z/OS Communications Server


A high-performance foundation for building and deploying networking applications on z/OS

What’s new with AT-TLS when it comes to z/OS 3.1 Communications Server?

By Flora Gui posted Mon December 11, 2023 03:20 AM


One of the most popular security features of z/OS Communications Server is Application Transparent TLS (AT-TLS), which uses policy-based rules to apply System SSL protection to z/OS TCP/IP applications without requiring any changes to those applications. The latest release, IBM z/OS 3.1 Communications Server, introduces a number of enhancements to AT-TLS so that applications have access to the latest System SSL capabilities. These enhancements include:

  • TLSv1.3 sysplex-wide session resumption
  • Domain-based server certificate validation during TLS handshake
  • x25519 and x448 key exchange and Extended Master Secret support for TLSv1.2
  • Support to restrict server-side key exchange algorithms

Check out the details!

z/OS® 3.1 Communications Server provides AT-TLS support for TLS Version 1.3 sysplex session ticket caching. This support improves performance by allowing handshake session ticket information to be shared among like servers listening on the same port, whether within a single system or across multiple systems in a sysplex, so that a client can resume an earlier session with any of those servers instead of performing a full handshake. AT-TLS support is also provided for domain-based server certificate validation during SSL/TLS session negotiation, which adds a layer of security by ensuring that servers only accept certificates from authorized issuers.

Dependency: To use TLS Version 1.3 sysplex session tickets, GSKSRVR must be started for all systems in the sysplex acting as AT-TLS servers for the workload.

Related APAR: TCPIP APAR PH49284 and Network Configuration Assistant APAR PH53064 for z/OS V2R5.

Click here to learn more about AT-TLS support for TLS Version 1.3 sysplex session ticket caching and domain-based server certificate validation during TLS handshake on IBM Docs.
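To make the validation concept concrete, here is an added illustration (not IBM's AT-TLS code, and not an AT-TLS policy fragment) of the two checks such a feature performs after the TLS library has already verified the certificate chain: that the server certificate was issued by an authorized issuer, and that its subject alternative names cover the host name the client asked for. It assumes the peer certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the certificate data, host names and issuer names are constructed for the example.

```python
"""Domain-based server certificate validation, illustrated on a peer-certificate
dict in the shape returned by ssl.SSLSocket.getpeercert(). Added example only;
assumes the TLS library has already verified the chain signature and validity."""


def _rdn_to_dict(rdn_tuple):
    """Flatten getpeercert()'s nested ((('countryName', 'US'),), ...) into a dict."""
    out = {}
    for rdn in rdn_tuple:
        for key, value in rdn:
            out[key] = value
    return out


def _hostname_matches(pattern, hostname):
    """RFC 6125-style match: exact name, or one wildcard covering only the leftmost label."""
    pattern = pattern.lower()
    hostname = hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        plabels = pattern.split(".")
        hlabels = hostname.split(".")
        # Same number of labels, and everything after the wildcard must match.
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return False


def validate_server_cert(peercert, expected_host, authorized_issuers):
    """Return (ok, reason). ok is True only if the issuer is on the allow-list
    and a SAN DNS entry (or, failing that, the subject CN) matches expected_host."""
    issuer = _rdn_to_dict(peercert.get("issuer", ()))
    issuer_cn = issuer.get("commonName")
    if issuer_cn not in authorized_issuers:
        return False, f"issuer {issuer_cn!r} is not an authorized issuer"

    dns_names = [v for (k, v) in peercert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        # Only fall back to the subject CN when the certificate carries no SAN.
        subject = _rdn_to_dict(peercert.get("subject", ()))
        cn = subject.get("commonName")
        dns_names = [cn] if cn else []

    if not any(_hostname_matches(name, expected_host) for name in dns_names):
        return False, f"no certificate name in {dns_names} matches {expected_host!r}"
    return True, "ok"


# Constructed sample certificate (not a real certificate; names are placeholders).
SAMPLE_CERT = {
    "subject": ((("commonName", "ftp.example.com"),),),
    "issuer": (
        (("organizationName", "Example Corp"),),
        (("commonName", "Example Internal CA"),),
    ),
    "subjectAltName": (("DNS", "ftp.example.com"), ("DNS", "*.internal.example.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
AUTHORIZED_ISSUERS = {"Example Internal CA"}

if __name__ == "__main__":
    for host in ("ftp.example.com", "db1.internal.example.com", "evil.example.net"):
        print(host, validate_server_cert(SAMPLE_CERT, host, AUTHORIZED_ISSUERS))
    # Same certificate, but the issuer is not on the allow-list: rejected.
    print(validate_server_cert(SAMPLE_CERT, "ftp.example.com", {"Some Other CA"}))
```

The issuer check is deliberately done before the name check, so a certificate from an unauthorized issuer is rejected even when its names match, and the wildcard match refuses to span more than one label, which is the usual trap in hand-written host-name comparisons.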

z/OS 3.1 Communications Server also provides AT-TLS support for a TLSv1.2 server to specify which elliptic curves can be used for the handshake key exchange when an ephemeral ECDH (Elliptic Curve Diffie-Hellman) cipher is used. Support is also added for the x25519 and x448 curves for TLSv1.2 handshake key exchange. These updates also apply to TLSv1.0 and TLSv1.1. With these updates, organizations gain stronger security than the previously supported key exchange algorithms provided, and an additional layer of protection against cryptographic attacks.

Restriction: TLS V1.0, TLS V1.1, and TLS V1.2 server configurations can limit the acceptable elliptic curves for the key exchange.

Related APAR: TCPIP APAR PH45902 and Network Configuration Assistant APAR PH47400 for z/OS V2R5.

Click here to learn more about AT-TLS support for x25519 and x448 key exchange for TLSv1.2 on IBM Docs.

Overall, the AT-TLS enhancements in z/OS 3.1 Communications Server provide organizations with a more secure, reliable, and efficient way to communicate with their partners and customers.

To learn more about AT-TLS, visit AT-TLS information hub (https://ibm.biz/thingsaboutattls).
