TTLSSignatureParms statement

Use the TTLSSignatureParms statement to define the client elliptic curve preferences and the signature algorithm pair specifications for an AT-TLS environment or an AT-TLS connection. A TTLSSignatureParms statement can be specified inline in a TTLSEnvironmentAction or TTLSConnectionAction statement or referenced by a TTLSEnvironmentAction or TTLSConnectionAction statement.

Syntax

>>-TTLSSignatureParms--+------+--| Put Braces and Parameters on Separate Lines |-><
                       '-name-'                                                    

Put Braces and Parameters on Separate Lines

|--+-{---------------------------------+------------------------|
   +-| TTLSSignatureParms Parameters |-+   
   '-}---------------------------------'   

TTLSSignatureParms Parameters

|--+--------------------------------+--------------------------->
   +-ClientECurves -Any-------------+   
   '-ClientECurveParms - parameters-'   

>--+---------------------------------+--------------------------|
   '-SignaturePairsParms -parameters-'   

ClientECurveParms Parameters

   .---------------------------.   
   V                           |   
|------ClientECurves -curves---+--------------------------------|

SignaturePairsParms Parameters

   .--------------------------------.   
   V                                |   
|------SignaturePairs -algorithms---+---------------------------|

Parameters

name
A string of 1 to 32 characters that specifies the name of this TTLSSignatureParms statement.

Rule: If this TTLSSignatureParms statement is not specified inline in another statement, a name value must be provided. If a name is not specified for an inline TTLSSignatureParms statement, a nonpersistent system name is created.

ClientECurves
Specifies the list of elliptic curves that are supported by the client, in order of preference for use. The client sends these elliptic curve specifications to tell the server which elliptic curves can be used with cipher suites that use elliptic curve cryptography, for the TLSv1.0 protocol or later.

Only curves that are recommended by NIST can be specified. To allow the use of Brainpool standard curves in addition to NIST standard curves for an SSL connection, the list must contain only the ANY curve name constant. If a ClientECurves parameter is specified more than once, the values are concatenated to create a single list of elliptic curve enumerators. The ANY curve name constant cannot be specified in combination with any NIST curves. For System SSL, the GSK_CLIENT_ECURVE_LIST value is set to the concatenated value or to NULL if ANY is specified.

The curves value is a string of one or more 4-character curve enumerators or a single curve name constant. The curve string cannot have blanks between the curve enumerators. If duplicate curves are specified, the first instance is used and all other instances are ignored. The maximum number of curves is 16. For System SSL, see Table 16, Supported elliptic curve definitions for TLS V1.0, TLS V1.1 and TLS V1.2, in z/OS Cryptographic Services System SSL Programming for a list of valid elliptic curves. Table 1 lists the supported elliptic curve name constants.

Table 1. ClientECurves
Elliptic curve name constant   Elliptic curve enumerator
secp192r1                      0019
secp224r1                      0021
secp256r1                      0023
secp384r1                      0024
secp521r1                      0025

Requirement: Elliptic Curve requires ICSF to be active. See Elliptic Curve Cryptography Support in z/OS Cryptographic Services System SSL Programming for more information.

SignaturePairs
Specifies the TLS version 1.2 signature algorithm pairs supported for the server certificate. These pairs are sent by the client when proposing use of the TLSv1.2 protocol to indicate to the server which signature/hash algorithm pairs may be used in digital signatures of the server certificate. SignaturePairs is only meaningful when performing a handshake with a server that supports the TLSv1.2 protocol and is ignored by any server that only supports TLSv1.1 or earlier.

If a SignaturePairs parameter is specified more than once, the values are concatenated to create a single list of signature algorithm pairs. For System SSL, the GSK_TLS_SIG_ALG_PAIRS value is set to the concatenated value. If not specified, then System SSL will use a default list of acceptable signature algorithm pairs.

The algorithms value is a string of one or more 4-character TLS version 1.2 signature algorithm pairs or a single signature algorithm pair constant. The algorithm string cannot have blanks between the TLS version 1.2 signature algorithm pairs. If duplicate signature algorithm pairs are specified, the first instance is used and all other instances are ignored. The maximum number of TLS version 1.2 signature algorithm pairs is 64. For System SSL, see Table 17, Signature Algorithm pair definitions for TLS V1.2, in z/OS Cryptographic Services System SSL Programming for a list of valid signature algorithm pairs. Table 2 lists the supported signature algorithm pair constants.

Table 2. SignaturePairs
Signature algorithm pair constant   Hexadecimal characters
TLS_SIGALG_MD5_WITH_RSA             0101
TLS_SIGALG_SHA1_WITH_RSA            0201
TLS_SIGALG_SHA1_WITH_DSA            0202
TLS_SIGALG_SHA1_WITH_ECDSA          0203
TLS_SIGALG_SHA224_WITH_RSA          0301
TLS_SIGALG_SHA224_WITH_DSA          0302
TLS_SIGALG_SHA224_WITH_ECDSA        0303
TLS_SIGALG_SHA256_WITH_RSA          0401
TLS_SIGALG_SHA256_WITH_DSA          0402
TLS_SIGALG_SHA256_WITH_ECDSA        0403
TLS_SIGALG_SHA384_WITH_RSA          0501
TLS_SIGALG_SHA384_WITH_ECDSA        0503
TLS_SIGALG_SHA512_WITH_RSA          0601
TLS_SIGALG_SHA512_WITH_ECDSA        0603
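The following is an added example, not part of this reference or of z/OS itself: it reads a constructed TTLSSignatureParms statement and applies the ClientECurves and SignaturePairs rules above (concatenation of repeated parameters, name constants, no blanks, first duplicate wins, ANY alone, 16 and 64 entry limits) to derive the values that reach GSK_CLIENT_ECURVE_LIST and GSK_TLS_SIG_ALG_PAIRS. The statement name sigParms01 and the function names are assumptions; only the name constants listed on this page are recognized, whereas System SSL accepts the larger lists in its Tables 16 and 17.

```python
import re
# Name constants and codes from Table 1 and Table 2 of this page.
CURVE_CONST = {"secp192r1": "0019", "secp224r1": "0021", "secp256r1": "0023",
               "secp384r1": "0024", "secp521r1": "0025"}
HASH = {"01": "MD5", "02": "SHA1", "03": "SHA224", "04": "SHA256", "05": "SHA384", "06": "SHA512"}
SIG = {"01": "RSA", "02": "DSA", "03": "ECDSA"}
SIGALG_CODES = ["0101", "0201", "0202", "0203", "0301", "0302", "0303",
                "0401", "0402", "0403", "0501", "0503", "0601", "0603"]
SIGALG_CONST = {f"TLS_SIGALG_{HASH[c[:2]]}_WITH_{SIG[c[2:]]}": c for c in SIGALG_CODES}
# Constructed sample statement (not from the page); parameters are repeated on purpose.
SAMPLE_POLICY = """\
TTLSSignatureParms sigParms01
{
  ClientECurveParms
  {
    ClientECurves 00230024
    ClientECurves secp256r1
  }
  SignaturePairsParms
  {
    SignaturePairs 04030503
    SignaturePairs TLS_SIGALG_SHA256_WITH_RSA
  }
}
"""
def values_of(policy, keyword):  # every value given for keyword, in file order
    return re.findall(rf"^\s*{keyword}\s+(\S+)\s*$", policy, re.M)

def expand(values, consts, label, limit):  # concatenate repeats; first duplicate wins
    codes = []
    for v in values:
        if v in consts:                                # a single name constant
            chunks = [consts[v]]
        elif re.fullmatch(r"(?:[0-9A-Fa-f]{4})+", v):  # 4-char codes, no blanks
            chunks = [v[i:i + 4] for i in range(0, len(v), 4)]
        else:
            raise ValueError(f"invalid {label} value: {v!r}")
        codes += [c for i, c in enumerate(chunks) if c not in codes + chunks[:i]]
    if len(codes) > limit:
        raise ValueError(f"{label}: more than {limit} entries")
    return codes

def client_ecurve_list(values):  # GSK_CLIENT_ECURVE_LIST; None stands for NULL
    if values == ["ANY"]:  # ANY alone: NIST and Brainpool curves allowed, GSK gets NULL
        return None
    return "".join(expand(values, CURVE_CONST, "ClientECurves", 16))

def sig_alg_pairs(values):  # GSK_TLS_SIG_ALG_PAIRS plus readable hash/signature names
    codes = expand(values, SIGALG_CONST, "SignaturePairs", 64)
    return "".join(codes), [f"{HASH.get(c[:2], '?')}_WITH_{SIG.get(c[2:], '?')}" for c in codes]
```

ANY combined with a NIST curve, or a value containing a blank, is rejected by expand because neither is a name constant nor a run of 4-character codes.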