Using AT-TLS for encrypted communications

The Application Transparent Transport Layer Security (AT-TLS) feature of z/OS® Communications Server can be used to secure communications between the ADFzCC server and connecting clients by setting the ATTLS configuration parameter to the value ‘Y’. For example:
ATTLS=Y

Using AT-TLS requires the configuration of z/OS® Communications Server and policy agent rules to enable TLS protection of inbound connections to the ADFzCC server and of the subsequent data flows between the client and the server. Your security administrator or system programmer can create this configuration in accordance with your installation standards and ensure that the z/OS® Communications Server policy agent is running to provide AT-TLS services.

To establish an AT-TLS environment, take the following steps:
Note: Particulars might vary by installation.
  1. Change the z/OS® Communications Server profile TCPCONFIG statement to activate the AT-TLS function. For example:
    TCPCONFIG  TTLS		; Required for AT-TLS
    Optionally, installations might also change the z/OS® Communications Server profile AUTOLOG statement to automate starting the policy agent (PAGENT), which is needed to put AT-TLS rules into effect. For example:
    AUTOLOG
          PAGENT		; POLICY AGENT, required for AT-TLS
    ENDAUTOLOG
  2. Create the z/OS® Communications Server policy agent (PAGENT) configuration to establish AT-TLS rules for inbound connections to the ADFzCC server. For example:
    TTLSRule                     rule_ADFzCC
    {
     LocalPortRange              2800
     Direction                   Inbound
     TTLSGroupActionRef          grp_ADFzCC
     TTLSEnvironmentActionRef    env_ADFzCC
    }
    TTLSGroupAction              grp_ADFzCC
    {
     TTLSEnabled                 On
    }
    TTLSEnvironmentAction        env_ADFzCC
    {
     HandshakeRole               Server
     TTLSKeyRingParms
     {
      Keyring                    ADFzCC.KEYRING
     }
     TTLSEnvironmentAdvancedParms
     {
      TLSv1.3                    On
      HandshakeTimeout           30
      ApplicationControlled      On
     }
     TTLSCipherParms
     {
      V3CipherSuites4Char        13021301
     }
     TTLSSignatureParms
     {
      ServerKeyShareGroups       00230024002500290030
     }
     TTLSGskAdvancedParms
     {
      GSK_SESSION_TICKET_SERVER_ENABLE Off
     }
    }
    Note: The ApplicationControlled parameter must be On for the ADFzCC server. In addition, the SSL_REQUIRED configuration parameter must be set to a valid protocol value. The protocol that is chosen must match a protocol that is enabled in the TTLSEnvironmentAdvancedParms statement of the AT-TLS rule. For example:
    SSL_REQUIRED=TLSv1.3

    A HandshakeTimeout value of 30 seconds is recommended. If using a LocalAddr* (LocalAddr, LocalAddrRef, LocalAddrSetRef, LocalAddrGroupRef) statement within your rule to limit the IP addresses on which the ADFzCC server listens, you must ensure that the statement allows connections to the server on address 127.0.0.1.

    In addition, the IPVSRV STC user will require access to the keystore that is identified on the Keyring parameter of the TTLSKeyRingParms statement. For more information on cipher specifications, key share groups, and certificate types supported for TLS 1.3, see https://www.ibm.com/docs/en/zos/2.4.0?topic=protocols-required-updates-enable-tls-v13-protocol-support.

  3. Start the z/OS® Communications Server policy agent.
    Note: If your policy agent configuration, or the key ring or keystore that it identifies, is changed, restart the policy agent.
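The two consistency requirements above (ApplicationControlled must be On, and SSL_REQUIRED must name a protocol the TTLSEnvironmentAdvancedParms statement enables) are easy to get wrong when the rule and the ADFzCC configuration are maintained by different people. The following added example, which is not part of this documentation or of the ADFzCC product, is a small offline check that flattens a TTLSEnvironmentAction fragment like the one in step 2, decodes the V3CipherSuites4Char list, and reports any mismatch against a given SSL_REQUIRED value; the parser, the check function and the sample rule text are all hypothetical.

```python
"""Check an AT-TLS TTLSEnvironmentAction fragment against ADFzCC SSL_REQUIRED."""

# Constructed sample, copied from the rule fragment in step 2 (not a live policy).
SAMPLE_RULE = """
TTLSEnvironmentAction        env_ADFzCC
{
 HandshakeRole               Server
 TTLSEnvironmentAdvancedParms
 {
  TLSv1.3                    On          ; protocol enabled here must match SSL_REQUIRED
  HandshakeTimeout           30
  ApplicationControlled      On
 }
 TTLSCipherParms
 {
  V3CipherSuites4Char        13021301
 }
}
"""

# IANA TLS 1.3 cipher suite ids, as 4-character hex used by V3CipherSuites4Char.
TLS13_SUITES = {"1301": "TLS_AES_128_GCM_SHA256",
                "1302": "TLS_AES_256_GCM_SHA384",
                "1303": "TLS_CHACHA20_POLY1305_SHA256"}

def parse_rule(text):
    """Flatten the brace-structured policy text into {parameter: value}.
    Nesting is not tracked: AT-TLS parameter names are unique per environment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop trailing ; comments
        if not line or line in ("{", "}"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            params[parts[0]] = parts[1].strip()
    return params

def cipher_names(four_char):
    """Split a V3CipherSuites4Char string into IANA suite names, in server preference order."""
    ids = [four_char[i:i + 4] for i in range(0, len(four_char), 4)]
    return [TLS13_SUITES.get(cid, "unknown:" + cid) for cid in ids]

def check_rule(rule_text, ssl_required):
    """Return a list of problems; an empty list means the rule and SSL_REQUIRED agree."""
    p = parse_rule(rule_text)
    problems = []
    if p.get("ApplicationControlled", "Off").lower() != "on":
        problems.append("ApplicationControlled must be On for the ADFzCC server")
    if p.get(ssl_required, "Off").lower() != "on":
        problems.append(f"SSL_REQUIRED={ssl_required} but {ssl_required} is not On in the rule")
    suites = cipher_names(p.get("V3CipherSuites4Char", ""))
    if ssl_required == "TLSv1.3" and not any(s in TLS13_SUITES.values() for s in suites):
        problems.append("TLSv1.3 required but no TLS 1.3 suite is listed in V3CipherSuites4Char")
    return problems
```

Run check_rule(SAMPLE_RULE, "TLSv1.3") after editing either side of the configuration; a non-empty result points at the statement to correct before restarting the policy agent.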

Clients such as z/OS® Explorer will be prompted to trust the server certificate identified in the AT-TLS configuration if the certificate is not registered as trusted.

Clients such as File Manager Remote Services might require that the remote server CA certificate is imported as a SITE certificate on the client z/OS® system for establishing trust of the remote system.