Re: AT-TLS ? Very Basic Questions
Thanks! This conversation really helped me understand. And Mike just pointed out that not only are things headed to AT-TLS, but it may be the ONLY way to encrypt in the near future.

On 7/1/2020 9:21 AM, Charles Mills wrote:
> Tom, I believe you have nailed it exactly. Those are the two main drivers IMHO.
>
> In addition, there is a *huge* problem (in general, not Z specifically) of poorly-written programmatic "users" of TLS libraries. If you write a General Ledger program and the ledgers don't cross-foot, the CFO tells you. If you write an "encrypted" communication program and the encryption has a logical flaw, generally no one tells you. :-(
>
> Centralizing the use of TLS, not just the TLS APIs, is a step toward addressing that problem.
>
> https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
>
> Charles

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: AT-TLS ? Very Basic Questions
I think programs will be able to; IBM just does not intend to spend to maintain encryption in two places: AT-TLS *and* all of the listed applications.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mike Wawiorko
Sent: Wednesday, July 1, 2020 6:43 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

> Some programs will soon no longer be able to do their own TLS encryption.
>
> https://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/0/877/ENUSZP19-0410/index.html&request_locale=en#sodx
>
> Mike Wawiorko
Re: AT-TLS ? Very Basic Questions
Tom, I believe you have nailed it exactly. Those are the two main drivers IMHO.

In addition, there is a *huge* problem (in general, not Z specifically) of poorly-written programmatic "users" of TLS libraries. If you write a General Ledger program and the ledgers don't cross-foot, the CFO tells you. If you write an "encrypted" communication program and the encryption has a logical flaw, generally no one tells you. :-(

Centralizing the use of TLS, not just the TLS APIs, is a step toward addressing that problem.

https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tom Brennan
Sent: Tuesday, June 30, 2020 9:46 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

> Thanks KB... I think I got my basic question answered, which is that one thing AT-TLS was designed for is to encrypt data for TCP/IP programs that weren't originally written with encryption. In addition, it sounds like even programs that can do their own encryption (i.e. TN3270) can also use AT-TLS. If so, that's a smart plan - putting encryption processing in one bucket with one set of controls, and one spot to update when TLS1.x comes along.
>
> But if I'm wrong with any of the general notes above, please correct me.
Re: AT-TLS ? Very Basic Questions
Some programs will soon no longer be able to do their own TLS encryption.

https://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/0/877/ENUSZP19-0410/index.html&request_locale=en#sodx

Statements of direction

Removal of native TLS/SSL support from TN3270E Telnet server, FTP server, and DCAS

z/OS V2.4 is planned to be the last release in which the z/OS TN3270E Telnet server, FTP server, and Digital Certificate Access Server (DCAS) will support direct invocation of System SSL APIs for TLS/SSL protection. In the future, the only TLS/SSL protection option for these servers will be Application Transparent Transport Layer Security (AT-TLS). The direct System SSL support in each of these components is functionally outdated and only supports TLS protocols up through TLSv1.1. IBM recommends converting your TN3270E Telnet, FTP server, and DCAS configurations to use AT-TLS, which supports the latest System SSL features, including the TLSv1.2 and TLSv1.3 protocols and related cipher suites. Note that while native TLS/SSL support for z/OS FTP client is not being withdrawn at this time, no future enhancements are planned for that support. IBM recommends using AT-TLS to secure FTP client traffic.

Mike Wawiorko

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Tom Brennan
Sent: 01 July 2020 05:46
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

> Thanks KB... I think I got my basic question answered, which is that one thing AT-TLS was designed for is to encrypt data for TCP/IP programs that weren't originally written with encryption. In addition, it sounds like even programs that can do their own encryption (i.e. TN3270) can also use AT-TLS. If so, that's a smart plan - putting encryption processing in one bucket with one set of controls, and one spot to update when TLS1.x comes along.
>
> But if I'm wrong with any of the general notes above, please correct me.
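Added illustration, not part of Mike's post or of IBM's announcement: the shape of an AT-TLS policy (the Policy Agent configuration Marshall and Tom refer to elsewhere in this thread) that does what the statement of direction recommends for the FTP server, with TLS handled by the TCP/IP stack and limited to TLSv1.2 and TLSv1.3. The rule and action names, the `FTPD*` job name and the `FTPD/FTPRING` keyring are placeholders; substitute your own.

```text
# AT-TLS policy fragment for the z/OS FTP server (example, names are placeholders)

TTLSRule                           FTPServerControl
{
  Jobname                          FTPD*          # FTP daemon started task(s)
  LocalPortRange                   21             # control connection
  Direction                        Inbound
  TTLSGroupActionRef               FTPGroup
  TTLSEnvironmentActionRef         FTPServerEnv
}

TTLSGroupAction                    FTPGroup
{
  TTLSEnabled                      On
}

TTLSEnvironmentAction              FTPServerEnv
{
  HandshakeRole                    Server
  TTLSKeyringParmsRef              FTPKeyring
  TTLSEnvironmentAdvancedParmsRef  FTPAdvanced
  TTLSCipherParmsRef               FTPCiphers
}

TTLSKeyringParms                   FTPKeyring
{
  Keyring                          FTPD/FTPRING   # SAF keyring: userid/ringname
}

TTLSEnvironmentAdvancedParms       FTPAdvanced
{
  ApplicationControlled            On   # FTP negotiates AUTH TLS, then tells the stack to start TLS
  SecondaryMap                     On   # data connections are mapped to this same rule
  SSLv3                            Off
  TLSv1                            Off
  TLSv1.1                          Off  # the only level the old native support went up to
  TLSv1.2                          On
  TLSv1.3                          On
}

TTLSCipherParms                    FTPCiphers
{
  V3CipherSuites4Char              1302  # TLS_AES_256_GCM_SHA384        (TLS 1.3)
  V3CipherSuites4Char              1301  # TLS_AES_128_GCM_SHA256        (TLS 1.3)
  V3CipherSuites                   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites                   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
```

The server side of FTP.DATA has to hand TLS over to the stack for this to apply: `TLSMECHANISM ATTLS` and `EXTENSIONS AUTH_TLS`, plus `SECURE_FTP REQUIRED` if clear-text logins are to be refused. After changing the policy file, `MODIFY PAGENT,REFRESH` picks it up and `pasearch -t` shows what the stack actually loaded, which is the check to run before assuming a port is protected.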
Re: AT-TLS ? Very Basic Questions
I tried "Let's Encrypt" https://letsencrypt.org/ once for some web site names I have on a Linux server under my desk. I can't remember why I didn't like it, but I ended up making my own CA cert to sign my https certificates, and then got the few people using the sites to import my CA into their browser. Cheating a bit, but it works great for isolated use.

But yes, if things like certificates could be all piled into one application and handled by one person in a company, things would get easier. The first time I dealt with a certificate on the mainframe was for IBM's ITIM system which (the developer mentioned) had just switched to use OpenSSL. We had multiple meetings with project leaders and others just to get a paid-for certificate in place (2 year expiration), when we probably could have created something self-signed with a 30 year expiration if we knew better :)

On 6/30/2020 10:23 PM, kekronbekron wrote:
> I believe that's the idea. Now with zERT being available, more encrypted workload types will get surfaced; will probably lead to adding more application/transport types being added under AT-TLS's capability. Just speculation anyway.
>
> What'll be interesting is if AT-TLS evolves to support mTLS (and the dynamic cert generation, renewal involved in it) for all the east-west traffic in new-age workload. Starting with a "port" of Let's Encrypt for Z.
>
> Don't know if any of these make sense, just a wild wishlist.
>
> - KB
Re: AT-TLS ? Very Basic Questions
I believe that's the idea. Now with zERT being available, more encrypted workload types will get surfaced; will probably lead to adding more application/transport types being added under AT-TLS's capability. Just speculation anyway.

What'll be interesting is if AT-TLS evolves to support mTLS (and the dynamic cert generation, renewal involved in it) for all the east-west traffic in new-age workload. Starting with a "port" of Let's Encrypt for Z.

Don't know if any of these make sense, just a wild wishlist.

- KB

‐‐‐ Original Message ‐‐‐
On Wednesday, July 1, 2020 10:16 AM, Tom Brennan wrote:

> Thanks KB... I think I got my basic question answered, which is that one thing AT-TLS was designed for is to encrypt data for TCP/IP programs that weren't originally written with encryption. In addition, it sounds like even programs that can do their own encryption (i.e. TN3270) can also use AT-TLS. If so, that's a smart plan - putting encryption processing in one bucket with one set of controls, and one spot to update when TLS1.x comes along.
>
> But if I'm wrong with any of the general notes above, please correct me.
Re: AT-TLS ? Very Basic Questions
Thanks KB... I think I got my basic question answered, which is that one thing AT-TLS was designed for is to encrypt data for TCP/IP programs that weren't originally written with encryption. In addition, it sounds like even programs that can do their own encryption (i.e. TN3270) can also use AT-TLS. If so, that's a smart plan - putting encryption processing in one bucket with one set of controls, and one spot to update when TLS1.x comes along.

But if I'm wrong with any of the general notes above, please correct me.

On 6/30/2020 9:16 PM, kekronbekron wrote:
> Tom, check this out - https://www.youtube.com/watch?v=YKEzX70moOQ
>
> I also got 200 hits for 'AT-TLS' after logging in to share.org; you might want to do the same to see which of those are the most useful to you.
>
> - KB
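Two points raised in this thread have the same answer in code: Tom's "what happens on the FTP client side?" (the Windows `ftp` command indeed cannot talk to an AT-TLS-protected server, because the server still expects the client to speak TLS), and Charles' remark, citing the Georgiev et al. paper, that application code which calls a TLS library badly is a huge and silent problem. The example below is added here and is not code from the list or from IBM: an explicit FTPS client in Python that connects to port 21, upgrades with AUTH TLS before the password is sent, and protects the data connection with PROT P. It shows the careless TLS context beside the one a reviewer would accept. Host name, user, password and CA bundle path are placeholders.

```python
"""Explicit FTPS (AUTH TLS) client for an AT-TLS-protected z/OS FTP server.

Added example for this thread; not code from the list or from IBM.
Host name, credentials and the CA bundle path are placeholders.
"""
import ssl
from ftplib import FTP_TLS
from typing import Dict, List, Optional


def insecure_context() -> ssl.SSLContext:
    """The 'before': the kind of TLS client the Georgiev et al. paper
    criticizes.  Traffic is encrypted, but any certificate from anyone is
    accepted, so an on-path attacker can terminate the session with a
    certificate of their own and read everything.  Shown for contrast only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be switched off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The 'after': certificate chain and host name are verified and nothing
    below TLS 1.2 is negotiated, matching an AT-TLS policy limited to
    TLSv1.2/TLSv1.3.  `cafile` is a PEM bundle holding the CA that signed the
    server certificate on its RACF keyring; None means the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Flatten the settings an auditor asks about, so they can be asserted on
    in a test or logged at startup instead of trusted by inspection."""
    return {
        "verify": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


def list_directory(host: str, user: str, password: str,
                   cafile: Optional[str] = None, port: int = 21) -> List[str]:
    """Connect in clear on the control port, send AUTH TLS so the handshake
    happens before USER/PASS, then PROT P so the data connection carrying the
    listing is encrypted too.  On the z/OS side this is the exchange an FTP
    server rule with ApplicationControlled On and SecondaryMap On expects."""
    ftps = FTP_TLS(context=hardened_context(cafile))
    ftps.connect(host, port, timeout=30)
    ftps.auth()           # AUTH TLS: control connection is now encrypted
    ftps.login(user, password)
    ftps.prot_p()         # PROT P: data connections encrypted as well
    try:
        return ftps.nlst()
    finally:
        ftps.quit()


if __name__ == "__main__":
    # Placeholder values; point these at a real AT-TLS-enabled FTP server.
    for name in list_directory("mvs1.example.com", "IBMUSER", "secret",
                               cafile="/etc/ssl/certs/corp-ca.pem"):
        print(name)
```

Implicit FTPS on port 990, which Marshall mentions later in the thread, skips the AUTH TLS step and starts the handshake as soon as the TCP connection opens; `ftplib` does not do that mode, so for a port 990 partner the server rule has to be the explicit-AUTH style above or a different client is needed.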
Re: AT-TLS ? Very Basic Questions
Tom, check this out - https://www.youtube.com/watch?v=YKEzX70moOQ

I also got 200 hits for 'AT-TLS' after logging in to share.org; you might want to do the same to see which of those are the most useful to you.

- KB

‐‐‐ Original Message ‐‐‐
On Tuesday, June 30, 2020 10:27 PM, Tom Brennan wrote:

> I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar last week, but I'm still missing what I imagine are important background points. Maybe someone here can explain things, but don't worry too much about it.
>
> Client and server programs like SSH/SSHD call programs such as OpenSSL to handle the encryption handshake and processing. So when you set those up, there is no AT-TLS needed for encryption. Same with the TN3270 server and client, as long as you set that up with keys and parameters on the host side, and settings on the client side.
>
> I'm thinking because of the name "Application Transparent" that AT-TLS was made for programs that DON'T have their own logic to call OpenSSL (or whatever) to do their own encryption. Let's use clear-text FTP as an example. So somehow, AT-TLS hooks into the processing and provides an encrypted "tunnel", kind of like VPN does, but only for that one application. Does that sound correct?
>
> If so, then the encryption is "transparent" to the FTP server code and FTP does not need to be changed, which I think is the whole idea here. Yet we now have an encrypted session. Does that sound correct?
>
> Then if so, what happens on the FTP client side? I certainly can't use the Windows FTP command, for example, because it's not set up for any kind of encryption. That's kind of my big question here.
>
> On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
> > Sweet - thank you
> >
> > Lionel B. Dyck
> > Website: https://www.lbdsoftware.com
> > "Worry more about your character than your reputation. Character is what you are, reputation merely what others think you are." - John Wooden
> >
> > -----Original Message-----
> > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of kekronbekron
> > Sent: Tuesday, June 30, 2020 2:34 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: AT-TLS ?
> >
> > > Hi LBD!
> > >
> > > Check these out-
> > > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
> > > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
> > > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
> > >
> > > - KB
> > >
> > > ‐‐‐ Original Message ‐‐‐
> > > On Monday, June 29, 2020 3:56 AM, Lionel B Dyck lbd...@gmail.com wrote:
> > >
> > > > Anyone have any pointers for configuring AT-TLS on z/OS?
> > > >
> > > > Lionel B. Dyck
> > > > Website: https://www.lbdsoftware.com
> > > > "Worry more about your character than your reputation. Character is what you are, reputation merely what others think you are." - John Wooden
Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
AT-TLS operates at the transport layer of the OSI model. SFTP (OpenSSH, ...) operates at the session layer of the OSI model.

BTW, TLS has been supported "forever" by FTP, etc. The problem is, with TLS, the application needs to be modified to make TLS calls in the session layer. With AT-TLS, session layer TLS calls are moved to the transport layer and eliminated from the session layer. No application changes are needed.

HTH,

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Tom Brennan
Sent: Tuesday, June 30, 2020 4:22 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

> Thanks Allan. In TCP/IP programs I've written in C (both mainframe and non-mainframe), I've used connect(), send(), recv() and similar C functions for clear-text communication. So I think that would be called the "logical layer". And I'm assuming the "physical layer" would be at the point where software is talking to an OSA card. In this case that would be the TCPIP address space, since my program doesn't talk directly to hardware. That would mean AT-TLS comes into play via the TCPIP task, doing the encryption at that point, while my clear-text program has no idea and doesn't care. Certificates and other encryption parameters would be handled by AT-TLS at that point. That's the picture I have so far.
>
> Now in my own program if I called OpenSSL functions like SSL_connect() or SSL_read(), then encryption would be done at the logical layer, and my own program would then be responsible for certificates. AT-TLS would not be needed, well, unless an auditor doesn't trust my SSL code. That actually could be a consideration even for things like SFTP I guess - there's your first flame :)
>
> On 6/30/2020 1:42 PM, Allan Staller wrote:
> > Hopefully this will provide the clarity needed.
> >
> > AT-TLS works at the physical layer.
> > FTPS and SFTP work at the logical layer.
> >
> > Although not mutually exclusive, if you are doing one, the other is unnecessary.
> >
> > Start the flame wars! Shields up. Condition Red! AT-TLS vs. SFTP!
> >
> > -----Original Message-----
> > From: IBM Mainframe Discussion List On Behalf Of Tom Brennan
> > Sent: Tuesday, June 30, 2020 12:19 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
> >
> > Do you know if either of those require AT-TLS? When I installed and configured SSHD last (a couple of years ago) it did its own encryption. I never worked with anything called FTPS.
> >
> > On 6/30/2020 10:12 AM, Marshall Stone wrote:
> > > There are 2 types of FTP in use today on most mainframes.
> > >
> > > SFTP - which uses OpenSSH (SSHAGNT as client and SSHD as a server) and the encryption/authentication is generally provided by the use of RSA/DSA public/private key pairs. The public keys are exchanged and stored in known_hosts files (if acting as client) or authorized_keys file (if acting as server) - uses server port 22 and ephemeral ports.
> > >
> > > FTPS - completely different mechanism; the AT-TLS functions are provided by ICSF and Policy Agent (PAGENT) - you must configure an FTPS TLS rule to allow the connection and the partner side also will require a similar rule. The encryption/authentication come from the PAGENT rule and the use of X.509 certificates. These are exchanged between partners and loaded onto the RACF keyring. The PAGENT rule points back to the keyring. - Uses server port 990 by an old implicit default; most sites use a different port and connect clients with ephemeral port ranges. FTPS handles MVS datasets better; if possible use FTPS for MF to MF and use SFTP for MF to other platforms (MS, UNIX, etc.).
> > >
> > > MS
Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
Thanks Allan. In TCP/IP programs I've written in C (both mainframe and non-mainframe), I've used connect(), send(), recv() and similar C functions for clear-text communication. So I think that would be called the "logical layer". And I'm assuming the "physical layer" would be at the point where software is talking to an OSA card. In this case that would be the TCPIP address space, since my program doesn't talk directly to hardware. That would mean AT-TLS comes into play via the TCPIP task, doing the encryption at that point, while my clear-text program has no idea and doesn't care. Certificates and other encryption parameters would be handled by AT-TLS at that point. That's the picture I have so far.

Now in my own program if I called OpenSSL functions like SSL_connect() or SSL_read(), then encryption would be done at the logical layer, and my own program would then be responsible for certificates. AT-TLS would not be needed, well, unless an auditor doesn't trust my SSL code. That actually could be a consideration even for things like SFTP I guess - there's your first flame :)

On 6/30/2020 1:42 PM, Allan Staller wrote:
> Hopefully this will provide the clarity needed.
>
> AT-TLS works at the physical layer.
> FTPS and SFTP work at the logical layer
>
> Although not mutually exclusive, if you are doing one, the other is unnecessary.
>
> Start the flame wars! Shields up. Condition Red! AT-TLS vs. SFTP!
>
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of Tom Brennan
> Sent: Tuesday, June 30, 2020 12:19 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
>
> Do you know if either of those require AT-TLS? When I installed and configured SSHD last (a couple of years ago) it did its own encryption. I never worked with anything called FTPS.
>
> On 6/30/2020 10:12 AM, Marshall Stone wrote:
>> There are 2 types of FTP in use today on most mainframes.
>>
>> SFTP - which uses Open/SSH (SSHAGNT as client and SSHD as a server) and the encryption/authentication is generally provided by the use of RSA/DSA public/private key pairs. The public keys are exchanged and stored in known_hosts files (if acting as client) or authorized_keys file (if acting as server) - Uses Server PORT 22 and ephemeral ports
>>
>> FTPS - completely different mechanism; the AT/TLS functions are provided by ICSF and policy agent (PAGENT) - You must configure an FTPS TLS rule to allow the connection and the partner side also will require a similar rule. The encryption/authentication come from the PAGENT rule and the use of x.509 certificates. These are exchanged between partners and loaded onto the RACF keyring. The PAGENT rule points back to the keyring. - Uses Server PORT 990 by an old implicit default; most sites use a different port and connect clients with ephemeral port ranges. FTPS handles MVS datasets better; if possible use FTPS for MF to MF and use SFTP for MF to other platforms (MS, UNIX, etc.)
>>
>> MS
>>
>> -Original Message-
>> From: IBM Mainframe Discussion List On Behalf Of Tom Brennan
>> Sent: Tuesday, June 30, 2020 12:58 PM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
>>
>> I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar last week, but I'm still missing what I imagine are important background points. Maybe someone here can explain things, but don't worry too much about it.
>>
>> Client and server programs like SSH/SSHD call programs such as OpenSSL to handle the encryption handshake and processing. So when you set those up, there is no AT-TLS needed for encryption. Same with the TN3270 server and client, as long as you set that up with keys and parameters on the host side, and settings on the client side.
>>
>> I'm thinking because of the name "Application Transparent" that AT-TLS was made for programs that DON'T have their own logic to call OpenSSL (or whatever) to do their own encryption. Let's use clear-text FTP as an example. So somehow, AT-TLS hooks into the processing and provides an encrypted "tunnel", kind of like VPN does, but only for that one application. Does that sound correct?
>>
>> If so, then the encryption is "transparent" to the FTP server code and FTP does not need to be changed, which I think is the whole idea here. Yet we now have an encrypted session. Does that sound correct?
>>
>> Then if so, what happens on the FTP client side? I certainly can't use the Windows FTP command, for example, because it's not set up for any kind of encryption. That's kind of my big question here.
>>
>> On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
>>> Sweet - thank you
>>>
>>> Lionel B.
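What Tom describes above (a program written against connect()/send()/recv(), with TLS either added by the program itself through SSL_connect()-style calls or supplied underneath it by AT-TLS) can be made concrete in a few lines. The following is an added example written for this page in Python; it is not code from the thread, from IBM or from OpenSSL. `send_request` stands in for the clear-text application that AT-TLS would protect without modification, `open_connection` is the one place where application-owned TLS has to be wrapped in, and `audit_client_context` is the kind of check an auditor who "doesn't trust my SSL code" would apply to a context the application builds itself. The loopback peer and the weak context are constructed for illustration; no real host is contacted.

```python
import socket
import ssl
import threading


def send_request(sock, payload: bytes) -> bytes:
    """Application logic written against plain send/recv, like the C programs in
    the thread. It never mentions TLS: with AT-TLS the TCP/IP stack protects the
    connection underneath it, and this function stays unchanged."""
    sock.sendall(payload)
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:            # peer closed: end of response
            break
        chunks.append(data)
    return b"".join(chunks)


def open_connection(host: str, port: int, ctx: ssl.SSLContext = None):
    """Without AT-TLS this is the one place the application has to change:
    wrap the TCP socket in TLS itself (the SSL_connect() equivalent)."""
    raw = socket.create_connection((host, port))
    if ctx is None:
        return raw              # clear text; only AT-TLS could protect this
    return ctx.wrap_socket(raw, server_hostname=host)


def hardened_client_context(cafile: str = None) -> ssl.SSLContext:
    """Context an application should build when it owns TLS: chain and host name
    verification on (create_default_context's defaults), floor at TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Constructed counter-example: the kind of context that 'works' in testing
    but accepts any certificate from anyone and any protocol the library offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Checks an auditor would apply to application-owned TLS. Returns a list of
    findings; empty means the context verifies its peer and refuses old protocols."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified "
                        "(verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the host name "
                        "(check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2 (minimum_version is %s)"
                        % ctx.minimum_version.name)
    return findings


def loopback_roundtrip(payload: bytes) -> bytes:
    """Exercise send_request against an in-process peer (constructed, clear text)
    so the application code runs without a network or certificates."""
    app_side, peer_side = socket.socketpair()

    def peer():
        with peer_side:
            peer_side.sendall(peer_side.recv(4096).upper())
        # leaving the block closes the socket, which ends send_request's loop

    worker = threading.Thread(target=peer)
    worker.start()
    try:
        with app_side:
            return send_request(app_side, payload)
    finally:
        worker.join()


if __name__ == "__main__":
    print(loopback_roundtrip(b"hello from the clear-text application"))
    print("hardened:", audit_client_context(hardened_client_context()))
    print("weak:    ", audit_client_context(weak_client_context()))
```

The point of the split is the one the thread keeps circling: `send_request` is all an AT-TLS-protected application needs, while an application that does its own TLS also owns `open_connection`, the context it passes in, and every mistake in it. The audit function encodes the three findings such a review most often produces (no chain verification, no host name check, a protocol floor below TLS 1.2), which is the same class of defect AT-TLS moves out of every individual program and into one policy.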
Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
Hopefully this will provide the clarity needed.

AT-TLS works at the physical layer.
FTPS and SFTP work at the logical layer

Although not mutually exclusive, if you are doing one, the other is unnecessary.

Start the flame wars! Shields up. Condition Red! AT-TLS vs. SFTP!

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Tom Brennan
Sent: Tuesday, June 30, 2020 12:19 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

Do you know if either of those require AT-TLS? When I installed and configured SSHD last (a couple of years ago) it did its own encryption. I never worked with anything called FTPS.

On 6/30/2020 10:12 AM, Marshall Stone wrote:
> There are 2 types of FTP in use today on most mainframes.
>
> SFTP - which uses Open/SSH (SSHAGNT as client and SSHD as a server) and the encryption/authentication is generally provided by the use of RSA/DSA public/private key pairs. The public keys are exchanged and stored in known_hosts files (if acting as client) or authorized_keys file (if acting as server) - Uses Server PORT 22 and ephemeral ports
>
> FTPS - completely different mechanism; the AT/TLS functions are provided by ICSF and policy agent (PAGENT) - You must configure an FTPS TLS rule to allow the connection and the partner side also will require a similar rule. The encryption/authentication come from the PAGENT rule and the use of x.509 certificates. These are exchanged between partners and loaded onto the RACF keyring. The PAGENT rule points back to the keyring. - Uses Server PORT 990 by an old implicit default; most sites use a different port and connect clients with ephemeral port ranges. FTPS handles MVS datasets better; if possible use FTPS for MF to MF and use SFTP for MF to other platforms (MS, UNIX, etc.)
>
> MS
>
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of Tom Brennan
> Sent: Tuesday, June 30, 2020 12:58 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
>
> I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar last week, but I'm still missing what I imagine are important background points. Maybe someone here can explain things, but don't worry too much about it.
>
> Client and server programs like SSH/SSHD call programs such as OpenSSL to handle the encryption handshake and processing. So when you set those up, there is no AT-TLS needed for encryption. Same with the TN3270 server and client, as long as you set that up with keys and parameters on the host side, and settings on the client side.
>
> I'm thinking because of the name "Application Transparent" that AT-TLS was made for programs that DON'T have their own logic to call OpenSSL (or whatever) to do their own encryption. Let's use clear-text FTP as an example. So somehow, AT-TLS hooks into the processing and provides an encrypted "tunnel", kind of like VPN does, but only for that one application. Does that sound correct?
>
> If so, then the encryption is "transparent" to the FTP server code and FTP does not need to be changed, which I think is the whole idea here. Yet we now have an encrypted session. Does that sound correct?
>
> Then if so, what happens on the FTP client side? I certainly can't use the Windows FTP command, for example, because it's not set up for any kind of encryption. That's kind of my big question here.
>
> On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
>> Sweet - thank you
>>
>> Lionel B. Dyck <
>> Website: https://www.lbdsoftware.com
>>
>> "Worry more about your character than your reputation. Character is what you are, reputation merely what others think you are." - John Wooden
>>
>> -Original Message-
>> From: IBM Mainframe Discussion List On Behalf Of kekronbekron
>> Sent: Tuesday, June 30, 2020 2:34 AM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: Re: AT-TLS ?
>>
>> Hi LBD!,
>>
>> Check these out-
>>
>> https://apc01.saf
Re: AT-TLS ? Very Basic Questions
> AT-TLS is required for TN3270 (and others

The above is incorrect. AT-TLS is *NEVER* a requirement. It is up to the installation to determine whether or not AT-TLS will be used.

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Jackson, Rob
Sent: Tuesday, June 30, 2020 12:10 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

A note, without addressing your entire post (certainly not my area of expertise): AT-TLS is required for TN3270 (and others) if you want to use TLS 1.2 and higher. In your TELNETPARMS for the port, instead of using SECUREPORT, you use TTLSPORT, referencing a port specified in a TTLSRule in AT-TLS.

First Horizon Bank Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Tom Brennan
Sent: Tuesday, June 30, 2020 12:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar last week, but I'm still missing what I imagine are important background points. Maybe someone here can explain things, but don't worry too much about it.

Client and server programs like SSH/SSHD call programs such as OpenSSL to handle the encryption handshake and processing. So when you set those up, there is no AT-TLS needed for encryption. Same with the TN3270 server and client, as long as you set that up with keys and parameters on the host side, and settings on the client side.

I'm thinking because of the name "Application Transparent" that AT-TLS was made for programs that DON'T have their own logic to call OpenSSL (or whatever) to do their own encryption. Let's use clear-text FTP as an example. So somehow, AT-TLS hooks into the processing and provides an encrypted "tunnel", kind of like VPN does, but only for that one application. Does that sound correct?

If so, then the encryption is "transparent" to the FTP server code and FTP does not need to be changed, which I think is the whole idea here. Yet we now have an encrypted session. Does that sound correct?

Then if so, what happens on the FTP client side? I certainly can't use the Windows FTP command, for example, because it's not set up for any kind of encryption. That's kind of my big question here.

On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
> Sweet - thank you
>
> Lionel B. Dyck <
> Website: https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation. Character is what you are, reputation merely what others think you are." - John Wooden
>
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of kekronbekron
> Sent: Tuesday, June 30, 2020 2:34 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: AT-TLS ?
>
> Hi LBD!,
>
> Check these out-
>
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
>
> - KB
>
> ‐‐‐ Original Message ‐‐‐
> On Monday, June 29, 2020 3:56 AM, Lionel B Dyck wrote:
>
>> Anyone have any pointers for configuring AT-TLS on z/OS?
>>
>> Lionel B. Dyck <
>> Website
Re: AT-TLS ? Very Basic Questions
AT-TLS has been around for a while. What is causing problems for tools like CL/Supersession, CA-TPX and such is PAGENT. Once PAGENT is turned on, all bets are off.

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tom Brennan
Sent: Tuesday, June 30, 2020 11:58 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar last week, but I'm still missing what I imagine are important background points. Maybe someone here can explain things, but don't worry too much about it.

Client and server programs like SSH/SSHD call programs such as OpenSSL to handle the encryption handshake and processing. So when you set those up, there is no AT-TLS needed for encryption. Same with the TN3270 server and client, as long as you set that up with keys and parameters on the host side, and settings on the client side.

I'm thinking because of the name "Application Transparent" that AT-TLS was made for programs that DON'T have their own logic to call OpenSSL (or whatever) to do their own encryption. Let's use clear-text FTP as an example. So somehow, AT-TLS hooks into the processing and provides an encrypted "tunnel", kind of like VPN does, but only for that one application. Does that sound correct?

If so, then the encryption is "transparent" to the FTP server code and FTP does not need to be changed, which I think is the whole idea here. Yet we now have an encrypted session. Does that sound correct?

Then if so, what happens on the FTP client side? I certainly can't use the Windows FTP command, for example, because it's not set up for any kind of encryption. That's kind of my big question here.

On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
> Sweet - thank you
>
> Lionel B. Dyck <
> Website: https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation. Character is what you are, reputation merely what others think you are." - John Wooden
>
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of kekronbekron
> Sent: Tuesday, June 30, 2020 2:34 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: AT-TLS ?
>
> Hi LBD!,
>
> Check these out-
>
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
>
> - KB
>
> ‐‐‐ Original Message ‐‐‐
> On Monday, June 29, 2020 3:56 AM, Lionel B Dyck wrote:
>
>> Anyone have any pointers for configuring AT-TLS on z/OS?
>>
>> Lionel B. Dyck <
>> Website: https://www.lbdsoftware.com
>>
>> "Worry more about your character than your reputation. Character is what you are, reputation merely what others think you are." - John Wooden

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: AT-TLS ? Very Basic Questions
Some years ago this publication helped me come to a basic understanding of AT-TLS (apologies if already shared)...

https://www.ibm.com/support/pages/leveraging-zos-communications-server-application-transparent-transport-layer-security-tls-lower-cost-and-more-rapid-tls-deployment

HTH
Mike

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Paul Gilmartin
Sent: Tuesday, June 30, 2020 1:34 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

On Tue, 30 Jun 2020 09:57:48 -0700, Tom Brennan wrote:
>...
>Then if so, what happens on the FTP client side? I certainly can't use the Windows FTP command, for example, because it's not set up for any kind of encryption. That's kind of my big question here.
>
I believe that (sometimes) there's a proxy involved. Beyond that, only GIYF:

https://www.google.com/search?q=at-tls+proxy+ftp

which links to:

ftp://ftp.www.ibm.com/s390/zos/racf/pdf/secure_zos_ftp.pdf

-- gil
Re: AT-TLS ? Very Basic Questions
In article you wrote:
> I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar last week, but I'm still missing what I imagine are important background points. Maybe someone here can explain things, but don't worry too much about it.
> Client and server programs like SSH/SSHD call programs such as OpenSSL to handle the encryption handshake and processing. So when you set those up, there is no AT-TLS needed for encryption. Same with the TN3270 server and client, as long as you set that up with keys and parameters on the host side, and settings on the client side.
> I'm thinking because of the name "Application Transparent" that AT-TLS was made for programs that DON'T have their own logic to call OpenSSL (or whatever) to do their own encryption. Let's use clear-text FTP as an example. So somehow, AT-TLS hooks into the processing and provides an encrypted "tunnel", kind of like VPN does, but only for that one application. Does that sound correct?
> If so, then the encryption is "transparent" to the FTP server code and FTP does not need to be changed, which I think is the whole idea here. Yet we now have an encrypted session. Does that sound correct?
> Then if so, what happens on the FTP client side? I certainly can't use the Windows FTP command, for example, because it's not set up for any kind of encryption. That's kind of my big question here.

I can't see that anyone answered your last question. Yes, the default Windows FTP doesn't support encryption. There are third-party FTPS client programs you can purchase that do so. Or you could run lftp on the Windows Ubuntu shell.

--
Don Poitras - SAS Development - SAS Institute Inc. - SAS Campus Drive
sas...@sas.com (919) 531-5637 Cary, NC 27513
Re: AT-TLS ? Very Basic Questions
Ah, maybe he was going on this or something similar, and it got garbled in translation:

https://www.ibm.com/support/pages/zos-communications-server-tls-needed-implement-tls-v12

First Horizon Bank Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Jackson, Rob
Sent: Tuesday, June 30, 2020 1:31 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [Originated Externally]Re: AT-TLS ? Very Basic Questions

My turn to say interesting! I didn't look it up; just going on what the Comm guy assured me. We're still on 2.2 (shortly on to 2.4), so maybe that makes a difference.

First Horizon Bank Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Lennie Dymoke-Bradshaw
Sent: Tuesday, June 30, 2020 1:18 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

I have TLS 1.2 working in my TN3270 server without AT-TLS. This is on z/OS 2.3

Lennie Dymoke-Bradshaw
Consultant working on contract for BMC Mainframe Services by RSM Partners
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Jackson, Rob
Sent: 30 June 2020 18:10
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] AT-TLS ? Very Basic Questions

A note, without addressing your entire post (certainly not my area of expertise): AT-TLS is required for TN3270 (and others) if you want to use TLS 1.2 and higher. In your TELNETPARMS for the port, instead of using SECUREPORT, you use TTLSPORT, referencing a port specified in a TTLSRule in AT-TLS.

First Horizon Bank Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Tom Brennan
Sent: Tuesday, June 30, 2020 12:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar last week, but I'm still missing what I imagine are important background points. Maybe someone here can explain things, but don't worry too much about it.

Client and server programs like SSH/SSHD call programs such as OpenSSL to handle the encryption handshake and processing. So when you set those up, there is no AT-TLS needed for encryption. Same with the TN3270 server and client, as long as you set that up with keys and parameters on the host side, and settings on the client side.

I'm thinking because of the name "Application Transparent" that AT-TLS was made for programs that DON'T have their own logic to call OpenSSL (or whatever) to do their own encryption. Let's use clear-text FTP as an example. So somehow, AT-TLS hooks into the processing and provides an encrypted "tunnel", kind of like VPN does, but only for that one application. Does that sound correct?

If so, then the encryption is "transparent" to the FTP server code and FTP does not need to be changed, which I think is the whole idea here. Yet we now have an encrypted session. Does that sound correct?

Then if so, what happens on the FTP client side? I certainly can't use the Windows FTP command, for example, because it's not set up for any kind of encryption. That's kind of my big question here.

On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
> Sweet - thank you
>
> Lionel B. Dyck <
> Website: https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation. Character is what you are, reputation merely what others think you are." - John Wooden
>
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of kekronbekron
> Sent: Tuesday, June 30, 2020 2:34 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: AT-TLS ?
>
> Hi LBD!,
>
> Check these out-
>
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
>
> - KB
>
> ‐‐‐ Original Message ‐‐‐
> On Monday, June 29, 2020 3:56 AM, Lionel B Dyck wrote:
>
>> Anyone have any pointers for configuring AT-TLS on z/OS?
>>
>> Lionel B. Dyck <
>> Website: https://www.lbdsoftware.com
>>
>> "Worry more about your character than your reputation. Character is what you are, reputation merely what others think you are." - John Wooden
Re: AT-TLS ? Very Basic Questions
On Tue, 30 Jun 2020 09:57:48 -0700, Tom Brennan wrote:
>...
>Then if so, what happens on the FTP client side? I certainly can't use the Windows FTP command, for example, because it's not set up for any kind of encryption. That's kind of my big question here.
>
I believe that (sometimes) there's a proxy involved. Beyond that, only GIYF:

https://www.google.com/search?q=at-tls+proxy+ftp

which links to:

ftp://ftp.www.ibm.com/s390/zos/racf/pdf/secure_zos_ftp.pdf

-- gil
Re: AT-TLS ? Very Basic Questions
My turn to say interesting! I didn't look it up; just going on what the Comm guy assured me. We're still on 2.2 (shortly on to 2.4), so maybe that makes a difference.

First Horizon Bank Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Lennie Dymoke-Bradshaw
Sent: Tuesday, June 30, 2020 1:18 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

I have TLS 1.2 working in my TN3270 server without AT-TLS. This is on z/OS 2.3

Lennie Dymoke-Bradshaw
Consultant working on contract for BMC Mainframe Services by RSM Partners
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Jackson, Rob
Sent: 30 June 2020 18:10
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] AT-TLS ? Very Basic Questions

A note, without addressing your entire post (certainly not my area of expertise): AT-TLS is required for TN3270 (and others) if you want to use TLS 1.2 and higher. In your TELNETPARMS for the port, instead of using SECUREPORT, you use TTLSPORT, referencing a port specified in a TTLSRule in AT-TLS.

First Horizon Bank Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Tom Brennan
Sent: Tuesday, June 30, 2020 12:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar last week, but I'm still missing what I imagine are important background points. Maybe someone here can explain things, but don't worry too much about it.

Client and server programs like SSH/SSHD call programs such as OpenSSL to handle the encryption handshake and processing. So when you set those up, there is no AT-TLS needed for encryption. Same with the TN3270 server and client, as long as you set that up with keys and parameters on the host side, and settings on the client side.

I'm thinking because of the name "Application Transparent" that AT-TLS was made for programs that DON'T have their own logic to call OpenSSL (or whatever) to do their own encryption. Let's use clear-text FTP as an example. So somehow, AT-TLS hooks into the processing and provides an encrypted "tunnel", kind of like VPN does, but only for that one application. Does that sound correct?

If so, then the encryption is "transparent" to the FTP server code and FTP does not need to be changed, which I think is the whole idea here. Yet we now have an encrypted session. Does that sound correct?

Then if so, what happens on the FTP client side? I certainly can't use the Windows FTP command, for example, because it's not set up for any kind of encryption. That's kind of my big question here.

On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
> Sweet - thank you
>
> Lionel B. Dyck <
> Website: https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation. Character is what you are, reputation merely what others think you are." - John Wooden
>
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of kekronbekron
> Sent: Tuesday, June 30, 2020 2:34 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: AT-TLS ?
>
> Hi LBD!,
>
> Check these out-
>
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
>
> - KB
>
> ‐‐‐ Original Message ‐‐‐
> On Monday, June 29, 2020 3:56 AM, Lionel B Dyck wrote:
>
>> Anyone have any pointers for configuring AT-TLS on z/OS?
>>
>> Lionel B. Dyck <
>> Website: https://www.lbdsoftware.com
>>
>> "Worry more about your character than your reputation. Character is what you are, reputation merely what others think you are." - John Wooden
Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
Anything SFTP on Open/SSH will never use AT-TLS.

FTPS - Is IBM's FTP program not using PORT 21 and running in secured mode, set up to force authentication and use AT-TLS for encryption.

MS

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Tom Brennan
Sent: Tuesday, June 30, 2020 1:19 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
Do you know if either of those require AT-TLS? When I installed and configured SSHD last (a couple of years ago) it did its own encryption. I never worked with anything called FTPS.

On 6/30/2020 10:12 AM, Marshall Stone wrote:
Re: AT-TLS ? Very Basic Questions
I have TLS 1.2 working in my TN3270 server without AT-TLS. This is on z/OS 2.3.

Lennie Dymoke-Bradshaw
Consultant working on contract for BMC Mainframe Services by RSM Partners
'Dance like no one is watching. Encrypt like everyone is.'

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Jackson, Rob
Sent: 30 June 2020 18:10
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] AT-TLS ? Very Basic Questions
Re: AT-TLS ? Very Basic Questions
Interesting! I've set up the TN3270 parms on the mainframe for SSL/TLS, but that was before TLS 1.2.

On 6/30/2020 10:09 AM, Jackson, Rob wrote:
Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
There are 2 types of FTP in use today on most mainframes.

SFTP - which uses Open/SSH (SSHAGNT as client and SSHD as a server), and the encryption/authentication is generally provided by the use of RSA/DSA public/private key pairs. The public keys are exchanged and stored in known_hosts files (if acting as client) or the authorized_keys file (if acting as server). Uses server PORT 22 and ephemeral ports.

FTPS - completely different mechanism; the AT-TLS functions are provided by ICSF and the policy agent (PAGENT). You must configure an FTPS TLS rule to allow the connection, and the partner side will also require a similar rule. The encryption/authentication comes from the PAGENT rule and the use of X.509 certificates. These are exchanged between partners and loaded onto the RACF keyring. The PAGENT rule points back to the keyring. Uses server PORT 990 by an old implicit default; most sites use a different port and connect clients with ephemeral port ranges. FTPS handles MVS datasets better; if possible use FTPS for MF to MF and use SFTP for MF to other platforms (MS, UNIX, etc.).

MS

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Tom Brennan
Sent: Tuesday, June 30, 2020 12:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
Re: AT-TLS ? Very Basic Questions
A note, without addressing your entire post (certainly not my area of expertise): AT-TLS is required for TN3270 (and others) if you want to use TLS 1.2 and higher. In your TELNETPARMS for the port, instead of using SECUREPORT, you use TTLSPORT, referencing a port specified in a TTLSRule in AT-TLS.

First Horizon Bank Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Tom Brennan
Sent: Tuesday, June 30, 2020 12:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions
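The TTLSPORT / TTLSRule pairing Rob describes, shown as an added example that is not from this thread, from IBM's shipped samples, or from any poster's system: a minimal Policy Agent (PAGENT) AT-TLS policy for the TN3270E server, plus the matching TELNETPARMS statement. The port number 992, the rule and action names, the keyring name TN3270RING and the cipher list are all assumptions; the ApplicationControlled On / CONNTYPE combination is what I would expect for the Telnet server and should be confirmed against the IP Configuration Guide for your release. Comments in the policy file use `#`, comments in the TCPIP profile use `;`.

```text
# ---- AT-TLS policy fragment read by PAGENT (added example; names and port are assumptions) ----
TTLSRule                      TN3270_Secure_Rule
{
  LocalPortRange              992          # must match TTLSPORT in TELNETPARMS
  Direction                   Inbound
  Priority                    100
  TTLSGroupActionRef          grpAct_TN3270
  TTLSEnvironmentActionRef    envAct_TN3270_Server
}

TTLSGroupAction               grpAct_TN3270
{
  TTLSEnabled                 On
  Trace                       1            # bit-coded; 1 = error messages to syslogd
}

TTLSEnvironmentAction         envAct_TN3270_Server
{
  HandshakeRole               Server       # ServerWithClientAuth if client certificates are required
  TTLSKeyringParms
  {
    Keyring                   TN3270RING   # RACF keyring holding the server cert and its CA chain (assumed name)
  }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled     On           # lets the Telnet server start the handshake itself (assumed; needed for CONNTYPE NEGTSECURE)
    SSLv3                     Off
    TLSv1                     Off
    TLSv1.1                   Off          # the native SECUREPORT path stopped at TLS 1.1; this is where the policy goes further
    TLSv1.2                   On
  }
  TTLSCipherParms
  {
    V3CipherSuites            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    V3CipherSuites            TLS_RSA_WITH_AES_128_GCM_SHA256
  }
}

; ---- TCPIP profile / Telnet profile side ----
TELNETPARMS
  TTLSPORT 992            ; AT-TLS protects this port; replaces SECUREPORT 992
  CONNTYPE SECURE         ; handshake runs immediately on connect
  ; no KEYRING or ENCRYPTION statements here: protocol, ciphers and keyring come from the policy
ENDTELNETPARMS
```

After changing the policy, refresh the policy agent (MODIFY PAGENT,REFRESH) and confirm the rule is actually installed before testing: `pasearch -t` from the z/OS UNIX shell lists the active TTLS rules, and `D TCPIP,,NETSTAT,TTLS,GROUP,DETAIL` from the console shows the groups and rules TCP/IP is enforcing. A session from an emulator that supports TLS 1.2 pointed at port 992 then logs its negotiated protocol in the AT-TLS messages in syslogd. Note what this buys you operationally: the protocol versions and cipher list live in one policy file rather than in each server's parameters, which is the "one spot to update" point made earlier in the thread, and the client end still needs a TLS-capable emulator, exactly as it did with SECUREPORT.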
Re: AT-TLS ? Very Basic Questions
I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar last week, but I'm still missing what I imagine are important background points. Maybe someone here can explain things, but don't worry too much about it.

Client and server programs like SSH/SSHD call programs such as OpenSSL to handle the encryption handshake and processing. So when you set those up, there is no AT-TLS needed for encryption. Same with the TN3270 server and client, as long as you set that up with keys and parameters on the host side, and settings on the client side.

I'm thinking because of the name "Application Transparent" that AT-TLS was made for programs that DON'T have their own logic to call OpenSSL (or whatever) to do their own encryption. Let's use clear-text FTP as an example. So somehow, AT-TLS hooks into the processing and provides an encrypted "tunnel", kind of like VPN does, but only for that one application. Does that sound correct?

If so, then the encryption is "transparent" to the FTP server code and FTP does not need to be changed, which I think is the whole idea here. Yet we now have an encrypted session. Does that sound correct?

Then if so, what happens on the FTP client side? I certainly can't use the Windows FTP command, for example, because it's not set up for any kind of encryption. That's kind of my big question here.

On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
> Sweet - thank you
>
> Lionel B. Dyck <
> Website: https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation. Character is what you are, reputation merely what others think you are." - John Wooden
>
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of kekronbekron
> Sent: Tuesday, June 30, 2020 2:34 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: AT-TLS ?
>
> Hi LBD!,
>
> Check these out-
>
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
>
> - KB
>
> ‐‐‐ Original Message ‐‐‐
> On Monday, June 29, 2020 3:56 AM, Lionel B Dyck wrote:
>
>> Anyone have any pointers for configuring AT-TLS on z/OS?
>>
>> Lionel B. Dyck <
>> Website: https://www.lbdsoftware.com
>>
>> "Worry more about your character than your reputation. Character is what you are, reputation merely what others think you are." - John Wooden