We have AT-TLS working between multiple XCOM for z/OS with no AT-TLS parameters defined in XCOM. Do you have to specify a value for the AT-TLS and AT-TLS_PORTS parameters in the CONFIG member to achieve encrypted connections for XCOM on z/OS?
XCOM™ Data Transport® for z/OS
Values for the AT-TLS and AT-TLS_PORTS parameters are not an absolute requirement to achieve encrypted connections for XCOM for z/OS. However, those parameters are useful for managing your XCOM encrypted connections using AT-TLS.
a. The AT-TLS=ONLY setting will enforce that every TCP/IP connection in a particular XCOM address space is covered by an AT-TLS policy, or the connection will be terminated. This prevents unencrypted network traffic between XCOM partners in case there is no AT-TLS policy that applies to a particular connection.
b. The AT-TLS=ALLOW setting will permit non-AT-TLS listener tasks to be started by the server, i.e. a "regular" or dedicated SSL/TLS TCP/IP listener. It also causes XCOM to permit non-encrypted traffic over TCP/IP if no AT-TLS policy applies to the connection.
c. The AT-TLS=NONE setting specifies that no AT-TLS-specific listener task is started.
The AT-TLS_PORTS parameter was created to allow users to run multiple listeners on different ports which may have different AT-TLS policies. This allows for stratified encryption/certificate requirements for partner systems. Many customers run in a mixed environment with external partners whose SSL/TLS requirements may vary.
The bottom line is "YES": you can use AT-TLS with XCOM with no AT-TLS parameters in the XCOM configuration. However, those parameters offer flexibility and control that many customers want.