It was so much easier with the Windows policy agent configurator.

Politics: Poli (many) - tics (blood sucking parasites)

On Fri, Dec 13, 2024 at 2:01 PM roscoe5 <0000056b62686b81-dmarc-requ...@listserv.ua.edu> wrote:

> You are not alone.
> I am on that learning curve climb.
>
> Sent from [Proton Mail](https://proton.me/mail/home) for iOS
>
> On Fri, Dec 13, 2024 at 12:00 PM, Colin Paice <0000059d4daca697-dmarc-requ...@listserv.ua.edu> wrote:
>
> > I found it hard to understand the output of the AT-TLS command pasearch,
> > and I find it hard to configure AT-TLS manually (and worse with z/OSMF).
> >
> > I was wondering if this is a common problem.
> >
> > I've written a small amount of python which takes the output of pasearch
> > and produces a summary for example
> > =========CPJES2OUT====================
> > policyRule : DEFAULTRULE CPJES2OUT
> > Weight : 5
> > ForLoadDist : 5
> > Priority: : 5
> > Sequence Actions : 5
> > policyAction : DEFAULTTNGA AZFConnAction1
> > ActionType : TTLS Group TTLS Connection
> > FromAddr : All 10.1.0.2
> > ToAddr : All 10.1.0.2
> > LocalPortFrom : 9999 0
> > LocalPortTo : 9999 0
> > RemotePortFrom : 0 2175
> > RemotePortTo : 0 2175
> > ServiceDirection : Both Outbound
> > TTLS Action : DEFAULTTNGA AZFConnAction1
> > Scope : Group Connection
> > Trace : 2 255
> > HandshakeRole : ServerWithClientAuth Client
> > TLSv1 : Off On
> >
> > Where all the common stuff is omitted, and it only shows the delta changes.
> >
> > Would people find this useful? If so, please can people send me their
> > pasearch output for me to test with - and I'll send them the python code.
> >
> > I also see it would not be too difficult to specify configuration in YAML
> > and have some python to generate the AT-TLS definitions automatically.
> > This would hide all of the internal definitions such
> > as TTLSSignatureParmsRef.
> > For example
> > rule :
> >   name : temp2
> >   basedon : default
> >   LocalPortFrom : 2252
> >   LocalPortTo : 2252
> >   ServiceDirection : Inbound
> >   HandshakeRole : Server
> > ---
> > rule :
> >   name : myName
> >   basedon : default2
> >   LocalPortRange : 8000
> >   # remove 2 cipher specs and add a new one to the default configuration
> >   V3CipherSuites :
> >     -TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> >     -TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> >     +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> >
> > Would this be of interest?
> >
> > If this would be useful to you, please contact me offline.
> >
> > Colin
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
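
The `basedon` and `+`/`-` cipher-suite idea from the quoted proposal, sketched as an added example that is not Colin's code. The rule name and keys come from the message; the contents of the `default2` base rule, the function names, and the choice to reject a removal that matches nothing are assumptions, and the rule is given as an already-parsed dict so no YAML library is needed.

```python
# Added illustration. BASES is constructed: the message never shows "default2".
BASES = {"default2": {
    "HandshakeRole": "Server",
    "V3CipherSuites": [
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ],
}}
LIST_KEYS = {"V3CipherSuites"}  # keys edited with +/- rather than replaced


def apply_delta(base_list, edits):
    """Apply '+NAME' / '-NAME' edits to a copy of base_list, keeping order."""
    result = list(base_list)
    for edit in edits:
        op, name = edit[:1], edit[1:].strip()
        if op == "-":
            # Fail closed: a misspelled name would otherwise leave the
            # suite the author meant to disable still enabled.
            if name not in result:
                raise ValueError(f"cannot remove {name!r}: not in base list")
            result.remove(name)
        elif op == "+":
            if name not in result:
                result.append(name)
        else:
            raise ValueError(f"edit {edit!r} must start with '+' or '-'")
    return result


def resolve(rule, bases=BASES):
    """Return the effective settings of a rule layered on its 'basedon' rule."""
    effective = dict(bases[rule["basedon"]])  # KeyError if the base is unknown
    for key, value in rule.items():
        if key in LIST_KEYS:
            effective[key] = apply_delta(effective.get(key, []), value)
        elif key != "basedon":
            effective[key] = value
    return effective


# The second rule from the message, written as an already-parsed dict.
MY_NAME = {
    "name": "myName", "basedon": "default2", "LocalPortRange": 8000,
    "V3CipherSuites": ["-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
                       "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
                       "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"],
}
if __name__ == "__main__":
    print(resolve(MY_NAME)["V3CipherSuites"])
```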