I wrote: >....and I believe Attachment's SSL/TLS support has been around for at >least 20 years.
I meant Attachmate, not Attachment. :-) Radoslaw Skorupka wrote: >I can be wrong, but I read that data portions for telnet traffic are so >small that there is no interest to call ICSF functions and just built-in >TCPIP/TN3270 procedures are used. Note: I talk about symmetric key >crypto, not handshaking. And that part of "software based" encryption is >eligible to zIIP offload. >Can you confirm that? z/OS's TN3270E server uses AT-TLS (Application Transparent Transport Layer Security) via the TTLSPORT configuration option, AT-TLS uses System SSL, and System SSL uses CPACF (if available). If IBM Crypto Express is available and properly configured that'll also be used, particularly for TLS handshaking. As I write this the z/OS TN3270E server still supports another, older configuration option, SECUREPORT. You should phase out use of the SECUREPORT configuration option in favor of TTLSPORT. Make this shift as reasonably soon as you can, please. Bill Giannelli evidently isn't using either, so TTLSPORT is the way forward. zIIPs are not relevant to TN3270E with AT-TLS. You might be thinking of something else (IPsec/IKEv2, Encryption Facility for z/OS, ...) that can often benefit from zIIPs. >To make things more complex: some CPACF functions can be called directly >from assembler code, without ICSF. Perhaps that detail is interesting to some, but nobody needs to worry about it in this context, or in most other contexts for that matter. - - - - - - - - - - Timothy Sipples I.T. Architect Executive Digital Asset & Other Industry Solutions IBM Z & LinuxONE - - - - - - - - - - E-Mail: [email protected] ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
