Some programs will soon no longer be able to do their own TLS encryption. https://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/0/877/ENUSZP19-0410/index.html&request_locale=en#sodx
Statements of direction

Removal of native TLS/SSL support from TN3270E Telnet server, FTP server, and DCAS

z/OS V2.4 is planned to be the last release in which the z/OS TN3270E Telnet server, FTP server, and Digital Certificate Access Server (DCAS) will support direct invocation of System SSL APIs for TLS/SSL protection. In the future, the only TLS/SSL protection option for these servers will be Application Transparent Transport Layer Security (AT-TLS). The direct System SSL support in each of these components is functionally outdated and only supports TLS protocols up through TLSv1.1. IBM recommends converting your TN3270E Telnet, FTP server, and DCAS configurations to use AT-TLS, which supports the latest System SSL features, including the TLSv1.2 and TLSv1.3 protocols and related cipher suites.

Note that while native TLS/SSL support for z/OS FTP client is not being withdrawn at this time, no future enhancements are planned for that support. IBM recommends using AT-TLS to secure FTP client traffic.

Mike Wawiorko

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Tom Brennan
Sent: 01 July 2020 05:46
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

This mail originated from outside our organisation - t...@tombrennansoftware.com

Thanks KB... I think I got my basic question answered, which is that one thing AT-TLS was designed for is to encrypt data for TCP/IP programs that weren't originally written with encryption. In addition, it sounds like even programs that can do their own encryption (i.e. TN3270) can also use AT-TLS.

If so, that's a smart plan - putting encryption processing in one bucket with one set of controls, and one spot to update when TLS1.x comes along. But if I'm wrong with any of the general notes above, please correct me.