AT-TLS support for TLS v1.2 and related features

z/OS® V2R1 Communications Server supports Application Transparent TLS (AT-TLS) currency with z/OS System SSL. Support is added for the following functions that are provided by System SSL:
Dependency: Elliptic Curve ciphers and ciphers that use AES-GCM require Integrated Cryptographic Services Facility (ICSF) to be active. If the CSFSERV class is defined, the application user ID must have READ access to certain resources in the CSFSERV class.

Using the AT-TLS support for TLS v1.2 and related features

To use the AT-TLS support for TLS v1.2 and related features, perform the appropriate tasks in Table 1.
Table 1. AT-TLS support for TLS v1.2 and related features

Task: Enable new AT-TLS policies by using the Configuration Assistant or manual configuration:
  • If using IBM® Configuration Assistant for z/OS Communications Server, migrate your current backing store to V2R1.
  • Use new AT-TLS statements or parameters as needed in the AT-TLS environment or connection actions.
Reference: See the following topics:

Task: Optionally, display the policy-based networking information. Use the pasearch command to display AT-TLS policies.
Reference: The z/OS UNIX pasearch command in z/OS Communications Server: IP System Administrator's Commands

Task: Before you use Elliptic Curve Cryptography (ECC) ciphers, perform the following steps:
  1. Start ICSF.
  2. If the CSFSERV class is defined, give the user ID that runs the AT-TLS application READ access to the following resources in that class:
    • CSF1TRC
    • CSF1PKV
    • CSF1PKS
    • CSF1GKP
    • CSF1GAV
    • CSF1DVK
    • CSF1TRD
Reference: Using Cryptographic Features with System SSL in Cryptographic Services System Secure Sockets Layer programming (SC24-5901-11)

Task: Before you use AES GCM ciphers, perform the following steps:
  1. Start ICSF.
  2. If the CSFSERV class is defined, give the user ID that runs the AT-TLS application READ access to the following resources in that class:
    • CSF1TRC
    • CSF1SKD
    • CSF1SKE
    • CSF1TRD
Reference: Using Cryptographic Features with System SSL in Cryptographic Services System Secure Sockets Layer programming (SC24-5901-11)

Task: If you intend to use any of the new four character cipher suites, you might need to modify applications:
  • Use the TTLSi_Neg_Cipher4 field instead of the TTLSi_Neg_Cipher field on the SIOCTTLSCTL ioctl.
  • In the Network Management Interface NWMTcpConnType record, use the NWMConnTTLSNegCiph4 field instead of the NWMConnTTLSNegCiph field.
  • Process SMF Type 119 records:
    • TCP Connection Termination: use the SMF119AP_TTTTLSNC4 field instead of the SMF119AP_TTTTLSNC field
    • CSSMTP Connection Identification: use the SMF119ML_CN_TLSSNC4 field instead of the SMF119ML_CN_TLSSNC field
    • FTP Client Transfer Complete: use the SMF119FT_FCCipher4 field instead of the SMF119FT_FCCipher field
    • FTP Server Transfer Complete: use the SMF119FT_FSCipher4 field instead of the SMF119FT_FSCipher field
    • FTP Login Failure: use the SMF119FT_FFCipher4 field instead of the SMF119FT_FFCipher field
Reference: Network management interfaces and Application Transparent Transport Layer Security (AT-TLS) in z/OS Communications Server: IP Programmer's Guide and Reference

Task: Use new SNMP MIB object ibmMvsTcpConnectionTtlsNegCipher4 to retrieve the four-byte cipher in use on a TCP connection using AT-TLS.
Reference: TCP/IP subagent in z/OS Communications Server: IP System Administrator's Commands
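The following batch TSO job is an added example, not an IBM sample: it grants an assumed AT-TLS application user ID (placeholder ATTLSUSR) READ access to the union of the CSFSERV resources that the ECC and AES GCM steps in Table 1 require, so one job covers both cipher families. It assumes the CSFSERV class is active and RACLISTed, that discrete profiles for these resources already exist, and that the submitter holds the RACF authority to issue PERMIT and SETROPTS; the job name and account field are placeholders.

```jcl
//CSFPERM  JOB (ACCT),'CSFSERV READ FOR AT-TLS',CLASS=A,MSGCLASS=X,
//             NOTIFY=&SYSUID
//* Added example, not IBM's own sample. ATTLSUSR is a placeholder for
//* the user ID under which the AT-TLS application runs.
//* Assumes the CSFSERV class is active and the CSF1xxx profiles already
//* exist. If a profile does not exist yet, define it first, for example:
//*   RDEFINE CSFSERV CSF1TRC UACC(NONE)
//* Resources needed by both ECC and AES GCM ciphers: CSF1TRC, CSF1TRD
//* Resources needed by ECC ciphers only: CSF1PKV CSF1PKS CSF1GKP CSF1GAV CSF1DVK
//* Resources needed by AES GCM ciphers only: CSF1SKD CSF1SKE
//RACFCMD  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 PERMIT CSF1TRC CLASS(CSFSERV) ID(ATTLSUSR) ACCESS(READ)
 PERMIT CSF1TRD CLASS(CSFSERV) ID(ATTLSUSR) ACCESS(READ)
 PERMIT CSF1PKV CLASS(CSFSERV) ID(ATTLSUSR) ACCESS(READ)
 PERMIT CSF1PKS CLASS(CSFSERV) ID(ATTLSUSR) ACCESS(READ)
 PERMIT CSF1GKP CLASS(CSFSERV) ID(ATTLSUSR) ACCESS(READ)
 PERMIT CSF1GAV CLASS(CSFSERV) ID(ATTLSUSR) ACCESS(READ)
 PERMIT CSF1DVK CLASS(CSFSERV) ID(ATTLSUSR) ACCESS(READ)
 PERMIT CSF1SKD CLASS(CSFSERV) ID(ATTLSUSR) ACCESS(READ)
 PERMIT CSF1SKE CLASS(CSFSERV) ID(ATTLSUSR) ACCESS(READ)
 SETROPTS RACLIST(CSFSERV) REFRESH
/*
```

The SETROPTS RACLIST REFRESH is what makes the new access take effect for an in-storage CSFSERV class; afterwards RLIST CSFSERV CSF1TRC AUTHUSER shows the profile's access list so you can confirm that ATTLSUSR holds READ and nothing more.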