Bill.

An AT-TLS rule consists of a number of tests and pointers to actions which are 
performed if all of the tests are true. One of the actions specifies if TLS is 
to be enabled or not. You can test on local and remote port numbers, local 
and remote IP addresses, connection direction (inbound or outbound), local 
address space name etc. You may have a rule which says “if the remote port is 
443 (https?) and direction is outbound then enable TLS”. This would enable 
TLS for an SMPE batch job connecting to an https server. To check, you can 
either view the AT-TLS policy or, to get a better formatted list, use the Unix 
command “pasearch -t > mylist.txt” and then view mylist.txt. See Comms Server 
IP diagnosis for details of pasearch and how to list a subset of the policy. If 
this is in fact the problem you could add another rule which says “if the 
remote IP address is the IBM https server then do not enable TLS”.

Keith
> On 1 May 2023, at 20:29, Michael Babcock <bigironp...@gmail.com> wrote:
> 
> Here's our simple DB2 Secure port definition in AT-TLS:
> 
> TTLSRule DBRTSecureServer            # Secure DBRT
> {
>   LocalPortRange           4450                        # DBRT Secure Port
>   Direction                Inbound                     # Inbound Only
>   Priority                 1                           # Lowest priority rule
>   TTLSGroupActionRef       grp_Production              # Uncomment once debugging
>   TTLSEnvironmentActionRef DBRT_SecureServer_Action    # DBRT Env Action
> }
> 
> TTLSEnvironmentAction     DBRT_SecureServer_Action
> {
>   HandshakeRole           Server
>   TTLSKeyRingParmsRef     DBRT_Keyring_Parms
>   TTLSCipherParmsRef      DB2_CipherParms
>   TTLSEnvironmentAdvancedParms
>   {
>     ClientAuthType        PassThru
>     SSLv2                 Off
>     SSLv3                 Off
>     TLSv1                 Off
>     TLSv1.1               Off
>     TLSv1.2               On
>   }
> }
> 
> TTLSKeyRingParms          DBRT_Keyring_Parms
> {
>  Keyring                  DBRT/DBRT.KEYRING
> }
>> 
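
A simplified model of the rule selection described in the reply above, as an added example that is not part of the original thread and not IBM's Policy Agent code: it parses a small policy holding the generic outbound-443 rule and the suggested exemption, then reports which rule a connection would match. Assumptions: the rule and action names are hypothetical, 192.0.2.10 is a placeholder for the HTTPS server address, only exact-value tests are modelled, and the matching rule with the highest Priority is taken to win.

```python
import re

# Constructed policy, not from the thread. 192.0.2.10 is a placeholder for the
# HTTPS server address; the rule and action names are hypothetical.
POLICY = """
TTLSRule Outbound443              # generic: TLS on every outbound 443
{
  RemotePortRange    443
  Direction          Outbound
  Priority           10
  TTLSGroupActionRef grp_On
}
TTLSRule NoTLS_HttpsServer        # exemption for one remote server
{
  RemoteAddr         192.0.2.10
  RemotePortRange    443
  Direction          Outbound
  Priority           20
  TTLSGroupActionRef grp_Off
}
TTLSGroupAction grp_On  { TTLSEnabled On }
TTLSGroupAction grp_Off { TTLSEnabled Off }
"""
TESTS = {"RemoteAddr": "remote_addr", "RemotePortRange": "remote_port",
         "LocalPortRange": "local_port", "Direction": "direction"}

def parse(policy):
    """Return {statement type: {name: {parameter: value}}} for flat blocks."""
    blocks = {}
    text = re.sub(r"#.*", "", policy)            # drop trailing comments
    for kind, name, body in re.findall(r"(\w+)\s+(\S+)\s*\{([^{}]*)\}", text):
        pairs = (ln.split(None, 1) for ln in body.strip().splitlines() if ln.strip())
        blocks.setdefault(kind, {})[name] = {k: v.strip() for k, v in pairs}
    return blocks

def tls_decision(policy, conn):
    """Return (matching rule name, TLS enabled?) for one connection."""
    blocks = parse(policy)
    # A rule matches only if every test it states is true (exact values only;
    # port ranges, address masks and Direction Both are not modelled).
    hits = [(int(r.get("Priority", 0)), name) for name, r in blocks["TTLSRule"].items()
            if all(r[k] == str(conn.get(f)) for k, f in TESTS.items() if k in r)]
    if not hits:
        return None, False                       # no rule: AT-TLS not applied
    name = max(hits)[1]                          # assumed: highest Priority wins
    action = blocks["TTLSGroupAction"][blocks["TTLSRule"][name]["TTLSGroupActionRef"]]
    return name, action.get("TTLSEnabled") == "On"
```

Without the second rule, the connection to 192.0.2.10 falls through to `Outbound443` and gets TLS enabled, which is the situation the reply suggests checking for with pasearch.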

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
