I'm not sure where you're management got their information about SSL being less secure than SSH. With the SSL configuration, you can configure it to use different ciphers, one of them being AES.
Yes, as stated by others, SSH and SSL use Public key processing. And no you do not have to pay Verisign, or someone else, for setting up the ssl certificate. If all your TN3270 traffic is on your internal network, then you create a CERTAUTH certificate, and then create another certificate, signed by your inhouse CERTAUTH. Add them both to the keyring, make your 2nd certificate the default, and then just make the CERTAUTH certificate available to your systems that are running the TN3270 client (if windows based, you can use Microsoft's SMS to push it to all the desktops and servers). Once the SSL negotiation is done, ALL traffic is then encrypted using a key that is generated during the SSL negotiation, and the agreed upon cipher, thus all your passwords and other data is encrypted. Peter On Tue, 25 Aug 2009 13:25:19 -0700, John Mattson <[email protected]> wrote: >EXCELLENT Question. The kind on insight I need here. > We use Rumba, running on a Windows server to talk allow 3270 type >communication from users on Windows boxes who need to access our zOS >system, TSO, CICS, and some VTAM apps. >Problem is that PCI and JSOX do not think this is sucure... and it is >certainly not secure enough. Users are on our internal net, or coming in >thru VPN to our internal net, firewalls on the network, not zOS. > Management seems to believe that SSL is not sufficient, they must >have SSH and I am working on getting IBM Ported Tools installed. Just >where the TN3270 would go, server or user PC... etc, most everything is up >in the air at this point. > I am also looking at what is involved in putting a firewall on >zOS, and framkly, I am WAY over my head. > > > >"Patrick O'Keefe" <[email protected]> >Sent by: IBM Mainframe Discussion List <[email protected]> >08/25/2009 12:43 PM >Please respond to >IBM Mainframe Discussion List <[email protected]> >Expire Date: 08/25/2011 > > >To >[email protected] >cc > >Subject >Re: Need new 3270 emulator: SSH, inexpensive, reliable > > > > >On Tue, 25 Aug 2009 10:35:18 -0700, John Mattson ><[email protected]> wrote: >> ... Management ... now wants a SSH based >3270 emulation for >accessing mainframe TSO, CICS, and such apps. >... >> Uh, something I've missed in the thread so far: What are you going to >talk to? Does some vendor produce an SSH-based Tn3270 server? Or are you > >> going to talk with some server that includes a Tn3270 client that then >connects to the local z/CS Tn3270 server? (Maybe something sort of like >HATS > except with some special SSH client rather than a browser.) Or >something else I can't envision? >> It looks to me like somebody has tried to define a solution rather >defining the problem and then looking for solutions that address it. >> Pat O'Keefe > > >---------------------------------------------------------------------- >For IBM-MAIN subscribe / signoff / archive access instructions, >send email to [email protected] with the message: GET IBM-MAIN INFO >Search the archives at http://bama.ua.edu/archives/ibm-main.html ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
