Configuring an SSL Client Connection to a Mainframe

Application Transparent Transport Layer Security or AT-TLS is IBM's solution for providing secure connectivity between SSL/TLS-enabled client applications and existing mainframe applications. The following topics provide information on how to configure MFA client applications to connect to MFA and z/Server mainframe server via AT-TLS in a z/OS environment.

Prerequisites

  • Your system programmer must configure AT-TLS on the z/OS host. A port must be configured to accept SSL traffic for MFA (default 2020).
  • The system programmer can export the required certificates from RACF. See Exporting Certificates from RACF for more information. Micro Focus recommends that you use a single file that is a base64 encoded PKCS #12 certificate. This certificate file contains the root certificate for the mainframe, the user certificate and user private key.
    Note: It is best practice to encrypt the exported PKCS #12 certificate file with a pass phrase.
  • The root certificate, user certificate, and private key are used by your client application to make a connection. These three components need to be stored in their own files and must meet the following format requirements:
    Root certificate:
    This must be in text PEM format.
    User certificate:
    This must be in text PEM format
    Private key:
    This must be in PKCS #8 binary DER format, and should be encrypted with a pass phrase.

    See Converting a PKCS #12 Certificate for more information on converting a PKCS #12 certificate into individual root certificate, user certificate and private key files.

    See Checking the Certificates to verify that the certificates are in the correct format for your client application.

Limitation

  • Specific TCP ports must be configured which prevents using dynamically-assigned ports.