Re: AT-TLS issues with FTP and SSH

2020-09-22 Thread Kirk Wolf
That will do it! BTW: AT-TLS has no relationship with IBM z/OS OpenSSH. On Tue, Sep 22, 2020 at 12:00 PM Lionel B Dyck wrote: > Found issue with SSH - I had created (mkdir) the .ssh directory so it had > the default permissions. Should have let ssh-keygen create it. > > Tried ad

Re: AT-TLS issues with FTP and SSH

2020-09-22 Thread Lionel B Dyck
To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS issues with FTP and SSH Regarding the AT-TLS issue, your pagent is likely encountering a problem in the FTP section (of course!). Look at the log it generates, and if you don't have one, add the logging option to the pagent start command. If I remember correctly,

Re: AT-TLS issues with FTP and SSH

2020-09-22 Thread Mike Hochee
Regarding the AT-TLS issue, your pagent is likely encountering a problem in the FTP section (of course!). Look at the log it generates, and if you don't have one, add the logging option to the pagent start command. If I remember correctly, there's also a verbose setting. I found the logs

Re: AT-TLS issues with FTP and SSH

2020-09-22 Thread Paul Gilmartin
On Tue, 22 Sep 2020 10:07:57 -0500, Lionel B Dyck wrote: > >And for that I'm getting: FOTS3322 Passwords may not be entered from 3270 >terminals > They're giving you a hint. Eschew 3270; don't be a masochist. Years ago, I discovered that if I start "script" under 3270 OMVS, then I can

AT-TLS issues with FTP and SSH

2020-09-22 Thread Lionel B Dyck
We just enabled AT-TLS (PAGENT) on a test LPAR and immediately ran into two issues: 1. The FTP Client ceased to work (until we commented the FTP section in the pagent_TTLS.conf file) a. No issues doing an FTP into this LPAR. 2. Git stopped working due to SSH. A simple test is: ssh

Re: TLS 1.3 in z/OS 2.3?

2020-09-04 Thread Gibney, Dave
> -Original Message- > From: IBM Mainframe Discussion List On > Behalf Of Ed Jaffe > Sent: Friday, September 04, 2020 8:37 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: TLS 1.3 in z/OS 2.3? > > On 9/3/2020 11:45 PM, Timothy Sipples wrote: > > Dave Gib

Re: TLS 1.3 in z/OS 2.3?

2020-09-04 Thread Ed Jaffe
On 9/3/2020 11:45 PM, Timothy Sipples wrote: Dave Gibney wrote: Over on CICS-L, I was told that TLS 2.3 requires z/OS 2.4. Is this true? Any prospect of an implementing PTF? To my knowledge TLS 1.3 support was not backported to z/OS 2.3 System SSL, and I'm not aware of any plans to do so

Re: TLS 1.3 in z/OS 2.3?

2020-09-04 Thread Timothy Sipples
Dave Gibney wrote: >Over on CICS-L, I was told that TLS 2.3 requires z/OS 2.4. >Is this true? Any prospect of an implementing PTF? To my knowledge TLS 1.3 support was not backported to z/OS 2.3 System SSL, and I'm not aware of any plans to do so. Of course you can ask: https://www.i

Re: z/OS 2.3, CICS Transaction Server 3.1!! and TLS 1.3

2020-09-04 Thread Timothy Sipples
I don't think you're going to be able to "hack in" support for higher TLS levels. I think you've got a couple near-term options, not necessarily mutually exclusive: A. Place one or a couple newer release CICS regions on the "front side" to handle the network connectivi

Re: TLS 1.3 in z/OS 2.3?

