Enabling TLS Connection to IBM AD Validation Server
Before you begin
Before you set up Application Transparent Transport Layer Security (AT-TLS) in IBM® AD Connect for Mainframe, make sure that the Transport Layer Security (TLS) connection is already enabled in IBM AD Validation Server. For instructions, see Enabling TLS Connection between IBM AD Validation Server and IBM AD Connect for Mainframe.
About this task
For IBM AD V5.1.0.7 and earlier versions, the communication between IBM AD Validation Server and IBM AD Connect for Mainframe is an unencrypted socket session. Beginning with version 5.1.0.8, optional secure communication over the TLS protocol is supported by using the AT-TLS feature of IBM z/OS® Communications Server.
The TLS protocol is a client/server cryptographic protocol. It is based on the earlier Secure Sockets Layer (SSL) specifications developed by Netscape Corporation for securing communications over Transmission Control Protocol/Internet Protocol (TCP/IP) sockets. The TLS and SSL protocols are designed to run at the application level; therefore, an application typically must be designed and coded to use TLS/SSL protection. On z/OS, the System SSL component of the Cryptographic Services element implements the full suite of SSL and TLS protocols (SSL V2, SSL V3, TLS V1.0, TLS V1.1, and TLS V1.2 as of this writing), including a robust set of application programming interfaces (APIs) for z/OS C and C++ applications.
To make the TLS or SSL protocol more accessible to z/OS applications, z/OS Communications Server V1R7 introduced the AT-TLS feature. AT-TLS invokes TLS or SSL primitives in the TCP layer of the TCP/IP stack on behalf of application programs, based on policy files that describe the application traffic and how to protect it. With AT-TLS, z/OS applications that are written in almost any language can get full TLS or SSL protection without source code changes, because System SSL is invoked within the transport layer of the TCP/IP stack rather than by the application itself.
AT-TLS policy is read, parsed, and installed into the TCP/IP stack by the z/OS Communications Server Policy Agent (PAGENT), which implements policy-based networking for the z/OS environment. The application continues to send and receive clear text over the socket, but the data that is sent over the network is protected by the System SSL component. For more information about policy-based networking, see z/OS Communications Server V2R3: IP Configuration Guide, SC27-3650-30.
- Configure PAGENT as a started task on z/OS.
- Define the security authorization for PAGENT.
- Define PAGENT configuration files.
- Configure AT-TLS.
- Store the personal certificate that represents IBM AD Validation Server.
- Import the personal certificate to the RACF® database.
- Set up the PAGENT policy for the port that is used by IBM AD Validation Server.
- Refresh the PAGENT policy.
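The following AT-TLS policy skeleton illustrates the "set up the PAGENT policy" step. It is added here as an example and is not taken from the IBM AD documentation; the rule, action and keyring names, the port 46000, and the outbound/client handshake role are assumptions that must be replaced with the site's own values.

```text
# Added example: AT-TLS policy fragment for the PAGENT TTLS configuration file.
# Assumption: IBM AD Connect for Mainframe opens the connection to the
# Validation Server (outbound, client role) and verifies the Validation Server
# certificate that was imported into RACF and connected to the keyring below.
# If the mainframe side is the listener instead, use Direction Inbound,
# LocalPortRange, HandshakeRole Server and a personal certificate for the listener.
TTLSRule                       ADValidationServerRule
{
  RemotePortRange              46000            # assumed Validation Server port
  Direction                    Outbound
  Priority                     255
  TTLSGroupActionRef           ADValidationGroup
  TTLSEnvironmentActionRef     ADValidationEnv
}

TTLSGroupAction                ADValidationGroup
{
  TTLSEnabled                  On
  Trace                        2                # errors only; raise while debugging
}

TTLSEnvironmentAction          ADValidationEnv
{
  HandshakeRole                Client
  TTLSKeyringParms
  {
    Keyring                    ADKeyring        # assumed RACF keyring name
  }
  TTLSEnvironmentAdvancedParms
  {
    # Only TLS V1.2 is allowed; the older protocols that System SSL still
    # implements are switched off so that a downgrade cannot be negotiated.
    SSLv2                      Off
    SSLv3                      Off
    TLSv1                      Off
    TLSv1.1                    Off
    TLSv1.2                    On
    ApplicationControlled      Off
  }
  TTLSCipherParms
  {
    # Suggested AEAD suites; confirm they are available at the installed
    # System SSL level before activating the policy.
    V3CipherSuites             TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    V3CipherSuites             TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  }
}
```

After the policy is refreshed, a TLS handshake failure shows up in the PAGENT and TCP/IP job logs; checking Trace output there is the quickest way to confirm that the rule actually matched the Validation Server traffic.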