UIMSSL configuration member
The following figure is an example of the UIMSSL member:
<BMCHTTP>
<!-- Definition and Configuration of TLS
======================================================================
%full_filespec: UIMSSL.xml~12:xml:1 %
%version: 12 %
%date_modified: Wed Mar 21 16:58:49 2018 %
======================================================================
======================================================================
Change Log
=========+=========+==================================================
05/10/16 | RGS | Added TLS elements.
=========+=========+==================================================
02/16/17 | RGS | Removed RC4 from table since this is not
| | supported.
=========+=========+==================================================
02/16/17 | RGS | Add Client Certificate Option
=========+=========+==================================================
11/27/17 | RGS | Set default client certificate to NO
=========+=========+==================================================
| |
======================================================================
-->
<!-- ===================================================================
Specify request for client certificate for authentication.
This option will request the client provide a certificate during
the TLS handshake process. If the client provides a certificate,
the certificate is passed to SAF for validation and to use in
logging on the user account associated with the certificate.
This will create and assert an ACEE for the user.
If the setting is CONDITIONAL and the client does not provide a
certificate the user of the TCPChannel code will have to deal
with that condition.
If the setting is REQUIRED and the client does not provide a
certificate the handshake process is terminated.
Defines whether the client certificate should be used and whether
is is mandatory or not. Default is NO.
NO = No Client Certificate
(This is the default)
CONDITIONAL = Client does not have to provide
certificate.
REQUIRED = Client must provide certificate.
=================================================================== -->
<TLS CLIENTCERTIFICATE="NO" />
<!-- =================================================================
TLS Version Selection
================================================================== -->
<TLS VERSION="1.0" ALLOWED="yes" />
<TLS VERSION="1.1" ALLOWED="yes" />
<TLS VERSION="1.2" ALLOWED="yes" />
<!-- =================================================================
Hash Algorithm Selection
================================================================== -->
<TLS HASH="none" ALLOWED="no"/>
<TLS HASH="MD5" ALLOWED="yes"/>
<TLS HASH="SHA" ALLOWED="yes"/>
<TLS HASH="SHA256" ALLOWED="yes"/>
<!-- =================================================================
Cipher Algorithm Selection
================================================================== -->
<TLS CIPHER="none" ALLOWED="no"/>
<TLS CIPHER="3DES_EDE_CBC" ALLOWED="yes"/>
<TLS CIPHER="AES_128_CBC" ALLOWED="yes"/>
<TLS CIPHER="AES_256_CBC" ALLOWED="yes"/>
<TLS CIPHER="DES_CBC" ALLOWED="no"/>
<TLS CIPHER="RC4_128" ALLOWED="no"/>
<!-- =================================================================
CipherSuite Selection
================================================================== -->
<TLS VERS="1.0" CIPHERSUITE="TLS_RSA_WITH_3DES_EDE_CBC_SHA"
ALLOW="yes"/>
<TLS VERS="1.0" CIPHERSUITE="TLS_RSA_WITH_RC4_128_SHA"
ALLOW="yes"/>
<TLS VERS="1.0" CIPHERSUITE="TLS_RSA_WITH_RC4_128_MD5"
ALLOW="yes"/>
<TLS VERS="1.1" CIPHERSUITE="TLS_RSA_WITH_3DES_EDE_CBC_SHA"
ALLOW="yes"/>
<TLS VERS="1.1" CIPHERSUITE="TLS_RSA_WITH_RC4_128_SHA"
ALLOW="yes"/>
<TLS VERS="1.1" CIPHERSUITE="TLS_RSA_WITH_RC4_128_MD5"
ALLOW="yes"/>
<TLS VERS="1.2" CIPHERSUITE="TLS_RSA_WITH_AES_256_CBC_SHA256"
ALLOW="yes"/>
<TLS VERS="1.2" CIPHERSUITE="TLS_RSA_WITH_AES_256_CBC_SHA"
ALLOW="yes"/>
<TLS VERS="1.2" CIPHERSUITE="TLS_RSA_WITH_AES_128_CBC_SHA256"
ALLOW="yes"/>
<TLS VERS="1.2" CIPHERSUITE="TLS_RSA_WITH_AES_128_CBC_SHA"
ALLOW="yes"/>
<TLS VERS="1.2" CIPHERSUITE="TLS_RSA_WITH_3DES_EDE_CBC_SHA"
ALLOW="yes"/>
<TLS VERS="1.2" CIPHERSUITE="TLS_RSA_WITH_RC4_128_SHA"
ALLOW="yes"/>
<TLS VERS="1.2" CIPHERSUITE="TLS_RSA_WITH_RC4_128_MD5"
ALLOW="yes"/>
<!-- =================================================================
Certificate and Private Key Definitions
================================================================== -->
<!--
SSL_STORE Names the storage medium for the certificate and
private key.
