Use the TTLSGroupAction statement to specify parameters for a Language Environment® process
required to support secure connections. The TTLSGroupAction statement indicates whether a
selected connection should use AT-TLS security. It can also specify the environment
variables with which the Language Environment process should be initiated.
Syntax
>>-TTLSGroupAction--name--| Put Braces and Parameters on Separate Lines |-><

Put Braces and Parameters on Separate Lines

|--+-{------------------------------+---------------------------|
   +-| TTLSGroupAction Parameters |-+
   '-}------------------------------'

TTLSGroupAction Parameters

                         .-CtraceClearText Off-----.
|--TTLSEnabled--+-On--+--+-------------------------+------------>
                '-Off-'  '-CtraceClearText-+-On--+-'
                                           '-Off-'

   .-Trace 2--.
>--+----------+--+--------------------------------+------------->
   '-Trace n-'   +-TTLSGroupAdvancedParms---------+
                 '-TTLSGroupAdvancedParmsRef name-'

   .-FIPS140 Off------.
>--+------------------+--+---------------------+----------------|
   '-FIPS140--+-On--+-'  '-GroupUserInstance n-'
              '-Off-'
Parameters
- name
- A string 1 - 32 characters in length specifying the name of this
TTLSGroupAction statement.
- TTLSEnabled
- Indicates the action that should be applied to connections using
this TTLSGroupAction statement.
- On
- AT-TLS security is active. Data might be encrypted, based on
other policy statements.
- Off
- AT-TLS security is not active. Data is sent in the clear.
- CtraceClearText
- Specifies whether application data traced using Ctrace or data
trace is shown as unencrypted data. This parameter applies only
to connections that have active AT-TLS security. CtraceClearText
can be specified on multiple actions referenced by a common
TTLSRule statement. The value specified on the TTLSGroupAction
statement can be overridden for particular AT-TLS environments by
specifying it on the TTLSEnvironmentAction statement, or for
particular connections by specifying it on the TTLSConnectionAction
statement. Valid values are:
- Off
- Application data is not traced as clear text. This is the default.
- On
- Application data is traced as clear text.
- Trace
- Specifies the level of AT-TLS tracing. The valid values for n are
in the range 0 - 255. Add the numbers associated with each level of
tracing that you select; the sum is the value to specify as n. If n
is an odd number, errors are written to the joblog and all other
configured traces are sent to syslogd. The Trace parameter can be
specified on multiple actions referenced by a common TTLSRule
statement. The value specified on the TTLSGroupAction statement can
be overridden for particular AT-TLS environments by specifying it on
the TTLSEnvironmentAction statement, or for particular connections
by specifying it on the TTLSConnectionAction statement.
- 0
- No tracing is enabled.
- 1 (Error)
- Errors are traced to the TCP/IP joblog.
- 2 (Error)
- Errors are traced to syslogd. This is the default. The messages
are issued with syslogd priority code err.
- 4 (Info)
- Tracing of instances when a connection is mapped to an AT-TLS
rule and when a secure connection is successfully initiated is enabled.
The messages are issued with syslogd priority code info.
- 8 (Event)
- Tracing of major events is enabled. The messages are issued with
syslogd priority code debug.
- 16 (Flow)
- Tracing of system SSL calls is enabled. The messages are issued
with syslogd priority code debug.
- 32 (Data)
- Tracing of encrypted negotiation and headers is enabled. This
traces the negotiation of secure sessions. The messages are issued
with syslogd priority code debug.
- 64
- Reserved.
- 128
- Reserved.
- 255
- All tracing is enabled.
- TTLSGroupAdvancedParms
- An inline specification of a TTLSGroupAdvancedParms statement.
- TTLSGroupAdvancedParmsRef
- The name of a globally defined TTLSGroupAdvancedParms statement.
- FIPS140
- Specifies whether FIPS 140 support is enabled for this group.
Enabling FIPS 140 mode provides a higher degree of assurance of the
integrity of the cryptographic modules that AT-TLS uses, including
ICSF and System SSL. However, enabling FIPS 140 mode might require
additional setup and configuration, and it restricts the available
set of cryptographic algorithms. Valid values are:
- Off
- Indicates that FIPS 140 is not supported for this group. This
is the default.
- On
- Indicates that FIPS 140 is supported for this group.
Requirement: ICSF must be active before starting AT-TLS groups
configured to support FIPS140. For information about configuring
ICSF to support FIPS 140-2, see Operating in compliance with
FIPS 140-2 in z/OS Cryptographic Services ICSF Writing PKCS #11
Applications.
If the CSFSERV class is defined, give the user ID that is associated
with the TCPIP stack, and any application user ID using the
TTLSGroup, READ access to the CSFRNG resource within the RACF®
CSFSERV class. If the CSFSERV class is defined and Diffie-Hellman
is being used, give the application user ID READ access to the
CSF1TRC, CSF1DVK, CSF1GKP, CSF1GSK, CSF1GAV, and CSF1TRD resources
within the RACF CSFSERV class.
- GroupUserInstance
- Defines a configurable instance identifier for this TTLSGroupAction
statement. The n value can be in the range 0 - 65535. This parameter
can be used to signal a change to the Policy Agent without modifying
any of the other AT-TLS configuration statements; for example, when
the contents of the Envfile have changed but the Envfile name is
unchanged, adding or updating the GroupUserInstance parameter
signals the Policy Agent to install a new TTLSGroupAction statement.
This parameter can also be used as a field to be updated whenever a
change is made to this TTLSGroupAction statement, which enables the
user to differentiate TTLSGroupAction statements based on the
instance identifier.
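As an added worked example (not IBM code and not part of this documentation), the following Python parses a constructed TTLSGroupAction statement written with braces and parameters on separate lines as the syntax diagram requires, checks it against the rules given above for name, TTLSEnabled, CtraceClearText, Trace, FIPS140, the TTLSGroupAdvancedParms and TTLSGroupAdvancedParmsRef alternatives and GroupUserInstance, and decomposes the Trace value into the level numbers listed under Trace. The statement text, the helper names and the assumption that # begins a comment are mine; an inline TTLSGroupAdvancedParms block is rejected rather than parsed, and the code does not reproduce the Policy Agent parser.

```python
"""Parse, validate and decode a TTLSGroupAction statement using the rules on this page.
Added example, not IBM code: the statement text is constructed, the helper names are
mine, and only the rules this page states are checked (name length, On/Off values,
numeric ranges, defaults, Trace bit values). It is not the Policy Agent parser.
"""
import re

# Constructed sample statement (not taken from a real system); '#' comments are assumed.
SAMPLE_POLICY = """TTLSGroupAction grpAct_FIPS
{
  TTLSEnabled                On
  CtraceClearText            Off
  Trace                      7     # 1 + 2 + 4: errors to joblog and syslogd, plus Info
  FIPS140                    On
  TTLSGroupAdvancedParmsRef  grpAdvParms_FIPS
  GroupUserInstance          3
}
"""

DEFAULTS = {"CtraceClearText": "Off", "Trace": "2", "FIPS140": "Off"}

# Trace level values and message destinations, from the Trace parameter description.
TRACE_LEVELS = {
    1: "Error -> TCP/IP joblog", 2: "Error -> syslogd (err)",
    4: "Info -> syslogd (info)", 8: "Event -> syslogd (debug)",
    16: "Flow -> syslogd (debug)", 32: "Data -> syslogd (debug)",
    64: "Reserved", 128: "Reserved",
}

STATEMENT_RE = re.compile(r"TTLSGroupAction\s+(\S+)\s*\{(.*?)\}", re.DOTALL)


def parse_group_action(text):
    """Return (name, {keyword: value}) for the first TTLSGroupAction statement in text."""
    match = STATEMENT_RE.search(text)
    if match is None:
        raise ValueError("no TTLSGroupAction statement found")
    name, body = match.group(1), match.group(2)
    if "{" in body:  # nested braces: the non-greedy match stopped inside an inline block
        raise ValueError("inline TTLSGroupAdvancedParms block is not handled by this example")
    params = {}
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumed: '#' starts a comment
        if line:
            keyword, _, value = line.partition(" ")
            params[keyword] = value.strip()
    return name, params


def decode_trace(n):
    """List the level values whose sum is Trace n; 255 means all tracing is enabled."""
    return list(TRACE_LEVELS) if n == 255 else [bit for bit in TRACE_LEVELS if n & bit]


def _int_in_range(value, lo, hi, keyword, errors):
    try:
        n = int(value)
    except ValueError:
        errors.append(f"{keyword} must be numeric")
        return None
    if not lo <= n <= hi:
        errors.append(f"{keyword} must be in the range {lo} - {hi}")
    return n


def validate_group_action(name, params):
    """Apply this page's rules; return (effective settings, errors, warnings)."""
    errors, warnings = [], []
    if not 1 <= len(name) <= 32:
        errors.append("name must be 1 - 32 characters")
    if params.get("TTLSEnabled") not in ("On", "Off"):
        errors.append("TTLSEnabled On or Off is required")
    for keyword in ("CtraceClearText", "FIPS140"):
        if params.get(keyword, DEFAULTS[keyword]) not in ("On", "Off"):
            errors.append(f"{keyword} must be On or Off")
    if "TTLSGroupAdvancedParms" in params and "TTLSGroupAdvancedParmsRef" in params:
        errors.append("specify TTLSGroupAdvancedParms inline or by Ref, not both")
    trace = _int_in_range(params.get("Trace", DEFAULTS["Trace"]), 0, 255, "Trace", errors)
    instance = (_int_in_range(params["GroupUserInstance"], 0, 65535, "GroupUserInstance", errors)
                if "GroupUserInstance" in params else None)
    effective = {
        "TTLSEnabled": params.get("TTLSEnabled"),
        "CtraceClearText": params.get("CtraceClearText", DEFAULTS["CtraceClearText"]),
        "FIPS140": params.get("FIPS140", DEFAULTS["FIPS140"]),
        "Trace": trace,
        "TraceLevels": decode_trace(trace) if trace is not None else [],
        "ErrorsToJoblog": trace is not None and trace % 2 == 1,  # odd n, per the page
        "GroupUserInstance": instance,
    }
    if effective["TTLSEnabled"] == "Off":
        warnings.append("TTLSEnabled Off: data on mapped connections is sent in the clear")
    if effective["FIPS140"] == "On":
        warnings.append("FIPS140 On: ICSF must be active before the group starts; "
                        "check READ access to CSFRNG in the RACF CSFSERV class")
    return effective, errors, warnings


def check_policy(text=SAMPLE_POLICY):
    """Parse then validate the first statement in a policy fragment."""
    return validate_group_action(*parse_group_action(text))
```

Calling check_policy() on the constructed sample reports no errors, shows Trace 7 as levels 1, 2 and 4 with errors going to the joblog because n is odd, and returns a reminder that ICSF must be active because FIPS140 is On. The same checks can be run over a statement copied from a policy file, provided TTLSGroupAdvancedParms is given by reference rather than inline.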