When we start a transaction on port 9443, PAGENT (z/OS 2.2) immediately
returns the following message:
15.57.58 STC02568 BPXF024I (TCPIP) Oct 18 13:57:58 TTLS[50397229]: 15:57:58 TC
846 EZD1283I TTLS Event GRPID: 00000001 ENVID: 00000001 CONNID:
846 RC: 5006 Initial Handshake 0000000000000000 0000000000000000
846 0000000000000000 00000000
Wireshark shows that a packet arrived at the target, but without a response
from the server. There is no inbound rule, only an outbound one. Should we have
an inbound one? I also suspect that the problem is with the TLS level.
There is only one rule in PAGENT for port 9443:
###################################################################
# xxxxxxxxx TCPIP Pagent Configuration File #
# #
# #
# Prepared by Itschak Mugzach, Securiteam Software Ltd, Israel #
# #
###################################################################
#
TTLSGroupAction grp_Production
{
TTLSEnabled On # Enable HTTPS
Trace 30 # Log Errors to syslogd
}
#
# ---------------------------------------------------------- #
# Enable AT-TLS for CICS Transaction on port 9443 #
#----------------------------------------------------------- #
#
TTLSRule xxxxxxxxx_Api_Caller
{
RemotePortRange 9443 # Server secure port
Direction Outbound
TTLSGroupActionRef grp_Production
TTLSEnvironmentActionRef xxxxxxxxx_Api_Caller_Env
}
#
# ---------------------------------------------------------- #
# Set the keyring #
#----------------------------------------------------------- #
#
TTLSEnvironmentAction xxxxxxxxx_Api_Caller_Env
{
HandshakeRole Client
TTLSEnvironmentAdvancedParmsRef Secure_API_Caller_Env
TTLSKeyRingParms
{
Keyring CICSR.CICSRKEYRING
}
TTLSCipherParmsRef RequireEncryption
}
#
# ---------------------------------------------------------- #
# Set of TLS Ciphers with Encryption #
#----------------------------------------------------------- #
#
TTLSCipherParms RequireEncryption
{
V3CipherSuites4Char 003500380039002F00320033003D003CC02FC030CCA8
}
# ---------------------------------------------------------- #
# Set TLS supported levels #
#----------------------------------------------------------- #
TTLSEnvironmentAdvancedParms Secure_API_Caller_Env
{
SSLv2 Off
SSLv3 Off
TLSv1 Off
TLSV1.1 Off
TLSV1.2 On
TLSV1.3 Off
ClientHandshakeSNI Optional
ClientHandshakeSNIMatch Optional
# ClientHandshakeSNIList xxxxxxxxx ?
}
ITschak Mugzach
| IronSphere Platform | Information Security Continuous Monitoring
for z/OS, x/Linux & IBM i | z/VM coming soon
On Fri, Oct 14, 2022 at 9:53 AM ITschak Mugzach <[email protected]> wrote:
> We have a CICS transaction that opens a socket (EZASOCKET) on port 9443 to
> an external server.
> We copied the default PAGENT configuration for AT-TLS and modified it as
> below. However, TCPIP (that starts the PAGENT task) claims "EZZ4249I
> TCPIP INSTALLED TTLS POLICY HAS NO RULES".
>
> We wanted 943 to be encrypted by the CICSR userid certificate placed on
> ring CICSRKEYRING.
>
> What is wrong with the below definitions (*and the others copied from the
> sample directory)?
>
>
> TTLSRule Our_Outbound_Application
> {
> Userid CICSR
> RemotePortRange 9443
> Direction Outbound
> TTLSGroupActionRef grp_Production
> TTLSKeyRingParms
> {
> Keyring CICSRKEYRING
> }
> TTLSConnectionActionRef grp_Production
> #TTLSEnvironmentActionRef Generic_Client_App
> }
>
>
> ITschak Mugzach
> | IronSphere Platform | Information Security Continuous Monitoring
> for z/OS, x/Linux & IBM i | z/VM coming soon
>
>
>
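When reviewing an AT-TLS policy like the one posted above, it helps to decode the V3CipherSuites4Char string and cross-check it against the TLSvX.Y switches in TTLSEnvironmentAdvancedParms. The following is an added example, not code from the poster or from IBM; the cipher-suite table is a constructed subset of the IANA registry and the protocol map is passed in by the caller.

```python
# Added example: decode an AT-TLS V3CipherSuites4Char value and flag suites
# that cannot work with the enabled TLS levels or that weaken the policy.
import re

# Constructed subset of the IANA TLS cipher-suite registry: the suites in
# the posted policy plus two TLS 1.3 suites so the version check has data.
SUITES = {
    "0035": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "0038": "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "0039": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "002F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "0032": "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "0033": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "003D": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "003C": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "C02F": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "C030": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "CCA8": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "1301": "TLS_AES_128_GCM_SHA256",
    "1302": "TLS_AES_256_GCM_SHA384",
}

def parse_4char(value):
    """Split a V3CipherSuites4Char value into 4-hex-digit suite ids."""
    value = value.strip().upper()
    if len(value) % 4 or not re.fullmatch(r"[0-9A-F]+", value):
        raise ValueError("V3CipherSuites4Char must be a run of 4-hex-digit ids")
    return [value[i:i + 4] for i in range(0, len(value), 4)]

def audit(value, protocols):
    """Return (decoded, findings); protocols maps 'TLSv1.2' etc. to On/Off."""
    pre13_on = any(protocols.get(p) for p in ("TLSv1", "TLSv1.1", "TLSv1.2"))
    decoded, findings = [], []
    for sid in parse_4char(value):
        name = SUITES.get(sid, "UNKNOWN")
        decoded.append((sid, name))
        if name == "UNKNOWN":
            findings.append(f"{sid}: not in local table, check the IANA registry")
            continue
        # 0x13xx suites exist only in TLS 1.3; all others need a pre-1.3 level.
        if sid.startswith("13") and not protocols.get("TLSv1.3"):
            findings.append(f"{sid} {name}: TLS 1.3 suite but TLSv1.3 is Off")
        elif not sid.startswith("13") and not pre13_on:
            findings.append(f"{sid} {name}: needs TLSv1.2 or lower, none is On")
        if name.startswith("TLS_RSA_WITH"):
            findings.append(f"{sid} {name}: RSA key exchange, no forward secrecy")
        if "_CBC_" in name:
            findings.append(f"{sid} {name}: CBC mode, prefer GCM or ChaCha20")
    return decoded, findings
```

Running audit() on the posted string with only TLSv1.2 On shows that every listed suite is usable at that level, and that eight of the eleven are CBC suites and four use plain RSA key exchange.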
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN