Zero Trust (ZTA), which is the currently favored paradigm, says to treat all networks, internal and external, as untrusted. That would imply TLS.
You would not need "thousands of certificates": one per sysplex with TN3270 would be sufficient. And certificate generation increasingly is automated.

Charles