You'll probably also want to think about how you move users over to
encrypted connections in a sensible, phased manner so that you retire the
non-encrypted connections by some expeditious date certain. (How
expeditious depends on the sensitivity of your applications.) And the key
-- no pun intended -- is to communicate well with users and explain the
benefits to *them*.

There are various approaches that work, but as you think about port
definitions and the like it's something to anticipate. I think end users
find it easier to figure out how to switch IP addresses instead of ports.
So you can establish a second IP address with its own name server entry
(e.g. secure.mainframe.mycompany.com) and start to ease people over to
that. I'm biased, but it's even easier if you're steering people to the Web
(e.g. Host On-Demand) for access, so it's a good time to rethink your whole
deployment of clients -- like maybe to stop deploying client software
completely. At that point you turn mainframe access into a simple Web
address, with a link from your company's internal homepage presumably, e.g.
http://w3.mycompany.com/mainframe.

You would also start to insert a warning message on the unencrypted
address/port which gets progressively more urgent.  At first the warning
message is an extra line or two on the first screen ("GREAT NEWS! We are
enhancing our company's security. You have the most important role in
protecting our customers' private information. You may need to make small
changes to meet this goal. Find out more today at
http://w3.mycompany.com/mainframe/security"), then there might be an
interstitial screen that everybody sees and must acknowledge (and which
breaks those logon macros with hardcoded clear text user passwords -- a
feature, not a bug :-)), then some particularly sensitive application
functions removed (like displaying somebody's Social Security number over
an unencrypted connection), and finally retiring the connection completely
with only a single screen presented announcing the end of that access and
how to reestablish access. That last screen might stay in place for a year
or more, and you'd monitor it until you see that nobody hit it for a year
or more. Always with very friendly and constructively helpful language, of
course.

But whatever path you choose, I want to reiterate that it's critical to
work very closely with the users, understand their needs, and clearly
articulate why this move is good for them. I find that we IT people too
often forget to do that.

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Specializing in Software Architectures Related to System z
Based in Tokyo, Serving IBM Japan and IBM Asia-Pacific
E-Mail: [EMAIL PROTECTED]
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html