AT-TLS support for TLS v1.3
z/OS® V2R4 Communications Server adds support for TLS Version 1.3 for Application Transparent Transport Layer Security (AT-TLS). This includes support for the following new TLSv1.3 cipher suites: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, and TLS_CHACHA20_POLY1305_SHA256.
z/OS V2R4 Communications Server enhances the z/OS Encryption Readiness Technology (zERT) function to detect and report TLSv1.3 security session information in SMF type 119 subtype 11 and subtype 12 records. The IBM® zERT Network Analyzer z/OSMF plug-in is also enhanced to accept and display TLSv1.3 information and to allow IBM zERT Network Analyzer users to query database content using the new TLSv1.3 security session characteristics.
Support for TLS Version 1.3 is provided only for AT-TLS. Native TLS support for the FTP server and client, the TN3270E server, and DCAS is not updated to support TLSv1.3.
- The cipher suites supported for TLS Version 1.2 and earlier are not supported for TLS Version 1.3, and the cipher suites supported for TLS Version 1.3 are not supported by earlier versions of TLS. If TLSv1.3 and earlier versions are both enabled, the configured list of cipher suites must include values supported for TLSv1.3 as well as values supported by the earlier TLS versions.
- The FIPS 140-2 standard does not define support for TLSv1.3 or the new cipher suites defined for it. Enabling both the TLSv1.3 protocol and FIPS support results in an error.
The Integrated Cryptographic Services Facility (ICSF) must be active to provide support for all TLSv1.3 cipher suites.
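As an added example (not from the page and not IBM's own tooling), the following Python lint applies the two restrictions above to a constructed AT-TLS policy fragment: the stanza and keyword names (TTLSEnvironmentAdvancedParms with the TLSv1.3/TLSv1.2 version switches, TTLSCipherParms with V3CipherSuites, TTLSGroupAdvancedParms with FIPS140) are assumed AT-TLS syntax, and the parser is deliberately simplified.

```python
import re

# Suites the page names as TLSv1.3-only; any other suite counts as pre-1.3 here.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"}

def parse_policy(text):
    """Parse flat 'Type [label] { keyword value ... }' stanzas (no nesting)."""
    stanzas = {}
    for m in re.finditer(r"(\w+)(?:[ \t]+(\S+))?\s*\{([^}]*)\}", text):
        tokens = m.group(3).split()  # keyword/value pairs, any line layout
        settings = stanzas.setdefault(m.group(1), {})
        for key, value in zip(tokens[::2], tokens[1::2]):
            settings.setdefault(key, []).append(value)
    return stanzas

def check_policy(text):
    """Return findings for the two restrictions above (empty list = clean)."""
    st = parse_policy(text)
    adv = st.get("TTLSEnvironmentAdvancedParms", {})
    grp = st.get("TTLSGroupAdvancedParms", {})
    suites = set(st.get("TTLSCipherParms", {}).get("V3CipherSuites", []))
    # Assumption: an omitted keyword counts as Off here; real AT-TLS has its own defaults.
    on = lambda d, k: d.get(k, ["Off"])[-1].lower() == "on"
    v13 = on(adv, "TLSv1.3")
    older = any(on(adv, k) for k in ("TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3"))
    findings = []
    if v13 and not suites & TLS13_SUITES:
        findings.append("TLSv1.3 enabled but no TLSv1.3 cipher suite configured")
    if older and not suites - TLS13_SUITES:
        findings.append("pre-TLSv1.3 version enabled but only TLSv1.3 suites configured")
    if v13 and on(grp, "FIPS140"):
        findings.append("TLSv1.3 and FIPS140 both enabled: AT-TLS rejects this combination")
    return findings

# Constructed sample fragment (not from the page); stanza/keyword names are assumed AT-TLS syntax.
POLICY = """\
TTLSGroupAdvancedParms grpAdv { FIPS140 Off }
TTLSEnvironmentAdvancedParms envAdv
{
  TLSv1.3 On
  TLSv1.2 On
}
TTLSCipherParms ciphers
{
  V3CipherSuites TLS_AES_128_GCM_SHA256
  V3CipherSuites TLS_AES_256_GCM_SHA384
}
"""
```

Running `check_policy(POLICY)` reports that TLSv1.2 is enabled with only TLSv1.3 suites listed; adding a pre-1.3 suite clears it, and switching FIPS140 to On produces the FIPS finding instead.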
Task/Procedure | Reference |
---|---|
Enable TLS v1.3 in AT-TLS policy by using the Network Configuration Assistant (NCA) or manual configuration. | See the following topics: |
Optionally, display the policy-based networking information. Use the pasearch command to display AT-TLS policies. | The z/OS UNIX pasearch command: Display policies in z/OS Communications Server: IP System Administrator's Commands |
Optionally, display the AT-TLS negotiated and configured parameters in use for a TCP connection. | Netstat TTLS/-x report in z/OS Communications Server: IP System Administrator's Commands |
Optionally, view updated AT-TLS information in the following SMF type 119 records: | Type 119 SMF records in z/OS Communications Server: IP Programmer's Guide and Reference |
Optionally, retrieve updated AT-TLS information for a connection with the TCP/IP callable NMI (EZBNMIFR). | TCP/IP callable NMI (EZBNMIFR) in z/OS Communications Server: IP Programmer's Guide and Reference |