I found it hard to understand the output of the AT-TLS command pasearch,
and I find it hard to configure AT-TLS manually (and worse with z/OSMF).

I was wondering if this is a common problem.

I've written a small amount of Python which takes the output of pasearch
and produces a summary, for example:
=========CPJES2OUT====================
policyRule           : DEFAULTRULE          CPJES2OUT
Weight               :                      5
ForLoadDist          :                      5
Priority:            :                      5
Sequence Actions     :                      5
policyAction         : DEFAULTTNGA          AZFConnAction1
ActionType           : TTLS Group           TTLS Connection
FromAddr             : All                  10.1.0.2
ToAddr               : All                  10.1.0.2
LocalPortFrom        : 9999                 0
LocalPortTo          : 9999                 0
RemotePortFrom       : 0                    2175
RemotePortTo         : 0                    2175
ServiceDirection     : Both                 Outbound
TTLS Action          : DEFAULTTNGA          AZFConnAction1
Scope                : Group                Connection
Trace                : 2                    255
HandshakeRole        : ServerWithClientAuth Client
TLSv1                : Off                  On

Here all the common stuff is omitted, and it only shows the delta changes.

Would people find this useful? If so, please can people send me their
pasearch output for me to test with - and I'll send them the Python code.

I also see it would not be too difficult to specify configuration in YAML
and have some Python to generate the AT-TLS definitions automatically.
This would hide all of the internal definitions such
as TTLSSignatureParmsRef.
For example:
rule :
  name : temp2
  basedon : default
  LocalPortFrom : 2252
  LocalPortTo : 2252
  ServiceDirection : Inbound
  HandshakeRole : Server
---
rule :
  name : myName
  basedon : default2
  LocalPortRange : 8000
  # remove 2 cipher specs and add a new one to the default configuration
  V3CipherSuites :
    -TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    -TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

Would this be of interest?

If this would be useful to you, please contact me offline.

Colin
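An added sketch of the two ideas in the post (this is example code, not Colin's script): summarise_delta() keeps only the attributes whose values differ between entries, which is what makes a rule that turns TLSv1 on or switches HandshakeRole stand out, and resolve_rule() expands a rule that is "basedon" another one, applying the "-"/"+" cipher-suite edits. The attribute names follow the pasearch summary quoted above; the dict layout, the "basedon" key and the "+x"/"-x" list convention are this example's assumptions, not real pasearch or AT-TLS syntax, and the sample data is constructed.

```python
# Added example (not Colin's script): both ideas from the post on constructed data;
# the dict layout, "basedon" and the "+x"/"-x" list edits are assumptions, not AT-TLS syntax.
def summarise_delta(entries):
    """{name: {attr: value}} -> {attr: {name: value}} for attrs that differ between entries."""
    attrs = sorted({a for e in entries.values() for a in e})
    delta = {}
    for attr in attrs:
        values = {n: e.get(attr, "") for n, e in entries.items()}
        if len(set(values.values())) > 1:  # common stuff is omitted
            delta[attr] = values
    return delta

def resolve_rule(rule, catalogue):
    """Expand rule['basedon'] from catalogue; list items '-x' remove x (must exist), '+x' add x."""
    base = catalogue.get(rule.get("basedon"), {})
    resolved = {k: list(v) if isinstance(v, list) else v for k, v in base.items()}
    resolved.update({k: v for k, v in rule.items()
                     if k != "basedon" and not isinstance(v, list)})
    for key, edits in ((k, v) for k, v in rule.items() if isinstance(v, list)):
        current = list(resolved.get(key, []))
        for item in edits:
            name = item[1:]
            if item.startswith("-"):
                if name not in current:  # a typo must not silently remove nothing
                    raise ValueError(f"{key}: {name} is not in the base list")
                current.remove(name)
            elif item.startswith("+") and name not in current:
                current.append(name)
        resolved[key] = current
    return resolved

ENTRIES = {  # constructed: a TTLS group action and a connection action, as in the post
    "DEFAULTTNGA": {"Scope": "Group", "HandshakeRole": "ServerWithClientAuth",
                    "TLSv1": "Off", "TLSv1.2": "On"},
    "AZFConnAction1": {"Scope": "Connection", "HandshakeRole": "Client",
                       "TLSv1": "On", "TLSv1.2": "On"},
}
DEFAULTS = {"default2": {"HandshakeRole": "Server",  # constructed base configuration
    "V3CipherSuites": ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
                       "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
                       "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]}}
MY_RULE = {"name": "myName", "basedon": "default2", "LocalPortRange": "8000",
           "V3CipherSuites": ["-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
                              "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
                              "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"]}

if __name__ == "__main__":
    for attr, vals in summarise_delta(ENTRIES).items():  # TLSv1.2 is omitted: same on both
        print(f"{attr:<14}" + "".join(f"{v:<22}" for v in vals.values()))
    print(resolve_rule(MY_RULE, DEFAULTS)["V3CipherSuites"])
```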

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
