Thanks Allan. In TCP/IP programs I've written in C (both mainframe and non-mainframe), I've used connect(), send(), recv() and similar C functions for clear-text communication. So I think that would be called the "logical layer".

And I'm assuming the "physical layer" would be at the point where software is talking to an OSA card. In this case that would be the TCPIP address space, since my program doesn't talk directly to hardware.

That would mean AT-TLS comes into play via the TCPIP task, doing the encryption at that point, while my clear-text program has no idea and doesn't care. Certificates and other encryption parameters would be handled by AT-TLS at that point.

That's the picture I have so far.

Now in my own program if I called OpenSSL functions like SSL_connect() or SSL_read(), then encryption would be done at the logical layer, and my own program would then be responsible for certificates. AT-TLS would not be needed, well, unless an auditor doesn't trust my SSL code. That actually could be a consideration even for things like SFTP I guess - there's your first flame :)

On 6/30/2020 1:42 PM, Allan Staller wrote:
Hopefully this will provide the clarity needed.

AT-TLS works at the physical layer.
FTPS and SFTP work at the logical layer

Although not mutually exclusive, If you are doing one, the other is unnecessary.

Start the flame wars! Shields up. Condition Red! AT-TLS vs. SFTP!

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Tom 
Brennan
Sent: Tuesday, June 30, 2020 12:19 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

[CAUTION: This Email is from outside the Organization. Unless you trust the 
sender, Don’t click links or open attachments as it may be a Phishing email, 
which can steal your Information and compromise your Computer.]

Do you know if either of those require AT-TLS?  When I installed and configured 
SSHD last (a couple of years ago) it did its own encryption.
I never worked with anything called FTPS.

On 6/30/2020 10:12 AM, Marshall Stone wrote:
There are 2 types of FTP in use today on most mainframes.

SFTP  - which uses Open/SSH (SSHAGNT as client and SSHD as a server)
and the encryption/authentication is generally provided by the use of
RSA/DSA public/private key pairs. The public keys are exchanged and
stored in known_hosts files (if acting as client) or authorized_keys
file (if acting as server) - Uses Server PORT 22 and ephemeral ports

FTPS - completely different mechanism the AT/TLS functions are
provided by ICSF and policy agent (PAGENT) - You must configure an
FTPS TLS rule to allow the connection and the partner side also will
require a similar rule. The encryption/authentication come from the
PAGENT rule and the use of x.509 certificates.  These are exchanged
between partners and loaded onto the RACF keyring. The PAGNET rule
points back to the keyring. - Uses Server PORT 990 by an old implicit
default most sites use a different port and connect clients with
ephemeral port ranges. FTPS handles MVS datasets better if possible
use FTPS for MF to MF and use SFTP for MF to Other
platforms(MS,UNIX,etc)

MS

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On
Behalf Of Tom Brennan
Sent: Tuesday, June 30, 2020 12:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar 
last week, but I'm still missing what I imagine are important background 
points.  Maybe someone here can explain things, but don't worry too much about 
it.

Client and server programs like SSH/SSHD call programs such as OpenSSL
to handle the encryption handshake and processing.  So when you set
those up, there is no AT-TLS needed for encryption.  Same with the
TN3270 server and client, as long as you set that up with keys and parameters 
on the host side, and settings on the client side.

I'm thinking because of the name "Application Transparent" that AT-TLS was made for 
programs that DON'T have their own logic to call OpenSSL (or whatever) to do their own encryption.  
Let's use clear-text FTP as an example.  So somehow, AT-TLS hooks into the processing and provides 
an encrypted "tunnel", kind of like VPN does, but only for that one application.  Does 
that sound correct?

If so, then the encryption is "transparent" to the FTP server code and FTP does 
not need to be changed, which I think is the whole idea here.
Yet we now have an encrypted session.  Does that sound correct?

Then if so, what happens on the FTP client side?  I certainly can't use the 
Windows FTP command, for example, because it's not setup for any kind of 
encryption.  That's kind of my big question here.

On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
Sweet - thank you


Lionel B. Dyck <sdg><
Website:
https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww
.lbdsoftware.com%2F&amp;data=02%7C01%7Callan.staller%40HCL.COM%7Cd879
db1f36854d47ffc308d81d19bac1%7C189de737c93a4f5a8b686f4ca9941912%7C0%7
C0%7C637291343650296855&amp;sdata=rYCeChKI6R6cKaQRyHKEfhk3QR%2Fya0rHS
%2FSvJedIZJo%3D&amp;reserved=0

"Worry more about your character than your reputation.  Character is
what you are, reputation merely what others think you are." - John
Wooden

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On
Behalf Of kekronbekron
Sent: Tuesday, June 30, 2020 2:34 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ?

