Security Configurations for Mainframe Integration Components

This section provides details about the security configurations for communication between Identity Security Cloud, the Connector Gateway, and Mainframe Connectors.

There are three components to carry out all the transactions which support Mainframe Integration:

  • Identity Security Cloud

  • Connector Gateway

  • Mainframe Connector.

It is crucial to secure the communication channels between these three components. The security mechanisms supported by the Mainframe integration include:

  • TLS Communication – TLS for the following communication channels must be enabled to secure the complete solution:
    • TLS between Identity Security Cloud and Connector Gateway
    • TLS between Connector Gateway and Mainframe Connector
  • Client Authentication: Configurations in the Mainframe Connector – The Mainframe-based connectors support Client Authentication. Client Authentication verifies every incoming request from Identity Security Cloud before executing them. To ensure the authentication process works correctly, the Mainframe Connector expects the client to send credentials with every registered user's request. Before processing a request, the Mainframe Connector first confirms that the user that requested it is authorized to perform transactions.
  • Upgrade considerations

    • Apply FSD0116 on the Mainframe Connector.

    • Install the latest Connector Gateway.

      You can download the latest Connector Gateway at the Mainframe Connector Downloads page.

  • To enable TLS between Identity Security Cloud and Connector Gateway

    • The X.509 certificate with CN part of the <domainName> must match with FQDN of the system running Connector Gateway.

    • If the certificate is not available, create a CSR (Certificate Signing Request) from the Connector Gateway machine.

    • Submit the CSR to a trusted (internal or third party) CA for signing. Ensure that the CA is on a trusted root CA list of the machine.

  • To enable TLS between Connector Gateway and Mainframe Connector

    • The following respective components for z/OS versions must be installed for TLS communication:

      z/OS Version

      Cryptographic Services

      z/OS Security Level 3

      z/OS 3.1

      System SSL Base: FMID HCPT460

      System SSL Security Level: FMID JCPT461

      z/OS 2.5

      System SSL Base: FMID HCPT450

      System SSL Security Level: FMID JCPT451

      z/OS 2.4

      System SSL Base: FMID HCPT440

      System SSL Security Level: FMID JCPT441

  • To utilize available hardware cryptography for performance and advanced features, the task started by CSF must be active in the system where the Mainframe application server is active.

  • Configure an AT-TLS policy on Mainframe system. For more information, refer to Implementing AT-TLS Policy for Mainframe Connector Communication.

  • The X.509 certificate with the CN part of the <domainName> must match with FQDN of the system running the Mainframe Connector.

  • If the certificate is not available, create a CSR (Certificate Signing Request) from the Mainframe machine.

  • Submit the CSR to a trusted (internal or third party) CA for signing. Ensure that the CA is on a trusted root CA list of the machine.

Refer to Connector Gateway (CG) and Mainframe Connectors - Frequently Asked Questions (FAQ) and Troubleshooting for any issues.