IMS Connect SSL connections

To use Secure Sockets Layer (SSL) with IMS Connect, you can either configure the IMS Connect support for SSL by using the IMS Connect SSL interface or you can use the IBM® z/OS® Communications Server Application Transparent Transport Layer Security feature (AT-TLS).

If you use AT-TLS, the use of SSL is transparent to IMS Connect and you do not need to configure the IMS Connect SSL interface. The configuration and administration of SSL is performed by your z/OS TCP/IP administrator.

In addition to simplifying IMS Connect security implementation, AT-TLS provides greater flexibility with respect to the use of ports. IMS Connect support for SSL is restricted to a single port. If more than one SSL port is defined on the IMS Connect TCPIP configuration statement, IMS Connect abends during startup. If AT-TLS is used, however, connections that are secured by SSL are decrypted by AT-TLS before they reach IMS Connect and can therefore use any IMS Connect port.

Recommendation: Use the z/OS Communications Server AT-TLS feature to enable SSL on TCP/IP connections to IMS instead of configuring the IMS Connect support for SSL.

The IMS Connect SSL interface includes support for:
  • SSL Version 2.0
  • SSL Version 3.0
  • Transport Layer Security (TLS) Version 1.0
  • Transport Layer Security (TLS) Version 1.1
  • Transport Layer Security (TLS) Version 1.2
  • FIPS mode

Throughout this topic, the term SSL is used to describe both the SSL and TLS protocols. This topic applies only to the configuration of IMS Connect support for SSL.

SSL and TLS protect the privacy and integrity of data that is transferred through a network. SSL rests on top of TCP/IP to provide a mechanism for secure sockets. SSL uses a combination of public and private keys for the initial contact and authentication between the client and the server, and symmetric key encryption for the subsequent communication flows.

During the initial handshake protocol, the client and server agree on how to encrypt and decrypt information and define the format that is used to transmit the encrypted data. After the SSL connection is established, the communication data flows are encrypted and decrypted with symmetric key encryption, and this encryption is transparent to the client and server.

Because the SSL encryption is transparent to the client and server programs, the message formats they send and receive are the same regardless of whether the connection is an SSL socket or a regular unencrypted socket.

When you are setting up the IMS Connect SSL configuration, you must consider any limitations or restrictions of the client's SSL support. TCP/IP consistently and reliably transfers information across the internet domain, but it does not secure the information that is transferred; that protection is provided by SSL.

SSL protects information from:
  • Eavesdropping
  • Data theft
  • Traffic analysis
  • Data modification
  • Trojan horse browser / server

X.509 certificates are used by both the client and the server when securing communications. The client must verify the server's certificate, either against the certificate of the Certificate Authority (CA) that signed it or against a self-signed certificate from the server. The server must verify the client's certificate (if a client certificate is requested) by using the certificate of the CA that signed the client's certificate. The client and the server then use the negotiated session keys and begin encrypted communications.