AT-TLS currency with System SSL with APAR PH49284

z/OS® V2R5 Communications Server with APAR PH49284 enhances AT-TLS support.

z/OS V2R5 Communications Server with APAR PH49284 provides AT-TLS support for the following functions:
  • TLS Version 1.3 sysplex session ticket support
  • Domain-based server certificate validation during an SSL/TLS session negotiation

With APAR PH53064, you can configure these functions in IBM Network Configuration Assistant for z/OS Communications Server.

Dependencies:
  • To use TLS Version 1.3 sysplex session tickets:
    • z/OS V2R5 System SSL APAR OA63252 is required.
    • GSKSRVR must be started for all systems in the sysplex acting as AT-TLS servers for the workload.
  • To use domain-based server certificate validation, z/OS V2R5 System SSL APAR OA63164 is required.
Result:

In V2R5, TLSv1.3 performance improves significantly over V2R4 due to optimizations in cryptographic software and hardware acceleration of the RSASSA-PSS signature algorithm if you are using CryptoExpress adapters. However, you should still be aware that the CPU consumption of the TCP/IP address space will increase when you enable TLSv1.3. While TLSv1.3 provides stronger cryptographic protection for your TCP connections, it inherently uses more cryptographic operations and therefore consumes more CPU than TLSv1.2 when using comparable cipher suites and key exchange algorithms.

The magnitude of the CPU increase depends on a variety of factors, including the cipher suites you were using under TLSv1.2 (or earlier) and the level of hardware you are using (in the z15 and later models, CPACF acceleration of ECC operations can benefit TLSv1.3 performance).

Using AT-TLS currency with System SSL

To use AT-TLS currency with System SSL, complete the appropriate tasks in Table 1.

Table 1. Task topics to enable AT-TLS currency with System SSL
Task: Understand the benefits and setup required for sysplex TLS Version 1.3 session ticket caching

Task: Enable sysplex-wide TLSv1.3 session ticket caching for an AT-TLS server with the GSK_SYSPLEX_SESSION_TICKET_CACHE parameter on the TTLSGskAdvancedParms statement.

Task: Understand the benefits of domain-based server certificate validation as defined by RFC 6125
Reference: Enabling an AT-TLS client to verify the server identity during the TLS handshake section in Validating a host name against a certificate in z/OS Communications Server: IP Configuration Guide

Task: Enable domain-based server certificate validation by providing one or more fully qualified DNS domain names on the AT-TLS client rule to use for verification
  • For a server certificate that includes a Subject Alternative Name (SAN) extension with a DNS domain name, provide references using the HostReferenceIdDNS parameter
  • For a server certificate with DNS domain name specified in the DN common name (and that does not include a SAN extension with a DNS domain name), provide references using the HostReferenceIdCN parameter
  • Values can be specified for both reference lists
  • If the server certificate can contain a wildcarded DNS domain name, enable wildcard support with the HostRefWildcardValidation parameter.

Task: Display AT-TLS policy using the z/OS UNIX pasearch command to query information from the Policy Agent.
Reference: The z/OS UNIX pasearch command: Display policies in z/OS Communications Server: IP System Administrator's Commands

Task: Display AT-TLS policy for an active connection using the Netstat TTLS/-x command.
Reference: Netstat TTLS/-x report in z/OS Communications Server: IP System Administrator's Commands
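
The matching rules behind the domain-based validation tasks in Table 1, shown as an added Python sketch that is not IBM's or System SSL's code. It assumes RFC 6125 behaviour (the CN reference list is consulted only when the certificate has no SAN DNS name) and a conservative wildcard rule; the function names and all host names are constructed for illustration.

```python
# Added sketch of RFC 6125-style matching; names are hypothetical, not System SSL code.

def name_matches(presented, reference, allow_wildcard):
    """Compare one DNS name from the certificate with one configured reference name."""
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if len(p) != len(r) or "" in p:
        return False
    if p[0] == "*":
        # Assumption: a wildcard counts only as the whole left-most label, only when
        # enabled, and only above at least two further labels (rejects "*.com").
        return allow_wildcard and len(p) >= 3 and p[1:] == r[1:]
    return p == r


def validate_server_identity(san_dns, subject_cn, ref_dns, ref_cn, allow_wildcard=False):
    """Return (ok, reason).

    san_dns    -- dNSName values from the certificate's SAN extension (may be empty)
    subject_cn -- common name from the subject DN, or None
    ref_dns    -- reference names in the role of HostReferenceIdDNS
    ref_cn     -- reference names in the role of HostReferenceIdCN
    """
    if san_dns:
        # A SAN DNS name is present, so the CN is never consulted (RFC 6125, 6.4.4).
        for presented in san_dns:
            for ref in ref_dns:
                if name_matches(presented, ref, allow_wildcard):
                    return True, f"SAN {presented} matches {ref}"
        return False, "no SAN DNS name matches a DNS reference"
    if subject_cn:
        for ref in ref_cn:
            if name_matches(subject_cn, ref, allow_wildcard):
                return True, f"CN {subject_cn} matches {ref}"
    return False, "no CN matches a CN reference"


if __name__ == "__main__":
    # Constructed certificates and reference lists, for illustration only.
    cases = [
        (["*.example.com"], "old.example.com", ["api.example.com"], ["old.example.com"], False),
        (["*.example.com"], "old.example.com", ["api.example.com"], ["old.example.com"], True),
        ([], "host.example.com", ["api.example.com"], ["host.example.com"], False),
    ]
    for case in cases:
        print(case, "->", validate_server_identity(*case))
```

The first constructed case fails even though the CN matches a CN reference, because the certificate carries a SAN DNS name and wildcard matching is off.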