FIPS 140-2 support

You can configure AT-TLS to support FIPS 140-2. Specify On for the FIPS140 statement of the TTLSGroupAction statement.

For information about configuring System SSL to run in FIPS 140-2 mode, see the System SSL and FIPS 140-2 topic in z/OS Cryptographic Services System SSL Programming.

Requirement: ICSF must be active before starting AT-TLS groups configured to support FIPS140. For information about configuring ICSF to support FIPS 140-2, see the topic about operating in compliance with FIPS 140-2 in z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.

If the RACF® CSFSERV class is defined, the user ID associated with the TCP/IP stack and any application user ID that is using the TTLSGroup must be given READ access to the CSFRNG resource within the CSFSERV class. If the CSFSERV class is defined and Diffie-Hellman is being used, the application user ID must be given READ access to the CSF1TRC, CSF1DVK, CSF1GKP, CSF1GSK, CSF1GAV, and CSF1TRD resources within the CSFSERV class.
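The following added example (not IBM code and not part of the original topic) checks a Policy Agent file for TTLSGroupAction statements that do not code FIPS140 On, and builds the RACF commands for the READ access described above. The function names, the sample policy, and the group names are constructed for illustration. The PERMIT commands assume that discrete CSFSERV profiles named for each resource already exist and that the class is RACLISTed.

```python
import re

# Resource names as listed in this topic for Diffie-Hellman use.
DH_RESOURCES = ["CSF1TRC", "CSF1DVK", "CSF1GKP", "CSF1GSK", "CSF1GAV", "CSF1TRD"]

# Constructed sample policy; the group names are placeholders.
SAMPLE_POLICY = """
TTLSGroupAction grp_fips
{
  TTLSEnabled On
  FIPS140     On
}
TTLSGroupAction grp_plain
{
  TTLSEnabled On
}
"""

def group_fips_settings(policy_text):
    """Map each TTLSGroupAction name to its FIPS140 value (None if not coded)."""
    tokens = iter(re.findall(r"[{}]|[^\s{}]+", re.sub(r"#.*", "", policy_text)))
    groups, name, depth = {}, None, 0
    for tok in tokens:
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
            name = name if depth else None   # leaving the group's outer block
        elif depth == 0 and tok.lower() == "ttlsgroupaction":
            name = next(tokens, None)
            if name is not None:
                groups[name] = None
        elif depth == 1 and name and tok.lower() == "fips140":
            groups[name] = next(tokens, None)  # only the group's own level counts
    return groups

def groups_without_fips(policy_text):
    """Names of groups whose FIPS140 value is not On (missing counts as not On)."""
    settings = group_fips_settings(policy_text)
    return sorted(g for g, v in settings.items() if (v or "").lower() != "on")

def racf_permits(stack_id, app_id, diffie_hellman=False):
    """RACF commands for the READ access this topic lists (assumes discrete profiles)."""
    cmds = [f"PERMIT CSFRNG CLASS(CSFSERV) ID({stack_id} {app_id}) ACCESS(READ)"]
    if diffie_hellman:
        cmds += [f"PERMIT {r} CLASS(CSFSERV) ID({app_id}) ACCESS(READ)"
                 for r in DH_RESOURCES]
    cmds.append("SETROPTS RACLIST(CSFSERV) REFRESH")  # assumes the class is RACLISTed
    return cmds
```

Calling `groups_without_fips(SAMPLE_POLICY)` reports `grp_plain`, the group that would start without FIPS 140-2 mode.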