2020-09-03 Thread Attila Fogarasi
It is true, TLS 2.3 support is new function in Communication Server z/OS 2.4. My guess is that it won't be retrofitted, but you can always ask IBM. On Fri, Sep 4, 2020 at 5:45 AM Gibney, Dave wrote: > Over on CICS-L, I was told that TLS 2.3 requires z/OS 2.4. Is this true? > Any pr

Re: z/OS 2.3, CICS Transaction Server 3.1!! and TLS 1.3

2020-09-03 Thread Attila Fogarasi
You can specify the ciphers in a USS .xml file, the path is set by USSCONFIG and the file name is in the CICS CIPHERS parameter (which can be a list of 2 digit cipher codes or the file name). Good luck, CICS 3.1 is 5 years out of support so it won't have PTFs for anything newer in TLS. Most

TLS 1.3 in z/OS 2.3?

2020-09-03 Thread Gibney, Dave
Over on CICS-L, I was told that TLS 2.3 requires z/OS 2.4. Is this true? Any prospect of an implementing PTF? Dave Gibney Information Technology Services Washington State University -- For IBM-MAIN subscribe / signoff / archive

z/OS 2.3, CICS Transaction Server 3.1!! and TLS 1.3

2020-09-03 Thread Gibney, Dave
can't seem to specify tls 1.2 or 1.3 ciphers via the 3.1 CEDA panels. I am thinking I might be able to slip in around the CICS definitions via gsk environment variables. I am asking for your collective thoughts and suggestions. Widely x-posted Dave Gibney Information Technology Services Washington

Re: setting up CSSMTP to use TLS-SSL

2020-09-03 Thread Charles Mills
Yup. In the TLS protocol that is referred to as a "server certificate." It tells the client about the authenticity of the server. It "certifies" the server (for the client). Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSE

Re: setting up CSSMTP to use TLS-SSL

2020-09-02 Thread Brian Westerman
: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On >Behalf Of Brian Westerman >Sent: Tuesday, September 1, 2020 9:34 PM >To: IBM-MAIN@LISTSERV.UA.EDU >Subject: Re: setting up CSSMTP to use TLS-SSL > >Okay, I see now. The client cert is available from our email server, i

Re: setting up CSSMTP to use TLS-SSL

2020-09-02 Thread Charles Mills
to use TLS-SSL Okay, I see now. The client cert is available from our email server, it was just a matter of downloading it and adding to RACF. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email

Re: setting up CSSMTP to use TLS-SSL

2020-09-02 Thread Timothy Sipples
Brian Westerman asked: >So does this all mean that (currently) no one on the list >uses TLS-SSL to forward their mail from CSSMTP to the >target mail server? I see "Yes, we use TLS" replies have overtaken this question. That said, I assume you wouldn't want and don't expec

Re: setting up CSSMTP to use TLS-SSL

2020-09-01 Thread Brian Westerman
Okay, I see now. The client cert is available from our email server, it was just a matter of downloading it and adding to RACF. Thanks, Brian On Tue, 1 Sep 2020 08:21:13 -0500, Peter Vander Woude wrote: >Brian, > >I do use AT-TLS with CSSMTP to our internal e-mail relay. For th

Re: setting up CSSMTP to use TLS-SSL

2020-09-01 Thread Peter Vander Woude
Brian, I do use AT-TLS with CSSMTP to our internal e-mail relay. For the keyring, you need to add the CA's that have signed the ssl cert for the server. If the e-mail server is using a self-signed certificate, you need them to send a copy of it (only the public portion) and it has to be added

Re: setting up CSSMTP to use TLS-SSL

2020-09-01 Thread Statler, David
We have ours setup to use TLS from CSSMTP to an internal Proofpoint mail server. We have Secure set to Yes in the CSSMTP config and then use Policy Agent (AT-TLS) to handle the handshake. David -Original Message- From: IBM Mainframe Discussion List On Behalf Of Brian Westerman Sent

Re: setting up CSSMTP to use TLS-SSL

2020-09-01 Thread Stuart Holland
I think the most common approach is to have CSSMTP send the mail to an enterprise (internal) mail server and let it take care of security going out to the internet. On 8/31/20 11:33 PM, Brian Westerman wrote: So does this all mean that (currently) no one on the list uses TLS-SSL to forward

Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Brian Westerman
So does this all mean that (currently) no one on the list uses TLS-SSL to forward their mail from CSSMTP to the target mail server? Brian -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists

Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Brian Westerman
riginal Message- >> From: IBM Mainframe Discussion List On >> Behalf Of Brian Westerman >> Sent: Sunday, August 30, 2020 11:55 PM >> To: IBM-MAIN@LISTSERV.UA.EDU >> Subject: setting up CSSMTP to use TLS-SSL >> >> Hi, >> >> Has an

Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Grant Taylor
On 8/31/20 11:02 AM, Charles Mills wrote: - The more critical task IMHO is proving to the user that she is actually talking to the URL she intended to talk to: that her session is really, truly with Bank of America and not with some man-in-the-middle pretending to be Bank of America.

Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Grant Taylor
On 8/31/20 10:29 AM, Charles Mills wrote: Also! Let me nitpick myself before someone else does it for me: When I wrote "the CA vouches that the *subject name* in the certificate belongs to Charles Mills" -- that should be "the subject names" (plural) belong to Charles Mills. Ya. The

Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Charles Mills
ist [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Paul Gilmartin Sent: Monday, August 31, 2020 7:47 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: setting up CSSMTP to use TLS-SSL On Mon, 31 Aug 2020 06:31:12 -0700, Charles Mills wrote: >A self-signed certificate *is* a root certificate -- the two terms

Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Charles Mills
om: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Grant Taylor Sent: Monday, August 31, 2020 8:50 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: setting up CSSMTP to use TLS-SSL On 8/31/20 9:34 AM, Charles Mills wrote: > Are CA's perfect? I don't *know* of a CA hack but

Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Grant Taylor
On 8/31/20 9:34 AM, Charles Mills wrote: Are CA's perfect? I don't *know* of a CA hack but I do know of (I should probably say "alleged") CA sloppiness: DigiNotar was compromised: "...it had become clear that a security breach had resulted in the fraudulent issuing of certificates..." Link

Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Charles Mills
iginal Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Paul Gilmartin Sent: Monday, August 31, 2020 7:47 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: setting up CSSMTP to use TLS-SSL On Mon, 31 Aug 2020 06:31:12 -0700, Charles Mills wro

Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Paul Gilmartin
On Mon, 31 Aug 2020 06:31:12 -0700, Charles Mills wrote: >A self-signed certificate *is* a root certificate -- the two terms are >essentially synonymous (although they are used with different implications). >If the SMTP server is presenting a self-signed certificate then it effectively >is its

Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Charles Mills
. Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Roberto Halais Sent: Monday, August 31, 2020 1:48 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: setting up CSSMTP to use TLS-SSL Do you get a root if it’s a self signed

Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Charles Mills
: setting up CSSMTP to use TLS-SSL If the certificate they present is signed by a recognized CA, you should be able to get root and any required intermediates from the signing CA's site. > -Original Message- > From: IBM Mainframe Discussion List On > Behalf Of Brian Westerman >

Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Roberto Halais
t; -Original Message- > > > From: IBM Mainframe Discussion List On > > > Behalf Of Brian Westerman > > > Sent: Sunday, August 30, 2020 11:55 PM > > > To: IBM-MAIN@LISTSERV.UA.EDU > > > Subject: setting up CSSMTP to use TLS-SSL > > > >

Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Gibney, Dave
020 11:55 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: setting up CSSMTP to use TLS-SSL > > Hi, > > Has anyone on the list set up their CSSMTP client to use TLS-SSL to forward > the email to a target email server that only supports TLS-SSL? > > I see the steps in th

setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Brian Westerman
Hi, Has anyone on the list set up their CSSMTP client to use TLS-SSL to forward the email to a target email server that only supports TLS-SSL? I see the steps in the CSSMTP configuration "Steps for using Transport Layer Security for CSSMTP", but it's unclear to me where I get the c

Some free SSL/TLS/Certificates education if you are interested

2020-08-24 Thread Charles Mills
In case anyone is interested I am doing a one-hour Webinar on the "internals" of the certificate and SSL/TLS protocols. It's free, and I have absolutely nothing to sell you - this is not a pitch for some certificate-management package or anything like that. It is *NOT* "

