SSL on the Mainframe

CONNX supports SSL/TLS connections from the CONNX client to any CONNX server running on the mainframe, including Adabas, IMS, and VSAM.

CONNX SSL support on the mainframe is enabled through AT-TLS (Application Transparent TLS).

AT-TLS is the IBM-recommended method of providing SSL/TLS support for IBM-hosted applications. It enables companies to configure and control TLS access for all mainframe applications in a central location. It also ensures that applications keep up with the latest TLS standard.

AT-TLS provides an SSL/TLS-secured listening port for the application, where all encryption and decryption is performed, using high-performance hardware if available. The AT-TLS service then makes a normal socket connection to the application listening on the mainframe. As far as the application is concerned, it is communicating with a client over standard TCP/IP, while all critical communication between the mainframe and the client is secured and encrypted via SSL.

In order to use CONNX with SSL on the mainframe with AT-TLS, the following requirements must be met.

  1. The CNXCONNECTBACK setting in CNXPARAM in the CONNX listener on the mainframe must be set to 0. This ensures that the initial encrypted socket connection is the only socket connection for a given session.
  2. For CONNX servers running on VSE using the Barnard TCP/IP stack, you must upgrade to Build 257pre32 or higher of Barnard TCP/IP.

Enabling SSL for CONNX Servers on the Mainframe

To enable SSL on the mainframe, configure AT-TLS to provide an SSL listening port that maps to the CONNX listening port.

Please refer to the IBM and/or Barnard documentation on AT-TLS for detailed instructions on service configuration.

On the client side, the CONNX data dictionary must be configured to use SSL to connect to the server.

On the import dialog for VSAM, IMS, and Adabas, there is a "Use TLS/SSL" checkbox.

Once AT-TLS has been configured, enter the AT-TLS SSL port on the import dialog and select the "Use TLS/SSL" checkbox.

If you have an existing data dictionary and you want to enable SSL for one or more databases in the CDD, there is also a "Use TLS/SSL" checkbox on the database panel for any database that supports SSL.

Use this checkbox to enable or disable SSL for the specified database connection.

It is possible to configure some databases in the CDD to use SSL and others to connect without SSL.
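
After the AT-TLS port has been configured, it can be checked from a client machine independently of the CONNX client. The following Python script is an added example, not part of CONNX or the IBM/Barnard tooling: it attempts a certificate-verified TLS 1.2+ handshake and reports the negotiated protocol and cipher, or the reason the handshake failed. The host, port and CA file are supplied by the caller, and the TLS 1.2 floor is an assumption of this example, not a documented CONNX requirement.

```python
import socket
import ssl
import sys


def check_tls_port(host, port, cafile=None, timeout=5.0):
    """Attempt a verified TLS handshake with host:port and report the outcome.

    cafile: PEM file with the CA that signed the mainframe certificate
            (assumption: an internal CA; None uses the system trust store).
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # example policy floor
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Nothing is listening, or the port is filtered.
        return {"status": "unreachable", "detail": str(exc)}
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return {"status": "tls-ok", "protocol": tls.version(),
                    "cipher": name, "bits": bits}
    except ssl.SSLError as exc:
        # Covers a plaintext listener, a protocol version below the floor,
        # and certificate or host-name verification failures.
        return {"status": "tls-failed", "detail": exc.reason or str(exc)}
    except OSError as exc:
        # Peer reset or timed out during the handshake.
        return {"status": "tls-failed", "detail": str(exc)}
    finally:
        raw.close()


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: check_tls_port.py HOST PORT [CAFILE]")
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print(check_tls_port(sys.argv[1], int(sys.argv[2]), cafile=ca))
```

A "tls-failed" result on the port entered in the import dialog means the "Use TLS/SSL" checkbox would not produce a working encrypted connection on that port.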