Looking at enabling encryption for XCOM for z/OS file transfers:
1. Can we use AT-TLS for the encryption part on z/OS?
2. Does the remote XCOM partner need configuration changes as well?
3. I assume certificates will be required?
Release: 12.0
Q1. Can we use AT-TLS for the encryption part on z/OS?
A1. Yes, XCOM is an AT-TLS aware application, per the article "XCOM is an AT-TLS aware application".
Here are some documentation pages with more details:
XCOM™ Data Transport® for z/OS 12.0 > Release Notes> New Features
XCOM™ Data Transport® for z/OS 12.0 > Overview > Features > AT-TLS Support
Q2. Does the remote XCOM partner need configuration changes as well?
A2. No changes are required on the remote partner, but the AT-TLS* parameters provide a degree of control for starting multiple listeners depending on different partner requirements. See the article "Are AT-TLS parameters mandatory in XCOM CONFIG to use AT-TLS".
Some other relevant information:
a. To initiate secure transfers using AT-TLS, you must not specify SECURE_SOCKET=YES in the XCOM parameters. XCOM starts the transfer as an unsecured one, AT-TLS secures the connection, and XCOM detects this and issues messages stating that the connection is protected by AT-TLS. The transfers must be addressed to the SSL port at the partner.
b. To initiate unsecured transfers on a system where AT-TLS is in use, address the transfer to the non-SSL port at the partner and set up the AT-TLS policies so that this connection is not managed by AT-TLS and therefore proceeds in clear text.
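The port split described in a. and b., sketched as z/OS Policy Agent AT-TLS statements. This is an added example, not taken from the original article or from the XCOM documentation. The ports 8045 (partner SSL port) and 8044 (partner non-SSL port), the job name XCOMSTC and the key ring name XCOMRING are assumed placeholder values; substitute your own.

```text
# Added example: AT-TLS policy for outbound XCOM transfers.
# All ports, job names and key ring names are assumed placeholders.

# a. Connections to the partner's SSL port are secured by AT-TLS.
#    XCOM itself runs without SECURE_SOCKET=YES.
TTLSRule                      XCOM_Out_Secure
{
  Jobname                     XCOMSTC
  Direction                   Outbound
  RemotePortRange             8045
  TTLSGroupActionRef          XCOM_Grp_On
  TTLSEnvironmentActionRef    XCOM_Env_Client
}

# b. Connections to the partner's non-SSL port are explicitly left
#    unmanaged, so they proceed in clear text. A connection that
#    matches no TTLSRule at all is also not managed by AT-TLS.
TTLSRule                      XCOM_Out_Clear
{
  Jobname                     XCOMSTC
  Direction                   Outbound
  RemotePortRange             8044
  TTLSGroupActionRef          XCOM_Grp_Off
}

TTLSGroupAction               XCOM_Grp_On
{
  TTLSEnabled                 On
}

TTLSGroupAction               XCOM_Grp_Off
{
  TTLSEnabled                 Off
}

TTLSEnvironmentAction         XCOM_Env_Client
{
  HandshakeRole               Client
  TTLSKeyringParmsRef         XCOM_Keyring
}

# Key ring holding the certificates referred to in A3.
TTLSKeyringParms              XCOM_Keyring
{
  Keyring                     XCOMRING
}
```

Keep the secure rule scoped to the XCOM job name and the SSL port so that a broad rule does not unintentionally capture, or leave in clear text, other traffic.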
Q3. I assume certificates will be required?
A3. Yes, just as with normal secure transfers, certificates will be required.
XCOM Engineering had this additional advice:
1. Any remote XCOM for Windows/Linux 11.6 system should have one of the latest patches applied because Engineering had to correct a few things on the distributed side to make it work with AT-TLS. See the below problem numbers and referenced solutions from 2021:
Due to their later release date, the XCOM for Windows/Linux 12.0 versions have those changes in the GA version.
2. AT-TLS is XCOM's stated direction for data encryption support on the z/OS platform, so if you are going to the trouble of setting up encryption then you should use AT-TLS.
XCOM's chosen method of supporting TLS 1.3 is via AT-TLS, and that is the path forward for supporting encryption technology. See the article "Improving XCOM Data Transport transfers with TLSv1.3".
Support for OpenSSL on z/OS has already been removed and at some point (as yet undetermined) System SSL will likewise be removed.