Setting SSL/TLS encrypted communications

Important:
Encrypted communication now requires the use of AT-TLS. If SSL_REQUIRED is set to a value other than NO, ATTLS=YES must also be specified. See Using AT-TLS for encrypted communications for more information.

The sample HFICONFG configuration file member can be configured for encrypted communications by specifying SSL_REQUIRED and ATTLS=YES under the CONFIG=DEFAULT section. For example:

SSL_REQUIRED=YES
ATTLS=YES

To use other versions of TLS, see Configuration file keyword descriptions for the additional values that can be specified for the SSL_REQUIRED keyword. If TLS encryption is not required in your environment, comment out the SSL_REQUIRED line and uncomment the next line (or alter your existing line to SSL_REQUIRED=NO). If TLS is required, replace SSL_REQUIRED=YES with SSL_REQUIRED=TLSVxxx, where TLSVxxx is one of the supported TLS versions listed in the description of SSL_REQUIRED in Configuration file keyword descriptions.

If you are using ICSF and have protected resources through the CSFSERV facility class, the server user ID or group ID must be permitted to the resource, for example:

PERMIT CSF* CLASS(CSFSERV) ID(groupid) ACCESS(READ)

For more details, see the Cryptographic Services ICSF Administrator's Guide.

Considerations when using TLS 1.3

To use TLS 1.3 for communication between clients and the ZCC server, specify SSL_REQUIRED=TLSV1.3 and ATTLS=YES in the server configuration.

The SSL_REQUIRED protocol value must match a protocol supported by the configured AT-TLS rules. For more information on using AT-TLS, see Using AT-TLS for encrypted communications.
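
The two rules above (a value of SSL_REQUIRED other than NO needs ATTLS=YES, and the SSL_REQUIRED protocol must be one the AT-TLS rules support) can be checked before a configuration change is deployed. The following is an added example, not code shipped with the product. It assumes that comment lines start with * or #, that a CONFIG=<name> line opens a section, and that you supply the protocols enabled by your AT-TLS rule yourself through the hypothetical attls_protocols argument.

```python
# Assumptions (not from the product documentation): lines starting with '*'
# or '#' are comments, and a CONFIG=<name> line opens a section.
COMMENT_PREFIXES = ("*", "#")

def parse_sections(text):
    """Return {SECTION: {KEYWORD: VALUE}} built from KEYWORD=VALUE lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(COMMENT_PREFIXES) or "=" not in line:
            continue
        key, _, value = (s.strip().upper() for s in line.partition("="))
        if key == "CONFIG":
            current = sections.setdefault(value, {})
        elif current is not None:
            current[key] = value  # a repeated keyword: last one wins (assumption)
    return sections

def check_tls(text, attls_protocols=None, section="DEFAULT"):
    """Return findings for SSL_REQUIRED/ATTLS in one section (empty list = OK).
    attls_protocols is a hypothetical input: the protocol names your AT-TLS
    rule enables, written like SSL_REQUIRED values, e.g. {"TLSV1.3"}.
    """
    cfg = parse_sections(text).get(section.upper())
    if cfg is None:
        return [f"CONFIG={section} section not found"]
    ssl, attls = cfg.get("SSL_REQUIRED"), cfg.get("ATTLS")
    if ssl is None:
        return ["SSL_REQUIRED is not specified"]
    if ssl == "NO":
        return ["SSL_REQUIRED=NO: encryption is not required"]
    findings = []
    if attls != "YES":
        findings.append(f"SSL_REQUIRED={ssl} but ATTLS=YES is not specified")
    if ssl.startswith("TLSV") and attls_protocols is not None \
            and ssl not in {p.upper() for p in attls_protocols}:
        findings.append(f"{ssl} is not among the AT-TLS protocols given")
    return findings

SAMPLE = """\
* constructed sample, not a shipped HFICONFG member
CONFIG=DEFAULT
SSL_REQUIRED=TLSV1.3
*ATTLS=YES
"""

if __name__ == "__main__":
    for finding in check_tls(SAMPLE, attls_protocols={"TLSV1.2"}):
        print("FINDING:", finding)
```

The constructed sample produces two findings: ATTLS=YES is commented out, and TLSV1.3 is not in the protocol set passed for the AT-TLS rule.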