Re: TLS - and HTTP download

2023-05-02 Thread Colin Paice
I wrote "Using AT-TLS and PAGENT on z/OS", which covers setting up ATTLS and gives an example or two.
Colin

On Mon, 1 May 2023 at 22:17, Keith Gooding <
034af3894af4-dmarc-requ...@listserv.ua.edu> wrote:


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: TLS - and HTTP download

2023-05-01 Thread Keith Gooding
Bill.

An AT-TLS rule consists of a number of tests and pointers to actions which are
performed if all of the tests are true. One of the actions specifies if TLS is
to be enabled or not. You can test on local and remote port numbers, local
and remote IP addresses, connection direction (inbound or outbound), local
address space name etc. You may have a rule which says “if the remote port is
443 (https ?) and direction is outbound then enable TLS”. This would enable
TLS for an SMPE batch job connecting to an https server. To check you can
either view the AT-TLS policy or, to get a better formatted list, use the unix
command “pasearch -t > mylist.txt” and then view mylist.txt. See Comms Server
IP diagnosis for details of pasearch and how to list a subset of the policy. If
this is in fact the problem you could add another rule which says “if the
remote IP address is the IBM https server then do not enable TLS”.

Keith
> On 1 May 2023, at 20:29, Michael Babcock  wrote:



Re: TLS - and HTTP download

2023-05-01 Thread Michael Babcock

Here's our simple DB2 Secure port definition in AT-TLS:

TTLSRule DBRTSecureServer                              # Secure DBRT
{
  LocalPortRange           4450                        # DBRT Secure Port
  Direction                Inbound                     # Inbound Only
  Priority                 1                           # Lowest priority rule
  TTLSGroupActionRef       grp_Production              # Uncomment once debugging
  TTLSEnvironmentActionRef DBRT_SecureServer_Action    # DBRT Env Action
}

TTLSEnvironmentAction DBRT_SecureServer_Action
{
  HandshakeRole            Server
  TTLSKeyRingParmsRef      DBRT_Keyring_Parms
  TTLSCipherParmsRef       DB2_CipherParms
  TTLSEnvironmentAdvancedParms
  {
    ClientAuthType         PassThru
    SSLv2                  Off
    SSLv3                  Off
    TLSv1                  Off
    TLSv1.1                Off
    TLSv1.2                On
  }
}

TTLSKeyRingParms DBRT_Keyring_Parms
{
  Keyring                  DBRT/DBRT.KEYRING
}

On 5/1/2023 2:12 PM, Kurt J. Quackenbush wrote:


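To make Keith's description of rule tests, priorities and the "do not enable TLS for the download server" fix concrete against the kind of policy Michael posted, here is an added example; it is not IBM's code and not from anyone in this thread. It is a small Python parser for the brace-style AT-TLS policy syntax, plus the selection AT-TLS performs on a connection: among all matching TTLSRules, the one with the highest Priority value wins, and its TTLSGroupAction decides whether TLS is applied. The policy text, the rule names OutboundHttps and OutboundHttpsNoATTLS, the priorities and the 192.0.2.10 address (a documentation address standing in for the download server) are constructed assumptions, and the parser only handles the subset of the syntax shown here; the authoritative check on a real system is still pasearch against the live policy.

```python
# Added example, not IBM's code and not from this thread: a parser for the brace-style
# AT-TLS policy syntax, plus the rule selection AT-TLS performs (highest Priority wins).
# The policy text is constructed; 192.0.2.10 is a documentation address, not IBM's server.
import ipaddress
from collections import namedtuple

POLICY = """
TTLSRule DBRTSecureServer          # shape of the DB2 rule posted above
{
  LocalPortRange           4450
  Direction                Inbound
  Priority                 1
  TTLSGroupActionRef       grp_Production
  TTLSEnvironmentActionRef DBRT_SecureServer_Action
}
TTLSRule OutboundHttps             # broad: every outbound connection to port 443
{
  RemotePortRange          443
  Direction                Outbound
  Priority                 5
  TTLSGroupActionRef       grp_Production
}
TTLSRule OutboundHttpsNoATTLS      # more specific and higher priority: SMP/E
{                                  # already speaks TLS itself, so leave it alone
  RemoteAddr               192.0.2.10
  RemotePortRange          443
  Direction                Outbound
  Priority                 10
  TTLSGroupActionRef       grp_NoTLS
}
TTLSEnvironmentAction DBRT_SecureServer_Action
{
  HandshakeRole            Server
  TTLSEnvironmentAdvancedParms
  {
    TLSv1.2                On
  }
}
TTLSGroupAction grp_Production
{
  TTLSEnabled              On
}
TTLSGroupAction grp_NoTLS
{
  TTLSEnabled              Off
}
"""

def parse_policy(text):
    # Returns {(statement type, name): {parameter: value}}; nested { } blocks become dicts.
    lines = [s for l in text.splitlines() if (s := l.split("#", 1)[0].strip())]
    pos = 0
    def block():
        nonlocal pos
        assert lines[pos] == "{", f"expected '{{' but found {lines[pos]!r}"
        pos += 1
        params = {}
        while lines[pos] != "}":
            parts = lines[pos].split(None, 1)
            pos += 1   # a bare keyword followed by "{" opens a nested block
            params[parts[0]] = block() if lines[pos] == "{" else parts[1]
        pos += 1
        return params
    policy = {}
    while pos < len(lines):
        kind, name = lines[pos].split(None, 1)
        pos += 1
        policy[(kind, name)] = block()
    return policy

# A connection as the AT-TLS selectors see it ("Inbound"/"Outbound", ports, peer address).
Connection = namedtuple("Connection", "direction local_port remote_port remote_addr")

def rule_matches(rule, conn):
    # Every selector present in the rule must match; an absent selector matches anything.
    def port_ok(spec, port):           # one port or "low-high"
        low, _, high = spec.partition("-")
        return int(low) <= port <= int(high or low)
    return all([
        rule.get("Direction", "Both") in ("Both", conn.direction),
        "LocalPortRange" not in rule or port_ok(rule["LocalPortRange"], conn.local_port),
        "RemotePortRange" not in rule or port_ok(rule["RemotePortRange"], conn.remote_port),
        "RemoteAddr" not in rule or ipaddress.ip_address(conn.remote_addr)
        in ipaddress.ip_network(rule["RemoteAddr"], strict=False),
    ])

def select_rule(policy, conn):
    # (rule name, will AT-TLS apply TLS?) for the highest-priority matching rule, else None.
    matches = [(int(rule.get("Priority", 0)), name, rule)
               for (kind, name), rule in policy.items()
               if kind == "TTLSRule" and rule_matches(rule, conn)]
    if not matches:
        return None
    _, name, rule = max(matches)       # names are unique, so max() never compares the dicts
    group = policy[("TTLSGroupAction", rule["TTLSGroupActionRef"])]
    return name, group.get("TTLSEnabled", "Off") == "On"

if __name__ == "__main__":
    pol = parse_policy(POLICY)
    print("SMP/E to download server:", select_rule(pol, Connection("Outbound", 50001, 443, "192.0.2.10")))
```

Run as-is, the SMP/E-style connection (outbound to the download server on 443) selects OutboundHttpsNoATTLS and AT-TLS leaves it alone, while any other outbound 443 connection still falls to OutboundHttps and is wrapped in TLS by AT-TLS; delete the exclusion rule and the SMP/E connection is caught by OutboundHttps instead, which is the breakage Bill describes. One caveat for Bill's setup: with a proxy in the path the remote address AT-TLS sees is the proxy's, not the IBM server's, so the exclusion would have to match the proxy address, or be scoped to the SMP/E job by address space name (the Jobname selector) as Keith mentions.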


Re: TLS - and HTTP download

2023-05-01 Thread Kurt J. Quackenbush
My understanding is that ATTLS allows you to encrypt network traffic for 
clients/servers which do not implement TLS themselves.  It sounds like your Db2 
traffic was formerly not encrypted with TLS, but your ATTLS rule now encrypts 
that Db2 traffic without the client or server being any wiser.  Unfortunately 
that rule is also negatively affecting SMP/E and probably any other 
applications that use HTTPS.  SMP/E implements TLS itself, so it doesn't need 
ATTLS to do so on its behalf.

I am absolutely NOT an expert in defining ATTLS rules, but my guess is you need 
to define the rule more specifically to impact only the Db2 traffic and not all 
HTTPS traffic.  Hopefully some kind soul with way more experience in ATTLS can 
offer suggestions, sorry.

Kurt Quackenbush
IBM  |  z/OS SMP/E and z/OSMF Software Management  |  ku...@us.ibm.com

Chuck Norris never uses CHECK when he applies PTFs.



Re: TLS - and HTTP download

2023-05-01 Thread Keith Gooding
Do you mean that you have an ATTLS rule which ‘converts’ your SMP/E job to an
SSL client? I.e. ATTLS acts as an SSL proxy, converting the data stream into
and out of your SMP/E step to SSL? But SMP/E implements SSL itself so you must
not convert that to SSL using an AT-TLS rule.

> On 1 May 2023, at 17:53, Bill Giannelli  wrote:



Re: TLS - and HTTP download

2023-05-01 Thread Bill Giannelli
I am confused myself!
We originally "reconfigured" TLS to provide for encrypted data transfer for Db2
thru secured ports.
Part of that work (I do not know why) was specifying a rule for HTTPS.
Now the only way we can download on this LPAR is when the HTTPS - TLS rule is
disabled.
Does that make sense?
Thanks
Bill
On Mon, 1 May 2023 15:03:47 +, Kurt J. Quackenbush  wrote:



Re: TLS - and HTTP download

2023-05-01 Thread Kurt J. Quackenbush
I'm confused by your question.  Can you be more specific what you mean by "we 
have locked down HTTPS via TLS"?  Are you not allowing any HTTPS traffic at 
all?  That feels extreme.

Kurt Quackenbush
IBM  |  z/OS SMP/E and z/OSMF Software Management  |  ku...@us.ibm.com

Chuck Norris never uses CHECK when he applies PTFs.



TLS - and HTTP download

2023-05-01 Thread Bill Giannelli
We download IBM software maintenance via HTTPS.
Now, we have locked down HTTPS via TLS.
This prevents us from downloading.
One detail, we are going thru a proxy server.
How do we need to configure so we can still download using HTTPS with TLS
locking it down?
Thanks
Bill
