AT-TLS traces

AT-TLS writes messages to syslogd using the jobname of the TCP/IP started task. The AT-TLS default behavior is to write syslogd messages to the daemon facility. Other TCP/IP functions, for example the SNMP TCP/IP subagent, also use the job name of the TCP/IP started task and specify the daemon facility name when writing records to syslogd. Because the job name and syslog facility name of the AT-TLS records and the TCP/IP function records are the same, filters cannot be used to direct the AT-TLS records to a different output file. If you want AT-TLS records to go to a different output file, configure SyslogFacility Auth on the TTLSGroupAdvancedParms statement to direct the messages from that group to the Auth facility. The job name will remain the job name of the TCP/IP started task. You can then set up filtering based on the job name of the TCP/IP started task and the auth facility in the syslogd configuration file to direct AT-TLS records to a different output file.

If you are configuring using the IBM® Configuration Assistant for z/OS® Communications Server, you can modify the syslog facility name from the AT-TLS: Image Level Settings panel.

AT-TLS traces are enabled by setting the AT-TLS policy statement Trace to a nonzero value. A Trace statement can be configured on a TTLSGroupAction, TTLSEnvironmentAction, or TTLSConnectionAction statement. See the z/OS Communications Server: IP Configuration Reference for more details about AT-TLS policy statements. Each trace level enables a different set of AT-TLS messages. The value to specify is the sum of the numbers associated with each level of tracing that you want.

If you are configuring using the IBM Configuration Assistant for z/OS Communications Server, you can set the default trace level on the AT-TLS: Image Level Settings panel, and you can override the trace level for each Connectivity Rule.

Table 1 lists the trace level, the generated AT-TLS messages, and the syslog priority.

Table 1. AT-TLS trace levels

  Trace level   Traced information   Generated messages              Syslog priority
  1             Error (to Joblog)    EZD1287I                        NA
  2             Error                EZD1286I                        err
  4             Info                 EZD1281I, EZD1283I              info
  8             Event                EZD1282I, EZD1283I              debug
  16            Flow                 EZD1282I, EZD1283I, EZD1284I    debug
  32            Data                 EZD1285I                        debug

Tip: Setting the Trace level to 6 enables both error messages and info messages.

The information messages trace when an AT-TLS connection is mapped to a policy (EZD1281I) and when the secure connection is successfully negotiated (EZD1283I), including the security protocol and cipher used. Using syslogd's filtering parameters, a separate log file could be kept for AT-TLS info and error messages, enabling AT-TLS connections to be tracked.

Tip: Trace level 32 shows all the SSL headers sent and received.

Each secure connection is uniquely identified by its connection ID (ConnID). You can use the ConnID to follow a connection through the AT-TLS trace.
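The following Python script is an added example (not IBM code) that ties together two points above: the Trace value is a sum of the level numbers in Table 1, and each connection can be followed through the trace by its ConnID. It decodes a Trace value into the levels, message IDs, and the lowest syslog priority a syslogd filter must pass, and it groups log lines by ConnID. The table data is from this page; the sample log lines are constructed for illustration and are not verbatim AT-TLS output, and the parser assumes only that each message carries a CONNID: token followed by a hexadecimal connection ID.

```python
"""Decode AT-TLS Trace values and follow a ConnID through syslogd output.

Added example, not part of the IBM documentation. Table data is taken from
Table 1 on this page; the sample log lines are constructed.
"""
import re

# Trace levels from Table 1: bit value -> (name, message IDs, syslog priority)
TRACE_LEVELS = {
    1: ("Error (to Joblog)", ("EZD1287I",), "NA"),
    2: ("Error", ("EZD1286I",), "err"),
    4: ("Info", ("EZD1281I", "EZD1283I"), "info"),
    8: ("Event", ("EZD1282I", "EZD1283I"), "debug"),
    16: ("Flow", ("EZD1282I", "EZD1283I", "EZD1284I"), "debug"),
    32: ("Data", ("EZD1285I",), "debug"),
}

# syslog priority order, lowest first. A syslogd rule such as "facility.info"
# matches info and every higher priority, so a filter must name the lowest
# priority that the configured Trace value produces.
PRIORITY_RANK = {"debug": 0, "info": 1, "err": 2}


def decode_trace(value):
    """Return the trace level names enabled by a Trace value (sum of bits)."""
    if not 0 <= value <= 63:
        raise ValueError("Trace must be a sum of the levels 1..32 (0-63)")
    return [name for bit, (name, _, _) in TRACE_LEVELS.items() if value & bit]


def trace_value(*names):
    """Compute the Trace value to configure for the named levels."""
    wanted = set(names)
    value = 0
    for bit, (name, _, _) in TRACE_LEVELS.items():
        if name in wanted:
            value |= bit
            wanted.discard(name)
    if wanted:
        raise ValueError(f"unknown trace level(s): {sorted(wanted)}")
    return value


def expected_messages(value):
    """Set of message IDs that can be issued at this Trace value."""
    ids = set()
    for bit, (_, msgids, _) in TRACE_LEVELS.items():
        if value & bit:
            ids.update(msgids)
    return ids


def syslog_priority_needed(value):
    """Lowest syslog priority a syslogd filter must pass to capture every
    syslogd message produced at this Trace value (None if only joblog output)."""
    prios = [p for bit, (_, _, p) in TRACE_LEVELS.items() if value & bit and p != "NA"]
    if not prios:
        return None
    return min(prios, key=PRIORITY_RANK.__getitem__)


# Assumption: every AT-TLS connection message carries "CONNID: <hex id>".
MSG_RE = re.compile(r"\b(EZD128[1-7]I)\b.*?\bCONNID:\s*([0-9A-Fa-f]+)")


def group_by_connid(lines):
    """Map each ConnID to the ordered list of (message ID, line) mentioning it.
    Lines without a message ID and ConnID (other TCP/IP functions) are skipped."""
    flows = {}
    for line in lines:
        m = MSG_RE.search(line)
        if m:
            flows.setdefault(m.group(2).upper(), []).append((m.group(1), line.strip()))
    return flows


# Constructed sample syslogd output: one successful handshake and one failure,
# plus an unrelated line from the same TCP/IP job name.
SAMPLE_LOG = """\
Jun 12 10:01:02 TCPIP EZD1281I TTLS Map CONNID: 0000001A LOCAL: 10.0.0.5..443 REMOTE: 10.0.0.9..51234 RULE: WebServerRule
Jun 12 10:01:02 TCPIP EZD1283I TTLS Initial Handshake Complete CONNID: 0000001A PROTOCOL: TLSV1.2 CIPHER: C030
Jun 12 10:01:03 TCPIP EZD1281I TTLS Map CONNID: 0000001B LOCAL: 10.0.0.5..443 REMOTE: 10.0.0.12..40001 RULE: WebServerRule
Jun 12 10:01:03 TCPIP EZD1286I TTLS Error CONNID: 0000001B during Initial Handshake
Jun 12 10:01:04 TCPIP SNMP subagent message without a connection ID
"""


if __name__ == "__main__":
    for value in (6, 36, 63):
        print(value, decode_trace(value), sorted(expected_messages(value)),
              syslog_priority_needed(value))
    for connid, msgs in group_by_connid(SAMPLE_LOG.splitlines()).items():
        print(connid, [mid for mid, _ in msgs])
```

Run it as a script to see that Trace 6 yields the Error and Info levels, needs a filter at priority info or lower, and that the constructed log splits into two ConnID flows, one ending in EZD1283I and the other in EZD1286I.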