Securing communications

Configure secure communication to protect the data and resources of Z APM Connect when it collects transaction tracking data of z/OS® subsystems.

About this task

You can generate new certificates, import your own certificates, or disable security between z/OS and the Z APM Connect DG.

The z/OS components include Z APM Connect Base, and may also include the z/OS Connect Enterprise Edition (z/OS Connect EE) server or CICS® Transaction Gateway (CICS TG) server, depending on the type of transactions to be tracked.

When using TLS protection, the Z APM Connect DG Machine acts as the TLS server and the z/OS components act as the TLS client. Z APM Connect DG Machine uses the Java™ Secure Sockets Extension (JSSE) for its TLS processing and the z/OS components use Application Transparent TLS (AT-TLS) support.

Figure: Overview of mutual secure communication
Note: An administrator for your security server is needed. If you use RACF®, the SPECIAL OPERATIONS attribute is required.
Tip: A brief review of keystores and truststores

Keystores and truststores are repositories that contain certificates.

A keystore contains personal certificates.

A personal certificate represents the identity of the TLS endpoint and contains a public and a private key. Both the client (for example, CICS TG server) and the server (for example, Z APM Connect DG machine) might have personal certificates to identify themselves.

A truststore contains the signer certificates (also known as Certificate Authority (CA) certificates) which the endpoint trusts.

A signer certificate contains a public key, which is used to validate personal certificates. By installing the server's signer certificate into the client's truststore, you allow the client to trust the server when establishing a TLS connection. The same principle is true for a server to trust a client when TLS client authentication is enabled.

Z APM Connect supports only Java KeyStores (JKS) key rings.
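
To check that a JKS file matches the keystore and truststore roles described in the tip above, the following added example (not part of the product or its documentation) lists every entry, classifies it as a personal or signer certificate, and flags private keys in a truststore, certificates outside their validity period, and a keystore with no personal certificate. The class name JksAudit, the file names, and the JKS_STOREPASS environment variable are assumptions made for this illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

// Added example: audits a JKS file used as a keystore or a truststore.
// Usage (file names are placeholders; the password is read from the
// hypothetical JKS_STOREPASS variable so it stays off the command line):
//   JKS_STOREPASS=... java JksAudit keystore   dg-keystore.jks
//   JKS_STOREPASS=... java JksAudit truststore dg-truststore.jks
public class JksAudit {
    public static void main(String[] args) throws Exception {
        String pass = System.getenv("JKS_STOREPASS");
        if (args.length != 2 || pass == null) {
            System.err.println("usage: JKS_STOREPASS=... JksAudit keystore|truststore <file.jks>");
            System.exit(2);
        }
        boolean expectPersonal = args[0].equals("keystore");
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[1])) {
            ks.load(in, pass.toCharArray());   // a wrong password or a modified file fails here
        }
        int problems = 0, personal = 0;
        Date now = new Date();
        for (String alias : Collections.list(ks.aliases())) {
            boolean isKey = ks.isKeyEntry(alias);   // personal certificate with its private key
            String kind = isKey ? "personal" : "signer";
            if (isKey) personal++;
            // A truststore should hold only signer (CA) certificates, never private keys.
            if (!expectPersonal && isKey) { problems++; kind += " [private key in truststore]"; }
            Certificate c = ks.getCertificate(alias);
            String detail = "";
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                detail = x.getSubjectX500Principal().getName() + " notAfter=" + x.getNotAfter();
                if (now.after(x.getNotAfter()) || now.before(x.getNotBefore())) {
                    problems++;
                    detail += " [outside validity period]";
                }
            }
            System.out.printf("%-20s %-40s %s%n", alias, kind, detail);
        }
        // Without a personal certificate the endpoint cannot identify itself in the handshake.
        if (expectPersonal && personal == 0) { problems++; System.out.println("no personal certificate found"); }
        System.exit(problems == 0 ? 0 : 1);
    }
}
```

The exit status is 0 when no problem is found, 1 when at least one entry is flagged, and 2 on a usage error.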

Two secure connection configuration options are provided. The option you choose depends on the environment in which you installed Z APM Connect DG: