Hi Colin,
See this link: https://www.ibm.com/docs/en/zos/3.1.0?topic=actions-tls-group-action As described there, the AT-TLS group (described by the TTLSGroupAction statement) represents one instance of the System SSL DLL and the LE and tasking infrastructure within which that DLL will operate. Every AT-TLS rule is associated with a specific group (i.e., each TTLSRule references a TTLSGroupAction). So if a group has an issue, it will affect every AT-TLS rule that uses that group.
The EZD1289I message is confirming that ICSF is available to the specified AT-TLS group, which is what you want. If ICSF were not available, the System SSL DLL associated with that group would be limited in the cipher suites it can support and, in some cases, would have to use its own software implementations for certain algorithms like RSA since System SSL can only access CryptoExpress adapters through ICSF. For a complete list of the algorithms and capabilities System SSL depends on ICSF to provide, see this link: https://www.ibm.com/docs/en/zos/3.1.0?topic=ssl-overview-hardware-cryptographic-features-system
------------------------------
Chris Meyer, CISSP
IBM STSM, z/OS network security architect
------------------------------
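To make the rule-to-group relationship concrete, here is an added illustration of an AT-TLS policy fragment (not from the original post or from IBM documentation) in which two rules share the single group GColinTimer named in the EZD1289I message. The rule names CSRule1 and CSRule2, the port numbers, the environment action EnvServer and the keyring name TLSRING are constructed for the example; the statement keywords are assumed from the AT-TLS policy syntax and should be checked against the Policy Agent reference for your release. The point it shows is that the group's settings (TTLSEnabled, FIPS140, and whether ICSF is reachable) are shared by every rule that references it, which is why the ICSF-availability message is issued per group rather than per rule.

```text
# Two inbound rules; both hand their connections to the same System SSL
# instance (the group GColinTimer), so an ICSF or FIPS problem in that
# group affects both rules at once.
TTLSRule                          CSRule1      # constructed name
{
  LocalPortRange                  443          # constructed value
  Direction                       Inbound
  TTLSGroupActionRef              GColinTimer
  TTLSEnvironmentActionRef        EnvServer    # constructed name
}

TTLSRule                          CSRule2      # constructed name
{
  LocalPortRange                  8443         # constructed value
  Direction                       Inbound
  TTLSGroupActionRef              GColinTimer
  TTLSEnvironmentActionRef        EnvServer
}

# One group = one System SSL DLL instance. Settings here apply to every
# rule above. FIPS140 On would also require ICSF, so group-level ICSF
# availability (EZD1289I) is the thing to watch.
TTLSGroupAction                   GColinTimer
{
  TTLSEnabled                     On
  FIPS140                         Off
}

# Certificate/keyring material is per environment, not per group.
TTLSEnvironmentAction             EnvServer
{
  HandshakeRole                   Server
  TTLSKeyringParms
  {
    Keyring                       TLSRING      # constructed name
  }
}
```

If you split the rules across two groups (two TTLSGroupAction statements), you would expect a separate EZD1289I message for each group, and an ICSF outage would then be reported, and felt, per group.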
Original Message:
Sent: Mon December 23, 2024 06:05 AM
From: Colin Paice
Subject: With AT-TLS what is so special about groups?
If I start policy agent, I get messages saying
EZD1289I TCPIP ICSF SERVICES ARE CURRENTLY AVAILABLE FOR AT-TLS GROUP GColinTimer
Within the group is info like
TTLSEnabled: On
FIPS140: Off
I can't see what useful information the message tells me. If it was for a rule, that would make a bit more sense.
I could not find any documentation as to why groups are important, and should be mentioned in a message.
Am I missing a concept... or is it, that's the way it is!
I'm just curious
Colin