Attributes for SSL_STORE provide filtering
HOST Name of host this SSL_STORE definition applies to.
JOBNAME Name of the address space this SSL_STORE definition
applies to.
NOTE:
Certificate and Private key is filtered by HOST and/or JOBNAME.
The filtering will exlude should the values not match.
If there are multiple SSL_STORE definitions that do match, the
last matching entry takes precedence.
Child Entities of SSL_STORE
SSL_CERTIFICATE
SSL_PRIVATE_KEY
Attributes of SSL_CERTIFICATE and SSL_PRIVATE_KEY
LOCATION Storage Medium used for the certificate or
private key
Valid LOCATION values are:
DSN Sequential Dataset
SELF Generated Self-Signed Certificate
ICSF ICSF Key Dataset
R_DATALIB RACF Dataset
Data for the SSL_CERTIFICATE and SSL_PRIVATE_KEY identifies
name of the certificate or private key (value is based on
LOCATION)
If LOCATION="DSN", data value is data set name
If LOCATION="SELF", data value is label for certificate
If LOCATION="ICSF", data value is ICSF label for private key
If LOCATION="R_DATALIB", data value is R_DATALIB label for
certificate or RACF label for private key
-->
<!-- Default options. Subsequent definitions may override.
Used by any Address-Space running on any Host within enterprise -->
<!--
<SSL_STORE>
<SSL_CERTIFICATE LOCATION="DSN">anyany.ssl.cert</SSL_CERTIFICATE>
<SSL_PRIVATE_KEY
LOCATION="ICSF">anyany.ssl.private.key.label</SSL_PRIVATE_KEY>
</SSL_STORE>
-->
<!-- Used only by any Address-Space named "MVESTC"
running on Hostname "SYSP" -->
<!--
<SSL_STORE HOST="SYSP" JOBNAME="MVESTC">
<SSL_CERTIFICATE
LOCATION="DSN">mvestc.ssl.cert</SSL_CERTIFICATE>
<SSL_PRIVATE_KEY
LOCATION="ICSF">mvestc.ssl.private.key.label</SSL_PRIVATE_KEY>
</SSL_STORE>
-->
<!-- Used only by any Address-Space named "UIMSTC"
running on Hostname "SYSP" -->
<!--
<SSL_STORE HOST="SYSP" JOBNAME="UIMSTC">
<SSL_CERTIFICATE
LOCATION="DSN">sysp.ssl.cert</SSL_CERTIFICATE>
<SSL_PRIVATE_KEY
LOCATION="ICSF">sysp.ssl.private.key.label</SSL_PRIVATE_KEY>
</SSL_STORE>
-->
<!-- Used by any Address-Space running on "SYSP" -->
<!--
<SSL_STORE HOST="SYSP">
<SSL_CERTIFICATE
LOCATION="DSN">anysysp.ssl.cert</SSL_CERTIFICATE>
<SSL_PRIVATE_KEY
LOCATION="ICSF">anysysp.ssl.prvt.key.label</SSL_PRIVATE_KEY>
</SSL_STORE>
-->
<!-- Used by any Address-Space running on "SJSC" -->
<!--
<SSL_STORE HOST="SJSC">
<SSL_CERTIFICATE
LOCATION="DSN">anysjsc.ssl.cert</SSL_CERTIFICATE>
<SSL_PRIVATE_KEY
LOCATION="ICSF">anysysc.ssl.private.key.label</SSL_PRIVATE_KEY>
</SSL_STORE>
-->
</BMCHTTP>
<!-- Definition and Configuration of TLS
======================================================================
%full_filespec: UIMSSL.xml~12:xml:1 %
%version: 12 %
%date_modified: Wed Mar 21 16:58:49 2018 %
======================================================================
======================================================================
Change Log
=========+=========+==================================================
05/10/16 | RGS | Added TLS elements.
