When we start a transaction on port 9443, PAGENT (z/OS 2.2) immediately returns the following message:
15.57.58 STC02568 BPXF024I (TCPIP) Oct 18 13:57:58 TTLS[50397229]: 15:57:58 TC 846 EZD1283I TTLS Event GRPID: 00000001 ENVID: 00000001 CONNID: 846 RC: 5006 Initial Handshake 0000000000000000 0000000000000000 846 0000000000000000 00000000

Wireshark shows that a packet arrived at the target, but there was no response from the server. There is no inbound rule, only an outbound one. Should we have an inbound one? I also suspect that the problem is with the TLS level. There is only one rule in PAGENT for port 9443:

###################################################################
#  xxxxxxxxx TCPIP Pagent Configuration File                      #
#                                                                 #
#  Prepared by Itschak Mugzach, Securiteam Software Ltd, Israel   #
#                                                                 #
###################################################################
#
TTLSGroupAction grp_Production
{
  TTLSEnabled On           # Enable HTTPS
  Trace       30           # Log Errors to syslogd
}
#
# ----------------------------------------------------------
#  Enable AT-TLS for CICS Transaction on port 9443
# ----------------------------------------------------------
#
TTLSRule xxxxxxxxx_Api_Caller
{
  RemotePortRange          9443           # Server secure port
  Direction                Outbound
  TTLSGroupActionRef       grp_Production
  TTLSEnvironmentActionRef xxxxxxxxx_Api_Caller_Env
}
#
# ----------------------------------------------------------
#  Set the keyring
# ----------------------------------------------------------
#
TTLSEnvironmentAction xxxxxxxxx_Api_Caller_Env
{
  HandshakeRole Client
  TTLSEnvironmentAdvancedParmsRef Secure_API_Caller_Env
  TTLSKeyRingParms
  {
    Keyring CICSR.CICSRKEYRING
  }
  TTLSCipherParmsRef RequireEncryption
}
#
# ----------------------------------------------------------
#  Set of TLS Ciphers with Encryption
# ----------------------------------------------------------
#
TTLSCipherParms RequireEncryption
{
  V3CipherSuites4Char 003500380039002F00320033003D003CC02FC030CCA8
}
# ----------------------------------------------------------
#  Set TLS supported levels
# ----------------------------------------------------------
TTLSEnvironmentAdvancedParms Secure_API_Caller_Env
{
  SSLv2   Off
  SSLv3   Off
  TLSv1   Off
  TLSV1.1 Off
  TLSV1.2 On
  TLSV1.3 Off
  ClientHandshakeSNI      Optional
  ClientHandshakeSNIMatch Optional
# ClientHandshakeSNIList xxxxxxxxx ?
}

ITschak Mugzach | IronSphere Platform | Information Security Continuous Monitoring for z/OS, x/Linux & IBM I | z/VM coming soon

On Fri, Oct 14, 2022 at 9:53 AM ITschak Mugzach <imugz...@gmail.com> wrote:
> We have a CICS transaction that opens a socket (EZASOCKET) on port 9443 to
> an external server.
> We copied the default PAGENT configuration for AT-TLS and modified it as
> below. However, TCPIP (that starts the PAGENT task) claims "EZZ4249I
> TCPIP INSTALLED TTLS POLICY HAS NO RULES".
>
> We wanted 943 to be encrypted by the CICSR userid certificate placed on
> ring CICSRKEYRING.
>
> What is wrong with the below definitions (and the others copied from the
> sample directory)?
>
> TTLSRule Our_Outbound_Application
> {
>   Userid CICSR
>   RemotePortRange 9443
>   Direction Outbound
>   TTLSGroupActionRef grp_Production
>   TTLSKeyRingParms
>   {
>     Keyring CICSRKEYRING
>   }
>   TTLSConnectionActionRef grp_Production
>   #TTLSEnvironmentActionRef Generic_Client_App
> }
>
> ITschak Mugzach | IronSphere Platform | Information Security Continuous Monitoring
> for z/OS, x/Linux & IBM I | z/VM coming soon

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
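An added example, not code from the post or from IBM's Policy Agent: a small Python parser for the block-structured policy syntax shown above, plus a check that a TTLSRule's Direction is paired with a matching HandshakeRole in the environment action it references and that its group action actually enables AT-TLS. The sample policy is a constructed, trimmed copy of the statements above; the defaults of Both for Direction and Server for HandshakeRole are assumptions taken from the AT-TLS documentation.

```python
import re

# Constructed sample: trimmed to the statement shapes used in the post, not the real policy file.
SAMPLE_POLICY = """
TTLSGroupAction grp_Production { TTLSEnabled On  Trace 30 }
TTLSRule Api_Caller
{
  RemotePortRange 9443   Direction Outbound   # CICS issues the connect(), so this side is the TLS client
  TTLSGroupActionRef grp_Production   TTLSEnvironmentActionRef Api_Caller_Env
}
TTLSEnvironmentAction Api_Caller_Env { HandshakeRole Client  TTLSKeyRingParms { Keyring CICSR.CICSRKEYRING } }
"""

def parse_policy(text):
    """Parse 'Type Name { key value ... }' statements (nested '{ }' allowed) into nested dicts."""
    tokens = re.findall(r"[{}]|[^\s{}]+", re.sub(r"#.*", "", text))  # strip comments, tokenise
    pos = 0
    def block():  # consume tokens up to the matching '}' -> {key: value or sub-block}
        nonlocal pos
        body = {}
        while tokens[pos] != "}":
            key, pos = tokens[pos], pos + 1
            if tokens[pos] == "{":
                pos += 1
                body[key] = block()
                pos += 1                      # closing '}' of the sub-block
            else:
                body[key], pos = tokens[pos], pos + 1
        return body
    policy = {}
    while pos < len(tokens):
        stmt, name = tokens[pos], tokens[pos + 1]
        pos += 3                              # statement type, name, opening '{'
        policy.setdefault(stmt, {})[name] = block()
        pos += 1                              # closing '}'
    return policy

def check_rule(policy, rule_name):
    """Cross-check a TTLSRule with the group/environment actions it references; returns findings."""
    rule = policy["TTLSRule"][rule_name]
    grp = policy.get("TTLSGroupAction", {}).get(rule.get("TTLSGroupActionRef"), {})
    env = policy.get("TTLSEnvironmentAction", {}).get(rule.get("TTLSEnvironmentActionRef"), {})
    direction = rule.get("Direction", "Both")       # "Both" assumed as the AT-TLS default
    role = env.get("HandshakeRole", "Server")        # "Server" assumed as the AT-TLS default
    findings = []
    if grp.get("TTLSEnabled") != "On":
        findings.append("referenced TTLSGroupAction does not set TTLSEnabled On")
    if direction == "Outbound" and role != "Client":
        findings.append(f"Outbound rule paired with HandshakeRole {role}; an outbound connect needs Client")
    return findings
```

check_rule returns an empty list for the sample; feed it the real policy text to confirm the rule, group action and environment action are wired together before looking at cipher or protocol-level mismatches.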