GLOBAL SSL Parameter Definitions

You must define some GLOBAL parameters when using SSL.

The following table lists the parameters for SSL usage.
Parameter Description
SSL_CLIENT_DNLABEL Defines the label name of certificate that is used for client connections (for example, Initiator).

If this parameter is not specified, the certificate defined by the SSL_DNLABEL is used.

SSL_DNLABEL Defines the label name of certificate that is used.

If you want to use the default certificate, you must specify this parameter as NULL in upper case. This certificate is used for both the server and client unless the SSL_CLIENT_DNLABEL parameter is specified.

SSL_ENCRYPT Defines the default encryption type that is used for SSL requests.
SSL_KEY_DBNAME Defines the name of the key database created by the gskkyman utility, or the ring file name created by the RACF RACDCERT command.
SSL_NETWORK_IPADDR Defines the IP address of the local system used to decide whether a request must be an SSL request.

The default value is the IP address of the local system.

SSL_NETWORK_IPADDR_IPV6 Defines the IPv6 address used to define whether a request must be an SSL request.

The Platform Server takes the IPv6 address of the local system and the IP address of the target system, and determines the subnet of these two addresses by using the SSL_NETWORK_SUBNET_IPV6 parameter.

The Platform Server then compares the two values to determine if a request is within the subnet, or outside the subnet. If inside the subnet, then the request does not have to be an SSL request. If outside the subnet, then the request must be an SSL request.

SSL_NETWORK_SUBNET Defines the subnet of the SSL_NETWORK_IPADDR that is used when checking if a request must use SSL.
SSL_REQUEST Defines whether SSL must be used.

Valid values are:

  • NO: SSL is not required but can be used. This is the default value.
  • YES: SSL must be used for both initiator and responder requests.
  • OUTSIDE_NETWORK: SSL usage depends on the IP address of the target system and how it compares with the address of the local system.

    If the target system address is outside the subnet defined by the SSL_NETWORK_IPADDRESS and SSL_NETWORK_SUBNET parameters, then the request must use SSL.

SSL_REQUEST_IPV6Defines when or whether SSL must be used on IPv6 networks.

Valid values are:

  • NO: SSL is not required but can be used. This is the default value.
  • YES: SSL must be used for both initiator and responder requests.
  • OUTSIDE_NETWORK: SSL usage depends on the IPv6 address of the target system and how it compares with the address of the local system.

    If the target system address is outside the subnet defined by the SSL_NETWORK_IPADDR_IPV6 and SSL_NETWORK_SUBNET_IPV6 parameters, then the request must use SSL.

SSLIPPORT_IPV6 Defines the IPv6 port that the Platform Server listens on for SSL requests.

If non-SSL requests are received on this port, then an error message is sent to the initiator and the request is terminated.

This field must be different than the IPPORT parameter, and unique on the z/OS system. It has no default value. If this parameter is not defined, then responder IPv6 SSL processing is disabled.

SLLISTEN_ADAPTER_IPADDR Defines the IP address of the TCP network interface that the Platform Server started task listens for incoming connections.

The default is to listen to all TCP network interfaces.

SSLLISTEN_ADAPTER_IPADDR_IPV6 Defines the IPv6 address of the TCP network interface that the Platform Server started task listens to for incoming SSL connections.

By default, the Platform Server started task listens to all TCP network interfaces. If you want to listen to only a single network interface, specify the IPv6 address of the network interface. Then the Platform Server only listens to that network interface for incoming requests.

This parameter is used only for incoming (responder) SSL requests. It is ignored for outgoing (initiator) requests.

SSLIPPORT Defines the IP port that the Platform Server listens on for SSL requests.

If non-SSL requests are received on this IP port, then an error message is sent to the initiator and the request is terminated. This field must be different than the IPPORT parameter, and unique on the z/OS system.

TLSCIPHERS Defines the TLS ciphers that are supported by MFT. The ciphers must be defined as 4 alphanumeric digits. The ciphers are documented in Appendix C of the IBM manual: z/OS Cryptographic Services System Secure Sockets Layer Programming. If not defined, MFT uses the default SSL ciphers.

If FIPS140 is specified, only FIPS approved ciphers are used.

Ciphers that meet the following criteria are specified in the sample GLOBAL member:

  • FIPS approved
  • AES256
  • SHA or higher message digest

Multiple TLSCIPHERS parameters can be defined. One TLS Cipher can be defined for each TLSCIPHERS parameter. The text after the 4 alphanumeric digits is used for documentation only and is ignored.

TLSENABLEDPROTOCOLS Defines the TLS protocols that are supported when running in SSL Mode. Multiple TLS parameters can be entered separated by a comma.

Valid values are:

  • TLSV1: TLSV1 is supported
  • TLSV1_1: TLSV1_1 is supported
  • TLSV1_2: TLSV1_2 is supported
  • ALL
Note: SSLV2 and SSLV3 are not supported.

Example: TLSENABLEDPROTOCOLS=TLSV1_1,TLSV1_2

If this parameter is not entered, the default is ALL.

TLSTUNNELIPPORT Defines the IPPORT that MFT Platform Server listens on for IPV4 TLS tunnel requests. Only TLS tunnel requests are received on this port. If a non-SSL or an SSL request is received on this port, an error is displayed and the request fails. Because a transfer has not been initiated, no audit record is written. This field must be unique on the z/OS system. There is no default for this parameter. If this parameter is not defined, then IPV4 TLS tunnel processing is disabled.
TLSTUNNELIPPORT_IPV6 Defines the IPPORT that MFT Platform Server listens on for IPV6 TLS tunnel requests. Only TLS tunnel requests are received on this port. If a non-SSL or an SSL request is received on this port, an error is displayed and the request fails. Because a transfer has not been initiated, no audit record is written. This field must be unique on the z/OS system. There is no default for this parameter. If this parameter is not defined, then IPV6 TLS tunnel processing is disabled.