Application Transparent Transport Layer Security (AT-TLS)
Learn about AT-TLS.
This is applicable only when running IBM® z/OS® Connect on z/OS.
Application Transparent Transport Layer Security (AT-TLS) is a capability of z/OS Communications Server that can create a secure session on behalf of IBM z/OS Connect (or other z/OS applications). Instead of implementing TLS in IBM z/OS Connect, AT-TLS provides encryption and decryption of data based on policy statements that are coded in the Policy Agent. IBM z/OS Connect sends and receives cleartext (unencrypted data) as usual while AT-TLS encrypts and decrypts data at the TCP transport layer.
Applications are classified by how much they know about AT-TLS:
- An unaware application is unaware that AT-TLS is performing encryption or decryption of data.
- An aware application is aware of AT-TLS and can query information such as AT-TLS status and the partner certificate.
- A controlling application is aware of AT-TLS and can control the secure session.
IBM z/OS Connect is an unaware AT-TLS application and therefore does not have access to the partner certificate. This means that a z/OS subsystem cannot use a client certificate to authenticate with IBM z/OS Connect when the connection between the z/OS subsystem and IBM z/OS Connect is secured by using AT-TLS.
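The following Policy Agent fragment sketches an inbound AT-TLS policy for the arrangement described above. It is an added illustration, not taken from the IBM documentation; the rule and action names, the job name pattern, the port and the key ring name are placeholders chosen for this example.

```text
# Added example: all names, the port and the key ring are placeholders.
# Match inbound connections to the port on which the z/OS Connect
# server listens for cleartext HTTP.
TTLSRule                    ZCON_Inbound
{
  LocalPortRange            9080
  Direction                 Inbound
  Jobname                   ZCONSRV*
  TTLSGroupActionRef        ZCON_Group
  TTLSEnvironmentActionRef  ZCON_Env
}

# Turn AT-TLS on for connections that match the rule.
TTLSGroupAction             ZCON_Group
{
  TTLSEnabled               On
}

# AT-TLS performs the handshake on behalf of the server.
# HandshakeRole Server: AT-TLS presents the server certificate from the
# key ring; no client certificate is requested.
TTLSEnvironmentAction       ZCON_Env
{
  HandshakeRole             Server
  TTLSKeyringParms
  {
    Keyring                 ZCON.KEYRING
  }
}
```

With a policy of this shape in place, the server endpoint itself is defined without TLS, because encryption and decryption happen in the TCP/IP stack before the data reaches the application.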
For more information about AT-TLS, see Application Transparent Transport Layer Security data protection in the z/OS Communications Server documentation.