Phil Smith III wrote:
> What Radoslaw said re TLS versions. But you mostly probably don't need to worry
> too much about it, unless you're writing an application that will manage the
> actual connection. In that case, the application has to tell System SSL (the z/OS
> TLS stack) what it wants/is willing to use. This is sort of sad in that in most
> cases you just want it to use the latest and greatest: if it's talking to a peer
> that can do TLSv1.3, hey, do that; if 1.4 comes along, use that! But that's how
> it mostly works.
I think you're probably referring to z/OS AT-TLS. AT-TLS uses z/OS System SSL, but you don't really have to worry about that architectural detail. Here's an introductory explanation (z/OS 3.2 link, subject to change):

https://www.ibm.com/docs/en/zos/3.2.0?topic=reference-application-transparent-transport-layer-security-tls

Applications can optionally be AT-TLS "aware" or "controlling." If for example your application generates logs, AT-TLS awareness can be helpful because (for example) you can issue a log message whenever AT-TLS swings into action for your application.

It's wise to rely on z/OS AT-TLS for all your TLS-related needs on z/OS. With AT-TLS you effectively "outsource" TLS-related maintenance and troubleshooting to IBM. Your customers will typically appreciate that approach, even a lot. TLS certificate management(*), policy enforcement, and compliance reporting (via the z/OS Encryption Readiness Tool as a notable example) are unified with AT-TLS. As TLS standards evolve your application will automatically pick them up when AT-TLS does. And as cryptographic hardware evolves it's reasonable to assume AT-TLS will pick up those improvements, too.

(*) TLS certificates are shifting to maximum 47 days of validity by March, 2029. You really should be automating TLS certificate renewals and deployments on z/OS and on your other platforms — and that includes other parts of the IBM Z server ecosystem such as OSA-ICC, HMC/SE, etc. Start planning now if you haven't started yet. Application-specific TLS certificate management will soon become even more annoying and burdensome than it already is.

--
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
[email protected]
