Configuring AT-TLS

AT-TLS consolidates TLS implementation in one location, reducing or eliminating application development overhead, maintenance, and parameter specification. AT-TLS is based on z/OS System SSL, and transparently implements it in the TCP layer of the stack.

Applications that take advantage of AT-TLS fall into three types: basic, aware, and controlling. The type depends on whether the application is aware of the service and, if so, how much control it is given over the security functions. The SIOCTTLSCTL ioctl function call is the interface through which an application queries or controls AT-TLS.

Basic application

A basic application is unaware that AT-TLS is encrypting or decrypting data.

Aware application

An aware application knows that AT-TLS is present and can query information such as the AT-TLS status of the connection, the partner certificate, and the RACF user ID derived from that certificate. No special setting in the AT-TLS policy is needed for these queries.

Controlling application

A controlling application is aware of AT-TLS and needs to control the secure session itself. Its AT-TLS policy must have the ApplicationControlled parameter set to On; with that setting, the stack does not start the TLS handshake on its own but waits for the application to request it through SIOCTTLSCTL.

All three types of applications send and receive cleartext on the socket; encryption and decryption happen in the TCP layer of the stack, so only encrypted data flows over the network.

Follow this procedure to configure AT-TLS policies.

Steps

To configure AT-TLS:

  1. Provide the TCP/IP stack with the AT-TLS policies required to negotiate secure connections.

    AT-TLS policies are configured in the Policy Agent (described in the next section) using a set of configuration statements and parameters coded into a flat file. You can create the flat file using one of two methods:

    • Using manual configuration, coding all the required statements in an HFS file or MVS data set, or

    • Using the z/OS Network Security Configuration Assistant, a stand-alone Windows application that needs no network connectivity to the z/OS host and no host-side setup to build the policy file. You can download the GUI from the Communications Server Family downloadable tools Web site.

  2. Enable AT-TLS through the TTLS parameter on the TCPCONFIG statement in PROFILE.TCPIP.

When AT-TLS is enabled and a newly established connection is first used, the TCP layer of the stack searches for a matching AT-TLS policy rule installed from the Policy Agent. If no rule matches, the connection proceeds without AT-TLS involvement, that is, in the clear. AT-TLS therefore fails open rather than closed: a port that is missing from the policy, a rule whose TTLSEnabled is Off, or a Policy Agent that has not yet installed the policy all leave the traffic unencrypted, so every application you intend to protect needs a rule that actually matches its job name, port, and direction.
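The following configuration is an added example, not text from the original page and not a policy shipped with z/OS. It puts the two procedure steps above together and shows how the application types map onto policy: one rule for a basic server that is unaware of TLS, and one for a controlling server that starts the handshake itself through SIOCTTLSCTL. The job names (HTTPSRV, CTLSRV), ports (443, 8443), key ring name (TTLSRING), and the policy file path are assumptions for illustration; the statement and parameter names are the standard AT-TLS policy keywords. TLSv1.2 and the ECDHE cipher suites assume a z/OS release whose System SSL supports them.

```text
# ---- PROFILE.TCPIP: step 2, switch AT-TLS on in the stack ----
TCPCONFIG TTLS

# ---- Policy Agent main configuration: point PAGENT at the policy file ----
# (path is an assumption; any z/OS UNIX file or MVS data set works)
TTLSConfig /etc/pagent/ttls.policy

# ---- /etc/pagent/ttls.policy: step 1, the AT-TLS policy flat file ----

# Rule 1: basic application. The server never learns TLS is in use.
TTLSRule                          HTTPSRV_Inbound
{
  Jobname                         HTTPSRV          # assumed server job name
  LocalPortRange                  443
  Direction                       Inbound
  TTLSGroupActionRef              grpAtTlsOn
  TTLSEnvironmentActionRef        envServerBasic
  TTLSConnectionActionRef         connStrong
}

# Rule 2: controlling application. The stack waits for the application
# to issue SIOCTTLSCTL before it runs the handshake, and requires a
# client certificate that maps to a RACF user ID (the "derived user ID"
# an aware or controlling application can query).
TTLSRule                          CTLSRV_Inbound
{
  Jobname                         CTLSRV           # assumed server job name
  LocalPortRange                  8443
  Direction                       Inbound
  TTLSGroupActionRef              grpAtTlsOn
  TTLSEnvironmentActionRef        envServerControlled
  TTLSConnectionActionRef         connStrong
}

TTLSGroupAction                   grpAtTlsOn
{
  TTLSEnabled                     On               # Off here silently leaves traffic in the clear
  Trace                           2                # errors to syslogd; raise while debugging
}

TTLSEnvironmentAction             envServerBasic
{
  HandshakeRole                   Server
  TTLSKeyringParms
  {
    Keyring                       TTLSRING         # assumed RACF key ring holding the server certificate
  }
  TTLSEnvironmentAdvancedParms
  {
    SSLv2                         Off
    SSLv3                         Off
    TLSv1                         Off
    TLSv1.1                       Off
    TLSv1.2                       On
    ApplicationControlled         Off              # basic application: stack handshakes immediately
  }
}

TTLSEnvironmentAction             envServerControlled
{
  HandshakeRole                   ServerWithClientAuth
  TTLSKeyringParms
  {
    Keyring                       TTLSRING
  }
  TTLSEnvironmentAdvancedParms
  {
    SSLv2                         Off
    SSLv3                         Off
    TLSv1                         Off
    TLSv1.1                       Off
    TLSv1.2                       On
    ApplicationControlled         On               # controlling application drives the handshake
    ClientAuthType                SAFCheck         # client certificate must map to a RACF user ID
  }
}

TTLSConnectionAction              connStrong
{
  HandshakeRole                   Server
  TTLSCipherParmsRef              cipherStrong
}

TTLSCipherParms                   cipherStrong
{
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
```

After the Policy Agent has been started and has read the file, confirm that the rules were actually installed with pasearch -t, and check a live connection with netstat -x (the TTLS report) rather than assuming from the policy text alone: a rule that fails to parse, or a job name that does not match the address space actually opening the socket, is not an error from the application's point of view, because the stack simply lets that connection through in the clear. Keep the envServerControlled rule confined to the port and job name of the application that really issues SIOCTTLSCTL; a basic application matched by an ApplicationControlled On rule would wait forever for a handshake it never requests.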