Ctrace or data trace is shown as unencrypted data. This parameter applies only to connections that have active AT-TLS security. CtraceClearText can be specified on multiple actions referenced by a common TTLSRule statement. The value specified on the TTLSGroupAction statement can be overridden for particular AT-TLS environments by specifying it on the TTLSEnvironmentAction statement, or for particular connections by specifying it on the TTLSConnectionAction statement. Valid values are:
Off
Application data is not traced as clear text. This is the default.
On
Application data is traced as clear text.
Trace
Specifies the level of AT-TLS tracing. The valid values for n are in the range 0 - 255. The value specified as n is the sum of the numbers associated with each level of tracing selected. If n is an odd number, errors are written to the TCP/IP joblog and all other configured traces are sent to syslogd.

The Trace parameter can be specified on multiple actions referenced by a common TTLSRule statement. The value specified on the TTLSGroupAction statement can be overridden for particular AT-TLS environments by specifying it on the TTLSEnvironmentAction statement, or for particular connections by specifying it on the TTLSConnectionAction statement.

0
No tracing is enabled.
1 (Error)
Errors are traced to the TCP/IP joblog.
2 (Error)
Errors are traced to syslogd. This is the default. The messages are issued with syslogd priority code err.
4 (Info)
Tracing of instances when a connection is mapped to an AT-TLS rule and when a secure connection is successfully initiated is enabled. The messages are issued with syslogd priority code info.
8 (Event)
Tracing of major events is enabled. The messages are issued with syslogd priority code debug.
16 (Flow)
Tracing of system SSL calls is enabled. The messages are issued with syslogd priority code debug.
32 (Data)
Tracing of encrypted negotiation and headers is enabled. This traces the negotiation of secure sessions. The messages are issued with syslogd priority code debug.
64
Reserved.
128
Reserved.
255
All tracing is enabled.
TTLSGroupAdvancedParms
An inline specification of a TTLSGroupAdvancedParms statement.
TTLSGroupAdvancedParmsRef
The name of a globally defined TTLSGroupAdvancedParms statement.
FIPS140
Specifies whether FIPS 140 support is enabled for this group. Enabling FIPS 140 mode provides a higher degree of assurance of the integrity of the cryptographic modules that AT-TLS uses, including ICSF and System SSL. However, enabling FIPS 140 mode might require additional setup and configuration, and it restricts the available set of cryptographic algorithms. Valid values are:
Off
Indicates that FIPS 140 is not supported for this group. This is the default.
On
Indicates that FIPS 140 is supported for this group and that 80-bit security strength is enforced for all operations.
Level1
Functionally equivalent to 'On'.
Level2
Indicates that FIPS 140 is supported for this group and that 112-bit security strength is used when generating new keys, digital signatures, and RSA encryption. However, 80-bit security strength is still allowed when performing digital signature verification, RSA decryption, and Triple DES decryption on information that was protected by the TLS peer.
Level3
Indicates that FIPS 140 is supported for this group and that 112-bit or higher security strength is enforced for all operations. 80-bit security strength is not allowed for any operation.

Requirement: ICSF must be active before starting AT-TLS groups configured to support FIPS 140. For information about configuring ICSF to support FIPS 140-2, see Operating in compliance with FIPS 140-2 in z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.

If the CSFSERV class is defined, give the user ID that is associated with the TCP/IP stack, and any application user ID that uses the TTLSGroup, READ access to the CSFRNG resource within the RACF® CSFSERV class. If the CSFSERV class is defined and Diffie-Hellman is being used, also give the application user ID READ access to the CSF1TRC, CSF1DVK, CSF1GKP, CSF1GSK, CSF1GAV, and CSF1TRD resources within the RACF CSFSERV class.

Restriction: The FIPS 140-2 standard does not define support for TLSv1.3 or the new cipher suites defined for it. Enabling both the TLSv1.3 protocol and FIPS support results in an error.
GroupUserInstance
Defines a configurable instance identifier for this TTLSGroupAction statement. The n value can be in the range 0 - 65535. This parameter can be used to signal a change to the Policy Agent without modifying any of the other AT-TLS configuration statements, for example when the contents of the Envfile have changed but the Envfile file name is unchanged. Adding or updating the GroupUserInstance parameter signals the Policy Agent to install a new TTLSGroupAction statement. This parameter can also be used as a field to update whenever a change is made to this TTLSGroupAction statement, so that the user can differentiate TTLSGroupAction statements by their instance identifier.
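As an added example (not IBM's code), the following Python script parses a constructed TTLSGroupAction block, expands the Trace value into the documented trace levels, and flags the settings a security reviewer would want explicitly justified (CtraceClearText On on an enabled group, and FIPS140 left at its default of Off). The statement name grpAct1 and the policy text are constructed, and parse_group_action, decode_trace and review are hypothetical helper names.

```python
import re

# Trace bit values and their documented meaning for the Trace parameter.
TRACE_LEVELS = {1: "Error (joblog)", 2: "Error (syslogd)", 4: "Info",
                8: "Event", 16: "Flow", 32: "Data"}

# Constructed sample policy fragment (not taken from a real system).
SAMPLE_POLICY = """
TTLSGroupAction grpAct1
{
  TTLSEnabled On
  CtraceClearText On
  Trace 7
  FIPS140 Off
  GroupUserInstance 1
}
"""

def parse_group_action(text):
    """Return (name, {parameter: value}) for the first flat TTLSGroupAction block."""
    # An inline TTLSGroupAdvancedParms sub-block is not handled by this regex.
    m = re.search(r"TTLSGroupAction\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no TTLSGroupAction statement found")
    params = {}
    for line in m.group(2).splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            params[parts[0]] = parts[1] if len(parts) > 1 else ""
    return m.group(1), params

def decode_trace(n):
    """Expand a Trace value (0 - 255) into the named levels it enables."""
    # Bits 64 and 128 are reserved and ignored, so 255 yields every named level.
    n = int(n)
    if not 0 <= n <= 255:
        raise ValueError("Trace must be in the range 0 - 255")
    return [name for bit, name in TRACE_LEVELS.items() if n & bit]

def review(text):
    """Apply the documented defaults and flag settings worth a second look."""
    name, p = parse_group_action(text)
    findings = []
    if p.get("TTLSEnabled") == "On" and p.get("CtraceClearText", "Off") == "On":
        findings.append("CtraceClearText On: application data appears "
                        "unencrypted in Ctrace and data trace output")
    if p.get("FIPS140", "Off") == "Off":
        findings.append("FIPS140 Off: ICSF/System SSL not running in FIPS 140 mode")
    levels = decode_trace(p.get("Trace", "2"))   # Trace defaults to 2
    return name, levels, findings
```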