Use the TTLSConnectionAction statement to specify attributes for a subset of connections that need attributes different from those specified on the TTLSEnvironmentAction or TTLSGroupAction statement that is referenced by the same TTLSRule statement.
Syntax
>>-TTLSConnectionAction--name--| Put Braces and Parameters on Separate Lines |-><
Put Braces and Parameters on Separate Lines
|--+-{-----------------------------------+----------------------|
+-| TTLSConnectionAction Parameters |-+
'-}-----------------------------------'
TTLSConnectionAction Parameters
|--+-----------------------------------------+------------------>
'-HandshakeRole--+-Client---------------+-'
+-Server---------------+
'-ServerWithClientAuth-'
>--+--------------------------+--------------------------------->
+-TTLSCipherParms----------+
'-TTLSCipherParmsRef name-'
>--+-----------------------------+------------------------------>
+-TTLSSignatureParms----------+
'-TTLSSignatureParmsRef name-'
>--+--------------------------+--+---------+-------------------->
'-CtraceClearText--+-Off-+-' '-Trace n-'
'-On--'
>--+-------------------------------------+---------------------->
+-TTLSConnectionAdvancedParms---------+
'-TTLSConnectionAdvancedParmsRef name-'
>--+--------------------------+---------------------------------|
'-ConnectionUserInstance n-'
Parameters
- name
- A string 1 - 32 characters in length specifying the name of this
TTLSConnectionAction statement.
- HandshakeRole
- Specifies the SSL handshake role to be taken. For System SSL,
the GSK_SESSION_TYPE value is set to the same value as the HandshakeRole.
If this value is specified on the TTLSConnectionAction statement,
it is used instead of the value from the TTLSEnvironmentAction statement
referenced by the same TTLSRule statement. Valid values are:
- Client
- Perform the SSL handshake as a client.
- Server
- Perform the SSL handshake as a server.
- ServerWithClientAuth
- Perform the SSL handshake as a server requiring client authentication.
- TTLSCipherParms
- An inline specification of a TTLSCipherParms statement. If this
value is specified on the TTLSConnectionAction statement, it is used
instead of the value from the TTLSEnvironmentAction statement referenced
by the same TTLSRule statement.
- TTLSCipherParmsRef
- The name of a globally defined TTLSCipherParms statement. If this
value is specified on the TTLSConnectionAction statement, it is used
instead of the value from the TTLSEnvironmentAction statement referenced
by the same TTLSRule statement.
- TTLSSignatureParms
- An inline specification of a TTLSSignatureParms statement. If
this value is specified on the TTLSConnectionAction statement, it
is used instead of the value from the TTLSEnvironmentAction statement
that is referenced by the same TTLSRule statement.
- TTLSSignatureParmsRef
- The name of a globally defined TTLSSignatureParms statement. If
this value is specified on the TTLSConnectionAction statement, it
is used instead of the value from the TTLSEnvironmentAction statement
that is referenced by the same TTLSRule statement.
- CtraceClearText
- Specifies whether application data traced using Ctrace or data
trace is shown as unencrypted data. This parameter applies only
to connections that have active AT-TLS security on the connection.
If this value is specified on the TTLSConnectionAction statement,
it is used instead of the value from the TTLSEnvironmentAction or
TTLSGroupAction statement referenced by the same TTLSRule statement.
Valid values are:
- Off
- Application data is not traced as clear text.
- On
- Application data is traced as clear text.
- Trace
- Specifies the level of Application Transparent Transport Layer
Security (AT-TLS) tracing. The valid values for n are
in the range 0 - 255. The sum of the numbers associated with each
level of tracing selected is the value that should be specified as n.
If n is an odd number, errors are written to the joblog, and all
other configured traces are sent to syslogd. If
this value is specified on the TTLSConnectionAction statement, it
is used instead of the value from the TTLSEnvironmentAction or TTLSGroupAction
statement referenced by the same TTLSRule statement.
- 0
- No tracing is enabled.
- 1 (Error)
- Errors are traced to the TCP/IP joblog.
- 2 (Error)
- Errors are traced to syslogd. The messages are issued with syslogd
priority code err.
- 4 (Info)
- Enables tracing of when a connection is mapped to an AT-TLS rule and
when a secure connection is successfully initiated. The
messages are issued with syslogd priority code info.
- 8 (Event)
- Tracing of major events is enabled. The messages are issued with
syslogd priority code debug.
- 16 (Flow)
- Tracing of system SSL calls is enabled. The messages are issued
with syslogd priority code debug.
- 32 (Data)
- Tracing of encrypted negotiation and headers is enabled. This
traces the negotiation of secure sessions. The messages are issued
with syslogd priority code debug.
- 64
- Reserved.
- 128
- Reserved.
- 255
- All tracing is enabled.
- TTLSConnectionAdvancedParms
- An inline specification of a TTLSConnectionAdvancedParms statement.
- TTLSConnectionAdvancedParmsRef
- The name of a globally defined TTLSConnectionAdvancedParms statement.
- ConnectionUserInstance
- Defines a configurable instance identifier for this TTLSConnectionAction
statement. The n value can be in the range
0 - 65535. This parameter can be used to signal a change to the
Policy Agent without modifying any of the other AT-TLS configuration
statements. This parameter can also be used as a field to be updated
when a change is made to this TTLSConnectionAction statement. This
enables the user to differentiate TTLSConnectionAction statements,
based on the instance identifier.
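As an added example (not taken from the original page), the following policy fragment shows a TTLSConnectionAction that overrides the environment's handshake role, cipher list and tracing for only the connections matched by one rule. The statement names (AdminPortRule, GroupAct1, EnvAct1, AdminConnAct, AdminCiphers), the port and the TTLSRule conditions are assumed values; GroupAct1, EnvAct1 and AdminCiphers are assumed to be defined elsewhere in the policy.

```text
# Added example; all statement names, the port and the rule conditions are assumed.
# Connections matched by this rule take their settings from EnvAct1 and GroupAct1,
# except where the TTLSConnectionAction below supplies a different value.
TTLSRule                       AdminPortRule
{
  LocalPortRange               8443
  Direction                    Inbound
  TTLSGroupActionRef           GroupAct1
  TTLSEnvironmentActionRef     EnvAct1
  TTLSConnectionActionRef      AdminConnAct
}

TTLSConnectionAction           AdminConnAct
{
  # Replaces the HandshakeRole from EnvAct1 (for example, Server) so that
  # clients on these connections must present a certificate.
  HandshakeRole                ServerWithClientAuth

  # Replaces the environment's cipher specification with a globally
  # defined TTLSCipherParms statement named AdminCiphers (assumed).
  TTLSCipherParmsRef           AdminCiphers

  # Keep application data out of Ctrace and data trace output on these
  # connections even while AT-TLS is active.
  CtraceClearText              Off

  # Trace is the sum of the selected levels:
  #   1 (errors to the TCP/IP joblog) + 2 (errors to syslogd)
  #   + 4 (info: rule mapping and successful session start) = 7.
  # 7 is odd, so errors go to the joblog and the rest to syslogd.
  Trace                        7

  # Increment this value when the statement changes so that a policy
  # refresh is signalled to the Policy Agent without editing other statements.
  ConnectionUserInstance       2
}
```

Because the statement carries no TTLSSignatureParms or TTLSConnectionAdvancedParms parameter, those attributes continue to come from EnvAct1 for the matched connections.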