Sysplex session ticket cache support
The sysplex session ticket cache support stores the TLS V1.3 session ticket information available
across the sysplex. A TLS V1.3 session established with a server on one system in the sysplex can be
resumed using a server on another system in the sysplex if the TLS client includes the session
ticket obtained for the first session when initiating the second session. This also works with
multiple servers running on the same system that are presented to the client as a single server. The
session information for the TLS V1.3 session is stored in the GSKSRVR and it is made available to
other like-servers in the sysplex. Without access to the session ticket information, other
like-servers in the sysplex would be unable to resume a previously established TLS V1.3 session and
would need to perform a full TLS V1.3 handshake. Ensure that the SSL started task is configured with
the appropriate service class and priority.
Verify that the GSK_XCF_TIMEOUT setting is appropriate for the server applications contacting the SSL started task. For more information, see Configuring the SSL started task.
A TLS V1.3 session that a client established with a server using negotiated TLS extensions can only be resumed on a server that supports the same set of TLS extensions established in the original session. For example, if the original session negotiates the use of the maximum fragment length TLS extension, but the session is later resumed with a server that does not support the maximum fragment length TLS extension, a full handshake occurs.
In order to use the sysplex session ticket cache, each system in the sysplex must be using the same external security manager (for example, z/OS Security Server RACF) and a user ID on one system in the sysplex must represent the same user on all other systems in the sysplex (that is, user ID ZED on System A has the same access rights as user ID ZED on System B). The external security manager must support the RACROUTE REQUEST=EXTRACT,TYPE=ENVRXTR and RACROUTE REQUEST=FASTAUTH functions.
The sysplex session ticket cache must be enabled for each application server that is to use the support. This can be done by defining the GSK_SYSPLEX_SESSION_TICKET_CACHE environment variable or by calling the gsk_attribute_set_enum() routine to set the GSK_SYSPLEX_SESSION_TICKET_CACHE attribute. The session information for each new TLS V1.3 session created by the SSL server is then stored in the sysplex session ticket cache and can be referenced by other SSL servers in the sysplex. The RACF user associated with the TLS server becomes the owner of the session ticket information. Any TLS server running with the same RACF user can access the session ticket information during TLS V1.3 resumption attempts. TLS servers running with a different RACF user can access the session information if they have at least READ access to the GSK.SIDCACHE.<owner> profile in the FACILITY class.
For example, the following RACF commands define the profile for session ticket information owned by user ID APPLSRV1, permit TLS servers running as user ID APPLSRV2 to read that information, and refresh the in-storage FACILITY class profiles so the change takes effect:
RDEFINE FACILITY GSK.SIDCACHE.APPLSRV1 UACC(NONE)
PERMIT GSK.SIDCACHE.APPLSRV1 CLASS(FACILITY) ID(APPLSRV2) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH