Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
Application Transparent Transport Layer Security z/OS Communications Server: IP CICS Sockets Guide SC27-3649-00 |
|
Before reading this topic, first read the Application Transparent Transport Layer Security (AT-TLS) topic of the z/OS Communications Server: IP Configuration Guide. The z/OS® Communications
Server TCP/IP stack provides Application Transparent Transport Layer
Security (AT-TLS). This allows socket applications that use the TCP
protocol to transparently use the Secure Socket Layer protocol (TLS/SSL)
to communicate with partners in the network. IP CICS® sockets enabled applications can take advantage
of this support. This requires the following:
Careful consideration must be given for IP CICS sockets-enabled applications that act as clients connecting outbound because the AT-TLS policy might not be specific enough to restrict individual CICS users from logging on to and invoking these clients. Additional CICS security controls such as transaction security and resource security can be considered in order to limit users' access to remote hosts. See Example of outbound AT-TLS support for more information. If a CICS listener is AT-TLS enabled but the client does not use SSL, there is a mismatch; AT-TLS receives unencrypted data when it is expecting encrypted data. In this case, AT-TLS resets the connection. See the Application Transparent Transport Layer Security (AT-TLS) topic in the z/OS Communications Server: IP Configuration Guide for information regarding defining keyrings, client certificates, mapping them to user IDs, permitting users access to keyrings, and other AT-TLS details. When taking advantage of AT-TLS support, CICS application programmers and TCP/IP administrators must work together to provide the required support. This can also require communication with RACF administrators. |
Copyright IBM Corporation 1990, 2014
|