TTLSEnvironmentAction statement
Use the TTLSEnvironmentAction statement to specify the attributes for an AT-TLS environment. A TTLSEnvironmentAction statement is required if the TTLSGroupAction statement, referenced on the same TTLSRule statement, specifies TTLSEnabled as On.
Syntax
Parameters
- name
- A string 1 - 32 characters in length specifying the name of this TTLSEnvironmentAction statement.
- TTLSKeyringParms
- An inline specification of a TTLSKeyringParms statement. This is a required parameter.
- TTLSKeyringParmsRef
- The name of a globally defined TTLSKeyringParms statement.
- HandshakeRole
- Specifies the SSL handshake role to be taken for connections in this AT-TLS environment. For System SSL, the GSK_SESSION_TYPE value is set to the same value as the HandshakeRole. This is a required parameter. Valid values are:
- Client
- Perform the SSL handshake as a client.
- Server
- Perform the SSL handshake as a server.
- ServerWithClientAuth
- Perform the SSL handshake as a server requiring client authentication.
- SuiteBProfile
- Specifies the RFC 5430 Suite B cipher suites to apply to TLSv1.2 sessions. For more information on Suite B Profiles, see Suite B cryptography support in z/OS Cryptographic Services System SSL Programming. For System SSL, the GSK_SUITE_B_PROFILE value is set to the value of SuiteBProfile. Valid values are:
- Off
- The use of TLS V1.2 and Suite B cipher suites is not required. This is the default.
- 128
- Suite B 128 bit cipher suites will be used.
- 128Min
- AES-GCM ciphers with a minimum 128 bit strength will be used.
- 192
- Suite B 192 bit cipher suites will be used.
- 192Min
- AES-GCM ciphers with a minimum 192 bit strength will be used.
- All
- Both 128 bit and 192 bit Suite B cipher suites will be used.
Result: When 128, 128Min, 192, 192Min, or All is coded, any TTLSCipherParms statements are ignored. Only the ciphers that are defined in the Suite B profile will be used.
- TTLSCipherParms
- An inline specification of a TTLSCipherParms statement.
Tip: TTLSCipherParms statements are ignored if SuiteBProfile is specified with one of the following values: 128, 128Min, 192, 192Min, All. Only the ciphers that are defined in the Suite B profile will be used in those cases.
- TTLSCipherParmsRef
- The name of a globally defined TTLSCipherParms statement.
- TTLSSignatureParms
- An inline specification of a TTLSSignatureParms statement.
- TTLSSignatureParmsRef
- The name of a globally defined TTLSSignatureParms statement.
- CtraceClearText
- Specifies whether application data traced using Ctrace or data trace is shown as unencrypted data. This parameter is applied only to connections that have active AT-TLS security on the connection. If this value is specified on the TTLSEnvironmentAction statement, it is used instead of the value from the TTLSGroupAction statement referenced by the same TTLSRule statement. Valid values are:
- Off
- Application data is not traced as clear text.
- On
- Application data is traced as clear text.
- Trace
- Specifies the level of AT-TLS tracing. The valid values for n are in the range 0 - 255. There is no default value. The sum of the numbers associated with each level of tracing selected is the value that should be specified as n. If n is an odd number, errors are written to the joblog and all other configured traces are sent to syslogd. If this value is specified on the TTLSEnvironmentAction statement, it is used instead of the value from the TTLSGroupAction statement referenced by the same TTLSRule statement.
Tip: The Trace parameter can be specified for the TTLSGroupAction, the TTLSEnvironmentAction, and the TTLSConnectionAction. To determine the value in effect for a TTLSRule statement, examine each referenced action. The most specific action with the Trace parameter specified determines the value used. If the value is not specified for any of the referenced actions, the default value of 2 for the TTLSGroupAction is in effect.
- 0
- No tracing is enabled.
- 1 (Error)
- Errors are traced to the TCP/IP joblog.
- 2 (Error)
- Errors are traced to syslogd. The messages are issued with syslogd priority code err.
- 4 (Info)
- Tracing of when a connection is mapped to an AT-TLS rule and when a secure connection is successfully initiated is enabled. The messages are issued with syslogd priority code info.
- 8 (Event)
- Tracing of major events is enabled. The messages are issued with syslogd priority code debug.
- 16 (Flow)
- Tracing of system SSL calls is enabled. The messages are issued with syslogd priority code debug.
- 32 (Data)
- Tracing of encrypted negotiation and headers is enabled. This traces the negotiation of secure sessions. The messages are issued with syslogd priority code debug.
- 64
- Reserved.
- 128
- Reserved.
- 255
- All tracing is enabled.
- TTLSEnvironmentAdvancedParms
- An inline specification of a TTLSEnvironmentAdvancedParms statement.
- TTLSEnvironmentAdvancedParmsRef
- The name of a globally defined TTLSEnvironmentAdvancedParms statement.
- TTLSGskAdvancedParms
- An inline specification of a TTLSGskAdvancedParms statement.
- TTLSGskAdvancedParmsRef
- The name of a globally defined TTLSGskAdvancedParms statement.
- EnvironmentUserInstance
- Defines a configurable instance identifier for this TTLSEnvironmentAction statement. The n value can be in the range 0 - 65535. This parameter can be used to signal a change to the Policy Agent without modifying any of the other AT-TLS configuration statements, for example when the contents of the key ring have changed but the key ring name is unchanged. Adding or updating the EnvironmentUserInstance parameter signals the Policy Agent to install a new TTLSEnvironmentAction statement. This parameter can also be used as a field to be updated whenever a change is made to this TTLSEnvironmentAction statement, which lets the user differentiate TTLSEnvironmentAction statements based on the instance identifier.
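The following script is an added example, not IBM code and not part of this reference. It parses a constructed AT-TLS policy fragment written in the brace syntax these statements use, then applies two rules from the text above: the Trace precedence rule (TTLSGroupAction, then TTLSEnvironmentAction, then TTLSConnectionAction, with 2 as the default when no action specifies Trace) together with the decomposition of n into its trace levels, and the SuiteBProfile rule under which TTLSCipherParms is ignored for 128, 128Min, 192, 192Min or All. The rule and action names, the Keyring value and the V3CipherSuites entry inside TTLSCipherParms are assumptions made for the sample and are not taken from this page.

```python
"""Added example: parse an AT-TLS policy fragment and check TTLSEnvironmentAction rules."""
import re

# Constructed sample policy. Statement and parameter names follow the reference;
# the rule/action names, the Keyring value and V3CipherSuites are assumptions.
SAMPLE_POLICY = """
TTLSRule                    WebServerRule
{
  LocalPortRange            443
  Direction                 Inbound
  TTLSGroupActionRef        DefaultGroup
  TTLSEnvironmentActionRef  WebServerEnv
}
TTLSRule                    QuietRule
{
  LocalPortRange            8443
  Direction                 Inbound
  TTLSGroupActionRef        DefaultGroup
  TTLSEnvironmentActionRef  QuietEnv
}
TTLSGroupAction             DefaultGroup
{
  TTLSEnabled               On
}
TTLSEnvironmentAction       WebServerEnv
{
  HandshakeRole             Server
  SuiteBProfile             128Min
  Trace                     7
  TTLSKeyringParms
  {
    Keyring                 TLS.KEYRING
  }
  TTLSCipherParms
  {
    V3CipherSuites          TLS_RSA_WITH_AES_128_CBC_SHA
  }
}
TTLSEnvironmentAction       QuietEnv
{
  HandshakeRole             Server
  TTLSKeyringParmsRef       SharedKeyring
}
"""

TRACE_LEVELS = {1: "Error (joblog)", 2: "Error (syslogd err)", 4: "Info",
                8: "Event", 16: "Flow", 32: "Data", 64: "Reserved", 128: "Reserved"}
SUITE_B_OVERRIDES = {"128", "128Min", "192", "192Min", "All"}
HANDSHAKE_ROLES = {"Client", "Server", "ServerWithClientAuth"}


def parse_policy(text):
    """Parse 'Statement [name] { key value | inline { ... } }' blocks into nested dicts."""
    tokens = re.findall(r"\{|\}|[^\s{}]+", text)

    def parse_block(pos):                      # pos points at the opening brace
        pos += 1
        body = {}
        while tokens[pos] != "}":
            key = tokens[pos]
            if tokens[pos + 1] == "{":         # inline statement, e.g. TTLSKeyringParms
                body[key], pos = parse_block(pos + 1)
            else:                              # plain 'key value' pair
                body[key], pos = tokens[pos + 1], pos + 2
        return body, pos + 1

    statements, pos = {}, 0
    while pos < len(tokens):
        stmt = tokens[pos]
        name, pos = (None, pos + 1) if tokens[pos + 1] == "{" else (tokens[pos + 1], pos + 2)
        body, pos = parse_block(pos)
        statements.setdefault(stmt, {})[name] = body
    return statements


def effective_trace(policy, rule_name):
    """Trace value in effect for a rule: the most specific action that sets it wins."""
    rule = policy["TTLSRule"][rule_name]
    value = 2                                  # TTLSGroupAction default when nothing sets Trace
    for stmt in ("TTLSGroupAction", "TTLSEnvironmentAction", "TTLSConnectionAction"):
        action = rule.get(stmt)                # inline action on the rule, if any
        if action is None:                     # otherwise follow the ...Ref to a global one
            action = policy.get(stmt, {}).get(rule.get(stmt + "Ref"))
        if action and "Trace" in action:
            value = int(action["Trace"])
    return value


def decode_trace(n):
    """Split n (0-255) into the trace levels whose numbers sum to it."""
    if not 0 <= n <= 255:
        raise ValueError("Trace must be in the range 0 - 255")
    return [label for bit, label in TRACE_LEVELS.items() if n & bit]


def cipher_parms_ignored(env):
    """True when SuiteBProfile makes an inline or referenced TTLSCipherParms irrelevant."""
    has_ciphers = "TTLSCipherParms" in env or "TTLSCipherParmsRef" in env
    return has_ciphers and env.get("SuiteBProfile", "Off") in SUITE_B_OVERRIDES


def check_environment(env):
    """Findings for one parsed TTLSEnvironmentAction body, per the rules in the reference."""
    findings = []
    if env.get("HandshakeRole") not in HANDSHAKE_ROLES:
        findings.append("HandshakeRole is required and must be Client, Server or ServerWithClientAuth")
    if "TTLSKeyringParms" not in env and "TTLSKeyringParmsRef" not in env:
        findings.append("TTLSKeyringParms (inline or Ref) is required")
    if cipher_parms_ignored(env):
        findings.append("SuiteBProfile %s: TTLSCipherParms ignored, only Suite B ciphers used" % env["SuiteBProfile"])
    if "Trace" in env and int(env["Trace"]) % 2 == 1:
        findings.append("Trace is odd: errors go to the joblog, other traces to syslogd")
    return findings


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for rule in policy["TTLSRule"]:
        n = effective_trace(policy, rule)
        print(rule, "Trace", n, decode_trace(n))
    for name, env in policy["TTLSEnvironmentAction"].items():
        print(name, check_environment(env))
```

Run as-is it prints the effective Trace for each rule and the findings for each environment; WebServerEnv shows both the odd-Trace note and the Suite B override, and QuietRule falls through to the group default of 2 because neither its group nor its environment sets Trace.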