Hello Joyce,
Thanks for your comments - I've made some progress. I see the "tip" arrived in 3.1, which is a good start.
With pasearch -n -r -I I get
policyRule: DEFAULTRULE12
with pasearch -n -e -I I get
No policies retrieved
_______________
Reading the doc,
-e
Display all policy entries (policy rules and policy actions) that match the input options for the pasearch command. If policy action matches, then the associated policy rule is returned. This is the default.
This implies to me that options -e -I should display inactive ones, so I am clearly missing something.
The more I read, the more I get confused. I'll raise some doc comments on it.
Thanks for your comments on the iptime - I didn't think it was much used.
Colin
Original Message:
Sent: 12/18/2024 6:59:00 AM
From: Joyce Anne Porter
Subject: RE: ATTLS question
Colin,
For the pasearch -I option the pasearch documentation has the following explanation (note the Tip):
https://www.ibm.com/docs/en/zos/3.1.0?topic=information-zos-unix-pasearch-command-display-policies
-I
Display inactive policy entries that match input options for the pasearch command. If all policy entries are requested (pasearch -e -I, pasearch -I, or pasearch -I -a -r) and the policy rule and its associated policy action are inactive, then inactive policy rules and actions are returned. Policies on the policy server that are loaded on behalf of policy clients always display as active policies.
Tip:
Actions for most policy types are always active. To display inactive rules use 'pasearch -r -I'. You can include additional qualifiers to see only the inactive rule names (-n) or to see only inactive rules for a specific type of policy ( -i, -q, -R, -t, or -v ).
Are you specifying "pasearch -r -I" to get the inactive rules? Or "pasearch -r -I -t" to get the inactive TTLS rules?
-----------------------------
For your question on the DaysOfTheMonth mask: It appears that when the field was first created for use with QOS LDAP policies, the encoding of the 62 significant bits in the octet string was created to match the value used for the schedDay object in the DISMAN-SCHEDULE-MIB. (RFC 2591)
I am not aware of a particular use case where the reverse order is needed. The IpTimeCondition is not widely used by customers.
Joyce Anne Porter, IBM z/OS Communications Server
Original Message:
Sent: Wed December 18, 2024 01:55 AM
From: Colin Paice
Subject: ATTLS question
Hi Chris,
Thanks for your response. This can wait till the new year - I've several projects on the go...
It is the pasearch command which is not displaying the configuration.
I've been looking at
DayOfMonthMask
This string field specifies which days of the month the policy rule is valid. The day of month mask can be 31 or 62 bits. The second 31 bits specify the days of the month in reverse order. Bit 32 is the last day of the month, bit 33 is the second from last day of month, and so on.
Do you know why there is the second lot of 31 bits? Is this to handle situations such as the last day of the month, which you cannot specify with 31 bits because months have different lengths?
I'll raise a doc comment on this
Colin
Original Message:
Sent: 12/17/2024 4:57:00 PM
From: Chris Meyer
Subject: RE: ATTLS question
Hi Colin,
When you say it doesn't work as you expect -- do you mean it's not enforcing the time conditions properly, or just that the pasearch display does not show the rule when it's inactive due to the time condition? It sounds like the latter - is that correct?
Regarding the pasearch command, I don't see any other option beyond -I. I am out of the office starting tomorrow through January 5, but once I'm back, I can check with the developers (who are also out of the office) as to the expected behavior. Does that work?
Chris
------------------------------
Chris Meyer, CISSP
IBM STSM, z/OS network security architect
Original Message:
Sent: Tue December 17, 2024 05:04 AM
From: Colin Paice
Subject: ATTLS question
Hi Chris,
Thanks for the pointer to the doc.
If I try using it, it doesn't work as I expect.
I have
TTLSRule DEFAULTRULE12
{
  LocalPortRange 9999
  Direction BOTH
  TTLSEnvironmentActionRef DEFAULTTNEA
  TTLSConnectionActionRef DEFAULTTNCA12
  TTLSGroupActionRef DEFAULTTNGA
  IpTimeCondition
  {
    ConditionTimeRange 20140101080000:20150131120000
    TimeofDayRange 0-10:30
  }
}
The pagent trace shows process_time_condition: Entry='DEFAULTRULE12' inactive, next check in 141 minutes
If I use pasearch -I to display inactive entries I get
No policies retrieved
It only gets returned as active if both the conditions are true.
Is there another option I need to use to display the rules which are inactive because they are out-of-time-scope?
I'll raise doc comments on other lack of clarity problems I've found.
Colin
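The two questions in this thread, why DEFAULTRULE12 is reported inactive and why DayOfMonthMask carries a second, reversed set of 31 bits, both come down to how an IpTimeCondition is evaluated. The following is an added example written for this page; it is not IBM code and is not pagent's own algorithm. It models ConditionTimeRange, TimeOfDayRange and DayOfMonthMask as the thread and the quoted doc describe them, and it labels as assumptions everything the thread does not confirm: that both ends of a range are inclusive, that a TimeOfDayRange does not cross midnight, that a value such as "0-10:30" is shorthand for "00:00-10:30", that the first mask character is bit 1 (day 1), and that bits 32 to 62 count back from the last day of the month (bit 32 = last day). The DEFAULTRULE12 condition and the timestamps are constructed input.

```python
"""
Evaluate a policy agent IpTimeCondition against a timestamp (added example).

Fields modelled, in the shapes shown in the thread / quoted doc:
  ConditionTimeRange yyyymmddhhmmss:yyyymmddhhmmss   absolute validity window
  TimeOfDayRange     h[:mm]-h[:mm]                    daily window, e.g. "0-10:30"
  DayOfMonthMask     31 or 62 characters of '0'/'1'   forward days + reverse days
Assumptions (not confirmed by the thread): inclusive range ends, no
midnight-crossing TimeOfDayRange, mask char 1 = day 1, mask bits 32..62 count
back from the last day of the month (bit 32 = last day, bit 33 = second last).
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, time

STAMP = "%Y%m%d%H%M%S"          # the yyyymmddhhmmss format used by ConditionTimeRange


def _as_datetime(when: datetime | str) -> datetime:
    """Accept a datetime or a yyyymmddhhmmss string."""
    return when if isinstance(when, datetime) else datetime.strptime(when, STAMP)


def _parse_hhmm(text: str) -> time:
    """Accept 'h', 'hh', 'h:mm' or 'hh:mm' (assumed; the thread codes '0-10:30')."""
    hh, _, mm = text.partition(":")
    return time(int(hh), int(mm or 0))


def days_active(mask: str, year: int, month: int) -> set[int]:
    """Expand a 31- or 62-bit DayOfMonthMask into the concrete days of one month.

    The forward half can only name fixed day numbers, so it cannot express
    "last day of the month" across months of different length; the reverse
    half (bit 32 = last day, bit 33 = second last, ...) can.
    """
    if len(mask) not in (31, 62) or set(mask) - {"0", "1"}:
        raise ValueError("DayOfMonthMask must be 31 or 62 characters of '0'/'1'")
    last = calendar.monthrange(year, month)[1]
    days = {n for n, bit in enumerate(mask[:31], start=1) if bit == "1" and n <= last}
    days |= {last - k for k, bit in enumerate(mask[31:]) if bit == "1" and last - k >= 1}
    return days


@dataclass
class IpTimeCondition:
    condition_time_range: str | None = None   # "20140101080000:20150131120000"
    time_of_day_range: str | None = None      # "0-10:30" or "08:00-17:00"
    day_of_month_mask: str | None = None      # e.g. "0" * 31 + "1" + "0" * 30

    def inactive_reasons(self, when: datetime | str) -> list[str]:
        """Names of every coded clause that is NOT satisfied at `when`."""
        now = _as_datetime(when)
        reasons: list[str] = []
        if self.condition_time_range:
            start, end = (datetime.strptime(t, STAMP) for t in self.condition_time_range.split(":"))
            if not (start <= now <= end):
                reasons.append("ConditionTimeRange")
        if self.time_of_day_range:
            lo, hi = (_parse_hhmm(t) for t in self.time_of_day_range.split("-"))
            if not (lo <= now.time().replace(second=0, microsecond=0) <= hi):
                reasons.append("TimeOfDayRange")
        if self.day_of_month_mask:
            if now.day not in days_active(self.day_of_month_mask, now.year, now.month):
                reasons.append("DayOfMonthMask")
        return reasons

    def is_active(self, when: datetime | str) -> bool:
        """The rule is active only when every coded clause holds (logical AND)."""
        return not self.inactive_reasons(when)


if __name__ == "__main__":
    # Constructed input: the IpTimeCondition coded on DEFAULTRULE12 in this thread.
    cond = IpTimeCondition("20140101080000:20150131120000", "0-10:30")
    print(cond.inactive_reasons("20241217080900"))   # ConditionTimeRange ended in 2015
    print(cond.is_active("20140601090000"))           # inside both windows
    last_day = "0" * 31 + "1" + "0" * 30               # only bit 32 set: last day of any month
    for y, m in ((2024, 2), (2023, 2), (2024, 4)):
        print(y, m, sorted(days_active(last_day, y, m)))
```

Running this against the thread's condition shows the rule failing only on ConditionTimeRange at any time in December 2024 (the window closed on 31 January 2015), which matches the "inactive" trace even though the TimeOfDayRange clause is satisfied at 08:09. The last-day mask resolves to day 29, 28 and 30 for February 2024, February 2023 and April 2024 respectively, which is the case a forward-only 31-bit mask cannot express.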
Original Message:
Sent: 12/16/2024 3:39:00 AM
From: Colin Paice
Subject: RE: ATTLS question
Hi Chris,
Thanks for your reply.
I could not find documentation for this under ttlsrule.
For example, if I search for DayOfWeekMask in the 2.5 IP reference, it finds it under
QoS policy statements -> PolicyRule statement (page 1080)
IpProtocolRange statement on page 1116
and in some LDAP definitions.
It does not exist under TTLSRULE. Is this just missing documentation?
If I specify it I get
process_TTLS_attribute_table: Unknown attribute 'DayOfWeekMask' for TTLSRule
regards
Colin
Original Message:
Sent: 12/13/2024 10:11:00 AM
From: Chris Meyer
Subject: RE: ATTLS question
Hi Colin,
The day of week and time conditions are configured using the policy agent's reusable IpTimeCondition statement (see https://www.ibm.com/docs/en/zos/3.1.0?topic=statements-iptimecondition-statement). Time conditions are available in most of the different policy agent technologies (AT-TLS, IPSecurity, IDS, zERT Enforcement, etc.). You can code one or more of these conditions within a TTLSRule statement. If you are using the z/OSMF Network Configuration Assistant, time conditions can be set under the Connectivity Rule->Advanced Settings dialog. There, select the relevant Traffic Descriptor, click on Actions->Modify, and then select the Effective Times tab.
As for the "Negative Indicator," pasearch displays several fields that are related to the way policy agent can enforce rules, but are pretty meaningless to the average user. This is one of those fields. You can just ignore it.
------------------------------
Chris Meyer, CISSP
IBM STSM, z/OS network security architect
Original Message:
Sent: Fri December 13, 2024 06:36 AM
From: Colin Paice
Subject: ATTLS question
I'm struggling to define policy information for AT-TLS rules
If I use pasearch to display the ATTLS configuration I get info like
policyRule: DEFAULTRULE
Rule Type: TTLS
Version: 3 Status: Active
Weight: 1 ForLoadDist: False
Priority: 1 Sequence Actions: Don't Care
- - - - - - - - - - - - - - - - - - - - - - - - - - -
Day of Week Mask: 1111111 (Sunday - Saturday)
- - - - - - - - - - - - - - - - - - - - - - - - - - -
TTLS Condition Summary: NegativeIndicator: Off
Local Address:
FromAddr: All
ToAddr: All
- - - - - - - - - - - - - - - - - - - - - - - - - - -
TTLS Action: TNEA
Version: 3
Status: Active
Scope: Environment
HandshakeRole: ServerWithClientAuth
I cannot see how to configure the policy information such as Day of Week Mask for TTLS rules. It is there in the display, but how do I configure it? definepolicy is only for QoS.
Also, I could not find what "NegativeIndicator" means.
------------------------------
Colin Paice
Retired
Stromness
------------------------------