Use the TTLSCipherParms statement to define the cipher specifications for an AT-TLS environment or an AT-TLS connection. A TTLSCipherParms statement can be specified inline in a TTLSEnvironmentAction or TTLSConnectionAction statement or referenced by a TTLSEnvironmentAction or TTLSConnectionAction statement.
Syntax
>>-TTLSCipherParms--+------+--| Put Braces and Parameters on Separate Lines |->< '-name-' Put Braces and Parameters on Separate Lines |--+-{------------------------------+---------------------------| +-| TTLSCipherParms Parameters |-+ '-}------------------------------' TTLSCipherParms Parameters .----------------------------. .----------------------------. .----------------------------------. V | V | V | |----+------------------------+-+----+------------------------+-+----+------------------------------+-+--| '-V2CipherSuites ciphers-' '-V3CipherSuites ciphers-' '-V3CipherSuites4Char ciphers4-'
Parameters
- name
- A string
1 - 32 characters in length specifying the name of this TTLSCipherParms
statement.
Rule: If this TTLSCipherParms statement is not specified inline within another statement, a name value must be provided. If a name is not specified for an inline TTLSCipherParms statement, a nonpersistent system name is created.
- V2CipherSuites
- Specifies the SSL version 2 cipher suites in order of preference.
If a V2CipherSuites parameter is specified more than once, the values
are concatenated to create a single list of cipher suites. For System
SSL, the GSK_V2_CIPHER_SPECS value is set to the concatenated value.
The ciphers value is a string of one or more 1-character SSL version 2 ciphers or a single cipher constant. The cipher string cannot have blanks between each SSL version 2 cipher. If duplicate ciphers are specified, the first instance is used and all other instances are ignored. The maximum number of SSL version 2 ciphers is 10. For System SSL, see gsk_environment_open() in z/OS Cryptographic Services System SSL Programming for a list of valid cipher suites. Table 1 lists the supported cipher constants.
Table 1. V2CipherSuites Cipher constant Hexadecimal character TLS_RC4_128_WITH_MD5 1 TLS_RC4_128_EXPORT40_WITH_MD5 2 TLS_RC2_CBC_128_CBC_WITH_MD5 3 TLS_RC2_CBC_128_CBC_EXPORT40_WITH_MD5 4 TLS_DES_64_CBC_WITH_MD5 6 TLS_DES_192_EDE3_CBC_WITH_MD5 7 - V3CipherSuites
- Specifies the SSL ciphers Version 3,
TLS Version 1.0, TLS Version 1.1, or TLS Version 1.2 cipher suites
in order of preference. If a V3CipherSuites or V3CipherSuites4Char
parameter is specified more than once, the values are concatenated
to create a single list of cipher suites. For System SSL, the GSK_V3_CIPHER_SPECS_EXPANDED
value is set to the concatenated value.
The ciphers value is a string of one or more 2-hexadecimal character SSL ciphers Version 3, TLS version 1.0, TLS Version 1.1, or TLS Version 1.2 ciphers or a single cipher constant. The cipher string cannot have blanks between each SSL ciphers Version 3, TLS version 1.0, TLS Version 1.1, or TLS Version 1.2 cipher. If the string notation is used, you cannot specify any cipher values that require four character representation. Use the V3CipherSuites4Char parameter to specify four character cipher string values. If duplicate ciphers are specified, the first instance is used and all other instances ignored. The maximum number of ciphers that can be specified is 255. For System SSL, see gsk_environment_open() in z/OS Cryptographic Services System SSL Programming for a list of valid cipher suites. Table 2 lists the supported cipher constants.
- V3CipherSuites4Char
- Specifies the SSL ciphers Version 3,
TLS Version 1.0, TLS Version 1.1, or TLS Version 1.2 cipher suites
in order of preference. If a V3CipherSuites or V3CipherSuites4Char
parameter is specified more than once, the values are concatenated
to create a single list of cipher suites. For System SSL, the GSK_V3_CIPHER_SPECS_EXPANDED
value is set to the concatenated value.
The ciphers value is a string of one or more 4-hexadecimal character SSL ciphers Version 3, TLS version 1.0, TLS Version 1.1, or TLS Version 1.2 ciphers. The cipher string cannot have blanks between each SSL ciphers Version 3, TLS version 1.0, TLS Version 1.1, or TLS Version 1.2 cipher. Use the V3CipherSuites parameter to specify a cipher constant or 2-character cipher string values. If duplicate ciphers are specified, the first instance is used and all other instances ignored. The maximum number of ciphers that can be specified is 255.
