IBM Support

How can I determine whether TLSv1.2 is enabled for my AT-TLS connections?

Question & Answer


Question

How can I determine whether TLSv1.2 is enabled for my AT-TLS connections?

Answer

To determine whether TLSv1.2 is enabled for your AT-TLS connections:

First, display all connections that match an Application Transparent Transport Layer Security (AT-TLS) rule. To do that, do one of the following:

  • From the TSO environment, enter the command NETSTAT ALLCONN TCP tcpname (CONNTYPE TTLSPOLICY

  • From the UNIX shell environment, enter the command netstat -a -p tcpname -X TTLSPOLICY

You can determine the connid of each connection matching an AT-TLS rule from the Conn column in the Netstat ALLConn/-a report.

Next, for each connid displayed, do one of the following:

  • From the TSO environment, enter the command NETSTAT TTLS CONN connid DETAIL TCP tcpname

  • From the UNIX shell environment, enter the command netstat -x CONN connid DETAIL -p tcpname

The resulting display will show, for the specified connid:

  • The security level being used by the connection, as indicated by the value displayed in the SecLevel field, as shown in the following example: "SecLevel: TLS Version 1.2"

  • If you are running z/OS V2R1 or later, whether the TLS version 1.2 protocol is acceptable for the connection, as indicated by a value of On or Off in the TLSV1.2 field of the TTLSEnvAction section of the display. If you are running z/OS V1R13, however, you will not see TLSv1.2 On in that section, even though you correctly implemented TLSv1.2 on z/OS V1R13. That is because the TLSv1.2 AT-TLS parameter, a different method of implementing TLSv1.2, is not available until z/OS V2R1. The SecLevel value "TLS Version 1.2" (as referenced above) is your confirmation that you have correctly enabled TLSv1.2.
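
The two steps above can be scripted from the UNIX shell so that every AT-TLS connection is checked in one pass. The following is an added example, not IBM code: the function names and verdict labels are hypothetical, and the report layouts in the sample_* functions are constructed around the fields this page names (Conn, SecLevel, TTLSEnvAction, TLSV1.2), so adjust the parsing to the reports your release actually produces.

```sh
# Added example. Field names (Conn, SecLevel, TTLSEnvAction, TLSV1.2) are from
# the page; the report layouts in the sample_* functions are constructed.
# Print the Conn column value of each data row in a Netstat ALLConn/-a report.
ttls_connids() {
  awk '!c { c = index($0, "Conn"); next }   # header row fixes the column offset
       { id = substr($0, c, 8) }
       id ~ /^[0-9A-Fa-f]+$/ && length(id) == 8 { print id }'
}

# Classify one Netstat TTLS CONN ... DETAIL report read from stdin.
# Assumption: the TTLSEnvAction section ends at the next unindented line.
ttls_check() {
  awk -v id="$1" '
    /SecLevel:/ { sec = $0; sub(/^.*SecLevel:[ \t]*/, "", sec); sub(/[ \t]+$/, "", sec) }
    /^[^ \t]/   { env = ($0 ~ /^TTLSEnvAction/) }
    env && /TLS[Vv]1\.2:/ { v12 = $NF }
    END {
      if (sec == "TLS Version 1.2") verdict = "negotiated"
      else if (v12 == "On")         verdict = "allowed-not-negotiated"
      else if (v12 == "Off")        verdict = "disabled"
      else                          verdict = "unconfirmed"
      printf "%s|%s|%s|%s\n", id, sec, (v12 == "" ? "-" : v12), verdict
    }'
}

sample_allconn() { cat <<'EOF'
User Id  Conn     State
-------  ----     -----
APPSRV1  0000002B Establsh
  Local Socket:   192.0.2.10..8443
APPSRV1  0000002F Establsh
  Local Socket:   192.0.2.10..8443
EOF
}
sample_detail_v2r1() { cat <<'EOF'
  SecLevel:     TLS Version 1.1
TTLSEnvAction:  eAct1
  TLSV1.2:      On
TTLSConnAction: cAct1
EOF
}
sample_detail_v1r13() { cat <<'EOF'
  SecLevel:     TLS Version 1.2
TTLSEnvAction:  eAct1
EOF
}
# On z/OS, with the commands from the page (tcpname is your stack name):
#   for id in $(netstat -a -p tcpname -X TTLSPOLICY | ttls_connids); do
#     netstat -x CONN "$id" DETAIL -p tcpname | ttls_check "$id"; done
```

Each output line has the form connid|SecLevel|TLSV1.2 field|verdict. A verdict of allowed-not-negotiated means the policy accepts TLSv1.2 but this connection is running at a different level.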


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
19 November 2015

UID

dwa1193834