John Mattson writes:

> Tell me more about "self-sign"... We have users outside of our Domain, and we do not want to manage PC's and Certs for users around the world.

Ah, now I see the source of your confusion. TLS and SSL do not require client certificates. TLS/SSL supports them if you want some more security capabilities, but they are certainly not required. If all you want to do is encrypt the connection(s), then all you need is one certificate installed and configured on the server, i.e. on your mainframe.

You can generate such a certificate yourself, right in z/OS, and that would be what's called a self-signed certificate. That works fine for testing. At a very high level what you'd do is use RACDCERT (or GSKKYMAN) to generate the server certificate, add it to your keyring, and make sure the TN3270E server is configured to use it.

You should not run this way for very long. The reason is that most TN3270E clients are going to see warning messages when they connect to an encrypted server using a self-signed certificate. Those warning messages indicate to the user that the server may or may not be authentic. That is, there is no way for the client to be sure (or at least have some degree of confidence) that the server identity is validated. The connection is encrypted, yes, but the server could be "spoofed." Said another way, the client could be talking secretly, privately, with a criminal enterprise. :-) That's why certificate authorities exist, to verify that particular servers have particular identities -- that mainframe.epson.com really is mainframe.epson.com, for example.

So I do recommend one of two things. Either buy a single server certificate from a well-known certificate authority, or configure z/OS PKI Services so that it is a "child" of a well-known certificate authority root (which you also have to buy). In your case, since you're just getting started, I would advise doing the former -- the one-off server certificate purchase. (The latter path is available if you ever want to generate lots and lots of certificates. Basically you would buy subsidiary rights from the well-known certificate authority to generate certificates yourself for, say, *.mainframe.epson.com and its client users.)

You seem to be worried about cost. Have you actually looked at the price of server certificates? :-) They start under US $20 per year. (Granted, the cheapest ones are from somewhat less known well-known CAs, but they're still far, far better than self-signed.) I'll make a generous and exclusive offer here (one-time only): assuming there are no laws that would be violated, I'll send you $20 so you can buy a certificate if you can't find the money in the sofa cushions. :-) Contact me offline if you need that.

When you are using TLS or SSL encryption, everything flowing over the TN3270E connection is encrypted, including what the user types in to sign on. It's very similar to HTTPS, actually. (Same encryption scheme, different protocol riding on it.)

Hope that helps!

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Based in Tokyo, Serving IBM Japan / Asia-Pacific
E-Mail: [email protected]

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
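An added walk-through of the two paths discussed in the reply above (a self-signed certificate for testing, then replacing it with a purchased CA-signed one and pointing the TN3270E server at the keyring), written as batch TSO RACDCERT commands plus a telnet profile fragment; this is not code from the original post. The user ID TCPIP, ring name TN3270RING, label TN3270SRV, the data set names, the subject DN and port 992 are all assumed values.

```tso
/* Assumed: TCPIP is the user ID the TN3270E server runs under.      */
/* Step 1: self-signed server certificate (fine for testing only).   */
RACDCERT ID(TCPIP) GENCERT +
   SUBJECTSDN(CN('mainframe.epson.com') O('Epson') C('US')) +
   WITHLABEL('TN3270SRV') +
   NOTAFTER(DATE(2026-12-31))

/* Create the keyring and make that certificate its default.         */
RACDCERT ID(TCPIP) ADDRING(TN3270RING)
RACDCERT ID(TCPIP) CONNECT(ID(TCPIP) LABEL('TN3270SRV') +
   RING(TN3270RING) DEFAULT)
SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH

/* Step 2 (recommended): replace it with a CA-signed certificate.    */
/* Generate a signing request from the same key pair; send it to     */
/* the CA you bought the certificate from.                           */
RACDCERT ID(TCPIP) GENREQ(LABEL('TN3270SRV')) DSN('TCPIP.TN3270.CSR')

/* When the signed certificate and the CA root come back, trust the  */
/* root and re-add the signed cert under the same label so it        */
/* replaces the self-signed one (RACF matches on the private key).   */
RACDCERT CERTAUTH ADD('TCPIP.CAROOT.CERT') WITHLABEL('WELLKNOWNCA') TRUST
RACDCERT ID(TCPIP) ADD('TCPIP.TN3270.SIGNED') WITHLABEL('TN3270SRV')
RACDCERT ID(TCPIP) CONNECT(CERTAUTH LABEL('WELLKNOWNCA') RING(TN3270RING))
SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH

/* Check the result: the issuer shown for TN3270SRV should now be    */
/* the CA, not the certificate's own subject.                        */
RACDCERT ID(TCPIP) LISTRING(TN3270RING)
RACDCERT ID(TCPIP) LIST(LABEL('TN3270SRV'))

/* --- TN3270E profile fragment (a separate telnet profile member;   */
/* --- in that syntax ';' starts a comment).                          */
TELNETGLOBALS
   KEYRING SAF TN3270RING     ; ring owned by the server's user ID
ENDTELNETGLOBALS
TELNETPARMS
   SECUREPORT 992             ; TLS on the usual secure TN3270E port
   CONNTYPE SECURE            ; every session on this port is encrypted
   CLIENTAUTH NONE            ; server certificate only, no client certs
ENDTELNETPARMS
```

Until step 2 is done, clients will still raise the self-signed warning described above; after it, they validate the chain to the purchased CA root with no prompt.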

