Also, the TN3270 definition doesn't have CONNTYPE=SECURE specified, because we can only secure specific incoming IP addresses over port 923, not everything.

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Edgington, Jerry
Sent: Monday, November 16, 2020 8:17 AM
To: [email protected]
Subject: Re: Need some help with SSL error

AT/TLS config:

TcpImage TCPIP /etc/pagent.conf FLUSH PURGE
##LogLevel 31      ## Default logging level.
##LogLevel 511     ## gives the most verbose logging
LogLevel 32        ## Be verbose - Default is 31.

ServicesConnection
{
  Port       16311
  ImageName  TCPIP
  Security   Basic
}

AutoMonitorParms
{
  MonitorInterval   86400   ## 24 hours.
  RetryLimitCount   5
  RetryLimitPeriod  86400   ## 24 hours.
}

AutoMonitorApps
{
  AppName SYSLOGD
  {
    ProcName    SYSLOGD
    JobName     SYSLOGD
    StartParms  -c
  }
}

PAGENT_CONFIG_FILE=/etc/pagent.conf
PAGENT_LOG_FILE=/var/log/pagent.log
PAGENT_LOG_FILE_CONTROL=500,5
TZ=EST5EDT

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Joe Monk
Sent: Monday, November 16, 2020 8:07 AM
To: [email protected]
Subject: Re: Need some help with SSL error

Sorry ... my email client cut off the ATTLS parms and I didn't see them.

Joe

On Mon, Nov 16, 2020 at 7:06 AM Joe Monk <[email protected]> wrote:
> Error 100B:
>
> 100B Unexpected SSL handshake encountered. An SSL handshake header was
> encountered on a basic port or the client immediately entered an SSL
> handshake for a CONNTYPE option value other than SECURE or ANY. Verify
> that the client and port settings are compatible.
>
> A quick google found this:
>
> https://www.ibm.com/support/pages/zos-communications-server-tls-needed-implement-tls-v12
>
> Joe
>
> On Mon, Nov 16, 2020 at 6:27 AM Edgington, Jerry <[email protected]> wrote:
>
>> I need some help, please. We have an automated system, using TN3270
>> screen scraping. Over the weekend, we IPL'ed, first time in April,
>> 2020 and now, when this "automated" system/client tries to connect
>> over TN3270, we are getting this error message:
>>
>> M 4100000 aaaa 20320 14:22:03.02 STC09624 00000090 EZZ6034I TN3270 CONN 0000025C LU **N/A** CONN DROP ERR 100B 864
>> E 864 00000090 IP..PORT: ::FFFF:xx.xx.xx.xx..53084 EZBTTRCV
>>
>> The AT/TLS policy has changed since August, 2020. And we only have
>> TLS v1.2 turned on for specific inbound IP addresses. We are
>> running z/OS v2.1, at this point.
>>
>> Any suggestions, help or ideas, would be great.
>>
>> Thanks,
>> Jerry Edgington
>>
>> Here is the AT/TLS policy. I have masked the names for security reasons.
>>
>> ##-------------------------------------------------------------------
>> ## Rules for yyy servers using xxxxxx IP over port 923
>> ##-------------------------------------------------------------------
>> TTLSRule yyy-xxxxxx-SSL
>> {
>>   LocalAddrGroupRef         xxxxx-Ip-Addr
>>   RemoteAddrGroupRef        yyy-Server-IpAddr
>>   LocalPortRange            923
>>   RemotePortRangeRef        Port-Remote
>>   Direction                 Inbound
>>   Priority                  500
>>   TTLSGroupActionRef        gAct1
>>   TTLSEnvironmentActionRef  eAct1
>>   TTLSConnectionActionRef   cAct-xxxxx
>> }
>>
>> TTLSConnectionAction cAct-xxxxx
>> {
>>   HandshakeRole                   Server
>>   TTLSCipherParmsRef              cipher1~Default_Ciphers
>>   TTLSConnectionAdvancedParmsRef  cAdv-xxxxxx
>>   CtraceClearText                 Off
>>   Trace                           7
>> }
>>
>> TTLSConnectionAdvancedParms cAdv-xxxx
>> {
>>   HandshakeTimeout       30
>>   CertificateLabel       ATTLS
>>   SecondaryMap           Off
>>   TLSv1.2                On
>>   ApplicationControlled  On
>> }
>>
>> TTLSEnvironmentAction eAct1
>> {
>>   HandshakeRole            Server
>>   EnvironmentUserInstance  0
>>   TTLSKeyringParmsRef      keyR~ZOS112
>> }
>>
>> ##-------------------------------------------------------------------
>> ## IP Address for yyy Servers
>> ##-------------------------------------------------------------------
>> IpAddrGroup yyy-Server-IpAddr
>> {
>>   IpAddr
>>   {
>>     Addr xx.xx.xx.xx
>>   }
>> }
>>
>> ##-------------------------------------------------------------------
>> ## Ports Remote
>> ##-------------------------------------------------------------------
>> PortRange Port-Remote
>> {
>>   Port 1024-65535
>> }
>>
>> ----------------------------------------------------------------------
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to [email protected] with the message: INFO IBM-MAIN
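An added triage helper (editor's example, not code from the thread) that parses a two-line EZZ6034I CONN DROP message of the shape Jerry posted, decodes the 100B reason text Joe quoted, and checks whether the dropped client's address and ephemeral port fall inside the TTLSRule's RemoteAddrGroupRef / RemotePortRangeRef. The SYSLOG sample and the 192.0.2.x / 198.51.100.x addresses are constructed placeholders, not the masked production values.

```python
import ipaddress
import re

# Reason text for 100B as quoted in the thread (IBM message explanation).
TN3270_DROP_REASONS = {
    "100B": ("Unexpected SSL handshake encountered: SSL handshake header on a basic "
             "port, or client started TLS while CONNTYPE is not SECURE or ANY."),
}

# Constructed SYSLOG sample shaped like the posted EZZ6034I multi-line WTO (M=first, E=last line).
SAMPLE_SYSLOG = """\
M 4100000 SYSA 20320 14:22:03.02 STC09624 00000090 EZZ6034I TN3270 CONN 0000025C LU **N/A** CONN DROP ERR 100B 864
E 864 00000090 IP..PORT: ::FFFF:192.0.2.10..53084 EZBTTRCV
"""

_EZZ6034I = re.compile(
    r"EZZ6034I\s+TN3270\s+CONN\s+(?P<conn>[0-9A-F]{8})\s+LU\s+(?P<lu>\S+)\s+"
    r"CONN DROP ERR\s+(?P<err>[0-9A-F]{4}).*?IP\.\.PORT:\s+(?P<ip>\S+?)\.\.(?P<port>\d+)"
)

def parse_ezz6034i(text):
    """Join the WTO lines and extract connection id, LU, error code, client IP and port."""
    m = _EZZ6034I.search(" ".join(text.split()))
    if not m:
        return None
    ip = m.group("ip")
    if ip.upper().startswith("::FFFF:"):      # strip IPv4-mapped IPv6 prefix
        ip = ip[7:]
    return {"conn": m.group("conn"), "lu": m.group("lu"), "err": m.group("err"),
            "ip": ip, "port": int(m.group("port")),
            "reason": TN3270_DROP_REASONS.get(m.group("err"), "unknown reason code")}

def covered_by_attls_rule(event, remote_addr_group, remote_port_range=(1024, 65535)):
    """True if the client would match the rule's RemoteAddrGroupRef and RemotePortRangeRef."""
    addr = ipaddress.ip_address(event["ip"])
    in_addrs = any(addr in ipaddress.ip_network(a, strict=False) for a in remote_addr_group)
    return in_addrs and remote_port_range[0] <= event["port"] <= remote_port_range[1]

def triage(text, remote_addr_group, conntype="BASIC"):
    """Parse one drop message and say where the client sits relative to policy and CONNTYPE."""
    ev = parse_ezz6034i(text)
    if ev is None:
        return None
    ev["attls_rule_match"] = covered_by_attls_rule(ev, remote_addr_group)
    if ev["err"] == "100B":
        if conntype.upper() in ("SECURE", "ANY"):
            ev["hint"] = "CONNTYPE permits TLS; check client settings and AT/TLS rule mapping"
        elif ev["attls_rule_match"]:
            ev["hint"] = "client is in the rule's RemoteAddrGroup but the TN3270 port is basic (CONNTYPE=BASIC)"
        else:
            ev["hint"] = "client is outside the rule's RemoteAddrGroup; its TLS hello reached a basic port"
    return ev

if __name__ == "__main__":
    print(triage(SAMPLE_SYSLOG, ["192.0.2.10"]))
```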
