SSL on the Mainframe
CONNX Supports SSL/TLS connections from the CONNX client to any CONNX server running on the Mainframe, including Adabas, IMS, and VSAM.
CONNX SSL support on the Mainframe is enabled through AT-TLS (Application Transparent TLS).
AT-TLS is the IBM-recommended method of providing SSL/TLS support for IBM-hosted applications. It enables companies to configure and control TLS access for all Mainframe applications in a central location, and it ensures that applications keep up with the latest TLS standard without code changes.
AT-TLS provides an SSL/TLS-secured listening port for the application where all encryption and decryption is performed, using high-performance cryptographic hardware if available. The AT-TLS service then makes a normal socket connection to the application listening on the Mainframe. As far as the application is concerned, it is communicating with a client using standard TCP/IP, while all communication between the Mainframe and the client is secured and encrypted via SSL/TLS.
In order to use CONNX with SSL on the Mainframe with AT-TLS, the CNXCONNECTBACK setting in CNXPARAM in the CONNX listener on the Mainframe must be set to 0. This ensures that the initial encrypted socket connection is the only socket connection for a given session; a connect-back to the client would open a second socket that does not pass through the AT-TLS listening port.
Enabling SSL for CONNX Servers on the Mainframe
To Enable SSL on the Mainframe, configure AT-TLS to provide an SSL listening port that maps to the CONNX listening port.
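As an added illustration of this step (not part of the original CONNX documentation), the following AT-TLS policy fragment, in the z/OS Policy Agent syntax, defines a server-side TLS rule for the CONNX listener. The rule name, keyring name, job name pattern and port number are assumptions; replace them with the values of your own installation.

```text
# Added example: AT-TLS policy for a CONNX listener (assumed names and port)
# Inbound connections to the CONNX listening port are terminated by AT-TLS;
# the CONNX listener itself sees a plain TCP/IP socket.
TTLSRule CONNX_Server_Rule
{
  LocalPortRange            <CONNX-LISTENER-PORT>   # placeholder: CONNX listening port
  Jobname                   CNX*                    # assumed started-task name pattern
  Direction                 Inbound
  TTLSGroupActionRef        CONNX_Group
  TTLSEnvironmentActionRef  CONNX_Env
}

TTLSGroupAction CONNX_Group
{
  TTLSEnabled On
  Trace       2          # log connection-level events for verification
}

TTLSEnvironmentAction CONNX_Env
{
  HandshakeRole Server
  TTLSKeyringParms
  {
    Keyring CONNXRING    # assumed RACF keyring holding the server certificate
  }
  TTLSEnvironmentAdvancedParms
  {
    SSLv3   Off
    TLSv1   Off
    TLSv1.1 Off
    TLSv1.2 On
  }
}
```

With this rule active, the port named in LocalPortRange is the port to enter on the CONNX import dialog together with the Use TLS/SSL checkbox. Remember that CNXCONNECTBACK must be 0 in CNXPARAM, because a connect-back session would not be matched by an Inbound rule on the listener port.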
On the client side, the CONNX data dictionary must be configured to use SSL to connect to the server.
On the import dialog for VSAM, IMS, and Adabas, there is a checkbox Use TLS/SSL.
Once AT-TLS has been configured, enter the AT-TLS SSL port on the import dialog and select the Use TLS/SSL checkbox.
If you have an existing data dictionary, and you want to enable SSL for one or more databases in the CDD, there is also a Use TLS/SSL checkbox at the database panel for any database that supports SSL. Use this checkbox to enable/disable SSL for the specified database connection.
It is possible to configure some databases in the CDD to use SSL, and others without SSL.