I tried "Let's Encrypt" https://letsencrypt.org/ once for some web site names I have on a Linux server under my desk. I can't remember why I didn't like it, but I ended up making my own CA cert to sign my https certificates, and then got the few people using the sites to import my CA into their browser. Cheating a bit but it works great for isolated use.

But yes, if things like certificates could be all piled into one application and handled by one person in a company, things would get easier. The first time I dealt with a certificate on the mainframe was for IBM's ITIM system which (the developer mentioned) had just switched to use OpenSSL. We had multiple meetings with project leaders and others just to get a paid-for certificate in place (2-year expiration), when we probably could have created something self-signed with a 30-year expiration if we knew better :)
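As an added example that is not part of this thread, this is the private-CA setup described above done with the openssl command line: a self-signed root, a server certificate issued under it, and a verification step that checks both the chain and the hostname (which is what a browser does once the CA is imported). The CA name and the host name intranet.example.internal are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires the openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. Private CA: key plus self-signed root, kept offline. 10 years rather
#    than 30 so a leaked CA key is not trusted by every browser forever.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout ca.key -out ca.crt \
    -subj "/CN=Example Private CA" >/dev/null 2>&1
}

# 2. Server key and certificate request for the site name passed in.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout server.key -out server.csr \
    -subj "/CN=$1" >/dev/null 2>&1
}

# 3. Sign the request with the CA. Browsers match the subjectAltName, not
#    the CN, and a leaf cert must not itself be a CA, so both are set here.
sign_cert() {
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$1" > ext.cnf
  printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' >> ext.cnf
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 398 -sha256 -extfile ext.cnf -out server.crt >/dev/null 2>&1
}

# 4. Verify the leaf against our root and the expected host name; exit
#    status 0 only if both the chain and the SAN match.
verify_cert() {
  openssl verify -CAfile ca.crt -verify_hostname "$1" server.crt >/dev/null 2>&1
}

make_ca
make_csr "intranet.example.internal"
sign_cert "intranet.example.internal"
verify_cert "intranet.example.internal" && echo "chain and hostname OK"
# A certificate for the right CA but the wrong name must be rejected.
! verify_cert "other.example.internal" && echo "wrong hostname rejected"
```

Distribute only ca.crt to the browsers; ca.key never leaves the signing machine.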

On 6/30/2020 10:23 PM, kekronbekron wrote:
I believe that's the idea.
Now with zERT being available, more encrypted workload types will get surfaced; will probably lead to adding more application/transport types being added under AT-TLS's capability.
Just speculation anyway...

What'll be interesting is if AT-TLS evolves to support mTLS (and the dynamic cert generation, renewal involved in it) for all the east-west traffic in new-age workload.
Starting with a "port" of Let's Encrypt for Z.
Don't know if any of these make sense, just a wild wishlist.

- KB

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, July 1, 2020 10:16 AM, Tom Brennan <t...@tombrennansoftware.com> wrote:

Thanks KB... I think I got my basic question answered, which is that
one thing AT-TLS was designed for is to encrypt data for TCP/IP programs
that weren't originally written with encryption. In addition, it sounds
like even programs that can do their own encryption (i.e. TN3270) can
also use AT-TLS. If so, that's a smart plan - putting encryption
processing in one bucket with one set of controls, and one spot to
update when TLS1.x comes along.

But if I'm wrong with any of the general notes above, please correct me.

On 6/30/2020 9:16 PM, kekronbekron wrote:

Tom, check this out - https://www.youtube.com/watch?v=YKEzX70moOQ
I also got 200 hits for 'AT-TLS' after logging in to share.org; you might want to do the same to see which of those are the most useful to you.

- KB

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, June 30, 2020 10:27 PM, Tom Brennan <t...@tombrennansoftware.com> wrote:

I've tried to skim some of the AT-TLS doc, and even attended an IBM
webinar last week, but I'm still missing what I imagine are important
background points. Maybe someone here can explain things, but don't
worry too much about it.
Client and server programs like SSH/SSHD call programs such as OpenSSL
to handle the encryption handshake and processing. So when you set
those up, there is no AT-TLS needed for encryption. Same with the
TN3270 server and client, as long as you set that up with keys and
parameters on the host side, and settings on the client side.
I'm thinking because of the name "Application Transparent" that AT-TLS
was made for programs that DON'T have their own logic to call OpenSSL
(or whatever) to do their own encryption. Let's use clear-text FTP as
an example. So somehow, AT-TLS hooks into the processing and provides
an encrypted "tunnel", kind of like VPN does, but only for that one
application. Does that sound correct?
If so, then the encryption is "transparent" to the FTP server code and
FTP does not need to be changed, which I think is the whole idea here.
Yet we now have an encrypted session. Does that sound correct?
Then if so, what happens on the FTP client side? I certainly can't use
the Windows FTP command, for example, because it's not set up for any
kind of encryption. That's kind of my big question here.
On 6/30/2020 1:44 AM, Lionel B Dyck wrote:

Sweet - thank you
Lionel B. Dyck <sdg><
Website: https://www.lbdsoftware.com
"Worry more about your character than your reputation. Character is what you are, reputation merely what others think you are." - John Wooden
-----Original Message-----
From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of kekronbekron
Sent: Tuesday, June 30, 2020 2:34 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ?
Hi LBD!
Check these out:
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414

- KB

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, June 29, 2020 3:56 AM, Lionel B Dyck <lbd...@gmail.com> wrote:

Anyone have any pointers for configuring AT-TLS on z/OS?
Lionel B. Dyck <sdg><
Website: https://www.lbdsoftware.com
"Worry more about your character than your reputation. Character is what you are, reputation merely what others think you are." - John Wooden
For IBM-MAIN subscribe / signoff / archive access instructions, send
email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
