TTLSGskAdvancedParms statement
Use the TTLSGskAdvancedParms statement to specify advanced attributes for an AT-TLS environment that are specific to System SSL.
Syntax
Parameters
- name
- A string 1 - 32 characters in length specifying the name of this TTLSGskAdvancedParms statement.
Rule: If this TTLSGskAdvancedParms statement is not specified inline within another statement, a name value must be provided. If a name is not specified for an inline TTLSGskAdvancedParms statement, a nonpersistent system name is created.
- TTLSGskLdapParms
- An inline specification of a TTLSGskLdapParms statement.
- TTLSGskLdapParmsRef
- The name of a globally defined TTLSGskLdapParms statement.
- TTLSGskOcspParms
- An inline specification of a TTLSGskOcspParms statement.
- TTLSGskOcspParmsRef
- The name of a globally defined TTLSGskOcspParms statement.
- TTLSGskHttpCdpParms
- An inline specification of a TTLSGskHttpCdpParms statement.
- TTLSGskHttpCdpParmsRef
- The name of a globally defined TTLSGskHttpCdpParms statement.
- GSK_SYSPLEX_SIDCACHE
- Specifies whether sysplex session identifier caching is to be enabled for connections in this AT-TLS environment. Valid values are as follows:
- On
- Sysplex session identifier caching is to be enabled. SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 protocol server session information can be stored in the sysplex session cache.
- Off
- Sysplex session identifier caching is not to be enabled.
Restriction: Storing TLSv1.3 session tickets in the sysplex session cache is not supported.
- GSK_V2_SESSION_TIMEOUT
- Specifies the SSL Version 2 session timeout. This is the number of seconds until a session identifier expires. Valid values are in the range 0 - 100.
- GSK_V2_SIDCACHE_SIZE
- Specifies the number of SSL Version 2 session identifiers to cache. Valid values are in the range 0 - 32 000.
- GSK_V3_SESSION_TIMEOUT
- Specifies the SSL Version 3, TLS Version 1.0, TLS Version 1.1, TLS Version 1.2, or TLS Version 1.3 session timeout. For SSL Version 3, TLS Version 1.0, TLS Version 1.1, and TLS Version 1.2, this value is the number of seconds that elapse until a session identifier expires. For TLS Version 1.3, this value is the number of seconds that elapse until a session ticket expires. Valid values are in the range 0 - 86 400. The default value is 86 400.
Result: If a value of 0 is specified, session identifiers and session tickets are not remembered.
- GSK_V3_SIDCACHE_SIZE
- Specifies the number of SSL Version 3, TLS Version 1.0, TLS Version 1.1, or TLS Version 1.2 session identifiers or TLS Version 1.3 session tickets to cache. When the cache is full, the oldest entry is removed to make room for a new entry.
Valid values are in the range 0 - 64 000. The cache is allocated by using the configured size rounded up to a power of 2, with a minimum of 16. The default value is 512.
For the SSL Version 3, TLS Version 1.0, TLS Version 1.1, and TLS Version 1.2 protocols, the cache is used to store session identifiers on the server and client sides. For the TLS Version 1.3 protocol, the cache is used to store session tickets on the client side, when GSK_SESSION_TICKET_CLIENT_ENABLE is On.
Result: If a value of 0 is specified, session identifiers and session tickets are not remembered.
- GSK_SESSION_TICKET_CLIENT_ENABLE
- Specifies if the client supports:
- caching session tickets received from a server after a TLS Version 1.3 handshake has completed
- TLS Version 1.3 session resumption attempts to the server
Valid values are:
- On
- Enables client caching of session tickets and session resumption attempts. On is the default.
- Off
- Disables client caching of session tickets and session resumption attempts.
Rule: The GSK_V3_SESSION_TIMEOUT and GSK_V3_SIDCACHE_SIZE settings must be set to values greater than 0 to allow client session ticket caching.
- GSK_SESSION_TICKET_CLIENT_MAXSIZE
- Specifies the maximum number of bytes of a session ticket that can be stored in the client session ticket cache. Session tickets sent by the server that exceed this size are discarded by the client. Valid values are in the range 0 - 2 147 483 647. The default size is 8192 (8K).
Result: A value of 0 disables checking the session ticket size and allows a session ticket of any size.
Tip: Setting the session ticket size too small can implicitly disable session ticket caching for the client, because every ticket the server sends is discarded.
- GSK_SESSION_TICKET_SERVER_ENABLE
- Specifies if the server supports:
- Sending session tickets after a TLS Version 1.3 handshake has completed
- Receiving TLS Version 1.3 session resumption attempts from the client
Valid values are:
- On
- Enables TLS Version 1.3 server session resumption. On is the default.
- Off
- Disables TLS Version 1.3 server session resumption attempts.
- GSK_SESSION_TICKET_SERVER_ALGORITHM
- Specifies the algorithm to be used by the server to encrypt and decrypt the session tickets used for TLS Version 1.3 session resumption.
Valid values are AESCBC128 and AESCBC256. The default is AESCBC128.
- GSK_SESSION_TICKET_SERVER_COUNT
- Specifies the number of TLS Version 1.3 session tickets that is sent by the server to the client after the initial handshake completes. Each session ticket provides the client with the means to request the resumption of a TLS Version 1.3 session. If the value is greater than 0, each subsequent resumed session sends a single session ticket to replace the one used for resumption. Valid values are in the range 0 - 16. The default value is 2.
- GSK_SESSION_TICKET_SERVER_TIMEOUT
- Specifies the maximum time, in seconds, measured from the initial handshake, during which a server accepts a session resumption request from the client. The server continues to generate a new session ticket for each resumed handshake until the timeout is reached. Each session ticket generated by the server is valid until the timeout is reached.
Because the key used to encrypt the session ticket must be available when the client attempts resumption, the GSK_SESSION_TICKET_SERVER_KEY_REFRESH value will impact the lifetime of a session ticket.
Valid values are in the range 1 – 604 800 (7 days). The default value is 300 (5 minutes).
- GSK_SESSION_TICKET_SERVER_KEY_REFRESH
- Specifies the key refresh interval, in seconds, of the encryption key used by the server to encrypt session tickets for TLS Version 1.3 session resumption. When the encryption key is refreshed, a new primary encryption key is generated, and the former encryption key is retained as a secondary key that can be used only for decryption until a subsequent refresh occurs.
Valid values are in the range 0 – 604 800 (7 days). The default value is 300 (5 minutes).
Result: If a value of 0 is specified, the encryption key never refreshes.
- AIACDPPriority
- Specifies the priority order in which the AIA and CRL Distribution Point (CDP) extensions in the certificate are checked for revocation information. Valid values are as follows:
- On
- The AIA extension is processed before the CDP extension during certificate revocation checking. Any OCSP responders specified in the AIA extension or in OcspUrl are contacted before any attempt is made to contact the HTTP servers specified in the HTTP URL values in the CDP extension.
- Off
- The CDP extension is queried before the AIA extension. The HTTP servers specified in the HTTP URL values in the CDP extension are contacted before any attempt is made to contact the OCSP responders specified in the AIA extension or in OcspUrl.
This parameter sets System SSL's GSK_AIA_CDP_PRIORITY attribute.
Tips:
- The HttpCdpEnable parameter must be set to On on the TTLSGskHttpCdpParms statement to enable searching HTTP URL values in the certificate's CDP extension.
- If GSK_LDAP_SERVER is specified on the TTLSGskLdapParms statement, certificate revocation checking by using LDAP is available as a fallback. GSK_LDAP_SERVER is checked last for certificate revocation information.
- MaxSrcRevExtLocValues
- Sets the maximum number of location values that are contacted per HTTP CDP or AIA extension when an attempt is made to validate a certificate. Valid values are in the range 0 - 256. A value of 0 indicates that no limit is set on the number of locations contacted. This parameter sets System SSL's GSK_MAX_SOURCE_REV_EXT_LOC_VALUES attribute.
Result: The locations for revocation information are specified by accessLocation in the AIA certificate extension for OCSP and by distributionPoint in the CDP extension for HTTP CRLs. When locations are available in an AIA or CDP extension, certificate validation processing attempts to contact the OCSP or HTTP server. Both AIA and CDP extensions can contain multiple location values. A large number of locations can impact performance.
- MaxValidRevExtLocValues
- Sets the maximum number of location values that are contacted when validation of a certificate is performed. Valid values are in the range 0 - 1024. A value of 0 indicates that no limit is set on the number of locations contacted. This parameter sets System SSL's GSK_MAX_VALIDATION_REV_EXT_LOC_VALUES attribute.
Result: The locations for revocation information are specified by accessLocation in the AIA certificate extension for OCSP and by distributionPoint in the CDP extension for HTTP CRLs. When locations are available in an AIA or CDP extension, certificate validation processing attempts to contact the OCSP or HTTP server. Both AIA and CDP extensions can contain multiple location values. A large number of locations can impact performance.
- RevocationSecurityLevel
- Specifies the level of security to use when an OCSP responder or an HTTP server specified in an HTTP URL value in the CDP extension is contacted.
This parameter sets System SSL's GSK_REVOCATION_SECURITY_LEVEL attribute.
The following levels of security are available:
- Low
- Certificate validation does not fail if the OCSP responder or HTTP server specified in the HTTP URL value in the CDP extension cannot be contacted.
- Medium
- Certificate validation requires the OCSP responder or the HTTP server in an HTTP URL value in the CDP extension to be able to be contacted. For an OCSP responder, it must be able to provide a valid certificate revocation status. If the certificate status is revoked or unknown, certificate validation fails. For an HTTP server in the CDP extension, it must be able to be contacted and provide a CRL.
- High
- Certificate validation requires revocation information to be provided by the OCSP responder or HTTP server. If OCSP revocation checking by using the AIA extension is enabled, the OCSP responder specified in the certificate must be able to be contacted and provide valid certificate revocation status. If HTTP CRL checking is enabled, the HTTP server specified in the HTTP URL values in the CDP extension must be able to be contacted and provide a CRL.
Tips:
- When revocation information is not found in cache, an attempt to contact an OCSP responder or an HTTP server is performed. To enforce contact with the OCSP responder or the HTTP server for each validation, caching must be disabled.
- If GSK_LDAP_SERVER is specified, it is checked last for certificate revocation information if OCSP or HTTP CDP is enabled. If the OCSP responders or the HTTP servers cannot be contacted, you can enable fallback to an LDAP server by setting the RevocationSecurityLevel parameter to Low. This enables contact to the LDAP server specified in the GSK_LDAP_SERVER parameter.
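A complete policy fragment that uses this statement, as an added example (it is not from this page or from IBM): the enclosing TTLSEnvironmentAction with its TTLSKeyringParmsRef, and the referenced TTLSGskOcspParms and TTLSGskHttpCdpParms statements, are assumed from the usual AT-TLS policy layout; the statement names are arbitrary and the OCSP responder URL is a placeholder. Only parameters that this page names are set in the TTLSGskAdvancedParms statement.

```text
# Added example, not IBM's code. Statement names and the responder URL are placeholders.
TTLSEnvironmentAction                 envActSecureServer
{
  HandshakeRole                       Server
  TTLSKeyringParmsRef                 keyRingProd
  TTLSGskAdvancedParmsRef             gskAdvServer
}

TTLSGskAdvancedParms                  gskAdvServer
{
  # Session ID cache (SSLv3/TLS 1.0-1.2) and TLS 1.3 client ticket cache.
  # 2048 is allocated as-is (already a power of 2); 0 would disable resumption.
  GSK_V3_SESSION_TIMEOUT              3600
  GSK_V3_SIDCACHE_SIZE                2048
  GSK_SYSPLEX_SIDCACHE                Off

  # TLS 1.3 server-side ticket issuance. Because a ticket can only be
  # decrypted while its key is still primary or the retained secondary key,
  # a KEY_REFRESH shorter than TIMEOUT caps how long an unused ticket lives.
  GSK_SESSION_TICKET_SERVER_ENABLE    On
  GSK_SESSION_TICKET_SERVER_COUNT     2
  GSK_SESSION_TICKET_SERVER_ALGORITHM AESCBC256
  GSK_SESSION_TICKET_SERVER_TIMEOUT   3600
  GSK_SESSION_TICKET_SERVER_KEY_REFRESH 900

  # Revocation checking: OCSP responders from the AIA extension first,
  # then HTTP CRLs from the CDP extension, with hard failure if neither
  # source can be reached. No TTLSGskLdapParms, so there is no LDAP fallback.
  TTLSGskOcspParmsRef                 ocspProd
  TTLSGskHttpCdpParmsRef              cdpProd
  AIACDPPriority                      On
  MaxSrcRevExtLocValues               4
  MaxValidRevExtLocValues             16
  RevocationSecurityLevel             High
}

TTLSGskHttpCdpParms                   cdpProd
{
  # Required for the CDP HTTP URL values to be searched at all.
  HttpCdpEnable                       On
}

TTLSGskOcspParms                      ocspProd
{
  # Placeholder responder; OcspUrl is consulted alongside AIA responders.
  OcspUrl                             http://ocsp.example.com
}
```

With RevocationSecurityLevel High, a certificate whose OCSP responder and CRL server are both unreachable fails validation outright; if the deployment needs the LDAP fallback described in the tips above, the level has to be lowered to Low and a TTLSGskLdapParms statement with GSK_LDAP_SERVER added, at the cost of accepting certificates for which no revocation source could be contacted.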
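The interaction between GSK_SESSION_TICKET_SERVER_TIMEOUT, GSK_SESSION_TICKET_SERVER_KEY_REFRESH and GSK_SESSION_TICKET_SERVER_COUNT described above is easy to misread, so here is a small Python model of those rules. It is an added illustration, not System SSL or AT-TLS code; the class and function names are invented, and it assumes that key refreshes happen at fixed multiples of the refresh interval counted from server start, which the page does not state. The sidcache_slots helper applies the power-of-two rounding rule given for GSK_V3_SIDCACHE_SIZE.

```python
"""Model of the TLS 1.3 session-ticket lifetime rules that the
GSK_SESSION_TICKET_SERVER_* parameters describe.

Added illustration, not System SSL or AT-TLS code. Assumption: key refreshes
occur at fixed multiples of the refresh interval, counted from server start
(time 0). The page says only that the key is refreshed every KEY_REFRESH
seconds and that the previous primary key is kept as a decrypt-only secondary
key until the next refresh.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ticket:
    session_start: int  # time of the initial full handshake; TIMEOUT counts from here
    key_epoch: int      # index of the primary key the ticket was encrypted under


@dataclass
class TicketServer:
    enabled: bool = True     # GSK_SESSION_TICKET_SERVER_ENABLE
    count: int = 2           # GSK_SESSION_TICKET_SERVER_COUNT, 0-16
    timeout: int = 300       # GSK_SESSION_TICKET_SERVER_TIMEOUT, 1-604800 seconds
    key_refresh: int = 300   # GSK_SESSION_TICKET_SERVER_KEY_REFRESH, 0-604800 (0 = never)

    def __post_init__(self) -> None:
        if not 0 <= self.count <= 16:
            raise ValueError("GSK_SESSION_TICKET_SERVER_COUNT must be 0-16")
        if not 1 <= self.timeout <= 604_800:
            raise ValueError("GSK_SESSION_TICKET_SERVER_TIMEOUT must be 1-604800")
        if not 0 <= self.key_refresh <= 604_800:
            raise ValueError("GSK_SESSION_TICKET_SERVER_KEY_REFRESH must be 0-604800")

    def epoch(self, now: int) -> int:
        """Index of the primary ticket-encryption key in effect at `now`."""
        return 0 if self.key_refresh == 0 else now // self.key_refresh

    def can_decrypt(self, ticket: Ticket, now: int) -> bool:
        """Only the primary key and the single retained secondary key exist."""
        cur = self.epoch(now)
        return ticket.key_epoch in (cur, cur - 1)

    def full_handshake(self, now: int) -> List[Ticket]:
        """Tickets sent after a full TLS 1.3 handshake: COUNT of them, or none."""
        if not self.enabled:
            return []
        return [Ticket(now, self.epoch(now)) for _ in range(self.count)]

    def resume(self, ticket: Ticket, now: int) -> Tuple[bool, Optional[Ticket]]:
        """Attempt a resumption at `now`; returns (accepted, replacement_ticket).

        A refusal means the client must fall back to a full handshake."""
        if not self.enabled:
            return False, None
        if now - ticket.session_start >= self.timeout:
            return False, None   # past TIMEOUT, measured from the initial handshake
        if not self.can_decrypt(ticket, now):
            return False, None   # encrypting key dropped after two refreshes
        # Accepted: one replacement ticket under the current primary key,
        # still tied to the original session start.
        replacement = Ticket(ticket.session_start, self.epoch(now)) if self.count > 0 else None
        return True, replacement

    def last_accepted(self, ticket: Ticket) -> int:
        """Last second at which this particular ticket can still resume."""
        by_timeout = ticket.session_start + self.timeout - 1
        if self.key_refresh == 0:
            return by_timeout
        # The key for epoch e is primary during epoch e and secondary during e+1.
        by_key = (ticket.key_epoch + 2) * self.key_refresh - 1
        return min(by_timeout, by_key)


def sidcache_slots(configured: int) -> int:
    """Slots actually allocated for GSK_V3_SIDCACHE_SIZE: the configured value
    rounded up to a power of two with a minimum of 16; 0 disables the cache."""
    if not 0 <= configured <= 64_000:
        raise ValueError("GSK_V3_SIDCACHE_SIZE must be 0-64000")
    if configured == 0:
        return 0
    slots = 16
    while slots < configured:
        slots *= 2
    return slots


if __name__ == "__main__":
    srv = TicketServer(count=2, timeout=3600, key_refresh=300)
    first, second = srv.full_handshake(0)
    print("original ticket usable through second", srv.last_accepted(first))
    ok, repl = srv.resume(first, 599)
    print("resume at 599 accepted:", ok, "; replacement usable through", srv.last_accepted(repl))
    print("resume at 600 with the other original ticket accepted:", srv.resume(second, 600)[0])
```

Running the block shows that with a 3600-second timeout and a 300-second key refresh an original ticket is accepted only through second 599 after the full handshake, while each accepted resumption re-encrypts the replacement under the current key and so carries the session forward until the timeout; with GSK_SESSION_TICKET_SERVER_KEY_REFRESH set to 0 only the timeout applies.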