Use the TTLSSignatureParms statement to define the client elliptic curve preferences and the signature algorithm pair specifications for an AT-TLS environment or an AT-TLS connection. A TTLSSignatureParms statement can be specified inline in a TTLSEnvironmentAction or TTLSConnectionAction statement or referenced by a TTLSEnvironmentAction or TTLSConnectionAction statement.
Syntax
>>-TTLSSignatureParms--+------+--| Put Braces and Parameters on Separate Lines |->< '-name-' Put Braces and Parameters on Separate Lines |--+-{---------------------------------+------------------------| +-| TTLSSignatureParms Parameters |-+ '-}---------------------------------' TTLSSignatureParms Parameters |--+--------------------------------+---------------------------> +-ClientECurves -Any-------------+ '-ClientECurveParms - parameters-' >--+---------------------------------+--------------------------| '-SignaturePairsParms -parameters-' ClientECurveParms Parameters .---------------------------. V | |------ClientECurves -curves---+--------------------------------| SignaturePairsParms Parameters .--------------------------------. V | |------SignaturePairs -algorithms---+---------------------------|
Parameters
- name
- A string 1 - 32 characters in length that specifies the name of
this TTLSSignatureParms statement.
Rule: If this TTLSSignatureParms statement is not specified inline in another statement, a name value must be provided. If a name is not specified for an inline TTLSSignatureParms statement, a nonpersistent system name is created.
- ClientECurves
- Specifies the list of elliptic curves that are supported by the
client, in order of preference for use. The elliptical curve specifications
are used by the client to tell the server which elliptical curves
can be used when using cipher suites that use elliptical curve cryptography
for the TLSv1.0 protocol or later.
Only curves that are recommended by NIST can be specified. To allow the use of Brainpool standard curves in addition to NIST standard curves for an SSL connection, the list must contain only the ANY curve name constant. If a ClientECurves parameter is specified more than once, the values are concatenated to create a single list of elliptic curve enumerators. The ANY curve name constant cannot be specified in combination with any NIST curves. For System SSL, the GSK_CLIENT_ECURVE_LIST value is set to the concatenated value or to NULL if ANY is specified.
The curves value is a string of one or more 4-character curve enumerators or a single curve name constant. The curve string cannot have blanks between the curve enumerators. If duplicate curves are specified, the first instance is used and all other instances are ignored. The maximum number of curves is 16. For System SSL, see Table 16. Supported elliptic curve definitions for TLS V1.0, TLS V1.1 and TLS V1.2 in z/OS Cryptographic Services System SSL Programming for a list of valid elliptic curves. Table 1 lists the supported elliptic curve name constants.
Table 1. ClientEcurves Elliptic curve name constants Elliptic Curve Enumerator secp192r1 0019 secp224r1 0021 secp256r1 0023 secp384r1 0024 secp521r1 0025 Requirement: Elliptic Curve requires ICSF to be active. See Elliptic Curve Cryptography Support in z/OS Cryptographic Services System SSL Programming for more information.
- SignaturePairs
- Specifies the TLS version 1.2 signature algorithm pairs supported
for the server certificate. These pairs are sent by the client when
proposing use of the TLSv1.2 protocol to indicate to the server which
signature/hash algorithm pairs may be used in digital signatures of
the server certificate. SignaturePairs is only meaningful when performing
a handshake with a Server that supports the TLSv1.2 protocol and will
be ignored by any Server that only supports TLSv1.1 or earlier.
If a SignaturePairs parameter is specified more than once, the values are concatenated to create a single list of signature algorithm pairs. For System SSL, the GSK_TLS_SIG_ALG_PAIRS value is set to the concatenated value. If not specified, then System SSL will use a default list of acceptable signature algorithm pairs.
The algorithms value is a string of one or more 4-character TLS version 1.2 signature algorithm pairs or a single signature algorithm pair constant. The algorithm string cannot have blanks between each TLS version 1.2 signature algorithm pair. If duplicate signature algorithm pairs are specified, the first instance is used and all other instances are ignored. The maximum number of TLS version 1.2 signature algorithm pairs is 64. For System SSL, see Table 17. Signature Algorithm pair definitions for TLS V1.2 in z/OS Cryptographic Services System SSL Programming for a list of valid signature algorithm pairs. Table 2 lists the supported signature algorithm pair constants.
Table 2. SignaturePairs Signature algorithm pair constant Hexadecimal characters TLS_SIGALG_MD5_WITH_RSA 0101 TLS_SIGALG_SHA1_WITH_RSA 0201 TLS_SIGALG_SHA1_WITH_DSA 0202 TLS_SIGALG_SHA1_WITH_ECDSA 0203 TLS_SIGALG_SHA224_WITH_RSA 0301 TLS_SIGALG_SHA224_WITH_DSA 0302 TLS_SIGALG_SHA224_WITH_ECDSA 0303 TLS_SIGALG_SHA256_WITH_RSA 0401 TLS_SIGALG_SHA256_WITH_DSA 0402 TLS_SIGALG_SHA256_WITH_ECDSA 0403 TLS_SIGALG_SHA384_WITH_RSA 0501 TLS_SIGALG_SHA384_WITH_ECDSA 0503 TLS_SIGALG_SHA512_WITH_RSA 0601 TLS_SIGALG_SHA512_WITH_ECDSA 0603