George,

You should at least get the freebie encryption turned on for the box.  The
lack of the SERVAUTH setup can have a deleterious effect if you have a
UACC(NONE) at the wrong level and then specify TCPCONFIG TLS, which will stop
all other services from starting up.  You can use OBEY to change the TCPCONFIG
dynamically and avoid it.

Once the negotiation has completed, the encryption will start using some
sort of symmetric ... which the freebie will help out with performance.

Rob Schramm
Senior Systems Consultant



On Tue, Feb 7, 2012 at 6:24 PM, Henke, George <[email protected]> wrote:

> tyvm, Tom
>
> When you say crypto hardware is not necessary but preferred, do you mean
> we do not have to enable the cryptographics cards to turn on TLS?
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On
> Behalf Of Tom Ambros
> Sent: Tuesday, February 07, 2012 2:54 PM
> To: [email protected]
> Subject: Re: TLS, AT-TLS, Encryption Requirements
>
> Make sure you understand the SERVAUTH EZB.INITSTACK.** requirements for
> things like OMPROUTE and use DELAYSTART if you're autologging things.
>
> We're considering whether it is worth changing up parent-child
> relationships in SA because it can be disconcerting to see lots of
> ICH408I messages before Policy Agent installs the TLS policy.  Once you
> see some of those you are obliged to inspect to make sure that whatever
> issued it was intelligent enough to recover; the smart thing is to stamp
> them all out in your sandbox first.  That's pretty much where we sit right
> now; we have questions about certain requirements with IKE and NSS which
> hold up our rollout, so production experience is not to be had here yet.
>
> I believe your emulator needs to be capable, my old Attachmate was not.
>
> Encryption will run anywhere, but it's like what they ask you if you want
> to play baccarat.  "Do you have a lot of money?"  Crypto hardware not
> necessary but preferred.
>
> In our case, we're playing around with automatic VPN tunneling because
> relying on products on a desktop to be capable is not always possible.
>
> Thomas Ambros
> Operating Systems and Connectivity Engineering
> 518-436-6433
>
>
>
>
>
> From:   "Henke, George" <[email protected]>
> To:     [email protected]
> Date:   02/07/2012 14:32
> Subject:        TLS, AT-TLS, Encryption Requirements
> Sent by:        IBM Mainframe Discussion List <[email protected]>
>
>
>
> Has anyone done this?
>
> Besides coding TTLS in the TCPCONFIG statement in the TCPIP PROFILE does
> anything else, like enabling encryption cards, need to be done?
>
> Also, is TLS downward compatible with older TN3270 emulators, like
> PROCOMM?
>
>
>
>
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>
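
The sandbox pass described in the quoted reply above (finding every ICH408I issued against SERVAUTH EZB.INITSTACK before Policy Agent installs the TLS policy) can be done mechanically. This is an added example, not part of the thread and not IBM tooling; it assumes ICH408I text with the SYSLOG prefix columns stripped, and the system name, stack name and user IDs in the sample are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, not taken from the thread: ICH408I text with the SYSLOG
# prefix columns stripped. SYS1, TCPIP and the user IDs are made up.
SAMPLE = """\
ICH408I USER(OMPROUTE) GROUP(STCGRP  ) NAME(OMPROUTE            )
  EZB.INITSTACK.SYS1.TCPIP CL(SERVAUTH)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(JSMITH  ) GROUP(DEV     ) NAME(J SMITH             )
  SYS1.PARMLIB CL(DATASET ) VOL(SYSRES)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
ICH408I USER(FTPD    ) GROUP(STCGRP  ) NAME(FTP DAEMON          )
  EZB.INITSTACK.SYS1.TCPIP CL(SERVAUTH)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(OMPROUTE) GROUP(STCGRP  ) NAME(OMPROUTE            )
  EZB.INITSTACK.SYS1.TCPIP CL(SERVAUTH)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""

# One ICH408I record: user ID, resource name, class, intent, allowed access.
RECORD = re.compile(
    r"USER\((?P<user>[^\s)]+)\s*\).*?"
    r"(?P<resource>\S+)\s+CL\((?P<cls>[^\s)]+)\s*\).*?"
    r"ACCESS INTENT\((?P<intent>[^\s)]+)\s*\)\s+"
    r"ACCESS ALLOWED\((?P<allowed>[^\s)]+)\s*\)",
    re.DOTALL,
)

def initstack_denials(syslog_text):
    """Return {resource: {user ID: count}} for SERVAUTH EZB.INITSTACK denials."""
    denied = defaultdict(Counter)
    # Split before each message ID so a malformed record cannot absorb the next.
    for chunk in re.split(r"(?=ICH408I)", syslog_text):
        m = RECORD.search(chunk)
        if m is None:
            continue  # not an ICH408I record, or one this simple parser cannot read
        if m["cls"] == "SERVAUTH" and m["resource"].startswith("EZB.INITSTACK."):
            denied[m["resource"]][m["user"]] += 1
    return {res: dict(users) for res, users in denied.items()}

if __name__ == "__main__":
    for resource, users in initstack_denials(SAMPLE).items():
        for user, count in sorted(users.items()):
            print(f"{user:8} refused on {resource} x{count}")
```

Each user ID it reports is a started task or server that came up before the TLS policy was installed and needs either a reviewed SERVAUTH permission or a later start.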
