Andrew, you seem to be asking generic questions about how TLS works on any/every platform. If you're concerned about defending against MITM attacks, then start with that bit of reading. Take a look at how HTTPS prevents such attacks, for example. Then you'll have your answer. As Tony Harminc mentioned, AT-TLS in Communications Server for z/OS is TLS. AT-TLS in z/OS is an extremely robust and full-function implementation of these industry standards, as it happens.
As a rough analogy, Web browsers obviously support SSL/TLS (HTTPS), including security handshaking such as client and server certificate authentication. Most Web browsers can also run JavaScript programs. There is no need to rewrite or to modify a JavaScript program when, for example, the numeric IP address of the Web server changes. The Web browser, Web server, and their configurations and network services handle all that "busy work" on behalf of the JavaScript program. Yes, it is possible to write a JavaScript program that is aware of, or even (subject to browser and server "vetoes") able to control aspects of its TLS (HTTPS) connections. But JavaScript programs are not required to do that, and they generally don't.

The same is true with AT-TLS in z/OS and programs running in z/OS that need secure network connections. z/OS also happens to enforce strict controls on what program(s) can and cannot use particular AT-TLS connections, and even when (date and time policy limits). Those controls are enforced primarily via RACF (or another SAF-compliant security manager) and the aforementioned Policy Agent, and those controls on the non-network "side" are unique to z/OS and special.

Maybe another analogy will help. When you write a program, do you have to code logic in the program to perform any of the following network-related tasks: (a) locate the correct network port; (b) verify that a cable is connected to that port; (c) negotiate the link speed with the switch; (d) etcetera? No, of course not -- not unless you're writing firmware, anyway. All those functions are handled for you, outside your program. The network adapter's firmware and/or operating system provide those services for you, and you don't even think about them, really. That's the same basic principle with AT-TLS. AT-TLS handles all that "security stuff" (or use a stronger word if you like) on your program's behalf, much like Web browsers do on behalf of JavaScript programs executing in those browsers.
On the other hand, if you're pressing us for a different answer because you *want* to do some recoding -- because you get paid by the hour or per line of code? -- then I suppose we could come up with some make-work ideas. :-) But the reality is you have nothing to do to your program code. You just configure AT-TLS correctly -- yes, z/OSMF is a fantastic way to do that -- and it all works, securely. Isn't that lovely?

--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: sipp...@sg.ibm.com

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
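To make the "configure it, don't code it" point concrete, here is an added example of what such an AT-TLS policy looks like; it is not from the post above or from IBM documentation, and the rule, action and keyring names (PayrollServerRule, EnvAct_PayrollServer, PAYROLL.RING), the port 4443 and the PAYROLL* jobname are constructed for illustration. The server application listening on that port is unchanged: the TCP/IP stack performs the TLS handshake, requires a client certificate, and only applies the rule to jobs whose name matches the selector, with the keyring and certificate access governed by RACF.

```text
# Constructed Policy Agent TTLS policy fragment (not a real site's config).
# Inbound connections to port 4443 from jobs named PAYROLL* get TLS
# terminated by the stack; the application code is not modified.
TTLSRule                          PayrollServerRule
{
  LocalPortRange                  4443
  Direction                       Inbound
  Jobname                         PAYROLL*
  TTLSGroupActionRef              GrpAct_On
  TTLSEnvironmentActionRef        EnvAct_PayrollServer
}

TTLSGroupAction                   GrpAct_On
{
  TTLSEnabled                     On
}

TTLSEnvironmentAction             EnvAct_PayrollServer
{
  # Server side of the handshake, and the peer must present a certificate.
  HandshakeRole                   ServerWithClientAuth
  TTLSKeyringParms
  {
    # RACF keyring holding the server certificate and trusted CA chain.
    Keyring                       PAYROLL.RING
  }
  TTLSEnvironmentAdvancedParms
  {
    # Reject the connection if the client sends no valid certificate.
    ClientAuthType                Required
    TLSv1.2                       On
  }
}
```

The MITM concern from the thread is addressed here entirely in policy: the server proves its identity with the keyring certificate and the client must prove its own, while the application only ever sees cleartext on its socket.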