TTLSRule statement

Use the TTLSRule statement to define an AT-TLS rule.

The FLUSH/NOFLUSH and PURGE/NOPURGE parameters can be used to specify whether or not AT-TLS policies are deleted at startup (and when a MODIFY REFRESH command is entered) and shutdown, respectively.

The information provided on the TTLSRule statement defines an AT-TLS rule. The AT-TLS rule must have at least one local IP address, remote IP address, local port, remote port, job name, or user ID specification. The AT-TLS rule must have a direction specification and a TTLSGroupActionRef parameter. The AT-TLS rule can contain a priority, a TTLSConnectionActionRef parameter, a TTLSEnvironmentActionRef parameter and an IpTimeCondition specification. An IpTimeCondition specification identifies a time period when the AT-TLS rule is in effect.

Syntax

>>-TTLSRule--name--| Put Braces and Parameters on Separate Lines |-><

Put Braces and Parameters on Separate Lines

|--+-{-----------------------+----------------------------------|
   +-| TTLSRule Parameters |-+   
   '-}-----------------------'   

TTLSRule Parameters

   .-LocalAddr--All------------------------.   
|--+---------------------------------------+-------------------->
   +-LocalAddr--+-ipaddress--------------+-+   
   |            +-ipaddress/prefixLength-+ |   
   |            +-ipaddress-ipaddress----+ |   
   |            '-All--------------------' |   
   +-LocalAddrRef name---------------------+   
   +-LocalAddrSetRef name------------------+   
   '-LocalAddrGroupRef name----------------'   

   .-RemoteAddr--All------------------------.   
>--+----------------------------------------+------------------->
   +-RemoteAddr--+-ipaddress--------------+-+   
   |             +-ipaddress/prefixLength-+ |   
   |             +-ipaddress-ipaddress----+ |   
   |             '-All--------------------' |   
   +-RemoteAddrRef name---------------------+   
   +-RemoteAddrSetRef name------------------+   
   '-RemoteAddrGroupRef name----------------'   

   .-LocalPortRange--0-------.  .-RemotePortRange--0-------.   
>--+-------------------------+--+--------------------------+---->
   +-LocalPortRange--+-n---+-+  +-RemotePortRange--+-n---+-+   
   |                 '-n m-' |  |                  '-n m-' |   
   +-LocalPortRangeRef name--+  +-RemotePortRangeRef name--+   
   '-LocalPortGroupRef name--'  '-RemotePortGroupRef name--'   

>--+--------------+--+-------------+--Direction--+-Inbound--+--->
   '-Jobname name-'  '-Userid name-'             +-Outbound-+   
                                                 '-Both-----'   

   .-----------------------------.                   
   V                             |  .-Priority 1-.   
>----+-------------------------+-+--+------------+-------------->
     +-IpTimeCondition---------+    '-Priority n-'   
     '-IpTimeConditionRef name-'                     

>--TTLSGroupActionRef name--+-------------------------------+--->
                            '-TTLSEnvironmentActionRef name-'   

>--+------------------------------+-----------------------------|
   '-TTLSConnectionActionRef name-'   

Parameters

name
A string 1 - 32 characters in length specifying the name of this TTLSRule statement.
LocalAddr
A local IP address the application is using for the connection that must match for this rule's action to be performed. The application can be explicitly bound to the IP address, or it can be chosen by the TCP/IP stack.
All
Any local IP address matches this rule.
ipaddress
A single IP address.
ipaddress/prefixLength
The number of unmasked leading bits in the ipaddress value. The prefixLength value can be in the range 0 - 32 for IPv4 addresses and 0 - 128 for IPv6 addresses. An IP address matches this condition if its unmasked bits are identical to the unmasked bits defined.
ipaddress-ipaddress
A range of IP addresses.

Tip: To create a rule that matches only on local IPv4 addresses, code 0.0.0.0/0. To create a rule that matches only on local IPv6 addresses, code ::/0.

LocalAddrRef
The name of a globally defined IpAddr statement to be used for the local IP address specification.
LocalAddrSetRef
The name of a globally defined IpAddrSet statement to be used for the local IP address prefix or range specification.
LocalAddrGroupRef
The name of a globally defined IpAddrGroup statement to be used for the local IP address specification.
RemoteAddr
A remote IP address specification that must match for this rule's action to be performed.
All
Any remote IP address matches this rule.
ipaddress
A single IP address.
ipaddress/prefixLength
The number of unmasked leading bits in the ipaddress value. The prefixLength value can be in the range 0 - 32 for IPv4 addresses and 0 - 128 for IPv6 addresses. An IP packet matches this condition if its unmasked bits are identical to the unmasked bits defined.
ipaddress-ipaddress
A range of IP addresses.

Tip: To create a rule that matches only on remote IPv4 addresses, code 0.0.0.0/0. To create a rule that matches only on remote IPv6 addresses, code ::/0.

RemoteAddrRef
The name of a globally defined IpAddr statement to be used for the remote IP address specification.
RemoteAddrSetRef
The name of a globally defined IpAddrSet statement to be used for the remote IP address prefix or range specification.
RemoteAddrGroupRef
The name of a globally defined IpAddrGroup statement to be used for the remote IP address specification.
LocalPortRange
A local port the application is bound to for this rule's action to be performed.

Valid values for n are in the range 0 - 65535. If 0 is specified for n, then the rule applies to any local port. If n is specified as the beginning value for a range, then 0 is not a valid value.

If an m value is specified, it must be greater than or equal to n and less than 65536.

Rule: Include a blank, a colon (:), or a dash (-) as a delimiter.

LocalPortRangeRef
The name of a globally defined PortRange statement to be used for the local port specification.
LocalPortGroupRef
The name of a globally defined PortGroup statement to be used for the local port specification.
RemotePortRange
A remote port the application must be connecting to for this rule's action to be performed.

Valid values for n are in the range 0 - 65535. If 0 is specified for n, then the rule applies to any remote port. If n is specified as the beginning value for a range, then 0 is not a valid value.

If an m value is specified, then it must be greater than or equal to n and less than 65536.

Rule: Include a blank, a colon (:), or a dash (-) as a delimiter.

RemotePortRangeRef
The name of a globally defined PortRange statement to be used for the remote port specification.
RemotePortGroupRef
The name of a globally defined PortGroup statement to be used for the remote port specification.
Jobname
The name value specifies the job name of the application. This optional value specifies that, when the traffic is mapped to an AT-TLS security level, a packet must be flowing to or from an application with this job name for that packet to match the set of traffic characteristics. The name value must be 1 to 8 characters in length. It cannot include blanks or the "#" character. A trailing asterisk indicates a wildcard specification. The specified job name is not case sensitive, and is translated to uppercase before being compared.
Userid
The name value specifies the corresponding user name. This optional value specifies that, when the traffic is mapped to an AT-TLS security level, a packet must be flowing to or from an application that is running under this user ID for that packet to match the set of traffic characteristics. The name value must be 1 to 8 characters in length. It cannot include blanks or the "#" character. A trailing asterisk indicates a wildcard specification. The specified user ID is not case sensitive, and is translated to uppercase before being compared.
Direction
Specifies the direction the connection must be initiated from for this rule's action to be performed.
Inbound
A connection request has arrived inbound to the local host. An application must do an accept to service this connection.
Outbound
A connection request is being initiated by the local host. An application must have done a connect to initiate this connection.
Both
Inbound and Outbound connection requests match this rule.
IpTimeCondition
An inline specification of an IpTimeCondition statement. There is a limit of 25 IpTimeCondition specifications on the TTLSRule statement.
IpTimeConditionRef
The name of a globally defined IpTimeCondition statement. There is a limit of 25 IpTimeCondition references on the TTLSRule statement.
Priority
An integer value in the range 1 - 2000000000 that represents the priority associated with the rule. The highest priority value is 2000000000.

Only one rule is ever mapped per connection. Rules are searched for a match starting at the highest priority, so if multiple rules could possibly be matched for a connection, the rule with the highest priority is matched first. If multiple rules of the same priority match, the rule that is mapped is difficult to predict. If this attribute is not specified, the default priority is 1.

Guideline: When setting the priority for multiple rules, do not set the priority as a sequential value, for example, 2, 3, 4, 5. Instead, set the priority to provide space to change the priority or to insert additional rules, such that this rule is preferred over another rule, without duplicating a priority. For example, the priorities could be configured as 20, 30, 40, 50.

TTLSGroupActionRef
The name of a globally defined TTLSGroupAction statement.
TTLSEnvironmentActionRef
The name of a globally defined TTLSEnvironmentAction statement.
TTLSConnectionActionRef
The name of a globally defined TTLSConnectionAction statement.
Rules:
  • One of the following values must be specified:
    • Local address
    • Remote address
    • Local port
    • Remote port
    • Job name
    • Userid
  • A TTLSEnvironmentActionRef is required if the TTLSGroupAction specifies TTLSEnabled as On.
  • CNF logic is used to evaluate complex AT-TLS rules (rules containing multiple conditions). For a detailed description of AT-TLS condition evaluation using CNF logic, see z/OS Communications Server: IP Configuration Guide. An AT-TLS condition is comprised of the following values from the TTLSRule statement:
    • Local IP Address
    • Remote IP Address
    • Local Port
    • Remote Port
    • Jobname
    • Userid
    • Service Direction
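The matching semantics described under Parameters (All/prefix/range address forms where 0.0.0.0/0 and ::/0 select one address family, port ranges where 0 means any port and 0 cannot start a range, trailing-asterisk Jobname and Userid wildcards compared in uppercase, Direction, and highest-Priority-first selection with unpredictable ties), as an added Python model; this is not code from z/OS Communications Server or from this reference. The rule set, the connection records and the dictionary field names are constructed for the example.

```python
import ipaddress

def addr_matches(spec, addr):
    # LocalAddr/RemoteAddr forms: All, ipaddress, ipaddress/prefixLength, ipaddress-ipaddress.
    # 0.0.0.0/0 and ::/0 match only IPv4 or only IPv6 respectively (address families never mix).
    if spec == "All":
        return True
    ip = ipaddress.ip_address(addr)
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return ip.version == net.version and ip in net
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-"))
        return ip.version == lo.version and lo <= ip <= hi
    return ip == ipaddress.ip_address(spec)

def port_matches(spec, port):
    # LocalPortRange/RemotePortRange: "0" = any port; "n" or "n m" / "n:m" / "n-m" = inclusive range.
    parts = spec.replace(":", " ").replace("-", " ").split()
    lo, hi = int(parts[0]), int(parts[-1])
    if len(parts) == 2 and (lo == 0 or hi < lo or hi > 65535):
        raise ValueError("invalid port range: " + spec)  # 0 cannot start a range; m >= n and m < 65536
    return lo == 0 or lo <= port <= hi

def name_matches(spec, value):
    # Jobname/Userid: compared after translation to uppercase; a trailing '*' is a wildcard.
    spec, value = spec.upper(), value.upper()
    return value.startswith(spec[:-1]) if spec.endswith("*") else spec == value

def rule_matches(rule, conn):
    return (addr_matches(rule.get("LocalAddr", "All"), conn["local_addr"])
            and addr_matches(rule.get("RemoteAddr", "All"), conn["remote_addr"])
            and port_matches(rule.get("LocalPortRange", "0"), conn["local_port"])
            and port_matches(rule.get("RemotePortRange", "0"), conn["remote_port"])
            and name_matches(rule.get("Jobname", "*"), conn["jobname"])
            and name_matches(rule.get("Userid", "*"), conn["userid"])
            and rule["Direction"] in ("Both", conn["direction"]))

def select_rule(rules, conn):
    # Only one rule maps per connection: highest Priority wins (default 1). Returns
    # (rule name or None, ambiguous); ambiguous flags a tie at the top priority, which the stack resolves unpredictably.
    hits = sorted((r for r in rules if rule_matches(r, conn)), key=lambda r: r.get("Priority", 1), reverse=True)
    if not hits:
        return None, False
    top = hits[0].get("Priority", 1)
    return hits[0]["name"], len(hits) > 1 and hits[1].get("Priority", 1) == top

RULES = [  # constructed sample rules (not a real policy); priorities spaced per the guideline, except one deliberate tie
    {"name": "FTPServerRule", "LocalPortRange": "21", "Jobname": "FTPD*", "Direction": "Inbound", "Priority": 30},
    {"name": "TN3270Rule", "LocalPortRange": "23", "Direction": "Inbound", "Priority": 30},
    {"name": "V6LowPortsRule", "RemoteAddr": "::/0", "LocalPortRange": "20 25", "Direction": "Both", "Priority": 30},
    {"name": "CatchAllInbound", "RemoteAddr": "0.0.0.0/0", "Direction": "Inbound"},  # Priority defaults to 1
]
```

Running select_rule over an IPv6 connection to local port 23 reports the TN3270Rule/V6LowPortsRule tie that the Priority guideline warns about; a reviewer of a real policy would resolve it by re-spacing the priorities.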