This is what I have for our CICS AT-TLS policy. I have one inbound rule:
TTLSRule xxxx_Listener_MAL1
{
LocalPortRange xxxx # CICS listener port
Direction Inbound # Direction
Priority 1 # Base Priority
TTLSGroupActionRef grp_StartUp
TTLSEnvironmentActionRef xxxx_Listener_Env
}
#============
TTLSEnvironmentAction xxxx_Listener_Env
{
HandshakeRole Server
TTLSKeyringParms
{
Keyring xxx_TEST_KEYRING
}
TTLSCipherParmsRef Test_In_Cipher_list
TTLSEnvironmentAdvancedParms
{
# ApplicationControlled On # <<<<====
SSLv2 Off
SSLv3 Off
TLSv1 Off
TLSv1.1 On # <<<<====
TLSv1.2 On # <<<<====
HandshakeTimeout 5
}
} # closes TTLSEnvironmentAction xxxx_Listener_Env
Hope this helps
Shelia Chalk
-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of
ITschak Mugzach
Sent: Monday, October 31, 2022 3:40 AM
To: [email protected]
Subject: Re: CICS client transaction and AT-TLS
When we start a transaction on port 9443, PAGENT (z/OS 2.2) immediately returns
the following message:
15.57.58 STC02568 BPXF024I (TCPIP) Oct 18 13:57:58 TTLS›50397229®: 15:57:58 TC
846 EZD1283I TTLS Event GRPID: 00000001 ENVID: 00000001 CONNID:
846 RC: 5006 Initial Handshake 0000000000000000 0000000000000000
846 0000000000000000 00000000Ö
Wireshark shows that a packet arrived at the target, but without response from
the server. There is no inbound rule, only outbound. Should we have an inbound
one? I also suspect that the problem is with the TLS level.
There is only one rule in PAGENT for port 9443:
###################################################################
# xxxxxxxxx TCPIP Pagent Configuration File #
# #
# #
# Prepared by Itschak Mugzach, Securiteam Software Ltd, Israel #
# #
###################################################################
#
TTLSGroupAction grp_Production
{
TTLSEnabled On # Enable HTTPS
Trace 30 # Log Errors to syslogd
}
#
# ---------------------------------------------------------- #
# Enable AT-TLS for CICS Transaction on port 9443 #
#----------------------------------------------------------- #
#
TTLSRule xxxxxxxxx_Api_Caller
{
RemotePortRange 9443 # Server secure port
Direction Outbound
TTLSGroupActionRef grp_Production
TTLSEnvironmentActionRef xxxxxxxxx_Api_Caller_Env
}
#
# ---------------------------------------------------------- #
# Set the keyring #
#----------------------------------------------------------- #
#
TTLSEnvironmentAction xxxxxxxxx_Api_Caller_Env {
HandshakeRole Client
TTLSEnvironmentAdvancedParmsRef Secure_API_Caller_Env
TTLSKeyRingParms
{
Keyring CICSR.CICSRKEYRING
}
TTLSCipherParmsRef RequireEncryption
}
#
# ---------------------------------------------------------- #
# Set of TLS Ciphers with Encryption #
#----------------------------------------------------------- # #
TTLSCipherParms RequireEncryption {
V3CipherSuites4Char 003500380039002F00320033003D003CC02FC030CCA8
}
# ---------------------------------------------------------- #
# Set TLS supported levels #
#----------------------------------------------------------- #
TTLSEnvironmentAdvancedParms Secure_API_Caller_Env {
SSLv2 Off
SSLv3 Off
TLSv1 Off
TLSV1.1 Off
TLSV1.2 On
TLSV1.3 Off
ClientHandshakeSNI Optional
ClientHandshakeSNIMatch Optional
# ClientHandshakeSNIList xxxxxxxxx ?
}
ITschak Mugzach
| IronSphere Platform | Information Security Continuous Monitoring for
z/OS, x/Linux & IBM i | z/VM coming soon
On Fri, Oct 14, 2022 at 9:53 AM ITschak Mugzach <[email protected]> wrote:
> We have a CICS transaction that opens a socket (EZASOCKET) on port
> 9443 to an external server.
> We copied the default PAGENT configuration for AT-TLS and modified it
> as below. However, TCPIP (that starts that PAGENT task claims
> "EZZ4249I TCPIP INSTALLED TTLS POLICY HAS NO RULES"
>
> We wanted 943 to be encrypted by the CICSR userid certificate placed
> on ring CICSRKEYRING.
>
> What is wrong with the below definitions (*and the others copied from
> the sample directory)?
>
>
> TTLSRule Our_Outbound_Application
> {
> Userid CICSR
> RemotePortRange 9443
> Direction Outbound
> TTLSGroupActionRef grp_Production
> TTLSKeyRingParms
> {
> Keyring CICSRKEYRING
> }
> TTLSConnectionActionRef grp_Production # TTLSEnvironmentActionRef Generic_Client_App
> }
>
>
> ITschak Mugzach
> | IronSphere Platform | Information Security Continuous
> Monitoring for z/OS, x/Linux & IBM i | z/VM coming soon
>
>
>
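As an added example (not code from either poster), a small Python checker for AT-TLS policy fragments like the ones quoted in this thread: it parses flat `Type Name { key value }` blocks, decodes the V3CipherSuites4Char list from RequireEncryption into IANA suite names, and reports deprecated protocol versions and suites that use static RSA key exchange (no forward secrecy). The POLICY text is a constructed excerpt of the thread's fragments, and the parser assumes blocks are not nested.

```python
import re
# Constructed excerpt of the AT-TLS fragments quoted in this thread (9443 client rule).
POLICY = """
TTLSCipherParms RequireEncryption {
  V3CipherSuites4Char 003500380039002F00320033003D003CC02FC030CCA8
}
TTLSEnvironmentAdvancedParms Secure_API_Caller_Env {
  TLSv1 Off
  TLSV1.1 Off
  TLSV1.2 On   # mixed-case keys as in the thread; the parser upper-cases them
  TLSV1.3 Off
}
"""
# IANA cipher suite names for the 4-hex-digit codes that appear in the thread.
CIPHERS = {
    "0035": "TLS_RSA_WITH_AES_256_CBC_SHA", "0038": "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "0039": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "002F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "0032": "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "0033": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "003D": "TLS_RSA_WITH_AES_256_CBC_SHA256", "003C": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "C02F": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "C030": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "CCA8": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}
def parse_blocks(text):
    """Map (type, name) -> {KEY: value} for each flat 'Type Name { key value ... }' block."""
    blocks = {}
    for m in re.finditer(r"(\w+)\s+(\S+)\s*\{([^{}]*)\}", text):
        body = {}
        for line in m.group(3).splitlines():
            parts = line.split("#", 1)[0].split(None, 1)  # drop comment, split key/value
            if parts:
                body[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
        blocks[(m.group(1), m.group(2))] = body
    return blocks
def decode_ciphers(hex4):
    """Split a V3CipherSuites4Char value into 4-hex-digit codes and name them."""
    return [(c, CIPHERS.get(c, "unknown")) for c in (hex4[i:i + 4].upper() for i in range(0, len(hex4), 4))]
def review(text):
    """Findings: deprecated protocol On, no TLS 1.2/1.3, unknown or non-PFS suites."""
    findings = []
    for (btype, name), body in parse_blocks(text).items():
        if btype == "TTLSEnvironmentAdvancedParms":
            on = {k for k, v in body.items() if k.startswith(("SSL", "TLS")) and v.upper() == "ON"}
            findings += [f"{name}: deprecated {p} is On" for p in sorted(on - {"TLSV1.2", "TLSV1.3"})]
            if not on & {"TLSV1.2", "TLSV1.3"}:
                findings.append(f"{name}: neither TLSv1.2 nor TLSv1.3 is On")
        elif btype == "TTLSCipherParms":
            for code, cname in decode_ciphers(body.get("V3CIPHERSUITES4CHAR", "")):
                if cname == "unknown" or cname.startswith("TLS_RSA_WITH_"):  # static RSA kx
                    findings.append(f"{name}: {code} {cname} (unknown or no forward secrecy)")
    return findings
```

Run `review(POLICY)` against the thread's list: the four TLS_RSA_* suites are reported while the DHE and ECDHE ones pass, and only TLS 1.2 is enabled.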
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to
[email protected] with the message: INFO IBM-MAIN
----------------------------------------------------------------------