Some programs will soon no longer be able to do their own TLS encryption.

Statements of direction

Removal of native TLS/SSL support from TN3270E Telnet server, FTP server, and 

z/OS V2.4 is planned to be the last release in which the z/OS TN3270E Telnet 
server, FTP server, and Digital Certificate Access Server (DCAS) will support 
direct invocation of System SSL APIs for TLS/SSL protection. In the future, the 
only TLS/SSL protection option for these servers will be Application 
Transparent Transport Layer Security (AT-TLS). The direct System SSL support in 
each of these components is functionally outdated and only supports TLS 
protocols up through TLSv1.1. IBM recommends converting your TN3270E Telnet, 
FTP server, and DCAS configurations to use AT-TLS, which supports the latest 
System SSL features, including the TLSv1.2 and TLSv1.3 protocols and related 
cipher suites. Note that while native TLS/SSL support for z/OS FTP client is 
not being withdrawn at this time, no future enhancements are planned for that 
support. IBM recommends using AT-TLS to secure FTP client traffic.

Mike Wawiorko  

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Tom 
Sent: 01 July 2020 05:46
Subject: Re: AT-TLS ? Very Basic Questions

This mail originated from outside our organisation -

Thanks KB...  I think I got my basic question answered, which is that one thing 
AT-TLS was designed for is to encrypt data for TCP/IP programs that weren't 
originally written with encryption.  In addition, it sounds like even programs 
that can do their own encryption (i.e. TN3270) can also use AT-TLS.  If so, 
that's a smart plan - putting encryption processing in one bucket with one set 
of controls, and one spot to update when TLS1.x comes along.

But if I'm wrong with any of the general notes above, please correct me.

This e-mail and any attachments are confidential and intended solely for the 
addressee and may also be privileged or exempt from disclosure under applicable 
law. If you are not the addressee, or have received this e-mail in error, 
please notify the sender immediately, delete it from your system and do not 
copy, disclose or otherwise act upon any part of this e-mail or its attachments.
Internet communications are not guaranteed to be secure or virus-free. The 
Barclays Group does not accept responsibility for any loss arising from 
unauthorised access to, or interference with, any Internet communications by 
any third party, or from the transmission of any viruses. Replies to this 
e-mail may be monitored by the Barclays Group for operational or business 
Any opinion or other information in this e-mail or its attachments that does 
not relate to the business of the Barclays Group is personal to the sender and 
is not given or endorsed by the Barclays Group.
Barclays Execution Services Limited provides support and administrative 
services across Barclays group. Barclays Execution Services Limited is an 
appointed representative of Barclays Bank UK plc, Barclays Bank plc and 
Clydesdale Financial Services Limited. Barclays Bank UK plc and Barclays Bank 
plc are authorised by the Prudential Regulation Authority and regulated by the 
Financial Conduct Authority and the Prudential Regulation Authority. Clydesdale 
Financial Services Limited is authorised and regulated by the Financial Conduct 

For IBM-MAIN subscribe / signoff / archive access instructions,
send email to with the message: INFO IBM-MAIN

Reply via email to