Skip to content

TLS Security

A server can be configured to use Transport Layer Security (TLS) encryption for secure communications with that server. The TLS setting applies to all ChangeMan instances defined under the server.

If TLS security is enabled, AT-TLS on the z/OS server must also be configured to use TLS on all ports for this server, as well as all ChangeMan ports under this server. Likewise, if AT-TLS on the z/OS server is configured to use TLS, the ChangeMan ZDD client must also be configured to use TLS.

Connection to the server will fail if its TLS setting does not match the AT-TLS configuration on the z/OS server.

When a connection is requested, the TLS handshake requires that the server provide a trusted server certificate, which is then authenticated by the client.

There are two ways for a company to supply a server certificate. One way is to purchase a certificate from a universally recognized and trusted certificate authority, such as Symantec, GlobalSign, or DigiCert. The Windows operating system will automatically trust certificates issued from these trusted sources, and the client users don’t need to take any action at all to allow these certificates to be accepted.

The other method, is for security administrators to issue their own self-signed certificates. A company may choose go this route, rather than purchasing a certificate from a universally trusted authority. Since a customer company is not an authority that is automatically trusted by Windows, you will need to import our your company server’s own root CA certificate into the Trusted Root Certification Authorities certificate store on each and every client machine. Since this certificate will have an expiration date, this process will have to be repeated periodically, each time the certificate approaches its expiration date. Of course, none of this is necessary, if the company purchases a universally trusted certificate.

If the server is configured to use TLS security, you can optionally log on using a client certificate, rather than supplying a password. There is a new Use certificate check box in the Logon dialog box.

The Use certificate check box is only present for servers configured to use TLS security. Logging on with a client certificate requires SerNet and ChangeMan ZMF version 8.2.2+.

The client certificate will be issued by the security administrator. The client certificate needs to be imported into the Windows Personal certificate store.

In order for the Client Pack to support client certificates for multiple RACF user ID’s, the common name on the certificate must be the same as the RACF user ID. This is the default when a RACF administrator generates the certificate. ChangeMan ZDD will not find the certificate in the certificate store if the administrator calls it something different.

Back to top