This presentation provides excellent advice on configuring TLS/SSL
encryption in z/OS:

http://www.ibm.com/support/docview.wss?uid=swg27028558&aid=1

Although it was written almost 6 1/2 years ago (as I write this), it's
still an excellent technical guide. Refer to the z/OS Knowledge Center for
your particular z/OS release if you need anything more up-to-date, for
reference. You will at least want to refer to the z/OS Communications
Server IP Configuration Guide. Here is the direct link (subject to change)
to that publication for z/OS 2.2:

http://publibz.boulder.ibm.com/epubs/pdf/f1a2b312.pdf

Chapter 21 contains the details on AT-TLS. As noted in Chapter 21, the z/OS
Management Facility (z/OSMF) makes it a great deal easier to configure
AT-TLS.

This Redbook, geared for z/OS 2.1 and above, is also useful, especially
Chapters 12 and 16:

http://www.redbooks.ibm.com/redbooks/pdfs/sg248099.pdf

I assume you know how to obtain a TLS/SSL server certificate signed by a
well-known Certificate Authority (CA) and how to configure IBM Personal
Communications to use TLS/SSL encryption over port 992. If you don't, and
if you cannot find those answers, please post a follow-up.

Encrypting TSO/E sessions is only one small part of overall enterprise
security, or even of z/OS-related security. There are several other steps
you can and should take, quickly. (You're well overdue on implementing
TLS-encrypted TN3270E sessions, actually. I was working with customers on
implementing encrypted TN3270E sessions about two decades ago, so to be
generous you're only about 15 years late. Better late than never. :-))
Other basic steps include encrypting your other connections (AT-TLS will be
helpful, plus OSA-ICC encryption), making sure you have migrated to AES
encryption of your RACF databases, passphrases (with sensible policies)
instead of passwords, storage encryption (starting with physical tape,
since tape is inherently prone to movement), and several other steps. IBM
offers something called the "IBM Eagle Security Assessment" which is well
worth doing, if you haven't done it already and fairly recently. To apply
for that no-charge assessment, visit this Web page (and scroll down a bit):

http://www.ibm.com/systems/z/solutions/enterprise-security.html

--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: sipp...@sg.ibm.com

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
