Netstat TTLS/-x report

Displays Application Transparent Transport Layer Security (AT-TLS) information. AT-TLS supports only TCP protocol connections.

TSO syntax

>>---NETSTAT--TTLS--| Modifier |--| Target |--| Output |-------><

Modifier

   .-GRoup--------------------.   
>>-+--------------------------+--------------------------------><
   +-COnn--connid--+--------+-+   
   |               '-DETAIL-' |   
   '-GRoup--+--------+--------'   
            '-DETAIL-'            

COnn connid
Displays AT-TLS information for the specified connection. This information includes the name of the AT-TLS policy rule and the names of the associated actions. The specified connid value is a number assigned by the TCP/IP stack to uniquely identify a socket entity. You can determine the connid from the Conn column in the Netstat ALLCOnn/-a report.
DETAIL
Displays the AT-TLS policy rule and the associated action details for the specified connection.
GRoup
Displays summary information for AT-TLS groups. AT-TLS groups are defined using the policy statement TTLSGroupAction. The AT-TLS group remains active as long as the TTLSGroupAction is current or there are active connections using the group.
DETAIL
Displays detailed information for AT-TLS groups.

Target

Provide the report for a specific TCP/IP address space by using TCp tcpname. See The Netstat command target for more information about the TCp parameter.

Output

The default output option displays the output on the user's terminal. For other options, see The TSO NETSTAT command syntax or Netstat command output.

z/OS UNIX syntax

>>---netstat-- -x--| Modifier |--| Target |--| Output |--------><

Modifier

   .-GRoup--------------------.   
>>-+--------------------------+--------------------------------><
   +-COnn--connid--+--------+-+   
   |               '-DETAIL-' |   
   '-GRoup--+--------+--------'   
            '-DETAIL-'            

COnn connid
Displays AT-TLS information for the specified connection. This information includes the name of the AT-TLS policy rule and the names of the associated actions. The specified connid is a number assigned by the TCP/IP stack to uniquely identify a socket entity. You can determine the connid from the Conn column in the Netstat ALLCOnn/-a report.
DETAIL
Displays the AT-TLS policy rule and the associated action details for the specified connection.
GRoup
Displays summary information for AT-TLS groups. AT-TLS groups are defined using the policy statement TTLSGroupAction. The AT-TLS group remains active as long as the TTLSGroupAction is current or there are active connections using the group.
DETAIL
Displays detailed information for AT-TLS groups.

Target

Provide the report for a specific TCP/IP address space by using TCp tcpname. See The Netstat command target for more information about the TCp parameter.

Output

The default output option displays the output on the user's terminal. For other options, see The TSO NETSTAT command syntax or Netstat command output.

Command syntax examples

From TSO environment

NETSTAT TTLS   (defaults to NETSTAT TTLS GROUP)
NETSTAT TTLS CONN 1B TCP TCPCS8
   Display summary AT-TLS information for the specified connection in the TCPCS8
   stack.
NETSTAT TTLS CONN 1B DETAIL TCP TCPCS8
   Display detailed AT-TLS information for the specified connection in the TCPCS8
   stack.
NETSTAT TTLS GROUP
   Display summary information for active AT-TLS groups.
NETSTAT TTLS GROUP DETAIL
   Display detailed information for active AT-TLS groups. 

From UNIX shell environment

   netstat -x        (defaults to -x GROUP)                                     
   netstat -x CONN 1b -p tcpcs8                                                 
   netstat -x CONN 1b DETAIL -p tcpcs8                                          
   netstat -x GROUP                                                             
   netstat -x GROUP DETAIL 

COnn report examples

The following examples are generated by using the TSO NETSTAT command. The z/OS UNIX netstat command displays the data in the same format as the TSO NETSTAT command.

MVS TCP/IP NETSTAT CS V2R1       TCPIP Name: TCPCS           19:51:22 
 ConnID: 000000B8                                                      
   JobName:      FTPD1                                                 
   LocalSocket:  ::ffff:127.0.0.1..21                                  
   RemoteSocket: ::ffff:127.0.0.1..1030                                
   SecLevel:     TLS Version 1.2                                       
   Cipher:       C001 TLS_ECDH_ECDSA_WITH_NULL_SHA                     
   CertUserID:   N/A                                                   
   MapType:      Primary                                               
   FIPS140:      Off                                                   
 TTLSRule: ftp_serv_21                                                 
   TTLSGrpAction:  grp_act1                                            
   TTLSEnvAction:  env_act_serv                                        

MVS TCP/IP NETSTAT CS V2R1       TCPIP Name: TCPCS           19:51:53
ConnID: 000000B8                                                     
  JobName:      FTPD1                                                
  LocalSocket:  ::ffff:127.0.0.1..21                                 
  RemoteSocket: ::ffff:127.0.0.1..1030                               
  SecLevel:     TLS Version 1.2                                      
  Cipher:       C001 TLS_ECDH_ECDSA_WITH_NULL_SHA                    
  CertUserID:   N/A                                                  
  MapType:      Primary                                              
  FIPS140:      Off                                                  
TTLSRule: ftp_serv_21                                                
  Priority:       1                                                  
  LocalAddr:      All                                             
  LocalPort:      21                                              
  LocalPort:      2021                                            
  LocalPortFrom:  620                LocalPortTo:  621            
  RemoteAddr:     All                                             
  RemotePort:     All                                             
  Direction:      Inbound                                         
  TTLSGrpAction:  grp_act1                                        
    GroupID:                    00000006                          
    GroupUserInstance:          6                                 
    TTLSEnabled:                On                                
    Envfile:                    /tmp/grp1.env                     
    CtraceClearText:            On                                
    Trace:                      255                               
    SyslogFacility:             Daemon                            
    SecondaryMap:               Off                               
    FIPS140:                    Off                               
  TTLSEnvAction:  env_act_serv                                    
    EnvironmentUserInstance:    8                                 
    HandshakeRole:              Server                            
    Keyring:                    /u/user3/testdb                   
    KeyringPW:                  Yes                               
    V3CipherSuites:             C001 TLS_ECDH_ECDSA_WITH_NULL_SHA 
                                C002 TLS_ECDH_ECDSA_WITH_RC4_128_S
                                     HA                           
                                C003 TLS_ECDH_ECDSA_WITH_3DES_EDE_
                                     CBC_SHA                      
                                C004 TLS_ECDH_ECDSA_WITH_AES_128_C
                                     BC_SHA                       
    CtraceClearText:            On                                
    Trace:                      255                               
    SSLV2:                      Off                               
    SSLV3:                      On                                
    TLSV1:                      On                                
    TLSV1.1:                    On                                
    TLSV1.2:                    On                                
    ResetCipherTimer:           0                                 
    ApplicationControlled:      On                                
    HandshakeTimeout:           10                                
    CertificateLabel:           ecdh_ecdsa_secp384r1              
    SecondaryMap:               On                                
    TruncatedHMAC:              Off   
    ClientMaxSSLFragment:       Off     
    ServerMaxSSLFragment:       Off
    ClientHandshakeSNI:         Off
    ServerHandshakeSNI:         Off
    ClientAuthType:             Required
    CertValidationMode:         Any
    Renegotiation:              Default
    RenegotiationIndicator:     Optional
    RenegotiationCertCheck:     Off
    SuiteBProfile:              Off
    GSK_CRL_CACHE_TIMEOUT:      0
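As an added example (it is not part of this IBM reference and not IBM code), the following Python script parses a CONN DETAIL report of the form shown above into a tree keyed by field name, resolves the effective value of an attribute in the order the Result notes below describe (TTLSConnectionAction, then TTLSEnvironmentAction, then TTLSGroupAction), and flags the settings a reviewer would question in the example connection: a NULL cipher, SSLv3 and TLSv1.0 enabled, RC4 and 3DES suites, and a ClientAuthType that has no effect because HandshakeRole is Server rather than ServerWithClientAuth. The embedded report is constructed from the example above, trimmed, with the wrapped cipher-suite names rejoined and CtraceClearText set Off on the environment action so the override is visible; the weak-suite markers and the finding texts are the script's own choices.

```python
"""Parse a NETSTAT TTLS CONN connid DETAIL report and flag weak AT-TLS settings."""
import re

# Constructed sample: the CONN DETAIL report on this page, trimmed, with the wrapped
# V3CipherSuites names rejoined and CtraceClearText set Off on the environment action.
SAMPLE_REPORT = """\
MVS TCP/IP NETSTAT CS V2R1       TCPIP Name: TCPCS           19:51:53
ConnID: 000000B8
  LocalSocket:  ::ffff:127.0.0.1..21
  SecLevel:     TLS Version 1.2
  Cipher:       C001 TLS_ECDH_ECDSA_WITH_NULL_SHA
TTLSRule: ftp_serv_21
  LocalPort:      21
  LocalPort:      2021
  LocalPortFrom:  620                LocalPortTo:  621
  TTLSGrpAction:  grp_act1
    CtraceClearText:            On
  TTLSEnvAction:  env_act_serv
    HandshakeRole:              Server
    V3CipherSuites:             C001 TLS_ECDH_ECDSA_WITH_NULL_SHA
                                C002 TLS_ECDH_ECDSA_WITH_RC4_128_SHA
                                C003 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
                                C004 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    CtraceClearText:            Off
    SSLV2:                      Off
    SSLV3:                      On
    TLSV1:                      On
    ClientAuthType:             Required
"""

KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.]+):\s*(.*)$")
SPLIT_RE = re.compile(r"\s{2,}([A-Za-z0-9_.]+):\s*(.*)$")  # 2nd pair on one line

def parse_report(text):
    """Tree keyed by field name, nested by indentation: node = {"value": [..], "children": {}}.
    A key repeated at one level (LocalPort) or wrapped (V3CipherSuites) extends its value list."""
    root = {"value": [], "children": {}}
    stack, last = [(-1, root)], None              # (indent, node)
    for line in text.splitlines():
        if not line.strip() or line.startswith("MVS TCP/IP NETSTAT"):
            continue
        m = KEY_RE.match(line)
        if not m:                                 # no "Key:" -> continuation line
            if last is not None:
                last["value"].append(line.strip())
            continue
        indent, key, val = len(m.group(1)), m.group(2), m.group(3)
        pairs, s = [(key, val)], SPLIT_RE.search(val)
        if s:                                     # e.g. LocalPortFrom ... LocalPortTo
            pairs = [(key, val[:s.start()]), (s.group(1), s.group(2))]
        while stack[-1][0] >= indent:             # leave deeper and sibling levels
            stack.pop()
        for k, v in pairs:
            last = stack[-1][1]["children"].setdefault(k, {"value": [], "children": {}})
            if v.strip():
                last["value"].append(v.strip())
        stack.append((indent, last))
    return root

def value(node, *path):
    """Follow child names; return that field's value list, or [] if absent."""
    for name in path:
        node = node["children"].get(name)
        if node is None:
            return []
    return node["value"]

def effective(rule, name):
    """Most specific action wins: TTLSConnAction, then TTLSEnvAction, then TTLSGrpAction."""
    for action in ("TTLSConnAction", "TTLSEnvAction", "TTLSGrpAction"):
        v = value(rule, action, name)
        if v:
            return v
    return []

WEAK = ("NULL", "RC4", "3DES", "_DES_", "EXPORT")

def audit(tree):
    """Findings a reviewer would raise for the connection described by the report."""
    conn, rule = tree["children"].get("ConnID"), tree["children"].get("TTLSRule")
    if conn is None or rule is None:
        return ["report lacks a ConnID or TTLSRule section"]
    out = []
    cipher = value(conn, "Cipher")
    if cipher and "NULL" in cipher[0]:
        out.append(f"negotiated cipher {cipher[0]} authenticates but does not encrypt")
    for proto in ("SSLV2", "SSLV3", "TLSV1"):
        if effective(rule, proto)[:1] == ["On"]:
            out.append(f"{proto} is enabled by the mapped policy")
    for suite in effective(rule, "V3CipherSuites"):
        if any(w in suite for w in WEAK):
            out.append(f"weak suite configured: {suite}")
    if effective(rule, "CtraceClearText")[:1] == ["On"]:
        out.append("CtraceClearText On: traces will contain decrypted application data")
    if effective(rule, "HandshakeRole") == ["Server"] and effective(rule, "ClientAuthType"):
        out.append("ClientAuthType is set but HandshakeRole is Server: no client certificate is requested")
    return out
```

To use it on a live system, save the output of NETSTAT TTLS CONN connid DETAIL (or netstat -x CONN connid DETAIL) to a file and call audit(parse_report(open(path).read())). The parser relies only on the indentation and "Field: value" layout of the report, so fields this page does not list are still captured and can be checked with value() or effective().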

Report field descriptions

Result: A field in a policy rule or policy action is displayed only when a value was configured for that attribute or when the attribute has a default value. Fields that were left undefined and have no default value are not displayed.

ApplicationControlled
Indicates whether the owning application can request AT-TLS security for the connection using the SIOCTTLSCTL IOCTL call.

Result: For a particular connection, the ApplicationControlled value on the TTLSConnectionAction, if specified, overrides the ApplicationControlled value on the TTLSEnvironmentAction.

CertificateLabel
The label of the authentication key used for the connection.

Result: For a particular connection, the CertificateLabel value on the TTLSConnectionAction statement, if specified, overrides the CertificateLabel value on the TTLSEnvironmentAction statement. If a CertificateLabel value is not specified on either the TTLSConnectionAction statement or the TTLSEnvironmentAction statement, the keyring default certificate is used.

CertUserID
The user ID, if any, that is associated with the partner's certificate. If no associated user ID is available, N/A is displayed.
CertValidationMode
The method of certificate validation that is in use for this connection. See the following possible values:
  • The default value, any, means that any supported X.509 certificate validation method can be used.
  • RFC2459, indicates that certificates are validated using the method described in RFC2459.
  • RFC3280, indicates that certificates are validated using the method described in RFC3280.
Cipher
The cipher currently in use for encryption and decryption of data for the connection.
ClientAuthType
The level of Client Authentication used when the HandshakeRole is set to a value of ServerWithClientAuth. See the following possible values:
  • The default value, Required, means that the client must present a certificate and that the certificate must pass verification.
  • PassThru indicates that a certificate is not required and that no verification is attempted.
  • Full indicates that the certificate is validated if the client presents one, but that the client is not required to present one.
  • SAFCheck indicates that the client must present a certificate that must pass validation and be associated with a user ID in the security product.
ClientECurves
The list of elliptic curves that are supported by the client in the sequence of preference for use. The elliptic curve specifications are used by the client to guide the server as to which elliptic curves can be used when using cipher suites that use elliptic curve cryptography for the TLSv1.0 and higher protocols. Both the four-character value of the elliptic curve and the constant of the elliptic curve name are shown for each member of the list. The curve name Any indicates that both Brainpool standard curves and NIST standard curves can be used.
ClientMaxSSLFragment
For TLSv1.0 and higher protocols, this field specifies the client level of support for client-specified SSL fragment size on the connection. See the following possible values:
  • Required indicates that maximum SSL fragment size support must be accepted by the server. Connections are closed if the server does not support the maximum SSL fragment size extension.
  • Optional indicates that maximum SSL fragment size support is used if the server supports the function, but connections to servers that do not support this extension are accepted.
  • Off indicates that maximum SSL fragment size support is not available; the TLS extension is not enabled. If the server requires SSL fragment size support, the client will be unable to connect. This is the default.

Result: For a particular connection, the ClientMaxSSLFragment value on the TTLSConnectionAction statement, if specified, overrides the ClientMaxSSLFragment value on the TTLSEnvironmentAction statement.

ClientMaxSSLFragmentLength
For SSL clients that use TLSv1.0 or higher protocols, specifies the maximum SSL fragment size to request on the connection, in bytes. See the following possible values:
  • 512
  • 1024
  • 2048
  • 4096

Result: For a particular connection, the ClientMaxSSLFragmentLength value on the TTLSConnectionAction statement, if specified, overrides the ClientMaxSSLFragmentLength value on the TTLSEnvironmentAction statement.

ClientHandshakeSNI
For TLSv1.0 and higher protocols, this field specifies the client level of support for client-specified server names on the connection handshake. See the following possible values:
  • Required indicates that client-specified server name support must be accepted by the server. Connections are closed if the server does not support the client-specified server name extension.
  • Optional indicates that client-specified server name support is used if the server supports the function, but connections to servers that do not support this extension are accepted.
  • Off indicates that client-specified server name support is not available; the TLS extension is not enabled. If the server requires client-specified server name support, the client is unable to connect. This is the default value.
Result: For a particular connection, the ClientHandshakeSNI value on the TTLSConnectionAction statement, if specified, overrides the ClientHandshakeSNI value on the TTLSEnvironmentAction statement.
ClientHandshakeSNIMatch
For SSL clients using TLSv1.0 or higher protocols that might negotiate server name indication, this field specifies the level at which the client requires the client-specified server name to match a server name in the list of names that is maintained by the TLS server. See the following possible values:
  • Required indicates that a server name in the list of server names provided by the TLS client must match a server name in the server name/certificate label list at the TLS server. The connection ends if no match can be found for the server name.
  • Optional indicates that connections are allowed to continue if no match is found for the server name. This is the default value.
Result: For a particular connection, the ClientHandshakeSNIMatch value on the TTLSConnectionAction statement, if specified, overrides the ClientHandshakeSNIMatch value on the TTLSEnvironmentAction statement.
ClientHandshakeSNIList
For SSL clients using TLSv1.0 or higher protocols that might negotiate server name indication, specifies a server name or names the client will pass to the server.

Result: For a particular connection, the ClientHandshakeSNIList value on the TTLSConnectionAction statement, if specified, overrides the ClientHandshakeSNIList value on the TTLSEnvironmentAction statement.

ConnID
The TCP/IP stack defined unique connection ID representing the connection.
ConnectionUserInstance
The instance identifier configured for the TTLSConnectionAction statement that is in use by the connection. The instance number can be used to signal a change without modifying other configuration statements. Valid values are in the range 0–65535.
CtraceClearText
Indicates whether application data traced for the connection, using Ctrace or data trace, is shown as unencrypted data. When the value is On, the trace output contains the decrypted application payload, so the trace data sets need the same protection as the data itself.

Result: For a particular connection, the CtraceClearText value on the TTLSConnectionAction statement, if specified, overrides the CtraceClearText value on the TTLSEnvironmentAction statement which, in turn, (if specified) overrides the CtraceClearText value on the TTLSGroupAction statement.

Direction
The connection direction condition specified in the policy rule that was mapped to the connection. See the following possible values:
  • Inbound indicates that a connection request must arrive inbound to the local host to satisfy the rule.
  • Outbound indicates that a connection request must be initiated by the local host to satisfy the rule.
  • Both indicates that both Inbound and Outbound connection requests will match the rule.
The connection must match this condition.
Envfile
The name of the file that contains environment variables that are in use by the connection's language environment. The language environment was initialized with the CEE_ENVFILE environment variable set to this file. Environment variables such as CEE_RUNOPTS can be set in this file.
EnvironmentUserInstance
The instance identifier that is configured for the TTLSEnvironmentAction statement in use by the connection. The instance number can be used to signal a change without modifying other configuration statements. Valid values are in the range 0–65535.
FIPS140
Indicates whether FIPS 140 support is enabled for the AT-TLS group to which the connection belongs.
GroupID
A value generated by AT-TLS that uniquely identifies the group of AT-TLS language environments (the AT-TLS group) to which the connection belongs.
GroupUserInstance
The instance identifier that is configured for the TTLSGroupAction statement in use by the connection. The instance number can be used to signal a change without modifying other configuration statements. Valid values are in the range 0–65535.
GSK_CRL_CACHE_TIMEOUT
The certificate revocation list (CRL) cache timeout for the AT-TLS environment to which the connection belongs. This is the number of hours that a cached CRL remains valid. The value 0 indicates that CRL caching is disabled. See z/OS Cryptographic Services System SSL Programming for details.
GSK_CRL_SECURITY_LEVEL
The certificate revocation list (CRL) security level for the AT-TLS environment to which the connection belongs. See the following possible values:
  • Low indicates that certificate validation does not fail if the LDAP server cannot be contacted.
  • Medium indicates that certificate validation requires the LDAP server to be contactable, but does not require a CRL to be defined. This is the default.
  • High indicates that certificate validation requires the LDAP server to be contactable, and a CRL to be defined.
GSK_LDAP_SERVER
The LDAP server host names for the AT-TLS environment to which the connection belongs. Each name can contain an optional port number separated from the name by a colon. See z/OS Cryptographic Services System SSL Programming for details.
GSK_LDAP_SERVER_PORT
The LDAP server port for the AT-TLS environment to which the connection belongs. See z/OS Cryptographic Services System SSL Programming for details.
GSK_LDAP_USER
The distinguished name used when connecting to the LDAP server for the AT-TLS environment to which the connection belongs. See z/OS Cryptographic Services System SSL Programming for details.
GSK_LDAP_USER_PW
Indicates whether the AT-TLS environment to which the connection belongs uses a password when connecting to the LDAP server. See z/OS Cryptographic Services System SSL Programming for details.
GSK_SYSPLEX_SIDCACHE
Indicates whether sysplex session caching is enabled for the AT-TLS environment to which the connection belongs. See z/OS Cryptographic Services System SSL Programming for details.
GSK_V2_SESSION_TIMEOUT
The SSL version 2 session timeout for the AT-TLS environment to which the connection belongs. This is the number of seconds until a session identifier expires. See z/OS Cryptographic Services System SSL Programming for details.
GSK_V2_SIDCACHE_SIZE
The size of the SSL version 2 session identifier cache for an AT-TLS environment. See z/OS Cryptographic Services System SSL Programming for details.
GSK_V3_SESSION_TIMEOUT
The SSL version 3 or TLS version 1 session timeout for an AT-TLS environment. This is the number of seconds until a session identifier expires. See z/OS Cryptographic Services System SSL Programming for details.
GSK_V3_SIDCACHE_SIZE
The size of the SSL version 3 or TLS version 1 session identifier cache for an AT-TLS environment. See z/OS Cryptographic Services System SSL Programming for details.
HandshakeTimeout
The number of seconds that the connection waits for the initial handshake to complete. Valid values are in the range 0 – 600.

For connections with HandshakeRole set to Client, the timer is initially set to 5 times this value, allowing for network delay and any delay on the server in processing the connection. When the initial response is received from the server, the timer is reset to this value so that the initial handshake can complete.

For connections with HandshakeRole set to Server or ServerWithClientAuth, when the server starts to process the new connection, the timer is set to this value and the server then waits for the initial request from the client. When the server sends the initial response, the timer is reset to this value so that the initial handshake can complete.

If the timer expires, the TCP connection is reset. A value of 0 indicates that the connection does not time out waiting for the initial handshake to complete.

Result: For a particular connection the HandshakeTimeout value on the TTLSConnectionAction, if specified, overrides the HandshakeTimeout value on the TTLSEnvironmentAction.

HandshakeRole
The SSL handshake role for the connection. See the following possible values:
  • Client indicates that the handshake is to be performed as a client.
  • Server indicates that the handshake is to be performed as a server.
  • ServerWithClientAuth indicates that the handshake is to be performed as a server requiring client authentication.

Result: For a particular connection, the HandshakeRole value on the TTLSConnectionAction, if specified, overrides the HandshakeRole value on the TTLSEnvironmentAction statement.

JobName
When part of the ConnID section, the JobName value is the procedure name of the local application.

When part of the TTLSRule section, the JobName value is the job name condition that was specified in the policy rule that was mapped to the connection. If no JobName value is specified for a policy rule, all job names is the default. If specified, the connection must match this condition. A trailing asterisk indicates a wildcard specification.

Keyring
The path and file name of the key database z/OS UNIX file, z/OS® PKCS #11 token name, or the RACF® ring name for the AT-TLS environment to which the connection belongs.
KeyringPw
Indicates whether a z/OS UNIX file system key database password was configured for the AT-TLS environment to which the connection belongs.
KeyringStashFile
The path and file name of the z/OS UNIX file system key database password stash file for the AT-TLS environment to which the connection belongs.
LocalAddr
A single local IP address (or a range of local IP addresses when the range was configured using the format ipv4_addr/num_mask_bits or the format ipv6_addr/prefixLength) that is a condition specified in the policy rule that was mapped to the connection. If specified, the connection must match this condition.
  • If 0.0.0.0/0 is specified, this rule applies to all IPv4 addresses.
  • If ::/0 is specified, the rule applies to all IPv6 addresses.
  • If All is displayed, any address matches this condition.
LocalAddrFrom/LocalAddrTo
A range of local IP addresses, when the range was configured using a start and end address pair, that is a condition specified in the policy rule that was mapped to the connection. If neither LocalAddr nor LocalAddrFrom/LocalAddrTo is specified, all addresses is the default. If specified, the connection must match this condition.
LocalPort
A single local port that is a condition specified in the policy rule that was mapped to the connection. If specified, the connection must match this condition. If All is displayed, any port matches this condition.
LocalPortFrom/LocalPortTo
A range of local ports, configured using a start and end pair, that is a condition specified in the policy rule that was mapped to the connection. If neither LocalPort nor LocalPortFrom/LocalPortTo is specified, all ports is the default. If specified, the connection must match this condition.
LocalSocket
The local socket of the connection. See the Local Socket information Netstat report general concept for a detailed description.
MapType
The mapping method used to locate this policy. See the following possible values:
  • Primary indicates that this connection matched the rule conditions of the indicated policy rule.
  • Secondary indicates that this connection did not map to the policy through its own rule conditions. It was established by the same process, between the same two IP addresses, as an existing connection that mapped to this policy by the primary method, and that policy has SecondaryMap set On.
Priority
The priority associated with the policy rule that was mapped to the connection. A higher priority value indicates a higher priority rule. Priority can be used to differentiate between rules when a connection could match more than one of the configured rules. Valid values are in the range 1–255. The default value is 0.
RemoteAddr
A single remote IP address (or a range of remote IP addresses when the range was configured using the format ipv4_addr/num_mask_bits or the format ipv6_addr/prefixLength) that is a condition specified in the policy rule that was mapped to the connection. If specified, the connection must match this condition.
  • If 0.0.0.0/0 is specified, this rule applies to all IPv4 addresses.
  • If ::/0 is specified, the rule applies to all IPv6 addresses.
  • If All is displayed, any address matches this condition.
RemoteAddrFrom/RemoteAddrTo
A range of remote IP addresses, configured using a start and end address pair, that is a condition specified in the policy rule that was mapped to the connection. If neither RemoteAddr nor RemoteAddrFrom/RemoteAddrTo is specified, all addresses is the default. If specified, the connection must match this condition.
RemotePort
A single remote port that is a condition specified in the policy rule that was mapped to the connection. If specified, the connection must match this condition. If All is displayed, any port matches this condition.
RemotePortFrom/RemotePortTo
A range of remote ports, configured using a start and end pair, that is a condition specified in the policy rule that was mapped to the connection. If neither RemotePort nor RemotePortFrom/RemotePortTo is specified, all ports is the default. If specified, the connection must match this condition.
RemoteSocket
The remote socket of the connection. See the Foreign Socket information in Netstat report general concept for a detailed description.
Renegotiation
The type of the session key renegotiation that is allowed by server.
Default
Indicates that SSLv3 and TLS handshake renegotiation is disabled and RFC 5746 renegotiation is enabled.
Disable
Indicates that all renegotiation is disabled.
Abbreviated
Indicates that SSLv3 and TLS abbreviated handshake renegotiation only for the current session is allowed; SSLv3 and TLS full handshake renegotiation is disabled; and RFC 5746 renegotiation is allowed.
All
Indicates that all forms of renegotiation are allowed.
RenegotiationCertCheck
Indicates whether the peer's certificate is checked during renegotiation to prevent change to a different certificate.
RenegotiationIndicator
Indicates whether the partner must indicate the support for RFC 5746 renegotiation for initial handshake to proceed.
ResetCipherTimer
The number of minutes a secure connection can be active before a rehandshake is initiated by AT-TLS to establish a new session key for the connection. If not specified or specified as 0, cipher reset is not initiated by AT-TLS. Valid values are in the range 0 – 1440.

Result: For a particular connection the ResetCipherTimer value on the TTLSConnectionAction statement, if specified, overrides the ResetCipherTimer value on the TTLSEnvironmentAction statement.

SecLevel
The protocol version that is in use for the connection: SSL Version 2, SSL Version 3, TLS Version 1, TLS Version 1.1, or TLS Version 1.2.
SecondaryMap
Indicates whether the application establishes secondary connections using dynamic port numbers. If so, the primary connection maps to this policy using rule conditions. Subsequent connections established by the same process between the same two IP addresses that do not map to their own policy or map to a policy with a lower priority than the primary connection are considered secondary connections. Secondary connections use the same policy as the associated primary connection.
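As an added example, not IBM's implementation, the following Python model shows how the MapType, Priority, Direction, address, port, and JobName fields described on this page combine: primary mapping selects the highest-priority rule whose configured conditions all match, and SecondaryMap lets later connections by the same process between the same two IP addresses inherit the primary connection's policy when they match no rule or only a lower-priority one. The rules, process IDs, addresses, and ports are constructed; the ftp_serv_21 conditions follow the report example on this page, with its priority raised to 10 and a hypothetical catch-all rule added so that the lower-priority case is exercised. Tie-breaking among equal priorities and which primary is remembered when several exist are the model's own assumptions, not documented behaviour.

```python
"""Model of how a new connection is mapped to a TTLSRule: primary mapping by rule
conditions and priority, then secondary mapping through SecondaryMap."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Rule:
    name: str
    priority: int                      # a higher value is a higher-priority rule
    direction: str = "Both"            # Inbound, Outbound or Both
    local_addr: Optional[str] = None   # CIDR condition; None means All
    remote_addr: Optional[str] = None
    local_ports: List[Tuple[int, int]] = field(default_factory=list)   # (from, to); [] means All
    remote_ports: List[Tuple[int, int]] = field(default_factory=list)
    jobname: Optional[str] = None      # trailing '*' is a wildcard; None means all job names
    secondary_map: bool = False        # SecondaryMap On in the action the rule maps to

@dataclass(frozen=True)
class Conn:
    pid: int
    jobname: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    direction: str                     # Inbound (accepted) or Outbound (initiated locally)

def _addr(text):
    """IPv4-mapped IPv6 (::ffff:a.b.c.d, as the report displays it) compares as IPv4."""
    a = ipaddress.ip_address(text)
    return a.ipv4_mapped if a.version == 6 and a.ipv4_mapped else a

def _addr_ok(cidr, ip):
    return cidr is None or _addr(ip) in ipaddress.ip_network(cidr, strict=False)

def _port_ok(ranges, port):
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)

def _job_ok(pattern, jobname):
    if pattern is None:
        return True
    return jobname.startswith(pattern[:-1]) if pattern.endswith("*") else jobname == pattern

def rule_matches(rule, conn):
    """Every configured condition must hold; an unconfigured condition matches anything."""
    return (rule.direction in ("Both", conn.direction)
            and _addr_ok(rule.local_addr, conn.local_ip)
            and _addr_ok(rule.remote_addr, conn.remote_ip)
            and _port_ok(rule.local_ports, conn.local_port)
            and _port_ok(rule.remote_ports, conn.remote_port)
            and _job_ok(rule.jobname, conn.jobname))

class Mapper:
    def __init__(self, rules):
        self.rules = rules
        self.primaries = {}   # (pid, local ip, remote ip) -> rule of the first primary connection

    def map(self, conn):
        """Return (rule, MapType); MapType is Primary, Secondary, or None when no rule applies."""
        matches = [r for r in self.rules if rule_matches(r, conn)]
        own = max(matches, key=lambda r: r.priority, default=None)  # ties: first defined (assumption)
        key = (conn.pid, str(_addr(conn.local_ip)), str(_addr(conn.remote_ip)))
        primary = self.primaries.get(key)
        if primary and primary.secondary_map and (own is None or own.priority < primary.priority):
            return primary, "Secondary"        # same process, same address pair, weaker own match
        if own is None:
            return None, None                  # no rule: AT-TLS does not apply to the connection
        self.primaries.setdefault(key, own)    # first primary for this key is kept (assumption)
        return own, "Primary"

# Constructed policy: the page's ftp_serv_21 conditions with priority raised to 10 and
# SecondaryMap On, plus a hypothetical low-priority catch-all for inbound connections.
RULES = [
    Rule("default_inbound", priority=1, direction="Inbound"),
    Rule("ftp_serv_21", priority=10, direction="Inbound", jobname="FTPD*",
         local_ports=[(21, 21), (2021, 2021), (620, 621)], secondary_map=True),
]

def demo():
    """Map an FTP control connection, then its data connections, then unrelated traffic."""
    m = Mapper(RULES)
    conns = [
        Conn(42, "FTPD1", "::ffff:10.0.0.1", 21, "::ffff:10.0.0.5", 1030, "Inbound"),    # control
        Conn(42, "FTPD1", "::ffff:10.0.0.1", 50001, "::ffff:10.0.0.5", 1031, "Inbound"), # passive data
        Conn(42, "FTPD1", "10.0.0.1", 20, "10.0.0.5", 1032, "Outbound"),                 # active data
        Conn(99, "HTTPD", "10.0.0.1", 8080, "10.0.0.5", 1033, "Inbound"),                # other server
        Conn(42, "FTPD1", "10.0.0.1", 60000, "10.0.0.9", 1034, "Outbound"),              # other peer
    ]
    return [(rule.name if rule else None, kind) for rule, kind in (m.map(c) for c in conns)]
```

The order of calls matters: the control connection has to be mapped as Primary before the data connections can be Secondary, which is why a data connection that arrives before any control connection from that process and address pair would map on its own conditions instead. The 0.0.0.0/0 and ::/0 conventions from LocalAddr and RemoteAddr fall out of the ipaddress containment check: an IPv6 address is never contained in 0.0.0.0/0, while an IPv4-mapped address is normalised first so it matches IPv4 conditions the way the report's ::ffff: sockets suggest.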
ServerMaxSSLFragment
For TLSv1.0 and higher protocols, this field specifies the server level of support for client-specified SSL fragment size on the connection. See the following possible values:
  • Required indicates that maximum SSL fragment size support must be accepted by the client. Connections are closed if the client does not support the maximum SSL fragment size extension.
  • Optional indicates that maximum SSL fragment size support is used if the client supports the function, but connections to clients that do not support this extension are accepted.
  • Off indicates that maximum SSL fragment size support is not available; the TLS extension is not enabled. If the client requires SSL fragment size support, the client is unable to connect. This is the default value.

Result: For a particular connection, the ServerMaxSSLFragment value on the TTLSConnectionAction statement, if specified, overrides the ServerMaxSSLFragment value on the TTLSEnvironmentAction statement.

ServerHandshakeSNI
For TLSv1.0 and higher protocols, this field specifies the server level of support for client-specified server names on the connection handshake. See the following possible values:
  • Required indicates that client-specified server name support must be accepted by the client. Connections are closed if the client does not support the client-specified server name extension.
  • Optional indicates that client-specified server name support is used if the client supports the function, but connections to clients that do not support this extension are accepted.
  • Off indicates that client-specified server name support is not available; the TLS extension is not enabled. If the client requires client-specified server name support, the client is unable to connect. This is the default value.

Result: For a particular connection, the ServerHandshakeSNI value on the TTLSConnectionAction statement, if specified, overrides the ServerHandshakeSNI value on the TTLSEnvironmentAction statement.

ServerHandshakeSNIMatch
For SSL servers that are using TLSv1.0 or higher protocols that might negotiate server name indication, this field specifies the level at which the server requires the client-specified server name to match a server name in the list of names that is maintained by the TLS server. See the following possible values:
  • Required indicates that a server name in the list of server names that is provided by the TLS client must match a server name in the server name and certificate label list at the TLS server. The connection ends if no match can be found for the server name.
  • Optional indicates that connections are allowed to continue if no match is found for the server name. This is the default.

Result: For a particular connection, the ServerHandshakeSNIMatch value on the TTLSConnectionAction statement, if specified, overrides the ServerHandshakeSNIMatch value on the TTLSEnvironmentAction statement.

ServerHandshakeSNIList
For SSL servers that use TLSv1.0 or higher protocols that might negotiate server name indication, this field specifies the server name and certificate label pairs that the server uses when matching a name from the client.

Result: For a particular connection, the ServerHandshakeSNIList value on the TTLSConnectionAction statement, if specified, overrides the ServerHandshakeSNIList value on the TTLSEnvironmentAction statement.

SignaturePairs
The list of TLSv1.2 signature and hash algorithm pairs that the client sends to the server to indicate which pairs can be used in digital signatures of the server certificate. This field is ignored by servers that do not support TLSv1.2. Both the four-character value of the signature/hash algorithm and the constant of the signature/hash algorithm name are shown for each member of the list.
SSLV2
Indicates whether SSL version 2 protocol is acceptable for the connection.

Result: For a particular connection the SSLV2 value on the TTLSConnectionAction statement, if specified, overrides the SSLV2 value on the TTLSEnvironmentAction statement.

SSLV3
Indicates whether SSL version 3 protocol is acceptable for the connection.

Result: For a particular connection the SSLV3 value on the TTLSConnectionAction statement, if specified, overrides the SSLV3 value on the TTLSEnvironmentAction statement.

SuiteBProfile
Indicates whether a Suite B profile of cipher suites should be used.
SyslogFacility
The syslog facility name this group uses when writing records to syslogd.
TLSV1
Indicates whether TLS version 1.0 protocol is acceptable for the connection.

Result: For a particular connection, the TLSV1 value on the TTLSConnectionAction statement, if specified, overrides the TLSV1 value on the TTLSEnvironmentAction statement.

TLSV1.1
Indicates whether TLS version 1.1 protocol is acceptable for the connection.

Result: For a particular connection the TLSV1.1 value on the TTLSConnectionAction statement, if specified, overrides the TLSV1.1 value on the TTLSEnvironmentAction statement.

TLSV1.2
Indicates whether TLS version 1.2 protocol is acceptable for the connection.

Result: For a particular connection, the TLSV1.2 value on the TTLSConnectionAction statement, if specified, overrides the TLSV1.2 value on the TTLSEnvironmentAction statement.

TruncatedHMAC
Indicates whether clients and servers can negotiate the use of 80-bit truncated HMACs (message authentication codes). See the following possible values:
  • Required indicates that 80-bit truncated HMACs must be accepted by both endpoints.
  • Optional indicates that the use of 80-bit truncated HMACs is negotiated.
  • Off indicates that 80-bit truncated HMACs are not supported. This is the default.

Result: For a particular connection, the TruncatedHMAC value on the TTLSConnectionAction statement, if specified, overrides the TruncatedHMAC value on the TTLSEnvironmentAction statement.

TTLSConnAction
The name of the policy action used to specify attribute differences between what is required for the connection and what is specified for the AT-TLS environment to which the connection belongs. This name was configured to Policy Agent using the TTLSConnectionAction statement. The name is followed by (Stale) when the action is no longer available for use by new connections.
TTLSEnabled
Indicates whether AT-TLS services are used by the connection.
TTLSEnvAction
The name of the policy action used to specify attributes for the AT-TLS environment to which the connection belongs. This name was configured to Policy Agent using the TTLSEnvironmentAction statement. The name is followed by (Stale) when the action is no longer available for use by new connections.
TTLSGrpAction
The name of the policy action used to specify attributes for the AT-TLS group to which the connection belongs. This name was configured to Policy Agent using the TTLSGroupAction statement.
  • The name is followed by (Stale) when the action is no longer available for use by new connections.
  • The name is followed by (Failed) if the group failed to initialize properly or experienced an unrecoverable abend.
TTLSRule
The name of the policy rule, configured to Policy Agent using the TTLSRule statement, that was mapped to the connection. For connections that match a rule, the determination of whether to use AT-TLS for the connection and how AT-TLS attributes are set when AT-TLS is used are determined by the policy actions associated with the policy rule. The name is followed by (Stale) when the rule is no longer available for use by new connections.
Trace
The level of AT-TLS tracing for the connection.

Result: For a particular connection, the Trace value on the TTLSConnectionAction statement, if specified, overrides the Trace value on the TTLSEnvironmentAction statement, which in turn, if specified, overrides the Trace value on the TTLSGroupAction statement.

The level of tracing is a sum of the following numbers:

0
No tracing is enabled.
1
Error - Errors are traced to the TCP/IP job log.
2
Error - Errors are traced to syslogd. This is the default.
4
Info - Tracing of when a connection is mapped to an AT-TLS rule (and when a secure connection is successfully initiated) is enabled.
8
Event - Tracing of major events is enabled.
16
Flow - Tracing of system SSL calls is enabled.
32
Data - Tracing of encrypted negotiation is enabled. This traces the negotiation of secure sessions.
255
All tracing is enabled.
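The override chain and the additive Trace values above can be worked through in code. The following is an added example written for this page, not IBM code: it assumes three optional Trace settings (group, environment, connection) and the hypothetical helper names effective_trace, decode_trace and describe_trace; the bit values and the default of 2 are taken from the field description.

```python
# Added example, not IBM code: resolve the effective AT-TLS Trace level for a
# connection and decode the numeric value shown by Netstat TTLS into trace types.
from typing import Optional

# Trace bit values as listed in the report field description.
TRACE_BITS = (
    (1, "Error (TCP/IP job log)"),
    (2, "Error (syslogd)"),
    (4, "Info"),
    (8, "Event"),
    (16, "Flow"),
    (32, "Data"),
)
TRACE_ALL = 255
TRACE_DEFAULT = 2                                  # documented default: errors to syslogd
KNOWN_MASK = sum(bit for bit, _ in TRACE_BITS)     # 63: every bit with a listed meaning


def effective_trace(group: Optional[int], env: Optional[int],
                    conn: Optional[int]) -> int:
    """Return the Trace level that applies to a connection.

    Precedence follows the report description: a value on the
    TTLSConnectionAction overrides the TTLSEnvironmentAction, which in turn
    overrides the TTLSGroupAction. None means that statement left Trace unset,
    so an explicit 0 on the connection action really does disable tracing.
    """
    for level in (conn, env, group):
        if level is not None:
            return level
    return TRACE_DEFAULT


def decode_trace(level: int) -> list[str]:
    """Expand a Trace value (a sum of the listed numbers) into trace types."""
    if not 0 <= level <= 255:
        raise ValueError(f"Trace level out of range: {level}")
    if level == 0:
        return ["None"]
    if level == TRACE_ALL:
        return ["All"]
    enabled = [name for bit, name in TRACE_BITS if level & bit]
    leftover = level & ~KNOWN_MASK
    if leftover:
        # Bits 64 and 128 have no listed meaning; report them instead of dropping them.
        enabled.append(f"undocumented bits ({leftover})")
    return enabled


def describe_trace(group=None, env=None, conn=None) -> str:
    level = effective_trace(group, env, conn)
    return f"Trace={level}: " + ", ".join(decode_trace(level))


if __name__ == "__main__":
    # Group leaves the default 2, environment raises it to 6, connection is unset.
    print(describe_trace(group=2, env=6))             # Trace=6: Error (syslogd), Info
    print(describe_trace(group=2, env=6, conn=255))   # Trace=255: All
```

Values such as 6 or 14 in a Netstat TTLS CONN DETAIL report decode to the individual trace types this way; the resolver makes explicit that an unset attribute on a lower-level action falls through to the next level, while a set one, even 0, wins.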
UserID
The application user ID condition specified in the policy rule that was mapped to the connection. A trailing asterisk indicates a wildcard specification. If not specified, the default is all user IDs. If specified, the connection must match this condition.
V2CipherSuites
The SSL version 2 cipher suite list (also known as cipher specifications), in order of preference, to be used for the connection. See gsk_environment_open() in z/OS Cryptographic Services System SSL Programming for a list of valid cipher specifications.

Result: For a particular connection the V2CipherSuites value on the TTLSConnectionAction statement, if specified, overrides the V2CipherSuites value on the TTLSEnvironmentAction statement.

V3CipherSuites
The SSL version 3 or TLS version 1 cipher suite list (also known as cipher specifications), in order of preference, to be used for the connection. Both the four-character value of the cipher and the constant of the cipher name are shown for each member of the list. See gsk_environment_open() in z/OS Cryptographic Services System SSL Programming for a list of valid cipher specifications.

Result: For a particular connection, the V3CipherSuites value on the TTLSConnectionAction statement, if specified, overrides the V3CipherSuites value on the TTLSEnvironmentAction statement.

Result: A field in a policy rule or policy action is displayed only when a value was configured for that attribute or when the attribute has a default value. Fields that were left undefined and have no default value are not displayed.

Group report examples

NETSTAT TTLS GROUP

MVS TCP/IP NETSTAT CS V2R1       TCPIP Name: TCPCS           12:55:20
TTLSGrpAction                             Group ID           Conns
----------------------------------------  -----------------  -----
TTLSGrpAction15 (Stale)                   00000004              25
TTLSGrpAction5                            00000007 (Failed)      0

NETSTAT TTLS GROUP DETAIL

MVS TCP/IP NETSTAT CS V2R1      TCPIP Name: TCPCS           12:55:20
TTLSGrpAction:   TTLSGrpAction15 (Stale)
  GroupID:         00000004
  Tasks:           10                   GroupConns:      25
  WorkQElements:   7                    SyslogQElements: 1
    Env: TTLSEnvAction9                            EnvConns: 25
TTLSGrpAction:   TTLSGrpAction5
  GroupID:         00000007 (Failed)
  Tasks:           0                    GroupConns:      0
  WorkQElements:   0                    SyslogQElements: 0

Report field descriptions

EnvConns
The number of connections currently created within the AT-TLS environment.
GroupConns
The number of connections currently created within the AT-TLS group.
GroupID
A value generated by AT-TLS that uniquely identifies a group of AT-TLS language environments (an AT-TLS group) in a TCP/IP stack.
SyslogQElements
The number of AT-TLS tracing work elements waiting to be processed in the group.
Tasks
The number of MVS™ tasks currently allocated to support the AT-TLS work in the group.
Env
The name of a policy action used to specify attributes for an AT-TLS environment. This name was configured to Policy Agent using the TTLSEnvironmentAction statement. The name is followed by (Stale) when the action is no longer available for use by new connections.
TTLSGrpAction
The name of a policy action used to specify attributes for a group of AT-TLS environments. This name was configured to Policy Agent using the TTLSGroupAction statement. The name is followed by (Stale) when the action is no longer available for use by new connections.
WorkQElements
The number of work elements waiting to be processed in the group.
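The group report and its field descriptions are enough to build a small monitor that turns the text output into records and surfaces the (Stale) and (Failed) markers. The following is an added example written for this page, not IBM code or a z/OS tool: the sample text is constructed from the report examples above, and the parser names (parse_group_summary, parse_group_detail, group_findings) and record types are assumptions of this example.

```python
# Added example, not IBM code: parse the NETSTAT TTLS GROUP and GROUP DETAIL
# reports (z/OS UNIX: netstat -x) and flag groups marked (Stale) or (Failed).
import re
from dataclasses import dataclass, field

# Constructed sample output, taken from the report examples on this page.
SAMPLE_SUMMARY = """\
MVS TCP/IP NETSTAT CS V2R1       TCPIP Name: TCPCS           12:55:20
TTLSGrpAction                             Group ID           Conns
----------------------------------------  -----------------  -----
TTLSGrpAction15 (Stale)                   00000004              25
TTLSGrpAction5                            00000007 (Failed)      0
"""

SAMPLE_DETAIL = """\
MVS TCP/IP NETSTAT CS V2R1      TCPIP Name: TCPCS           12:55:20
TTLSGrpAction:   TTLSGrpAction15 (Stale)
  GroupID:         00000004
  Tasks:           10                   GroupConns:      25
  WorkQElements:   7                    SyslogQElements: 1
    Env: TTLSEnvAction9                            EnvConns: 25
TTLSGrpAction:   TTLSGrpAction5
  GroupID:         00000007 (Failed)
  Tasks:           0                    GroupConns:      0
  WorkQElements:   0                    SyslogQElements: 0
"""

# One summary row: action name, optional (Stale), 8-hex-digit group ID,
# optional (Failed), connection count. Title, header and dash lines do not match.
SUMMARY_RE = re.compile(
    r"^(?P<action>\S+)(?:\s+\((?P<stale>Stale)\))?\s+"
    r"(?P<gid>[0-9A-F]{8})(?:\s+\((?P<failed>Failed)\))?\s+(?P<conns>\d+)$"
)
# "Key:  value [(Stale|Failed)]" pairs; a detail line may carry two of them.
KV_RE = re.compile(r"(\w+):\s+(\S+)(?:\s+\((Stale|Failed)\))?")


@dataclass
class GroupRow:
    action: str
    group_id: str
    conns: int
    stale: bool
    failed: bool


@dataclass
class GroupDetail:
    action: str
    stale: bool = False
    group_id: str = ""
    failed: bool = False
    tasks: int = 0
    group_conns: int = 0
    work_q: int = 0
    syslog_q: int = 0
    envs: list = field(default_factory=list)   # [env name, env stale, EnvConns]


def parse_group_summary(text: str) -> list[GroupRow]:
    rows = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            rows.append(GroupRow(m["action"], m["gid"], int(m["conns"]),
                                 m["stale"] is not None, m["failed"] is not None))
    return rows


def parse_group_detail(text: str) -> list[GroupDetail]:
    groups: list[GroupDetail] = []
    for line in text.splitlines():
        for key, value, flag in KV_RE.findall(line):
            if key == "TTLSGrpAction":            # each group starts a new record
                groups.append(GroupDetail(value, stale=(flag == "Stale")))
                continue
            if not groups:                        # e.g. "TCPIP Name:" on the title line
                continue
            g = groups[-1]
            if key == "GroupID":
                g.group_id, g.failed = value, (flag == "Failed")
            elif key == "Tasks":
                g.tasks = int(value)
            elif key == "GroupConns":
                g.group_conns = int(value)
            elif key == "WorkQElements":
                g.work_q = int(value)
            elif key == "SyslogQElements":
                g.syslog_q = int(value)
            elif key == "Env":
                g.envs.append([value, flag == "Stale", 0])
            elif key == "EnvConns" and g.envs:    # EnvConns follows Env on the same line
                g.envs[-1][2] = int(value)
    return groups


def group_findings(rows: list[GroupRow]) -> list[str]:
    """Conditions an operator would want surfaced from the summary report."""
    findings = []
    for r in rows:
        if r.failed:
            findings.append(f"{r.action}: group {r.group_id} failed to initialize "
                            "or had an unrecoverable abend")
        if r.stale and r.conns:
            findings.append(f"{r.action}: stale action still has {r.conns} "
                            "connection(s); the group persists until they close")
    return findings


if __name__ == "__main__":
    for finding in group_findings(parse_group_summary(SAMPLE_SUMMARY)):
        print(finding)
```

The detail parser keys on the "Key:" labels rather than column positions, so it tolerates the variable spacing between columns; the summary regex requires the eight-hex-digit GroupID, which is what keeps the title, header and dash lines out of the results.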