Securing communications to IBM z/OS Connect with AT-TLS

Use Application Transparent Transport Layer Security (AT-TLS), a capability of z/OS® Communications Server, for transport layer security with IBM® z/OS Connect. For more information, see Application Transparent Transport Layer Security (AT-TLS).

This topic is applicable to: z/OS Connect server on z/OS

API provider confidentiality and integrity shows the TLS implementation options available for the API provider.

  1. For any REST client that supports TLS:
    • The HTTPS connection is established with port 5002. The port is associated with an SSL configuration in IBM z/OS Connect.
    • The HTTPS connection is established with port 5004. The port is protected by an AT-TLS inbound policy so the TLS connection is managed by AT-TLS. Client certificate authentication cannot be used for this connection.
  2. For a z/OS REST client that relies on an AT-TLS outbound policy:
    • Outbound connections to port 5002 are protected by the AT-TLS outbound policy. On the server, port 5002 is associated with an SSL configuration in IBM z/OS Connect.
    • Outbound connections to port 5004 are protected by the AT-TLS outbound policy. On the server, port 5004 is protected with an AT-TLS inbound policy so the TLS connection is managed by AT-TLS. Client certificate authentication cannot be used for this connection.
Figure 1. TLS implementation options for API provider.
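The AT-TLS side of the options above can be written as a Policy Agent fragment like the following. This is an added example, not IBM's sample policy: the rule, action and key ring names are hypothetical, and it assumes a single key ring holds the certificates for both roles.

```conf
# Added example. All rule, action and key ring names are hypothetical.
# Inbound: AT-TLS manages the TLS connection for server port 5004.
TTLSRule                     ZCONInbound5004
{
  LocalPortRange             5004
  Direction                  Inbound
  TTLSGroupActionRef         ZCONGroup
  TTLSEnvironmentActionRef   ZCONServerEnv
}
# Outbound: a z/OS REST client connecting to either server port.
TTLSRule                     ZCONOutbound5002
{
  RemotePortRange            5002
  Direction                  Outbound
  TTLSGroupActionRef         ZCONGroup
  TTLSEnvironmentActionRef   ZCONClientEnv
}
TTLSRule                     ZCONOutbound5004
{
  RemotePortRange            5004
  Direction                  Outbound
  TTLSGroupActionRef         ZCONGroup
  TTLSEnvironmentActionRef   ZCONClientEnv
}
TTLSGroupAction              ZCONGroup
{
  TTLSEnabled                On
}
# HandshakeRole Server performs server authentication only; no client
# certificate is requested, matching the restriction noted for port 5004.
TTLSEnvironmentAction        ZCONServerEnv
{
  HandshakeRole              Server
  TTLSKeyringParmsRef        ZCONRing
}
TTLSEnvironmentAction        ZCONClientEnv
{
  HandshakeRole              Client
  TTLSKeyringParmsRef        ZCONRing
}
# Placeholder key ring name; replace with the ring defined in your security manager.
TTLSKeyringParms             ZCONRing
{
  Keyring                    ZCON.KEYRING
}
```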