Re: AT-TLS ? Very Basic Questions

2020-07-01 Thread Tom Brennan
Thanks! This conversation really helped me understand. And Mike just pointed out that not only are things headed to AT-TLS, but it may be the ONLY way to encrypt in the near future. On 7/1/2020 9:21 AM, Charles Mills wrote: Tom, I believe you have nailed it exactly. Those are the two main

Re: AT-TLS ? Very Basic Questions

2020-07-01 Thread Charles Mills
I think programs will be able to; IBM just does not intend to spend to maintain encryption in two places: AT-TLS *and* all of the listed applications. Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mike Wawiorko Sent

Re: AT-TLS ? Very Basic Questions

2020-07-01 Thread Charles Mills
Tom, I believe you have nailed it exactly. Those are the two main drivers IMHO. In addition, there is a *huge* problem (in general, not Z specifically) of poorly-written programmatic "users" of TLS libraries. If you write a General Ledger program and the ledgers don't cross-foot, the

Re: AT-TLS ? Very Basic Questions

2020-07-01 Thread Mike Wawiorko
Some programs will soon no longer be able to do their own TLS encryption. https://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/0/877/ENUSZP19-0410/index.html_locale=en#sodx Statements of direction Removal of native TLS/SSL support from TN3270E Telnet server, FTP server

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
. What'll be interesting is if AT-TLS evolves to support mTLS (and the dynamic cert generation, renewal involved in it) for all the east-west traffic in new-age workload. Starting with a "port" of Let's Encrypt for Z. Don't know if any of these make sense, just a wild wishlist. - KB

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread kekronbekron
I believe that's the idea. Now with zERT being available, more encrypted workload types will get surfaced; will probably lead to adding more application/transport types being added under AT-TLS's capability. Just speculation anyway.. What'll be interesting is if AT-TLS evolves to support mTLS

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
Thanks KB... I think I got my basic question answered, which is that one thing AT-TLS was designed for is to encrypt data for TCP/IP programs that weren't originally written with encryption. In addition, it sounds like even programs that can do their own encryption (i.e. TN3270) can also use

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread kekronbekron
Tom, check this out - https://www.youtube.com/watch?v=YKEzX70moOQ I also got 200 hits for 'AT-TLS' after logging in to share.org; you might want to do the same to see which of those are the most useful to you. - KB ‐‐‐ Original Message ‐‐‐ On Tuesday, June 30, 2020 10:27 PM, Tom

Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Allan Staller
AT-TLS Operates at the transport layer of the OSI model. SFTP (open SSH,...) operates at the session layer of the OSI model. BTW, TLS has been supported "forever" by FTP, etc. The problem is, with TLS, the application needs to be modified to make TLS calls in the session layer. W

Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
ould be at the point where software is talking to an OSA card. In this case that would be the TCPIP address space, since my program doesn't talk directly to hardware. That would mean AT-TLS comes into play via the TCPIP task, doing the encryption at that point, while my clear-text program has

Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Allan Staller
Hopefully this will provide the clarity needed. AT-TLS works at the physical layer. FTPS and SFTP work at the logical layer Although not mutually exclusive, If you are doing one, the other is unnecessary. Start the flame wars! Shields up. Condition Red! AT-TLS vs. SFTP! -Original Message

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Allan Staller
AT-TLS is required for TN3270 (and others The above is incorrect. AT-TLS is *NEVER* a requirement. It is up to the installation to determine whether or not AT-TLS will be used. -Original Message- From: IBM Mainframe Discussion List On Behalf Of Jackson, Rob Sent: Tuesday, June 30

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Steve Beaver
AT-TLS has been around for a while. What is causing problems for tools like CL/Supersession, CA-TPX And such is PAGENT. Once PAGENT is turned on all bets are off -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tom Brennan Sent

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Mike Hochee
Some years ago this publication helped me come to a basic understanding of AT-TLS (apologies if already shared)... https://www.ibm.com/support/pages/leveraging-zos-communications-server-application-transparent-transport-layer-security-tls-lower-cost-and-more-rapid-tls-deployment HTH Mike

