This topic contains information about the following AT-TLS
policy statements:
Consider the following guidelines when using the AT-TLS
policy statements.
Guidelines:
- While configuring AT-TLS policy, see z/OS Cryptographic Services System SSL Programming for a detailed description of each of the
System SSL attributes that are being configured using the AT-TLS policy
statements (System SSL attributes are those that begin with GSK).
See the information describing the gsk_attribute_set_buffer API,
the gsk_attribute_set_enum API, and the gsk_attribute_set_numeric_value
API descriptions of how each attribute is used by System SSL, as well
as the meaning of available attribute settings and default attribute
settings.
- AT-TLS requires a valid z/OS® UNIX key database, SAF key ring,
or z/OS PKCS #11 token. For
more information about AT-TLS configuration,
see z/OS Communications Server: IP Configuration
Guide.
- AT-TLS can be configured to write trace data to syslogd. AT-TLS
writes messages to syslogd using the daemon or auth facility. See Syslog daemon for more information about configuring
syslogd.
- If System SSL needs to access ICSF, ICSF must be started before
you start the Policy Agent. For information about using hardware Cryptographic
Features with System SSL, see z/OS Cryptographic Services System SSL Programming.
Note the following results when using the AT-TLS policy
statements.
Results:
- When an IpAddrGroup statement contains non-continuous ranges of
IP addresses, or a PortGroup statement contains non-continuous ranges
of port numbers, Policy Agent cannot merge these conditions into a
single condition. The group's ranges are displayed by pasearch, as
configured, with the summary condition for each of these respective
attributes equal to the lowest from value in the group to the
highest to value in the group. If an IP address of value 0.0.0.0
exists in an IpAddrGroup statement, the summary condition for this
attribute is set to All. If a Port of value 0 exists in a
PortGroup statement, the summary condition for this attribute is set
to the range 0-0. When an IpAddrGroup statement contains a
mixture of IPv4 and IPv6 addresses, a summary condition cannot be
created. The group's ranges are displayed by pasearch, as configured,
with a summary condition for this attribute of All.
- For optional parameters that have default values and are not specified,
pasearch displays the default value.
- For optional parameters that do not have default values and are
not specified, pasearch does not display the parameter.
- If an optional parameter is not specified for a GSK statement,
System SSL uses its default value.
- For parameters that can be specified in multiple action types,
the value used by a connection is determined by the following hierarchical
rule set:
  - If the parameter is specified in the TTLSConnectionAction statement,
  that is the value used.
  - If the parameter is specified in the TTLSEnvironmentAction statement,
  that is the value used.
  - If the parameter is specified in the TTLSGroupAction statement,
  that is the value used.
  - If a default value is defined, that is the value used.
  - Otherwise, no value is used by AT-TLS and no parameter is explicitly passed
  to System SSL.
- Each AT-TLS action has a user instance variable (GroupUserInstance,
EnvironmentUserInstance, and ConnectionUserInstance). These parameters
can be used to cause Policy Agent to refresh a specific action, when
using the -i startup option or when a refresh
interval is coded.
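The two rules above that a policy reviewer most often has to reason about are the pasearch summary condition for IpAddrGroup and PortGroup statements and the action-type precedence for parameters allowed in several action types. The following is an added Python illustration of both rules, not code from z/OS Communications Server; the DEFAULTS table and the HandshakeRole example values are assumptions for illustration, and the summary condition is only what pasearch displays, since the configured ranges still apply as written.

```python
import ipaddress

# Constructed default table (illustration only); the real defaults live in
# the AT-TLS policy statement reference, not on this page.
DEFAULTS = {"HandshakeRole": "Client"}

def resolve_parameter(name, connection=None, environment=None, group=None,
                      defaults=DEFAULTS):
    """Hierarchical rule for a parameter allowed in several action types:
    TTLSConnectionAction, then TTLSEnvironmentAction, then TTLSGroupAction,
    then a defined default. None means AT-TLS passes nothing to System SSL."""
    for action in (connection, environment, group):
        if action is not None and name in action:
            return action[name]
    return defaults.get(name)

def _ip_bounds(entry):
    """Return (version, low, high) as ints for 'addr', 'addr/prefix' or 'a-b'."""
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return lo.version, int(lo), int(hi)
    net = ipaddress.ip_network(entry.strip(), strict=False)
    return net.version, int(net.network_address), int(net.broadcast_address)

def summarize_ip_group(entries):
    """Summary condition pasearch shows for an IpAddrGroup: All when 0.0.0.0 is
    present or IPv4 and IPv6 are mixed, else lowest from value to highest to value."""
    bounds = [_ip_bounds(e) for e in entries]
    versions = {v for v, _, _ in bounds}
    if len(versions) > 1 or "0.0.0.0" in [e.strip() for e in entries]:
        return "All"
    addr = ipaddress.IPv4Address if versions == {4} else ipaddress.IPv6Address
    low = min(lo for _, lo, _ in bounds)
    high = max(hi for _, _, hi in bounds)
    return f"{addr(low)}-{addr(high)}"

def summarize_port_group(entries):
    """Summary condition pasearch shows for a PortGroup: 0-0 when a port of 0
    is present, else lowest from value to highest to value."""
    ranges = []
    for e in entries:
        lo, _, hi = e.strip().partition("-")
        ranges.append((int(lo), int(hi or lo)))
    if any(lo == 0 for lo, _ in ranges):
        return "0-0"
    return f"{min(lo for lo, _ in ranges)}-{max(hi for _, hi in ranges)}"
```

Note that a non-contiguous group such as 10.1.1.5-10.1.1.9 plus 192.168.0.0/24 is summarised as 10.1.1.5-192.168.0.255, so the displayed summary is wider than the rule actually matches.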
Tip: For an example of AT-TLS policy definitions,
see /usr/lpp/tcpip/samples/pagent_TTLS.conf.