5.4.2 Security Enforcement

TMA SNA 22c requires TLS 1.2 by default for a secure configuration. GWSNAX fails to start if CLOPT '-n SSL' is not set, and CRM likewise fails to start if CLOPT '-n SSL' is not set. To interoperate with older Tuxedo versions, customers may use the environment variable TM_TLS_FORCE_VER to accept TLS 1.0 or 1.1 connections.

Default cipher suites supported include the following:
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Elliptic Curve Cryptography (ECC) based cipher suites, such as TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, also require ECC-based TLS certificates, and the environment variable TM_MIN_PUB_KEY_LENGTH must be set to 0 when they are used.

If customers prefer to use other cipher suites, for example to interoperate with older Tuxedo versions, they can set the TM_CIPHERSUITES environment variable.

RSA requires a minimum key length of 2048 bits. The TMA SNA gateway determines the key length when loading the key/certificate and fails the load if the key length is less than 2048. TM_MIN_PUB_KEY_LENGTH is an environment variable that specifies the minimum key length that customers may use.

Set the environment variable TUX_SSL_HOSTNAME_VALIDATE to Y to enable TLS hostname validation.

The following environment variable provides backward compatibility for users who prefer to keep the old behavior of TMA SNA 12.2.2. If TM_ALLOW_NOTLS is set to Y, non-TLS connections are allowed.
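As an added example that is not part of the TMA SNA documentation or product, the following script audits a GWSNAX/CRM configuration (its CLOPT string and environment variables) against the rules in this section: the '-n SSL' requirement, TM_ALLOW_NOTLS, TM_TLS_FORCE_VER, TUX_SSL_HOSTNAME_VALIDATE, TM_MIN_PUB_KEY_LENGTH (including the ECC case) and non-default TM_CIPHERSUITES entries. It assumes TM_CIPHERSUITES holds suite names separated by ':' or ',' (the page does not state the format) and treats any presence of TM_TLS_FORCE_VER as a relaxation of the TLS 1.2 floor.

```python
import re

# Cipher suites the page lists as the secure defaults.
DEFAULT_SUITES = {
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
MIN_RSA_BITS = 2048  # minimum RSA key length enforced by the gateway


def audit_tls_config(clopt, env, ecc_certificate=False):
    """Return findings for a GWSNAX/CRM configuration; an empty list means the
    settings match the secure defaults. clopt: server CLOPT string; env: dict
    of environment variables; ecc_certificate: True when the gateway
    certificate uses an ECC key (then TM_MIN_PUB_KEY_LENGTH must be 0)."""
    findings = []
    if not re.search(r"-n\s+SSL\b", clopt):
        findings.append("CLOPT lacks '-n SSL': GWSNAX and CRM will not start")
    if env.get("TM_ALLOW_NOTLS", "").upper() == "Y":
        findings.append("TM_ALLOW_NOTLS=Y: non-TLS connections are allowed")
    if "TM_TLS_FORCE_VER" in env:  # assumption: presence alone relaxes TLS 1.2
        findings.append("TM_TLS_FORCE_VER is set: TLS 1.0/1.1 may be accepted")
    if env.get("TUX_SSL_HOSTNAME_VALIDATE", "").upper() != "Y":
        findings.append("TUX_SSL_HOSTNAME_VALIDATE is not Y: no hostname check")
    raw = env.get("TM_MIN_PUB_KEY_LENGTH")
    valid = raw is not None and raw.strip().lstrip("-").isdigit()
    min_bits = int(raw) if valid else None
    if raw is not None and min_bits is None:
        findings.append("TM_MIN_PUB_KEY_LENGTH=%r is not an integer" % raw)
    elif ecc_certificate and min_bits != 0:
        findings.append("ECC certificate requires TM_MIN_PUB_KEY_LENGTH=0")
    elif not ecc_certificate and min_bits is not None and min_bits < MIN_RSA_BITS:
        findings.append("TM_MIN_PUB_KEY_LENGTH=%d is below the RSA minimum of %d"
                        % (min_bits, MIN_RSA_BITS))
    # Assumption: TM_CIPHERSUITES holds suite names separated by ':' or ','.
    suites = env.get("TM_CIPHERSUITES")
    if suites:
        for suite in re.split(r"[:,\s]+", suites.strip()):
            if suite and suite not in DEFAULT_SUITES:
                findings.append("non-default cipher suite enabled: " + suite)
    return findings


if __name__ == "__main__":
    # Constructed sample environment that keeps the old 12.2.2 behaviour.
    legacy = {"TM_ALLOW_NOTLS": "Y", "TM_TLS_FORCE_VER": "1.1",
              "TM_MIN_PUB_KEY_LENGTH": "1024"}
    for line in audit_tls_config("-A", legacy):
        print("FINDING:", line)
```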