TTLSCipherParms statement
Use the TTLSCipherParms statement to define the cipher specifications for an AT-TLS environment or an AT-TLS connection. A TTLSCipherParms statement can be specified inline in a TTLSEnvironmentAction or TTLSConnectionAction statement or referenced by a TTLSEnvironmentAction or TTLSConnectionAction statement.
Syntax
Parameters
- name
- A string 1 - 32 characters in length specifying the name of this TTLSCipherParms statement.
Rule: If this TTLSCipherParms statement is not specified inline within another statement, a name value must be provided. If a name is not specified for an inline TTLSCipherParms statement, a nonpersistent system name is created.
- V2CipherSuites
- Specifies the SSL version 2 cipher suites in order of preference. If a V2CipherSuites parameter is specified more than once, the values are concatenated to create a single list of cipher suites. For System SSL, the GSK_V2_CIPHER_SPECS value is set to the concatenated value. The ciphers value is a string of one or more 1-character SSL version 2 ciphers, or a single cipher constant. The cipher string cannot have blanks between ciphers. If duplicate ciphers are specified, the first instance is used and all other instances are ignored. The maximum number of SSL version 2 ciphers is 10. For System SSL, see gsk_environment_open() in z/OS® Cryptographic Services System SSL Programming for a list of valid cipher suites. Table 1 lists the supported cipher constants.
Table 1. V2CipherSuites

Cipher constant | Hexadecimal character |
---|---|
TLS_RC4_128_WITH_MD5 | 1 |
TLS_RC4_128_EXPORT40_WITH_MD5 | 2 |
TLS_RC2_CBC_128_CBC_WITH_MD5 | 3 |
TLS_RC2_CBC_128_CBC_EXPORT40_WITH_MD5 | 4 |
TLS_DES_64_CBC_WITH_MD5 | 6 |
TLS_DES_192_EDE3_CBC_WITH_MD5 | 7 |

- V3CipherSuites
- Specifies the SSL Version 3, TLS Version 1.0, TLS Version 1.1, TLS Version 1.2, or TLS Version 1.3 cipher suites in order of preference. If a V3CipherSuites or V3CipherSuites4Char parameter is specified more than once, the values are concatenated to create a single list of cipher suites. For System SSL, the GSK_V3_CIPHER_SPECS_EXPANDED value is set to the concatenated value.
The ciphers value is a string of one or more 2-hexadecimal-character SSL Version 3, TLS Version 1.0, TLS Version 1.1, or TLS Version 1.2 ciphers, or a single cipher constant. The cipher string cannot have blanks between ciphers. If the string notation is used, you cannot specify any cipher values that require the four-character representation; use the V3CipherSuites4Char parameter to specify four-character cipher string values. If duplicate ciphers are specified, the first instance is used and all other instances are ignored. The maximum number of ciphers that can be specified is 255. For System SSL, see Appendix C. Cipher suite definitions in z/OS Cryptographic Services System SSL Programming for a list of valid cipher suites. Table 2 lists the supported cipher constants.
- V3CipherSuites4Char
- Specifies the SSL Version 3, TLS Version 1.0, TLS Version 1.1, TLS Version 1.2, or TLS Version 1.3 cipher suites in order of preference. If a V3CipherSuites or V3CipherSuites4Char parameter is specified more than once, the values are concatenated to create a single list of cipher suites. For System SSL, the GSK_V3_CIPHER_SPECS_EXPANDED value is set to the concatenated value.
The ciphers value is a string of one or more 4-hexadecimal-character SSL Version 3, TLS Version 1.0, TLS Version 1.1, TLS Version 1.2, or TLS Version 1.3 ciphers. The cipher string cannot have blanks between ciphers. Use the V3CipherSuites parameter to specify a cipher constant or 2-character cipher string values. If duplicate ciphers are specified, the first instance is used and all other instances are ignored. The maximum number of ciphers that can be specified is 255.
For System SSL, see Appendix C. Cipher suite definitions in z/OS Cryptographic Services System SSL Programming for a list of valid cipher suites by supported protocol. Table 2 lists the supported cipher constants.
Table 2. V3CipherSuites

Cipher constant | Hexadecimal character | Expanded character |
---|---|---|
TLS_NULL_WITH_NULL_NULL | 00 | 0000 |
TLS_RSA_WITH_NULL_MD5 | 01 | 0001 |
TLS_RSA_WITH_NULL_SHA | 02 | 0002 |
TLS_RSA_EXPORT_WITH_RC4_40_MD5 | 03 | 0003 |
TLS_RSA_WITH_RC4_128_MD5 | 04 | 0004 |
TLS_RSA_WITH_RC4_128_SHA | 05 | 0005 |
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | 06 | 0006 |
TLS_RSA_WITH_DES_CBC_SHA | 09 | 0009 |
TLS_RSA_WITH_3DES_EDE_CBC_SHA | 0A | 000A |
TLS_DH_DSS_WITH_DES_CBC_SHA | 0C | 000C |
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA | 0D | 000D |
TLS_DH_RSA_WITH_DES_CBC_SHA | 0F | 000F |
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA | 10 | 0010 |
TLS_DHE_DSS_WITH_DES_CBC_SHA | 12 | 0012 |
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | 13 | 0013 |
TLS_DHE_RSA_WITH_DES_CBC_SHA | 15 | 0015 |
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | 16 | 0016 |
TLS_RSA_WITH_AES_128_CBC_SHA | 2F | 002F |
TLS_DH_DSS_WITH_AES_128_CBC_SHA | 30 | 0030 |
TLS_DH_RSA_WITH_AES_128_CBC_SHA | 31 | 0031 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA | 32 | 0032 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA | 33 | 0033 |
TLS_RSA_WITH_AES_256_CBC_SHA | 35 | 0035 |
TLS_DH_DSS_WITH_AES_256_CBC_SHA | 36 | 0036 |
TLS_DH_RSA_WITH_AES_256_CBC_SHA | 37 | 0037 |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA | 38 | 0038 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA | 39 | 0039 |
TLS_RSA_WITH_NULL_SHA256 | 3B | 003B |
TLS_RSA_WITH_AES_128_CBC_SHA256 | 3C | 003C |
TLS_RSA_WITH_AES_256_CBC_SHA256 | 3D | 003D |
TLS_DH_DSS_WITH_AES_128_CBC_SHA256 | 3E | 003E |
TLS_DH_RSA_WITH_AES_128_CBC_SHA256 | 3F | 003F |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | 40 | 0040 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | 67 | 0067 |
TLS_DH_DSS_WITH_AES_256_CBC_SHA256 | 68 | 0068 |
TLS_DH_RSA_WITH_AES_256_CBC_SHA256 | 69 | 0069 |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | 6A | 006A |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | 6B | 006B |
TLS_RSA_WITH_AES_128_GCM_SHA256 | 9C | 009C |
TLS_RSA_WITH_AES_256_GCM_SHA384 | 9D | 009D |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | 9E | 009E |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 9F | 009F |
TLS_DH_RSA_WITH_AES_128_GCM_SHA256 | A0 | 00A0 |
TLS_DH_RSA_WITH_AES_256_GCM_SHA384 | A1 | 00A1 |
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | A2 | 00A2 |
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | A3 | 00A3 |
TLS_DH_DSS_WITH_AES_128_GCM_SHA256 | A4 | 00A4 |
TLS_DH_DSS_WITH_AES_256_GCM_SHA384 | A5 | 00A5 |
TLS_AES_128_GCM_SHA256 | 1301 | |
TLS_AES_256_GCM_SHA384 | 1302 | |
TLS_CHACHA20_POLY1305_SHA256 | 1303 | |
TLS_ECDH_ECDSA_WITH_NULL_SHA | C001 | |
TLS_ECDH_ECDSA_WITH_RC4_128_SHA | C002 | |
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | C003 | |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | C004 | |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | C005 | |
TLS_ECDHE_ECDSA_WITH_NULL_SHA | C006 | |
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | C007 | |
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | C008 | |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | C009 | |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | C00A | |
TLS_ECDH_RSA_WITH_NULL_SHA | C00B | |
TLS_ECDH_RSA_WITH_RC4_128_SHA | C00C | |
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | C00D | |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | C00E | |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | C00F | |
TLS_ECDHE_RSA_WITH_NULL_SHA | C010 | |
TLS_ECDHE_RSA_WITH_RC4_128_SHA | C011 | |
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | C012 | |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | C013 | |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | C014 | |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | C023 | |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | C024 | |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | C025 | |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | C026 | |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | C027 | |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | C028 | |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | C029 | |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | C02A | |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | C02B | |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | C02C | |
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | C02D | |
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 | C02E | |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | C02F | |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | C030 | |
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | C031 | |
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | C032 | |
Requirement: If you plan to control access to the ICSF cryptographic support, TCP/IP and other applications must be permitted to access the ICSF/MVS cryptographic services (CSFSERV).
Guideline: If you do not have any reason to restrict access to the ICSF cryptographic support, you should not activate the CSFSERV resource class, define any of the profiles listed below, or permit any applications or users to these profiles. If you do need to set up controls in the CSFSERV resource class, enable the following resources.
Requirement: Elliptic Curve ciphers, defined as TLS_ECDH, TLS_ECDHE or TLS_ECDSA, require ICSF to be active. The ciphers TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256 also require ICSF to be active.
- CSF1DVK
- CSF1GKP
- CSF1GAV
- CSF1PKS
- CSF1PKV
- CSF1TRC
- CSF1TRD
See Elliptic Curve Cryptography Support in z/OS Cryptographic Services System SSL Programming for additional information.
Requirement: AES-GCM ciphers require ICSF to be active.
- CSF1TRC
- CSF1SKD
- CSF1SKE
- CSF1TRD
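The following Python script is an added example, not IBM code and not part of this reference page. It applies the V3CipherSuites and V3CipherSuites4Char rules stated above (a value is either one cipher constant or a string of 2- or 4-hexadecimal-character ciphers with no blanks, repeated parameters are concatenated in order, the first instance of a duplicate wins, at most 255 ciphers) to a constructed TTLSCipherParms statement, producing the value System SSL would receive in GSK_V3_CIPHER_SPECS_EXPANDED and flagging suites an auditor would want to question. It assumes the policy-file layout shown in its sample (statement name, braces, one parameter per line, `#` comments), transcribes only a subset of Table 2, treats the 255 limit as counting ciphers as written, and labels suites with static RSA/DH/ECDH key exchange as lacking forward secrecy; those classification choices are the example's own, not the page's.

```python
import re

# Subset of Table 2 transcribed from the page: cipher constant -> expanded code.
V3_CONSTANTS = {
    "TLS_NULL_WITH_NULL_NULL": "0000",
    "TLS_RSA_WITH_RC4_128_MD5": "0004",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "002F",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "0035",
    "TLS_AES_128_GCM_SHA256": "1301",
    "TLS_AES_256_GCM_SHA384": "1302",
    "TLS_CHACHA20_POLY1305_SHA256": "1303",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "C02B",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "C030",
}
CODE_TO_CONSTANT = {code: name for name, code in V3_CONSTANTS.items()}
MAX_V3_CIPHERS = 255                                   # limit stated on the page
LEGACY_TOKENS = ("NULL", "RC4", "DES", "EXPORT", "MD5")
STATIC_KEX = re.compile(r"TLS_(RSA|DH_RSA|DH_DSS|ECDH_RSA|ECDH_ECDSA)_WITH_")


class CipherParmsError(ValueError):
    """Raised when a value breaks one of the rules the page states."""


def parse_statement(text):
    """Return (name, [(parameter, value), ...]) for the first TTLSCipherParms block."""
    match = re.search(r"TTLSCipherParms\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not match:
        raise CipherParmsError("no TTLSCipherParms block found")
    name, body = match.group(1), match.group(2)
    if not 1 <= len(name) <= 32:
        raise CipherParmsError("name must be 1 - 32 characters")
    pairs = []
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()           # assumption: '#' starts a comment
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise CipherParmsError(f"malformed line: {line!r}")
        pairs.append((parts[0], parts[1].strip()))
    return name, pairs


def expand_value(param, value):
    """Turn one parameter value into the list of 4-hex-character codes it denotes."""
    if param == "V3CipherSuites":
        if value in V3_CONSTANTS:                      # a single cipher constant
            return [V3_CONSTANTS[value]]
        if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
            raise CipherParmsError(f"V3CipherSuites takes a Table 2 constant or 2-hex-character ciphers, no blanks: {value!r}")
        # 2-character codes are the 00xx rows of Table 2, so expansion prefixes 00
        return ["00" + value[i:i + 2].upper() for i in range(0, len(value), 2)]
    if param == "V3CipherSuites4Char":
        if not re.fullmatch(r"(?:[0-9A-Fa-f]{4})+", value):
            raise CipherParmsError(f"V3CipherSuites4Char takes 4-hex-character ciphers, no blanks: {value!r}")
        return [value[i:i + 4].upper() for i in range(0, len(value), 4)]
    raise CipherParmsError(f"unsupported parameter: {param}")


def audit_policy(text):
    """Build the effective V3 list (what GSK_V3_CIPHER_SPECS_EXPANDED receives) and flag weak choices."""
    name, pairs = parse_statement(text)
    specified, findings = [], []
    for param, value in pairs:
        if param == "V2CipherSuites":                  # SSL V2 feeds a separate System SSL value
            findings.append((value, "V2CipherSuites", "SSL version 2 ciphers configured"))
        else:
            specified.extend(expand_value(param, value))
    if len(specified) > MAX_V3_CIPHERS:                # assumption: the limit counts ciphers as written
        raise CipherParmsError(f"{len(specified)} ciphers specified, maximum is {MAX_V3_CIPHERS}")
    codes = list(dict.fromkeys(specified))             # first instance wins, later duplicates are ignored
    for code in codes:
        constant = CODE_TO_CONSTANT.get(code)
        if constant is None:
            findings.append((code, None, "not in the Table 2 subset here; check Appendix C"))
            continue
        legacy = [t for t in LEGACY_TOKENS if t in constant]
        if legacy:
            findings.append((code, constant, "legacy: " + "/".join(legacy)))
        if STATIC_KEX.match(constant):
            findings.append((code, constant, "static key exchange, no forward secrecy"))
    return {"name": name, "codes": codes, "expanded": "".join(codes),
            "dropped_duplicates": len(specified) - len(codes), "findings": findings}


# Constructed policy fragment (not from any real system): a modern list with a few
# older suites left in and a duplicate introduced by a repeated V3CipherSuites parameter.
SAMPLE_POLICY = """\
TTLSCipherParms    ModernCiphers
{
  V3CipherSuites4Char   130213011303
  V3CipherSuites        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  V3CipherSuites        2F35
  V3CipherSuites        TLS_RSA_WITH_RC4_128_MD5
  V3CipherSuites        2F
}
"""

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY))
```

Running it on the sample shows the preference order System SSL would actually use (130213011303C030C02B002F00350004), that the trailing `2F` was discarded as a duplicate of the earlier `2F35` entry, and that `0004` (RC4 with MD5) and the static-RSA suites `002F`/`0035` are still reachable by a peer that offers nothing better. Because ordering is preference, the same check is worth running whenever a second V3CipherSuites parameter is added to an existing statement.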