Re: z/osmf Network Configuration Assistant
Thank you all for your replies. It appears that z/OSMF NCA is, as we say, the best thing since sliced bread, but many do not like sliced bread. Our configuration is not typical because the system is used to test a SSL/TLS application and developers need to test z/OS servers and clients with a number of different AT-TLS rules. The original configuration was created many years ago with the Windows tool and thereafter was managed manually - usually by adding yet another rule based on a previous rule but sometimes requiring new actions or cipher suites. It all got rather messy and the need for TLS 1.3 has prompted many changes. Using AT-TLS rather than native SSL/TLS support in z/OS-supplied components will also complicate matters. I do like NCA but just importing our current configuration produces a complicated configuration with names based on 'mangled' profile construct names and a lot of requirement mapping tables each containing just one entry. On the other hand I like the fact that NCA clearly presents the choices to be made - a list of cipher suites and elliptic curve groups specific to TLS 1.3 for instance - and although defaults can be taken we are aware that the default has been chosen rather than being something that was overlooked. Also I like the fact that I can print a configuration in a form that will make sense to a developer. I think I may end up with a horrible compromise where I use NCA 'to create a set of definitions for TLS 1.3 testing 'from scratch' and merge them into the full policy. Keith On 27/10/2020 13:07, Tom Conley wrote: Keith, IBM decided that AT-TLS was so inscrutable that you needed an app to configure it. Untrue. You can manually configure AT-TLS for TN3270 in less than a day, provided you can do all the tasks necessary. Please check out my presentation on this (WTW): https://www.newera.com/INFO/Top_11_Things_032018.pdf Please let me know if you have any questions or concerns. Regards, Tom Conley -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: z/osmf Network Configuration Assistant
I also use manual modification and it works fine. NCA in the other hand seems daunting to me. A question and answer format like zCX would be far better IMHO. On Tue, Oct 27, 2020 at 7:05 AM Roberto Halais wrote: > We are using manual modifications. Before, we used the Windows application > which was excellent. > We tried z/OSMF NCA but don't like it. > Maybe IBM will force us to use it. > > On Mon, Oct 26, 2020 at 12:21 PM Keith Gooding < > 034af3894af4-dmarc-requ...@listserv.ua.edu> wrote: > > > Is anyone using this to maintain AT-TLS policies or any other policies ? > > > > Any views on NCA vs manual editing of the policy file ? > > > > When I first encountered AT-TLS I used the Windows version to generate a > > simple policy file for one type of application and thereafter did manual > > edits to the policy file (all applications were similar). Using AT-TLS > for > > z/OS-supplied applications such as Telnet and FTP will make the policy > file > > more complicated and I am wondering whether NCA is the best way. > > > > Keith > > -- > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > > > > -- > Politics: Poli (many) - tics (blood sucking parasites) > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- Michael Babcock OneMain Financial z/OS Systems Programmer, Lead -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: z/osmf Network Configuration Assistant
On 10/26/2020 12:21 PM, Keith Gooding wrote: Is anyone using this to maintain AT-TLS policies or any other policies ? Any views on NCA vs manual editing of the policy file ? When I first encountered AT-TLS I used the Windows version to generate a simple policy file for one type of application and thereafter did manual edits to the policy file (all applications were similar). Using AT-TLS for z/OS-supplied applications such as Telnet and FTP will make the policy file more complicated and I am wondering whether NCA is the best way. Keith -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN Keith, IBM decided that AT-TLS was so inscrutable that you needed an app to configure it. Untrue. You can manually configure AT-TLS for TN3270 in less than a day, provided you can do all the tasks necessary. Please check out my presentation on this (WTW): https://www.newera.com/INFO/Top_11_Things_032018.pdf Please let me know if you have any questions or concerns. Regards, Tom Conley -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: z/osmf Network Configuration Assistant
We are using manual modifications. Before, we used the Windows application which was excellent. We tried z/OSMF NCA but don't like it. Maybe IBM will force us to use it. On Mon, Oct 26, 2020 at 12:21 PM Keith Gooding < 034af3894af4-dmarc-requ...@listserv.ua.edu> wrote: > Is anyone using this to maintain AT-TLS policies or any other policies ? > > Any views on NCA vs manual editing of the policy file ? > > When I first encountered AT-TLS I used the Windows version to generate a > simple policy file for one type of application and thereafter did manual > edits to the policy file (all applications were similar). Using AT-TLS for > z/OS-supplied applications such as Telnet and FTP will make the policy file > more complicated and I am wondering whether NCA is the best way. > > Keith > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- Politics: Poli (many) - tics (blood sucking parasites) -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: z/osmf Network Configuration Assistant
If you are going beyond 2-3 simple rules you'll love NCA in ZOSMF once you get it going. Chances of getting what you want is minimal with more than half a dozen complex rules if coding it manually. Health Check proves you have valid syntax and lets you check your work. Mike Wawiorko -Original Message- From: IBM Mainframe Discussion List On Behalf Of Keith Gooding Sent: 26 October 2020 16:11 To: IBM-MAIN@LISTSERV.UA.EDU Subject: z/osmf Network Configuration Assistant This mail originated from outside our organisation - 034af3894af4-dmarc-requ...@listserv.ua.edu Is anyone using this to maintain AT-TLS policies or any other policies ? Any views on NCA vs manual editing of the policy file ? When I first encountered AT-TLS I used the Windows version to generate a simple policy file for one type of application and thereafter did manual edits to the policy file (all applications were similar). Using AT-TLS for z/OS-supplied applications such as Telnet and FTP will make the policy file more complicated and I am wondering whether NCA is the best way. Keith -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law. If you are not the addressee, or have received this e-mail in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments. Internet communications are not guaranteed to be secure or virus-free. The Barclays Group does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third party, or from the transmission of any viruses. Replies to this e-mail may be monitored by the Barclays Group for operational or business reasons. Any opinion or other information in this e-mail or its attachments that does not relate to the business of the Barclays Group is personal to the sender and is not given or endorsed by the Barclays Group. Barclays Execution Services Limited provides support and administrative services across Barclays group. Barclays Execution Services Limited is an appointed representative of Barclays Bank UK plc, Barclays Bank plc and Clydesdale Financial Services Limited. Barclays Bank UK plc and Barclays Bank plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Clydesdale Financial Services Limited is authorised and regulated by the Financial Conduct Authority. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
z/osmf Network Configuration Assistant
Is anyone using this to maintain AT-TLS policies or any other policies ? Any views on NCA vs manual editing of the policy file ? When I first encountered AT-TLS I used the Windows version to generate a simple policy file for one type of application and thereafter did manual edits to the policy file (all applications were similar). Using AT-TLS for z/OS-supplied applications such as Telnet and FTP will make the policy file more complicated and I am wondering whether NCA is the best way. Keith -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN