More and more Db2 for z/OS users require AT-TLS encryption for their Db2 connections. However, there is still a lot of confusion which steps are necessary to configure the z/OS components as well as Db2 clients for AT-TLS connections. This becomes even more complicated if client certificate authentication against Db2 for z/OS is required. This presentation describes the essential steps on the z/OS side (with RACF, TCP/IP and Db2 involved) as well on the client side (with Java and non-Java applications) to achieve this goal. Special focus is on securing Db2 REST services and accessing them from Java and non-Java applications via AT-TLS.