I use the pasearch output to correct my policy agent rules. Sometimes my
coded rules don’t match the pasearch output. It’s very confusing sometimes.
z/OSMF is not helpful.

Politics: Poli (many) - tics (blood sucking parasites)


On Fri, Dec 13, 2024 at 1:01 PM Colin Paice <[email protected]> wrote:

> I found it hard to understand the output of the AT-TLS command pasearch,
> and I find it hard to configure AT-TLS manually (and worse with z/OSMF).
>
> I was wondering if this is a common problem.
>
> I've written a small amount of python which takes the output of pasearch
> and produces a summary for example
> =========CPJES2OUT====================
> policyRule           : DEFAULTRULE          CPJES2OUT
> Weight               :                      5
> ForLoadDist          :                      5
> Priority             :                      5
> Sequence Actions     :                      5
> policyAction         : DEFAULTTNGA          AZFConnAction1
> ActionType           : TTLS Group           TTLS Connection
> FromAddr             : All                  10.1.0.2
> ToAddr               : All                  10.1.0.2
> LocalPortFrom        : 9999                 0
> LocalPortTo          : 9999                 0
> RemotePortFrom       : 0                    2175
> RemotePortTo         : 0                    2175
> ServiceDirection     : Both                 Outbound
> TTLS Action          : DEFAULTTNGA          AZFConnAction1
> Scope                : Group                Connection
> Trace                : 2                    255
> HandshakeRole        : ServerWithClientAuth Client
> TLSv1                : Off                  On
>
> Where all the common stuff is omitted, and it only shows the delta changes.
>
> Would people find this useful?  If so, please can people send me their
> pasearch output for me to test with - and I'll send them the python code.
>
> I also see it would not be too difficult to specify configuration in YAML
> and have some python to generate the AT-TLS definitions automatically.
> This would hide all of the internal definitions such
> as TTLSSignatureParmsRef.
> For example
> rule:
>   name: temp2
>   basedon: default
>   LocalPortFrom: 2252
>   LocalPortTo: 2252
>   ServiceDirection: Inbound
>   HandshakeRole: Server
> ---
> rule:
>   name: myName
>   basedon: default2
>   LocalPortRange: 8000
>   # remove 2 cipher specs and add a new one to the default configuration
>   V3CipherSuites:
>     - "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
>     - "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
>     - "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
>
> Would this be of interest?
>
> If this would be useful to you, please contact me offline.
>
> Colin
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>
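The "basedon" plus "+/-" cipher-suite overlay that Colin sketches above, worked through as an added example (this is not Colin's Python, nor anything shipped with z/OS). The default templates, the rule dict standing in for the parsed YAML, and the cipher lists are all constructed for illustration; the TTLSRule / TTLSCipherParms statement layout in the renderer is my understanding of the AT-TLS policy syntax (Direction, LocalPortRange, one V3CipherSuites per line) and should be checked against the Policy Agent documentation before anything generated this way is loaded. The point of the checks in apply_cipher_edits is that a "-" for a suite that is not actually in the base list, or a "+" that duplicates one, is almost always a typo that would otherwise silently leave a weak suite enabled.

```python
"""Overlay a short rule spec on a default AT-TLS configuration.

Added example, not from the original post. The dicts below stand in for the
YAML a loader would produce; they are inlined so the script runs offline
without PyYAML. "basedon" names the default to inherit; V3CipherSuites
entries prefixed "-" / "+" remove / append a suite relative to that default.
"""
from copy import deepcopy

# Constructed defaults. Real sites would keep these as templates; the suites
# here are illustrative and deliberately include the CBC ones the rule drops.
DEFAULTS = {
    "default": {
        "ServiceDirection": "Both",
        "HandshakeRole": "Server",
        "V3CipherSuites": [
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        ],
    },
}
DEFAULTS["default2"] = deepcopy(DEFAULTS["default"])

# Constructed: the second rule from the post, as a YAML loader would return it.
RULE_MYNAME = {
    "name": "myName",
    "basedon": "default2",
    "LocalPortRange": "8000",
    "V3CipherSuites": [
        "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    ],
}


def apply_cipher_edits(base, edits):
    """Apply "-SUITE" / "+SUITE" edits to a copy of base, failing loudly on
    edits that cannot have been intended (unknown removal, duplicate add)."""
    suites = list(base)
    for entry in edits:
        op, name = entry[:1], entry[1:].strip()
        if op == "-":
            if name not in suites:
                raise ValueError(f"cannot remove {name}: not in the base list")
            suites.remove(name)
        elif op == "+":
            if name in suites:
                raise ValueError(f"{name} is already in the base list")
            suites.append(name)
        else:
            raise ValueError(f"cipher entry must start with + or -: {entry!r}")
    if not suites:
        raise ValueError("resulting V3CipherSuites list is empty")
    return suites


def resolve_rule(rule, defaults=DEFAULTS):
    """Return the fully expanded rule: the named default with the rule's own
    keys laid over it. V3CipherSuites is merged, every other key replaces."""
    base = defaults[rule["basedon"]]
    merged = deepcopy(base)
    for key, value in rule.items():
        if key in ("name", "basedon"):
            continue
        if key == "V3CipherSuites":
            merged[key] = apply_cipher_edits(base.get(key, []), value)
        else:
            merged[key] = value
    merged["name"] = rule["name"]
    return merged


# Assumed mapping from the pasearch-style names used in the YAML to the
# keywords used inside a TTLSRule statement; verify against your policy.
_RULE_KEYS = {"LocalPortRange": "LocalPortRange", "ServiceDirection": "Direction"}


def render_policy(merged):
    """Render the merged rule as AT-TLS policy text (layout is an assumption)."""
    name = merged["name"]
    out = [f"TTLSRule {name}", "{"]
    for yaml_key, policy_key in _RULE_KEYS.items():
        if yaml_key in merged:
            out.append(f"  {policy_key} {merged[yaml_key]}")
    out += [f"  TTLSCipherParmsRef {name}Ciphers", "}", "",
            f"TTLSCipherParms {name}Ciphers", "{"]
    out += [f"  V3CipherSuites {s}" for s in merged["V3CipherSuites"]]
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_policy(resolve_rule(RULE_MYNAME)))
```

Running it prints a TTLSRule plus a TTLSCipherParms block containing the two GCM suites inherited from the default and the added ECDSA suite, with both CBC suites gone; change one "-" entry to a suite name that is not in the default and the script refuses to generate anything, which is the behaviour you want from a tool that writes TLS policy.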
