Brad,
Thanks a lot. That really helps. I think it looks like one of
the main differences is that I am going to try to use a self-signed
certificate, since our traffic is internal, but that appears to be the
only difference. Thanks again.
Bill
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Wissink, Brad [ITSYS]
Sent: Monday, April 28, 2008 2:51 PM
To: [email protected]
Subject: Re: Secure TN3270
Bill,
We did this a couple of years ago, but here are the main steps we
used. If you need more detail you can contact me offline.
1. We set up TN3270 to use its own address space called TN3270.
Point the PROFILE DD statement to the telnet parameter member.
2. We assigned the TN3270 address space the same userid as we had our
TCPIP address space.
3. In the TCPIP profile data set we assigned port 992 as:
992 TCP TN3270 ; Telnet Server with SSL support
4. Our telnet parameter member looks somewhat like this:
;
; Global TN3270 parameters
;
TELNETGLOBALS
CLIENTAUTH NONE          ; no client certificates; only the server is authenticated
TCPIPJOBNAME TCPIP
ENDTELNETGLOBALS
; --------------------------------------------------------
; Define the VTAM parameters for the Telnet/SSL Server.
; This is for the secured port 992 running SSL.
; -------------------------------------------------------
TELNETPARMS
ENCRYPT                  ; cipher suites offered on the secure port, one per line
SSL_3DES_SHA
SSL_AES_128_SHA
SSL_AES_256_SHA
ENDENCRYPT
SECUREPORT 992 KEYRING SAF tcpipring   ; RACF keyring; the name is case sensitive
; SECUREPORT 992 KEYRING HFS /etc/key.kdb   ; alternative: gskkyman key database file
WLMCLUSTERNAME TN3270E ENDWLMCLUSTERNAME
ENDTELNETPARMS
;
BEGINVTAM
PORT 992
; define LU group
DEFAULTAPPL NVAS
ALLOWAPPL TSO
ALLOWAPPL NVAS
ENDVTAM
5. We got a certificate from THAWTE.
6. We decided to use RACF to hold the certificate, so we imported the
certificate from THAWTE into RACF as a TRUSTED site certificate.
7. Defined a keyring under the userid assigned to TN3270 named
tcpipring (case sensitive).
The SECUREPORT statement tells TN3270 where to find the
certificate.
8. Connected the THAWTE certificate to the keyring with OWNER=SITE,
usage=personal, default=yes.
9. Made sure classes DIGTRING and DIGTCERT are active. I don't think you
define profiles here.
10. Class CSFSERV needs to be active, and you need permission to the
profiles that protect the services you want to use, i.e. CSFENC, CSFPKI.
11. We also have CSFKEYS active, but I can't remember if it is needed
here or not.
That is what I remember and I bet I forgot something.
Good luck.
Brad Wissink
Information Technology Services
Iowa State University
515-294-3088
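As an added example (my code, not Brad's and not IBM's), here is a small Python linter for the telnet parameter member from step 4 above. It parses the TELNETGLOBALS/TELNETPARMS/ENCRYPT/BEGINVTAM blocks, checks that every SECUREPORT has a KEYRING and a matching PORT in BEGINVTAM, reports CLIENTAUTH NONE as informational, and flags cipher suites that should no longer be offered. The sample member is constructed from the one posted above; the "hardened" variant only drops SSL_3DES_SHA (3DES has a 64-bit block and is subject to Sweet32), which is the one change a reviewer would insist on today. It assumes one cipher per line in ENCRYPT and that KEYRING appears either inline on SECUREPORT or as its own statement, as in the post.

```python
"""Lint a z/OS TN3270 telnet parameter member for the TLS-related statements
in the steps above: SECUREPORT, KEYRING, the ENCRYPT list and CLIENTAUTH.
Added example; not IBM or Iowa State code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Block keywords and their terminators.  ENCRYPT nests inside TELNETPARMS.
OPEN = {"TELNETGLOBALS": "ENDTELNETGLOBALS", "TELNETPARMS": "ENDTELNETPARMS",
        "BEGINVTAM": "ENDVTAM", "ENCRYPT": "ENDENCRYPT"}
CLOSE = {end: start for start, end in OPEN.items()}
# Suites whose names contain these are flagged: DES/3DES (64-bit block, Sweet32),
# RC4, NULL and export-grade suites are all broken.
WEAK_CIPHER_MARKERS = ("DES", "RC4", "NULL", "EXPORT")


@dataclass
class Profile:
    secure_ports: Dict[int, Optional[Tuple[str, str]]] = field(default_factory=dict)
    keyring: Optional[Tuple[str, str]] = None      # block-level KEYRING statement
    ciphers: List[str] = field(default_factory=list)
    clientauth: Optional[str] = None
    vtam_ports: Set[int] = field(default_factory=set)


def parse_member(text: str) -> Profile:
    prof, stack = Profile(), []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # ';' starts a comment
        if not line:
            continue
        tokens = line.split()
        upper = [t.upper() for t in tokens]        # keywords are case-insensitive,
        kw = upper[0]                              # keyring names and paths are not
        if kw in OPEN:
            stack.append(kw)
            continue
        if kw in CLOSE:
            if not stack or stack[-1] != CLOSE[kw]:
                raise ValueError(f"unexpected {kw}")
            stack.pop()
            continue
        block = stack[-1] if stack else None
        if block == "ENCRYPT":
            prof.ciphers.append(kw)                # one cipher suite per line
        elif block in ("TELNETGLOBALS", "TELNETPARMS"):
            if kw == "SECUREPORT":
                ring = None
                if "KEYRING" in upper:             # inline: KEYRING SAF name | HFS path
                    i = upper.index("KEYRING")
                    ring = (upper[i + 1], tokens[i + 2])
                prof.secure_ports[int(tokens[1])] = ring
            elif kw == "KEYRING":
                prof.keyring = (upper[1], tokens[2])
            elif kw == "CLIENTAUTH":
                prof.clientauth = upper[1]
        elif block == "BEGINVTAM" and kw == "PORT":
            prof.vtam_ports.update(int(t) for t in tokens[1:])
    if stack:
        raise ValueError(f"unterminated block {stack[-1]}")
    return prof


def lint(prof: Profile) -> List[Tuple[str, str]]:
    findings = []
    for port, ring in prof.secure_ports.items():
        ring = ring or prof.keyring
        if ring is None:
            findings.append(("ERROR", f"SECUREPORT {port}: no KEYRING, so no server certificate to present"))
        elif ring[0] == "HFS":
            findings.append(("INFO", f"SECUREPORT {port}: key database file {ring[1]} instead of a SAF keyring"))
        if port not in prof.vtam_ports:
            findings.append(("WARN", f"SECUREPORT {port}: no matching PORT statement in BEGINVTAM"))
    for cipher in prof.ciphers:
        if any(m in cipher for m in WEAK_CIPHER_MARKERS):
            findings.append(("WARN", f"cipher {cipher} in ENCRYPT should be removed"))
    if prof.clientauth in (None, "NONE"):
        findings.append(("INFO", "CLIENTAUTH NONE: clients are not authenticated by certificate"))
    return findings


def lint_text(text: str) -> List[Tuple[str, str]]:
    return lint(parse_member(text))


# Constructed sample: the member from the post above, 3DES suite included.
SAMPLE_MEMBER = """\
TELNETGLOBALS
  CLIENTAUTH NONE
  TCPIPJOBNAME TCPIP
ENDTELNETGLOBALS
TELNETPARMS
  ENCRYPT
    SSL_3DES_SHA
    SSL_AES_128_SHA
    SSL_AES_256_SHA
  ENDENCRYPT
  SECUREPORT 992 KEYRING SAF tcpipring
; SECUREPORT 992 KEYRING HFS /etc/key.kdb
  WLMCLUSTERNAME TN3270E ENDWLMCLUSTERNAME
ENDTELNETPARMS
BEGINVTAM
  PORT 992
  DEFAULTAPPL NVAS
  ALLOWAPPL TSO
ENDVTAM
"""
# Same member with the 3DES suite dropped from the ENCRYPT list.
HARDENED_MEMBER = re.sub(r"^[ \t]*SSL_3DES_SHA[ \t]*\n", "", SAMPLE_MEMBER, flags=re.M)
```

Running `lint_text(SAMPLE_MEMBER)` yields one WARN for SSL_3DES_SHA plus the CLIENTAUTH INFO; the hardened member leaves only the INFO. A member with SECUREPORT but no KEYRING anywhere produces an ERROR, which is the misconfiguration step 7 above is there to prevent.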
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Coatney, Bill
Sent: Monday, April 28, 2008 2:18 PM
To: [email protected]
Subject: Secure TN3270
I posted the following this morning:
I need to set up a secure TN3270 connection on our z/OS 1.9
system. I have read through the Communications Server IP Configuration
Guide and it seems like the TLS protocol would be the way to go, as
opposed to the SSL protocol. Did I interpret that correctly? Also does
anyone have a cookbook type list for the needed steps for setting up the
secure TN3270 connection?
I got absolutely no responses. Would that be because setting up the
Secure TN3270 too simple for anyone to mess with? Or is there a lot to
it? Just wondering... I thought surely there must be an outline of the
steps needed somewhere. Thanks.
Bill Coatney
ANPAC - Information Services
(417)-887-4990 ext. 2610
[EMAIL PROTECTED]
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send
email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search
the archives at http://bama.ua.edu/archives/ibm-main.html
----------------------------------------------------------------------