SSL_CLIENT_DNLABEL
|
Defines the label name of the certificate that is used for client connections (for example, Initiator).
If this parameter is not specified, the certificate defined by the SSL_DNLABEL parameter is used.
|
SSL_DNLABEL
|
Defines the label name of the certificate that is used.
If you want to use the default certificate, you must specify this parameter as NULL in upper case. This certificate is used for both the server and client unless the SSL_CLIENT_DNLABEL parameter is specified.
|
SSL_ENCRYPT
|
Defines the default encryption type that is used for SSL requests.
|
SSL_KEY_DBNAME
|
Defines the name of the key database created by the gskkyman utility, or the ring file name created by the RACF RACDCERT command.
|
SSL_NETWORK_IPADDR
|
Defines the IP address of the local system used to decide whether a request must be an SSL request.
The default value is the IP address of the local system.
|
SSL_NETWORK_IPADDR_IPV6
|
Defines the IPv6 address used to decide whether a request must be an SSL request.
The platform server takes the IPv6 address of the local system and the IP address of the target system, and determines the subnet of these two addresses by using the SSL_NETWORK_SUBNET_IPV6 parameter.
The platform server then compares the two values to determine whether a request is inside or outside the subnet. If it is inside the subnet, the request does not have to be an SSL request. If it is outside the subnet, the request must be an SSL request.
|
SSL_NETWORK_SUBNET
|
Defines the subnet of the SSL_NETWORK_IPADDR that is used when checking if a request must use SSL.
|
SSL_REQUEST
|
Defines whether SSL must be used.
|
SSL_REQUEST_IPV6
|
Defines when or whether SSL must be used on IPv6 networks.
|
SSLIPPORT_IPV6
|
Defines the IPv6 port that the platform server listens on for SSL requests.
If non-SSL requests are received on this port, then an error message is sent to the initiator and the request is terminated.
This field must be different than the IPPORT parameter, and unique on the z/OS system. It has no default value. If this parameter is not defined, then responder IPv6 SSL processing is disabled.
|
SSLLISTEN_ADAPTER_IPADDR
|
Defines the IP address of the TCP network interface that the platform server started task listens on for incoming connections.
The default is to listen to all TCP network interfaces.
|
SSLLISTEN_ADAPTER_IPADDR_IPV6
|
Defines the IPv6 address of the TCP network interface that the platform server started task listens to for incoming SSL connections.
By default, the platform server started task listens to all TCP network interfaces. If you want to listen to only a single network interface, specify the IPv6 address of the network interface. Then the platform server only listens to that network interface for incoming requests.
This parameter is used only for incoming (responder) SSL requests. It is ignored for outgoing (initiator) requests.
|
SSLIPPORT
|
Defines the IP port that the platform server listens on for SSL requests.
If non-SSL requests are received on this IP port, then an error message is sent to the initiator and the request is terminated. This field must be different than the IPPORT parameter, and unique on the z/OS system.
|
TLSCIPHERS
|
Defines the TLS ciphers that are supported by MFT. The ciphers must be defined as 4 alphanumeric digits. The ciphers are documented in Appendix C of the IBM manual z/OS Cryptographic Services System Secure Sockets Layer Programming. If not defined, MFT uses the default SSL ciphers.
If FIPS140 is specified, only FIPS approved ciphers are used.
Ciphers that meet the following criteria are specified in the sample GLOBAL member:
- FIPS approved
- AES256
- SHA or higher message digest
Multiple TLSCIPHERS parameters can be defined. One TLS Cipher can be defined for each TLSCIPHERS parameter. The text after the 4 alphanumeric digits is used for documentation only and is ignored.
|
TLSENABLEDPROTOCOLS
|
Defines the TLS protocols that are supported when running in SSL Mode. Multiple TLS parameters can be entered separated by a comma.
Valid values are:
- TLSV1: TLSV1 is supported
- TLSV1_1: TLSV1_1 is supported
- TLSV1_2: TLSV1_2 is supported
- ALL
Note: SSLV2 and SSLV3 are not supported.
Example: TLSENABLEDPROTOCOLS=TLSV1_1,TLSV1_2
If this parameter is not entered, the default is ALL.
|
TLSTUNNELIPPORT
|
Defines the IPPORT that MFT Platform Server listens on for IPV4 TLS tunnel requests. Only TLS tunnel requests are received on this port. If a non-SSL or an SSL request is received on this port, an error is displayed and the request fails. Because a transfer has not been initiated, no audit record is written. This field must be unique on the z/OS system. There is no default for this parameter. If this parameter is not defined, then IPV4 TLS tunnel processing is disabled.
|
TLSTUNNELIPPORT_IPV6
|
Defines the IPPORT that MFT Platform Server listens on for IPV6 TLS tunnel requests. Only TLS tunnel requests are received on this port. If a non-SSL or an SSL request is received on this port, an error is displayed and the request fails. Because a transfer has not been initiated, no audit record is written. This field must be unique on the z/OS system. There is no default for this parameter. If this parameter is not defined, then IPV6 TLS tunnel processing is disabled.
|
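The subnet comparison described for SSL_NETWORK_IPADDR, SSL_NETWORK_SUBNET and their IPv6 counterparts can be modelled to see which partner addresses are allowed to connect without SSL. This is an added example, not code from the product or its documentation; it assumes the subnet parameters are written as address-form masks (such as 255.255.0.0), and the function names and sample addresses are constructed for illustration.

```python
import ipaddress

def parse_mask(mask):
    """Return (ip_version, mask_as_int, addresses_covered) for an address-form mask."""
    m = ipaddress.ip_address(mask)
    inverted = ~int(m) & ((1 << m.max_prefixlen) - 1)
    if inverted & (inverted + 1):      # host bits must form one contiguous low run
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return m.version, int(m), inverted + 1

def ssl_required(local, target, mask):
    """Mask both addresses with the subnet mask; a mismatch means SSL is mandatory."""
    version, mask_int, _ = parse_mask(mask)
    loc, tgt = ipaddress.ip_address(local), ipaddress.ip_address(target)
    if loc.version != version or tgt.version != version:
        raise ValueError("local address, target and mask must share one IP version")
    return (int(loc) & mask_int) != (int(tgt) & mask_int)

def classify(rules, targets):
    """rules maps IP version (4 or 6) to (local_address, mask); assumed layout."""
    result = {}
    for target in targets:
        local, mask = rules[ipaddress.ip_address(target).version]
        result[target] = "SSL required" if ssl_required(local, target, mask) else "SSL optional"
    return result

# Constructed sample values (private and documentation ranges), not taken from the page.
RULES = {4: ("10.20.30.40", "255.255.0.0"),
         6: ("2001:db8:1:2::10", "ffff:ffff:ffff:ffff::")}
TARGETS = ["10.20.99.1", "10.21.0.1", "2001:db8:1:2::beef", "2001:db8:1:3::1"]

if __name__ == "__main__":
    for target, verdict in classify(RULES, TARGETS).items():
        print(f"{target:22} {verdict}")
    # Size of the range that may connect without SSL under the IPv4 rule.
    print("IPv4 addresses exempt from SSL:", parse_mask(RULES[4][1])[2])
```

The third value returned by `parse_mask` shows how many addresses a given mask exempts from mandatory SSL, which is the figure to review when widening the subnet.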
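A review of the TLS-related parameters above can be scripted. The following added example (not part of the product or its documentation) checks a parameter listing for TLS 1.0/1.1 being enabled explicitly or through the ALL default, for TLSCIPHERS values that are not 4 alphanumeric characters, and for SSL or tunnel ports that equal IPPORT. It assumes one KEY=VALUE setting per line, as in the TLSENABLEDPROTOCOLS example on this page; the sample values are constructed.

```python
import re

ALL_PROTOCOLS = {"TLSV1", "TLSV1_1", "TLSV1_2"}  # assumed meaning of ALL (the listed values)
LEGACY = {"TLSV1", "TLSV1_1"}                    # TLS 1.0 and 1.1, deprecated by RFC 8996
SSL_PORT_KEYS = ("SSLIPPORT", "SSLIPPORT_IPV6",
                 "TLSTUNNELIPPORT", "TLSTUNNELIPPORT_IPV6")

def parse_global(text):
    """Collect KEY=VALUE lines; a key may repeat (TLSCIPHERS), so values are lists."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z0-9_]+)\s*=\s*(.*\S)", line)
        if m:
            params.setdefault(m.group(1), []).append(m.group(2))
    return params

def audit(text):
    p, findings = parse_global(text), []
    # An omitted TLSENABLEDPROTOCOLS defaults to ALL, so absence enables everything.
    raw = ",".join(p.get("TLSENABLEDPROTOCOLS", ["ALL"]))
    enabled = {v.strip().upper() for v in raw.split(",")}
    if "ALL" in enabled:
        enabled = set(ALL_PROTOCOLS)
    findings += [f"legacy protocol enabled: {x}" for x in sorted(enabled & LEGACY)]
    if "TLSCIPHERS" not in p:
        findings.append("TLSCIPHERS not set: default SSL ciphers are used")
    for value in p.get("TLSCIPHERS", []):
        code = value.split()[0]        # text after the code is documentation only
        if not re.fullmatch(r"[0-9A-Za-z]{4}", code):
            findings.append(f"malformed TLSCIPHERS value: {code}")
    for key in SSL_PORT_KEYS:
        for port in p.get(key, []):
            if port in p.get("IPPORT", []):
                findings.append(f"{key} equals IPPORT ({port})")
    return findings

# Constructed sample listing; port numbers and cipher codes are illustrative only.
SAMPLE = """\
IPPORT=46464
SSLIPPORT=46464
TLSENABLEDPROTOCOLS=TLSV1_1,TLSV1_2
TLSCIPHERS=0035 constructed description text
TLSCIPHERS=35 too short
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```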