Use the TTLSSignatureParms statement to define the client elliptic curve preferences and the signature algorithm pair specifications for an AT-TLS environment or an AT-TLS connection. A TTLSSignatureParms statement can be specified inline in a TTLSEnvironmentAction or TTLSConnectionAction statement or referenced by a TTLSEnvironmentAction or TTLSConnectionAction statement.
>>-TTLSSignatureParms--+------+--| Put Braces and Parameters on Separate Lines |->< '-name-' Put Braces and Parameters on Separate Lines |--+-{---------------------------------+------------------------| +-| TTLSSignatureParms Parameters |-+ '-}---------------------------------' TTLSSignatureParms Parameters |--+--------------------------------+---------------------------> +-ClientECurves -Any-------------+ '-ClientECurveParms - parameters-' >--+---------------------------------+--------------------------| '-SignaturePairsParms -parameters-' ClientECurveParms Parameters .---------------------------. V | |------ClientECurves -curves---+--------------------------------| SignaturePairsParms Parameters .--------------------------------. V | |------SignaturePairs -algorithms---+---------------------------|
Rule: If this TTLSSignatureParms statement is not specified inline in another statement, a name value must be provided. If a name is not specified for an inline TTLSSignatureParms statement, a nonpersistent system name is created.
Only curves that are recommended by NIST can be specified. To allow the use of Brainpool standard curves in addition to NIST standard curves for an SSL connection, the list must contain only the ANY curve name constant. If a ClientECurves parameter is specified more than once, the values are concatenated to create a single list of elliptic curve enumerators. The ANY curve name constant cannot be specified in combination with any NIST curves. For System SSL, the GSK_CLIENT_ECURVE_LIST value is set to the concatenated value or to NULL if ANY is specified.
The curves value is a string of one or more 4-character curve enumerators or a single curve name constant. The curve string cannot have blanks between the curve enumerators. If duplicate curves are specified, the first instance is used and all other instances are ignored. The maximum number of curves is 16. For System SSL, see Table 16. Supported elliptic curve definitions for TLS V1.0, TLS V1.1 and TLS V1.2 in z/OS Cryptographic Services System SSL Programming for a list of valid elliptic curves. Table 1 lists the supported elliptic curve name constants.
Elliptic curve name constants | Elliptic Curve Enumerator |
---|---|
secp192r1 | 0019 |
secp224r1 | 0021 |
secp256r1 | 0023 |
secp384r1 | 0024 |
secp521r1 | 0025 |
Requirement: Elliptic Curve requires ICSF to be active. See Elliptic Curve Cryptography Support in z/OS Cryptographic Services System SSL Programming for more information.
If a SignaturePairs parameter is specified more than once, the values are concatenated to create a single list of signature algorithm pairs. For System SSL, the GSK_TLS_SIG_ALG_PAIRS value is set to the concatenated value. If not specified, then System SSL will use a default list of acceptable signature algorithm pairs.
The algorithms value is a string of one or more 4-character TLS version 1.2 signature algorithm pairs or a single signature algorithm pair constant. The algorithm string cannot have blanks between each TLS version 1.2 signature algorithm pair. If duplicate signature algorithm pairs are specified, the first instance is used and all other instances are ignored. The maximum number of TLS version 1.2 signature algorithm pairs is 64. For System SSL, see Table 17. Signature Algorithm pair definitions for TLS V1.2 in z/OS Cryptographic Services System SSL Programming for a list of valid signature algorithm pairs. Table 2 lists the supported signature algorithm pair constants.
Signature algorithm pair constant | Hexadecimal characters |
---|---|
TLS_SIGALG_MD5_WITH_RSA | 0101 |
TLS_SIGALG_SHA1_WITH_RSA | 0201 |
TLS_SIGALG_SHA1_WITH_DSA | 0202 |
TLS_SIGALG_SHA1_WITH_ECDSA | 0203 |
TLS_SIGALG_SHA224_WITH_RSA | 0301 |
TLS_SIGALG_SHA224_WITH_DSA | 0302 |
TLS_SIGALG_SHA224_WITH_ECDSA | 0303 |
TLS_SIGALG_SHA256_WITH_RSA | 0401 |
TLS_SIGALG_SHA256_WITH_DSA | 0402 |
TLS_SIGALG_SHA256_WITH_ECDSA | 0403 |
TLS_SIGALG_SHA384_WITH_RSA | 0501 |
TLS_SIGALG_SHA384_WITH_ECDSA | 0503 |
TLS_SIGALG_SHA512_WITH_RSA | 0601 |
TLS_SIGALG_SHA512_WITH_ECDSA | 0603 |