=========+=========+==================================================
02/16/17 | RGS | Removed RC4 from table since this is not
| | supported.
=========+=========+==================================================
02/16/17 | RGS | Add Client Certificate Option
=========+=========+==================================================
11/27/17 | RGS | Set default client certificate to NO
=========+=========+==================================================
| |
======================================================================
-->
<!-- ===================================================================
Specify request for client certificate for authentication.
This option will request the client provide a certificate during
the TLS handshake process. If the client provides a certificate,
the certificate is passed to SAF for validation and to use in
logging on the user account associated with the certificate.
This will create and assert an ACEE for the user.
If the setting is CONDITIONAL and the client does not provide a
certificate the user of the TCPChannel code will have to deal
with that condition.
If the setting is REQUIRED and the client does not provide a
certificate the handshake process is terminated.
Defines whether the client certificate should be used and whether
is is mandatory or not. Default is NO.
NO = No Client Certificate
(This is the default)
CONDITIONAL = Client does not have to provide
certificate.
REQUIRED = Client must provide certificate.
=================================================================== -->
<TLS CLIENTCERTIFICATE="NO" />
<!-- =================================================================
TLS Version Selection
================================================================== -->
<TLS VERSION="1.0" ALLOWED="yes" />
<TLS VERSION="1.1" ALLOWED="yes" />
<TLS VERSION="1.2" ALLOWED="yes" />
<!-- =================================================================
Hash Algorithm Selection
================================================================== -->
<TLS HASH="none" ALLOWED="no"/>
<TLS HASH="MD5" ALLOWED="yes"/>
<TLS HASH="SHA" ALLOWED="yes"/>
<TLS HASH="SHA256" ALLOWED="yes"/>
<!-- =================================================================
Cipher Algorithm Selection
================================================================== -->
<TLS CIPHER="none" ALLOWED="no"/>
<TLS CIPHER="3DES_EDE_CBC" ALLOWED="yes"/>
<TLS CIPHER="AES_128_CBC" ALLOWED="yes"/>
<TLS CIPHER="AES_256_CBC" ALLOWED="yes"/>
<TLS CIPHER="DES_CBC" ALLOWED="no"/>
<TLS CIPHER="RC4_128" ALLOWED="no"/>
<!-- =================================================================
CipherSuite Selection
================================================================== -->
<TLS VERS="1.0" CIPHERSUITE="TLS_RSA_WITH_3DES_EDE_CBC_SHA"
ALLOW="yes"/>
<TLS VERS="1.0" CIPHERSUITE="TLS_RSA_WITH_RC4_128_SHA"
ALLOW="yes"/>
<TLS VERS="1.0" CIPHERSUITE="TLS_RSA_WITH_RC4_128_MD5"
ALLOW="yes"/>
<TLS VERS="1.1" CIPHERSUITE="TLS_RSA_WITH_3DES_EDE_CBC_SHA"
ALLOW="yes"/>
<TLS VERS="1.1" CIPHERSUITE="TLS_RSA_WITH_RC4_128_SHA"
ALLOW="yes"/>
<TLS VERS="1.1" CIPHERSUITE="TLS_RSA_WITH_RC4_128_MD5"
ALLOW="yes"/>
<TLS VERS="1.2" CIPHERSUITE="TLS_RSA_WITH_AES_256_CBC_SHA256"
ALLOW="yes"/>
<TLS VERS="1.2" CIPHERSUITE="TLS_RSA_WITH_AES_256_CBC_SHA"
ALLOW="yes"/>
<TLS VERS="1.2" CIPHERSUITE="TLS_RSA_WITH_AES_128_CBC_SHA256"
ALLOW="yes"/>
<TLS VERS="1.2" CIPHERSUITE="TLS_RSA_WITH_AES_128_CBC_SHA"
ALLOW="yes"/>
<TLS VERS="1.2" CIPHERSUITE="TLS_RSA_WITH_3DES_EDE_CBC_SHA"
ALLOW="yes"/>
<TLS VERS="1.2" CIPHERSUITE="TLS_RSA_WITH_RC4_128_SHA"
ALLOW="yes"/>
<TLS VERS="1.2" CIPHERSUITE="TLS_RSA_WITH_RC4_128_MD5"
ALLOW="yes"/>
<!-- =================================================================
Certificate and Private Key Definitions
================================================================== -->
<!--
SSL_STORE Names the storage medium for the certificate and
private key.