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Don Poitras
In article you wrote: > I've tried to skim some of the AT-TLS doc, and even attended an IBM > webinar last week, but I'm still missing what I imagine are important > background points. Maybe someone here can explain things, but don't > worry too much about it. > Client and

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Jackson, Rob
Ah, maybe he was going on this or something similar, and it got garbled in translation: https://www.ibm.com/support/pages/zos-communications-server-tls-needed-implement-tls-v12 First Horizon Bank Mainframe Technical Support -Original Message- From: IBM Mainframe Discussion List

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Paul Gilmartin
that (sometimes) there's a proxy involved. Beyond that, only GIYF: https://www.google.com/search?q=at-tls+proxy+ftp which links to: ftp://ftp.www.ibm.com/s390/zos/racf/pdf/secure_zos_ftp.pdf -- gil -- For IBM-MAIN subs

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Jackson, Rob
Of Lennie Dymoke-Bradshaw Sent: Tuesday, June 30, 2020 1:18 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS ? Very Basic Questions [External Email. Exercise caution when clicking links or opening attachments.] I have TLS 1.2 working in my TN3270 server without AT-TLS. This is on z/OS 2.3 Lennie

Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Marshall Stone
Anything SFTP on Open/SSH will never use AT-TLS FTPS - Is IBM's FTP program not using PORT 21 and running in secured mode, setup to force authentication and use AT/TLS for encryption MS -Original Message- From: IBM Mainframe Discussion List On Behalf Of Tom Brennan Sent: Tuesday, June

Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
Do you know if either of those require AT-TLS? When I installed and configured SSHD last (a couple of years ago) it did its own encryption. I never worked with anything called FTPS. On 6/30/2020 10:12 AM, Marshall Stone wrote: There are 2 types of FTP in use today on most mainframes. SFTP

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Lennie Dymoke-Bradshaw
I have TLS 1.2 working in my TN3270 server without AT-TLS. This is on z/OS 2.3 Lennie Dymoke-Bradshaw Consultant working on contract for BMC Mainframe Services by RSM Partners ‘Dance like no one is watching. Encrypt like everyone is.’ -Original Message- From: IBM Mainframe Discussion

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
Interesting! I've set up the TN3270 parms on the mainframe for SSL/TLS but that was before TLS1.2 On 6/30/2020 10:09 AM, Jackson, Rob wrote: A note, without addressing your entire post (certainly not my area of expertise): AT-TLS is required for TN3270 (and others) if you want to use TLS

Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Marshall Stone
(if acting as client) or authorized_keys file (if acting as server) - Uses Server PORT 22 and ephemeral ports FTPS - completely different mechanism the AT/TLS functions are provided by ICSF and policy agent (PAGENT) - You must configure an FTPS TLS rule to allow the connection and the partner

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Jackson, Rob
A note, without addressing your entire post (certainly not my area of expertise): AT-TLS is required for TN3270 (and others) if you want to use TLS 1.2 and higher. In your TELNETPARMS for the port, instead of using SECUREPORT, you use TTLSPORT, referencing a port specified in a TTLSRule

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar last week, but I'm still missing what I imagine are important background points. Maybe someone here can explain things, but don't worry too much about it. Client and server programs like SSH/SSHD call programs

Re: AT-TLS ?

2020-06-30 Thread Lionel B Dyck
st On Behalf Of kekronbekron Sent: Tuesday, June 30, 2020 2:34 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS ? Hi LBD!, Check these out- http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416 http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415 http://www-03.ib

Re: AT-TLS ?

2020-06-30 Thread kekronbekron
, 2020 3:56 AM, Lionel B Dyck wrote: > Anyone have any pointers for configuring AT-TLS on z/OS? > > Lionel B. Dyck < > Website: https://www.lbdsoftware.com https://www.lbdsoftware.com > > "Worry more about your character than your reputation. Character is what > you are,

Re: AT-TLS ?

