Modernization Hub

HTTPS - HTTP Secure

Enhanced Definition

HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP. On z/OS, it provides encrypted communication and secure identification for web-based access to mainframe applications and data, ensuring data privacy and integrity between a client (e.g., web browser, mobile app) and a z/OS-based web server or application.

Key Characteristics

    • Encryption: Utilizes SSL (Secure Sockets Layer) or its successor, TLS (Transport Layer Security), to encrypt data exchanged between the client and the z/OS server, preventing eavesdropping and tampering.
    • Authentication: Employs digital certificates, typically managed by RACF or other z/OS security managers, to verify the identity of the z/OS server to the client, assuring the client is connecting to the legitimate server.
    • Default Port: Operates over TCP port 443 by default, distinguishing it from standard HTTP traffic on port 80.
    • Protocol Layering: Functions by layering the SSL/TLS security protocol on top of HTTP, allowing HTTP messages to be securely transmitted within the encrypted tunnel.
    • z/OS Implementation: Can be implemented transparently via z/OS Communications Server's AT-TLS (Application Transparent Transport Layer Security) or explicitly by applications using System SSL APIs.

Use Cases

    • Secure Web Access to Mainframe Applications: Providing secure browser-based access to applications hosted on z/OS, such as CICS Web Support, IMS WebSphere Application Server, or custom Java applications running in a z/OS USS environment.
    • API Communication: Securing RESTful API calls to mainframe resources via z/OS Connect EE, enabling secure integration with distributed applications and cloud services.
    • z/OS Management Interfaces: Ensuring secure access to web-based z/OS management tools like z/OSMF (z/OS Management Facility) for system administration and automation.
    • Secure Data Transfer: Facilitating the secure exchange of sensitive data between external systems and mainframe data sources (e.g., DB2, VSAM) through web services or specialized secure file transfer protocols built on HTTPS.

Related Concepts

HTTPS is fundamentally built upon HTTP for communication and SSL/TLS for security. On z/OS, its implementation heavily relies on z/OS Communications Server for TCP/IP networking, RACF (or equivalent) for managing digital certificates and key rings, and AT-TLS for transparent encryption. Middleware like CICS Web Support, IMS Connect, and z/OS Connect EE are designed to leverage HTTPS to secure their web-enabled interfaces and APIs, integrating the mainframe securely into enterprise architectures.

Best Practices

  • Leverage AT-TLS: For most applications, configure AT-TLS in z/OS Communications Server to offload SSL/TLS processing from applications, simplifying development and centralizing security policy management.
  • Strong Cipher Suites: Configure AT-TLS policies and application-level SSL/TLS settings to use only strong, modern TLS cipher suites and protocols, disabling older, vulnerable versions like SSLv3 or TLS 1.0/1.1.
  • Certificate Management: Implement robust processes for managing digital certificates, including regular renewal, secure storage of private keys in RACF key rings, and timely revocation of compromised certificates.
  • Performance Optimization: Utilize zIIP (System z Integrated Information Processor) for System SSL cryptographic operations where applicable, to reduce CPU consumption on general purpose processors.
  • Security Auditing: Regularly audit AT-TLS configurations, RACF certificate definitions, and application logs for TLS handshake failures or certificate-related errors to ensure continuous security and compliance.
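
An added example (not part of the original page and not IBM tooling) of the auditing practice above: a Python check that scans an AT-TLS policy fragment for the old protocol versions named under Strong Cipher Suites. The statement and parameter names are assumed to follow Policy Agent's TTLSEnvironmentAdvancedParms and TTLSCipherParms syntax; the sample policy, the statement names in it, and the weak-cipher token list are constructed for this example.

```python
import re

# Constructed AT-TLS policy fragment for illustration; not taken from a real system.
SAMPLE_POLICY = """\
TTLSEnvironmentAdvancedParms legacy_web_adv
{
  SSLv3    Off
  TLSv1    On     # kept for an old client
  TLSv1.1  On
}
TTLSEnvironmentAdvancedParms api_adv
{
  TLSv1    Off
  TLSv1.1  Off
  TLSv1.2  On
}
TTLSCipherParms legacy_web_ciphers
{
  V3CipherSuites  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}
"""

OLD_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")   # versions the page says to disable
WEAK_TOKENS = ("NULL", "EXPORT", "RC4", "DES", "MD5")  # assumed local weak-cipher list
BLOCK = re.compile(r"^(\w+)\s+(\S+)\s*\{(.*?)\}", re.S | re.M)

def audit_policy(text):
    """Return sorted (statement_name, severity, message) findings."""
    text = re.sub(r"#.*", "", text)  # drop comments before parsing
    findings = []
    for kind, name, body in BLOCK.findall(text):
        pairs = [p for p in (ln.split() for ln in body.splitlines()) if len(p) == 2]
        if kind == "TTLSEnvironmentAdvancedParms":
            state = {key: value.lower() for key, value in pairs}
            for proto in OLD_PROTOCOLS:
                if state.get(proto) == "on":
                    findings.append((name, "FAIL", f"{proto} is On"))
                elif proto not in state:  # unset: the default applies, so ask for an explicit Off
                    findings.append((name, "WARN", f"{proto} not set explicitly"))
        elif kind == "TTLSCipherParms":
            for key, suite in pairs:
                if key == "V3CipherSuites" and any(t in suite for t in WEAK_TOKENS):
                    findings.append((name, "FAIL", f"weak suite {suite}"))
    return sorted(findings)

if __name__ == "__main__":
    for name, severity, message in audit_policy(SAMPLE_POLICY):
        print(f"{severity:4} {name}: {message}")
```

The check reads each named statement on its own and does not follow references between TTLSRule, action and parameter statements, so a finding identifies the statement to fix, not the connections it applies to.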
