Thank you all for your replies.

It appears that z/OSMF NCA is, as we say, the best thing since sliced bread, but many do not like sliced bread.

Our configuration is not typical because the system is used to test an SSL/TLS application and developers need to test z/OS servers and clients with a number of different AT-TLS rules. The original configuration was created many years ago with the Windows tool and thereafter was managed manually - usually by adding yet another rule based on a previous rule but sometimes requiring new actions or cipher suites. It all got rather messy and the need for TLS 1.3 has prompted many changes. Using AT-TLS rather than native SSL/TLS support in z/OS-supplied components will also complicate matters.

I do like NCA but just importing our current configuration produces a complicated configuration with names based on 'mangled' profile construct names and a lot of requirement mapping tables each containing just one entry.

On the other hand I like the fact that NCA clearly presents the choices to be made - a list of cipher suites and elliptic curve groups specific to TLS 1.3 for instance - and although defaults can be taken we are aware that the default has been chosen rather than being something that was overlooked. Also I like the fact that I can print a configuration in a form that will make sense to a developer.

I think I may end up with a horrible compromise where I use NCA to create a set of definitions for TLS 1.3 testing 'from scratch' and merge them into the full policy.


Keith


On 27/10/2020 13:07, Tom Conley wrote:

Keith,

IBM decided that AT-TLS was so inscrutable that you needed an app to configure it.  Untrue.  You can manually configure AT-TLS for TN3270 in less than a day, provided you can do all the tasks necessary.  Please check out my presentation on this (WTW):

https://www.newera.com/INFO/Top_11_Things_032018.pdf

Please let me know if you have any questions or concerns.

Regards,
Tom Conley

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
