Once a session has been established using AT-TLS to provide end-to-end TLS encryption, you can use netstat to display information about the session and the configuration being used. It feels slightly incomplete, in that some of the data I expected is not available.
- Which rules are being used? I cannot see how to get this directly.
- What sessions are using a port – and display their TTLSPolicy information
- From the clientid for a session, display TTLS information, cipher spec, and level of TLS
- Display keyring, certificate and other host related information
- Which AT-TLS groups are being used?
What sessions are using a Port? – and display TTLSPolicy information
tso netstat all (port 1414
You can use other filter statements; filtering on port 1414 was easy to specify.
This displays the high-level TTLS information; see the TTLSPolicy, TTLSRule, TTLSGrpAction and TTLSEnvAction lines in the output below.
EZZ2350I MVS TCP/IP NETSTAT CS V2R4 TCPIP Name: TCPIP 16:40:39
EZZ2550I Client Name: CSQ9CHIN Client Id: 000000BB
EZZ2551I Local Socket: 10.1.1.2..1414 Foreign Socket: 10.1.0.2..51844
EZZ2577I BytesIn: 0000002248 BytesOut: 0000002076
EZZ2574I SegmentsIn: 0000000020 SegmentsOut: 0000000014
EZZ2536I StartDate: 05/31/2022 StartTime: 16:31:54
EZZ2552I Last Touched: 16:36:57 State: Establsh
EZZ2553I RcvNxt: 0626077759 SndNxt: 3598815082
EZZ2554I ClientRcvNxt: 0626076574 ClientSndNxt: 3598812426
EZZ2555I InitRcvSeqNum: 0626074325 InitSndSeqNum: 3598810349
EZZ2556I CongestionWindow: 0000018720 SlowStartThreshold: 0000065535
EZZ2557I IncomingWindowNum: 0626208746 OutgoingWindowNum: 3598877418
EZZ2558I SndWl1: 0626077759 SndWl2: 3598815082
EZZ2559I SndWnd: 0000062336 MaxSndWnd: 0000064256
EZZ2560I SndUna: 3598815082 rtt_seq: 3598814997
EZZ2561I MaximumSegmentSize: 0000001440 DSField: 00
EZZ2563I Round-trip information:
EZZ2564I Smooth trip time: 7.000 SmoothTripVariance: 19.000
EZZ2565I ReXmt: 0000000000 ReXmtCount: 0000000000
EZZ2572I DupACKs: 0000000000 RcvWnd: 0000130987
EZZ2566I SockOpt: 88 TcpTimer: 00
EZZ2567I TcpSig: 04 TcpSel: 40
EZZ2568I TcpDet: E4 TcpPol: 00
EZZ2593I TcpPrf: 89 TcpPrf2: 20
EZZ2593I TcpPrf3: 00
EZZ2593I DelayAck: Yes
EZZ2537I QOSPolicy: No
EZZ2545I TTLSPolicy: Yes
EZZ2546I TTLSRule: REMOTE-TO-CSQ1
EZZ2547I TTLSGrpAction: CSQ1-GROUP-ACTION
EZZ2548I TTLSEnvAction: CSQ1-INBOUND-ENVIRONMENT-ACTION
EZZ2542I RoutingPolicy: No
EZZ2570I ReceiveBufferSize: 0000065536 SendBufferSize: 0000065536
EZZ2538I ReceiveDataQueued: 0000000000
EZZ2539I SendDataQueued: 0000000000
EZZ2611I SendStalled: No
EZZ2609I Ancillary Input Queue: N/A
...
From the clientid (connection id) display any TTLS information
From the tso netstat allconn (port 1414 command you get one line per session, with its connection ID (the Client Id shown above, 000000BB) and the remote IP address and port.
EZZ2350I MVS TCP/IP NETSTAT CS V2R4 TCPIP Name: TCPIP 16:55:18
EZZ2585I User Id  Conn     Local Socket    Foreign Socket  State
EZZ2586I -------  ----     ------------    --------------  -----
EZZ2587I CSQ9CHIN 000000BB 10.1.1.2..1414  10.1.0.2..51844 Establsh
EZZ2587I CSQ9CHIN 00000022 0.0.0.0..1414   0.0.0.0..0      Listen
Issue the following command to display the TTLS details for a connection.
tso netstat ttls conn 000000BB detail
MVS TCP/IP NETSTAT CS V2R4 TCPIP Name: TCPIP
ConnID: 000000bb
JobName: CSQ9CHIN
LocalSocket: 10.1.1.2..1414
RemoteSocket: 10.1.0.2..53230
SecLevel: TLS Version 1.2
Cipher: 003C TLS_RSA_WITH_AES_128_CBC_SHA256
KeyShare: N/A
CertUserID: N/A
MapType: Primary
FIPS140: Off
SessionID: 01010018 0A010002 CFEE0000 00000000
00000000 00000000 62970B05 00000001
SIDReuseReq: Off
TTLSRule: REMOTE-TO-CSQ1
Priority: 1
LocalAddr: All
LocalPort: 1414
RemoteAddr: All
RemotePort: All
JobName: CSQ9CHIN
Direction: Inbound
TTLSGrpAction: CSQ1-GROUP-ACTION
GroupID: 00000007
TTLSEnabled: On
CtraceClearText: Off
Trace: 2
SyslogFacility: Daemon
SecondaryMap: Off
FIPS140: Off
TTLSEnvAction: CSQ1-INBOUND-ENVIRONMENT-ACTION
HandshakeRole: Server
SuiteBProfile: Off
MiddleBoxCompatMode: Off
Keyring: START1/MQRING
V3CipherSuites: 003C TLS_RSA_WITH_AES_128_CBC_SHA256
Trace: 255
SSLV2: Off
SSLV3: Off
TLSV1: Off
TLSV1.1: Off
TLSV1.2: On
TLSV1.3: On
ResetCipherTimer: 0
ApplicationControlled: Off
HandshakeTimeout: 10
CertificateLabel: ZZZZ
SecondaryMap: Off
TruncatedHMAC: Off
ClientMaxSSLFragment: Off
ServerMaxSSLFragment: Off
ClientHandshakeSNI: Off
ServerHandshakeSNI: Off
ClientECurves: 0021 secp224r1
0023 secp256r1
0024 secp384r1
0025 secp521r1
0019 secp192r1
0029 X25519
ClientKeyShareGroups: 0023 secp256r1
ServerKeyShareGroups: 0023 secp256r1
0024 secp384r1
0025 secp521r1
0029 X25519
0030 X448
SignaturePairs: 0601 TLS_SIGALG_SHA512_WITH_RSA
0603 TLS_SIGALG_SHA512_WITH_ECDSA
0501 TLS_SIGALG_SHA384_WITH_RSA
0503 TLS_SIGALG_SHA384_WITH_ECDSA
0401 TLS_SIGALG_SHA256_WITH_RSA
0403 TLS_SIGALG_SHA256_WITH_ECDSA
0402 TLS_SIGALG_SHA256_WITH_DSA
0301 TLS_SIGALG_SHA224_WITH_RSA
0303 TLS_SIGALG_SHA224_WITH_ECDSA
0302 TLS_SIGALG_SHA224_WITH_DSA
0201 TLS_SIGALG_SHA1_WITH_RSA
0203 TLS_SIGALG_SHA1_WITH_ECDSA
0202 TLS_SIGALG_SHA1_WITH_DSA
0806 TLS_SIGALG_SHA512_WITH_RSASSA_PSS
0805 TLS_SIGALG_SHA384_WITH_RSASSA_PSS
0804 TLS_SIGALG_SHA256_WITH_RSASSA_PSS
ClientAuthType: Required
CertValidationMode: Any
Renegotiation: Default
RenegotiationIndicator: Optional
RenegotiationCertCheck: Off
3DesKeyCheck: Off
ClientEDHGroupSize: Legacy
ServerEDHGroupSize: Legacy
PeerMinCertVersion: Any
PeerMinDHKeySize: 1024
PeerMinDsaKeySize: 1024
PeerMinECCKeySize: 192
PeerMinRsaKeySize: 1024
ServerScsv: Off
GSK_V3_SESSION_TIMEOUT: 86400
GSK_V3_SIDCACHE_SIZE: 512
GSK_SESSION_TICKET_CLIENT_ENABLE: On
GSK_SESSION_TICKET_CLIENT_MAXSIZE: 8192
GSK_SESSION_TICKET_SERVER_ENABLE: On
GSK_SESSION_TICKET_SERVER_ALGORITHM: AESCBC128
GSK_SESSION_TICKET_SERVER_COUNT: 2
GSK_SESSION_TICKET_SERVER_TIMEOUT: 300
GSK_SESSION_TICKET_SERVER_KEY_REFRESH: 300
HttpCdpEnable: Off
HttpCdpProxyServerPort: 80
HttpCdpResponseTimeout: 15
HttpCdpMaxResponseSize: 204800
HttpCdpCacheSize: 32
HttpCdpCacheEntryMaxsize: 0
OcspAiaEnable: Off
OcspProxyServerPort: 80
OcspRetrieveViaGet: Off
OcspUrlPriority: On
OcspRequestSigalg: 0401 TLS_SIGALG_SHA256_WITH_RSA
OcspClientCacheSize: 256
OcspCliCacheEntryMaxsize: 0
OcspNonceGenEnable: Off
OcspNonceCheckEnable: Off
OcspNonceSize: 8
OcspResponseTimeout: 15
OcspMaxResponseSize: 20480
OcspServerStapling: Off
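The two-step procedure above (list the connections on the port, then ask for TTLS detail on each connection ID) lends itself to scripting. The following Python is an added example, not code from the original post or from IBM: it parses the two report layouts shown above into per-section settings and flags the values a reviewer would question. The sample reports are constructed from the page's output; the regular expressions assume the `Key: value` layout shown (with continuation lines for multi-value keys such as SessionID and SignaturePairs, and an optional EZZ message prefix), and the audit thresholds (no static-RSA or CBC suites, no SHA-1 signature pairs, 2048-bit minimum peer RSA key, no PassThru client authentication) are my choices.

```python
"""Audit an AT-TLS connection from z/OS netstat output.

Added example, not code from the original post or from IBM. It parses the
text of `tso netstat allconn (port nnnn` to find established connection IDs,
parses `tso netstat ttls conn <id> detail` into one dictionary per section,
and flags the settings a reviewer would question. Both sample reports are
constructed from the report layouts shown on the page.
"""
import re

# `Key: value` lines; keys such as TLSV1.1 and GSK_V3_SIDCACHE_SIZE contain . and _
KEY_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_.]*):\s*(.*)$")
# Data rows of the allconn report: user, conn id, local, foreign, state.
# The EZZ2587I prefix is only present when output goes to the console/SYSTSPRT.
CONN_RE = re.compile(
    r"^(?:EZZ2587I\s+)?(\S+)\s+([0-9A-Fa-f]{8})\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# Each of these keys opens a new section of the detail report
SECTION_KEYS = ("TTLSRule", "TTLSGrpAction", "TTLSEnvAction")

ALLCONN_SAMPLE = """\
EZZ2350I MVS TCP/IP NETSTAT CS V2R4 TCPIP Name: TCPIP 16:55:18
EZZ2585I User Id  Conn     Local Socket    Foreign Socket  State
EZZ2586I -------  ----     ------------    --------------  -----
EZZ2587I CSQ9CHIN 000000BB 10.1.1.2..1414  10.1.0.2..51844 Establsh
EZZ2587I CSQ9CHIN 00000022 0.0.0.0..1414   0.0.0.0..0      Listen
"""

DETAIL_SAMPLE = """\
MVS TCP/IP NETSTAT CS V2R4 TCPIP Name: TCPIP
ConnID: 000000bb
JobName: CSQ9CHIN
SecLevel: TLS Version 1.2
Cipher: 003C TLS_RSA_WITH_AES_128_CBC_SHA256
FIPS140: Off
SessionID: 01010018 0A010002 CFEE0000 00000000
           00000000 00000000 62970B05 00000001
TTLSRule: REMOTE-TO-CSQ1
Priority: 1
JobName: CSQ9CHIN
TTLSGrpAction: CSQ1-GROUP-ACTION
GroupID: 00000007
FIPS140: Off
TTLSEnvAction: CSQ1-INBOUND-ENVIRONMENT-ACTION
HandshakeRole: Server
Keyring: START1/MQRING
SSLV3: Off
TLSV1: Off
TLSV1.1: Off
TLSV1.2: On
TLSV1.3: On
SignaturePairs: 0601 TLS_SIGALG_SHA512_WITH_RSA
                0201 TLS_SIGALG_SHA1_WITH_RSA
ClientAuthType: Required
PeerMinRsaKeySize: 1024
"""


def established_conn_ids(allconn_text, state="Establsh"):
    """Connection IDs in the given state, taken from `netstat allconn` output."""
    ids = []
    for line in allconn_text.splitlines():
        m = CONN_RE.match(line.strip())
        if m and m.group(5) == state:
            ids.append(m.group(2).upper())
    return ids


def parse_detail(detail_text):
    """Split `netstat ttls conn <id> detail` output into one dict per section.

    Keys such as FIPS140, Trace, SecondaryMap and JobName repeat across the
    rule, group and environment sections, so each section keeps its own
    values. Lines that do not start with `Key:` continue the previous value.
    """
    sections = {"Connection": {}}
    current, last_key = sections["Connection"], None
    for raw in detail_text.splitlines():
        m = KEY_RE.match(raw.strip())
        if m:
            key, value = m.groups()
            if key in SECTION_KEYS:
                current = sections.setdefault(key, {})
            current[key] = value
            last_key = key
        elif last_key is not None and raw.strip():  # continuation line
            current[last_key] += " " + raw.strip()
    return sections


def audit(sections):
    """Return the findings a reviewer would raise for this connection."""
    conn, env = sections["Connection"], sections.get("TTLSEnvAction", {})
    findings = []
    cipher = conn.get("Cipher", "")
    if "TLS_RSA_WITH" in cipher:  # RSA key transport: no forward secrecy
        findings.append(f"static RSA key exchange, no forward secrecy: {cipher}")
    if "_CBC_" in cipher:
        findings.append(f"CBC mode cipher suite negotiated: {cipher}")
    for proto in ("SSLV2", "SSLV3", "TLSV1", "TLSV1.1"):
        if env.get(proto) == "On":
            findings.append(f"obsolete protocol enabled in environment action: {proto}")
    if "SHA1" in env.get("SignaturePairs", ""):
        findings.append("SHA-1 signature algorithms still offered in SignaturePairs")
    rsa_min = int(env.get("PeerMinRsaKeySize", "0") or 0)
    if rsa_min and rsa_min < 2048:
        findings.append(f"PeerMinRsaKeySize {rsa_min} accepts peer RSA keys below 2048 bits")
    if env.get("HandshakeRole") == "Server" and env.get("ClientAuthType") == "PassThru":
        findings.append("ClientAuthType PassThru: client certificate is not validated")
    return findings


def report(allconn_text, detail_by_conn):
    """Map each established connection ID to its findings.

    detail_by_conn: {conn_id: detail report text}. In real use you would run
    `tso netstat ttls conn <id> detail` for each ID found in the allconn report.
    """
    return {cid: audit(parse_detail(detail_by_conn[cid]))
            for cid in established_conn_ids(allconn_text) if cid in detail_by_conn}


if __name__ == "__main__":
    for cid, findings in report(ALLCONN_SAMPLE, {"000000BB": DETAIL_SAMPLE}).items():
        print(cid)
        for finding in findings:
            print("  -", finding)
```

Because keys such as FIPS140, Trace, SecondaryMap and JobName repeat across the rule, group and environment parts of the report, a flat key/value parse would silently overwrite them; the parser keeps one dictionary per section. Run against the report captured on this page, the checks flag the negotiated suite TLS_RSA_WITH_AES_128_CBC_SHA256 (static RSA key exchange, so no forward secrecy, and CBC mode), the SHA-1 entries still offered in SignaturePairs, and PeerMinRsaKeySize 1024.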
Which AT-TLS groups are being used?
I didn’t find this information very useful. It isn’t clear what a group is. The doc says
Use the TTLSGroupAction statement to specify parameters for a Language Environment process required to support secure connections. The TTLSGroupAction statement indicates whether a selected connection should use AT-TLS security.
tso netstat ttls group
tso netstat ttls
MVS TCP/IP NETSTAT CS V2R4 TCPIP Name: TCPIP
TTLSGrpAction                            Group ID          Conns
---------------------------------------- ----------------- -----
CSQ1-GROUP-ACTION                        0000003F          1
GrpActOff                                00000040          0
GrpActOn                                 00000041          0
GA1                                      00000042          0
tso netstat ttls group detail
MVS TCP/IP NETSTAT CS V2R4 TCPIP Name: TCPIP
TTLSGrpAction: CSQ1-GROUP-ACTION
GroupID: 0000003F
Tasks: 4 GroupConns: 1
WorkQElements: 0 SyslogQElements: 0
Env: CSQ1-INBOUND-ENVIRONMENT-ACTION EnvConns: 1
TTLSGrpAction: GrpActOff
GroupID: 00000040
Tasks: 4 GroupConns: 0
WorkQElements: 0 SyslogQElements: 0
TTLSGrpAction: GrpActOn
GroupID: 00000041
Tasks: 4 GroupConns: 0
WorkQElements: 0 SyslogQElements: 0
TTLSGrpAction: GA1
GroupID: 00000042
Tasks: 4 GroupConns: 0
WorkQElements: 0 SyslogQElements: 0