2020-06-29 Thread Rob Schramm
ers for configuring AT-TLS on z/OS? > > > > > > Lionel B. Dyck < > Website: <https://www.lbdsoftware.com> https://www.lbdsoftware.com > > "Worry more about your character than your reputation. Character is what > you are, reputation m

Re: AT-TLS ?

2020-06-29 Thread Roberto Halais
r character than your reputation. Character is what > you are, reputation merely what others think you are." - John Wooden > > -Original Message- > From: IBM Mainframe Discussion List On Behalf > Of > Mike Hochee > Sent: Sunday, June 28, 2020 7:08 PM > To: IBM-MAIN@LIS

Re: AT-TLS ?

2020-06-29 Thread Lionel B Dyck
The goal is to enable RRSF which requires AT-TLS and then enable secure FTP TLS and TN3270 with it. Installing CoZ:SFTP for improved sftp capabilities as well. Thanks Lionel B. Dyck < Website: https://www.lbdsoftware.com "Worry more about your character than your reputation. C

Re: AT-TLS ?

2020-06-29 Thread Wendell Lovewell
Lionel, what type of endpoints are you wanting to use AT-TLS to secure? I might have some notes that would help. Here is some general information about diagnosing AT-TLS errors: If there is a problem making the connection, AT-TLS will display error on the console. Here are a few examples

Re: AT-TLS ?

2020-06-29 Thread Steve Beaver
;> To: IBM-MAIN@LISTSERV.UA.EDU >> Subject: AT-TLS ? >> >> Anyone have any pointers for configuring AT-TLS on z/OS? >> >> >> >> >> >> Lionel B. Dyck < >> Website: >> <https://urldefense.com/v3/__https://www.lb

Re: AT-TLS ?

2020-06-29 Thread Lionel B Dyck
-Original Message- From: IBM Mainframe Discussion List On Behalf Of Mike Hochee Sent: Sunday, June 28, 2020 7:08 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS ? Hi Lionel, I did this a few years back and utilized it for a product. Below are a few items from the product doc a

Re: AT-TLS ?

2020-06-28 Thread Wayne Bickerdike
The Redbook : http://www.redbooks.ibm.com/redbooks/pdfs/sg248041.pdf On Mon, Jun 29, 2020 at 3:30 PM Wayne Bickerdike wrote: > The IBM Redbook for RACF RRSF has most of the information needed to > configure AT-TLS. > > We're in the process of rolling out RRSF for RACF passwor

Re: AT-TLS ?

2020-06-28 Thread Wayne Bickerdike
The IBM Redbook for RACF RRSF has most of the information needed to configure AT-TLS. We're in the process of rolling out RRSF for RACF password sync. It's working between two of our plexes, I followed the book, used SYS1.SAMPLIB examples rather than attempting via zOSMF. On Mon, Jun 29, 2020

Re: AT-TLS ?

2020-06-28 Thread Itschak Mugzach
wrote: > Anyone have any pointers for configuring AT-TLS on z/OS? > > > > > > Lionel B. Dyck < > Website: <https://www.lbdsoftware.com> https://www.lbdsoftware.com > > "Worry more about your character than your reputation. Character is what > y

Re: AT-TLS ?

2020-06-28 Thread Gibney, Dave
The details in the documentation is a bit scattered. Including separate sections for FTPS and tn3270 > -Original Message- > From: IBM Mainframe Discussion List On > Behalf Of Lionel B Dyck > Sent: Sunday, June 28, 2020 3:26 PM > To: IBM-MAIN@LISTSERV.UA.EDU &g

Re: AT-TLS ?

2020-06-28 Thread Mike Hochee
) and Policy Applications. Also in the IP Configuration Guide, there is a chapter on AT-TLS Security Data Protection, topic TCPIP Stack Initialization. - Use z/OSMF for generation of your initial set of PA config files and inputs, then consider manually tailoring. I opted for this approach under z

AT-TLS ?

