Diagnose AT-TLS problems.

Perform the following steps:

1. Issue pasearch -t to see all AT-TLS policies that are active in Policy Agent. See z/OS Communications Server: IP System Administrator's Commands for more information about the pasearch -t command. If you are running multiple stacks, ensure that pasearch is reporting on the stack you are interested in. If you do not see the AT-TLS policies that you expected, see z/OS Communications Server: IP System Administrator's Commands for more information about displaying policy based networking information.
2. Issue Netstat TTLS COnn connid or Netstat -x COnn connid to determine whether the stack mapped a connection to AT-TLS policy and, if so, to which policy it was mapped. For more information about the netstat commands, see z/OS Communications Server: IP System Administrator's Commands. Ensure that your AT-TLS policies are correctly defined. See the AT-TLS information in z/OS Communications Server: IP Configuration Guide and the AT-TLS Policy statements in z/OS Communications Server: IP Configuration Reference for more information about configuring AT-TLS policies.
3. In cases where AT-TLS connections do not map to any policy, verify that TCPCONFIG TTLS has been specified. Netstat configuration shows the current setting of AT-TLS.
   AT-TLS connection mapping is performed based on the following attributes:

   • Local IP Address
   • Remote IP address
   • Local Port
   • Remote Port
   • Direction
   • Job name
   • User ID

   The AT-TLS policy rules are searched, starting with the highest priority rules, for the first match.

   Then the internal SecondaryMap table is searched by process ID and the two IP addresses used on the connection. The SecondaryMap table contains entries for active connections that are mapped by the AT-TLS policy rule to a policy with the SecondaryMap attribute specified as On. If entries are found using both methods, the one found by the AT-TLS policy rule is used unless the one found by the SecondaryMap value has a higher priority.

   If a TCP connection is not matching the expected rule, do one of the following:

   • Ensure that the AT-TLS policies are active and that no errors occurred. Message EZZ8438I is issued if Policy Agent encountered any errors while processing the AT-TLS policy. If errors occurred, review the Policy Agent logs for details on the error and correct the AT-TLS policy. You can use OBJERR to search the Policy Agent logs to find the errors.
   • Verify the rule and actions that the policy mapped to and the priority of the rule. You can use the pasearch command can be used to view the active AT-TLS policy. AT-TLS message EZD1281I is issued with all the parameters used to map to the AT-TLS policy, if trace level 4 is on.
4. If an error message was issued by AT-TLS, review the syslogd files for message EZD1286I or the TCP/IP joblog for message EZD1287I. The error message might provide information about correcting the problem.
5. If the error is recreatable, turn on an AT-TLS trace for the connection. Turn on the trace by coding a TTLSRule specific to the failing connection. Include a TTLSConnectionAction statement that has the Trace statement set to 255 (All). If configuring using the IBM® Configuration Assistant for z/OS® Communications Server, the trace level can be set in each Connectivity Rule.
6. If the problem cannot be resolved from the trace, perform a packet trace or a CTRACE with option TCP to provide additional debugging information and contact IBM service.