Question & Answer
Question
I am looking for confirmation that in order to use TLS V1.2 enabled for TN3270 or FTP, the security policy must be controlled using AT-TLS with Policy Agent. Since we do not currently implement AT-TLS at our installation, we were hoping TN3270 and FTP support TLS 1.2 natively, in other words, without needing to implement AT-TLS.
Answer
In the short term, you can enable TLS V1.2 support in TN3270 and FTP without implementing AT-TLS by setting the GSK_PROTOCOL_TLSV1_2 environment variable to either 1 or ON. But for the long term, you should convert to AT-TLS for all SSL communication (if allowed by the application). As new functions/requirements are introduced by System SSL, AT-TLS (and not FTP and TN3270) will get the associated enhancements needed.
In the IBM Redbooks publication SG24-8140-00, IBM z/OS Version 2 Release 1 Technical Updates, you will see that System SSL was upgraded to use TLS 1.2, and it documents that setting the environment variable GSK_PROTOCOL_TLSV1_2 to either 1 or ON allows anything using System SSL to use TLS 1.2.
See http://www.redbooks.ibm.com/abstracts/sg248140.html?Open
See also the SSL Programming manual
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.gska100sssl2env999503.htm
To enable TLS 1.2 for FTP, code your FTP JCL as follows:
//FTPD EXEC PGM=&MODULE,REGION=4096K,TIME=NOLIMIT,
// PARM=('POSIX(ON) ALL31(ON)',
// 'ENVAR("_CEE_ENVFILE=DD:STDENV")/')
//STDENV DD DISP=SHR,DSN=HLQ.FTP.STDENV
The data set pointed to by STDENV should be a sequential data set with RECFM VB containing the environment variable GSK_PROTOCOL_TLSV1_2=ON.
To enable TLS 1.2 for TN3270, add a //CEEOPTS DD statement to the TN3270 proc referencing a RECFM=FB,LRECL=80 data set (or member) containing the ENVAR option that specifies the environment variable GSK_PROTOCOL_TLSV1_2=1. For more information, see TechNote 1177026 at: http://www.ibm.com/support/docview.wss?uid=swg21177026
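One way to audit the two settings described above before restarting the servers, as an added example that is not IBM code: the script parses the text of the STDENV data set (NAME=VALUE records) and of the CEEOPTS input (an ENVAR option) and reports whether GSK_PROTOCOL_TLSV1_2 is set to one of the two values this page names. The function names and sample records are constructed for illustration, and the "padded" result rests on the assumption that blanks padding a fixed-length record would be read as part of the value, which is the usual reason for keeping STDENV as RECFM VB.

```python
import re

VAR = "GSK_PROTOCOL_TLSV1_2"
ENABLED = {"1", "ON"}  # the two values named in the answer above

def envfile_vars(text):
    """Parse a _CEE_ENVFILE data set: one NAME=VALUE per record."""
    found = {}
    for record in text.splitlines():
        name, sep, value = record.partition("=")
        if sep and name.strip():
            found[name.strip()] = value  # keep padding so it can be reported
    return found

def ceeopts_vars(text):
    """Parse ENVAR("NAME=VALUE", ...) options from CEEOPTS input."""
    found = {}
    for body in re.findall(r"ENVAR\s*\(([^)]*)\)", text, re.IGNORECASE):
        for item in re.findall(r"""["']([^"']*)["']""", body):
            name, sep, value = item.partition("=")
            if sep:
                found[name.strip()] = value
    return found

def tls12_status(variables):
    """Classify the GSK_PROTOCOL_TLSV1_2 setting found in a parsed data set."""
    raw = variables.get(VAR)
    if raw is None:
        return "missing"
    if raw in ENABLED:
        return "enabled"
    if raw.strip() in ENABLED:
        return "padded"  # right value, but blanks follow it (assumed FB padding)
    return "not-enabled"

# Constructed sample contents, as they would look once downloaded as text.
STDENV_VB = "GSK_PROTOCOL_TLSV1_2=ON\n"
STDENV_FB = "GSK_PROTOCOL_TLSV1_2=ON".ljust(80) + "\n"
CEEOPTS_FB = 'ENVAR("GSK_PROTOCOL_TLSV1_2=1")'.ljust(80) + "\n"

if __name__ == "__main__":
    print("FTP STDENV (VB):", tls12_status(envfile_vars(STDENV_VB)))
    print("FTP STDENV (FB):", tls12_status(envfile_vars(STDENV_FB)))
    print("TN3270 CEEOPTS :", tls12_status(ceeopts_vars(CEEOPTS_FB)))
```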
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date:
12 April 2018
UID
dwa1250406