4.6 Using TLS Encryption

TMA TCP Gateway supports TLS encryption when communicating with TMA TCP for CICS or TMA TCP for IMS.

The command line parameter -p must be specified for GWIDOMAIN to identify the network protocol between TMA TCP Gateway and TMA TCP for CICS or TMA TCP for IMS. The -p parameter supports the following values:
  • SSL: the network communication is TLS/SSL enabled.
  • SSL_ONE_WAY: the same as SSL, except that one-way authentication is used, that is, client authentication is not enabled. This is the default value.
  • TCP: no encryption is enabled in the network communication.

When TLS/SSL is enabled, the parameters SEC_PRINCIPAL_NAME, SEC_PRINCIPAL_LOCATION, and SEC_PRINCIPAL_PASSVAR must be specified for TMA TCP Gateway. This may be done in the *RESOURCES, *MACHINES, *GROUPS, or *SERVERS section of UBBCONFIG.

Refer to the Oracle Tuxedo Reference Guide for the details of these three parameters. Refer to Creating an Oracle Wallet for how to create an Oracle Wallet to store the keys and certificates.

When TLS/SSL is enabled, TLS v1.2 is used and the minimum asymmetric key length is 2048 bits. The supported cipher suites are:
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

For Elliptic Curve Cryptography (ECC) based cipher suites, for example TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, the corresponding TLS certificates must also be ECC based, and the environment variable TM_MIN_PUB_KEY_LENGTH must be set to 0 (ECC keys are shorter than 2048 bits, so the minimum key length check does not apply to them).

To enable TLS hostname validation, set the environment variable TUX_SSL_HOSTNAME_VALIDATE to Y. Hostname validation checks that the peer certificate matches the host being connected to, in addition to the validation of the certificate chain.
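The requirements above (TLS v1.2 only, one of the listed cipher suites, a 2048-bit minimum for RSA keys with the ECC exception, and hostname validation) can be verified from the client side. The following Python script is an added example and is not part of the Oracle documentation or the TMA TCP Gateway product; it assumes a reachable gateway peer, a CA file holding the trust chain exported from the Oracle Wallet, and that the peer certificate's key size is read separately, since the standard library does not expose it.

```python
import socket
import ssl

# Cipher suites documented for TMA TCP Gateway (IANA names), mapped to the
# OpenSSL names that Python's SSLSocket.cipher() reports after a handshake.
SUPPORTED_SUITES = {
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}
OPENSSL_TO_IANA = {v: k for k, v in SUPPORTED_SUITES.items()}
MIN_RSA_KEY_BITS = 2048  # documented minimum asymmetric key length


def check_negotiated(protocol, openssl_cipher, key_bits, ecc_cert=False):
    """Compare a negotiated session with the documented gateway requirements.
    key_bits is the peer certificate's public key size, read from the wallet or
    certificate (the stdlib ssl module does not expose it). ecc_cert marks an
    ECC based certificate, exempt from the 2048-bit minimum (the documentation
    requires TM_MIN_PUB_KEY_LENGTH=0 in that case). Returns a list of findings;
    an empty list means the session complies.
    """
    findings = []
    if protocol != "TLSv1.2":
        findings.append(f"negotiated {protocol}; the gateway uses TLS v1.2 only")
    iana = OPENSSL_TO_IANA.get(openssl_cipher)
    if iana is None:
        findings.append(f"cipher {openssl_cipher} is not a supported suite")
    elif iana.startswith("TLS_ECDHE_ECDSA") and not ecc_cert:
        findings.append(f"{iana} requires an ECC based certificate")
    if not ecc_cert and key_bits < MIN_RSA_KEY_BITS:
        findings.append(f"RSA key is {key_bits} bits; minimum is {MIN_RSA_KEY_BITS}")
    return findings


def probe(host, port, cafile, server_hostname=None):
    """Handshake with a gateway peer and return (protocol, openssl_cipher). Offers
    only the documented suites, pins TLS 1.2, and validates server_hostname
    against the certificate (the equivalent of TUX_SSL_HOSTNAME_VALIDATE=Y)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(OPENSSL_TO_IANA))
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname or host) as tls:
            return tls.version(), tls.cipher()[0]
```

A typical run is `check_negotiated(*probe("gateway-host", 9999, "wallet-ca.pem"), key_bits=2048)`; a non-empty result lists which documented requirement the peer's configuration misses.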