Getting started with AT-TLS

Assume you have a TCP client and server application pair running on z/OS® platforms. This application handles sensitive data, and you want this application to be used only with the TLS protocol. The server application runs under the job name of XYZSRV, and creates a passive TCP socket bound to IP address INADDR_ANY and port 5000. The client application runs as a command, issued by TSO or z/OS UNIX interactive users, and connects to port 5000.

To complete AT-TLS security setup for this sample environment, you need to create both a server key ring and a client key ring. The server key ring needs to contain the server certificate and any certificates used to sign it, and the server needs access to the private key of the server certificate. The client key ring needs the root certificate used to sign the server certificate, so that the client can validate the server's certificate chain. For a TLS/SSL primer and some step-by-step examples, see TLS/SSL security. For more information on managing key rings and certificates with RACF® and the RACDCERT command, see z/OS Security Server RACF Security Administrator's Guide. For detailed information on managing key rings and certificates with gskkyman, see z/OS Cryptographic Services System SSL Programming.
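The following REXX exec is an added example, not code from this page or from IBM, showing one way to build the two key rings described above with RACF RACDCERT commands. Everything specific in it is assumed: the user ID SRVUSR that job XYZSRV runs under, the client user ID CLTUSR, the ring names XYZSRVRING and XYZCLTRING, the certificate labels, the distinguished names, and the expiry dates. It must be run from a user ID that holds the RACF authority to issue RACDCERT and PERMIT, and it assumes the FACILITY class is active and RACLISTed.

```rexx
/* REXX */
/* Added example (not from the page): build the AT-TLS server and client  */
/* key rings with RACDCERT. SRVUSR, CLTUSR, ring names, labels, DNs and   */
/* dates are assumed values; replace them with your own.                  */

/* 1. Create a local root CA certificate, owned by RACF's CERTAUTH.       */
CALL RacfCmd "RACDCERT CERTAUTH GENCERT" ,
  "SUBJECTSDN(CN('Example Root CA') O('Example Corp') C('US'))" ,
  "WITHLABEL('EXAMPLE ROOT CA')" ,
  "NOTAFTER(DATE(2034-12-31))"

/* 2. Create the server certificate under the user ID that XYZSRV runs    */
/*    with, signed by the root CA. RACF keeps the private key with the    */
/*    owning user ID, which is how the server gets access to it.          */
CALL RacfCmd "RACDCERT ID(SRVUSR) GENCERT" ,
  "SUBJECTSDN(CN('xyzsrv.example.com') O('Example Corp') C('US'))" ,
  "WITHLABEL('XYZSRV CERT')" ,
  "SIGNWITH(CERTAUTH LABEL('EXAMPLE ROOT CA'))" ,
  "NOTAFTER(DATE(2026-12-31))"

/* 3. Server key ring: the server certificate as the default PERSONAL     */
/*    entry, plus the root CA that signed it as a CERTAUTH entry.         */
CALL RacfCmd "RACDCERT ID(SRVUSR) ADDRING(XYZSRVRING)"
CALL RacfCmd "RACDCERT ID(SRVUSR) CONNECT(ID(SRVUSR) LABEL('XYZSRV CERT')" ,
  "RING(XYZSRVRING) USAGE(PERSONAL) DEFAULT)"
CALL RacfCmd "RACDCERT ID(SRVUSR) CONNECT(CERTAUTH LABEL('EXAMPLE ROOT CA')" ,
  "RING(XYZSRVRING) USAGE(CERTAUTH))"

/* 4. Client key ring: only the root CA certificate, which is all the     */
/*    client needs to validate the server's certificate chain.            */
CALL RacfCmd "RACDCERT ID(CLTUSR) ADDRING(XYZCLTRING)"
CALL RacfCmd "RACDCERT ID(CLTUSR) CONNECT(CERTAUTH LABEL('EXAMPLE ROOT CA')" ,
  "RING(XYZCLTRING) USAGE(CERTAUTH))"

/* 5. Let each user ID read its own ring when AT-TLS opens it, then       */
/*    refresh the in-storage FACILITY profiles so the PERMITs take effect.*/
CALL RacfCmd "PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY)" ,
  "ID(SRVUSR CLTUSR) ACCESS(READ)"
CALL RacfCmd "PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY)" ,
  "ID(SRVUSR CLTUSR) ACCESS(READ)"
CALL RacfCmd "SETROPTS RACLIST(FACILITY) REFRESH"

/* 6. Show what each ring contains before pointing AT-TLS policy at it.   */
CALL RacfCmd "RACDCERT ID(SRVUSR) LISTRING(XYZSRVRING)"
CALL RacfCmd "RACDCERT ID(CLTUSR) LISTRING(XYZCLTRING)"
EXIT 0

/* Issue one TSO command and stop on the first failure, so a later step   */
/* never runs against a ring or certificate that was not created.         */
RacfCmd: PROCEDURE
  PARSE ARG cmd
  ADDRESS TSO cmd
  IF rc <> 0 THEN DO
    SAY 'Command failed with RC' rc':' cmd
    EXIT rc
  END
RETURN
```

Once the rings exist, the AT-TLS policy refers to them in the form userid/ringname (here SRVUSR/XYZSRVRING on the server side and CLTUSR/XYZCLTRING on the client side); the LISTRING output in step 6 is the quickest way to confirm that the server ring shows the server certificate as DEFAULT and that both rings carry the root CA before you enable the policy.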