11/24/2023 Zos explorer atlas zos connect

By default, connections to z/OS Connect EE must use HTTPS (and therefore TLS or SSL). However, you can disable this requirement by setting the requireSecure attribute to false on the zosconnect_zosConnectManager, zosConnectAPI, and zosconnect_zosConnectService elements of the server.xml configuration file.

As for other security controls, support for TLS with z/OS Connect EE is based on the security foundation of Liberty z/OS. Our focus in this article is, therefore, on the TLS options available with Liberty z/OS, and how to configure these with z/OS Connect EE.

The TLS handshake negotiates the security parameters of a session, and the negotiation is reliable: no attacker can modify the negotiation communication without being detected by the parties in communication.

There are two types of TLS handshake: a one-way handshake, during which only the server certificate is sent and validated, and a two-way handshake, during which both the server and the client certificates are exchanged and validated. Figure 1 shows the actions taken by the client and server during a TLS handshake, with the optional client certificate exchange in red.

The TLS Handshake Protocol involves the following steps:

- Exchange hello messages to agree on a cipher suite and a compression algorithm, exchange random values, and check for session resumption.
- Exchange the necessary cryptographic parameters to allow the client and server to agree on a premaster secret.
- Exchange certificates and cryptographic information to allow the client and server to authenticate themselves.
- Generate a master secret from the premaster secret and exchanged random values.
- Provide security parameters to the record layer.
- Allow the client and server to verify that their peer has calculated the same security parameters and that the handshake occurred without tampering by an attacker.

For more information related to the TLS handshake, see the TLS V1.2 specification.

The two-way TLS handshake offers more security but, as it involves the validation of the client certificate, the handshake may take more time to complete. For instance, in our environment the overhead in z Systems Integrated Information Processor (zIIP) consumption can go up to 2 ms. The one-way TLS handshake is suitable for simple use cases but allows any client to connect to the server, unless another method of authentication is enabled.

Table 1 outlines the main differences between one-way and two-way handshakes.

| One-way TLS handshake | Two-way TLS handshake |
| --- | --- |
| No client certificate management required (any client can connect to the server) | Allow you to establish a trusted connection with the client (only known clients can access the server) |
| | Allow you to authenticate clients (the client certificate can be mapped to a user) |
| | More processing required, with potential impact on response time and CPU time |

The cost of handshaking can be optimized by enabling persistent TCP/IP connections (see 'Persistent connections').
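As an added example (not from the original article or the z/OS Connect EE documentation), here is how the choices above look in a Liberty server.xml for z/OS Connect EE: a permissive configuration that drops the HTTPS requirement and accepts any client (one-way handshake only), beside a hardened one that keeps requireSecure, requires and validates a client certificate (two-way handshake) and keeps connections persistent so the handshake is paid once per connection rather than per request. The keyring name, ports and ids are placeholders, and the keyStore, ssl and httpOptions attributes are standard Liberty attributes assumed here, not taken from the page.

```xml
<!-- Permissive: HTTPS not required, no client certificate requested (one-way handshake only). -->
<server description="zosconnect-permissive">
    <zosconnect_zosConnectManager requireSecure="false"/>
    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443"/>
</server>

<!-- Hardened: HTTPS required, client certificate required and validated (two-way handshake),
     persistent connections enabled. Keyring name, ports and ids are placeholders for this example. -->
<server description="zosconnect-hardened">
    <!-- Keep the default: every request to z/OS Connect EE must arrive over HTTPS. -->
    <zosconnect_zosConnectManager requireSecure="true"/>

    <!-- Server certificate and the CA certificates used to validate client certificates are
         read from a RACF keyring; "password" is the fixed placeholder Liberty expects for SAF keyrings. -->
    <keyStore id="zosConnectKeyring" location="safkeyring:///ZOSCONNECT.KEYRING"
              type="JCERACFKS" password="password" fileBased="false" readOnly="true"/>

    <!-- clientAuthentication="true" makes the client certificate mandatory (two-way handshake).
         clientAuthenticationSupported="true" would request it but still admit clients without one,
         which must then authenticate by another method. -->
    <ssl id="zosConnectSSL" keyStoreRef="zosConnectKeyring" trustStoreRef="zosConnectKeyring"
         clientAuthentication="true" sslProtocol="TLSv1.2"/>
    <sslDefault sslRef="zosConnectSSL"/>

    <!-- Persistent TCP/IP connections: one handshake per connection, reused for up to
         maxKeepAliveRequests requests or until the connection idles for persistTimeout. -->
    <httpOptions id="zosConnectHttpOptions" keepAliveEnabled="true"
                 maxKeepAliveRequests="100" persistTimeout="30s"/>
    <!-- httpPort="-1" closes the plain HTTP port so only the TLS endpoint is listening. -->
    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="-1" httpsPort="9443"
                  httpOptionsRef="zosConnectHttpOptions"/>
</server>
```

Validating the hardened configuration from a client means connecting over TLS with a certificate issued by a CA in the keyring; a connection without one should be rejected at handshake time rather than reaching the API.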