Security is often one of the key concerns for installations using TCP/IP on z/OS systems. The migration from the apparently more secure SNA environment to TCP/IP, combined with the growth of Internet services based on z/OS, is increasing the demand for secure communications.
Firewalls and the Internet Security Protocol (IPSec) provide packet and network-level security, but these approaches are not always practical when providing services to a wider range of clients and do not necessarily protect the applications or application data. Secure sockets were introduced to protect individual applications by implementing user authentication and encryption at the transport layer.
This article provides a basic overview of secure sockets on z/OS systems and introduces some of the built-in support available from IBM. This article is meant to provide an introduction to the subject rather than be a definitive reference guide.
WHAT ARE SECURE SOCKETS?
Netscape invented the Secure Sockets Layer (SSL) protocol to implement security at the application level. SSL is widely used by Internet servers and Web browsers to protect sensitive transactions such as those dealing with credit card details and other personal information. SSL became standardized in 1999 with the introduction of the Transport Layer Security (TLS) protocol (RFC 2246). Because secure sockets are an application-layer protocol, they are independent of the lower-layer security protocols and can therefore coexist with firewalls and IPSec tunnels.
Figure 1 shows the positioning of SSL/TLS when compared to firewall and IPSec technologies.
Secure sockets are based on public/private key encryption, exploiting the use of digital certificates. A digital certificate is defined by the X.509 standard and is effectively a file that contains the encrypted details of the certificate owner. To be valid, a digital certificate must be requested and subsequently approved (“signed”) by a trusted Certificate Authority (CA). A certificate can be requested from a CA on behalf of an individual end user, an organization, or even a specific application. For maximum security, both the server end and the client end of a secure sockets connection should have a digital certificate signed by a trusted CA.
Secure sockets provide four key security functions:
- Client Authentication — allows the server application to be certain of the identity of the client application or end user
- Server Authentication — allows the client application to be certain of the identity of the server application
- Message Authentication — allows both the client and server applications to be certain that the data exchanged has not been modified by an intermediate node during transmission
- Message Confidentiality — allows both the client and server applications to be certain that the data exchanged has not been “read” by an intermediate node during transmission.
HOW DO SECURE SOCKETS WORK?
Secure socket protocols are implemented between the application layer and the TCP layer. Normal TCP communications protocols are still used between the connection’s partners. Therefore, with one exception (which I will discuss later), no changes should be required to system, router, or firewall definitions. Remember that SSL functionality is required at both ends of a connection: if one application is encrypting data, something at the other end has to decrypt it.
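The two points above can be observed directly. The following is an added example, not part of the original article and not a z/OS API: it uses generic Python to point a TLS client at a server that speaks only plain TCP, showing that the handshake travels as ordinary TCP data and that it fails when the other end has no secure sockets support. The loopback address, ephemeral port, and plaintext reply are constructed for the illustration.

```python
import socket
import ssl
import threading

def tls_client_vs_plain_server():
    """Point a TLS client at a server that only speaks plain TCP.

    Returns (bytes the server received, client-side error text)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # constructed setup: loopback, ephemeral port
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]
    seen = {}

    def plain_server():
        conn, _ = listener.accept()
        with conn:
            # Ordinary TCP delivers the client's TLS handshake as plain bytes.
            seen["data"] = conn.recv(16384)
            # This end has no TLS support, so it answers with unencrypted text.
            conn.sendall(b"HELLO, PLAINTEXT ONLY\r\n")

    worker = threading.Thread(target=plain_server)
    worker.start()
    ctx = ssl.create_default_context()  # standard verifying client
    error = None
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost"):
                pass  # only reached if the handshake completes
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        error = f"{type(exc).__name__}: {exc}"
    worker.join()
    listener.close()
    return seen.get("data", b""), error

def parse_record_header(data):
    """Decode the 5-byte TLS record header: type, (major, minor), length."""
    return data[0], (data[1], data[2]), int.from_bytes(data[3:5], "big")

if __name__ == "__main__":
    received, error = tls_client_vs_plain_server()
    ctype, version, length = parse_record_header(received)
    print(f"server saw record type {ctype} (22 = handshake), "
          f"version {version}, {length} bytes of handshake data")
    print("client handshake failed:", error)
```

The client refuses to send any application data because the handshake never completes, which is the behaviour to expect when only one partner of a connection has been enabled for secure sockets.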