z/OS Security and PKI services

Application Transparent TLS (AT-TLS) Overview•Solution:ƒTCP/IP stack performs TLSBNo application changesrequiredBTake advantage of z/OSunique encryptionƒTLS Configuration throughsystem wide policiesƒGUI supplied to easeconfigurationƒOptional API for applicationsthat wish to be “aware” orcontrol TLS informationOptional APIs forTLS-awareapplications tocontrol start/stop ofTLS sessionEncryptedApplicationsSocketsSystem SSL callsTCPApplicationTransparentTLS policy flatfileUDPIP Networking LayerNetwork InterfacesPolicyAgent507.04.2006 IBM SystemsIPSecurity Overview – Dynamic Key Distribution• SAs can be negotiated dynamically using Internet Key Exchange (IKE) Protocolƒz/OS Cryptographic Services System Secure Sockets Layer (System SSL)ƒPhase 1 SAs are negotiated to protect IKE traffic (IKE tunnel)ƒPhase 2 SAs are negotiated to protect IP traffic (IPSEC tunnel)• IPSEC SAs provide authentication, integrity, and data privacy – 2 security protocols:ƒBased on Security Associations (SAs) – defines type of service between 2 endpointsƒAuthentication Header (AH) – authentication/integrityƒEncapsulating Security Payload (ESP) – data privacy with optional authentication• Transparent to upper layersServerandTrustedCA'sCertificateIKERACF1. Negotiate phase I Security Association (Get amaster key)2. Negotiate Security Associations (phase II)3. Generate session keys, refresh keys and SAsServerandTrustedCA'sCertificateIKERACFInstall SAs andfilters into IP stackSockets APITCP/UDPIP/ICMPData LinkIPSec Security Association(s)Sockets APITCP/UDPIP/ICMPData Link607.04.2006 IBM Systems

Previous page

Next page

1

3

5

6

7

8

9

10

12

13

14

15

16

17

18

19

z/OS Security and PKI services

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?