Use the TTLSRule statement to define an AT-TLS rule. The FLUSH/NOFLUSH and PURGE/NOPURGE parameters can be used to specify whether AT-TLS policies are deleted at startup (and when a MODIFY REFRESH command is entered) and at shutdown, respectively.

The information provided on the TTLSRule statement defines an AT-TLS rule. The AT-TLS rule must have at least one local IP address, remote IP address, local port, remote port, job name, or user ID specification. The AT-TLS rule must have a direction specification and a TTLSGroupActionRef parameter. The AT-TLS rule can contain a priority, a TTLSConnectionActionRef parameter, a TTLSEnvironmentActionRef parameter, and an IpTimeCondition specification. An IpTimeCondition specification identifies a time period when the AT-TLS rule is in effect.
Syntax
>>-TTLSRule--name--| Put Braces and Parameters on Separate Lines |-><

Put Braces and Parameters on Separate Lines

|--+-{-----------------------+----------------------------------|
   +-| TTLSRule Parameters |-+
   '-}-----------------------'

TTLSRule Parameters

   .-LocalAddr--All------------------------.
|--+---------------------------------------+-------------------->
   +-LocalAddr--+-ipaddress--------------+-+
   |            +-ipaddress/prefixLength-+ |
   |            +-ipaddress-ipaddress----+ |
   |            '-All--------------------' |
   +-LocalAddrRef name---------------------+
   +-LocalAddrSetRef name------------------+
   '-LocalAddrGroupRef name----------------'

   .-RemoteAddr--All------------------------.
>--+----------------------------------------+------------------->
   +-RemoteAddr--+-ipaddress--------------+-+
   |             +-ipaddress/prefixLength-+ |
   |             +-ipaddress-ipaddress----+ |
   |             '-All--------------------' |
   +-RemoteAddrRef name---------------------+
   +-RemoteAddrSetRef name------------------+
   '-RemoteAddrGroupRef name----------------'

   .-LocalPortRange--0-------.  .-RemotePortRange--0-------.
>--+-------------------------+--+--------------------------+---->
   +-LocalPortRange--+-n---+-+  +-RemotePortRange--+-n---+-+
   |                 '-n m-' |  |                  '-n m-' |
   +-LocalPortRangeRef name--+  +-RemotePortRangeRef name--+
   '-LocalPortGroupRef name--'  '-RemotePortGroupRef name--'

>--+--------------+--+-------------+--Direction--+-Inbound--+--->
   '-Jobname name-'  '-Userid name-'             +-Outbound-+
                                                 '-Both-----'

   .-----------------------------.
   V                             |  .-Priority 1-.
>----+-------------------------+-+--+------------+-------------->
     +-IpTimeCondition---------+    '-Priority n-'
     '-IpTimeConditionRef name-'

>--TTLSGroupActionRef name--+-------------------------------+--->
                            '-TTLSEnvironmentActionRef name-'

>--+------------------------------+-----------------------------|
   '-TTLSConnectionActionRef name-'
Parameters
- name
- A string 1 - 32 characters in length specifying the name of this
TTLSRule statement.
- LocalAddr
- A local IP address the application is using for the connection
that must match for this rule's action to be performed. The application
can be explicitly bound to the IP address, or it can be chosen by
the TCP/IP stack.
- All
- Any local IP address matches this rule.
- ipaddress
- A single IP address.
- ipaddress/prefixLength
- The number of unmasked leading bits in the ipaddress value.
The prefixLength value can be in the range
0 - 32 for IPv4 addresses and 0 - 128 for IPv6 addresses. An IP address
matches this condition if its unmasked bits are identical to the unmasked
bits defined.
- ipaddress-ipaddress
- A range of IP addresses.
Tip: To create a rule that
matches only on local IPv4 addresses, code 0.0.0.0/0. To create
a rule that matches only on local IPv6 addresses, code ::/0.
- LocalAddrRef
- The name of a globally defined IpAddr statement to be used for
the local IP address specification.
- LocalAddrSetRef
- The name of a globally defined IpAddrSet statement to be used
for the local IP address prefix or range specification.
- LocalAddrGroupRef
- The name of a globally defined IpAddrGroup statement to be used
for the local IP address specification.
- RemoteAddr
- A remote IP address specification that must match for this rule's
action to be performed.
- All
- Any remote IP address matches this rule.
- ipaddress
- A single IP address.
- ipaddress/prefixLength
- The number of unmasked leading bits in the ipaddress value.
The prefixLength value can be in the range
0 - 32 for IPv4 addresses and 0 - 128 for IPv6 addresses. An
IP packet matches this condition if its unmasked bits are identical
to the unmasked bits defined.
- ipaddress-ipaddress
- A range of IP addresses.
Tip: To create a rule that
matches only on remote IPv4 addresses, code 0.0.0.0/0. To create a
rule that matches only on remote IPv6 addresses, code ::/0.
- RemoteAddrRef
- The name of a globally defined IpAddr statement to be used for
the remote IP address specification.
- RemoteAddrSetRef
- The name of a globally defined IpAddrSet statement to be used
for the remote IP address prefix or range specification.
- RemoteAddrGroupRef
- The name of a globally defined IpAddrGroup statement to be used
for the remote IP address specification.
- LocalPortRange
- A local port the application is bound to for this rule's action
to be performed.
Valid values for n are in the range 0 - 65535. If 0 is specified
for n, then the rule applies to any local port. If n is specified
as the beginning value for a range, then 0 is not a valid value.
If an m value is specified, it must be greater than or equal to n
and less than 65536.
Rule: Include a blank, a colon (:), or a dash (-) as the delimiter
between n and m.
- LocalPortRangeRef
- The name of a globally defined PortRange statement to be used
for the local port specification.
- LocalPortGroupRef
- The name of a globally defined PortGroup statement to be used
for the local port specification.
- RemotePortRange
- A remote port the application must be connecting to for this rule's
action to be performed.
Valid values for n are in the range 0 - 65535. If 0 is specified
for n, then the rule applies to any remote port. If n is specified
as the beginning value for a range, then 0 is not a valid value.
If an m value is specified, then it must be greater than or equal
to n and less than 65536.
Rule: Include a blank, a colon (:), or a dash (-) as the delimiter
between n and m.
- RemotePortRangeRef
- The name of a globally defined PortRange statement to be used
for the remote port specification.
- RemotePortGroupRef
- The name of a globally defined PortGroup statement to be used
for the remote port specification.
- Jobname
- The name value specifies the job name
of the application. This optional value specifies that, when the
traffic is mapped to an AT-TLS security level, a packet must be flowing
to or from an application with this job name for that packet to match
the set of traffic characteristics. The name value
must be 1 to 8 characters in length. It cannot include blanks or the "#"
character. A trailing asterisk indicates a wildcard specification.
The specified job name is not case sensitive, and is translated to
uppercase before being compared.
- Userid
- The name value specifies the corresponding
user name. This optional value specifies that, when the traffic
is mapped to an AT-TLS security level, a packet must be flowing to
or from an application that is running under this user ID for that
packet to match the set of traffic characteristics. The name value
must be 1 to 8 characters in length. It cannot include blanks or the "#"
character. A trailing asterisk indicates a wildcard specification.
The specified user ID is not case sensitive, and is translated to
uppercase before being compared.
- Direction
- Specifies the direction the connection must be initiated from
for this rule's action to be performed.
- Inbound
- A connection request has arrived inbound to the local host. An
application must do an accept to service this connection.
- Outbound
- A connection request is being initiated by the local host. An
application must have done a connect to initiate this connection.
- Both
- Inbound and Outbound connection requests match this rule.
- IpTimeCondition
- An inline specification of an IpTimeCondition statement. There
is a limit of 25 IpTimeCondition specifications on the TTLSRule statement.
- IpTimeConditionRef
- The name of a globally defined IpTimeCondition statement. There
is a limit of 25 IpTimeCondition references on the TTLSRule statement.
- Priority
- An integer value in the range 1 - 2000000000 that represents the
priority associated with the rule. The highest priority value is
2000000000.
Only one rule is ever mapped per connection. Rules
are searched for a match starting at the highest priority, so if multiple
rules could possibly be matched for a connection, the rule with the
highest priority is matched first. If multiple rules of the same
priority match, the rule that is mapped is difficult to predict.
If this attribute is not specified, the default priority is 1.
Guideline: When
setting the priority for multiple rules, do not set the priority as
a sequential value, for example, 2, 3, 4, 5. Instead, set the priority
to provide space to change the priority or to insert additional rules,
such that this rule is preferred over another rule, without duplicating
a priority. For example, the priorities could be configured as 20,
30, 40, 50.
- TTLSGroupActionRef
- The name of a globally defined TTLSGroupAction statement.
- TTLSEnvironmentActionRef
- The name of a globally defined TTLSEnvironmentAction statement.
- TTLSConnectionActionRef
- The name of a globally defined TTLSConnectionAction statement.
Rules:
- One of the following values must be specified:
  - Local address
  - Remote address
  - Local port
  - Remote port
  - Job name
  - Userid
- A TTLSEnvironmentActionRef is required if the TTLSGroupAction
specifies TTLSEnabled as On.
- CNF logic is used to evaluate complex AT-TLS rules (rules containing
multiple conditions). For a detailed description of AT-TLS condition evaluation using CNF logic,
see z/OS Communications Server: IP Configuration
Guide. An AT-TLS condition consists of the
following values from the TTLSRule statement:
  - Local IP Address
  - Remote IP Address
  - Local Port
  - Remote Port
  - Jobname
  - Userid
  - Service Direction
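The rule selection described under Priority and in the Rules list above, as an added Python example that is not part of this reference page or of z/OS Communications Server: it parses a constructed policy fragment (the names grpAct1, ftpEnv, defaultEnv and FTPD*, and the connection fields, are assumptions) and maps a connection to the highest-priority matching TTLSRule. It goes slightly beyond the page in that it accepts all three port-range delimiters and treats every condition coded on a rule as required, and it refuses to choose when two matching rules carry the same priority, since the page states that mapping is then unpredictable.

```python
import re
# Constructed sample policy in TTLSRule syntax (not from any real system); both rules can match inbound port 21.
POLICY = """
TTLSRule ftpServerRule
{
  LocalPortRange 21
  Jobname FTPD*
  Direction Inbound
  Priority 30
  TTLSGroupActionRef grpAct1
  TTLSEnvironmentActionRef ftpEnv
}
TTLSRule catchAllInbound
{
  LocalPortRange 1 1023
  Direction Inbound
  TTLSGroupActionRef grpAct1
  TTLSEnvironmentActionRef defaultEnv
}
"""
def parse_rules(text):
    """Parse each TTLSRule block into a dict of parameter -> value (subset of parameters)."""
    rules = []
    for name, body in re.findall(r"TTLSRule\s+(\S+)\s*\{(.*?)\}", text, re.S):
        rule = {"name": name, "Priority": "1"}  # Priority defaults to 1 when omitted
        rule.update(l.split(None, 1) for l in body.splitlines() if l.strip())
        rules.append(rule)
    return rules
def port_matches(spec, port):
    """0 means any port; 'n m' (blank, colon or dash delimited) is an inclusive range."""
    low, high = (int(p) for p in (re.split(r"[ :-]", spec) * 2)[:2])
    return low == 0 or low <= port <= high
def name_matches(spec, actual):
    """Jobname/Userid are compared in uppercase; a trailing '*' is a wildcard."""
    spec, actual = spec.upper(), actual.upper()
    return actual.startswith(spec[:-1]) if spec.endswith("*") else spec == actual
def rule_matches(rule, conn):
    """Every condition coded on the rule must hold; an omitted condition matches anything."""
    return (port_matches(rule.get("LocalPortRange", "0"), conn["lport"])
            and port_matches(rule.get("RemotePortRange", "0"), conn["rport"])
            and name_matches(rule.get("Jobname", "*"), conn["jobname"])
            and rule.get("Direction", "Both") in ("Both", conn["direction"]))
def select_rule(rules, conn):
    """Highest-priority matching rule -> (name, TTLSEnvironmentActionRef), or None."""
    hits = sorted((r for r in rules if rule_matches(r, conn)),
                  key=lambda r: int(r["Priority"]), reverse=True)
    if len(hits) > 1 and hits[0]["Priority"] == hits[1]["Priority"]:
        raise ValueError("equal priorities: the mapped rule is unpredictable")
    return (hits[0]["name"], hits[0].get("TTLSEnvironmentActionRef")) if hits else None
```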