3.3.1 Setting Up the Policy Agent, AT-TLS, and Certificates
For secure transmission of data, Oracle TMA TCP for CICS utilizes IBM's Policy Agent and AT-TLS rules, along with a certificate setup in the keyring.
In z/OS Communications Server, the Policy Agent (PAGENT) implements and enforces a set of rules and policies that govern how users and applications can access network resources.
Application Transparent Transport Layer Security (AT-TLS) is IBM's solution for providing secure connectivity between SSL/TLS-enabled applications and existing mainframe applications. It enables Secure Socket Layer (SSL) security on the mainframe. It is the Policy Agent (PAGENT) that configures the encryption and decryption policies. The PAGENT policy determines which traffic on the mainframe TCP/IP stack should be secured with SSL.
AT-TLS provides a secure session on behalf of an application, so no changes to the application code are required. Oracle TMA TCP for CICS uses this feature to enable secure communication.
Refer to IBM’s z/OS Communications Server - IP CICS Sockets Guide for information on applications that use the IP CICS Sockets API for TCP/IP client-server systems with AT-TLS rules. See also the following IBM publications:
- z/OS Communications Server - IP Configuration Guide
- z/OS Communications Server - IP Configuration Reference
Setting up Keyring and Certificate
You configure certificates on the mainframe by using ESM (Enterprise Security Manager) tools such as RACF. For CICS SSL applications, the keyring's user ID must be the CICS user ID (SYSCICS). A keyring is generated for, and associated with, each CICS region.
Refer to IBM’s z/OS Security Server RACF Command Language Reference for keyring setup and for creating a self-signed CA certificate. The keyring setup requires:
- A self-signed CA certificate
- A user certificate signed by the CA certificate mentioned above
- The private key
Server Authentication
When authenticating a server, the client verifies the validity of the server's certificate, which must be signed by a trusted Certificate Authority (CA).
Client Authentication
When client authentication is used, the server verifies that the client's certificate is valid and signed by a Certificate Authority trusted by the server.
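The following Policy Agent (PAGENT) fragment is an added example, not configuration from the Oracle TMA or IBM documentation. It shows one AT-TLS rule for server authentication and one for client authentication, both using a keyring owned by the CICS user ID. The CICS job name (CICSA), the ports (4000, 4001) and the keyring name (CICSARING) are assumptions.

```conf
# Server-authentication rule: the region presents its certificate,
# clients validate it against the CA (assumed port 4000, job CICSA).
TTLSRule                   TMA-ServerAuth
{
  LocalPortRange           4000
  Jobname                  CICSA
  TTLSGroupActionRef       TMA-Group
  TTLSEnvironmentActionRef TMA-Env-ServerAuth
}
# Client-authentication rule on a second assumed port: the region also demands and validates the client's certificate.
TTLSRule                   TMA-ClientAuth
{
  LocalPortRange           4001
  Jobname                  CICSA
  TTLSGroupActionRef       TMA-Group
  TTLSEnvironmentActionRef TMA-Env-ClientAuth
}
TTLSGroupAction            TMA-Group
{
  TTLSEnabled              On
}
TTLSEnvironmentAction      TMA-Env-ServerAuth
{
  HandshakeRole            Server
  TTLSKeyringParms
  {
    Keyring                SYSCICS/CICSARING   # ring owned by the CICS user ID
  }
  TTLSEnvironmentAdvancedParms
  {
    SSLv3                  Off
    TLSv1                  Off
    TLSv1.2                On
  }
}
TTLSEnvironmentAction      TMA-Env-ClientAuth
{
  HandshakeRole            ServerWithClientAuth
  TTLSKeyringParms
  {
    Keyring                SYSCICS/CICSARING
  }
  TTLSEnvironmentAdvancedParms
  {
    ClientAuthType         Required   # Full would still accept a client that sends no certificate
    SSLv3                  Off
    TLSv1                  Off
    TLSv1.2                On
  }
}
```

Check the result with `pasearch -t` on the stack after PAGENT reloads the policy; a connection whose client certificate is missing or not signed by a CA in the keyring is rejected during the handshake under the second rule.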