Enjoy the SSL

On Tue, Mar 21, 2017 at 9:17 AM, Timothy Sipples <[email protected]> wrote:

> This presentation provides excellent advice on configuring TLS/SSL
> encryption in z/OS:
>
> http://www.ibm.com/support/docview.wss?uid=swg27028558&aid=1
>
> Although it was written almost 6 1/2 years ago (as I write this), it's
> still an excellent technical guide. Refer to the z/OS Knowledge Center for
> your particular z/OS release if you need anything more up-to-date, for
> reference. You will at least want to refer to the z/OS Communications
> Server IP Configuration Guide. Here is the direct link (subject to change)
> to that publication for z/OS 2.2:
>
> http://publibz.boulder.ibm.com/epubs/pdf/f1a2b312.pdf
>
> Chapter 21 contains the details on AT-TLS. As noted in Chapter 21, the z/OS
> Management Facility (z/OSMF) makes it a great deal easier to configure
> AT-TLS.
>
> This redbook, geared for z/OS 2.1 and above, is also useful, especially
> Chapters 12 and 16:
>
> http://www.redbooks.ibm.com/redbooks/pdfs/sg248099.pdf
>
> I assume you know how to obtain a TLS/SSL server certificate signed by a
> well known Certificate Authority (CA) and how to configure IBM Personal
> Communications to use TLS/SSL encryption over port 992. If you don't, and
> if you cannot find those answers, please post a follow-up.
>
> Encrypting TSO/E sessions is only one small part of overall enterprise
> security, or even of z/OS-related security. There are several other steps
> you can and should take, quickly. (You're well overdue on implementing TLS
> encrypted TN3270E sessions, actually. I was working with customers on
> implementing encrypted TN3270E sessions about two decades ago, so to be
> generous you're only about 15 years late. Better late than never. :-))
> Other basic steps include encrypting your other connections (AT-TLS will be
> helpful, plus OSA-ICC encryption), making sure you have migrated to AES
> encryption of your RACF databases, passphrases (with sensible policies)
> instead of passwords, storage encryption (starting with physical tape,
> since tape is inherently prone to movement), and several other steps. IBM
> offers something called the "IBM Eagle Security Assessment" which is well
> worth doing, if you haven't done it already and fairly recently. To apply
> for that no charge assessment, visit this Web page (and scroll down a bit):
>
> http://www.ibm.com/systems/z/solutions/enterprise-security.html
>
> ------------------------------------------------------------
> --------------------------------------------
> Timothy Sipples
> IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
> E-Mail: [email protected]
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>

--
Regards,
*Doron Geva* - 054-4974548
[email protected]

Regards,
Doron Geva - +972-54-4974548
[email protected]
