Transport Layer Security Protocol and Secure Sockets Layer Protocol
The Transport Layer Security protocol (TLS) and the Secure Sockets Layer (SSL) protocol use certificates to exchange a session key between the node that initiates the data transfer process (the primary node, or PNODE) and the other node that is part of the communications session (the secondary node, or SNODE). A certificate is an electronic document that associates a public key with an individual or other entity. It enables you to verify the claim that a public key belongs to that entity. Certificates can be self-issued or issued by a certificate authority (CA). See Self-Signed and CA-Signed Certificates. When a CA receives an application for a certificate, it validates the applicant's identity, then creates and signs the certificate. A CA issues and revokes CA-issued certificates. Self-signed certificates are created and issued by the owner of the certificate, who must export the certificate in order to create a trusted root for it and supply that trusted root to the partner in a connection.
External Authentication Server validates certificates during an SSL or TLS session. Use the application to configure certificate chain validation, including the option to validate certificates against one or more Certificate Revocation Lists (CRLs) stored on an LDAP server. You can also configure the application to return attributes associated with the incoming certificate, such as group information, stored on an LDAP server. See IBM® External Authentication Server Implementation Guide for information.
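The two trust decisions described above, validating a partner certificate only against a trusted root that was explicitly supplied, and checking the certificate against a CRL signed by the issuing CA, are illustrated by the following Go program. It is an added example using only the Go standard library; it is not Connect:Direct or External Authentication Server code, and the CA name, host names, serial numbers and the 24-hour validity windows are constructed for the demonstration. It builds a root CA, a CA-issued partner certificate, a second partner certificate that is self-signed, and a CRL from the CA that revokes a third certificate, then shows which combinations validate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn. With parent == nil the certificate is
// self-signed (the owner signs with its own key); otherwise parent/parentKey sign it.
// All subject names and serial numbers are constructed example values.
func mkCert(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		// A CA must be allowed to sign certificates and CRLs.
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		// Either node may act as the TLS server or client in a session.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// makeCRL has the CA sign a Certificate Revocation List naming the revoked serial numbers.
func makeCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...int64) *x509.RevocationList {
	var revoked []pkix.RevokedCertificate
	for _, s := range serials {
		revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(24 * time.Hour),
		RevokedCertificates: revoked,
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		panic(err)
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		panic(err)
	}
	return crl
}

// VerifyChain validates leaf against the supplied trusted roots only (never the
// host's own store): this is the trust decision a node makes about its partner.
func VerifyChain(leaf *x509.Certificate, trustedRoots ...*x509.Certificate) error {
	pool := x509.NewCertPool() // empty pool: nothing is trusted unless added here
	for _, r := range trustedRoots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsRevoked performs the CRL step of chain validation: the CRL must be signed by
// the certificate's issuing CA and still be current before its entries are consulted.
func IsRevoked(cert *x509.Certificate, crl *x509.RevocationList, issuer *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL signature rejected: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return false, errors.New("CRL is past its NextUpdate; a stale list must not be trusted")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// Scenario holds the constructed certificates and CRL used by the demonstration.
type Scenario struct {
	Root, Issued, Revoked, SelfSigned *x509.Certificate
	CRL                               *x509.RevocationList
}

// BuildScenario creates a root CA, two CA-issued partner certificates (one of which
// the CA then revokes), and one self-signed partner certificate.
func BuildScenario() *Scenario {
	root, rootKey := mkCert("Example Root CA", true, 1, nil, nil)
	issued, _ := mkCert("snode.example.test", false, 2, root, rootKey)
	revokedCert, _ := mkCert("old-snode.example.test", false, 3, root, rootKey)
	selfSigned, _ := mkCert("partner.example.test", false, 4, nil, nil)
	return &Scenario{Root: root, Issued: issued, Revoked: revokedCert, SelfSigned: selfSigned, CRL: makeCRL(root, rootKey, 3)}
}

func main() {
	s := BuildScenario()
	fmt.Println("CA-issued cert, CA root trusted:     ", VerifyChain(s.Issued, s.Root))
	fmt.Println("CA-issued cert, no root supplied:    ", VerifyChain(s.Issued))
	fmt.Println("Self-signed cert, no root supplied:  ", VerifyChain(s.SelfSigned))
	fmt.Println("Self-signed cert, own cert as root:  ", VerifyChain(s.SelfSigned, s.SelfSigned))
	rev, err := IsRevoked(s.Revoked, s.CRL, s.Root)
	fmt.Println("Revoked cert listed in CA's CRL:     ", rev, err)
	_, err = IsRevoked(s.Issued, s.CRL, s.SelfSigned)
	fmt.Println("CRL checked against the wrong issuer:", err)
}
```

The two failure cases are the ones a deployment most often gets wrong: a partner's self-signed certificate is rejected until its exported trusted root has been imported on the validating side, and a CRL is only meaningful if it is signed by the CA that issued the certificate being checked and has not passed its NextUpdate time. Go's `Verify` does not consult CRLs on its own, which is why the revocation check is a separate step here, mirroring the separate CRL validation option described above.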
To use External Authentication Server, configure your application to connect to the host name and port where the External Authentication Server application resides and specify a certificate validation definition. See the instructions for creating the Connect:Direct® Secure Plus parameter file manually or using the network map for the TLS or SSL protocols for instructions to create the remote node record for the External Authentication Server application (.EASERVER).
FIPS 140-2 Mode for the TLS Protocol
Connect:Direct can run System SSL in FIPS mode, available in IBM z/OS Version 1 Release 11, to meet FIPS 140-2 criteria. FIPS-mode operation is available only for the TLS protocol. For more information, see Planning for System SSL in FIPS Mode.