AT-TLS support for TLS v1.3

z/OS® V2R4 Communications Server adds support for TLS Version 1.3 for Application Transparent Transport Layer Security (AT-TLS). This includes support for the following new TLSv1.3 cipher suites: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, and TLS_CHACHA20_POLY1305_SHA256.

z/OS V2R4 Communications Server enhances the z/OS Encryption Readiness Technology (zERT) function to detect and report TLSv1.3 security session information using SMF Type 119 subtype 11 and 12 records. The IBM® zERT Network Analyzer z/OSMF plug-in is also enhanced to accept and display TLSv1.3 information and to allow IBM zERT Network Analyzer users to query database content using the new TLSv1.3 security session characteristics.

Restrictions:

Support for TLS Version 1.3 is provided only for AT-TLS. Native TLS support for the FTP server and client, the TN3270E server, and DCAS is not updated to support TLSv1.3.

Incompatibilities:

The cipher suites supported for TLS Version 1.2 and earlier are not supported for TLS Version 1.3. And the cipher suites supported for TLS Version 1.3 are not supported by earlier versions of TLS. If TLSv1.3 and earlier versions are enabled, the configured list of supported cipher suites must include values supported for TLSv1.3 and values supported by earlier TLS versions.
The FIPS 140-2 standard does not define support for TLSv1.3 or the new cipher suites defined for it. Enabling both the TLSv1.3 protocol and FIPS support results in an error.

Dependency:

The Integrated Cryptographic Services Facility (ICSF) must be active to provide support for all TLSv1.3 cipher suites.

Table 1. AT-TLS support for TLS v1.3
Task/Procedure	Reference
Enable TLS v1.3 in AT-TLS policy by using the Network Configuration Assistant (NCA) or manual configuration.	See the following topics: IBM Configuration Assistant for z/OS Communications Server online helps AT-TLS policy statements in z/OS Communications Server: IP Configuration Reference Using TLSv1.3 protocol support in z/OS Communications Server: IP Configuration Guide
Optionally, display the policy-based networking information. Use the pasearch command to display AT-TLS policies.	The z/OS UNIX pasearch command: Display policies in z/OS Communications Server: IP System Administrator's Commands
Optionally, display the AT-TLS negotiated and configured parameters in use for a TCP connection.	Netstat TTLS/-x reportin z/OS Communications Server: IP System Administrator's Commands
Optionally, view updated AT-TLS information in the following SMF type 119 records: TCP connection termination record (subtype 2) FTP records, including: subtype 3 subtype 70 subtype 100 subtype 101 subtype 102 subtype 103 subtype 104 zERT connection detail record (subtype 11) zERT connection summary record (subtype 12) CSSMTP connection record (subtype 49)	Type 119 SMF records in z/OS Communications Server: IP Programmer's Guide and Reference
Optionally, retrieve updated AT-TLS information for a connection with the TCP/IP callable NMI (EZBNMIFR).	TCP/IP callable NMI (EZBNMIFR) in z/OS Communications Server: IP Programmer's Guide and Reference

To find all related topics about AT-TLS support for TLS v1.3, see Table 2.

Table 2. All related topics about AT-TLS support for TLS v1.3
Book name	Topics
z/OS Communications Server: IP Sockets Application Programming Interface Guide and Reference	IOCTL Sockets return codes (ERRNOs)
z/OS Communications Server: IP CICS Sockets Guide	Sockets return codes (ERRNOs)
z/OS Communications Server: IP IMS Sockets Guide	Sockets return codes (ERRNOs)
z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)	EZD1282I EZD1283I EZD1286I
z/OS Communications Server: IP Programmer's Guide and Reference	zERT connection detail record (subtype 11) zERT Summary record (subtype 12) Application Transparent Transport Layer Security (AT-TLS) CICS® transaction considerations Starting AT-TLS on a connection Steps for implementing a controlling server application SIOCTTLSCTL ioctl return values TCP connection termination record (subtype 2) FTP client transfer completion record (subtype 3) FTP server transfer completion record (subtype 70) FTP server logon failure record (subtype 72) z/OS Communications Server: IP Programmer's Guide and Reference FTP client transfer initialization record (subtype 101) FTP client login failure record (subtype 102) FTP client session record (subtype 103) FTP server session record (subtype 104) FTP client application data format for the control connection FTP client application data format for the data connection FTP server application data format for the control connection FTP server application data format for the data connection Application data format for CSSMTP Application data format for Telnet Type 119 SMF records TCP/IP callable NMI (EZBNMIFR)
z/OS Communications Server: IP System Administrator's Commands	COnn report examples Report field descriptions The z/OS UNIX pasearch command: Display policies
z/OS Communications Server: IP Configuration Guide	Security Existing workload TLS and SSL TN3270E Telnet server security Multiple port support Secure and non-secure connections using a single Telnet port Express Logon Feature Application Transparent Transport Layer Security Cipher suite specification Protocol versions Using TLSv1.3 protocol support Certificate validation Encryption key refresh Handshake timer Wireless performance Certificate selection Session caching AT-TLS access control considerations Client application model What are the limitations for zERT discovery? AT-TLS controlling application considerations Client application model Server application model Forked server application model
z/OS Communications Server: IP Configuration Reference	TTLSConnectionAdvancedParms statement TTLSEnvironmentAction statement TTLSEnvironmentAdvancedParms statement TTLSSignatureParms statement TTLSGskAdvancedParms statement TTLSCipherParms statement TTLSGskOcspParms statement General syntax rules for Policy Agent AT-TLS policy statements