Control encrypted communication in ssl.properties

The RSED started task is not aware that AT-TLS encrypts all incoming and outgoing traffic, so it must be configured to work in unencrypted mode by disabling legacy encryption in ssl.properties (enable_ssl=false). As documented in "(Optional) ssl.properties, the RSE encrypted communication" in the z/OS® Explorer Host Configuration Guide, you can also instruct RSED to ask AT-TLS whether it is encrypting the communication, and to fail the connection if it is not (enable_attls_policy=true).

enable_attls_policy=true
enable_ssl=false

When using encrypted communication, users can choose to authenticate by using a certificate instead of a user ID and password. To do so, the RSE daemon must be able to validate and authenticate the presented certificate, which means that the RSE daemon requires access to a key ring holding the public certificate of the CA used to sign the client certificate. AT-TLS cannot share key ring information with the RSE daemon. Therefore, to support certificate authentication, the key ring name and type must be specified in ssl.properties by using the variables daemon_keydb_file and server_keystore_type. For more information about these variables, see "(Optional) ssl.properties, the RSE encrypted communication".

daemon_keydb_file=FEK.keyring
server_keystore_type=JCERACFKS
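
The following check covers both the AT-TLS directives and the key ring directives described above. It is an added example, not part of the product or its documentation: it audits the text of an ssl.properties file for consistency. The function names, the severity labels, the require_cert_auth switch, and the rule that both directives must be set explicitly are assumptions of this example.

```python
"""Audit an RSE ssl.properties file for the AT-TLS settings described above."""

def parse_properties(text):
    """Parse key=value lines; blank and '#' comment lines are skipped, last value wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit_attls(text, require_cert_auth=False):
    """Return a list of (severity, message) findings; an empty list means consistent."""
    props = parse_properties(text)
    findings = []
    # AT-TLS does the encryption, so RSED's own legacy encryption must be disabled.
    # Assumption: the audit wants the value set explicitly, compared case-insensitively.
    if props.get("enable_ssl", "").lower() != "false":
        findings.append(("error", "enable_ssl must be set to false under AT-TLS"))
    # Without this, RSED does not ask AT-TLS whether the connection is encrypted.
    if props.get("enable_attls_policy", "").lower() != "true":
        findings.append(("warning", "enable_attls_policy is not true; "
                         "unencrypted connections are not rejected by RSED"))
    keyring = props.get("daemon_keydb_file")
    kstype = props.get("server_keystore_type")
    # The key ring name and type are specified as a pair; one without the other is a mistake.
    if bool(keyring) != bool(kstype):
        findings.append(("error", "daemon_keydb_file and server_keystore_type "
                         "must be set together"))
    elif require_cert_auth and not keyring:
        findings.append(("error", "certificate authentication needs "
                         "daemon_keydb_file and server_keystore_type"))
    return findings

# Constructed sample: the page's values, with the key ring line commented out by mistake.
SAMPLE = """\
# constructed sample ssl.properties
enable_attls_policy=true
enable_ssl=false
#daemon_keydb_file=FEK.keyring
server_keystore_type=JCERACFKS
"""

if __name__ == "__main__":
    for severity, message in audit_attls(SAMPLE):
        print(f"{severity}: {message}")
```
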