Re: SSL on tso

2017-04-05 Thread Tony Harminc
On 5 April 2017 at 05:14, saurabh khandelwal
 wrote:
> Then I downloaded using ASCII and renamed with .Cert and tried putting it
> to PCOmm database and getting below error.
>
> The validity period doesn't include today or does not fall within its
> issuer's validity period.
>
> But I also cross checked my certificate information on Mainframe and shows
>
> Effective date : 2017/04/05
> Expiration date : 2018/04/05
>
> I am not sure why I am getting this issue .

Are your mainframe and your Pcom in the same timezone? Is it possible
your Pcomm wasn't yet at 2017-04-05?

Tony H.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
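Tony's question is the one the client actually asks. A certificate's notBefore and notAfter are absolute instants (UTCTime in the DER, always written in UTC), and PCOMM compares them against the PC's own clock, not the mainframe's, so a 2017/04/05 effective date on the host means nothing if the desktop clock has not reached that instant. The script below is an added example, not code from this thread or from IBM: it parses only the validity field out of a DER certificate with a minimal, standard-library-only ASN.1 walk and repeats the client's check at a chosen instant, so the "validity period doesn't include today" verdict can be watched flipping as the client clock crosses notBefore. The certificate it parses is constructed inline (structurally valid, unsigned, placeholder key and signature bits) so nothing here depends on the poster's real certificate.

```python
"""Repeat a TLS client's certificate validity-window check in UTC.

Added example for the IBM-MAIN thread; not the poster's certificate and
not IBM code. Only the validity field is parsed; signatures are ignored.
"""
from datetime import datetime, timezone


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der(tag, content):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _parse_time(tag, value):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18) as UTC."""
    s = value.decode("ascii")
    if tag == 0x17:                         # RFC 5280 two-digit year pivot at 50
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:-1]
    elif tag == 0x18:
        year, rest = int(s[:4]), s[4:-1]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (notBefore, notAfter) as aware UTC datetimes from a DER certificate."""
    _, cert, _ = _read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                  # tbsCertificate SEQUENCE
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        pos = nxt
    _, _, pos = _read_tlv(tbs, pos)                 # serialNumber
    _, _, pos = _read_tlv(tbs, pos)                 # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)                 # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)            # validity SEQUENCE { start, end }
    t1, v1, p = _read_tlv(validity, 0)
    t2, v2, _ = _read_tlv(validity, p)
    return _parse_time(t1, v1), _parse_time(t2, v2)


def validity_problem(der, now_utc):
    """Mirror the client's check: None if valid at now_utc, else the reason."""
    not_before, not_after = certificate_validity(der)
    if now_utc < not_before:
        return "not yet valid: notBefore %s is %s ahead of the client clock" % (
            not_before.isoformat(), not_before - now_utc)
    if now_utc > not_after:
        return "expired: notAfter %s" % not_after.isoformat()
    return None


def build_sample_cert(not_before, not_after):
    """Constructed sample: a structurally valid but unsigned X.509 DER blob.
    Key bits and signature are placeholders (assumption: only the validity
    field matters for this check), so it must never be trusted by anything."""
    def utctime(dt):
        return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03")   # CN
                                            + _der(0x0C, b"MFTEST"))))
    alg = _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B")   # sha256WithRSA
                     + _der(0x05, b""))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))             # version v3
               + _der(0x02, b"\x01")                       # serialNumber 1
               + alg                                       # signature algorithm
               + name                                      # issuer (self-signed)
               + _der(0x30, utctime(not_before) + utctime(not_after))
               + name                                      # subject
               + _der(0x30, alg + _der(0x03, b"\x00\x00")))  # placeholder SPKI
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\x00"))    # placeholder signature


if __name__ == "__main__":
    nb = datetime(2017, 4, 5, 0, 0, tzinfo=timezone.utc)
    na = datetime(2018, 4, 5, 0, 0, tzinfo=timezone.utc)
    sample = build_sample_cert(nb, na)
    print("validity:", certificate_validity(sample))
    for when in (datetime(2017, 4, 4, 22, 0, tzinfo=timezone.utc),
                 datetime(2017, 4, 5, 6, 0, tzinfo=timezone.utc)):
        print(when.isoformat(), "->", validity_problem(sample, when) or "valid")
```

Against a real export, `openssl x509 -in tn3270.cer -noout -dates` prints the same two fields. If the file came down as PEM text (the ASCII transfer the thread describes), strip the BEGIN/END lines and base64-decode before handing it to certificate_validity; a binary DER export moved in ASCII mode is mangled by the EBCDIC-to-ASCII translation and fails at the outer SEQUENCE, which is a different failure from the date error PCOMM reported.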


Re: SSL on tso

2017-04-05 Thread saurabh khandelwal
Hello,

Thanks for the suggestion. To avoid all mistakes, I freshly created a key
database on the mainframe, generated a self-signed certificate, and then made
it trusted and set it as the key default.

Then I downloaded it using ASCII, renamed it with .Cert and tried putting it
into the PCOMM database, and am getting the error below.

The validity period doesn't include today or does not fall within its
issuer's validity period.

But I also cross-checked my certificate information on the mainframe and it shows

Effective date : 2017/04/05
Expiration date : 2018/04/05

I am not sure why I am getting this issue.

Please suggest.



Re: SSL on tso

2017-04-04 Thread Cieri, Anthony

It has been a while since I tried this, but as I recall, there are a 
couple of tasks that needed to be done in the gskkyman utility

1)  Set your self-signed certificate to TRUST status
2)  Make your self-signed certificate the default cert for the key 
database
3)  Create a database password file  (i.e. keytdatabase.sth)

Hth
Tony 




Re: SSL on tso

2017-04-03 Thread saurabh khandelwal
Hello group,

Till now we have completed the steps below to enable SSL for TSO.
1) opened port 992 on the firewall
2) using the gskkyman utility, created a database and self-signed certificate for
the user under which the TN3270 address space is running.
3) made an additional entry for SSL port 992 in the TN3270 profile with the key
database entry.
4) obeyed the new configuration.
5) downloaded the certificate from the mainframe to the desktop in ASCII and renamed
the file with the extension .cer
6) from the PCOMM certificate management utility, created a database and uploaded
the same certificate which we just downloaded into the correct path mentioned
in the certificate management utility.
7) tried enabling port 992 on PCOMM, enabled the security and TLS option, and
used the option to connect.

But after doing all this I was getting error "420", which says remote
client rejection.

Can anybody help to suggest if I am missing anything here to make this
connectivity work.

Thanks for help

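The server side of steps 2 to 4 above, together with Tony Cieri's three gskkyman tasks, as an added example rather than anyone's actual profile. It assumes a gskkyman key database at /etc/telnet/tn3270.kdb with its stash (password) file /etc/telnet/tn3270.sth next to it, LU names TCP00001 to TCP00008 and TSO as the target application; all of those names are placeholders. SECUREPORT with KEYRING HFS points the TN3270 server at the gskkyman database and uses whichever certificate is marked as the database default, which is why the default flag and the stash file matter; a RACF key ring would use KEYRING SAF instead. CONNTYPE SECURE refuses clients that do not negotiate TLS on that port, so a non-TLS client hitting 992 is rejected rather than silently given a clear session, and CLIENTAUTH NONE is server-only authentication, the mode the rest of the thread assumes.

```text
; TN3270 profile fragment (added example, placeholder paths and LU names)
TELNETPARMS
  SECUREPORT 992                       ; TLS port, kept separate from PORT 23
  KEYRING HFS /etc/telnet/tn3270.kdb   ; gskkyman database; tn3270.sth must sit alongside
  CONNTYPE SECURE                      ; reject clients that do not negotiate TLS
  CLIENTAUTH NONE                      ; server authentication only
  INACTIVE 0
  TIMEMARK 600
  SCANINTERVAL 120
ENDTELNETPARMS

BEGINVTAM
  PORT 992
  DEFAULTLUS
    TCP00001..TCP00008
  ENDDEFAULTLUS
  ALLOWAPPL TSO* DISCONNECTABLE
  ALLOWAPPL *
ENDVTAM
```

Keep the existing non-TLS PORT 23 block untouched while testing, as Elardus advises further down, so a broken key database cannot lock everyone out; once the TLS port is proven, the clear port can be closed.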


Re: SSL on tso

2017-03-30 Thread Andrew Rowley

On 31/03/2017 6:48 AM, Mark Pace wrote:

> Also note that one of the hard parts of SSL with PCOMM is self-signed
> certs.  You need to send a copy of the public key to each user of PCOMM and
> import the certificate.  If you're using a better TN3270 client, like Vista
> TN3270, you won't have this problem.  At least that's what I remember when I
> wandered down that rabbit hole about 5 years ago.
The better way to do this is with a properly signed certificate. You can 
even get certificates free through Lets Encrypt (although that has its 
own controversies). The main problem is a severe lack of documentation 
on how to install a real certificate vs. creating your own CA and 
signing your own.


I'm not sure that I would describe a client that doesn't have the 
problem as "better" since it means that the client is not defending 
itself against man-in-the-middle attacks (though I do use and like Vista 
myself).


--
Andrew Rowley
Black Hill Software
+61 413 302 386



Re: SSL on tso

2017-03-30 Thread Mark Pace
Also note that one of the hard parts of SSL with PCOMM is self-signed
certs.  You need to send a copy of the public key to each user of PCOMM and
import the certificate.  If you're using a better TN3270 client, like Vista
TN3270, you won't have this problem.  At least that's what I remember when I
wandered down that rabbit hole about 5 years ago.




-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems



Re: SSL on tso

2017-03-21 Thread Tom Brennan
I created a couple of SSL setup examples (RACF and USS) that worked for 
me a few years back.  With these instructions I was able to set up SSL 
encryption using self-signed certificates (i.e. no paid-for certificates 
that your site may require), but without any host or client authentication.


Later I did figure out how to set up host and client authentication, and 
in my tests for that I used the same self-signed certificate as for 
encryption.  But in my experience, I'd say most people aren't using 
authentication and just want encryption.  Or maybe they just *think* 
they are being authenticated once they get encrypted.  Uh oh...


Anyway, here are some notes.  Use them if you can, or throw them away 
where they probably belong:


http://www.mildredbrennan.com/mvs/setting_up_the_tn3270_started_task_for_ssl.docx

Tom



Re: SSL on tso

2017-03-21 Thread saurabh khandelwal
Yes, I'm referring to IBM PCOM. For secure TSO sessions we would like to
use port 992.
I did google for archived data but couldn't find steps to implement this
new change in the system.






Re: SSL on tso

2017-03-21 Thread Doron Geva
Enjoy the SSL




-- 


Regards,
Doron Geva

 - +972-54-4974548
 doron.geva...@gmail.com



Re: SSL on tso

2017-03-21 Thread Timothy Sipples
This presentation provides excellent advice on configuring TLS/SSL
encryption in z/OS:

http://www.ibm.com/support/docview.wss?uid=swg27028558&aid=1

Although it was written almost 6 1/2 years ago (as I write this), it's
still an excellent technical guide. Refer to the z/OS Knowledge Center for
your particular z/OS release if you need anything more up-to-date, for
reference. You will at least want to refer to the z/OS Communications
Server IP Configuration Guide. Here is the direct link (subject to change)
to that publication for z/OS 2.2:

http://publibz.boulder.ibm.com/epubs/pdf/f1a2b312.pdf

Chapter 21 contains the details on AT-TLS. As noted in Chapter 21, the z/OS
Management Facility (z/OSMF) makes it a great deal easier to configure
AT-TLS.

This redbook, geared for z/OS 2.1 and above, is also useful, especially
Chapters 12 and 16:

http://www.redbooks.ibm.com/redbooks/pdfs/sg248099.pdf

I assume you know how to obtain a TLS/SSL server certificate signed by a
well known Certificate Authority (CA) and how to configure IBM Personal
Communications to use TLS/SSL encryption over port 992. If you don't, and
if you cannot find those answers, please post a follow-up.

Encrypting TSO/E sessions is only one small part of overall enterprise
security, or even of z/OS-related security. There are several other steps
you can and should take, quickly. (You're well overdue on implementing TLS
encrypted TN3270E sessions, actually. I was working with customers on
implementing encrypted TN3270E sessions about two decades ago, so to be
generous you're only about 15 years late. Better late than never. :-))
Other basic steps include encrypting your other connections (AT-TLS will be
helpful, plus OSA-ICC encryption), making sure you have migrated to AES
encryption of your RACF databases, passphrases (with sensible policies)
instead of passwords, storage encryption (starting with physical tape,
since tape is inherently prone to movement), and several other steps. IBM
offers something called the "IBM Eagle Security Assessment" which is well
worth doing, if you haven't done it already and fairly recently. To apply
for that no charge assessment, visit this Web page (and scroll down a bit):

http://www.ibm.com/systems/z/solutions/enterprise-security.html


Timothy Sipples
IT Architect Executive, Industry Solutions, IBM z Systems, AP/GCG/MEA
E-Mail: sipp...@sg.ibm.com



Re: SSL on tso

2017-03-20 Thread Elardus Engelbrecht
saurabh khandelwal wrote:

>We have requirement to enable SSL for TSO access with ibm PCOOM emulator

Are you referring to the IBM PCOM emulator? Just checking about your spelling.


>with port 992 for secure connection. 

It depends on what your TCP/IP staff is using that port or any other port for 
TSO logon.


>I tried looking at document and redbook but didn't find any implementation 
>steps.

Really? There are many books and discussion lists sitting worldwide about this 
topic. Did you ask Mr. G. O. Ogle (Google) for it?


>Can anybody help to make this setup work.

Ask your TELNET server staff for assistance. Also ask your RACF staff for 
assistance for setting up a Digital Certificate for TELNET server. 

Just ensure you have a default TELNET non-SSL port in case you can't login in 
the first place.

Good luck, this is a major project. (I and my colleagues have been there and it 
was quite a journey, trust me.)

Groete / Greetings
Elardus Engelbrecht



SSL on tso

2017-03-20 Thread saurabh khandelwal
Hello group,

We have a requirement to enable SSL for TSO access with the ibm PCOOM emulator
with port 992 for secure connection. I tried looking at the documentation and redbook
but didn't find any implementation steps.

Can anybody help to make this setup work.

Regards
Saurabh
