On 06.05.2021 at 07:42, Timothy Sipples wrote:
Bill Giannelli wrote:
Our network security group (with no mainframe knowledge) is complaining
about the use of telnet for mainframe connections as they say it is not
encrypted.
Your network security group is correct to complain.

We use attachmate and HOD. Are there any 3270 emulators that also do
encryption?
Yes, the two you already have will do this. Host On-Demand (HOD)
introduced support for encrypted TN3270(E) about a quarter century ago
(not too long after Communications Server for OS/390 did), and I believe
Attachmate's SSL/TLS support has been around for at least 20 years. You
just need to turn on TLS on both ends -- and shut down the unencrypted
traffic, perhaps with a temporary "night light" feature (a "call the help
desk" message for example). You're late to this party (and some others?),
but better late than never!

For z/OS you'd configure AT-TLS in Communications Server for z/OS for the
TN3270E server. Also, if you're using the Integrated Console Controller
(ICC) functionality in OSA-Express, you'd enable TLS encryption there,
too. Typically you would use and rotate (before expiration!) TLS server
certificates that are signed by a well known certificate authority. The
certificate process is fundamentally similar to setting up an HTTPS server
(Web server), although the commands can be slightly different. Your
network security team should be familiar with how to obtain and handle TLS
server certificates.

If you have other operating systems (z/VSE, z/VM, etc.) then they support
TLS-encrypted TN3270E, too -- and have for a long, long time.

I recommend you have Feature Code 3863 (CPACF) installed/activated on your
IBM mainframes. This feature code is available at no additional charge,
and it provides dedicated, higher performance processing for various
cryptographic algorithms. If you don't have CPACF then you can still order
it provided you have an IBM z14 model machine or higher (as I write this).
With CPACF enabled and actually used the TLS overhead is negligible. If
you want more than "clear key" cryptography -- and more would be good --
then the IBM Crypto Express features offer further help.

In recent releases of z/OS (2.3 and higher) there's a tool called "zERT"
(z/OS Encryption Readiness Technology) that's included. You can use zERT
to run reports illustrating your current z/OS network configuration and,
specifically, which network connections are still unencrypted or weakly
encrypted. Then you can work with your networking team and other
stakeholders to close all those gaps. You can then periodically revisit
zERT for updated reports.

There's plenty of documentation and help available if you need it. Just
ask. There's also an IBMTCP-L mailing list available where there are many
discussions of mainframe-related networking topics.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: [email protected]


Timothy,

I may be wrong, but I read that the data portions of telnet traffic are so small that there is no point in calling ICSF functions, and just the built-in TCPIP/TN3270 procedures are used instead. Note: I am talking about symmetric-key crypto, not handshaking. And that part of "software-based" encryption is eligible for zIIP offload.
Can you confirm that?

To make things more complex: some CPACF functions can be called directly from assembler code, without ICSF.

--
Radoslaw Skorupka
(looking for new job)
Lodz, Poland
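An added example, not part of this thread and not an IBM tool: a small Python check that a network security group could run from the client side, as a complement to the z/OS-side zERT reports Timothy describes above. It tells a TN3270 port that starts negotiating cleartext Telnet the moment you connect apart from one that waits silently for a TLS ClientHello, and it flags deprecated protocol versions and weak ciphers the way a "weakly encrypted" zERT finding would. The sample greetings are constructed, the host and port on the command line are whatever you point it at, and the Telnet option numbers are the IANA-registered ones (option 46, START_TLS, is what a server offering negotiated TLS asks for).

```python
"""Client-side check for TN3270 ports: cleartext Telnet negotiation first, or a
TLS-only port that stays silent until the ClientHello?  Sample greetings below are
constructed for illustration, not captured from any real system."""
import socket
import ssl
from dataclasses import dataclass, field

# Telnet command bytes (RFC 854) and the option numbers a TN3270(E) server negotiates.
IAC, DONT, DO, WONT, WILL, SB, SE = 0xFF, 0xFE, 0xFD, 0xFC, 0xFB, 0xFA, 0xF0
TELNET_OPTIONS = {
    0x00: "BINARY",
    0x18: "TERMINAL-TYPE",  # RFC 1091, classic TN3270 negotiation
    0x19: "EOR",            # RFC 885 end-of-record, used by TN3270
    0x28: "TN3270E",        # RFC 2355
    0x2E: "START_TLS",      # Telnet option 46: server offers an in-band upgrade to TLS
}
VERB = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}

# Protocol versions a zERT-style report would flag as weak (all deprecated).
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = ("NULL", "EXPORT", "RC4", "DES", "MD5")  # "DES" also catches 3DES

# Constructed sample greetings (what the server sends unsolicited after connect).
SAMPLES = {
    "classic TN3270, cleartext": bytes([IAC, DO, 0x18, IAC, DO, 0x19]),
    "TN3270E, cleartext":        bytes([IAC, DO, 0x28]),
    "negotiated TLS offered":    bytes([IAC, DO, 0x2E, IAC, DO, 0x28]),
    "implicit TLS port":         b"",
}


@dataclass
class Greeting:
    kind: str                       # "cleartext-telnet", "silent" or "other"
    options: list = field(default_factory=list)
    offers_start_tls: bool = False


def parse_telnet_negotiation(data: bytes) -> Greeting:
    """Classify the unsolicited bytes a server sends right after TCP connect.

    A cleartext TN3270(E) server speaks first (IAC DO TERMINAL-TYPE / IAC DO TN3270E).
    An implicit-TLS port sends nothing until the client's ClientHello, so no data
    means 'silent', not 'cleartext'."""
    if not data:
        return Greeting("silent")
    options = []
    i = 0
    while i < len(data):
        if data[i] != IAC:
            i += 1                      # banner text or application data
            continue
        if i + 1 >= len(data):
            break                       # truncated IAC at the end of the buffer
        cmd = data[i + 1]
        if cmd in VERB and i + 2 < len(data):
            opt = data[i + 2]
            name = TELNET_OPTIONS.get(opt, "OPT-%d" % opt)
            options.append("%s %s" % (VERB[cmd], name))
            i += 3
        elif cmd == SB:                 # skip a suboption up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                      # other two-byte command (NOP, GA, ...)
    if not options:
        return Greeting("other")
    return Greeting("cleartext-telnet", options, "DO START_TLS" in options)


def assess_tls(version: str, cipher: str, bits: int) -> list:
    """Return the findings a zERT-style 'weakly encrypted' report would raise."""
    issues = []
    if version in WEAK_PROTOCOLS:
        issues.append("deprecated protocol %s" % version)
    if bits < 128:
        issues.append("symmetric key strength %d bits is below 128" % bits)
    for token in WEAK_CIPHER_TOKENS:
        if token in cipher.upper():
            issues.append("weak cipher component %s in %s" % (token, cipher))
    return issues


def probe(host: str, port: int, timeout: float = 3.0) -> dict:
    """Live check (needs network): read the greeting; if silent, do a TLS handshake."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            first = sock.recv(512)
        except socket.timeout:
            first = b""
    greeting = parse_telnet_negotiation(first)
    result = {"host": host, "port": port, "encrypted": False, "options": greeting.options,
              "offers_start_tls": greeting.offers_start_tls, "issues": []}
    if greeting.kind == "cleartext-telnet":
        return result
    # Silent port: assume implicit TLS (e.g. the TN3270E secure port) and record the result.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE     # inventory only: we want protocol and cipher, not trust
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # let weak servers answer so they get flagged
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            result.update(encrypted=True, protocol=tls.version(), cipher=name,
                          issues=assess_tls(tls.version(), name, bits))
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:              # usage: python tn3270_tls_check.py HOST PORT
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:                               # no arguments: classify the constructed samples
        for label, raw in SAMPLES.items():
            print(label, "->", parse_telnet_negotiation(raw))
```

Run it with no arguments to see the four constructed greetings classified; point it at a host and port to inventory a real TN3270 listener. A port that negotiates TERMINAL-TYPE or TN3270E in the clear is exactly what the network security group is objecting to; a port that only offers DO START_TLS still accepts cleartext unless the server is configured to require the upgrade, so treat it as a finding too.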

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN