3 Security Features

This chapter describes the specific security mechanisms offered by ELS.

Securing ELS with AT-TLS – z/OS Only

The IBM z/OS Application Transparent Transport Layer Security (AT-TLS) facility uses SSL data encryption to secure z/OS TCP/IP applications. For more information on AT-TLS, refer to the IBM publication z/OS Communications Server: IP Configuration Guide, and see the AT-TLS Policy Agent information in the IBM publication z/OS Communications Server: IP Configuration Reference.

Securing ELS client/server communications between SMC and HSC/VTCS is described in the Oracle white paper Using AT-TLS with HSC/SMC Client/Server z/OS Solution: Implementation Example. This white paper is published on the Oracle Technical Network in the Tape Storage Products section. Refer to this publication for detailed configuration information.

To secure ELS with AT-TLS, Oracle recommends using any of these SSL cryptographic algorithms:

  • SHA-2 family (SHA-256, SHA-384, SHA-512)

  • AES >= 128-bit

  • RSA >= 2048-bit

  • Diffie-Hellman (DH) >= 2048-bit

  • ECC >= 256-bit

Any other SSL cryptographic algorithms provide weaker protection and should not be used with ELS.
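
The following added example (not part of the Oracle documentation or of ELS) shows one way to audit a proposed cipher suite list and key sizes against the recommendations above. It assumes IANA-style cipher suite names; the function names and the sample input are hypothetical and constructed for illustration.

```python
import re

# Minimum key sizes (bits) and hash family, taken from the list above.
MIN_KEY_BITS = {"RSA": 2048, "DH": 2048, "ECC": 256}
SHA2 = {"SHA256", "SHA384", "SHA512"}
# Key-exchange/authentication tokens in suite names, mapped to the listed families.
KX_FAMILY = {"RSA": "RSA", "DH": "DH", "DHE": "DH",
             "ECDH": "ECC", "ECDHE": "ECC", "ECDSA": "ECC"}
SUITE_RE = re.compile(r"TLS_(?:(?P<kx>.+)_WITH_)?(?P<enc>.+)_(?P<mac>[A-Z0-9]+)")

# Name-based only: a suite whose name has no hash suffix (for example ..._CCM) is reported for review.
def check_suite(name):
    """Return the reasons an IANA-style cipher suite name falls outside the list."""
    m = SUITE_RE.fullmatch(name)
    if not m:
        return ["unrecognised suite name"]
    problems = []
    aes = re.match(r"AES_(\d+)(?:_|$)", m["enc"])
    if not aes:
        problems.append(f"cipher {m['enc']} is not AES")
    elif int(aes.group(1)) < 128:
        problems.append(f"AES key of {aes.group(1)} bits is below 128")
    if m["mac"] not in SHA2:
        problems.append(f"hash {m['mac']} is not in the SHA-2 family")
    for token in (m["kx"] or "").split("_"):
        if token and token not in KX_FAMILY:
            problems.append(f"key-exchange token {token} is not RSA, DH or ECC")
    return problems

def check_key(family, bits):
    """True when a certificate key or DH group meets the listed minimum size."""
    return family in MIN_KEY_BITS and bits >= MIN_KEY_BITS[family]

def audit(suites, keys):
    """Map each failing suite or key label to the reasons it fails."""
    report = {s: p for s in suites if (p := check_suite(s))}
    for label, (family, bits) in keys.items():
        if not check_key(family, bits):
            report[label] = [f"{family} key of {bits} bits does not meet the listed minimum"]
    return report

# Constructed sample input, not taken from any real configuration.
SUITES = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA",
          "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA256"]
KEYS = {"server certificate": ("RSA", 1024), "DH group": ("DH", 2048)}

if __name__ == "__main__":
    for item, reasons in audit(SUITES, KEYS).items():
        print(f"{item}: {'; '.join(reasons)}")
```

A cipher suite name does not carry the RSA, DH or ECC key size, so those are checked separately from the certificate and key-exchange parameters.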

Note:

The StorageTek Virtual Library Extension (VLE) appliance for VSM does not currently support AT-TLS communications. Do not secure ELS VLE communications with AT-TLS.

Using the ELS XAPI Security Feature

ELS 7.3 introduces a new XAPI security feature for client-server communication, enabled by default in the SMC HTTP server. The XAPI security feature provides additional user authentication facilities as part of the XAPI protocol that are internal to and wholly contained within ELS. To use the XAPI security feature, you must define security credentials (userids and passwords) for ELS clients and servers. ELS 7.3 TapePlex operations use these security credentials to secure XAPI transactions (mount, dismount, volume lookup, scratch, and so on). XAPI security credential usage is completely transparent and requires no additional user or operator intervention. Refer to Configuring and Managing SMC 7.3 for more information about configuring the XAPI security feature.

The preferred method for securing XAPI transactions for TapePlexes that host ELS client applications only (SMC and VM Client) is to use the AT-TLS facilities as described in "Securing ELS with AT-TLS – z/OS Only". AT-TLS is a transport layer facility that is external and transparent to ELS.

Use the ELS 7.3 XAPI security feature to secure TapePlexes that host non-ELS clients (open systems clients) or a mixture of ELS clients (SMC and VM Client) and non-ELS clients. AT-TLS can be used in these environments in addition to the ELS 7.3 XAPI security feature, but it will not secure XAPI transactions for non-ELS clients.