The term SSL is used to describe both SSL and TLS protocols.
SSL protocol runs above the TCP/IP protocol and below higher-level protocols such as HTTP.
IBM SSL support runs as part of the TCP/IP stack under UNIX System Services (USS).
These levels of authentication and encryption are available with TLS/SSL security:
Server authentication only
Client authentication level 1
Client authentication level 2
Client authentication level 3
For consistency with other Sybase products, Sybase implements
server authentication only.
For server authentication to work, the server must have a private key and associated server certificate in the server key database file. To manage the keys and certificates needed for SSL support, you can use the gskkyman utility (provided by the System SSL) or RACF Common Keyring support. The server certificate and the CA certificates are stored in a key ring, also called a key database.
Some considerations when using RACF:
References to RACF apply to any other System Authorization Facility (SAF)-compliant security products that contain the required support.
For RACF support, all key rings and certificates are stored in the RACF database. There are no separate key database or stash files.
IBM provides the mainframe applications with two options for implementing SSL support:
System SSL, which runs on top of the TCP/IP stack and provides interfaces to write both client and server applications.
Application Transparent - Transport Layer Security (AT-TLS), which provides application-transparent secured connections for both client and server. Internally, it uses System SSL interfaces.
The following subsections describe each of these options.
