Improving XCOM Data Transport transfers with TLSv1.3

Article ID: 258891

Products

XCOM Data Transport

XCOM Data Transport - z/OS

XCOM Data Transport - Linux PC

Issue/Introduction

You can use a network service proxy to incorporate improved TLS features into your XCOM Data Transport transfers. This information, originally posted as a blog in the XCOM community, shows an example of using XCOM Data Transport between z/OS and Linux (RHEL 8.6) to create transfers that are secured between the systems using TLSv1.3. While the example focuses on Linux x86 transfers, the same concepts may be applied to other environments (e.g. Windows) where you have a TLSv1.3-capable network service proxy.

Environment

XCOM for z/OS

XCOM for Linux PC

Resolution

Sending data to z/OS

Your XCOM Data Transport z/OS started task will be the server in this first scenario, listening for suitable remote connections.  Using XCOM Data Transport z/OS configuration parameters:

  • AT-TLS=ALLOW
  • AT-TLS_PORTS=12346

you configure your XCOM Data Transport z/OS server to listen for AT-TLS secure connections on port 12346. You can select the port of your choice, but this example uses port 12346. AT-TLS allows only connections that meet the policy definitions to reach your XCOM Data Transport z/OS started task. The following are example AT-TLS policy definitions. You can review these example policies as a guide, but you should work with your site AT-TLS experts to get the appropriate TLSv1.3 rules in place for your environment. The example policies are simplified definitions that use a key database file, and you should consider implementing yours with a SAF key ring outside of proof-of-concept or demo environments. Also, the list of ciphers is incomplete (you will notice a ... break in the list) for brevity.

The policy statements are not explained in this blog, but you can find documentation for these statements in the IBM documentation under AT-TLS policy statements. Again, you should work with your site experts to properly implement your policies.
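Once the AT-TLS policy is active, you can confirm from the Linux side what the listener on the AT-TLS port actually negotiates. The following is an added example, not part of the original blog or of XCOM Data Transport: it assumes the policy is meant to be TLSv1.3-only and does not require a client certificate, and the host name and CA file path in it are placeholders.

```python
import socket
import ssl
import sys

XCOM_TLS_PORT = 12346  # AT-TLS_PORTS value used in this article


def make_context(lowest, highest, cafile=None):
    """Client context pinned to a TLS version range. Certificate and host
    name verification stay enabled (create_default_context defaults)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = lowest
    ctx.maximum_version = highest
    return ctx


def handshake(host, port, ctx, timeout=5.0):
    """Return the negotiated protocol name, or None if connect/handshake fails."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except OSError:  # ssl.SSLError and certificate errors are OSError subclasses
        return None


def check_tls13_only(host, port=XCOM_TLS_PORT, cafile=None):
    """Probe twice: once offering only TLSv1.3, once offering only TLSv1.2."""
    v13, v12 = ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_2
    modern = handshake(host, port, make_context(v13, v13, cafile))
    legacy = handshake(host, port, make_context(v12, v12, cafile))
    return {
        "tls13_negotiated": modern == "TLSv1.3",
        # Only meaningful when the TLSv1.3 probe succeeded with the same trust
        # settings; otherwise the failure may be a certificate or network error.
        "tls12_refused": legacy is None,
        "compliant": modern == "TLSv1.3" and legacy is None,
    }


if __name__ == "__main__":
    # Usage: python3 check_attls.py <zos-host> [ca-bundle.pem]  (placeholder names)
    target = sys.argv[1]
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(check_tls13_only(target, cafile=ca))
```

If your site policy deliberately still permits TLSv1.2, read only the `tls13_negotiated` field.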
...
Continued in the blog post in the XCOM community.