4.6 Using TLS Encryption
TMA TCP Gateway supports TLS encryption when communicating with TMA TCP for CICS or TMA TCP for IMS.
The -p option must be specified for GWIDOMAIN to identify the network protocol used between TMA TCP Gateway and TMA TCP for CICS or TMA TCP for IMS. The following values are supported for the -p command line parameter:
- SSL: the network communication is TLS/SSL enabled, with client authentication enabled, so both ends of the connection present a certificate.
- SSL_ONE_WAY: same as SSL, except that one-way authentication is used, that is, client authentication is not enabled and only the server side presents a certificate. This is the default value.
- TCP: no encryption is enabled in the network communication.
When TLS/SSL is enabled, the parameters SEC_PRINCIPAL_NAME, SEC_PRINCIPAL_LOCATION, and SEC_PRINCIPAL_PASSVAR must be specified for TMA TCP Gateway. They may be set in the *RESOURCES, *MACHINES, *GROUPS, or *SERVERS section of UBBCONFIG. SEC_PRINCIPAL_PASSVAR names the variable that holds the wallet password rather than the password itself, so the password is not written into UBBCONFIG. Refer to the Oracle Tuxedo Reference Guide for the details of these three parameters, and to Creating an Oracle Wallet for how to create the Oracle Wallet that stores the gateway's keys and certificates.
When TLS/SSL is enabled, TLS v1.2 is used and the minimum asymmetric key length is 2048 bits. The supported cipher suites are:
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
The TLS_RSA_* suites use RSA key transport and therefore provide no forward secrecy: a recorded session can be decrypted later if the server's private key is ever compromised. Where the certificate type allows it, prefer the TLS_ECDHE_* suites, which negotiate an ephemeral key per session.
For Elliptic Curve Cryptography (ECC) based cipher suites, for example TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, the corresponding TLS certificates must also be ECC based, and the environment variable TM_MIN_PUB_KEY_LENGTH must be set to 0. The reason is the 2048-bit minimum above: ECC public keys are far shorter than 2048 bits (a P-256 key is 256 bits), so with the minimum left in force the gateway would reject the ECC certificate. Setting TM_MIN_PUB_KEY_LENGTH to 0 disables that length check, so it should be done only for ECC deployments and not as a blanket setting.
To enable TLS hostname validation, set the environment variable TUX_SSL_HOSTNAME_VALIDATE to Y. Without it, a peer certificate that chains to a trusted CA is accepted regardless of the name it was issued for, so any holder of a certificate from a trusted CA could impersonate the mainframe endpoint; set this in production.
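The checks in this section (a -p value on GWIDOMAIN, the three SEC_PRINCIPAL_* parameters when TLS is on, TUX_SSL_HOSTNAME_VALIDATE, and TM_MIN_PUB_KEY_LENGTH for ECC certificates) can be run against a UBBCONFIG fragment before tmloadcf. The script below is an added example, not Oracle's code and not something TMA ships. It parses only the subset of UBBCONFIG syntax used on this page (one entry per line, # comments, NAME value in *RESOURCES and NAME=value elsewhere), takes the gateway's environment as a dict the caller builds from its ENVFILE, and assumes -p appears after -- in GWIDOMAIN's CLOPT; the hostnames, group names, wallet path and password variable in the two sample fragments are constructed for illustration.

```python
"""Pre-deployment TLS checker for a TMA TCP Gateway UBBCONFIG fragment (added example)."""
import re
import shlex

# Values documented in this section.
SUPPORTED_PROTOCOLS = {"SSL", "SSL_ONE_WAY", "TCP"}
PRINCIPAL_PARAMS = ("SEC_PRINCIPAL_NAME", "SEC_PRINCIPAL_LOCATION", "SEC_PRINCIPAL_PASSVAR")
PRINCIPAL_SECTIONS = ("RESOURCES", "MACHINES", "GROUPS", "SERVERS")

SECTION_RE = re.compile(r"^\*(\w+)\s*$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # NAME=value, value may be quoted
RES_RE = re.compile(r'^(\w+)\s+("[^"]*"|\S+)\s*$')   # *RESOURCES uses NAME value


def parse_ubbconfig(text):
    """Return ({section: {NAME: value}}, CLOPT string of GWIDOMAIN or None).

    Handles one entry per line and '#' comments; line continuations are not
    supported, which is enough for the fragments shown here.
    """
    sections, clopt, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        if current == "RESOURCES":
            m = RES_RE.match(line)
            if m:
                sections[current][m.group(1)] = m.group(2).strip('"')
            continue
        pairs = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        sections[current].update(pairs)
        if current == "SERVERS" and line.split()[0] == "GWIDOMAIN":
            clopt = pairs.get("CLOPT")
    return sections, clopt


def gateway_protocol(clopt):
    """Return the -p value from GWIDOMAIN's CLOPT, or None if -p is absent.

    Assumption: gateway-specific options follow '--' as for other Tuxedo servers.
    """
    if not clopt:
        return None
    args = shlex.split(clopt)
    if "--" in args:
        args = args[args.index("--") + 1:]
    for i, arg in enumerate(args[:-1]):
        if arg == "-p":
            return args[i + 1]
    return None


def check_gateway_tls(ubb_text, env, cert_key_type="RSA"):
    """Return a list of findings; an empty list means every check in this section passes.

    env: the gateway's environment variables (e.g. parsed from its ENVFILE).
    cert_key_type: key type of the wallet certificate ("RSA" or "EC"), supplied by the caller.
    """
    sections, clopt = parse_ubbconfig(ubb_text)
    findings = []
    proto = gateway_protocol(clopt)
    if proto is None:
        findings.append("GWIDOMAIN: -p not specified")
    elif proto not in SUPPORTED_PROTOCOLS:
        findings.append(f"GWIDOMAIN: unsupported -p value {proto!r}")
    elif proto == "TCP":
        findings.append("GWIDOMAIN: -p TCP, link to the mainframe is unencrypted")
    else:
        present = {k for s in PRINCIPAL_SECTIONS for k in sections.get(s, {})}
        for param in PRINCIPAL_PARAMS:
            if param not in present:
                findings.append(f"{param} missing (required when -p {proto})")
        if proto == "SSL_ONE_WAY":
            findings.append("warn: SSL_ONE_WAY, client authentication is not enabled")
        if env.get("TUX_SSL_HOSTNAME_VALIDATE", "").upper() != "Y":
            findings.append("TUX_SSL_HOSTNAME_VALIDATE is not Y, peer certificate name is not checked")
        if cert_key_type.upper() in ("EC", "ECC", "ECDSA") and env.get("TM_MIN_PUB_KEY_LENGTH") != "0":
            findings.append("ECC certificate but TM_MIN_PUB_KEY_LENGTH is not 0, 2048-bit minimum would reject it")
    return findings


# Constructed fragments: one-way TLS, no wallet password variable, no hostname validation.
WEAK_UBB = """
*RESOURCES
IPCKEY      123456
MASTER      SITE1
MODEL       SHM
SEC_PRINCIPAL_NAME      "tmagw"
SEC_PRINCIPAL_LOCATION  "/app/tma/wallet"

*MACHINES
mfgw LMID=SITE1 TUXDIR="/opt/tuxedo" APPDIR="/app/tma" TUXCONFIG="/app/tma/tuxconfig"

*GROUPS
GWGRP LMID=SITE1 GRPNO=1

*SERVERS
GWIDOMAIN SRVGRP=GWGRP SRVID=1 CLOPT="-A -- -p SSL_ONE_WAY"   # constructed
"""
HARDENED_UBB = WEAK_UBB.replace("-p SSL_ONE_WAY", "-p SSL").replace(
    '*MACHINES', 'SEC_PRINCIPAL_PASSVAR   "TMAGW_WALLET_PASS"\n\n*MACHINES')
HARDENED_ENV = {"TUX_SSL_HOSTNAME_VALIDATE": "Y", "TM_MIN_PUB_KEY_LENGTH": "0"}

if __name__ == "__main__":
    for msg in check_gateway_tls(WEAK_UBB, {}):
        print("weak:", msg)
    print("hardened findings:", check_gateway_tls(HARDENED_UBB, HARDENED_ENV, cert_key_type="EC"))
```

The weak fragment produces three findings (the missing SEC_PRINCIPAL_PASSVAR, the one-way warning, and the absent hostname validation); the hardened one, with mutual TLS, all three principal parameters, hostname validation on and the ECC length check disabled, produces none. The TCP case is reported as a single finding, since the TLS checks do not apply to an unencrypted link.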
Parent topic: Setting Up Security for Oracle TMA TCP Gateway