XCOM r12 with AT-TLS

Document ID : KB000111787
Last Modified Date : 21/08/2018
Question:
Customer is going to install and configure AT-TLS for many applications, and XCOM is targeted to be one of them. I've researched the KB and found this article:

https://comm.support.ca.com/kb/ca-xcom-for-z-os-with-at-tls/kb000111027

Basically, it says it should work, but is not certified/tested. Here are several questions:

A) Does that KB article refer to securing the SERVPORT port with an AT-TLS policy? That is, security would be handled by AT-TLS instead of XCOM per se?
B) XCOM has 2 parameters that determine which ports are used by the Server as listeners: SERVPORT and SSLPORT. Currently, customer is only using SERVPORT on a non-secure port. If they want to have 2 ports, one secure and one non-secure, they would need to leave the SERVPORT non-secure, and define an SSLPORT. Would using the SSLPORT keyword trigger XCOM to look for SSL configuration "outside" AT-TLS policy? In other words: could you use an SSLPORT with no configuration to let AT-TLS handle that?
 
Environment:
XCOM r12 for z/OS
Answer:
Knowledge Document kb000111027 basically answers the question of whether XCOM r12 is compatible with AT-TLS. The answer is that we don't see it having a problem, but XCOM r12 has not been tested/certified with AT-TLS. Because of that, we do not know what problems, if any, may be encountered.

A non-secured port, which is identified by parameter SERVPORT, can be implemented to use AT-TLS with XCOM r12. The encryption of the data will then occur at the AT-TLS level. If you have implemented a secured port, which is identified by parameter SSLPORT, and use SSL certificates, then the encryption of the data will occur at the SSL level. AT-TLS can also be implemented for a secured port being used by XCOM, but the data will then be encrypted twice: once by SSL and then by AT-TLS. Implementing this adds overhead to transfer performance, and a user would need to keep that in mind when questioning such performance, because that would be out of XCOM scope.

XCOM also allows you to implement IPv6 ports, which can be identified with parameters SERVPORTV6 and SSLPORTV6. Please refer to the XCOM r12 manuals for details on the parameters.
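
The layering described in this answer can be checked before a policy is activated. The following is an added example, not CA or IBM code: it reads the XCOM listener parameters and the AT-TLS policy text and reports which layer(s) would encrypt each port, so a secured port that would be encrypted twice stands out. The port numbers, rule names and the `KEY=value` parameter layout are constructed assumptions, and the check is simplified: it matches rules by `LocalPortRange` only (ignoring job name, direction and `LocalPortRangeRef`), treats a second number after `LocalPortRange` as the end of the range, and assumes a defined SSLPORT means XCOM's own SSL is active.

```python
import re

# Constructed sample inputs; ports, names and KEY=value layout are assumptions.
XCOM_PARMS = "SERVPORT=8044\nSSLPORT=8045\nSERVPORTV6=8046\n"
ATTLS_POLICY = """
TTLSRule XCOM_Serv
{
  LocalPortRange 8044
  TTLSGroupActionRef grp_on
}
TTLSRule XCOM_Ssl
{
  LocalPortRange 8045
  TTLSGroupActionRef grp_on
}
TTLSGroupAction grp_on
{
  TTLSEnabled On
}
"""

def xcom_ports(text):
    """Map each XCOM listener parameter named in the KB to its port."""
    found = re.findall(r"^\s*((?:SERV|SSL)PORT(?:V6)?)\s*=\s*(\d+)", text, re.M)
    return {name: int(port) for name, port in found}

def attls_ranges(policy):
    """Local port ranges of TTLSRules whose group action has TTLSEnabled On."""
    enabled = {name for name, body in
               re.findall(r"TTLSGroupAction\s+(\S+)\s*\{(.*?)\}", policy, re.S)
               if re.search(r"TTLSEnabled\s+On\b", body)}
    ranges = []
    for body in re.findall(r"TTLSRule\s+\S+\s*\{(.*?)\}", policy, re.S):
        ref = re.search(r"TTLSGroupActionRef\s+(\S+)", body)
        port = re.search(r"LocalPortRange\s+(\d+)(?:[ \t-]+(\d+))?", body)
        if ref and port and ref.group(1) in enabled:
            ranges.append((int(port.group(1)), int(port.group(2) or port.group(1))))
    return ranges

def classify(parms, policy):
    """Return {parameter: [encryption layers]}; two layers means double encryption."""
    ranges = attls_ranges(policy)
    report = {}
    for name, port in xcom_ports(parms).items():
        layers = ["SSL"] if name.startswith("SSL") else []
        if any(low <= port <= high for low, high in ranges):
            layers.append("AT-TLS")
        report[name] = layers
    return report
```

Calling `classify(XCOM_PARMS, ATTLS_POLICY)` on the sample returns one layer for SERVPORT, two for SSLPORT and none for SERVPORTV6, which is the non-secured port the sample policy does not cover.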

 
Additional Information:
If you are interested in creating or voting for an existing Idea on this subject you can:

Create an Idea: 

- log on to support.ca.com
- click on "Communities" link on top of page 
- in the drop down click on "CA Mainframe" under the "Mainframe Communities" heading. 
- once the page refreshes you can scroll down and on the left of the page you will see that "CA XCOM Data Transport" is listed as part of the "Products Covered" heading. Click on it. 
- the page will refresh and you will need to log in once again. So click on the Log In link and use your same credentials for support.ca.com if required. 
- once again the page will refresh and now you can click on the Actions drop down link on the right side of the screen and select the "Idea" link 
- A form will be provided for you to create your Idea. Once you fill it out click on the Publish button on the bottom of the screen. 

Search for existing Idea and vote: 

- log on to support.ca.com
- click on "Communities" on top of page 
- in the drop down click on "CA Mainframe" under the "Mainframe Communities" heading. 
- once the page refreshes you can scroll down and on the left of the page you will see that "CA XCOM Data Transport" is listed as part of the "Products Covered" heading. Click on it. 
- the page will refresh and you will need to log in once again. Not sure why. So click on the Log In link and use your same credentials for support.ca.com if required. 
- once the page refreshes you can click on the "light bulb" icon next to the "All Content(nnn)" heading 
- all Ideas are listed, but you can enter text in the filter field to search for an existing Idea.