There is a relatively new Redpaper on how to configure TLS with TN3270: IBM z/OS IBM Personal Communications TTLS Enablement at http://www.redbooks.ibm.com/redpapers/pdfs/redp5538.pdf

ITschak

On Sat, Nov 9, 2019 at 4:08 AM Greg Boyd <gregb...@mainframecrypto.com> wrote:

> System SSL (aka TLS) will work without ICSF being active and without CEX
> cards being available. You may not like the performance and some functions
> (i.e. specifically ECC) may not work. Elliptic Curve (ECC) requires that
> CEX cards are available and ICSF is active, to drive those operations to
> the card.
>
> Keep in mind that TLS (and System SSL) have two phases:
>
> The handshake phase performs authentication and requires public/private
> keys, which rely on either CEX cards or software routines. A low number
> of handshakes per second can be handled in software, but if you have any
> volume, having the cards can provide a significant savings in MIPS as well
> as helping performance. Handshakes also do some hashing, which is done on
> the CPACF (ICSF is not required on the latest versions of z/OS).
>
> The record phase uses symmetric encryption to protect the data and hashing
> for integrity. The symmetric encryption is done on the CPACF, if you are
> using DES/TDES or AES (if that is what is negotiated). Long ago, ICSF had
> to be active to do AES, if you were running on a machine that didn't
> support AES on the CPACF hardware ... circa z/890 and z990. But ICSF is
> not required on the latest versions of z/OS; System SSL uses the native
> crypto instructions on the CPACF. Hashing for the record phase is also
> done on the CPACF (no ICSF required, on current versions of z/OS) if you
> are using SHA-1 or SHA-2.
>
> Greg Boyd
> Mainframe Crypto
> www.mainframecrypto.com
>
>
> On Fri, 8 Nov 2019 01:05:42 -0600, Barbara Nitz <nitz-...@gmx.net> wrote:
>
> >> Do we need ICSF to be running while implementing ATTLS ?
> >
> > I ran AT-TLS on a 2.1 RDT system *without* ICSF without a problem. And it
> > was for more than just TN3270 traffic at TLS 1.2. I haven't tried at a
> > higher z/OS level, but I don't think you need ICSF.
> >
> > Regards, Barbara

--
ITschak Mugzach | IronSphere Platform | Information Security Contiguous Monitoring for Legacy |

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
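The thread above describes which System SSL operations depend on ICSF and CEX hardware and which run on CPACF alone. The following AT-TLS policy fragment is an added illustration of how that maps onto a real policy; it is not taken from the Redpaper or from any of the posters. It protects an inbound TN3270 server port with TLS 1.2 only and restricts the cipher list to RSA key exchange with AES-GCM, which, per Greg's description, System SSL can service with software handshake routines plus CPACF for the record phase even when ICSF is down; the ECDHE suite is left commented out because the thread says the ECC operations need ICSF active and a CEX card. The rule, action, keyring and port names are placeholders I chose, and the statement keywords are written from memory of the policy agent syntax, so check them against the z/OS Communications Server IP Configuration Reference for your release before use.

```text
# Added example AT-TLS policy (not from the Redpaper or the thread).
# TN3270Rule, TN3270Group, TN3270Env, TN3270Ciphers, TN3270RING and
# port 992 are placeholders; verify every keyword against the IP
# Configuration Reference for your z/OS release.

TTLSRule                     TN3270Rule
{
  LocalPortRange             992
  Direction                  Inbound
  TTLSGroupActionRef         TN3270Group
  TTLSEnvironmentActionRef   TN3270Env
}

TTLSGroupAction              TN3270Group
{
  TTLSEnabled                On
  # Trace 2 logs errors only; raise it while debugging handshakes.
  Trace                      2
}

TTLSEnvironmentAction        TN3270Env
{
  HandshakeRole              Server
  TTLSKeyringParms
  {
    # SAF keyring that holds the server certificate and private key.
    Keyring                  TN3270RING
  }
  TTLSEnvironmentAdvancedParms
  {
    SSLv3                    Off
    TLSv1                    Off
    TLSv1.1                  Off
    TLSv1.2                  On
  }
  TTLSCipherParmsRef         TN3270Ciphers
}

TTLSCipherParms              TN3270Ciphers
{
  # RSA key exchange + AES-GCM: the RSA private-key operation runs in
  # System SSL software when no CEX card is present, and record-phase
  # AES and SHA-2 run on CPACF, so neither ICSF nor a CEX card is needed.
  V3CipherSuites             TLS_RSA_WITH_AES_128_GCM_SHA256
  V3CipherSuites             TLS_RSA_WITH_AES_256_GCM_SHA384
  # ECDHE adds forward secrecy, but per the thread the ECC operations
  # require ICSF to be active and a CEX card. Uncomment once both are
  # available, and list it first so it is preferred:
  # V3CipherSuites           TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
```

Two practical checks after loading the policy: the TN3270 server itself must expose the port as a TTLSPORT in its TELNETPARMS so that it defers TLS to AT-TLS, and `pasearch -t` from a UNIX shell shows whether the policy agent actually installed the TTLS rule. If the ECDHE line is enabled while ICSF is down, expect handshake failures rather than a silent fallback, which is exactly the symptom Barbara's test would not have hit with her cipher choice.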