API provider confidentiality and integrity
Learn how to maintain the confidentiality and integrity of the data that is handled by IBM® z/OS® Connect.
Before you study this topic, you should be familiar with the information in Overview of IBM z/OS Connect security.
Confidentiality ensures that an unauthorized party cannot obtain the information in the transferred or stored data. Typically, confidentiality is achieved by encrypting the data.
Integrity ensures that transmitted or stored information is not altered in an unauthorized or accidental manner.
Persistent connections can reduce CPU usage.
When TLS is used, CPU intensive processing occurs most during the handshake phase. The simplest way to reduce this cost is to enable persistent HTTP connections because a TLS handshake occurs only during the creation of the HTTP connection. By using this mechanism, the cost of the handshake is spread over multiple requests.
You can configure IBM z/OS Connect to limit the number
of persistent requests that can reuse an HTTP connection by setting the
maxKeepAliveRequests attribute on an
httpOptions element that is
referenced from the
httpEndpoint element. After the specified number of requests,
the HTTP connection and the underlying socket are closed. If HTTPS is used, a TLS handshake occurs
every time after that number of requests is reached. The default value of
maxKeepAliveRequests is -1, which means that the HTTP connection and the underlying
socket are never closed. However, an idle socket is still closed after the time specified in
persistTimeout. For more information, see httpEndpoint > httpOptions in the WebSphere® Application Server for Liberty documentation.
You can also increase the amount of time that a connection persists when it is not being used by
persistTimeout attribute on the
The default is 30 seconds.
Even after the persistent maximum number of requests or timeout is reached, the SSL session ID
can be used to avoid another costly handshake. During the handshake phase, IBM z/OS Connect and the REST client create an SSL session ID,
which is used for all the persistent HTTP connections. When another handshake is needed, and the
REST client calls IBM z/OS Connect with the same SSL
session ID as used in the previous handshake, IBM z/OS Connect can decide to do a null handshake. The null
handshake means that the connection reuses the same symmetric key as the previous session to avoid
the handshake phase. The connection is a prolongation of the persistent HTTP connections. The
control of the usage of the SSL session ID is done in the
points to an
sslOptions element where the
attribute establishes the time the encryption symmetric key for HTTP requests is used.
Additional trust can be established between the intermediate server and IBM z/OS Connect by using mutual TLS authentication, in which the two parties authenticate each other.
Configuring TLS for IBM z/OS Connect resources
- Basic authentication.
- OpenID Connect with JWT authentication. This takes precedence over TLS client authentication.
Configuring IBM z/OS Connect SSL elements
IBM z/OS Connect includes a default SSL configuration. This default configuration is typically customized to add your own keystores and truststores, configure whether client authentication is required or supported, or whether only server authentication is required.
For more information, see How to configure a TLS connection with RACF key rings and How to configure a TLS connection with PKCS12 keystores.
In a development environment, you might choose to start testing with the default SSL configuration. You can use this default configuration to get started quickly with TLS because a keystore and certificate are automatically created for you. For production environments, create your own key rings and certificates.
<keyStore id="defaultKeyStore" password="yourpassword" />
For more information about using the default SSL configuration, see SSL defaults in Liberty in the WebSphere Application Server for Liberty documentation.
If you require different TLS implementations, such as using different certificates for different clients, you can configure extra SSL configuration elements and HTTP endpoint elements, and associate the appropriate SSL configuration to the appropriate HTTP endpoint (HTTPS) ports.
- Cipher suites
- You can use cipher suites to control the cryptographic algorithms used on the TLS connection. For more information, see Cipher suites.
- Hardware cryptography
- You can use hardware cryptography with TLS connections. For more information, see Hardware cryptography.
- You can configure IBM z/OS Connect to meet the SP800-131a specification. For more information, see SP800-131a.