Bill Giannelli wrote:
>Our network security group (with no mainframe knowledge) is complaining
>about the use of telnet for mainframe connections as they say it is not
>encrypted.

Your network security group is correct to complain.

>We use attachmate and HOD. Are there any 3270 emulators that also do
>encryption?

Yes, the two you already have will do this. Host On-Demand (HOD) 
introduced support for encrypted TN3270(E) about a quarter century ago 
(not too long after Communications Server for OS/390 did), and I believe 
Attachmate's SSL/TLS support has been around for at least 20 years. You 
just need to turn on TLS on both ends -- and shut down the unencrypted 
traffic, perhaps with a temporary "night light" feature (a "call the help 
desk" message for example). You're late to this party (and some others?), 
but better late than never!

For z/OS you'd configure AT-TLS in Communications Server for z/OS for the 
TN3270E server. Also, if you're using the Integrated Console Controller 
(ICC) functionality in OSA-Express, you'd enable TLS encryption there, 
too. Typically you would use and rotate (before expiration!) TLS server 
certificates that are signed by a well known certificate authority. The 
certificate process is fundamentally similar to setting up a HTTPS server 
(Web server), although the commands can be slightly different. Your 
network security team should be familiar with how to obtain and handle TLS 
server certificates.

If you have other operating systems (z/VSE, z/VM, etc.) then they support 
TLS-encrypted TN3270E, too -- and have for a long, long time.

I recommend you have Feature Code 3863 (CPACF) installed/activated on your 
IBM mainframes. This feature code is available at no additional charge, 
and it provides dedicated, higher performance processing for various 
cryptographic algorithms. If you don't have CPACF then you can still order 
it provided you have an IBM z14 model machine or higher (as I write this). 
With CPACF enabled and actually used the TLS overhead is negligible. If 
you want more than "clear key" cryptography -- and more would be good -- 
then the IBM Crypto Express features offer further help.

In recent releases of z/OS (2.3 and higher) there's a tool called "zERT" 
(z/OS Encryption Readiness Technology) that's included. You can use zERT 
to run reports illustrating your current z/OS network configuration and, 
specifically, which network connections are still unencrypted or weakly 
encrypted. Then you can work with your networking team and other 
stakeholders to close all those gaps. You can then periodically revisit 
zERT for updated reports.

There's plenty of documentation and help available if you need it. Just 
ask. There's also an IBMTCP-L mailing list available where there are many 
discussions of mainframe-related networking topics.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: [email protected]
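Added illustration (not from the post above, nor IBM's sample): a skeleton of what "turn on TLS on the z/OS end and shut down the cleartext listener" looks like for the TN3270E server, as a TELNETPARMS fragment plus a Policy Agent AT-TLS policy. Port 992, the started-task name, the rule/action names and the keyring name are assumptions to be replaced with your own values.

```text
; --- PROFILE.TCPIP, TN3270E server: TLS port only, no cleartext PORT 23 ---
TELNETPARMS
  TTLSPORT 992          ; TLS is handled by the AT-TLS policy below
  CONNTYPE SECURE       ; clients that cannot complete the TLS handshake are dropped
ENDTELNETPARMS

# --- Policy Agent AT-TLS policy (assumed names: TN3270E-Inbound, GrpAct-TN3270E, ---
# --- EnvAct-TN3270E, TN3270.KeyRing, started task TN3270)                          ---
TTLSRule                       TN3270E-Inbound
{
  LocalPortRange               992
  Jobname                      TN3270          # assumed TN3270E started-task name
  Direction                    Inbound
  TTLSGroupActionRef           GrpAct-TN3270E
  TTLSEnvironmentActionRef     EnvAct-TN3270E
}
TTLSGroupAction                GrpAct-TN3270E
{
  TTLSEnabled                  On
}
TTLSEnvironmentAction          EnvAct-TN3270E
{
  HandshakeRole                Server
  TTLSKeyringParms
  {
    Keyring                    TN3270.KeyRing  # SAF keyring holding the CA-signed server cert
  }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled      On              # the TN3270E server starts the handshake itself
    SSLv2                      Off             # legacy protocol versions stay disabled
    SSLv3                      Off
    TLSv1                      Off
    TLSv1.1                    Off
    TLSv1.2                    On
  }
  TTLSCipherParms
  {
    V3CipherSuites             TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    V3CipherSuites             TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  }
}
```

With CPACF active the AES-GCM suites above run on the CPACF instructions, which is the "negligible overhead" case the post describes; the certificate in the keyring is the same CA-signed server certificate you would obtain for an HTTPS server.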

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN