This article is the second in a series that describes the different z/OS TLS providers, how those providers expose their settings, which providers are used by some common IBM z/OS-based products, and some examples of changing very specific TLS settings for each provider and product.
For a complete listing of all the articles, please refer to the anchor article entitled z/OS TLS/SSL Configuration One-stop information hub.
If you have a comment or question about this article or any in the series, please post it to the z/OS Communications Server discussion group on the IBM Z and LinuxONE Community. For the quickest response, please prefix your discussion subject line with “TLS Settings:”.
For details on setting TLS parameters for ISV products, please consult the appropriate vendor documentation.
A look at the different z/OS TLS providers
As shown in Figure 1, z/OS provides three TLS implementations. The left side shows an application using System SSL APIs, the middle shows an application using AT-TLS, and the right shows a Java application using the Java Secure Sockets Extension (JSSE).
Figure 1 z/OS's three TLS providers
Each provider uses its own mechanisms to set its specific TLS attributes. In some cases, there are also application/middleware-specific mechanisms. You will find a brief introduction to each of these providers in the following paragraphs, as well as deep-dive discussion of specific providers in other articles in this series.
System SSL
System SSL is part of the z/OS Cryptographic Services element. System SSL provides a complete TLS/SSL implementation through a set of APIs available to z/OS Language Environment (LE) C/C++ programs running under z/OS UNIX System Services (USS, or z/OS UNIX).
System SSL runs under the operational and security environment of the invoking C/C++ application. It uses CPACF directly for a few cryptographic algorithms in non-FIPS-140 mode. It also makes heavy use of ICSF, regardless of FIPS-140 mode, for CPACF acceleration and Crypto Express offload of common cryptographic operations.
There are two primary ways of configuring TLS settings through System SSL:
- All settings can be controlled through parameters on API calls
- Most settings are available through USS environment variables, but these are overridden if specified by API parameters.
We will go into more details on this topic in another article.
See the z/OS Cryptographic Services System SSL Programming book for more details on System SSL setup, capabilities, API, and a complete list of settings.
Some common products and components that call System SSL directly are:
- IBM Sterling Connect:Direct
- IBM MQ
- IBM CICS (in certain configurations)
- IBM Apache HTTP Server
- IBM Tivoli Directory (z/OS LDAP) Server
- IBM Content Manager On Demand
- z/OS Communications Server Policy Agent (when acting as a policy client)
- z/OS Communications Server FTP client (when so configured)
Java Secure Sockets Extension (JSSE)
JSSE is a standard part of the Java Platform, Standard Edition. JSSE provides a set of Java classes that implement the TLS protocol for any Java language program.
On z/OS, the standard provider name is IBMJSSE2. JSSE depends heavily on the Java Cryptography Extension (JCE). There are JCE providers that provide access to RACF keyrings, ICSF, CPACF and Crypto Express adapters, so JSSE is fully capable of using the advanced cryptographic capabilities of the IBM Z platform.
There are two primary ways of configuring TLS settings through JSSE:
- All settings can be controlled through parameters on API calls
- Many settings are available through Java properties in the relevant java.security file, but these are overridden if specified by API parameters.
We will go into more details on this topic in another article.
See the IBM SDK, Java Technology Edition 8 documentation on JSSE2 for details:
Note: documentation from “standard” Java sites (like Oracle’s) may contain some configuration parameters that are not available on z/OS, so be sure to use the above references as the authority.
Common workloads that use JSSE are:
- Anything written in Java
- Workloads that run on WebSphere Application Server (Liberty or traditional), such as z/OSMF
Application Transparent TLS (AT-TLS)
AT-TLS is a capability provided by z/OS Communications Server. AT-TLS allows any z/OS LE sockets application or middleware program to protect its Transmission Control Protocol (TCP) sockets with TLS, regardless of programming language and without requiring any changes to the application or middleware program.
AT-TLS invokes System SSL on behalf of the LE sockets program for its TLS protocol processing and is configured using policy rules that are processed and installed into the TCP/IP stack by the Communications Server Policy Agent.
All AT-TLS configuration is done through the AT-TLS policy rules that are processed by Policy Agent. We will go into more details on this topic later.
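As an added illustration (not text from the article and not an IBM-supplied sample), here is a constructed AT-TLS policy fragment showing what such rules look like: it protects an inbound server listening on port 4443, allows only TLS 1.2, and restricts the cipher suites to two ECDHE/AES-GCM suites. The rule and action names, job name, port and keyring are placeholders.

```text
# Constructed AT-TLS policy fragment (example only).
# Policy Agent reads this file through the TTLSConfig statement in its
# configuration; the TCP/IP profile must also contain TCPCONFIG TTLS.
# Placeholders: rule/action names, job name, port and keyring.

TTLSRule                      ExampleServerRule
{
  LocalAddr                   ALL
  RemoteAddr                  ALL
  # Port the server listens on and a wildcard on its job name
  LocalPortRange              4443
  Jobname                     MYSRV*
  # Protect connections accepted by the server
  Direction                   Inbound
  Priority                    100
  TTLSGroupActionRef          ExampleGroup
  TTLSEnvironmentActionRef    ExampleServerEnv
}

TTLSGroupAction               ExampleGroup
{
  TTLSEnabled                 On
  # Trace level 2 is the default
  Trace                       2
}

TTLSEnvironmentAction         ExampleServerEnv
{
  HandshakeRole               Server
  TTLSKeyringParms
  {
    # RACF keyring owned by userid TLSSRV (placeholder)
    Keyring                   TLSSRV/TLSKEYRING
  }
  TTLSEnvironmentAdvancedParms
  {
    # State every protocol version explicitly instead of relying
    # on release-dependent defaults
    SSLv3                     Off
    TLSv1                     Off
    TLSv1.1                   Off
    TLSv1.2                   On
  }
  TTLSCipherParms
  {
    # Listed in order of preference
    V3CipherSuites            TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    V3CipherSuites            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  }
}
```

Once Policy Agent has installed the policy into the TCP/IP stack, the z/OS UNIX pasearch -t command lists this rule among the active AT-TLS rules.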
See the following references for more details on AT-TLS setup and configuration:
Many z/OS-based applications and middleware rely on AT-TLS for their TLS protection, and the list grows on a regular basis. AT-TLS users include:
- Communications Server applications
o TN3270E Telnet server
o FTP client and server
o CSSMTP
o Load Balancing Advisor
o IKED (when operating as an NSS client)
o NSS server
o Policy Agent
o DCAS server
- DB2 for z/OS
- IMS Connect
- z/OS Connect EE
- InfoSphere Guardium S-TAP
- CICS Transaction Server (when operating as a server)
- IBM Multi-Site Workload Lifeline
- IBM RMF Distributed Data Server
- IBM z/OS Web Enablement Toolkit
- JES2 Network Job Entry
- RACF Remote Resource Sharing Facility
- z/OS CIM server
- IBM Integration Bus for z/OS
- IBM Security zSecure
- IBM Tivoli NetView Management Console
- IBM Tivoli Monitoring applications
- Tivoli Enterprise Portal Server
- Tivoli Enterprise Monitoring Server
- IBM Debug Tool for z/OS
- Trusted Key Entry host transaction program
- Other IBM products
- Numerous ISV products
- Numerous customer-written applications
A good way to determine which programs are using AT-TLS on any given z/OS system is to analyze the AT-TLS policy rules or to use the z/OS UNIX pasearch -t command to get a list of all the AT-TLS rules that are defined for the system.
Navigation
Next article: Risks involved with changing TLS settings
Previous article: Controlling TLS settings on z/OS