A first-person account of migrating 30 z/OS mainframe services from per-application TLS management to centralized TLS enforcement using AT-TLS (z/OS Communications Server). Before the change, 22% of connections still negotiated deprecated TLS 1.0/1.1 despite all services having TLS configured. The solution moved TLS policy to the TCP/IP stack via PAGENT rules, requiring no application code changes. A 12-week, 5-phase rollout achieved 100% encrypted session coverage, eliminated monthly configuration drift, and upgraded all connections to TLS 1.3. Performance overhead was minimal due to CPACF hardware offload. The post also covers limitations: AT-TLS only handles transport encryption and can erode defense-in-depth culture if teams stop thinking about security above the transport layer.
Table of contents
The Real Cost of Distributed TLS Ownership
Centralize at the Transport Layer
What a Controlled Rollout Looks Like
The Numbers That Matter
What AT-TLS Won’t Solve
The Takeaway
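As an added illustration, not taken from the post, this is a PAGENT AT-TLS policy fragment of the kind the migration relies on: a TTLSRule binds inbound connections on an application port to an environment that turns TLS 1.0/1.1 off and leaves only TLS 1.2/1.3 on, so the protocol floor is enforced in the TCP/IP stack regardless of what the application itself negotiates. The rule and action names, the port, the key ring and the cipher list are assumptions chosen for the example.

```text
# Added example policy for the Policy Agent (PAGENT); names and values are assumed.
# One rule per listening port (or per job name) replaces per-application TLS setup.
TTLSRule                          AppSvc01InboundRule
{
  LocalPortRange                  8443          # assumed application port
  Direction                       Inbound
  Priority                        100
  TTLSGroupActionRef              EnforcedGroup
  TTLSEnvironmentActionRef        ServerTls13Env
}

TTLSGroupAction                   EnforcedGroup
{
  TTLSEnabled                     On            # stack performs the handshake
}

TTLSEnvironmentAction             ServerTls13Env
{
  HandshakeRole                   Server
  TTLSKeyringParms
  {
    Keyring                       APPSVC.RING   # assumed RACF key ring
  }
  TTLSEnvironmentAdvancedParms
  {
    # Deprecated versions are refused here; applications cannot re-enable them.
    SSLv3                         Off
    TLSv1                         Off
    TLSv1.1                       Off
    TLSv1.2                       On
    TLSv1.3                       On
  }
  TTLSCipherParmsRef              ModernCiphers
}

TTLSCipherParms                   ModernCiphers
{
  # TLS 1.3 suites first; AEAD-only TLS 1.2 suites as fallback.
  V3CipherSuites                  TLS_AES_256_GCM_SHA384
  V3CipherSuites                  TLS_AES_128_GCM_SHA256
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
```

After activating the policy, the TLS version actually negotiated per connection can be checked with the Communications Server network management tools (for example, a Netstat connection display with the TTLS option), which is how the drift described in the post becomes measurable.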