2020-06-28 Thread Lionel B Dyck
Anyone have any pointers for configuring AT-TLS on z/OS? Lionel B. Dyck < Website: <https://www.lbdsoftware.com> https://www.lbdsoftware.com "Worry more about your character than your reputation. Character is what you are, reputation merely what others think you are.&

Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-15 Thread Kirk Wolf
On Fri, Jun 12, 2020 at 3:56 PM Paul Gilmartin < 000433f07816-dmarc-requ...@listserv.ua.edu> wrote: > On Fri, 12 Jun 2020 20:46:49 +, Jackson, Rob wrote: > > >Before I found out about Co:Z I used shell scripts and REXX in OMVS to > copy the files back and forth from MVS datasets to OMVS

Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-13 Thread Jackson, Rob
@LISTSERV.UA.EDU Subject: Re: How is Passive FTP with TLS and NAT supposed to work? [External Email. Exercise caution when clicking links or opening attachments.] THANK YOU. Yes, PASSIVEIGNOREADDR is the key (and BTW you can then eliminate CCC with its security exposure). Shows what a kludge FTP

Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-13 Thread Charles Mills
g Yeah, I always just do it by hand in Outlook. I have a > key. Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Jackson, Rob Sent: Saturday, June 13, 2020 6:17 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: How is Passive F

Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-13 Thread Jackson, Rob
My cruddy email application (Outlook) doesn't do the >-style quoting (or at least I don't know how to make it), so let me try below with tabs; it will probably be ugly. First Horizon Bank Mainframe Technical Support -Original Message- From: IBM Mainframe Discussion List On Behalf Of

Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Gibney, Dave
age- > From: IBM Mainframe Discussion List On > Behalf Of Paul Gilmartin > Sent: Friday, June 12, 2020 1:36 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: How is Passive FTP with TLS and NAT supposed to work? > > On Fri, 12 Jun 2020 18:21:47 +, Gibney, Dave wrote: &

Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Charles Mills
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Charles Mills Sent: Friday, June 12, 2020 3:17 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: How is Passive FTP with TLS and NAT supposed to work? Thanks all! Thanks much! Let me try to do one reply here to hold down

Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Charles Mills
Thanks all! Thanks much! Let me try to do one reply here to hold down the noise. > active mode is the one using PORT; passive mode uses PASV Thank you! It's a detail but I want to have the details right. Details are of the essence here. What *exactly* does the server send? On the client end I

Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Paul Gilmartin
On Fri, 12 Jun 2020 20:46:49 +, Jackson, Rob wrote: >Before I found out about Co:Z I used shell scripts and REXX in OMVS to copy >the files back and forth from MVS datasets to OMVS file systems (if sending to >the mainframe, they would follow up the copy with a SSH and execute a script

Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Jackson, Rob
Of Paul Gilmartin Sent: Friday, June 12, 2020 4:36 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: How is Passive FTP with TLS and NAT supposed to work? [External Email. Exercise caution when clicking links or opening attachments.] On Fri, 12 Jun 2020 18:21:47 +, Gibney, Dave wrote: >Aside from

Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Paul Gilmartin
On Fri, 12 Jun 2020 18:21:47 +, Gibney, Dave wrote: >Aside from, I think this is still true, absent Dovetail extensions, the >requirement that SFTP only works with ZFS/HFS files >> What's the intended recipient? If desktop or Open Systems, zFS/HFS should be acceptable. If z/OS,

Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Seymour J Metz
@LISTSERV.UA.EDU] on behalf of Jackson, Rob [rwjack...@firsthorizon.com] Sent: Friday, June 12, 2020 2:18 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: How is Passive FTP with TLS and NAT supposed to work? Well, your point is made and understood, but active mode is the one using PORT; passive mode uses PASV

Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Gibney, Dave
t; To: IBM-MAIN@LISTSERV.UA.EDU > Subject: How is Passive FTP with TLS and NAT supposed to work? > > X-Posted IBMMAIN and IBMTCP. Apologies. This is a question that is both > urgent for us and perhaps a little obscure. > > With Passive FTP, the server uses a PORT command to say to the c

Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Gibney, Dave
; Mainframe Technical Support > > > -Original Message- > From: IBM Mainframe Discussion List On > Behalf Of Charles Mills > Sent: Friday, June 12, 2020 2:01 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: How is Passive FTP with TLS and NAT supposed to work? > > [E

Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Kirk Wolf
r > routers that support NAT are apparently smart enough to translate that PORT > command from an internal to an external address, and everything works > wonderfully. > > The wrinkle comes with TLS: the control connection is encrypted and > inaccessible to the firewall or router.

Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Jackson, Rob
Technical Support -Original Message- From: IBM Mainframe Discussion List On Behalf Of Charles Mills Sent: Friday, June 12, 2020 2:01 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: How is Passive FTP with TLS and NAT supposed to work? [External Email. Exercise caution when clicking links

How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Charles Mills
al address that is meaningless at the client. Many firewalls or routers that support NAT are apparently smart enough to translate that PORT command from an internal to an external address, and everything works wonderfully. The wrinkle comes with TLS: the control connection is encrypted and inaccessible to th

Re: TELNET under TLS - Performance impact?

2018-12-10 Thread Wolfgang Fritz
check this product on mainframe and your problem will be solved https://dovetail.com/products/sftp.html regards Wolfgang Fritz On 10.12.2018 at 16:07, Juan Mautalen wrote: Hi! We have implemented SECURE TELNET. Our implementation is using AT-TLS (we have configured PAGENT, that installs

TELNET under TLS - Performance impact?

2018-12-10 Thread Juan Mautalen
Hi! We have implemented SECURE TELNET. Our implementation is using AT-TLS (we have configured PAGENT, that installs its AT-TLS policies to the TCPIP stack). We also have ICSF up and running, and digital certificates private keys are stored in ICSF. Also CPACF coprocessors are available

Re: SSL/TLS MSU usage

2018-08-14 Thread Parwez Hamid
Mounif, I am unable to comment on any 'increase' of the CP utilization. CPACF has been around for a very long time. Both the systems you mention have the CPACF function. You will need a no charge feature (not available for embargoed countries) for microcode to enable CPACF. The other key point

Re: SSL/TLS MSU usage

2018-08-13 Thread Brian Westerman
The z13 (and I think b|ec12s) have CPACF built into each physical CPU, the older machines had CPACF but it was shared between multiple processors. There is some extra CPU involved when you don't have a cryptoexpress (CEX), but you have to remember that not everything is or can be offloaded to

SSL/TLS MSU usage

2018-08-13 Thread Munif Sadek
Hello All We have zBC12 and z13s but no crypto cards. As we are moving all our IP communications to SSL/TLS, Is there a way to estimate additional MSU used in this encryption/decryption and key negotiations. IP traffic is CICS socket, HTTPS , FTPS, TN3270S, DB2 DDF , SSH etc..Its all over

Re: AT-TLS for HTTP

2018-07-05 Thread Rob Schramm
even need those if you can filter based on a unique port range. > I've been impressed with AT-TLS, as it offers a lot of customization > options, as well as quite a few OOB use cases. An underrated feature of > comm server IMO. > > HTH, > Mike > > -Original Message- >

Re: AT-TLS for HTTP

2018-07-05 Thread Mike Hochee
I have not used it for that specifically, but I don't see why not. The policy based rules allow for job/task names and support wildcards, and you might not even need those if you can filter based on a unique port range. I've been impressed with AT-TLS, as it offers a lot of customization

AT-TLS for HTTP

2018-07-05 Thread Rob Schramm
This might be a weird one. I have used Policy Agent AT-TLS in the past to secure JDBC communication with a UDB data base. Can I use Policy agent to secure an existing HTTP GET process (assembler program), by doing a similar process? Has anyone else done this? Thanks, Rob Schramm -- Rob

Re: AT-TLS replace ICF processor ?

2017-05-02 Thread Charles Mills
I believe AT-TLS generally utilizes ICSF which in turn may utilize your crypto hardware. Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of R.S. Sent: Tuesday, May 2, 2017 11:16 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re
