Application Transparent Transport Layer Security (AT-TLS) is IBM's solution for providing secure connectivity between SSL/TLS-enabled
client applications and existing mainframe applications. The following topics describe how to configure MFA
client applications to connect to the MFA and z/Server mainframe servers via AT-TLS in a z/OS environment.
Prerequisites
- Your system programmer must configure AT-TLS on the z/OS host. Two ports must be configured to accept SSL traffic, one port
for MFA (default 2020) and the other for z/Server (default 1111).
- The system programmer can export the required certificates from RACF. See Exporting Certificates from RACF for more information.
  Micro Focus recommends that you use a single file that is a base64-encoded PKCS #12 certificate. This certificate file contains the root
  certificate for the mainframe, the user certificate and the user's private key.
  Note: It is best practice to encrypt the exported PKCS #12 certificate file with a pass phrase.
- The root certificate, user certificate, and private key are used by your client application to make a connection. These three
  components must be stored in their own files and must meet the following format requirements:
  - Root certificate:
    - This must be in text PEM format.
  - User certificate:
    - This must be in text PEM format.
  - Private key:
    - This must be in PKCS #8 binary DER format, and should be encrypted with a pass phrase.
  See Converting a PKCS #12 Certificate for more information on converting a PKCS #12 certificate into individual root certificate, user certificate and private
  key files.
  See Checking the Certificates to verify that the certificates are in the correct format for your client application.
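The following script is an added example (not Micro Focus tooling) showing how the exported PKCS #12 bundle can be split into the three files described above with the openssl command line, and how each file can then be checked against the stated format requirements. It assumes the openssl CLI is installed, that the bundle holds one root certificate plus the user certificate and key, and it takes the bundle path, the bundle pass phrase, a pass phrase for the new PKCS #8 key and an output directory as arguments; the file names root.pem, user.pem and user.key.der are illustrative.

```shell
#!/bin/sh
# Split a RACF-exported PKCS #12 bundle into root.pem, user.pem and an
# encrypted PKCS #8 DER key, then verify the formats. Added example using
# the openssl CLI; not Micro Focus tooling. Output file names are illustrative.
# Usage: split_p12 bundle.p12 'p12 pass' 'key pass' ./certs && check_files ./certs 'key pass'
split_p12() {
  p12=$1 p12pass=$2 keypass=$3 out=$4
  mkdir -p "$out" || return 1
  # A base64 text export must be decoded first; binary DER starts with a SEQUENCE tag (0x30).
  if [ "$(head -c 1 "$p12" | od -An -tx1 | tr -d ' ')" = 30 ]; then
    bin=$p12
  else
    bin=$out/bundle.der
    { tr -d '\r\n' < "$p12"; echo; } | fold -w 64 | openssl base64 -d -out "$bin" || return 1
  fi
  # Root certificate: CA certificates only, as text PEM with the "Bag Attributes" lines stripped.
  openssl pkcs12 -in "$bin" -passin "pass:$p12pass" -cacerts -nokeys 2>/dev/null \
    | sed -n '/^-----BEGIN/,/^-----END/p' > "$out/root.pem"
  # User certificate: the client certificate only, as text PEM.
  openssl pkcs12 -in "$bin" -passin "pass:$p12pass" -clcerts -nokeys 2>/dev/null \
    | sed -n '/^-----BEGIN/,/^-----END/p' > "$out/user.pem"
  # Private key: re-wrapped as a pass-phrase-encrypted PKCS #8 structure in binary DER.
  openssl pkcs12 -in "$bin" -passin "pass:$p12pass" -nocerts -nodes 2>/dev/null \
    | openssl pkcs8 -topk8 -outform DER -passout "pass:$keypass" -out "$out/user.key.der" 2>/dev/null
  # A pipeline only reports its last stage, so confirm all three files were actually produced.
  [ -s "$out/root.pem" ] && [ -s "$out/user.pem" ] && [ -s "$out/user.key.der" ]
}

# Verify the three files meet the format requirements; returns non-zero on the first failure.
check_files() {
  out=$1 keypass=$2
  # Both certificates must parse as PEM text.
  openssl x509 -inform PEM -in "$out/root.pem" -noout 2>/dev/null || return 1
  openssl x509 -inform PEM -in "$out/user.pem" -noout 2>/dev/null || return 1
  # The key must be DER PKCS #8 that opens with the pass phrase ...
  openssl pkcs8 -inform DER -in "$out/user.key.der" -passin "pass:$keypass" -out /dev/null 2>/dev/null || return 1
  # ... and must not parse as an unencrypted PrivateKeyInfo (i.e. it really is encrypted).
  if openssl pkcs8 -inform DER -in "$out/user.key.der" -nocrypt -out /dev/null 2>/dev/null; then
    return 1
  fi
  return 0
}
```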
Limitation
- Specific TCP ports must be configured, which prevents the use of dynamically assigned ports.