TTLSGskAdvancedParms statement

Use the TTLSGskAdvancedParms statement to specify advanced attributes for an AT-TLS environment that are specific to System SSL.

Syntax

TTLSGskAdvancedParms name
{
   TTLSGskAdvancedParms Parameters
}

Rule: Put braces and parameters on separate lines.

TTLSGskAdvancedParms Parameters

   TTLSGskLdapParms { ... } | TTLSGskLdapParmsRef name
   TTLSGskOcspParms { ... } | TTLSGskOcspParmsRef name
   TTLSGskHttpCdpParms { ... } | TTLSGskHttpCdpParmsRef name
   GSK_SYSPLEX_SIDCACHE On | Off
   GSK_V2_SESSION_TIMEOUT value
   GSK_V2_SIDCACHE_SIZE value
   GSK_V3_SESSION_TIMEOUT value                              (default 86 400)
   GSK_V3_SIDCACHE_SIZE value                                (default 512)
   GSK_SESSION_TICKET_CLIENT_ENABLE On | Off                 (default On)
   GSK_SESSION_TICKET_CLIENT_MAXSIZE value                   (default 8192)
   GSK_SESSION_TICKET_SERVER_ENABLE On | Off                 (default On)
   GSK_SESSION_TICKET_SERVER_ALGORITHM AESCBC128 | AESCBC256 (default AESCBC128)
   GSK_SESSION_TICKET_SERVER_COUNT value                     (default 2)
   GSK_SESSION_TICKET_SERVER_KEY_REFRESH value               (default 300)
   GSK_SESSION_TICKET_SERVER_TIMEOUT value                   (default 300)
   AIACDPPriority On | Off
   MaxSrcRevExtLocValues value
   MaxValidRevExtLocValues value
   RevocationSecurityLevel Low | Medium | High

Parameters

name
A string 1 - 32 characters in length specifying the name of this TTLSGskAdvancedParms statement.

Rule: If this TTLSGskAdvancedParms statement is not specified inline within another statement, a name value must be provided. If a name is not specified for an inline TTLSGskAdvancedParms statement, a nonpersistent system name is created.

TTLSGskLdapParms
An inline specification of a TTLSGskLdapParms statement.
TTLSGskLdapParmsRef
The name of a globally defined TTLSGskLdapParms statement.
TTLSGskOcspParms
An inline specification of a TTLSGskOcspParms statement.
TTLSGskOcspParmsRef
The name of a globally defined TTLSGskOcspParms statement.
TTLSGskHttpCdpParms
An inline specification of a TTLSGskHttpCdpParms statement.
TTLSGskHttpCdpParmsRef
The name of a globally defined TTLSGskHttpCdpParms statement.
GSK_SYSPLEX_SIDCACHE
Specifies whether sysplex session identifier caching is to be enabled for connections in this AT-TLS environment. Valid values are as follows:
On
Sysplex session identifier caching is to be enabled. SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 protocol server session information can be stored in the sysplex session cache.
Off
Sysplex session identifier caching is not to be enabled.
Restriction: Storing TLSv1.3 session tickets in the sysplex session cache is not supported.
GSK_V2_SESSION_TIMEOUT
Specifies the SSL Version 2 session timeout. This is the number of seconds until a session identifier expires. Valid values are in the range 0 - 100.
GSK_V2_SIDCACHE_SIZE
Specifies the number of SSL Version 2 session identifiers to cache. Valid values are in the range 0 - 32 000.
GSK_V3_SESSION_TIMEOUT
Specifies the SSL Version 3, TLS Version 1.0, TLS Version 1.1, TLS Version 1.2, or TLS Version 1.3 session timeout. For SSL Version 3, TLS Version 1.0, TLS Version 1.1, and TLS Version 1.2, this value is the number of seconds that elapse until a session identifier expires. For TLS Version 1.3, this value is the number of seconds that elapse until a session ticket expires. Valid values are in the range 0 - 86 400. The default value is 86 400.
Result: If a value of 0 is specified, session identifiers and session tickets are not remembered.
GSK_V3_SIDCACHE_SIZE
Specifies the number of SSL Version 3, TLS Version 1.0, TLS Version 1.1, and TLS Version 1.2 session identifiers or TLS Version 1.3 session tickets to cache. When the cache is full, the oldest entry is removed to make room for a new entry.

Valid values are in the range 0 - 64 000. The cache is allocated by using the configured size rounded up to the next power of 2, with a minimum of 16. The default value is 512.

For the SSL Version 3, TLS Version 1.0, TLS Version 1.1, and TLS Version 1.2 protocols, the cache is used to store session identifiers on the server and client sides. For the TLS Version 1.3 protocol, the cache is used to store session tickets on the client side, when GSK_SESSION_TICKET_CLIENT_ENABLE is On.

Result: If a value of 0 is specified, session identifiers and session tickets are not remembered.
GSK_SESSION_TICKET_CLIENT_ENABLE
Specifies if the client supports:
  • caching session tickets received from a server after a TLS Version 1.3 handshake has completed
  • TLS Version 1.3 session resumption attempts to the server
Valid values are:
On
Enables client caching of session tickets and session resumption attempts. On is the default.
Off
Disables client caching of session tickets and session resumption attempts.
Rule: The GSK_V3_SESSION_TIMEOUT and GSK_V3_SIDCACHE_SIZE settings must be set to values greater than 0 to allow client session ticket caching.
GSK_SESSION_TICKET_CLIENT_MAXSIZE
Specifies the maximum number of bytes of a session ticket that can be stored in the client session ticket cache. Session tickets sent by the server that exceed this size are discarded by the client. Valid values are in the range 0 - 2 147 483 647. The default size is 8192 (8K).
Result: A value of 0 disables checking the session ticket size and allows a session ticket of any size.
Tip: Setting the session ticket size too small could implicitly disable session ticket caching for the client.
GSK_SESSION_TICKET_SERVER_ENABLE
Specifies if the server supports:
  • Sending session tickets after a TLS Version 1.3 handshake has completed
  • Receiving TLS Version 1.3 session resumption attempts from the client
Valid values are:
On
Enables TLS Version 1.3 server session resumption. On is the default.
Off
Disables TLS Version 1.3 server session resumption attempts.
GSK_SESSION_TICKET_SERVER_ALGORITHM
Specifies the algorithm to be used by the server to encrypt and decrypt the session tickets used for TLS Version 1.3 session resumption.

Valid values are AESCBC128 and AESCBC256. The default is AESCBC128.

GSK_SESSION_TICKET_SERVER_COUNT
Specifies the number of TLS Version 1.3 session tickets that are sent by the server to the client after the initial handshake completes. Each session ticket provides the client with the means to request the resumption of a TLS Version 1.3 session. If the value is greater than 0, each subsequent resumed session sends a single session ticket to replace the one used for resumption. Valid values are in the range 0 - 16. The default value is 2.
GSK_SESSION_TICKET_SERVER_TIMEOUT
Specifies the maximum time, in seconds, measured from the initial handshake, during which a server accepts a session resumption request from the client. The server continues to generate a new session ticket for each resumed handshake until the timeout has been reached. Each session ticket generated by the server is valid until the timeout has been reached.

Because the key used to encrypt the session ticket must be available when the client attempts resumption, the GSK_SESSION_TICKET_SERVER_KEY_REFRESH value affects the lifetime of a session ticket.

Valid values are in the range 1 - 604 800 (7 days). The default value is 300 (5 minutes).

GSK_SESSION_TICKET_SERVER_KEY_REFRESH
Specifies the key refresh interval, in seconds, of the encryption key used by the server to encrypt session tickets for TLS Version 1.3 session resumption. When the encryption key is refreshed, a new primary encryption key is generated, and the former encryption key is retained as a secondary key that can be used only for decryption until a subsequent refresh occurs.

Valid values are in the range 0 - 604 800 (7 days). The default value is 300 (5 minutes).

Result: If a value of 0 is specified, the encryption key never refreshes.
AIACDPPriority
Specifies the order in which the Authority Information Access (AIA) and CRL Distribution Point (CDP) extensions in the certificate are checked for revocation information.
Valid values are as follows:
On
The AIA extension is processed before the CDP extension during certificate revocation checking. Any OCSP responders specified in the AIA extension or in OcspUrl are contacted before any attempt is made to contact the HTTP servers specified in the HTTP URL values in the CDP extension.
Off
The CDP extension is queried before the AIA extension. The HTTP servers specified in the HTTP URL values in the CDP extension are contacted before any attempt is made to contact the OCSP responders specified in the AIA extension or in OcspUrl.

This parameter sets System SSL's GSK_AIA_CDP_PRIORITY attribute.

Tips:
  • The HttpCdpEnable parameter must be set to On on the TTLSGskHttpCdpParms statement to enable searching HTTP URL values in the certificate's CDP extension.
  • If GSK_LDAP_SERVER is specified on the TTLSGskLdapParms statement, certificate revocation checking by using LDAP is available as a fallback. GSK_LDAP_SERVER is checked last for certificate revocation information.
MaxSrcRevExtLocValues
Sets the maximum number of location values that are contacted per HTTP CDP or AIA extension when an attempt is made to validate a certificate. Valid location values are in the range 0 - 256. A value of 0 indicates that no limit is set on the number of locations contacted. This parameter sets System SSL's GSK_MAX_SOURCE_REV_EXT_LOC_VALUES attribute.
Result: The locations for revocation information are specified by accessLocation in the AIA certificate extension for OCSP and by distributionPoint in the CDP extension for HTTP CRLs. When locations are available in an AIA or CDP extension, certificate validation processing attempts to contact the OCSP or HTTP server. Both AIA and CDP extensions can contain multiple location values. A large number of locations can impact performance.
MaxValidRevExtLocValues
Sets the maximum number of location values that are contacted when validation of a certificate is performed. Valid location values are in the range 0 - 1024. A value of 0 indicates that no limit is set on the number of locations contacted. This parameter sets System SSL's GSK_MAX_VALIDATION_REV_EXT_LOC_VALUES attribute.
Result: The locations for revocation information are specified by accessLocation in the AIA certificate extension for OCSP and by distributionPoint in the CDP extension for HTTP CRLs. When locations are available in an AIA or CDP extension, certificate validation processing attempts to contact the OCSP or HTTP server. Both AIA and CDP extensions can contain multiple location values. A large number of locations can impact performance.
RevocationSecurityLevel
Specifies the level of security to use when an OCSP responder or an HTTP server specified in an HTTP URL value in the CDP extension is contacted.

This parameter sets System SSL's GSK_REVOCATION_SECURITY_LEVEL attribute.

The following levels of security are available:
Low
Certificate validation does not fail if the OCSP responder or HTTP server specified in the HTTP URL value in the CDP extension cannot be contacted.
Medium
Certificate validation requires that the OCSP responder or the HTTP server in an HTTP URL value in the CDP extension can be contacted. An OCSP responder must provide a valid certificate revocation status; if the certificate status is revoked or unknown, certificate validation fails. An HTTP server in the CDP extension must be reachable and provide a CRL.
High
Certificate validation requires revocation information to be provided by the OCSP responder or HTTP server. If OCSP revocation checking by using the AIA extension is enabled, the OCSP responder specified in the certificate must be reachable and provide a valid certificate revocation status. If HTTP CRL checking is enabled, the HTTP server specified in the HTTP URL values in the CDP extension must be reachable and provide a CRL.
Tips:
  • When revocation information is not found in cache, an attempt to contact an OCSP responder or an HTTP server is performed. To enforce contact with the OCSP responder or the HTTP server for each validation, caching must be disabled.
  • If GSK_LDAP_SERVER is specified, it is checked last for certificate revocation information if OCSP or HTTP CDP is enabled. If the OCSP responders or the HTTP servers cannot be contacted, you can enable fallback to an LDAP server by setting the RevocationSecurityLevel parameter to Low. This enables contact to the LDAP server specified in the GSK_LDAP_SERVER parameter.
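An added example of a named TTLSGskAdvancedParms statement referenced from an AT-TLS environment action; this is not from the original page. The TTLSEnvironmentAction, keyring and TTLSGskOcspParms statement names and the chosen values are assumptions, and the comments record how each value relates to the defaults and rules described above.

```text
# Assumed surrounding environment action (names are placeholders)
TTLSEnvironmentAction          srvEnvAct
{
   HandshakeRole               Server
   TTLSKeyringParmsRef         srvKeyring
   TTLSGskAdvancedParmsRef     srvGskAdv
}

# Globally defined, so a name is required (it is not inline)
TTLSGskAdvancedParms           srvGskAdv
{
   # OCSP settings live in a separately defined statement (assumed name)
   TTLSGskOcspParmsRef         srvOcsp

   # TLS 1.2 session identifiers and TLS 1.3 client tickets are kept for
   # one hour; 512 is already a power of 2, so the cache is not rounded up.
   GSK_V3_SESSION_TIMEOUT      3600
   GSK_V3_SIDCACHE_SIZE        512
   # TLS 1.3 tickets cannot be stored in the sysplex cache, so keep it local.
   GSK_SYSPLEX_SIDCACHE        Off

   # TLS 1.3 ticket issuance by this server
   GSK_SESSION_TICKET_SERVER_ENABLE      On
   GSK_SESSION_TICKET_SERVER_ALGORITHM   AESCBC256
   GSK_SESSION_TICKET_SERVER_COUNT       2
   # Resumption is accepted for 30 minutes after the initial handshake.
   GSK_SESSION_TICKET_SERVER_TIMEOUT     1800
   # A superseded ticket key is kept for decryption only until the next
   # refresh, so a ticket stops being decryptable well before TIMEOUT if
   # KEY_REFRESH is much smaller. Setting KEY_REFRESH >= TIMEOUT keeps every
   # ticket decryptable for the whole resumption window while still rotating.
   GSK_SESSION_TICKET_SERVER_KEY_REFRESH 1800

   # Revocation: check OCSP (AIA) before HTTP CDP, bound the number of
   # locations contacted, and fail validation when no status can be obtained.
   AIACDPPriority              On
   MaxSrcRevExtLocValues       4
   MaxValidRevExtLocValues     16
   RevocationSecurityLevel     High
}
```

With RevocationSecurityLevel High, a responder outage makes handshakes fail closed; the Low setting above is the one that permits fallback to GSK_LDAP_SERVER.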