The goal is to enable RRSF which requires AT-TLS and then enable secure FTP TLS 
 and TN3270 with it.  Installing CoZ:SFTP for improved sftp capabilities as 
well.

Thanks

Lionel B. Dyck <sdg><
Website: https://www.lbdsoftware.com

"Worry more about your character than your reputation.  Character is what you 
are, reputation merely what others think you are." - John Wooden

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Wendell Lovewell
Sent: Monday, June 29, 2020 8:38 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ?

Lionel, what type of endpoints are you wanting to use AT-TLS to secure?  I 
might have some notes that would help.  

Here is some general information about diagnosing AT-TLS errors:

If there is a problem making the connection, AT-TLS will display an error on the 
console.  Here are a few examples.  The endpoints were a started task (XYZSTC) 
and a CICS region (CICSA):

EZD1287I TTLS Error RC:  417 Initial Handshake 560
  LOCAL: 10.1.1.1..1213
  REMOTE: 10.1.1.1..5401
  JOBNAME: XYZSTC RULE: XYZ_STC_Rule
  USERID: STCOPER GRPID: 0000000F ENVID: 00000013 CONNID: 000006DE
EZD1287I TTLS Error RC:  435 Initial Handshake 561
  LOCAL: 10.1.1.1..5401
  REMOTE: 10.1.1.1..1213
  JOBNAME: CICSA RULE: XYZ_CICS_Rule
  USERID: CICSA GRPID: 0000000E ENVID: 00000014 CONNID: 000006DF

EZD1287I TTLS Error RC:  508 Initial Handshake 462
  LOCAL: 10.1.1.1..1206
  REMOTE: 10.1.1.1..5401
  JOBNAME: XYZSTC RULE: XYZ_STC_Rule
  USERID: STCOPER GRPID: 0000000F ENVID: 00000010 CONNID: 000006B9
EZD1287I TTLS Error RC:  438 Initial Handshake 463
  LOCAL: 10.1.1.1..5401
  REMOTE: 10.1.1.1..1206
  JOBNAME: CICSA RULE: XYZ_CICS_Rule
  USERID: CICSA GRPID: 0000000E ENVID: 00000011 CONNID: 000006BA

EZD1287I TTLS Error RC: 5006 Initial Handshake 476
  LOCAL: 10.1.1.1..5401
  REMOTE: 10.1.1.1..1173
  JOBNAME: CICSA RULE: XYZ_CICS_Rule
  USERID: CICSA GRPID: 0000000E ENVID: 0000000E CONNID: 000005A4
EZD1287I TTLS Error RC:  406 Initial Handshake 477
  LOCAL: 10.1.1.1..1173
  REMOTE: 10.1.1.1..5401
  JOBNAME: XYZSTC RULE: XYZ_STC_Rule


The RC values are most helpful.  Since there is a policy used for both inbound 
(XYZ_CICS_Rule) and outbound (XYZ_STC_Rule—note the rules in play are also 
displayed on the console), there will likely be two EZD1287I messages displayed 
if there is a problem.  (Both sides will experience a problem.)  You can find 
an explanation for these in the SC14-7495-30 Cryptographic Services System 
Secure Sockets Layer Programming manual, currently in chapter 13.

SC27-3651-30 IP Configuration Reference contains the syntax for the AT-TLS 
policy (/etc/pagent_TTLS.conf).

GC27-3652-30 IP Diagnosis Guide may be useful if you are getting GSK errors.

SA23-2292-30 Security Server RACF Command Language Reference contains the 
syntax for the RACDCERT instructions.

If you need to see the GSK messages, set the Trace value in the TTLSGroupAction 
parms for both the XYZ_CICS_Rule and XYZ_STC_Rule to Trace 255.  When you 
upload /etc/pagent_TTLS.conf, the policy agent will re-install the policy.

If you make RACF changes to the keyrings, you need to tell the policy agent to 
refresh its settings for them.  You can do this by changing the 
EnvironmentAction value & reloading the pagent_TTLS.conf file.

Hth,
Wendell

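An added example, not part of either poster's message: a small Python script that 
pulls the EZD1287I records out of a console log, matches up the two messages that 
Wendell says to expect for one failed handshake (the inbound side's LOCAL/REMOTE is 
the outbound side's REMOTE/LOCAL), and lists the distinct RC values to look up in 
SC14-7495.  The sample log is the three failures quoted above, and the trailing 
number on the EZD1287I line is kept as an opaque field because the post does not 
say what it means; field names such as `TtlsError` and `seq` are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the EZD1287I records quoted in the post, one per
# console message.  Note the last record has no USERID line, as on the page.
SAMPLE_CONSOLE = """\
EZD1287I TTLS Error RC:  417 Initial Handshake 560
  LOCAL: 10.1.1.1..1213
  REMOTE: 10.1.1.1..5401
  JOBNAME: XYZSTC RULE: XYZ_STC_Rule
  USERID: STCOPER GRPID: 0000000F ENVID: 00000013 CONNID: 000006DE
EZD1287I TTLS Error RC:  435 Initial Handshake 561
  LOCAL: 10.1.1.1..5401
  REMOTE: 10.1.1.1..1213
  JOBNAME: CICSA RULE: XYZ_CICS_Rule
  USERID: CICSA GRPID: 0000000E ENVID: 00000014 CONNID: 000006DF
EZD1287I TTLS Error RC: 5006 Initial Handshake 476
  LOCAL: 10.1.1.1..5401
  REMOTE: 10.1.1.1..1173
  JOBNAME: CICSA RULE: XYZ_CICS_Rule
  USERID: CICSA GRPID: 0000000E ENVID: 0000000E CONNID: 000005A4
EZD1287I TTLS Error RC:  406 Initial Handshake 477
  LOCAL: 10.1.1.1..1173
  REMOTE: 10.1.1.1..5401
  JOBNAME: XYZSTC RULE: XYZ_STC_Rule
"""

# Message line: RC, the phase text ("Initial Handshake"), and a trailing number.
HEADER_RE = re.compile(r"^EZD1287I TTLS Error RC:\s*(\d+)\s+(.*?)\s+(\d+)\s*$")
# Endpoint lines use "addr..port" (two dots between address and port).
ENDPOINT_RE = re.compile(r"^\s*(LOCAL|REMOTE):\s*(\S+?)\.\.(\d+)\s*$")
JOB_RE = re.compile(r"^\s*JOBNAME:\s*(\S+)\s+RULE:\s*(\S+)\s*$")
USER_RE = re.compile(
    r"^\s*USERID:\s*(\S+)\s+GRPID:\s*(\S+)\s+ENVID:\s*(\S+)\s+CONNID:\s*(\S+)\s*$"
)

Endpoint = Tuple[str, int]


@dataclass
class TtlsError:
    rc: int
    phase: str
    seq: int                      # trailing number on the message line; meaning not given in the post
    local: Endpoint = ("", 0)
    remote: Endpoint = ("", 0)
    jobname: str = ""
    rule: str = ""
    userid: Optional[str] = None  # USERID line is optional (absent in the last sample record)
    connid: Optional[str] = None


def parse_ttls_errors(text: str) -> List[TtlsError]:
    """Collect EZD1287I records from console text; continuation lines attach to the last header."""
    errors: List[TtlsError] = []
    cur: Optional[TtlsError] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = TtlsError(rc=int(m.group(1)), phase=m.group(2), seq=int(m.group(3)))
            errors.append(cur)
            continue
        if cur is None:
            continue  # unrelated console noise before the first EZD1287I
        m = ENDPOINT_RE.match(line)
        if m:
            ep: Endpoint = (m.group(2), int(m.group(3)))
            if m.group(1) == "LOCAL":
                cur.local = ep
            else:
                cur.remote = ep
            continue
        m = JOB_RE.match(line)
        if m:
            cur.jobname, cur.rule = m.group(1), m.group(2)
            continue
        m = USER_RE.match(line)
        if m:
            cur.userid, cur.connid = m.group(1), m.group(4)
    return errors


def pair_by_connection(errors: List[TtlsError]) -> Tuple[List[Tuple[TtlsError, TtlsError]], List[TtlsError]]:
    """Pair each record with the one the peer side logged for the same TCP connection.

    The peer reports our LOCAL as its REMOTE and vice versa, so the key (remote, local)
    of one record equals the key (local, remote) of its partner.  Records with no
    partner (only one side traced, or the peer is off-host) are returned separately.
    """
    pairs: List[Tuple[TtlsError, TtlsError]] = []
    pending: Dict[Tuple[Endpoint, Endpoint], List[TtlsError]] = {}
    for e in errors:
        mirror = (e.remote, e.local)
        if pending.get(mirror):
            pairs.append((pending[mirror].pop(0), e))
        else:
            pending.setdefault((e.local, e.remote), []).append(e)
    unpaired = [e for lst in pending.values() for e in lst]
    return pairs, unpaired


def distinct_rcs(errors: List[TtlsError]) -> List[int]:
    """Sorted list of RC values to look up in the System SSL programming manual."""
    return sorted({e.rc for e in errors})


def summarize(text: str) -> List[str]:
    """One line per failed handshake: both jobs, both rules, both RCs, and the port pair."""
    errors = parse_ttls_errors(text)
    pairs, unpaired = pair_by_connection(errors)
    out = [
        f"{a.jobname} ({a.rule}) RC {a.rc} <-> {b.jobname} ({b.rule}) RC {b.rc} "
        f"[{a.local[0]}:{a.local[1]} -> {a.remote[0]}:{a.remote[1]}]"
        for a, b in pairs
    ]
    out += [f"UNPAIRED {e.jobname} ({e.rule}) RC {e.rc}" for e in unpaired]
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_CONSOLE):
        print(line)
    print("RCs to look up:", distinct_rcs(parse_ttls_errors(SAMPLE_CONSOLE)))
```

The RC meanings are deliberately not hardcoded; the point of the pairing is that 
one failure shows up as two different RCs (one per side), and both should be read 
together in the manual rather than chased as two separate problems.
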
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN