Cameron Seay writes:
> This may be a question for the z/OS board, but since all of our z/OS lives
> inside z/VM guests I will ask it here first.

The IBMVM mailing list would have been better still but there's a good-sized overlap between the IBMVM and LINUX-390 lists.

> Our IT staff wants us to use SSL so that outside users can access the z/VM
> LPAR without having to get vpn accounts. Currently they do. We access
> z/OS via logging into a VM LPAR and then dialing into the z/OS guest. The
> 3270 client we use has SSL capability. What needs to be enabled/turned on
> on the VM side to allow a connection via SSL? The IT folks are going to
> open a port for this purpose.

Follow the "Configuring the SSL Server" chapter of the "z/VM TCP/IP Planning and Customization" manual to get the base SSL and TLS support set up with your certificate and to get the SSL service virtual machine(s) set up. There were significant changes brought in in z/VM 6.2 for SSL (e.g. multiple server pools) so the exact method depends on what level of z/VM you're using, and if you're still on 5.4 then there'll be a bit of tweaking you'll need to remember to do to the configuration when you upgrade.

Then for SSL-secured tn3270 access you follow the "Configuring the TCP/IP Server" chapter. You need to choose one or both of:

(a) having z/VM TCPIP and the tn3270 clients negotiate SSL via TLS (no need for a separate port). You use INTERCLIENTPARAMS statements to configure it: TLSLABEL to choose your certificate label and SECURECONNECTION NEVER|REQUIRED|PREFERRED|ALLOWED to set your policy on whether clients can/must negotiate SSL. Some tn3270 clients that support SSL don't support TLS-negotiated SSL and some of those that support TLS have problems depending on which end tries to negotiate first so that may influence your SECURECONNECTION or TLS choice.

(b) having the tn3270 client make an immediate SSL-protocol connection, in which case you need a separate port and add "SECURE your_cert_label" to the relevant "portnum TCP INTCLIEN" line in the PORT section of your PROFILE TCPIP.
--Malcolm

--
Malcolm Beattie
Linux and System z Technical Consultant, zChampion
IBM UK Systems and Technology Group
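An added example, not part of the original post or of any IBM tooling: a small Python audit of a PROFILE TCPIP that reports, for each tn3270 (INTCLIEN) port, whether it uses option (b) or option (a) above and whether a cleartext session is still possible on it. The sample profile, the certificate label VMCERT, the port numbers, the `;` comment handling and the default of NEVER when no SECURECONNECTION is present are assumptions.

```python
import re

# Constructed sample PROFILE TCPIP fragment; labels and ports are made up.
SAMPLE_PROFILE = """\
INTERNALCLIENTPARMS
  TLSLABEL VMCERT
  SECURECONNECTION ALLOWED
ENDINTERNALCLIENTPARMS
PORT
  21  TCP FTPSERVE
  23  TCP INTCLIEN
  992 TCP INTCLIEN SECURE VMCERT
"""

# Accepts the post's spelling and INTERNALCLIENTPARMS (assumed manual spelling).
PARMS_START = re.compile(r"^INTER(NAL)?CLIENTPARA?MS$")

def audit_profile(text):
    """Return (port, mode, cleartext_possible) for each INTCLIEN port."""
    policy, entries = "NEVER", []  # assumption: no policy statement means no TLS
    in_parms = in_port = False
    for raw in text.splitlines():
        tok = raw.split(";", 1)[0].upper().split()  # assumption: ';' = comment
        if not tok:
            continue
        if PARMS_START.match(tok[0]):
            in_parms, in_port, tok = True, False, tok[1:]
        elif tok[0].startswith("ENDINTER"):
            in_parms = False
            continue
        elif tok[0] == "PORT" and not in_parms:
            in_port = True
            continue
        if in_parms:
            # Operands may share a line, so scan adjacent token pairs.
            for key, val in zip(tok, tok[1:]):
                if key == "SECURECONNECTION":
                    policy = val
        elif in_port and tok[0].isdigit():
            if len(tok) >= 3 and tok[2] == "INTCLIEN":
                entries.append((int(tok[0]), "SECURE" in tok[3:]))
        else:
            in_port = False  # any other statement ends the PORT section
    # SECURE port = option (b); otherwise option (a), governed by SECURECONNECTION.
    return [(p, "immediate-ssl", False) if s else
            (p, "negotiated:" + policy, policy != "REQUIRED")
            for p, s in entries]
```

On the sample, port 23 is reported as still allowing cleartext because the policy is ALLOWED, which matters if that is the port being opened to outside users.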
