TTLSEnvironmentAction statement

Use the TTLSEnvironmentAction statement to specify the attributes for an AT-TLS environment. A TTLSEnvironmentAction statement is required if the TTLSGroupAction statement, referenced on the same TTLSRule statement, specifies TTLSEnabled as On.

Syntax

Read syntax diagramSkip visual syntax diagramTTLSEnvironmentActionnamePut Braces and Parameters on Separate Lines
Put Braces and Parameters on Separate Lines
Read syntax diagramSkip visual syntax diagram{TTLSEnvironmentAction Parameters}
TTLSEnvironmentAction Parameters
Read syntax diagramSkip visual syntax diagramTTLSKeyringParmsTTLSKeyringParmsRef   nameHandshakeRole ClientServerServerWithClientAuth SuiteBProfileOffSuiteBProfileOff128128Min192192MinAllTTLSCipherParmsTTLSCipherParmsRef   nameTTLSSignatureParmsTTLSSignatureParmsRef  nameCtraceClearTextOffOnTrace  nTTLSEnvironmentAdvancedParmsTTLSEnvironmentAdvancedParmsRef  nameTTLSGskAdvancedParmsTTLSGskAdvancedParmsRef  nameEnvironmentUserInstance  n

Parameters

name
A string 1 - 32 characters in length specifying the name of this TTLSEnvironmentAction statement.
TTLSKeyringParms
An inline specification of a TTLSKeyringParms statement. This is a required parameter.
TTLSKeyringParmsRef
The name of a globally defined TTLSKeyringParms statement.
HandshakeRole
Specifies the SSL handshake role to be taken for connections in this AT-TLS environment. For System SSL, the GSK_SESSION_TYPE value is set to the same value as the HandshakeRole. This is a required parameter. Valid values are:
Client
Perform the SSL handshake as a client.
Server
Perform the SSL handshake as a server.
ServerWithClientAuth
Perform the SSL handshake as a server requiring client authentication.
SuiteBProfile
Specifies the RFC5430 Suite B cipher suites to apply to TLSv1.2 sessions. For more information on Suite B Profiles, see Suite B cryptography support in z/OS Cryptographic Services System SSL Programming.For System SSL, the GSK_SUITE_B_PROFILE value is set to the value of SuiteBProfile. Valid values are:
Off
The use of TLS V1.2 and Suite B cipher suites is not required. This is the default.
128
Suite B 128 bit cipher suites will be used.
128Min
AES-GCM ciphers with a minimum 128 bit strength will be used.
192
Suite B 192 bit cipher suites will be used.
192Min
AES-GCM ciphers with a minimum 192 bit strength will be used.
All
Both 128 bit and 192 bit Suite B cipher suites will be used.

Result: When 128, 128Min, 192, 192Min, or All is coded, any TTLSCipherParms statements are ignored. Only the ciphers that are defined in the Suite B profile will be used.

TTLSCipherParms
An inline specification of a TTLSCipherParms statement.

Tip: TTLSCipherParms statements are ignored if SuiteBProfile is specified with one of the following values:128, 128Min, 192, 192Min, All. Only the ciphers that are defined in the Suite B profile will be used in those cases.

TTLSCipherParmsRef
The name of a globally defined TTLSCipherParms statement.
TTLSSignatureParms
An inline specification of a TTLSSignatureParms statement.
TTLSSignatureParmsRef
The name of a globally defined TTLSSignatureParms statement.
CtraceClearText
Specifies whether application data traced using Ctrace or data trace is shown as unencrypted data. This parameter is applied only to connections that have active AT-TLS security on the connection. If this value is specified on the TTLSEnvironmentAction statement, it is used instead of the value from the TTLSGroupAction statement referenced by the same TTLSRule statement. Valid values are:
Off
Application data is not traced as clear text.
On
Application data is traced as clear text.
Trace
Specifies the level of AT-TLS tracing. The valid values for n are in the range 0 - 255. There is no default value. The sum of the numbers associated with each level of tracing selected is the value that should be specified as n. If n is an odd number, errors are written to joblog and all other configured traces are sent to syslogd. If this value is specified on the TTLSEnvironmentAction statement, it is used instead of the value from the TTLSGroupAction statement referenced by the same TTLSRule statement.
Tip: Start of changeThe Trace parameter can be specified for the TTLSGroupAction, the TTLSEnvironmentAction, and the TTLSConnectionAction. To determine the value in effect for a TTLSRule statement, examine each referenced action. The most specific action with the Trace parameter specified determines the value used. If the value is not specified for any of the referenced actions, the default value of 2 for the TTLSGroupAction is in effect.End of change
0
No tracing is enabled.
1 (Error)
Errors are traced to the TCP/IP joblog
2 (Error)
Errors are traced to syslogd. The messages are issued with syslogd priority code err.
4 (Info)
Tracing of when a connection is mapped to an AT-TLS rule and when a secure connection is successfully initiated is enabled. The messages are issued with syslogd priority code info.
8 (Event)
Tracing of major events is enabled. The messages are issued with syslogd priority code debug.
16 (Flow)
Tracing of system SSL calls is enabled. The messages are issued with syslogd priority code debug.
32 (Data)
Tracing of encrypted negotiation and headers is enabled. This traces the negotiation of secure sessions. The messages are issued with syslogd priority code debug.
64
Reserved.
128
Reserved.
255
All tracing is enabled.
TTLSEnvironmentAdvancedParms
An inline specification of a TTLSEnvironmentAdvancedParms statement.
TTLSEnvironmentAdvancedParmsRef
The name of a globally defined TTLSEnvironmentAdvancedParms statement.
TTLSGskAdvancedParms
An inline specification of a TTLSGskAdvancedParms statement.
TTLSGskAdvancedParmsRef
The name of a globally defined TTLSGskAdvancedParms statement.
EnvironmentUserInstance
Defines a configurable instance identifier for this TTLSEnvironmentAction statement. The n value can be in the range 0 - 65535. This parameter can be used to signal a change to the Policy Agent without modifying any of the other AT-TLS configuration statements. For example, when the contents of the key ring has changed, but the key ring name is unchanged. Adding or updating the EnvironmentUserInstance parameter would signal Policy Agent to install a new TTLSEnvironmentAction statement. This parameter can also be used as a field to be updated when a change is made to this TTLSEnvironmentAction statement. This enables the user to differentiate TTLSEnvironmentAction statements, based on the instance identifier.