Attributes for SSL_STORE provide filtering
HOST Name of host this SSL_STORE definition applies to.
JOBNAME Name of the address space this SSL_STORE definition
applies to.
NOTE:
Certificate and Private key is filtered by HOST and/or JOBNAME.
The filtering will exlude should the values not match.
If there are multiple SSL_STORE definitions that do match, the
last matching entry takes precedence.
Child Entities of SSL_STORE
SSL_CERTIFICATE
SSL_PRIVATE_KEY
Attributes of SSL_CERTIFICATE and SSL_PRIVATE_KEY
LOCATION Storage Medium used for the certificate or
private key
Valid LOCATION values are:
DSN Sequential Dataset
SELF Generated Self-Signed Certificate
ICSF ICSF Key Dataset
R_DATALIB RACF Dataset
Data for the SSL_CERTIFICATE and SSL_PRIVATE_KEY identifies
name of the certificate or private key (value is based on
LOCATION)
If LOCATION="DSN", data value is data set name
If LOCATION="SELF", data value is label for certificate
If LOCATION="ICSF", data value is ICSF label for private key
If LOCATION="R_DATALIB", data value is R_DATALIB label for
certificate or RACF label for private key
-->
<!-- Default options. Subsequent definitions may override.
Used by any Address-Space running on any Host within enterprise -->
<!--
<SSL_STORE>
<SSL_CERTIFICATE LOCATION="DSN">anyany.ssl.cert</SSL_CERTIFICATE>
<SSL_PRIVATE_KEY
LOCATION="ICSF">anyany.ssl.private.key.label</SSL_PRIVATE_KEY>
</SSL_STORE>
-->
<!-- Used only by any Address-Space named "MVESTC"
running on Hostname "SYSP" -->
<!--
<SSL_STORE HOST="SYSP" JOBNAME="MVESTC">
<SSL_CERTIFICATE
LOCATION="DSN">mvestc.ssl.cert</SSL_CERTIFICATE>
<SSL_PRIVATE_KEY
LOCATION="ICSF">mvestc.ssl.private.key.label</SSL_PRIVATE_KEY>
</SSL_STORE>
-->
<!-- Used only by any Address-Space named "UIMSTC"
running on Hostname "SYSP" -->
<!--
<SSL_STORE HOST="SYSP" JOBNAME="UIMSTC">
<SSL_CERTIFICATE
LOCATION="DSN">sysp.ssl.cert</SSL_CERTIFICATE>
<SSL_PRIVATE_KEY
LOCATION="ICSF">sysp.ssl.private.key.label</SSL_PRIVATE_KEY>
</SSL_STORE>
-->
<!-- Used by any Address-Space running on "SYSP" -->
<!--
<SSL_STORE HOST="SYSP">
<SSL_CERTIFICATE
LOCATION="DSN">anysysp.ssl.cert</SSL_CERTIFICATE>
<SSL_PRIVATE_KEY
LOCATION="ICSF">anysysp.ssl.prvt.key.label</SSL_PRIVATE_KEY>
</SSL_STORE>
-->
<!-- Used by any Address-Space running on "SJSC" -->
<!--
<SSL_STORE HOST="SJSC">
<SSL_CERTIFICATE
LOCATION="DSN">anysjsc.ssl.cert</SSL_CERTIFICATE>
<SSL_PRIVATE_KEY
LOCATION="ICSF">anysysc.ssl.private.key.label</SSL_PRIVATE_KEY>
</SSL_STORE>
-->
</BMCHTTP>
Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*