AT-TLS access control considerations

Access to key rings and certificates is verified by System SSL when SSL environments are initialized. Access to certificate private keys is verified by ICSF when asymmetric cryptographic services that require the private keys are requested. AT-TLS invokes System SSL services that cause these access control checks to occur on tasks created in the TCP/IP address space. So that the checks are made against the application's identity rather than the stack's, TCP/IP replicates the security environment of the user running the application that owns the socket at the time AT-TLS policy is mapped, before invoking these System SSL services.

Several common application models were considered to determine the most appropriate time for replicating the security environment. Replication occurs when AT-TLS policy is mapped. Policy mapping occurs during processing of the first of the following operations on the socket: a connect(), a SIOCTTLSCTL ioctl, a select() or poll() for the socket to become readable or writable, or any call that sends or receives data over the socket. This defers security environment replication for applications such as INETD until after the accept(), fork(), setuid(), and exec() sequence of services has established the server application process, so the key ring and private key checks are made under the server process's identity. Because mapping happens on whichever of these operations comes first, a server that selects on, polls, or transfers data over the accepted socket before it calls setuid() causes the policy to be mapped, and the security environment replicated, under the identity in effect at that point.

In the CICS® socket environment, transaction security environments are not visible to AT-TLS support. The CICS job and all of its transactions appear to the stack as a single server application with a single z/OS® UNIX process ID running in the security environment of the CICS job. All AT-TLS policy lookups, System SSL key ring authorization checks, and ICSF private key authorization checks are processed using the identity of the CICS job, regardless of which transaction or terminal user owns the connection. Connections established, whether active or passive, can perform TLS handshake processing as either the client or server. All of the connections established by a single CICS job are able to share the session ID cache in the SSL environment. The CICS job should use its own key ring, owned by the CICS job's user ID, that holds a server certificate. The key ring must also contain the chain of CA certificates needed to validate the server certificate it presents to the client. If the server requires client authentication, the key ring must additionally contain any CA certificates necessary to validate the client certificates presented to it.
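The key ring requirements above, and the two access checks described at the start of this topic, as an added example that is not from the original page or from IBM: a REXX exec of RACF commands that builds a ring for a CICS region and permits the region's user ID to the resources that System SSL and ICSF check. The region user ID CICSA, the ring name CICSRING, the certificate labels, and the ICSF key label CICSA.SERVER.KEY are hypothetical placeholders. The FACILITY class permits are the SAF checks System SSL makes when the ring is opened; the CSFSERV and CSFKEYS permits apply only when the server certificate's private key is stored in ICSF rather than in the RACF database.

```rexx
/* REXX: build and permit a CICS region key ring (example, not IBM code).
   Assumptions: region user ID CICSA, ring CICSRING, certificate labels
   and the ICSF key label are hypothetical placeholders.             */
address tso

cics = "CICSA"
ring = "CICSRING"

/* Ring owned by the CICS region user ID: every connection in the
   region, whatever transaction owns it, opens it under this identity. */
"RACDCERT ID("cics") ADDRING("ring")"

/* Server certificate with its private key, made the ring default.    */
"RACDCERT ID("cics") CONNECT(ID("cics") LABEL('CICSA Server Cert')",
    "RING("ring") DEFAULT USAGE(PERSONAL))"

/* CA chain the region needs to validate the certificate it presents.  */
"RACDCERT ID("cics") CONNECT(CERTAUTH LABEL('Corp Root CA')",
    "RING("ring") USAGE(CERTAUTH))"
"RACDCERT ID("cics") CONNECT(CERTAUTH LABEL('Corp Issuing CA')",
    "RING("ring") USAGE(CERTAUTH))"

/* Only when client authentication is required: CAs that issue the
   client certificates the region must validate.                       */
"RACDCERT ID("cics") CONNECT(CERTAUTH LABEL('Client CA')",
    "RING("ring") USAGE(CERTAUTH))"

/* Key ring access is checked by System SSL when the SSL environment
   is initialized. READ lets a user ID open its own ring and use its
   own private key; no higher access is needed for this layout.       */
"PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID("cics") ACCESS(READ)"
"PERMIT IRR.DIGTCERT.LIST     CLASS(FACILITY) ID("cics") ACCESS(READ)"
"SETROPTS RACLIST(FACILITY) REFRESH"

/* Only when the server private key is stored in ICSF: ICSF checks the
   service (signature generate / PKA decrypt) and the key label when
   the handshake needs the private key.                                */
"RDEFINE CSFKEYS CICSA.SERVER.KEY UACC(NONE)"
"PERMIT CSFDSG CLASS(CSFSERV) ID("cics") ACCESS(READ)"
"PERMIT CSFPKD CLASS(CSFSERV) ID("cics") ACCESS(READ)"
"PERMIT CICSA.SERVER.KEY CLASS(CSFKEYS) ID("cics") ACCESS(READ)"
"SETROPTS RACLIST(CSFSERV CSFKEYS) REFRESH"

/* Check: the ring must show the default server certificate plus every
   CERTAUTH entry needed for both the server chain and client CAs.     */
"RACDCERT ID("cics") LISTRING("ring")"
exit
```

Run the exec from a TSO user ID with the authority to issue RACDCERT and PERMIT for CICSA. The LISTRING output at the end is the check to keep: a missing intermediate CA in that list surfaces later as a handshake failure under the CICS job's identity, not under the identity of the transaction that opened the socket.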