Ah, of course. Our product predates AT-TLS and we create our own connections via GSK (System SSL). If we were doing it today, we would use AT-TLS for sure!

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Timothy Sipples
Sent: Sunday, October 5, 2025 9:32 PM
To: [email protected]
Subject: Re: ZSeries Crypto Cards - Decision Table?

Phil Smith III wrote:
>What Radoslaw said re TLS versions. But you mostly probably don't need
>to worry too much about it, unless you're writing an application that
>will manage the actual connection. In that case, the application has to
>tell System SSL (the z/OS TLS stack) what it wants/is willing to use.
>This is sort of sad in that in most cases you just want it to use the
>latest and greatest: if it's talking to a peer that can do TLSv1.3,
>hey, do that; if 1.4 comes along, use that! But that's how it mostly
>works.

I think you're probably referring to z/OS AT-TLS. AT-TLS uses z/OS System SSL, but you don't really have to worry about that architectural detail. Here's an introductory explanation (z/OS 3.2 link, subject to change):

https://www.ibm.com/docs/en/zos/3.2.0?topic=reference-application-transparent-transport-layer-security-tls

Applications can optionally be AT-TLS "aware" or "controlling." If for example your application generates logs, AT-TLS awareness can be helpful because (for example) you can issue a log message whenever AT-TLS swings into action for your application.

It's wise to rely on z/OS AT-TLS for all your TLS-related needs on z/OS. With AT-TLS you effectively "outsource" TLS-related maintenance and troubleshooting to IBM. Your customers will typically appreciate that approach, even a lot. TLS certificate management(*), policy enforcement, and compliance reporting (via the z/OS Encryption Readiness Tool as a notable example) are unified with AT-TLS. As TLS standards evolve your application will automatically pick them up when AT-TLS does. And as cryptographic hardware evolves it's reasonable to assume AT-TLS will pick up those improvements, too.

(*) TLS certificates are shifting to maximum 47 days of validity by March, 2029. You really should be automating TLS certificate renewals and deployments on z/OS and on your other platforms — and that includes other parts of the IBM Z server ecosystem such as OSA-ICC, HMC/SE, etc. Start planning now if you haven't started yet. Application-specific TLS certificate management will soon become even more annoying and burdensome than it already is.

—————
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
[email protected]

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
