Enablement of encryption for XCOM for z/OS transfers (AT-TLS)

Article ID: 273874

Products

  • XCOM Data Transport - z/OS
  • XCOM Data Transport
  • XCOM Data Transport - Linux PC
  • XCOM Data Transport - Windows

Issue/Introduction

Looking at enabling encryption for XCOM for z/OS file transfers:

1. Can we use AT-TLS for the encryption part on z/OS?

2. Does the remote XCOM partner need configuration changes as well?

3. I assume certificates will be required?

Environment

  • XCOM™ Data Transport® for z/OS
  • XCOM™ Data Transport® for Windows 11.6
  • XCOM™ Data Transport® for Linux PC 11.6

 

Resolution

Q1. Can we use AT-TLS for the encryption part on z/OS?
A1. Yes, XCOM is an AT-TLS aware application, per the article: XCOM is an AT-TLS aware application
These documentation pages have more details:
XCOM™ Data Transport® for z/OS 12.0 > Release Notes > New Features
XCOM™ Data Transport® for z/OS 12.0 > Getting Started > Features > AT-TLS Support

Q2. Does the remote XCOM partner need configuration changes as well?
A2. No changes are required on the remote partner, but the AT-TLS* parameters provide a degree of control for starting multiple listeners depending on different partner requirements. See the article: Are AT-TLS parameters mandatory in XCOM CONFIG to use AT-TLS
Some other relevant information:
a. To initiate secure transfers using AT-TLS, you must not specify SECURE_SOCKET=YES in the XCOM parameters. The idea is that XCOM starts an unsecure transfer and AT-TLS makes it secure; XCOM notices this and issues messages stating that the connection is protected by AT-TLS. The transfers must be addressed to the SSL port at the partner.
b. To initiate unsecure transfers when AT-TLS is around, the transfer needs to address the non-SSL port at the partner, and the AT-TLS policies need to be set up so that this connection is not managed by AT-TLS and therefore proceeds in clear text.
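
The decision described in points a and b, as an added Python example (not code from this article or from XCOM): it reads a constructed AT-TLS policy fragment and reports, for a given remote port and SECURE_SOCKET setting, whether the transfer is protected by AT-TLS, proceeds in clear text, or breaks the rule in point a. The ports 8044 and 8045, the rule and action names, and the simplified rule matching (single port, outbound only) are assumptions.

```python
import re

# Constructed sample: ports, rule names and action names are assumptions.
POLICY = """
TTLSRule XCOM_Out_Secure
{
  RemotePortRange    8045
  Direction          Outbound
  TTLSGroupActionRef grp_on
}
TTLSRule XCOM_Out_Clear
{
  RemotePortRange    8044
  Direction          Outbound
  TTLSGroupActionRef grp_off
}
TTLSGroupAction grp_on
{
  TTLSEnabled On
}
TTLSGroupAction grp_off
{
  TTLSEnabled Off
}
"""

def parse_policy(text):
    """Parse flat 'Type name { keyword value ... }' blocks into nested dicts."""
    policy = {}
    for kind, name, body in re.findall(r"(\w+)\s+(\S+)\s*\{([^{}]*)\}", text):
        pairs = (line.split(None, 1) for line in body.splitlines() if line.strip())
        policy.setdefault(kind, {})[name] = {k: v.strip() for k, v in pairs}
    return policy

def attls_manages(policy, port):
    """True if an outbound rule for this single remote port has TTLSEnabled On.
    Simplified: ignores Priority, Jobname, address conditions and port ranges."""
    for rule in policy.get("TTLSRule", {}).values():
        if rule.get("Direction") == "Outbound" and rule.get("RemotePortRange") == str(port):
            group = policy.get("TTLSGroupAction", {}).get(rule.get("TTLSGroupActionRef"), {})
            return group.get("TTLSEnabled") == "On"
    return False  # no matching rule: AT-TLS leaves the connection alone

def classify(policy, port, secure_socket_yes):
    """Map one transfer (remote port, SECURE_SOCKET=YES?) to its outcome."""
    managed = attls_manages(policy, port)
    if managed:
        return "conflict: remove SECURE_SOCKET=YES" if secure_socket_yes else "protected by AT-TLS"
    return "XCOM secure socket, not AT-TLS" if secure_socket_yes else "clear text"
```

Running `classify(parse_policy(POLICY), port, flag)` over a list of planned transfers shows which ones would leave the system unencrypted before the policy is activated.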

Q3. I assume certificates will be required?
A3. Yes, just like using normal secure transfers, certificates will be required.

ADDITIONAL:
XCOM Engineering had this additional advice:

1. Any remote XCOM for Windows/Linux 11.6 system should have one of the latest patches applied, because Engineering had to correct a few things on the distributed side to make it work with AT-TLS. See the problem numbers and referenced solutions from 2021 below:

Transfer from z/OS to Windows using AT-TLS fails.

Transfer from z/OS to Linux using AT-TLS fails.

Due to their later release date, the XCOM for Windows/Linux 12.0 versions have those changes in the GA version.

2. AT-TLS is XCOM's stated direction for data encryption support on the z/OS platform, so if you are going to the trouble of setting up encryption then you should use AT-TLS.
XCOM's chosen method of supporting TLS 1.3 is via AT-TLS and that is the path forward for supporting encryption technology: Improving XCOM Data Transport transfers with TLSv1.3
Support for OpenSSL on z/OS has already been removed and at some point (as yet undetermined) System SSL will likewise be removed.