Networking on z/OS


Application Transparent TLS


Application Transparent TLS (AT-TLS) is a unique usage of TLS on the z/OS end of the session. In principle, it is quite simple: Instead of having the application itself be TLS-capable and TLS-aware, the establishment of the TLS connection is pushed down the stack into the TCP layer.

Many applications on z/OS can run without even being aware that the connection is using TLS. Remote clients cannot distinguish between "normal" TLS (where the application is doing the socket calls necessary for TLS) and AT-TLS (where the TCP layer handles the connection).

Figure 1 shows the AT-TLS layer implemented at a lower layer than the standard TLS. Because TCP/IP is a layered protocol, the changes done at the TCP layer are hidden from the application layer.

Figure 1. AT-TLS in the IP layer model

AT-TLS will appear identical to normal TLS to any application connecting to the z/OS host. The AT-TLS environment is activated by a simple option within the TCPCONFIG statement block in the TCP/IP profile data set: TTLS. When coded, the TCP/IP stack will use the policy agent (in the same fashion as it does for IPSec) to determine how to handle each application's communication.
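As an added example (not from this page or IBM's documentation), the two pieces that the paragraph above describes in words: the profile statement that activates AT-TLS, and a minimal policy agent AT-TLS policy in which a rule selects inbound connections to a server and the referenced actions make the TCP layer act as the TLS server. The port (4443), job name (MYSRV*), keyring name (TLSSRVKEYRING) and policy file path are assumed values.

```text
# In the TCP/IP profile data set: turn AT-TLS on for this stack.
TCPCONFIG TTLS

# In the policy agent image configuration: where the AT-TLS policy lives.
TTLSConfig /etc/pagent_ttls.conf                  # assumed path

# --- contents of /etc/pagent_ttls.conf -----------------------------
# A rule matches connections by address, port, job name and direction.
TTLSRule                          MySrvInbound
{
  LocalAddr                       ALL
  RemoteAddr                      ALL
  LocalPortRange                  4443             # assumed server port
  Jobname                         MYSRV*           # assumed job name
  Direction                       Inbound
  Priority                        255
  TTLSGroupActionRef              GrpEnable
  TTLSEnvironmentActionRef        EnvServer
}

# The group action is the on/off switch for the matched connections.
TTLSGroupAction                   GrpEnable
{
  TTLSEnabled                     On
}

# The environment action says which side of the handshake the stack
# plays and which SAF keyring holds the server certificate.
TTLSEnvironmentAction             EnvServer
{
  HandshakeRole                   Server
  TTLSKeyringParmsRef             KeyServer
  TTLSEnvironmentAdvancedParmsRef AdvServer
}

TTLSKeyringParms                  KeyServer
{
  Keyring                         TLSSRVKEYRING    # assumed keyring
}

# ApplicationControlled Off is what keeps the application unaware:
# the handshake completes in the TCP layer before any data is delivered.
TTLSEnvironmentAdvancedParms      AdvServer
{
  ApplicationControlled           Off
  SSLv2                           Off
  SSLv3                           Off
}
```

Because the rule keys on job name and port rather than on anything the application does, the same server can be switched between clear and TLS traffic by changing policy alone, which is also why the policy file itself needs to be protected like any other security configuration.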

Note: This is the second time the policy agent has been mentioned as the source of configuration data. So you might wonder, why are some definitions coded in a policy agent and some in specific application configuration files?

The primary reason for this is conceptual: the configuration data that belongs under policy agent control should be information that is related to the policies and goals of the organization. Recall that security choices should flow from a security policy document; the policy agent is the service that implements those policies.

The other advantage of the policy agent is that it uses LDAP as the source of the policies. The LDAP directory service is a networked repository of configuration data available to all hosts in the network. One readily apparent advantage is that multiple TCP/IP instances can take advantage of the same policy data stored in LDAP.

Like most protocols relating to IP, LDAP is defined via RFCs: 1777, 2251-2256.





Copyright IBM Corporation 1990, 2010