Application Transparent Transport Layer Security (AT-TLS)

Learn about AT-TLS.

z/OS Connect server on
z/OS This is applicable only when running IBM® z/OS® Connect on z/OS.

Application Transparent Transport Layer Security (AT-TLS) is a capability of z/OS Communications Server that can create a secure session on behalf of IBM z/OS Connect (or other z/OS applications). Instead of implementing TLS in IBM z/OS Connect, AT-TLS provides encryption and decryption of data based on policy statements that are coded in the Policy Agent. IBM z/OS Connect sends and receives cleartext (unencrypted data) as usual while AT-TLS encrypts and decrypts data at the TCP transport layer.

AT-TLS supports different types of application:
  • An unaware application is unaware that AT-TLS is performing encryption or decryption of data.
  • An aware application is aware of AT-TLS and can query information such as AT-TLS status and the partner certificate.
  • A controlling application is aware of AT-TLS and can control the secure session.

IBM z/OS Connect is an unaware AT-TLS application and therefore does not have access to the partner certificate. This means that a z/OS subsystem cannot use a client certificate to authenticate with IBM z/OS Connect when the connection between the z/OS subsystem and IBM z/OS Connect is secured by using AT-TLS.

For more information about AT-TLS, see Application Transparent Transport Layer Security data protection in the z/OS Communications Server documentation.

To learn how IBM z/OS Connect can use AT-TLS, see either API provider confidentiality and integrity or API requester confidentiality and integrity.