Customizing SSL/TLS security

If you are enabling SSL encryption for any of the TCP/IP cloud traffic, IBM's Communications Server provides control through Application Transparent Transport Layer Security (AT-TLS). You can enable AT-TLS by user, started task, host, or many other criteria. If you are not enabling SSL encryption for cloud traffic, skip this step.

About this task

Full documentation for AT-TLS is provided in the IBM z/OS® Communications Server: IP Configuration Guide.

Note: If your environment does not use RACF®, consult the documentation for your environment's security product. Other automatic SSL/TLS configuration solutions exist.

Procedure

  1. Create a keyring and add all certificates that will be used by any of the following: the AXQTINIT started task, the AXQRCHIV batch job, the AXQCLNUP batch job, the AXQRECYC batch job, or the AXQRESTR batch job. Include the certificate and certificate chain for the storage server from your secure file server.
    For more information about creating a keyring and importing certificates, see the z/OS Security Server RACF Security Administrator's Guide.
  2. Create a TTLS Rule that enables your SSL/TLS encryption policies. To see a configuration example, refer to Example of AT-TLS parameter setup. Verify that this policy matches your cloud definition in the Advanced Archive for DFSMShsm Cloud Definition Database.
    Be aware that most object stores use port 80 for unencrypted HTTP traffic and port 443 for SSL/TLS-encrypted traffic.
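
A minimal Policy Agent TTLS rule for step 2, tied to the keyring from step 1. This is an added illustration, not IBM's "Example of AT-TLS parameter setup" and not taken from the product documentation. The rule and action names, the keyring name AXQRING, the job-name pattern AXQ* and the protocol settings are assumptions to replace with your site's values.

```conf
# Constructed sample AT-TLS policy; all names below are placeholders.
# Assumes the started task and batch jobs run under job names beginning
# with AXQ and that the cloud definition points at port 443.
TTLSRule                      AXQCloudOutbound
{
  Jobname                     AXQ*          # assumed job-name pattern
  RemotePortRange             443           # must match the cloud definition
  Direction                   Outbound      # z/OS connects out to the object store
  TTLSGroupActionRef          AXQGroupAct
  TTLSEnvironmentActionRef    AXQEnvAct
}

TTLSGroupAction               AXQGroupAct
{
  TTLSEnabled                 On
}

TTLSEnvironmentAction         AXQEnvAct
{
  HandshakeRole               Client        # z/OS is the TLS client here
  TTLSKeyringParms
  {
    # Keyring from step 1 (assumed name). Use owner/ringname when the
    # ring belongs to a different user ID than the one running the job.
    Keyring                   AXQRING
  }
  TTLSEnvironmentAdvancedParms
  {
    # Assumed protocol policy: allow only what the object store requires.
    SSLv3                     Off
    TLSv1                     Off
    TLSv1.1                   Off
    TLSv1.2                   On
  }
}
```

If the cloud definition uses a port other than 443, or the jobs run under different names, the rule will not match and the traffic leaves the stack unencrypted, so check both values against the Cloud Definition Database entry.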

What to do next

Go on to Starting the started task.