For System SSL, see gsk_environment_open() in z/OS Cryptographic Services System SSL Programming for a list of valid cipher suites. Table 2 lists the supported cipher constants.
| Cipher constant | Hexadecimal character | Expanded character |
|---|---|---|
| TLS_NULL_WITH_NULL_NULL | 00 | 0000 |
| TLS_RSA_WITH_NULL_MD5 | 01 | 0001 |
| TLS_RSA_WITH_NULL_SHA | 02 | 0002 |
| TLS_RSA_EXPORT_WITH_RC4_40_MD5 | 03 | 0003 |
| TLS_RSA_WITH_RC4_128_MD5 | 04 | 0004 |
| TLS_RSA_WITH_RC4_128_SHA | 05 | 0005 |
| TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | 06 | 0006 |
| TLS_RSA_WITH_DES_CBC_SHA | 09 | 0009 |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | 0A | 000A |
| TLS_DH_DSS_WITH_DES_CBC_SHA | 0C | 000C |
| TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA | 0D | 000D |
| TLS_DH_RSA_WITH_DES_CBC_SHA | 0F | 000F |
| TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA | 10 | 0010 |
| TLS_DHE_DSS_WITH_DES_CBC_SHA | 12 | 0012 |
| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | 13 | 0013 |
| TLS_DHE_RSA_WITH_DES_CBC_SHA | 15 | 0015 |
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | 16 | 0016 |
| TLS_RSA_WITH_AES_128_CBC_SHA | 2F | 002F |
| TLS_DH_DSS_WITH_AES_128_CBC_SHA | 30 | 0030 |
| TLS_DH_RSA_WITH_AES_128_CBC_SHA | 31 | 0031 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | 32 | 0032 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA | 33 | 0033 |
| TLS_RSA_WITH_AES_256_CBC_SHA | 35 | 0035 |
| TLS_DH_DSS_WITH_AES_256_CBC_SHA | 36 | 0036 |
| TLS_DH_RSA_WITH_AES_256_CBC_SHA | 37 | 0037 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | 38 | 0038 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA | 39 | 0039 |
| TLS_RSA_WITH_NULL_SHA256 | 3B | 003B |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | 3C | 003C |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | 3D | 003D |
| TLS_DH_DSS_WITH_AES_128_CBC_SHA256 | 3E | 003E |
| TLS_DH_RSA_WITH_AES_128_CBC_SHA256 | 3F | 003F |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | 40 | 0040 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | 67 | 0067 |
| TLS_DH_DSS_WITH_AES_256_CBC_SHA256 | 68 | 0068 |
| TLS_DH_RSA_WITH_AES_256_CBC_SHA256 | 69 | 0069 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | 6A | 006A |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | 6B | 006B |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | 9C | 009C |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | 9D | 009D |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | 9E | 009E |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 9F | 009F |
| TLS_DH_RSA_WITH_AES_128_GCM_SHA256 | A0 | 00A0 |
| TLS_DH_RSA_WITH_AES_256_GCM_SHA384 | A1 | 00A1 |
| TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | A2 | 00A2 |
| TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | A3 | 00A3 |
| TLS_DH_DSS_WITH_AES_128_GCM_SHA256 | A4 | 00A4 |
| TLS_DH_DSS_WITH_AES_256_GCM_SHA384 | A5 | 00A5 |
| TLS_ECDH_ECDSA_WITH_NULL_SHA | C001 | |
| TLS_ECDH_ECDSA_WITH_RC4_128_SHA | C002 | |
| TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | C003 | |
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | C004 | |
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | C005 | |
| TLS_ECDHE_ECDSA_WITH_NULL_SHA | C006 | |
| TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | C007 | |
| TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | C008 | |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | C009 | |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | C00A | |
| TLS_ECDH_RSA_WITH_NULL_SHA | C00B | |
| TLS_ECDH_RSA_WITH_RC4_128_SHA | C00C | |
| TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | C00D | |
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | C00E | |
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | C00F | |
| TLS_ECDHE_RSA_WITH_NULL_SHA | C010 | |
| TLS_ECDHE_RSA_WITH_RC4_128_SHA | C011 | |
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | C012 | |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | C013 | |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | C014 | |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | C023 | |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | C024 | |
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | C025 | |
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | C026 | |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | C027 | |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | C028 | |
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | C029 | |
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | C02A | |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | C02B | |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | C02C | |
| TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | C02D | |
| TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 | C02E | |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | C02F | |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | C030 | |
| TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | C031 | |
| TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | C032 |
Requirement: If you plan to control access to the ICSF cryptographic support, TCP/IP and other applications must be permitted to access the ICSF/MVS cryptographic services (CSFSERV).
Guideline: If you do not have any reason to restrict access to the ICSF cryptographic support, you should not activate the CSFSERV resource class, define any of the profiles listed below, or permit any applications or users to these profiles. If you do need to set up controls in the CSFSERV resource class, enable the following resources.
Requirement: Elliptic Curve ciphers, defined as TLS_ECDH, TLS_ECDHE or TLS_ECDSA, require ICSF to be active.
- CSF1DVK
- CSF1GKP
- CSF1GAV
- CSF1PKS
- CSF1PKV
- CSF1TRC
- CSF1TRD
See Elliptic Curve Cryptography Support in z/OS Cryptographic Services System SSL Programming for additional information.
Requirement: AES-GCM ciphers require ICSF to be active.
- CSF1TRC
- CSF1SKD
- CSF1SKE
- CSF1TRD