Hi LBD!,

Check these out-


https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww-
03.ibm.com%2Fsupport%2Ftechdocs%2Fatsmastr.nsf%2FWebIndex%2FPRS5416&a
mp;data=02%7C01%7Callan.staller%40HCL.COM%7Cd879db1f36854d47ffc308d81
d19bac1%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C6372913436503068
44&amp;sdata=9%2BluT%2FKH3wj94fpoHyCHX82zaMk0x2tVSqVkDFjlUQk%3D&amp;r
eserved=0
https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww-
03.ibm.com%2Fsupport%2Ftechdocs%2Fatsmastr.nsf%2FWebIndex%2FPRS5415&a
mp;data=02%7C01%7Callan.staller%40HCL.COM%7Cd879db1f36854d47ffc308d81
d19bac1%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C6372913436503068
44&amp;sdata=dGiMYPWuNw7u%2BY3WkaphIHoKPI0DXTwXckMig4%2FEcKs%3D&amp;r
eserved=0
https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww-
03.ibm.com%2Fsupport%2Ftechdocs%2Fatsmastr.nsf%2FWebIndex%2FPRS5414&a
mp;data=02%7C01%7Callan.staller%40HCL.COM%7Cd879db1f36854d47ffc308d81
d19bac1%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C6372913436503068
44&amp;sdata=IFmR7%2BNJNVnxEe0kIoOdPI4lv9x3JUN9zNOUzQ8Td%2Fw%3D&amp;r
eserved=0

- KB

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, June 29, 2020 3:56 AM, Lionel B Dyck <lbd...@gmail.com> wrote:

Anyone have any pointers for configuring AT-TLS on z/OS?

Lionel B. Dyck <sdg><
Website:
https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fww
w.lbdsoftware.com%2F&amp;data=02%7C01%7Callan.staller%40HCL.COM%7Cd8
79db1f36854d47ffc308d81d19bac1%7C189de737c93a4f5a8b686f4ca9941912%7C
0%7C0%7C637291343650306844&amp;sdata=KPjRhP3xw6%2FSJgf3%2FHDd%2FWZpJ
g4qUv1SDTf5r5q%2FljE%3D&amp;reserved=0
https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fww
w.lbdsoftware.com%2F&amp;data=02%7C01%7Callan.staller%40HCL.COM%7Cd8
79db1f36854d47ffc308d81d19bac1%7C189de737c93a4f5a8b686f4ca9941912%7C
0%7C0%7C637291343650306844&amp;sdata=KPjRhP3xw6%2FSJgf3%2FHDd%2FWZpJ
g4qUv1SDTf5r5q%2FljE%3D&amp;reserved=0

"Worry more about your character than your reputation. Character is
what you are, reputation merely what others think you are." - John
Wooden


--------------------------------------------------------------------
-
-
--------------------------------------------------------------------
-
-
-----

For IBM-MAIN subscribe / signoff / archive access instructions, send
email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

---------------------------------------------------------------------
- For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO
IBM-MAIN

---------------------------------------------------------------------
- For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO
IBM-MAIN



----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send
email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

This message (including any attachments) is intended only for the use of the 
individual or entity to which it is addressed and may contain information that 
is non-public, proprietary, privileged, confidential, and exempt from 
disclosure under applicable law or may constitute as attorney work product. If 
you are not the intended recipient, you are hereby notified that any use, 
dissemination, distribution, or copying of this communication is strictly 
prohibited. If you have received this communication in error, notify us 
immediately by telephone and (i) destroy this message if a facsimile or (ii) 
delete this message immediately if this is an electronic communication. Thank 
you.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send
email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
::DISCLAIMER::
________________________________
The contents of this e-mail and any attachment(s) are confidential and intended 
for the named recipient(s) only. E-mail transmission is not guaranteed to be 
secure or error-free as information could be intercepted, corrupted, lost, 
destroyed, arrive late or incomplete, or may contain viruses in transmission. 
The e mail and its contents (with or without referred errors) shall therefore 
not attach any liability on the originator or HCL or its affiliates. Views or 
opinions, if any, presented in this email are solely those of the author and 
may not necessarily reflect the views or opinions of HCL or its affiliates. Any 
form of reproduction, dissemination, copying, disclosure, modification, 
distribution and / or publication of this message without the prior written 
consent of authorized representative of HCL is strictly prohibited. If you have 
received this email in error please delete it and notify the sender 
immediately. Before opening any email and/or attachments, please check them for 
viruses and other defects.
________________________________

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Reply via email to