Some free SSL/TLS/Certificates education if you are interested

2020-10-25 Thread Charles Mills
In case anyone is interested I am doing a free one-hour Webinar on the
"internals" of the certificate and SSL/TLS protocols this coming Tuesday. I
have absolutely nothing to sell you - this is not a pitch for some
certificate-management package or anything like that.

It is *NOT* "how to install a certificate in RACF" or similar. That's a good
topic, but it's not this topic. It's a pure look at the protocol flow and so
forth. It's independent of any particular security subsystem and actually
not even really mainframe-specific - it's about the protocol flow,
independent of the boxes it is running on. It's equally relevant to RACF,
ACF2 and TSS, and for that matter equally relevant to Linux and Windows.
I've done it at SHARE twice and for NewEra once and it was well-received.
Hope you can join us.

I think NewEra will automatically sign you up to be notified of future
webinars. That's not a bad thing but if you don't like it I am sure they
will honor an unsubscribe.

Scroll down near the bottom here: https://www.newera-info.com/Month.html  

X-Posted IBM-MAIN, RACF-L, IBMVM and IBMTCP-L.

Charles

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: AT-TLS issues with FTP and SSH

2020-09-27 Thread Rob Schramm
True..but if you do it wrong you can lock out pretty much everything for
TCP/IP...it's loads of fun!!

It's why I always set it up to OBEY for TCP IP after the stack is up and
running...just in case security does something weird.

Rob Schramm

On Tue, Sep 22, 2020, 17:02 Kirk Wolf  wrote:

> That will do it!
>
> BTW: AT-TLS has no relationship with IBM z/OS OpenSSH.


Re: AT-TLS issues with FTP and SSH

2020-09-22 Thread Kirk Wolf
That will do it!

BTW: AT-TLS has no relationship with IBM z/OS OpenSSH.

On Tue, Sep 22, 2020 at 12:00 PM Lionel B Dyck  wrote:

> Found issue with SSH - I had created (mkdir) the .ssh directory so it had
> the default permissions.  Should have let ssh-keygen create it.
>
> Tried adding logging to pagent for ftp - overloaded with messages and
> reading them now.
>
> Thank you


Re: AT-TLS issues with FTP and SSH

2020-09-22 Thread Lionel B Dyck
Found issue with SSH - I had created (mkdir) the .ssh directory so it had
the default permissions.  Should have let ssh-keygen create it.

Tried adding logging to pagent for ftp - overloaded with messages and
reading them now.

Thank you


Lionel B. Dyck <
Website: https://www.lbdsoftware.com

"Worry more about your character than your reputation.  Character is what
you are, reputation merely what others think you are." - John Wooden

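The permissions problem Lionel found, turned into an added shell check (not code from the thread): a bare mkdir under the usual umask 022 leaves .ssh as drwxr-xr-x, whereas ssh-keygen creates it drwx------ and writes private keys -rw-------, and OpenSSH ignores a private key that group or others can read and then falls back to a password prompt, which on a 3270 session ends in the FOTS3322 message quoted above. The function names (check_ssh_dir, fix_ssh_dir) are hypothetical; only `ls -ld` is used, so it runs unchanged on z/OS UNIX, Linux or BSD.

```shell
#!/bin/sh
# Added example, not from the thread.  Inspect a ~/.ssh directory the way a
# sysprog would after a bare `mkdir`: flag anything that group or others can
# reach, and optionally apply what ssh-keygen would have done (700 on the
# directory, 600 on private keys).

# mode_of PATH -> the 10-character mode field from `ls -ld`, e.g. drwxr-xr-x
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# open_to_others MODE -> true (0) if group or other has any r/w/x bit set
open_to_others() {
    case "$(printf '%s' "$1" | cut -c5-10)" in
        ------) return 1 ;;
        *)      return 0 ;;
    esac
}

# is_private_key FILE -> true for files that should be -rw-------.  Public
# keys, known_hosts, config and authorized_keys are legitimately readable.
is_private_key() {
    case "$1" in
        *.pub|*/known_hosts|*/known_hosts.old|*/config|*/authorized_keys) return 1 ;;
    esac
    [ -f "$1" ]
}

# check_ssh_dir DIR -> one finding per line; exit 0 if everything is closed
# to group and others, 1 if something needs fixing, 2 if DIR does not exist
check_ssh_dir() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    mode=$(mode_of "$dir")
    if open_to_others "$mode"; then
        echo "BAD  $mode $dir (ssh-keygen would have created drwx------)"; rc=1
    else
        echo "OK   $mode $dir"
    fi
    for f in "$dir"/*; do
        is_private_key "$f" || continue
        mode=$(mode_of "$f")
        if open_to_others "$mode"; then
            echo "BAD  $mode $f (private keys must be -rw-------)"; rc=1
        else
            echo "OK   $mode $f"
        fi
    done
    return $rc
}

# fix_ssh_dir DIR -> 700 on the directory, 600 on every private key
fix_ssh_dir() {
    chmod 700 "$1" || return 1
    for f in "$1"/*; do
        is_private_key "$f" || continue
        chmod 600 "$f" || return 1
    done
}
```

Run `check_ssh_dir "$HOME/.ssh"` first; `fix_ssh_dir` only touches the directory mode and files it classifies as private keys.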


Re: AT-TLS issues with FTP and SSH

2020-09-22 Thread Mike Hochee
Regarding the AT-TLS issue, your pagent is likely encountering a problem in the 
FTP section (of course!).  Look at the log it generates, and if you don't have 
one, add the logging option to the pagent start command. If I remember 
correctly, there's also a verbose setting. I found the logs to be extremely 
useful.   

HTH, 
Mike 



Re: AT-TLS issues with FTP and SSH

2020-09-22 Thread Paul Gilmartin
On Tue, 22 Sep 2020 10:07:57 -0500, Lionel B Dyck wrote:
>
>And for that I'm getting: FOTS3322 Passwords may not be entered from 3270
>terminals
>
They're giving you a hint.  Eschew 3270; don't be a masochist.

Years ago, I discovered that if I start "script" under 3270 OMVS, then
I can enter passwords.  Evidently script masked the 3270-ness.  I don't
know whether IBM has declared that a weakness and reinforced it.

I did some tests.  In a script I issued "stty -echo"; prompted for a
string; "stty echo".  In a C program, I used tcsetattr([~ECHO]) to
disable echoing; read a string; and restored echoing.

In both cases, the password was hidden in an ssh session but displayed
momentarily in a 3270 session.

I went to SR with both problems.  I didn't mention my "script" hack lest 
they break it.  They fixed stty somehow but chose to leave fcntl() broken.
Go figger.

-- gil

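Gil's stty experiment, rewritten as an added shell example (not from the thread) with the check a defender wants: after `stty -echo` it reads the terminal state back and refuses to prompt unless the line discipline really reports echo off, instead of trusting that the request took effect. That catches a terminal that ignores or rejects the request; it cannot catch one that reports echo off yet still displays the keystrokes, which is the 3270 behaviour he describes and why z/OS OpenSSH simply refuses with FOTS3322. Function names (echo_is_off, read_secret) are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread.  "stty -echo", prompt, "stty echo" as
# in Gil's test, plus a read-back of `stty -a` before any password is taken.

# echo_is_off STTY_A_OUTPUT -> true (0) if the standalone token "-echo" is
# present.  Tokens such as -echoe, -echok or -echonl do not count.
echo_is_off() {
    ( set -f                      # no globbing on the stty output
      for tok in $1; do
          case "$tok" in -echo|-echo\;) exit 0 ;; esac
      done
      exit 1 )
}

# read_secret PROMPT VARNAME -> reads one line into VARNAME with echo
# suppressed.  Returns 1 without reading when stdin is not a terminal or
# when the terminal did not honour -echo; the saved settings are restored
# on every exit path, including an interrupt during the read.
read_secret() {
    prompt=$1
    var=$2
    [ -t 0 ] || { echo "read_secret: stdin is not a terminal" >&2; return 1; }
    saved=$(stty -g) || return 1
    trap 'stty "$saved"; trap - INT TERM EXIT' INT TERM EXIT
    stty -echo 2>/dev/null
    if ! echo_is_off "$(stty -a)"; then
        stty "$saved"; trap - INT TERM EXIT
        echo "read_secret: terminal did not suppress echo; not reading a password here" >&2
        return 1
    fi
    printf '%s' "$prompt" >&2
    IFS= read -r line
    printf '\n' >&2
    stty "$saved"; trap - INT TERM EXIT
    eval "$var=\$line"
}

# Interactive use (only meaningful on a real terminal):
#   read_secret "Password: " pw && printf 'got %d characters\n' "${#pw}"
```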


AT-TLS issues with FTP and SSH

2020-09-22 Thread Lionel B Dyck
We just enabled AT-TLS (PAGENT) on a test LPAR and immediately ran into two
issues:

1. The FTP Client ceased to work (until we commented the FTP section in the
pagent_TTLS.conf file)
a. No issues doing an FTP into this LPAR.
2. Git stopped working due to SSH.

A simple test is: ssh g...@github.com

And for that I’m getting: FOTS3322 Passwords may not be entered from 3270
terminals  

If we stop PAGENT then everything works.

Can anyone offer any pointers/tips/solutions to either of these problems?

Thanks in advance.


Lionel B. Dyck <
Website: https://www.lbdsoftware.com

"Worry more about your character than your reputation.  Character is what
you are, reputation merely what others think you are." - John Wooden



Re: TLS 1.3 in z/OS 2.3?

2020-09-04 Thread Gibney, Dave


> -Original Message-
> From: IBM Mainframe Discussion List  On
> Behalf Of Ed Jaffe
> Sent: Friday, September 04, 2020 8:37 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: TLS 1.3 in z/OS 2.3?
> 
> Haha! You haven't been paying much attention. Dave has no intention of
> upgrading...
> 

I guess, to be clear, I'd upgrade it all, as rapidly as I am able.
My management has no intention of upgrading, and is trying to pull the final 
shutdown even sooner, ☹



Re: TLS 1.3 in z/OS 2.3?

2020-09-04 Thread Ed Jaffe

On 9/3/2020 11:45 PM, Timothy Sipples wrote:
> Dave Gibney wrote:
> > Over on CICS-L, I was told that TLS 2.3 requires z/OS 2.4.
> > Is this true? Any prospect of an implementing PTF?
>
> To my knowledge TLS 1.3 support was not backported to z/OS 2.3 System SSL,
> and I'm not aware of any plans to do so. Of course you can ask:
>
> https://www.ibm.com/developerworks/rfe/
>
> Hypothetically you could run another software implementation of TLS 1.3
> directly on z/OS 2.3 as a possible stopgap measure until you can upgrade
> to z/OS 2.4.


Haha! You haven't been paying much attention. Dave has no intention of 
upgrading...



--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
https://www.phoenixsoftware.com/



This e-mail message, including any attachments, appended messages and the
information contained therein, is for the sole use of the intended
recipient(s). If you are not an intended recipient or have otherwise
received this email message in error, any use, dissemination, distribution,
review, storage or copying of this e-mail message and the information
contained therein is strictly prohibited. If you are not an intended
recipient, please contact the sender by reply e-mail and destroy all copies
of this email message and do not otherwise utilize or retain this email
message or any or all of the information contained therein. Although this
email message and any attachments or appended messages are believed to be
free of any virus or other defect that might affect any computer system into
which it is received and opened, it is the responsibility of the recipient
to ensure that it is virus free and no responsibility is accepted by the
sender for any loss or damage arising in any way from its opening or use.



Re: TLS 1.3 in z/OS 2.3?

2020-09-04 Thread Timothy Sipples
Dave Gibney wrote:
>Over on CICS-L, I was told that TLS 2.3 requires z/OS 2.4.
>Is this true? Any prospect of an implementing PTF?

To my knowledge TLS 1.3 support was not backported to z/OS 2.3 System SSL, 
and I'm not aware of any plans to do so. Of course you can ask:

https://www.ibm.com/developerworks/rfe/

Hypothetically you could run another software implementation of TLS 1.3 
directly on z/OS 2.3 as a possible stopgap measure until you can upgrade 
to z/OS 2.4. For example, I think it might be possible to compile and run 
the Squid proxy server on z/OS if you're looking specifically for HTTPS 
with TLS 1.3. There are scattered reports, including one from IBM many 
years ago, that it's possible. Squid supports TLS 1.3 according to the 
documentation I found. The performance might not be wonderful, but it 
looks technically viable. Squid's source code and documentation are 
available here:

http://www.squid-cache.org

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: z/OS 2.3, CICS Transaction Server 3.1!! and TLS 1.3

2020-09-04 Thread Timothy Sipples
I don't think you're going to be able to "hack in" support for higher TLS 
levels. I think you've got a couple near-term options, not necessarily 
mutually exclusive:

A. Place one or a couple newer release CICS regions on the "front side" to 
handle the network connectivity, and connect them to your existing CICS TS 
3.1 regions until you can get your CICS TS 3.1 regions upgraded. As I 
write this, CICS TS Version 5.6 is the latest generally available release, 
and it is compatible with your currently installed z/OS release. Broadly, 
generally speaking this means upgrading some or all of the CICS "Terminal 
Owning Regions" ("TORs") while leaving "Application Owning Regions" 
("AORs") temporarily backlevel if you must. The exact details depend on 
your particular CICS deployment.

If you're using CICS's own TLS support, that's currently up to TLS 1.2. 
CICS TS Version 5.1 is the first CICS release that added TLS 1.1 and TLS 
1.2, but I cannot think of any reason why you'd pick something prior to 
the current release in this role. IBM ended Single Version Charge (SVC) 
restrictions in 2017, so there should be no additional charge to run both 
(or multiple) CICS releases as long as you need to. Check with "your 
friendly IBM representative" if there's any doubt.

B. Configure z/OS AT-TLS to handle the connections while CICS TS 3.1 
blithely assumes that the connections are unencrypted. The documentation 
for newer CICS TS releases includes some information on migrating from 
CICS TLS to z/OS AT-TLS, and probably that information will be reasonably 
useful if you attempt the same with CICS TS 3.1.

Please note that z/OS 2.3 AT-TLS supports up to TLS 1.2. For TLS 1.3 
you'll need z/OS 2.4 AT-TLS, and z/OS 2.4 AT-TLS is currently the only 
official/supported way to get TLS 1.3 with CICS TS. IBM's published 
benchmarks suggest that z/OS AT-TLS is slightly more efficient than 
CICS-configured TLS, but results may vary.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: TLS 1.3 in z/OS 2.3?

2020-09-03 Thread Attila Fogarasi
It is true, TLS 2.3 support is new function in Communication Server z/OS
2.4.  My guess is that it won't be retrofitted, but you can always ask
IBM.

On Fri, Sep 4, 2020 at 5:45 AM Gibney, Dave  wrote:

> Over on CICS-L, I was told that TLS 2.3 requires z/OS 2.4. Is this true?
> Any prospect of an implementing PTF?


Re: z/OS 2.3, CICS Transaction Server 3.1!! and TLS 1.3

2020-09-03 Thread Attila Fogarasi
You can specify the ciphers in a USS .xml file, the path is set by
USSCONFIG and the file name is in the CICS CIPHERS parameter (which can be
a list of 2 digit cipher codes or the file name).  Good luck, CICS 3.1 is 5
years out of support so it won't have PTFs for anything newer in TLS.  Most
likely the ciphers you are trying to use are not supported once out of
service.

On Fri, Sep 4, 2020 at 4:15 AM Gibney, Dave  wrote:

>   First of all, I know that CICS 3.1 is very far and away out of
> service. My CICS Sysprog retired over a decade ago, I only fake knowledge
> of CICS when it becomes a necessity.
> SystemSSL in z/OS 2.3 has changed the defaults and available ciphers. This
> is a good thing security wise. But, I can't seem to specify tls 1.2 or 1.3
> ciphers via the 3.1 CEDA panels.
> I am thinking I might be able to slip in around the CICS definitions via
> gsk environment variables.
>   I am asking for your collective thoughts and suggestions.


TLS 1.3 in z/OS 2.3?

2020-09-03 Thread Gibney, Dave
Over on CICS-L, I was told that TLS 2.3 requires z/OS 2.4. Is this true? Any
prospect of an implementing PTF?

Dave Gibney
Information Technology Services
Washington State University




z/OS 2.3, CICS Transaction Server 3.1!! and TLS 1.3

2020-09-03 Thread Gibney, Dave
  First of all, I know that CICS 3.1 is very far and away out of service. My
CICS Sysprog retired over a decade ago, I only fake knowledge of CICS when it
becomes a necessity.
SystemSSL in z/OS 2.3 has changed the defaults and available ciphers. This is a 
good thing security wise. But, I can't seem to specify tls 1.2 or 1.3 ciphers 
via the 3.1 CEDA panels.
I am thinking I might be able to slip in around the CICS definitions via gsk 
environment variables.
  I am asking for your collective thoughts and suggestions.

Widely x-posted

Dave Gibney
Information Technology Services
Washington State University




Re: setting up CSSMTP to use TLS-SSL

2020-09-03 Thread Charles Mills
Yup.

In the TLS protocol that is referred to as a "server certificate." It tells the 
client about the authenticity of the server. It "certifies" the server (for the 
client).

Charles




Re: setting up CSSMTP to use TLS-SSL

2020-09-02 Thread Brian Westerman
It's from the server box, but they have it marked "client side to use our cert".

Brian

On Wed, 2 Sep 2020 08:22:19 -0700, Charles Mills  wrote:

>*Client* certificate? I think you mean Server Certificate. 


Re: setting up CSSMTP to use TLS-SSL

2020-09-02 Thread Charles Mills
*Client* certificate? I think you mean Server Certificate. 

Charles




Re: setting up CSSMTP to use TLS-SSL

2020-09-02 Thread Timothy Sipples
Brian Westerman asked:
>So does this all mean that (currently) no one on the list
>uses TLS-SSL to forward their mail from CSSMTP to the
>target mail server?

I see "Yes, we use TLS" replies have overtaken this question. That said, I 
assume you wouldn't want and don't expect anyone in an open forum to 
confess to having an open, potential security exposure...that they're 
quickly closing right now.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com



Re: setting up CSSMTP to use TLS-SSL

2020-09-01 Thread Brian Westerman
Okay, I see now.  The client cert is available from our email server, it was
just a matter of downloading it and adding to RACF.

Thanks,

Brian

On Tue, 1 Sep 2020 08:21:13 -0500, Peter Vander Woude  
wrote:

>Brian,
>
>I do use AT-TLS with CSSMTP to our internal e-mail relay.  For the keyring, 
>you need to add the CA's that have signed the ssl cert for the server.
>
>If the e-mail server is using a self-signed certificate, you need them to send 
>a copy of it (only the public portion) and it has to be added as a certificate 
>authority.
>
>Peter
>


Re: setting up CSSMTP to use TLS-SSL

2020-09-01 Thread Peter Vander Woude
Brian,

I do use AT-TLS with CSSMTP to our internal e-mail relay.  For the keyring, you
need to add the CAs that have signed the SSL cert for the server.

If the e-mail server is using a self-signed certificate, you need them to send 
a copy of it (only the public portion) and it has to be added as a certificate 
authority.

Peter

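Peter's rule (connect the signing CAs to the key ring, or the certificate itself when it is self-signed), as an added shell helper that is not from the thread: it reads the PEM chain a mail server presents, captured with `openssl s_client -starttls smtp -connect mailhost:25 -showcerts </dev/null > chain.pem`, and reports which certificate has to be added as a certificate authority and whether the server actually sent its root (most do not, so the root must then come from the CA's own site, as Dave noted). It assumes the openssl command-line tool is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread.  Classify a PEM chain for key-ring
# purposes: self-signed server cert, chain that already ends at its root,
# or chain whose root is missing and must be fetched from the CA.

# split_pem BUNDLE OUTDIR -> writes cert1.pem, cert2.pem, ... in the order
# the server presented them (leaf first); prints the number of certificates
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f                            { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                          { print n + 0 }' "$1"
}

# name_of subject|issuer CERT -> that DN as printed by openssl x509, with the
# "subject=" / "issuer=" prefix removed so the two can be compared directly
name_of() {
    out=$(openssl x509 -in "$2" -noout "-$1") || return 1
    printf '%s\n' "${out#$1=}"
}

# classify_chain BUNDLE -> prints one line:
#   SELF-SIGNED <dn>   the server cert signs itself; add that cert as a CA
#   ROOT-PRESENT <dn>  the chain ends at a self-signed root; add that root
#   ROOT-MISSING <dn>  no self-signed cert was sent; fetch the root named
#                      here (and any intermediates) from the CA's site
classify_chain() {
    tmp=$(mktemp -d) || return 1
    count=$(split_pem "$1" "$tmp")
    if [ "$count" -le 0 ]; then
        rm -rf "$tmp"; echo "NO-CERTS"; return 1
    fi
    i=1
    while [ "$i" -le "$count" ]; do
        subj=$(name_of subject "$tmp/cert$i.pem")
        iss=$(name_of issuer "$tmp/cert$i.pem")
        if [ "$subj" = "$iss" ]; then        # a cert that signs itself
            if [ "$i" -eq 1 ]; then
                echo "SELF-SIGNED $subj"
            else
                echo "ROOT-PRESENT $subj"
            fi
            rm -rf "$tmp"; return 0
        fi
        i=$((i + 1))
    done
    echo "ROOT-MISSING $iss"
    rm -rf "$tmp"
}
```

Whatever the verdict, only the public certificate (never a key) goes into the key ring, and a ROOT-MISSING result means the DN printed is what to look up on the CA's site.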


Re: setting up CSSMTP to use TLS-SSL

2020-09-01 Thread Statler, David
We have ours setup to use TLS from CSSMTP to an internal Proofpoint mail 
server. We have Secure set to Yes in the CSSMTP config and then use Policy 
Agent (AT-TLS) to handle the handshake.

David



Re: setting up CSSMTP to use TLS-SSL

2020-09-01 Thread Stuart Holland
I think the most common approach is to have CSSMTP send the mail to an 
enterprise (internal) mail server and let it take care of security going 
out to the internet.


On 8/31/20 11:33 PM, Brian Westerman wrote:
> So does this all mean that (currently) no one on the list uses TLS-SSL to
> forward their mail from CSSMTP to the target mail server?
>
> Brian



Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Brian Westerman
So does this all mean that (currently) no one on the list uses TLS-SSL to 
forward their mail from CSSMTP to the target mail server?

Brian



Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Brian Westerman
Thanks, easier said than done, but does answer that part.

On Mon, 31 Aug 2020 07:12:07 +, Gibney, Dave  wrote:

>If the certificate they present is signed by a recognized CA, you should be 
>able to get root and any required intermediates from the signing CA's site.


Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Grant Taylor

On 8/31/20 11:02 AM, Charles Mills wrote:
> - The more critical task IMHO is proving to the user that she
> is actually talking to the URL she intended to talk to: that her
> session is really, truly with Bank of America and not with some
> man-in-the-middle pretending to be Bank of America.

Conceptually, I agree.

But this is where the trustworthiness of a CA comes into play and may be 
called into question.

Each and every single trusted Root CA can issue completely independent 
certificates for the same subject (CN / SAN).  This starts to be germane 
when someone / something with recognized authority or unauthorized 
access directs a CA to issue a certificate for someone else; things get 
... dicey.  E.g. a questionable political regime directs an in-country CA 
to issue them a certificate for a specific web site whose encrypted 
content they want to surreptitiously access via an undetected 
man-in-the-middle attack.

--
Grant. . . .
unix || die



Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Grant Taylor

On 8/31/20 10:29 AM, Charles Mills wrote:
> Also! Let me nitpick myself before someone else does it for me: When
> I wrote "the CA vouches that the *subject name* in the certificate
> belongs to Charles Mills" -- that should be "the subject names"
> (plural) belong to Charles Mills.

Ya.  The mandatory Common Name (CN) field vs the optional Subject 
Alternative Name (SAN) field can get entertaining.  Especially when you 
consider how some contemporary web browsers require the CN to be listed 
in the SAN as well.  So much so that they are starting to ignore the CN.




--
Grant. . . .
unix || die



Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Charles Mills
Forgive me for droning on about this. I just did that certificate class for 
NewEra and this stuff is on my brain.

> the CA vouches that your public key belongs to the
> entity that once called itself "Charles Mills"

As I said, not exactly. One of the reasons certificates can be so confusing is 
that they accomplish two largely unrelated tasks (I am speaking of end entity 
certificates, "server certificates" here):

- The one that gets much of the attention is really the less interesting part: 
setting up the data encryption for the session. The public key in the 
certificate is the first step in that process. That is what it is used for. It 
does not "prove" anything to the user.

- The more critical task IMHO is proving to the user that she is actually 
talking to the URL she intended to talk to: that her session is really, truly 
with Bank of America and not with some man-in-the-middle pretending to be Bank 
of America.

That's why the CA's validation that the folks they are issuing the certificate 
to are really who they claim to be is so critically important.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Paul Gilmartin
Sent: Monday, August 31, 2020 7:47 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: setting up CSSMTP to use TLS-SSL

On Mon, 31 Aug 2020 06:31:12 -0700, Charles Mills wrote:

>A self-signed certificate *is* a root certificate -- the two terms are 
>essentially synonymous (although they are used with different implications). 
>If the SMTP server is presenting a self-signed certificate then it effectively 
>is its own CA certificate, and you will have to install it in RACF.
> 
What does "self-signed certificate" mean?  Who should trust one?
I'm imagining, in the extreme, a certificate self-signed by
Guccifer 2.0.

What is the trail of authentication?  I understand you have a cert.
What did you need to do to authenticate yourself to the CA?  Is it
merely that the CA vouches that your public key belongs to the
entity that once called itself "Charles Mills" and paid with a credit
card?



Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Charles Mills
Interesting. Certainly does show that "who do you trust?" is a significant 
decision. Marking a certificate in RACF as trusted is not just housekeeping; it 
is a significant security decision. You are not just saying "I need RACF to be 
able to use this as a CA certificate"; you are saying "this organization is 
willing to bet its security on the trustworthiness of this certificate."

I think that is why IBM stopped shipping a RACF database with pre-installed CA 
certificates. IBM does not want to be in the business of making those decisions 
for you.

Also! Let me nitpick myself before someone else does it for me: When I wrote 
"the CA vouches that the *subject name* in the certificate belongs to Charles 
Mills" -- that should be "the subject names" (plural) belong to Charles Mills.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Grant Taylor
Sent: Monday, August 31, 2020 8:50 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: setting up CSSMTP to use TLS-SSL

On 8/31/20 9:34 AM, Charles Mills wrote:
> Are CA's perfect? I don't *know* of a CA hack but I do know of (I 
> should probably say "alleged") CA sloppiness:

DigiNotar was compromised:

"...it had become clear that a security breach had resulted in the 
fraudulent issuing of certificates..."

Link - DigiNotar
  - https://en.wikipedia.org/wiki/DigiNotar

I believe there have been others in the past.  But DigiNotar was one of 
the most prominent breaches that I remember.  I think part of their 
problem was how they failed to handle the situation.

I think Comodo has had problems too.  I don't know the circumstances 
around them.

I don't know how much of a problem (if that's the correct term) it is on 
the mainframe world, but Windows used to trust hundreds of CAs.  That 
means hundreds of entities that could sign certificates for any given 
subject.  A common scapegoat for a popular podcast is that the Hongkong 
Post can sign certificates for ibm.com or listserv.ua.edu.  Any of the 
multiple hundred Root CAs can do it.

CAA records offer some protection for this, but that is no guarantee.



Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Grant Taylor

On 8/31/20 9:34 AM, Charles Mills wrote:
> Are CA's perfect? I don't *know* of a CA hack but I do know of (I
> should probably say "alleged") CA sloppiness:

DigiNotar was compromised:

"...it had become clear that a security breach had resulted in the 
fraudulent issuing of certificates..."

Link - DigiNotar
 - https://en.wikipedia.org/wiki/DigiNotar

I believe there have been others in the past.  But DigiNotar was one of 
the most prominent breaches that I remember.  I think part of their 
problem was how they failed to handle the situation.

I think Comodo has had problems too.  I don't know the circumstances 
around them.

I don't know how much of a problem (if that's the correct term) it is on 
the mainframe world, but Windows used to trust hundreds of CAs.  That 
means hundreds of entities that could sign certificates for any given 
subject.  A common scapegoat for a popular podcast is that the Hongkong 
Post can sign certificates for ibm.com or listserv.ua.edu.  Any of the 
multiple hundred Root CAs can do it.

CAA records offer some protection for this, but that is no guarantee.



--
Grant. . . .
unix || die



Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Charles Mills
"Self-signed certificate" means a certificate that is at the bottom of the 
chain: there is no higher (mixing my tops and bottoms here) authority that 
vouches for it.

Every CA root certificate is self-signed. (Who else would sign it? The Pope? 
Bill Gates? Stephen Hawking?)

For a normal endpoint certificate you accept it because the CA certificate that 
is at the head of its authentication chain is pre-installed. For a self-signed 
certificate, that is the certificate itself.

Every time you install a root certificate as trusted you are saying "I trust 
this certificate. We trust this certificate." That is equally true for a 
DigiCert certificate or a Foobar the CA certificate.

There is nothing inherently wrong with self-signed certificates. Just like 
every other certificate -- if you are going to trust it you have to know what 
you are doing.

Why should a particular CA be trusted? That is up to the trustor to decide. 
There is never any higher authority. (See above.)

> What is the trail of authentication? ...  Is it
> merely that the CA vouches that your public key belongs to the
> entity that once called itself "Charles Mills" and paid with a credit
> card?

Basically, yes. I would say "the CA vouches that the *subject name* in the 
certificate belongs to Charles Mills." (The certificate *has* a public key -- 
that key is part of the certificate and does not "belong to" anyone else. The 
owner of the certificate presumably has under safekeeping the corresponding 
private key.)

Are CA's perfect? I don't *know* of a CA hack but I do know of (I should 
probably say "alleged") CA sloppiness:
https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html 

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Paul Gilmartin
Sent: Monday, August 31, 2020 7:47 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: setting up CSSMTP to use TLS-SSL

On Mon, 31 Aug 2020 06:31:12 -0700, Charles Mills wrote:

>A self-signed certificate *is* a root certificate -- the two terms are 
>essentially synonymous (although they are used with different implications). 
>If the SMTP server is presenting a self-signed certificate then it effectively 
>is its own CA certificate, and you will have to install it in RACF.
> 
What does "self-signed certificate" mean?  Who should trust one?
I'm imagining, in the extreme, a certificate self-signed by
Guccifer 2.0.

What is the trail of authentication?  I understand you have a cert.
What did you need to do to authenticate yourself to the CA?  Is it
merely that the CA vouches that your public key belongs to the
entity that once called itself "Charles Mills" and paid with a credit
card?

And quis custodiet ipsos custodes?  Why should a particular CA be
trusted other than the authority of a higher CA?  I understand there
have been compromised CAs, by hacks rather than intrinsic fraud.



Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Paul Gilmartin
On Mon, 31 Aug 2020 06:31:12 -0700, Charles Mills wrote:

>A self-signed certificate *is* a root certificate -- the two terms are 
>essentially synonymous (although they are used with different implications). 
>If the SMTP server is presenting a self-signed certificate then it effectively 
>is its own CA certificate, and you will have to install it in RACF.
> 
What does "self-signed certificate" mean?  Who should trust one?
I'm imagining, in the extreme, a certificate self-signed by
Guccifer 2.0.

What is the trail of authentication?  I understand you have a cert.
What did you need to do to authenticate yourself to the CA?  Is it
merely that the CA vouches that your public key belongs to the
entity that once called itself "Charles Mills" and paid with a credit
card?

And quis custodiet ipsos custodes?  Why should a particular CA be
trusted other than the authority of a higher CA?  I understand there
have been compromised CAs, by hacks rather than intrinsic fraud.

-- gil



Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Charles Mills
A self-signed certificate *is* a root certificate -- the two terms are 
essentially synonymous (although they are used with different implications). If 
the SMTP server is presenting a self-signed certificate then it effectively is 
its own CA certificate, and you will have to install it in RACF.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Roberto Halais
Sent: Monday, August 31, 2020 1:48 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: setting up CSSMTP to use TLS-SSL

Do you get a root if it’s a self signed certificate?


On Mon, Aug 31, 2020 at 3:12 AM Gibney, Dave  wrote:

> If the certificate they present is signed by a recognized CA, you should
> be able to get root and any required intermediates from the signing CA's
> site.


Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Charles Mills
Or it may already be installed, or they may be willing to supply it to you.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Gibney, Dave
Sent: Monday, August 31, 2020 12:12 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: setting up CSSMTP to use TLS-SSL

If the certificate they present is signed by a recognized CA, you should be 
able to get root and any required intermediates from the signing CA's site.



Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Roberto Halais
Do you get a root if it’s a self signed certificate?


On Mon, Aug 31, 2020 at 3:12 AM Gibney, Dave  wrote:

> If the certificate they present is signed by a recognized CA, you should
> be able to get root and any required intermediates from the signing CA's
> site.
Politics: Poli (many) - tics (blood sucking parasites)



Re: setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Gibney, Dave
If the certificate they present is signed by a recognized CA, you should be 
able to get root and any required intermediates from the signing CA's site.



setting up CSSMTP to use TLS-SSL

2020-08-31 Thread Brian Westerman
Hi,

Has anyone on the list set up their CSSMTP client to use TLS-SSL to forward the 
email to a target email server that only supports TLS-SSL?

I see the steps in the CSSMTP configuration "Steps for using Transport Layer 
Security for CSSMTP", but it's unclear to me where I get the certificate.  

Step 2(a) says:

a. Create the key ring.
The client key ring needs the root certification used to sign the server
certificates. For a TLS/SSL primer and some step-by-step examples, see
TLS/SSL security. For more information about managing key rings and
certificates with RACF® and the RACDCERT command, see z/OS Security
Server RACF Security Administrator's Guide. For more information about
managing key rings and certificates with gskkyman, see z/OS
Cryptographic Services System SSL Programming.

How do I get the root certification used to sign the server certificates?  Is 
that something that the people that take care of the server are supposed to 
supply to me?

then 2(c) is 5 steps and says:
c. Configure the client system to use TLS with AT-TLS policies as follows:

1) Specify TTLS on the TCPCONFIG statement in the TCP/IP profile for
the client stack. For information about the TCPCONFIG statement, see
z/OS Communications Server: IP Configuration Reference.
   (I understand this one)

2) Block the ability of applications to open a socket before AT-TLS policy is
loaded into the TCP/IP stack by setting up
EZB.INITSTACK.sysname.tcpname for the client stack.
(this seems like an optional step)

3) Create a main Policy Agent configuration file containing a TcpImage
statement for the client stack, and create a TcpImage policy file for the
client stack. 
(this seems pretty simple, but where does it go?)

4) Add a TTLSConfig statement to each TcpImage policy file to identify the
TTLSConfig policy file location:
TTLSConfig clientPath
(I am assuming that the clientPath is some USS file I create that indicates 
the information to find the keyring from 2(a) above, is that correct?)  (Where 
does the TcpImage policy file go?  i.e. how do I define it?)

5) Add the AT-TLS policy statements to the clientPath file
(they have an example for this step right in the manual so that's pretty 
easy to follow)

Thanks for your help, any examples of a working configuration would be really 
helpful.

Brian

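As an added worked example (not from the post, the manual, or IBM's own samples), here is what the client-side pieces from steps 1, 3, 4 and 5 above can look like when put together for an outbound CSSMTP connection; the four fragments belong in four separate files and are only shown one after another here. The stack name TCPIP, the HFS/zFS paths, the jobname CSSMTP, the RACF key ring CSSMTP/CSSMTPring, the remote port 25 and the protocol version settings are all assumptions to be replaced with site values, and the key ring must already contain the CA certificate from step 2(a).

```text
# --- TCP/IP profile (step 1): turn AT-TLS on in the client stack ---
TCPCONFIG TTLS

# --- /etc/pagent.conf, the main Policy Agent configuration (step 3) ---
# One TcpImage statement per stack; the second operand is that stack's
# image policy file (path is an assumption).
TcpImage TCPIP /etc/pagent/TCPIP.image.conf FLUSH PURGE

# --- /etc/pagent/TCPIP.image.conf, the TcpImage policy file (step 4) ---
# The "clientPath" in the manual is simply the AT-TLS policy file below;
# it does not name the key ring itself, the policy file does that.
TTLSConfig /etc/pagent/TCPIP.ttls.conf FLUSH PURGE

# --- /etc/pagent/TCPIP.ttls.conf, the AT-TLS policy (step 5) ---
# Match only outbound connections from the CSSMTP job to SMTP port 25,
# so no other traffic on the stack is touched by this rule.
TTLSRule                      CSSMTP-Out
{
  LocalAddr                   ALL
  RemoteAddr                  ALL
  RemotePortRange             25
  Jobname                     CSSMTP
  Direction                   Outbound
  TTLSGroupActionRef          CSSMTP-GroupAct
  TTLSEnvironmentActionRef    CSSMTP-EnvAct
}

TTLSGroupAction               CSSMTP-GroupAct
{
  TTLSEnabled                 On
  # Trace level 2 writes handshake errors to syslogd, which is the first
  # place to look when the connection to the mail server fails.
  Trace                       2
}

TTLSEnvironmentAction         CSSMTP-EnvAct
{
  HandshakeRole               Client
  # RACF key ring from step 2(a), written as owner/ringname (assumed name).
  # It holds the CA certificate that signed the target server's cert;
  # no client certificate is needed unless the server demands one.
  TTLSKeyringParms
  {
    Keyring                   CSSMTP/CSSMTPring
  }
  TTLSEnvironmentAdvancedParms
  {
    # CSSMTP issues STARTTLS itself (TargetServer Secure Yes in the
    # CSSMTP config), so the application, not the stack, decides when
    # the handshake begins.
    ApplicationControlled     On
    # Accept only current protocol versions; the older ones are off.
    SSLv2                     Off
    SSLv3                     Off
    TLSv1                     Off
    TLSv1.1                   Off
    TLSv1.2                   On
  }
}
```

After changing the policy, refresh the Policy Agent (MODIFY PAGENT,REFRESH) and check the syslogd output for the rule before assuming the CSSMTP connection is protected.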


Some free SSL/TLS/Certificates education if you are interested

2020-08-24 Thread Charles Mills
In case anyone is interested I am doing a one-hour Webinar on the
"internals" of the certificate and SSL/TLS protocols. It's free, and I have
absolutely nothing to sell you - this is not a pitch for some
certificate-management package or anything like that.

It is *NOT* "how to install a certificate in RACF" or similar. That's a good
topic, but it's not this topic. It's a pure look at the protocol flow and so
forth. It's independent of any particular security subsystem and actually
not even really mainframe-specific - it's about the protocol flow,
independent of the boxes it is running on. I've done it at SHARE twice and
it was well-received. Hope you can join us.

Scroll down to the bottom here: https://www.newera-info.com/Month.html 

X-Posted IBM-MAIN, RACF-L and IBMVM.

Charles



Re: AT-TLS ? Very Basic Questions

2020-07-01 Thread Tom Brennan
Thanks!  This conversation really helped me understand.  And Mike just 
pointed out that not only are things headed to AT-TLS, but it may be the 
ONLY way to encrypt in the near future.


On 7/1/2020 9:21 AM, Charles Mills wrote:

Tom, I believe you have nailed it exactly. Those are the two main drivers IMHO.

In addition, there is a *huge* problem (in general, not Z specifically) of poorly-written 
programmatic "users" of TLS libraries. If you write a General Ledger program and the 
ledgers don't cross-foot, the CFO tells you. If you write an "encrypted" communication 
program and the encryption has a logical flaw, generally no one tells you. :-( Centralizing the use 
of TLS, not just the TLS APIs, is a step toward addressing that problem.

https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Tom Brennan
Sent: Tuesday, June 30, 2020 9:46 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

Thanks KB...  I think I got my basic question answered, which is that
one thing AT-TLS was designed for is to encrypt data for TCP/IP programs
that weren't originally written with encryption.  In addition, it sounds
like even programs that can do their own encryption (i.e. TN3270) can
also use AT-TLS.  If so, that's a smart plan - putting encryption
processing in one bucket with one set of controls, and one spot to
update when TLS1.x comes along.

But if I'm wrong with any of the general notes above, please correct me.







Re: AT-TLS ? Very Basic Questions

2020-07-01 Thread Charles Mills
I think programs will be able to; IBM just does not intend to spend to maintain 
encryption in two places: AT-TLS *and* all of the listed applications.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Mike Wawiorko
Sent: Wednesday, July 1, 2020 6:43 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

Some programs will soon no longer be able to do their own TLS encryption. 

https://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/0/877/ENUSZP19-0410/index.html_locale=en#sodx

Statements of direction

Removal of native TLS/SSL support from TN3270E Telnet server, FTP server, and 
DCAS

z/OS V2.4 is planned to be the last release in which the z/OS TN3270E Telnet 
server, FTP server, and Digital Certificate Access Server (DCAS) will support 
direct invocation of System SSL APIs for TLS/SSL protection. In the future, the 
only TLS/SSL protection option for these servers will be Application 
Transparent Transport Layer Security (AT-TLS). The direct System SSL support in 
each of these components is functionally outdated and only supports TLS 
protocols up through TLSv1.1. IBM recommends converting your TN3270E Telnet, 
FTP server, and DCAS configurations to use AT-TLS, which supports the latest 
System SSL features, including the TLSv1.2 and TLSv1.3 protocols and related 
cipher suites. Note that while native TLS/SSL support for z/OS FTP client is 
not being withdrawn at this time, no future enhancements are planned for that 
support. IBM recommends using AT-TLS to secure FTP client traffic.

Mike Wawiorko  

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: 01 July 2020 05:46
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions



Thanks KB...  I think I got my basic question answered, which is that one thing 
AT-TLS was designed for is to encrypt data for TCP/IP programs that weren't 
originally written with encryption.  In addition, it sounds like even programs 
that can do their own encryption (i.e. TN3270) can also use AT-TLS.  If so, 
that's a smart plan - putting encryption processing in one bucket with one set 
of controls, and one spot to update when TLS1.x comes along.

But if I'm wrong with any of the general notes above, please correct me.





Re: AT-TLS ? Very Basic Questions

2020-07-01 Thread Charles Mills
Tom, I believe you have nailed it exactly. Those are the two main drivers IMHO.

In addition, there is a *huge* problem (in general, not Z specifically) of 
poorly-written programmatic "users" of TLS libraries. If you write a General 
Ledger program and the ledgers don't cross-foot, the CFO tells you. If you 
write an "encrypted" communication program and the encryption has a logical 
flaw, generally no one tells you. :-( Centralizing the use of TLS, not just the 
TLS APIs, is a step toward addressing that problem.

https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf 

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Tom Brennan
Sent: Tuesday, June 30, 2020 9:46 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

Thanks KB...  I think I got my basic question answered, which is that 
one thing AT-TLS was designed for is to encrypt data for TCP/IP programs 
that weren't originally written with encryption.  In addition, it sounds 
like even programs that can do their own encryption (i.e. TN3270) can 
also use AT-TLS.  If so, that's a smart plan - putting encryption 
processing in one bucket with one set of controls, and one spot to 
update when TLS1.x comes along.

But if I'm wrong with any of the general notes above, please correct me.



Re: AT-TLS ? Very Basic Questions

2020-07-01 Thread Mike Wawiorko
Some programs will soon no longer be able to do their own TLS encryption. 

https://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/0/877/ENUSZP19-0410/index.html_locale=en#sodx

Statements of direction

Removal of native TLS/SSL support from TN3270E Telnet server, FTP server, and 
DCAS

z/OS V2.4 is planned to be the last release in which the z/OS TN3270E Telnet 
server, FTP server, and Digital Certificate Access Server (DCAS) will support 
direct invocation of System SSL APIs for TLS/SSL protection. In the future, the 
only TLS/SSL protection option for these servers will be Application 
Transparent Transport Layer Security (AT-TLS). The direct System SSL support in 
each of these components is functionally outdated and only supports TLS 
protocols up through TLSv1.1. IBM recommends converting your TN3270E Telnet, 
FTP server, and DCAS configurations to use AT-TLS, which supports the latest 
System SSL features, including the TLSv1.2 and TLSv1.3 protocols and related 
cipher suites. Note that while native TLS/SSL support for z/OS FTP client is 
not being withdrawn at this time, no future enhancements are planned for that 
support. IBM recommends using AT-TLS to secure FTP client traffic.

Mike Wawiorko  

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: 01 July 2020 05:46
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions



Thanks KB...  I think I got my basic question answered, which is that one thing 
AT-TLS was designed for is to encrypt data for TCP/IP programs that weren't 
originally written with encryption.  In addition, it sounds like even programs 
that can do their own encryption (i.e. TN3270) can also use AT-TLS.  If so, 
that's a smart plan - putting encryption processing in one bucket with one set 
of controls, and one spot to update when TLS1.x comes along.

But if I'm wrong with any of the general notes above, please correct me.





Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
I tried "Let's Encrypt" https://letsencrypt.org/ once for some web site 
names I have on a Linux server under my desk.  I can't remember why I 
didn't like it, but I ended up making my own CA cert to sign my https 
certificates, and then got the few people using the sites to import my 
CA into their browser.  Cheating a bit but it works great for isolated use.


But yes, if things like certificates could be all piled into one 
application and handled by one person in a company, things would get 
easier.  The first time I dealt with a certificate on the mainframe was 
for IBM's ITIM system which (the developer mentioned) had just switched 
to use OpenSSL.  We had multiple meetings with project leaders and 
others just to get a paid-for certificate in place (2 year expiration), 
when we probably could have created something self-signed with a 30 year 
expiration if we knew better :)


On 6/30/2020 10:23 PM, kekronbekron wrote:

I believe that's the idea.
Now with zERT being available, more encrypted workload types will get surfaced; 
will probably lead to adding more application/transport types being added under 
AT-TLS's capability.
Just speculation anyway..

What'll be interesting is if AT-TLS evolves to support mTLS (and the dynamic 
cert generation, renewal involved in it) for all the east-west traffic in 
new-age workload.
Starting with a "port" of Let's Encrypt for Z.
Don't know if any of these make sense, just a wild wishlist.

- KB

‐‐‐ Original Message ‐‐‐
On Wednesday, July 1, 2020 10:16 AM, Tom Brennan  
wrote:


Thanks KB... I think I got my basic question answered, which is that
one thing AT-TLS was designed for is to encrypt data for TCP/IP programs
that weren't originally written with encryption. In addition, it sounds
like even programs that can do their own encryption (i.e. TN3270) can
also use AT-TLS. If so, that's a smart plan - putting encryption
processing in one bucket with one set of controls, and one spot to
update when TLS1.x comes along.

But if I'm wrong with any of the general notes above, please correct me.

On 6/30/2020 9:16 PM, kekronbekron wrote:


Tom, check this out - https://www.youtube.com/watch?v=YKEzX70moOQ
I also got 200 hits for 'AT-TLS' after logging in to share.org; you might want 
to do the same to see which of those are the most useful to you.

-   KB

‐‐‐ Original Message ‐‐‐
On Tuesday, June 30, 2020 10:27 PM, Tom Brennan t...@tombrennansoftware.com 
wrote:


I've tried to skim some of the AT-TLS doc, and even attended an IBM
webinar last week, but I'm still missing what I imagine are important
background points. Maybe someone here can explain things, but don't
worry too much about it.
Client and server programs like SSH/SSHD call programs such as OpenSSL
to handle the encryption handshake and processing. So when you set
those up, there is no AT-TLS needed for encryption. Same with the
TN3270 server and client, as long as you set that up with keys and
parameters on the host side, and settings on the client side.
I'm thinking because of the name "Application Transparent" that AT-TLS
was made for programs that DON'T have their own logic to call OpenSSL
(or whatever) to do their own encryption. Let's use clear-text FTP as
an example. So somehow, AT-TLS hooks into the processing and provides
an encrypted "tunnel", kind of like VPN does, but only for that one
application. Does that sound correct?
If so, then the encryption is "transparent" to the FTP server code and
FTP does not need to be changed, which I think is the whole idea here.
Yet we now have an encrypted session. Does that sound correct?
Then if so, what happens on the FTP client side? I certainly can't use
the Windows FTP command, for example, because it's not setup for any
kind of encryption. That's kind of my big question here.
On 6/30/2020 1:44 AM, Lionel B Dyck wrote:


Sweet - thank you
Lionel B. Dyck <
Website: https://www.lbdsoftware.com
"Worry more about your character than your reputation. Character is what you are, 
reputation merely what others think you are." - John Wooden
-Original Message-
From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of 
kekronbekron
Sent: Tuesday, June 30, 2020 2:34 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ?
Hi LBD!,
Check these out-
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414

-   KB

‐‐‐ Original Message ‐‐‐
On Monday, June 29, 2020 3:56 AM, Lionel B Dyck lbd...@gmail.com wrote:


Anyone have any pointers for configuring AT-TLS on z/OS?
Lionel B. Dyck <
Website: https://www.lbdsoftware.com https://www.lbdsoftware.com
"Worry more about your character than your reputation. Character is
what you are, reputation merely what others think you are." - John
Wooden

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread kekronbekron
I believe that's the idea.
Now with zERT being available, more encrypted workload types will get surfaced; 
will probably lead to adding more application/transport types being added under 
AT-TLS's capability.
Just speculation anyway..

What'll be interesting is if AT-TLS evolves to support mTLS (and the dynamic 
cert generation, renewal involved in it) for all the east-west traffic in 
new-age workload.
Starting with a "port" of Let's Encrypt for Z.
Don't know if any of these make sense, just a wild wishlist.

- KB

‐‐‐ Original Message ‐‐‐
On Wednesday, July 1, 2020 10:16 AM, Tom Brennan  
wrote:

> Thanks KB... I think I got my basic question answered, which is that
> one thing AT-TLS was designed for is to encrypt data for TCP/IP programs
> that weren't originally written with encryption. In addition, it sounds
> like even programs that can do their own encryption (i.e. TN3270) can
> also use AT-TLS. If so, that's a smart plan - putting encryption
> processing in one bucket with one set of controls, and one spot to
> update when TLS1.x comes along.
>
> But if I'm wrong with any of the general notes above, please correct me.
>
> On 6/30/2020 9:16 PM, kekronbekron wrote:
>
> > Tom, check this out - https://www.youtube.com/watch?v=YKEzX70moOQ
> > I also got 200 hits for 'AT-TLS' after logging in to share.org; you might 
> > want to do the same to see which of those are the most useful to you.
> >
> > -   KB
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Tuesday, June 30, 2020 10:27 PM, Tom Brennan t...@tombrennansoftware.com 
> > wrote:
> >
> > > I've tried to skim some of the AT-TLS doc, and even attended an IBM
> > > webinar last week, but I'm still missing what I imagine are important
> > > background points. Maybe someone here can explain things, but don't
> > > worry too much about it.
> > > Client and server programs like SSH/SSHD call programs such as OpenSSL
> > > to handle the encryption handshake and processing. So when you set
> > > those up, there is no AT-TLS needed for encryption. Same with the
> > > TN3270 server and client, as long as you set that up with keys and
> > > parameters on the host side, and settings on the client side.
> > > I'm thinking because of the name "Application Transparent" that AT-TLS
> > > was made for programs that DON'T have their own logic to call OpenSSL
> > > (or whatever) to do their own encryption. Let's use clear-text FTP as
> > > an example. So somehow, AT-TLS hooks into the processing and provides
> > > an encrypted "tunnel", kind of like VPN does, but only for that one
> > > application. Does that sound correct?
> > > If so, then the encryption is "transparent" to the FTP server code and
> > > FTP does not need to be changed, which I think is the whole idea here.
> > > Yet we now have an encrypted session. Does that sound correct?
> > > Then if so, what happens on the FTP client side? I certainly can't use
> > > the Windows FTP command, for example, because it's not setup for any
> > > kind of encryption. That's kind of my big question here.
> > > On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
> > >
> > > > Sweet - thank you
> > > > Lionel B. Dyck <
> > > > Website: https://www.lbdsoftware.com
> > > > "Worry more about your character than your reputation. Character is 
> > > > what you are, reputation merely what others think you are." - John 
> > > > Wooden
> > > > -Original Message-
> > > > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf 
> > > > Of kekronbekron
> > > > Sent: Tuesday, June 30, 2020 2:34 AM
> > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > Subject: Re: AT-TLS ?
> > > > Hi LBD!,
> > > > Check these out-
> > > > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
> > > > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
> > > > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
> > > >
> > > > -   KB
> > > >
> > > > ‐‐‐ Original Message ‐‐‐
> > > > On Monday, June 29, 2020 3:56 AM, Lionel B Dyck lbd...@gmail.com wrote:
> > > >
> > > > > Anyone have any pointers for configuring AT-TLS on z/OS?
> > > > > Lionel B. Dyck <
> > > > > Website: https://www.lbdsoftware.com https://www.lbdsoftware.com
> > > > > "Worry more about your character than your reputation. Ch

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
Thanks KB...  I think I got my basic question answered, which is that 
one thing AT-TLS was designed for is to encrypt data for TCP/IP programs 
that weren't originally written with encryption.  In addition, it sounds 
like even programs that can do their own encryption (i.e. TN3270) can 
also use AT-TLS.  If so, that's a smart plan - putting encryption 
processing in one bucket with one set of controls, and one spot to 
update when TLS1.x comes along.


But if I'm wrong with any of the general notes above, please correct me.

On 6/30/2020 9:16 PM, kekronbekron wrote:

Tom, check this out - https://www.youtube.com/watch?v=YKEzX70moOQ

I also got 200 hits for 'AT-TLS' after logging in to share.org; you might want 
to do the same to see which of those are the most useful to you.

- KB

‐‐‐ Original Message ‐‐‐
On Tuesday, June 30, 2020 10:27 PM, Tom Brennan  
wrote:


I've tried to skim some of the AT-TLS doc, and even attended an IBM
webinar last week, but I'm still missing what I imagine are important
background points. Maybe someone here can explain things, but don't
worry too much about it.

Client and server programs like SSH/SSHD call programs such as OpenSSL
to handle the encryption handshake and processing. So when you set
those up, there is no AT-TLS needed for encryption. Same with the
TN3270 server and client, as long as you set that up with keys and
parameters on the host side, and settings on the client side.

I'm thinking because of the name "Application Transparent" that AT-TLS
was made for programs that DON'T have their own logic to call OpenSSL
(or whatever) to do their own encryption. Let's use clear-text FTP as
an example. So somehow, AT-TLS hooks into the processing and provides
an encrypted "tunnel", kind of like VPN does, but only for that one
application. Does that sound correct?

If so, then the encryption is "transparent" to the FTP server code and
FTP does not need to be changed, which I think is the whole idea here.
Yet we now have an encrypted session. Does that sound correct?

Then if so, what happens on the FTP client side? I certainly can't use
the Windows FTP command, for example, because it's not setup for any
kind of encryption. That's kind of my big question here.

On 6/30/2020 1:44 AM, Lionel B Dyck wrote:


Sweet - thank you
Lionel B. Dyck <
Website: https://www.lbdsoftware.com
"Worry more about your character than your reputation. Character is what you are, 
reputation merely what others think you are." - John Wooden
-Original Message-
From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of 
kekronbekron
Sent: Tuesday, June 30, 2020 2:34 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ?
Hi LBD!,
Check these out-
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414

-   KB

‐‐‐ Original Message ‐‐‐
On Monday, June 29, 2020 3:56 AM, Lionel B Dyck lbd...@gmail.com wrote:


Anyone have any pointers for configuring AT-TLS on z/OS?
Lionel B. Dyck <
Website: https://www.lbdsoftware.com https://www.lbdsoftware.com
"Worry more about your character than your reputation. Character is
what you are, reputation merely what others think you are." - John
Wooden



Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread kekronbekron
Tom, check this out - https://www.youtube.com/watch?v=YKEzX70moOQ

I also got 200 hits for 'AT-TLS' after logging in to share.org; you might want 
to do the same to see which of those are the most useful to you.

- KB

‐‐‐ Original Message ‐‐‐
On Tuesday, June 30, 2020 10:27 PM, Tom Brennan  
wrote:

> I've tried to skim some of the AT-TLS doc, and even attended an IBM
> webinar last week, but I'm still missing what I imagine are important
> background points. Maybe someone here can explain things, but don't
> worry too much about it.
>
> Client and server programs like SSH/SSHD call programs such as OpenSSL
> to handle the encryption handshake and processing. So when you set
> those up, there is no AT-TLS needed for encryption. Same with the
> TN3270 server and client, as long as you set that up with keys and
> parameters on the host side, and settings on the client side.
>
> I'm thinking because of the name "Application Transparent" that AT-TLS
> was made for programs that DON'T have their own logic to call OpenSSL
> (or whatever) to do their own encryption. Let's use clear-text FTP as
> an example. So somehow, AT-TLS hooks into the processing and provides
> an encrypted "tunnel", kind of like VPN does, but only for that one
> application. Does that sound correct?
>
> If so, then the encryption is "transparent" to the FTP server code and
> FTP does not need to be changed, which I think is the whole idea here.
> Yet we now have an encrypted session. Does that sound correct?
>
> Then if so, what happens on the FTP client side? I certainly can't use
> the Windows FTP command, for example, because it's not setup for any
> kind of encryption. That's kind of my big question here.
>
> On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
>
> > Sweet - thank you
> > Lionel B. Dyck <
> > Website: https://www.lbdsoftware.com
> > "Worry more about your character than your reputation. Character is what 
> > you are, reputation merely what others think you are." - John Wooden
> > -Original Message-
> > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of 
> > kekronbekron
> > Sent: Tuesday, June 30, 2020 2:34 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: AT-TLS ?
> > Hi LBD!,
> > Check these out-
> > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
> > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
> > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
> >
> > -   KB
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Monday, June 29, 2020 3:56 AM, Lionel B Dyck lbd...@gmail.com wrote:
> >
> > > Anyone have any pointers for configuring AT-TLS on z/OS?
> > > Lionel B. Dyck <
> > > Website: https://www.lbdsoftware.com https://www.lbdsoftware.com
> > > "Worry more about your character than your reputation. Character is
> > > what you are, reputation merely what others think you are." - John
> > > Wooden
> > >


Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Allan Staller
AT-TLS operates at the transport layer of the OSI model.
SFTP (open SSH,...) operates at the session layer of the OSI model.

BTW, TLS has been supported "forever" by FTP, etc. The problem is, with TLS, 
the application needs to be modified to make TLS calls in the session layer. 
With AT-TLS, session layer TLS calls are moved to the transport layer and 
eliminated from the session layer. 
No application changes are needed.

HTH,

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: Tuesday, June 30, 2020 4:22 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

Thanks Allan.  In TCP/IP programs I've written in C (both mainframe and 
non-mainframe), I've used connect(), send(), recv() and similar C functions for 
clear-text communication.  So I think that would be called the "logical layer".

And I'm assuming the "physical layer" would be at the point where software is 
talking to an OSA card.  In this case that would be the TCPIP address space, 
since my program doesn't talk directly to hardware.

That would mean AT-TLS comes into play via the TCPIP task, doing the encryption 
at that point, while my clear-text program has no idea and doesn't care.  
Certificates and other encryption parameters would be handled by AT-TLS at that 
point.

That's the picture I have so far.

Now in my own program if I called OpenSSL functions like SSL_connect() or 
SSL_read(), then encryption would be done at the logical layer, and my own 
program would then be responsible for certificates.  AT-TLS would not be 
needed, well, unless an auditor doesn't trust my SSL code.  That actually could 
be a consideration even for things like SFTP I guess - there's your first flame 
:)

On 6/30/2020 1:42 PM, Allan Staller wrote:
> Hopefully this will provide the clarity needed.
>
> AT-TLS works at the physical layer.
> FTPS and SFTP work at the logical layer
>
> Although not mutually exclusive, if you are doing one, the other is 
> unnecessary.
>
> Start the flame wars! Shields up. Condition Red! AT-TLS vs. SFTP!
>
> -Original Message-
> From: IBM Mainframe Discussion List  On 
> Behalf Of Tom Brennan
> Sent: Tuesday, June 30, 2020 12:19 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
>
> Do you know if either of those require AT-TLS?  When I installed and 
> configured SSHD last (a couple of years ago) it did its own encryption.
> I never worked with anything called FTPS.
>
> On 6/30/2020 10:12 AM, Marshall Stone wrote:
>> There are 2 types of FTP in use today on most mainframes.
>>
>> SFTP - which uses Open/SSH (SSHAGNT as client and SSHD as a server) 
>> and the encryption/authentication is generally provided by the use of 
>> RSA/DSA public/private key pairs. The public keys are exchanged and 
>> stored in known_hosts files (if acting as client) or authorized_keys 
>> file (if acting as server). Uses Server PORT 22 and ephemeral ports.
>>
>> FTPS - a completely different mechanism: the AT-TLS functions are 
>> provided by ICSF and policy agent (PAGENT). You must configure an 
>> FTPS TLS rule to allow the connection and the partner side also will 
>> require a similar rule. The encryption/authentication come from the 
>> PAGENT rule and the use of X.509 certificates.  These are exchanged 
>> between partners and loaded onto the RACF keyring. The PAGENT rule 
>> points back to the keyring. Uses Server PORT 990 by an old implicit 
>> default; most sites use a different port and connect clients with 
>> ephemeral port ranges. FTPS handles MVS datasets better; if possible 
>> use FTPS for MF to MF and use SFTP for MF to other 
>> platforms (MS, UNIX, etc).
>>
>> MS
>>
>> -Original Message-
>> From: IBM Mainframe Discussion List  On 
>> Behalf Of Tom Brennan
>> Sent: Tuesday, June 30, 2020 12:58 PM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
>>
>> I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar 
>> last week, but I'm still missing what I imagine are important background 
>> points.  Maybe someone here can explain things, but don't worry too much 
>> about it.
>>
>>

Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
Thanks Allan.  In TCP/IP programs I've written in C (both mainframe and 
non-mainframe), I've used connect(), send(), recv() and similar C 
functions for clear-text communication.  So I think that would be called 
the "logical layer".


And I'm assuming the "physical layer" would be at the point where 
software is talking to an OSA card.  In this case that would be the 
TCPIP address space, since my program doesn't talk directly to hardware.


That would mean AT-TLS comes into play via the TCPIP task, doing the 
encryption at that point, while my clear-text program has no idea and 
doesn't care.  Certificates and other encryption parameters would be 
handled by AT-TLS at that point.


That's the picture I have so far.

Now in my own program if I called OpenSSL functions like SSL_connect() 
or SSL_read(), then encryption would be done at the logical layer, and 
my own program would then be responsible for certificates.  AT-TLS would 
not be needed, well, unless an auditor doesn't trust my SSL code.  That 
actually could be a consideration even for things like SFTP I guess - 
there's your first flame :)


On 6/30/2020 1:42 PM, Allan Staller wrote:

Hopefully this will provide the clarity needed.

AT-TLS works at the physical layer.
FTPS and SFTP work at the logical layer

Although not mutually exclusive, if you are doing one, the other is unnecessary.

Start the flame wars! Shields up. Condition Red! AT-TLS vs. SFTP!

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: Tuesday, June 30, 2020 12:19 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

Do you know if either of those require AT-TLS?  When I installed and configured 
SSHD last (a couple of years ago) it did its own encryption.
I never worked with anything called FTPS.

On 6/30/2020 10:12 AM, Marshall Stone wrote:

There are 2 types of FTP in use today on most mainframes.

SFTP - which uses Open/SSH (SSHAGNT as client and SSHD as a server)
and the encryption/authentication is generally provided by the use of
RSA/DSA public/private key pairs. The public keys are exchanged and
stored in known_hosts files (if acting as client) or authorized_keys
file (if acting as server). Uses Server PORT 22 and ephemeral ports.

FTPS - a completely different mechanism: the AT-TLS functions are
provided by ICSF and policy agent (PAGENT). You must configure an
FTPS TLS rule to allow the connection and the partner side also will
require a similar rule. The encryption/authentication come from the
PAGENT rule and the use of X.509 certificates.  These are exchanged
between partners and loaded onto the RACF keyring. The PAGENT rule
points back to the keyring. Uses Server PORT 990 by an old implicit
default; most sites use a different port and connect clients with
ephemeral port ranges. FTPS handles MVS datasets better; if possible
use FTPS for MF to MF and use SFTP for MF to other
platforms (MS, UNIX, etc).

MS

-Original Message-
From: IBM Mainframe Discussion List  On
Behalf Of Tom Brennan
Sent: Tuesday, June 30, 2020 12:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar 
last week, but I'm still missing what I imagine are important background 
points.  Maybe someone here can explain things, but don't worry too much about 
it.

Client and server programs like SSH/SSHD call programs such as OpenSSL
to handle the encryption handshake and processing.  So when you set
those up, there is no AT-TLS needed for encryption.  Same with the
TN3270 server and client, as long as you set that up with keys and parameters 
on the host side, and settings on the client side.

I'm thinking because of the name "Application Transparent" that AT-TLS was made for 
programs that DON'T have their own logic to call OpenSSL (or whatever) to do their own encryption.  
Let's use clear-text FTP as an example.  So somehow, AT-TLS hooks into the processing and provides 
an encrypted "tunnel", kind of like VPN does, but only for that one application.  Does 
that sound correct?

If so, then the encryption is "transparent" to the FTP server code and FTP does 
not need to be changed, which I think is the whole idea here.
Yet we now have an encrypted session.  Does that sound correct?

Then if so, what happens on the FTP client side?  I certainly can't use the 
Windows FTP command, for example, because it's not setup for any kind of 
encryption.  That's kind of my big question here.

On 6/30/2020 1:44 AM, Lionel B Dyck wrote:

Sweet - thank you


Lionel B. Dyck <
Website:
https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%

Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Allan Staller
Hopefully this will provide the clarity needed.

AT-TLS works at the physical layer.
FTPS and SFTP work at the logical layer

Although not mutually exclusive, if you are doing one, the other is unnecessary.

Start the flame wars! Shields up. Condition Red! AT-TLS vs. SFTP!

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: Tuesday, June 30, 2020 12:19 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

Do you know if either of those require AT-TLS?  When I installed and configured 
SSHD last (a couple of years ago) it did its own encryption.
I never worked with anything called FTPS.

On 6/30/2020 10:12 AM, Marshall Stone wrote:
> There are 2 types of FTP in use today on most mainframes.
>
> SFTP - which uses Open/SSH (SSHAGNT as client and SSHD as a server)
> and the encryption/authentication is generally provided by the use of
> RSA/DSA public/private key pairs. The public keys are exchanged and
> stored in known_hosts files (if acting as client) or authorized_keys
> file (if acting as server). Uses Server PORT 22 and ephemeral ports.
>
> FTPS - a completely different mechanism: the AT-TLS functions are
> provided by ICSF and policy agent (PAGENT). You must configure an
> FTPS TLS rule to allow the connection and the partner side also will
> require a similar rule. The encryption/authentication come from the
> PAGENT rule and the use of X.509 certificates.  These are exchanged
> between partners and loaded onto the RACF keyring. The PAGENT rule
> points back to the keyring. Uses Server PORT 990 by an old implicit
> default; most sites use a different port and connect clients with
> ephemeral port ranges. FTPS handles MVS datasets better; if possible
> use FTPS for MF to MF and use SFTP for MF to other
> platforms (MS, UNIX, etc).
>
> MS
>
> -Original Message-
> From: IBM Mainframe Discussion List  On
> Behalf Of Tom Brennan
> Sent: Tuesday, June 30, 2020 12:58 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
>
> I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar 
> last week, but I'm still missing what I imagine are important background 
> points.  Maybe someone here can explain things, but don't worry too much 
> about it.
>
> Client and server programs like SSH/SSHD call programs such as OpenSSL
> to handle the encryption handshake and processing.  So when you set
> those up, there is no AT-TLS needed for encryption.  Same with the
> TN3270 server and client, as long as you set that up with keys and parameters 
> on the host side, and settings on the client side.
>
> I'm thinking because of the name "Application Transparent" that AT-TLS was 
> made for programs that DON'T have their own logic to call OpenSSL (or 
> whatever) to do their own encryption.  Let's use clear-text FTP as an 
> example.  So somehow, AT-TLS hooks into the processing and provides an 
> encrypted "tunnel", kind of like VPN does, but only for that one application. 
>  Does that sound correct?
>
> If so, then the encryption is "transparent" to the FTP server code and FTP 
> does not need to be changed, which I think is the whole idea here.
> Yet we now have an encrypted session.  Does that sound correct?
>
> Then if so, what happens on the FTP client side?  I certainly can't use the 
> Windows FTP command, for example, because it's not setup for any kind of 
> encryption.  That's kind of my big question here.
>
> On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
>> Sweet - thank you
>>
>>
>> Lionel B. Dyck <
>> Website: https://www.lbdsoftware.com
>>
>> "Worry more about your character than your reputation.  Character is
>> what you are, reputation merely what others think you are." - John
>> Wooden
>>
>> -Original Message-
>> From: IBM Mainframe Discussion List  On
>> Behalf Of kekronbekron
>> Sent: Tuesday, June 30, 2020 2:34 AM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: Re: AT-TLS ?
>>
>> Hi LBD!,
>>
>> Check these out-
>>
>>
>> https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww-
>> 0

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Allan Staller
> AT-TLS is required for TN3270 (and others ...)

The above is incorrect. AT-TLS is *NEVER* a requirement.
It is up to the installation to determine whether or not AT-TLS will be used.

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Jackson, Rob
Sent: Tuesday, June 30, 2020 12:10 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

A note, without addressing your entire post (certainly not my area of 
expertise):  AT-TLS is required for TN3270 (and others) if you want to use TLS 
1.2 and higher.  In your TELNETPARMS for the port, instead of using SECUREPORT, 
you use TTLSPORT, referencing a port specified in a TTLSRule in AT-TLS.

First Horizon Bank
Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: Tuesday, June 30, 2020 12:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar 
last week, but I'm still missing what I imagine are important background 
points.  Maybe someone here can explain things, but don't worry too much about 
it.

Client and server programs like SSH/SSHD call programs such as OpenSSL to 
handle the encryption handshake and processing.  So when you set those up, 
there is no AT-TLS needed for encryption.  Same with the
TN3270 server and client, as long as you set that up with keys and parameters 
on the host side, and settings on the client side.

I'm thinking because of the name "Application Transparent" that AT-TLS was made 
for programs that DON'T have their own logic to call OpenSSL (or whatever) to 
do their own encryption.  Let's use clear-text FTP as an example.  So somehow, 
AT-TLS hooks into the processing and provides an encrypted "tunnel", kind of 
like VPN does, but only for that one application.  Does that sound correct?

If so, then the encryption is "transparent" to the FTP server code and FTP does 
not need to be changed, which I think is the whole idea here.
Yet we now have an encrypted session.  Does that sound correct?

Then if so, what happens on the FTP client side?  I certainly can't use the 
Windows FTP command, for example, because it's not setup for any kind of 
encryption.  That's kind of my big question here.

On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
> Sweet - thank you
>
>
> Lionel B. Dyck <
> Website: https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation.  Character is
> what you are, reputation merely what others think you are." - John
> Wooden
>
> -Original Message-
> From: IBM Mainframe Discussion List  On
> Behalf Of kekronbekron
> Sent: Tuesday, June 30, 2020 2:34 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: AT-TLS ?
>
> Hi LBD!,
>
> Check these out-
>
>
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
>
> - KB
>
> ‐‐‐ Original Message ‐‐‐
> On Monday, June 29, 2020 3:56 AM, Lionel B Dyck  wrote:
>
>> Anyone have any pointers for configuring AT-TLS on z/OS?
>>
>> Lionel B. Dyck <
>> Website:
>> https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww
>> .lbdsoftware.com%
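Allan's point that AT-TLS moves the TLS work into the TCP/IP stack under a policy agent rule (so the application keeps its plain connect/send/recv calls), and Rob Jackson's note that the TN3270 server points at such a rule with TTLSPORT instead of SECUREPORT, both come down to what a PAGENT AT-TLS policy looks like in practice. The fragment below is an added illustration written for this thread; it is not taken from any message above or from IBM's own samples. The rule, action, jobname and keyring names (FTPRING, TN3270RING) are placeholders, and the cipher list and protocol-version settings are assumptions a site would replace with its own standard.

```text
# ---- PAGENT AT-TLS policy (illustrative; names are placeholders) ----

# Rule 1: z/OS FTP server, explicit FTPS on the control port.
TTLSRule                          FTPServerRule
{
  LocalPortRange                  21
  Direction                       Inbound
  Jobname                         FTPD*           # placeholder: FTP server jobname(s)
  TTLSGroupActionRef              grpTLSOn
  TTLSEnvironmentActionRef        envFTPServer
}

# Rule 2: TN3270 server on port 992, matched by the TTLSPORT statement below.
TTLSRule                          TN3270ServerRule
{
  LocalPortRange                  992
  Direction                       Inbound
  Jobname                         TN3270          # placeholder: Telnet server jobname
  TTLSGroupActionRef              grpTLSOn
  TTLSEnvironmentActionRef        envTN3270Server
}

TTLSGroupAction                   grpTLSOn
{
  TTLSEnabled                     On
  Trace                           2               # log errors only
}

TTLSEnvironmentAction             envFTPServer
{
  HandshakeRole                   Server
  TTLSKeyringParms
  {
    Keyring                       FTPRING         # RACF keyring holding the server certificate
  }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled         On              # FTP starts TLS itself after the client's AUTH TLS
    SecondaryMap                  On              # data connections inherit this rule
    SSLv3                         Off
    TLSv1                         Off
    TLSv1.1                       Off
    TLSv1.2                       On
  }
  TTLSCipherParmsRef              ciphersStrong
}

TTLSEnvironmentAction             envTN3270Server
{
  HandshakeRole                   Server
  TTLSKeyringParms
  {
    Keyring                       TN3270RING      # placeholder keyring name
  }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled         On              # Telnet decides per CONNTYPE when to start TLS
    SSLv3                         Off
    TLSv1                         Off
    TLSv1.1                       Off
    TLSv1.2                       On
  }
  TTLSCipherParmsRef              ciphersStrong
}

TTLSCipherParms                   ciphersStrong
{
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}

# ---- FTP.DATA for the FTP server: hand TLS to AT-TLS, require it ----
TLSMECHANISM     ATTLS          ; use the AT-TLS rule instead of System SSL calls in FTP
SECURE_FTP       REQUIRED       ; clients must issue AUTH TLS
SECURE_CTRLCONN  PRIVATE
SECURE_DATACONN  PRIVATE

# ---- TCPIP profile, Telnet: TTLSPORT instead of SECUREPORT ----
TELNETPARMS
  TTLSPORT 992                  ; TLS comes from the AT-TLS rule for port 992
  ; SECUREPORT 992              ; the older form: Telnet calls System SSL itself
  ; KEYRING SAF TN3270RING      ; only needed with SECUREPORT
ENDTELNETPARMS
```

Two caveats a practitioner will want: the z/OS FTP and TN3270 servers are AT-TLS aware rather than fully transparent, so both need ApplicationControlled On (FTP starts the handshake after the client's AUTH TLS, Telnet according to its CONNTYPE), and FTP additionally needs SecondaryMap On so the data connections map to the same rule. To confirm what actually took effect, pasearch -t lists the active TTLS policy and TSO NETSTAT TTLS shows the AT-TLS status of each connection. This is the host side only: as Don Poitras says further down the thread, the client must itself speak FTPS (or TLS for Telnet); a rule on the host does nothing for a client with no TLS support.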

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Steve Beaver
AT-TLS has been around for a while.  What is causing problems for tools like 
CL/Supersession, CA-TPX and such is PAGENT.

Once PAGENT is turned on all bets are off

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Tom Brennan
Sent: Tuesday, June 30, 2020 11:58 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

I've tried to skim some of the AT-TLS doc, and even attended an IBM 
webinar last week, but I'm still missing what I imagine are important 
background points.  Maybe someone here can explain things, but don't 
worry too much about it.

Client and server programs like SSH/SSHD call programs such as OpenSSL 
to handle the encryption handshake and processing.  So when you set 
those up, there is no AT-TLS needed for encryption.  Same with the 
TN3270 server and client, as long as you set that up with keys and 
parameters on the host side, and settings on the client side.

I'm thinking because of the name "Application Transparent" that AT-TLS 
was made for programs that DON'T have their own logic to call OpenSSL 
(or whatever) to do their own encryption.  Let's use clear-text FTP as 
an example.  So somehow, AT-TLS hooks into the processing and provides 
an encrypted "tunnel", kind of like VPN does, but only for that one 
application.  Does that sound correct?

If so, then the encryption is "transparent" to the FTP server code and 
FTP does not need to be changed, which I think is the whole idea here. 
Yet we now have an encrypted session.  Does that sound correct?

Then if so, what happens on the FTP client side?  I certainly can't use 
the Windows FTP command, for example, because it's not setup for any 
kind of encryption.  That's kind of my big question here.

On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
> Sweet - thank you
> 
> 
> Lionel B. Dyck <
> Website: https://www.lbdsoftware.com
> 
> "Worry more about your character than your reputation.  Character is what you 
> are, reputation merely what others think you are." - John Wooden
> 
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf Of 
> kekronbekron
> Sent: Tuesday, June 30, 2020 2:34 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: AT-TLS ?
> 
> Hi LBD!,
> 
> Check these out-
> 
> 
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
> 
> - KB
> 
> ‐‐‐ Original Message ‐‐‐
> On Monday, June 29, 2020 3:56 AM, Lionel B Dyck  wrote:
> 
>> Anyone have any pointers for configuring AT-TLS on z/OS?
>>
>> Lionel B. Dyck <
>> Website: https://www.lbdsoftware.com https://www.lbdsoftware.com
>>
>> "Worry more about your character than your reputation. Character is
>> what you are, reputation merely what others think you are." - John
>> Wooden
>>
>>


Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Mike Hochee
Some years ago this publication helped me come to a basic understanding of 
AT-TLS (apologies if already shared)...   
https://www.ibm.com/support/pages/leveraging-zos-communications-server-application-transparent-transport-layer-security-tls-lower-cost-and-more-rapid-tls-deployment
 
HTH
Mike 
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Paul Gilmartin
Sent: Tuesday, June 30, 2020 1:34 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

On Tue, 30 Jun 2020 09:57:48 -0700, Tom Brennan wrote:
>...
>Then if so, what happens on the FTP client side?  I certainly can't use 
>the Windows FTP command, for example, because it's not setup for any 
>kind of encryption.  That's kind of my big question here.
>
I believe that (sometimes) there's a proxy involved.  Beyond that, only GIYF:
https://www.google.com/search?q=at-tls+proxy+ftp
which links to:
ftp://ftp.www.ibm.com/s390/zos/racf/pdf/secure_zos_ftp.pdf

-- gil



Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Don Poitras
In article  you 
wrote:
> I've tried to skim some of the AT-TLS doc, and even attended an IBM 
> webinar last week, but I'm still missing what I imagine are important 
> background points.  Maybe someone here can explain things, but don't 
> worry too much about it.

> Client and server programs like SSH/SSHD call programs such as OpenSSL 
> to handle the encryption handshake and processing.  So when you set 
> those up, there is no AT-TLS needed for encryption.  Same with the 
> TN3270 server and client, as long as you set that up with keys and 
> parameters on the host side, and settings on the client side.

> I'm thinking because of the name "Application Transparent" that AT-TLS 
> was made for programs that DON'T have their own logic to call OpenSSL 
> (or whatever) to do their own encryption.  Let's use clear-text FTP as 
> an example.  So somehow, AT-TLS hooks into the processing and provides 
> an encrypted "tunnel", kind of like VPN does, but only for that one 
> application.  Does that sound correct?

> If so, then the encryption is "transparent" to the FTP server code and 
> FTP does not need to be changed, which I think is the whole idea here. 
> Yet we now have an encrypted session.  Does that sound correct?

> Then if so, what happens on the FTP client side?  I certainly can't use 
> the Windows FTP command, for example, because it's not setup for any 
> kind of encryption.  That's kind of my big question here.

I can't see that anyone answered your last question. Yes, the default Windows
FTP doesn't support encryption. There are third-party FTPS client programs you 
can purchase that do so. Or you could run lftp on the Windows Ubuntu shell.

-- 
Don Poitras - SAS Development  -  SAS Institute Inc. - SAS Campus Drive
sas...@sas.com   (919) 531-5637Cary, NC 27513



Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Jackson, Rob
Ah, maybe he was going on this or something similar, and it got garbled in 
translation:

https://www.ibm.com/support/pages/zos-communications-server-tls-needed-implement-tls-v12

First Horizon Bank
Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Jackson, Rob
Sent: Tuesday, June 30, 2020 1:31 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [Originated Externally]Re: AT-TLS ? Very Basic Questions

My turn to say interesting!  I didn't look it up; just going on what the Comm 
guy assured me.  We're still on 2.2 (shortly on to 2.4), so maybe that makes a 
difference.

First Horizon Bank
Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Lennie Dymoke-Bradshaw
Sent: Tuesday, June 30, 2020 1:18 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

I have TLS 1.2 working in my TN3270 server without AT-TLS.
This is on z/OS 2.3

Lennie Dymoke-Bradshaw
Consultant working on contract for
BMC Mainframe Services by RSM Partners
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Jackson, Rob
Sent: 30 June 2020 18:10
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] AT-TLS ? Very Basic Questions

A note, without addressing your entire post (certainly not my area of 
expertise):  AT-TLS is required for TN3270 (and others) if you want to use TLS 
1.2 and higher.  In your TELNETPARMS for the port, instead of using SECUREPORT, 
you use TTLSPORT, referencing a port specified in a TTLSRule in AT-TLS.

First Horizon Bank
Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: Tuesday, June 30, 2020 12:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar 
last week, but I'm still missing what I imagine are important background 
points.  Maybe someone here can explain things, but don't worry too much about 
it.

Client and server programs like SSH/SSHD call programs such as OpenSSL to 
handle the encryption handshake and processing.  So when you set those up, 
there is no AT-TLS needed for encryption.  Same with the
TN3270 server and client, as long as you set that up with keys and parameters 
on the host side, and settings on the client side.

I'm thinking because of the name "Application Transparent" that AT-TLS was made 
for programs that DON'T have their own logic to call OpenSSL (or whatever) to 
do their own encryption.  Let's use clear-text FTP as an example.  So somehow, 
AT-TLS hooks into the processing and provides an encrypted "tunnel", kind of 
like VPN does, but only for that one application.  Does that sound correct?

If so, then the encryption is "transparent" to the FTP server code and FTP does 
not need to be changed, which I think is the whole idea here.
Yet we now have an encrypted session.  Does that sound correct?

Then if so, what happens on the FTP client side?  I certainly can't use the 
Windows FTP command, for example, because it's not setup for any kind of 
encryption.  That's kind of my big question here.

On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
> Sweet - thank you
>
>
> Lionel B. Dyck <
> Website: https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation.  Character is 
> what you are, reputation merely what others think you are." - John 
> Wooden
>
> -Original Message-
> From: IBM Mainframe Discussion List  On 
> Behalf Of kekronbekron
> Sent: Tuesday, June 30, 2020 2:34 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: AT-TLS ?
>
> Hi LBD!,
>
> Check these out-
>
>
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
>
> - KB
>
> ‐‐‐ Original Message ‐‐‐
> On Monday, June 29, 2020 3:56 AM, Lionel B Dyck  wrote:
>
>> Anyone have any pointers for configuring AT-TLS on z/OS?
>>
>> Lionel B. Dyck <
>> Website: https://www.lbdsoftware.com https://www.lbdsoftware.com
>>
>> "Worry more about your character than your reputation. Character is 
>> what you are, reputation merely what others think you are." - John 
>> Wooden
>>
>>

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Paul Gilmartin
On Tue, 30 Jun 2020 09:57:48 -0700, Tom Brennan wrote:
>...
>Then if so, what happens on the FTP client side?  I certainly can't use
>the Windows FTP command, for example, because it's not setup for any
>kind of encryption.  That's kind of my big question here.
>
I believe that (sometimes) there's a proxy involved.  Beyond that, only GIYF:
https://www.google.com/search?q=at-tls+proxy+ftp
which links to:
ftp://ftp.www.ibm.com/s390/zos/racf/pdf/secure_zos_ftp.pdf

-- gil



Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Jackson, Rob
My turn to say interesting!  I didn't look it up; just going on what the Comm 
guy assured me.  We're still on 2.2 (shortly on to 2.4), so maybe that makes a 
difference.

First Horizon Bank
Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Lennie Dymoke-Bradshaw
Sent: Tuesday, June 30, 2020 1:18 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

I have TLS 1.2 working in my TN3270 server without AT-TLS.
This is on z/OS 2.3

Lennie Dymoke-Bradshaw
Consultant working on contract for
BMC Mainframe Services by RSM Partners
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Jackson, Rob
Sent: 30 June 2020 18:10
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] AT-TLS ? Very Basic Questions

A note, without addressing your entire post (certainly not my area of 
expertise):  AT-TLS is required for TN3270 (and others) if you want to use TLS 
1.2 and higher.  In your TELNETPARMS for the port, instead of using SECUREPORT, 
you use TTLSPORT, referencing a port specified in a TTLSRule in AT-TLS.

First Horizon Bank
Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: Tuesday, June 30, 2020 12:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

[External Email. Exercise caution when clicking links or opening attachments.]

I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar 
last week, but I'm still missing what I imagine are important background 
points.  Maybe someone here can explain things, but don't worry too much about 
it.

Client and server programs like SSH/SSHD call programs such as OpenSSL to 
handle the encryption handshake and processing.  So when you set those up, 
there is no AT-TLS needed for encryption.  Same with the
TN3270 server and client, as long as you set that up with keys and parameters 
on the host side, and settings on the client side.

I'm thinking because of the name "Application Transparent" that AT-TLS was made 
for programs that DON'T have their own logic to call OpenSSL (or whatever) to 
do their own encryption.  Let's use clear-text FTP as an example.  So somehow, 
AT-TLS hooks into the processing and provides an encrypted "tunnel", kind of 
like VPN does, but only for that one application.  Does that sound correct?

If so, then the encryption is "transparent" to the FTP server code and FTP does 
not need to be changed, which I think is the whole idea here.
Yet we now have an encrypted session.  Does that sound correct?

Then if so, what happens on the FTP client side?  I certainly can't use the 
Windows FTP command, for example, because it's not setup for any kind of 
encryption.  That's kind of my big question here.

On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
> Sweet - thank you
>
>
> Lionel B. Dyck <
> Website: https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation.  Character is 
> what you are, reputation merely what others think you are." - John 
> Wooden
>
> -Original Message-
> From: IBM Mainframe Discussion List  On 
> Behalf Of kekronbekron
> Sent: Tuesday, June 30, 2020 2:34 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: AT-TLS ?
>
> Hi LBD!,
>
> Check these out-
>
>
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
>
> - KB
>
> ‐‐‐ Original Message ‐‐‐
> On Monday, June 29, 2020 3:56 AM, Lionel B Dyck  wrote:
>
>> Anyone have any pointers for configuring AT-TLS on z/OS?
>>
>> Lionel B. Dyck <
>> Website: https://www.lbdsoftware.com https://www.lbdsoftware.com
>>
>> "Worry more about your character than your reputation. Character is 
>> what you are, reputation merely what others think you are." - John 
>> Wooden
>>
>>
>> -
>> -
>> -
>> -
>> -
>>
>> For IBM-MAIN subscribe / signoff / archive access instructions, send 
>> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
> For IBM-MA

Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Marshall Stone
Anything SFTP on Open/SSH will never use AT-TLS

FTPS - Is IBM's FTP program not using PORT 21 and running in secured mode, 
setup to force authentication and use AT/TLS for encryption

MS

Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
Do you know if either of those require AT-TLS?  When I installed and 
configured SSHD last (a couple of years ago) it did its own encryption. 
I never worked with anything called FTPS.



Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Lennie Dymoke-Bradshaw
I have TLS 1.2 working in my TN3270 server without AT-TLS.
This is on z/OS 2.3

Lennie Dymoke-Bradshaw
Consultant working on contract for
BMC Mainframe Services by RSM Partners
‘Dance like no one is watching. Encrypt like everyone is.’

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN Confidentiality 
notice: 
This e-mail message, including any attachments, may contain legally privileged 
and/or confidential information. If you are not the intend

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
Interesting!  I've set up the TN3270 parms on the mainframe for SSL/TLS 
but that was before TLS1.2






Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Marshall Stone
There are 2 types of FTP in use today on most mainframes.

SFTP  - which uses Open/SSH (SSHAGNT as client and SSHD as a server) and the 
encryption/authentication is generally provided by the use of RSA/DSA 
public/private key pairs. The public keys are exchanged and stored in 
known_hosts files (if acting as client) or authorized_keys file (if acting as 
server) - Uses Server PORT 22 and ephemeral ports

FTPS - completely different mechanism the AT/TLS functions are provided by ICSF 
and policy agent (PAGENT) - You must configure an FTPS TLS rule to allow the 
connection and the partner side also will require a similar rule. The 
encryption/authentication come from the PAGENT rule and the use of x.509 
certificates.  These are exchanged between partners and loaded onto the RACF 
keyring. The PAGNET rule points back to the keyring. - Uses Server PORT 990 by 
an old implicit default most sites use a different port and connect clients 
with ephemeral port ranges. FTPS handles MVS datasets better if possible use 
FTPS for MF to MF and use SFTP for MF to Other platforms(MS,UNIX,etc)

MS


Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Jackson, Rob
A note, without addressing your entire post (certainly not my area of 
expertise):  AT-TLS is required for TN3270 (and others) if you want to use TLS 
1.2 and higher.  In your TELNETPARMS for the port, instead of using SECUREPORT, 
you use TTLSPORT, referencing a port specified in a TTLSRule in AT-TLS.

First Horizon Bank
Mainframe Technical Support

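The SECUREPORT-to-TTLSPORT change described above, together with the AT-TLS
policy the TTLSPORT statement relies on, as an added example assembled from
IBM's documented PROFILE.TCPIP, TN3270 and Policy Agent keywords; it is not
taken from the thread. Port 2023, the job name TN3270, the keyring name
TN3270RING, the rule/action names and the cipher list are assumptions for
illustration and must be replaced with the site's own values.

```text
; PROFILE.TCPIP: the stack must have AT-TLS enabled before any TTLSRule applies
TCPCONFIG TTLS

; TN3270 profile, before: the server does its own SSL/TLS for the port
TELNETPARMS
  SECUREPORT 2023
  KEYRING SAF TN3270RING
  CONNTYPE SECURE
ENDTELNETPARMS

; TN3270 profile, after: the port is handed to AT-TLS; keyring, protocol
; versions and ciphers now live in the Policy Agent policy below
TELNETPARMS
  TTLSPORT 2023
  CONNTYPE SECURE
ENDTELNETPARMS

# Policy Agent AT-TLS policy (the file named on the TTLSConfig statement)
TTLSRule                     TN3270ServerRule
{
  LocalPortRange             2023
  Direction                  Inbound
  Jobname                    TN3270
  TTLSGroupActionRef         TN3270Group
  TTLSEnvironmentActionRef   TN3270Environment
}
TTLSGroupAction              TN3270Group
{
  TTLSEnabled                On
}
TTLSEnvironmentAction        TN3270Environment
{
  HandshakeRole              Server
  TTLSKeyringParms
  {
    Keyring                  TN3270RING
  }
  TTLSCipherParms
  {
    V3CipherSuites           TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    V3CipherSuites           TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  }
  TTLSEnvironmentAdvancedParms
  {
    # TN3270 is a controlling application: it starts the handshake itself
    # so that CONNTYPE negotiation on the port still works
    ApplicationControlled    On
    SSLv2                    Off
    SSLv3                    Off
    TLSv1                    Off
    TLSv1.1                  Off
    TLSv1.2                  On
  }
}
```

After editing the policy, refresh the agent (F PAGENT,REFRESH) and confirm the
rule is active with pasearch -t before pointing clients at the port; a rule that
is present but inactive leaves the port answering in clear text.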


Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
I've tried to skim some of the AT-TLS doc, and even attended an IBM 
webinar last week, but I'm still missing what I imagine are important 
background points.  Maybe someone here can explain things, but don't 
worry too much about it.


Client and server programs like SSH/SSHD call programs such as OpenSSL 
to handle the encryption handshake and processing.  So when you set 
those up, there is no AT-TLS needed for encryption.  Same with the 
TN3270 server and client, as long as you set that up with keys and 
parameters on the host side, and settings on the client side.


I'm thinking because of the name "Application Transparent" that AT-TLS 
was made for programs that DON'T have their own logic to call OpenSSL 
(or whatever) to do their own encryption.  Let's use clear-text FTP as 
an example.  So somehow, AT-TLS hooks into the processing and provides 
an encrypted "tunnel", kind of like VPN does, but only for that one 
application.  Does that sound correct?


If so, then the encryption is "transparent" to the FTP server code and 
FTP does not need to be changed, which I think is the whole idea here. 
Yet we now have an encrypted session.  Does that sound correct?


Then if so, what happens on the FTP client side?  I certainly can't use 
the Windows FTP command, for example, because it's not setup for any 
kind of encryption.  That's kind of my big question here.




Re: AT-TLS ?

2020-06-30 Thread Lionel B Dyck
Sweet - thank you


Lionel B. Dyck
Website: https://www.lbdsoftware.com

"Worry more about your character than your reputation.  Character is what you 
are, reputation merely what others think you are." - John Wooden



Re: AT-TLS ?

2020-06-30 Thread kekronbekron
Hi LBD!,

Check these out-


http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414

- KB



Re: AT-TLS ?

2020-06-29 Thread Rob Schramm
Redbooks are both helpful and not.
There was an old presentation on it (SHARE) that I found really helpful and
insightful.

Do you have z/OSMF set up?  If not, it is possible to use the samples to set
it up.





Re: AT-TLS ?

2020-06-29 Thread Roberto Halais
GSK trace was very helpful!

-- 
Politics: Poli (many) - tics (blood sucking parasites)



Re: AT-TLS ?

2020-06-29 Thread Lionel B Dyck
The goal is to enable RRSF which requires AT-TLS and then enable secure FTP TLS 
 and TN3270 with it.  Installing CoZ:SFTP for improved sftp capabilities as 
well.

Thanks

Lionel B. Dyck
Website: https://www.lbdsoftware.com

"Worry more about your character than your reputation.  Character is what you 
are, reputation merely what others think you are." - John Wooden



Re: AT-TLS ?

2020-06-29 Thread Wendell Lovewell
Lionel, what type of endpoints are you wanting to use AT-TLS to secure?  I 
might have some notes that would help.  

Here is some general information about diagnosing AT-TLS errors:

If there is a problem making the connection, AT-TLS will display an error on 
the console.  Here are a few examples.  The endpoints were a started task 
(XYZSTC) and a CICS region (CICSA):

EZD1287I TTLS Error RC:  417 Initial Handshake 560
  LOCAL: 10.1.1.1..1213
  REMOTE: 10.1.1.1..5401
  JOBNAME: XYZSTC RULE: XYZ_STC_Rule
  USERID: STCOPER GRPID: 000F ENVID: 0013 CONNID: 06DE
EZD1287I TTLS Error RC:  435 Initial Handshake 561
  LOCAL: 10.1.1.1..5401
  REMOTE: 10.1.1.1..1213
  JOBNAME: CICSA RULE: XYZ_CICS_Rule
  USERID: CICSA GRPID: 000E ENVID: 0014 CONNID: 06DF

EZD1287I TTLS Error RC:  508 Initial Handshake 462
  LOCAL: 10.1.1.1..1206
  REMOTE: 10.1.1.1..5401
  JOBNAME: XYZSTC RULE: XYZ_STC_Rule
  USERID: STCOPER GRPID: 000F ENVID: 0010 CONNID: 06B9
EZD1287I TTLS Error RC:  438 Initial Handshake 463
  LOCAL: 10.1.1.1..5401
  REMOTE: 10.1.1.1..1206
  JOBNAME: CICSA RULE: XYZ_CICS_Rule
  USERID: CICSA GRPID: 000E ENVID: 0011 CONNID: 06BA

EZD1287I TTLS Error RC: 5006 Initial Handshake 476
  LOCAL: 10.1.1.1..5401
  REMOTE: 10.1.1.1..1173
  JOBNAME: CICSA RULE: XYZ_CICS_Rule
  USERID: CICSA GRPID: 000E ENVID: 000E CONNID: 05A4
EZD1287I TTLS Error RC:  406 Initial Handshake 477
  LOCAL: 10.1.1.1..1173
  REMOTE: 10.1.1.1..5401
  JOBNAME: XYZSTC RULE: XYZ_STC_Rule


The RC values are most helpful.  Since there is a policy used for both inbound 
(XYZ_CICS_Rule) and outbound (XYZ_STC_Rule—note the rules in play are also 
displayed on the console), there will likely be two EZD1287I messages displayed 
if there is a problem.  (Both sides will experience a problem.)  You can find 
an explanation for these in the SC14-7495-30 Cryptographic Services System 
Secure Sockets Layer Programming manual, currently in chapter 13.

SC27-3651-30 IP Configuration Reference contains the syntax for the AT-TLS 
policy (/etc/pagent_TTLS.conf).

GC27-3652-30 IP Diagnosis Guide may be useful if you are getting GSK errors.

SA23-2292-30 Security Server RACF Command Language Reference contains the 
syntax for the RACDCERT instructions.

If you need to see the GSK messages, set the Trace value in the TTLSGroupAction 
parms for both the XYZ_CICS_Rule and XYZ_STC_Rule to Trace 255.  When you 
upload /etc/pagent_TTLS.conf, the policy agent will re-install the policy.

If you make RACF changes to the keyrings, you need to tell the policy agent to 
refresh its settings for them.  You can do this by changing the 
EnvironmentAction value & reloading the pagent_TTLS.conf file.

Hth,
Wendell
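
An added example, not from the thread or from IBM, that does the pairing
Wendell describes by hand: it reads EZD1287I console messages, keeps the RC,
rule, jobname and both endpoints of each, and matches the message from one side
of a connection with the message from the other side (LOCAL and REMOTE swapped),
so the two RCs for one failed handshake are read together.  The sample input is
the console output quoted in the post (two of its three failing connections;
the last message, as posted, has no USERID line).  The regular expressions
assume the EZD1287I layout shown in the post.

```python
"""Pair the two EZD1287I messages AT-TLS writes for one failed handshake.
Added example for this thread, not IBM code: the sample below is the console
output quoted in the post (two of the three failing connections)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAMPLE_CONSOLE = """
EZD1287I TTLS Error RC:  417 Initial Handshake 560
  LOCAL: 10.1.1.1..1213
  REMOTE: 10.1.1.1..5401
  JOBNAME: XYZSTC RULE: XYZ_STC_Rule
  USERID: STCOPER GRPID: 000F ENVID: 0013 CONNID: 06DE
EZD1287I TTLS Error RC:  435 Initial Handshake 561
  LOCAL: 10.1.1.1..5401
  REMOTE: 10.1.1.1..1213
  JOBNAME: CICSA RULE: XYZ_CICS_Rule
  USERID: CICSA GRPID: 000E ENVID: 0014 CONNID: 06DF

EZD1287I TTLS Error RC: 5006 Initial Handshake 476
  LOCAL: 10.1.1.1..5401
  REMOTE: 10.1.1.1..1173
  JOBNAME: CICSA RULE: XYZ_CICS_Rule
  USERID: CICSA GRPID: 000E ENVID: 000E CONNID: 05A4
EZD1287I TTLS Error RC:  406 Initial Handshake 477
  LOCAL: 10.1.1.1..1173
  REMOTE: 10.1.1.1..5401
  JOBNAME: XYZSTC RULE: XYZ_STC_Rule
"""

Endpoint = Tuple[str, int]


@dataclass
class TtlsError:
    rc: int                    # System SSL return code, explained in SC14-7495
    phase: str                 # e.g. "Initial Handshake"
    seq: int                   # trailing counter on the header line
    local: Endpoint = ("", 0)
    remote: Endpoint = ("", 0)
    fields: Dict[str, str] = field(default_factory=dict)   # JOBNAME, RULE, USERID, ...


HEADER_RE = re.compile(r"^EZD1287I\s+TTLS Error RC:\s*(\d+)\s+(.+?)\s+(\d+)$")
ENDPOINT_RE = re.compile(r"^(LOCAL|REMOTE):\s*(\S+?)\.\.(\d+)$")
KV_RE = re.compile(r"(\w+):\s*(\S+)")


def parse_ezd1287i(text: str) -> List[TtlsError]:
    # Mail clients often fold the next EZD1287I onto the CONNID line;
    # put every header back at the start of its own line first.
    text = re.sub(r"[ \t]+EZD1287I", "\nEZD1287I", text)
    records: List[TtlsError] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            records.append(TtlsError(int(m.group(1)), m.group(2), int(m.group(3))))
            continue
        if not records:
            continue                        # continuation without a header: skip
        cur = records[-1]
        m = ENDPOINT_RE.match(line)
        if m:
            ep: Endpoint = (m.group(2), int(m.group(3)))
            if m.group(1) == "LOCAL":
                cur.local = ep
            else:
                cur.remote = ep
        else:
            cur.fields.update(KV_RE.findall(line))
    return records


def pair_errors(records: List[TtlsError]):
    """Match each message with the next one whose LOCAL/REMOTE are mirrored,
    i.e. the other end of the same TCP connection.  Ephemeral ports get
    reused, so on a long SYSLOG also compare the message timestamps."""
    pairs, unmatched, pending = [], [], list(records)
    while pending:
        a = pending.pop(0)
        for i, b in enumerate(pending):
            if a.local == b.remote and a.remote == b.local and a.phase == b.phase:
                pairs.append((a, b))
                del pending[i]
                break
        else:
            unmatched.append(a)
    return pairs, unmatched


def describe(r: TtlsError) -> str:
    return (f"RC {r.rc} in {r.fields.get('JOBNAME', '?')} rule {r.fields.get('RULE', '?')} "
            f"({r.local[0]}:{r.local[1]} -> {r.remote[0]}:{r.remote[1]})")


def summarize(text: str) -> List[str]:
    pairs, unmatched = pair_errors(parse_ezd1287i(text))
    return ([f"{describe(a)}  <->  {describe(b)}" for a, b in pairs]
            + [f"UNMATCHED: {describe(r)}" for r in unmatched])


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_CONSOLE)))
```

Feed it the SYSLOG extract (or a pasted console screen) instead of the sample;
an UNMATCHED line means only one side logged, which usually points at the peer
not being under an AT-TLS rule at all, or not being a z/OS system.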



Re: AT-TLS ?

2020-06-29 Thread Steve Beaver
Well, that does take digital certs and pagent. Now, there are currently no 
vendors that support AT-TLS; if you are looking for something like TPX or CL/SS 
the answer is no.

Sent from my iPhone

I promise you I can’t type or
Spell on any smartphone 



Re: AT-TLS ?

2020-06-29 Thread Lionel B Dyck
Thank you everyone for your advice - this morning will be time deep in the
doc.


Lionel B. Dyck
Website: https://www.lbdsoftware.com

"Worry more about your character than your reputation.  Character is what
you are, reputation merely what others think you are." - John Wooden



Re: AT-TLS ?

2020-06-28 Thread Wayne Bickerdike
The Redbook : http://www.redbooks.ibm.com/redbooks/pdfs/sg248041.pdf

-- 
Wayne V. Bickerdike



Re: AT-TLS ?

2020-06-28 Thread Wayne Bickerdike
The IBM Redbook for RACF RRSF has most of the information needed to
configure AT-TLS.

We're in the process of rolling out RRSF for RACF password sync. It's
working between two of our plexes, I followed the book, used SYS1.SAMPLIB
examples rather than attempting via zOSMF.



-- 
Wayne V. Bickerdike



Re: AT-TLS ?

2020-06-28 Thread Itschak Mugzach
A simpler way is to write the protocol yourself. It requires zero
configuration other than a set of certificates. Have a look at z/os web
enablement toolkit (Http/https protocol enabler portion). Works great and
fully supports Rexx.

ITschak

*| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux
and IBM I **|  *

*|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|*
*Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il  **|*







Re: AT-TLS ?

2020-06-28 Thread Gibney, Dave
The details in the documentation are a bit scattered, including separate 
sections for FTPS and TN3270.



Re: AT-TLS ?

2020-06-28 Thread Mike Hochee
Hi Lionel, 

I did this a few years back and utilized it for a product. Below are a few 
items from the product doc and a few more that remain in accessible memory 
areas...

- Read the relevant sections of Comm Server IP Configuration Ref, specifically 
in the chapter on Policy Agent (PA) and Policy Applications. Also in the IP 
Configuration Guide, there is a chapter on AT-TLS Security Data Protection, 
topic TCPIP Stack Initialization. 

- Use z/OSMF for generation of your initial set of PA config files and inputs, 
then consider manually tailoring. I opted for this approach under z/OS 2.2, but 
z/OSMF has undoubtedly improved greatly since then, so maybe you can use z/OSMF 
exclusively w/out too much pain these days. 

- Configure the syslog daemon, and test it to ensure messages are being 
collected for whatever you're interested in (TCPIP is not a pre-req for 
syslogd) 

- Configure PROFILE.TCPIP, you will need to add a TTLS parm to the TCPCONFIG 
statement

- Create the resource profile used to block access to the TCPIP stack during 
initialization, the name of the resource will be 
EZB.INITSTACK.%sysname.%tcpprocname  (it may be differently named w/ACF2 or 
TSS) 

- Create a server keyring and x509 certificate, and then connect the cert to 
the keyring, and depending on what you're doing you may need to permit access 
so the keyring and cert can be listed (resources are IRR.DIGTCERT.LISTRING and 
IRR.DIGTCERT.LIST) 

- Once you have done the above and are ready to test: 
Ensure syslogd running 
Stop the TCPIP AS (there are undoubtedly less invasive ways) 
Start the TCPIP AS and watch for msg EZZ4248E, after which you should start 
your PA daemon (eventually, you'll want to automate this), the start will 
probably look something like... /usr/lpp/tcpip/sbin/pagent -l /tmp/pagent.log 
-c /etc/pagent.conf & 

- Once started, check out the following for messages... 
MVS system log 
Pagent log file
Output from the pasearch -t command 

If you need additional detail, please feel free to email me directly. 

HTH, 
Mike  
 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
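
An added example, not from the thread and not one of IBM's SAMPLIB or z/OSMF
samples, of where the steps Mike lists above end up for the FTP server: the
PROFILE.TCPIP, FTP.DATA and RACF pieces are noted as comments and the AT-TLS
policy itself follows.  It also answers Tom Brennan's question earlier on the
page about the client side: with ApplicationControlled On the z/OS FTP daemon
still drives the AUTH TLS exchange itself and only hands the TLS work to the
stack, so the partner has to be an FTPS-capable client (explicit TLS); a plain
Windows ftp.exe, which cannot speak TLS, is out, exactly as Tom suspected.
Every name here (system and stack names, keyring, jobname mask, rule and
action names, the trace level) is an assumption for illustration; the statement
keywords are those of the IP Configuration Reference cited in this thread, so
check them against your release before use.  RRSF and TN3270 each need their
own rule, described in their own sections of the same documentation.

```text
# Added example: minimal AT-TLS policy for the z/OS FTP server (port 21).
# All names are assumptions; keyword spellings follow the IP Configuration
# Reference.  Pieces outside this file, in the order Mike's steps give them:
#
#   PROFILE.TCPIP   TCPCONFIG TTLS
#   FTP.DATA        TLSMECHANISM ATTLS      (server hands TLS to the stack)
#   RACF            RACDCERT ID(TCPIP)  ADDRING(FTPRING)
#                   server certificate connected to FTPRING as DEFAULT
#                   READ on IRR.DIGTCERT.LISTRING for the stack userid
#                   READ on EZB.INITSTACK.<sysname>.<tcpname> (SERVAUTH)
#                   for PAGENT and SYSLOGD, so they can start before the
#                   policy is loaded; everything else waits on EZZ4248E
#
# After editing: restart or refresh PAGENT, then "pasearch -t" to confirm
# the rule is active and "netstat -ttls" (TSO: NETSTAT TTLS) to see which
# connections picked it up.

TTLSRule FTPD_Server_Rule
{
  LocalPortRange            21
  Direction                 Inbound
  Jobname                   FTPD*            # assumed listener jobname mask
  TTLSGroupActionRef        FTPD_Group
  TTLSEnvironmentActionRef  FTPD_Server_Env
}

TTLSGroupAction FTPD_Group
{
  TTLSEnabled               On
  Trace                     2                # Wendell's tip: 255 while debugging
}

TTLSEnvironmentAction FTPD_Server_Env
{
  HandshakeRole             Server
  TTLSKeyringParms
  {
    Keyring                 FTPRING          # assumed SAF keyring name
  }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled   On               # FTPD starts TLS after AUTH TLS
    SecondaryMap            On               # data connections inherit this env
  }
}
```

Without ApplicationControlled On the stack would start the TLS handshake the
moment the client connects, which is the fully transparent mode Tom describes;
that works for a protocol that expects TLS from the first byte, but the FTP
server wants to answer in clear with its 220 banner and wait for AUTH TLS, so
for FTP the application-controlled form is the one to use.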


AT-TLS ?

2020-06-28 Thread Lionel B Dyck
Anyone have any pointers for configuring AT-TLS on z/OS?

 

 

Lionel B. Dyck
Website: https://www.lbdsoftware.com

"Worry more about your character than your reputation.  Character is what
you are, reputation merely what others think you are." - John Wooden

 




Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-15 Thread Kirk Wolf
On Fri, Jun 12, 2020 at 3:56 PM Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Fri, 12 Jun 2020 20:46:49 +, Jackson, Rob wrote:
>
> >Before I found out about Co:Z I used shell scripts and REXX in OMVS to
> copy the files back and forth from MVS datasets to OMVS file systems (if
> sending to the mainframe, they would follow up the copy with a SSH and
> execute a script with a table of DSNs with DCBs to copy to a MVS dataset .
> . . or supply their own DCB and dataset name).  It was very cumbersome
> indeed.  Co:Z makes all that go away; it's simple to install, implement,
> and use.  Highly recommended.
> >
> How does it handle a program object library in a PDSE?  Or should
> I presume FSVO "makes all that go away"?
>

Release 6.0.0 of Co:Z SFTP supports sending PDS and PDSE libraries.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com
Download and use Co:Z SFTP free under our Community License
http://dovetail.com/support.html



Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-13 Thread Jackson, Rob
Ah yeah, my bad, that looks right.  Details do count.  I was going from faulty 
memory.  :)  Thanks!

First Horizon Bank
Mainframe Technical Support


-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Charles Mills
Sent: Saturday, June 13, 2020 12:28 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: How is Passive FTP with TLS and NAT supposed to work?

[External Email. Exercise caution when clicking links or opening attachments.]

THANK YOU. Yes, PASSIVEIGNOREADDR is the key (and BTW you can then eliminate 
CCC with its security exposure).

Shows what a kludge FTP is. The client says "Let's go into passive mode. Tell 
me what IP address to use, and I will ignore it. Thank you. Because after all, 
I already know your IP address."

BTW, with EPSV4 I do *not* see 227 response would be (, , , ,8,106). Instead I 
see a 229 response:

EZA1701I >>> EPSV
SC3311 getReply: entered
SC4479 getNextReply: entered with waitForData = TRUE
229 Entering Extended Passive Mode (|||2158|)
SC5291 epsvReply: entered
SC5209 parseEPSVreply: entered
SC5221 parseEPSVreply: tmpreply 229 Entering Extended Passive Mode (|||2158|)
SC5240 parseEPSVreply: i 9 tmpstr (|||2158|)
SC5249 parseEPSVReply: delimiter is |/4f

But no matter. EPSV4 seems to be a nice-to-have. PASSIVEIGNOREADDR is the key.

For anyone following this thread who is wondering what the heck I have been 
talking about there is a good (non-mainframe, but it is the same issue) 
explanation here:

https://bit.ly/2Yv0BOp

> My cruddy email application (Outlook) doesn't do the >-style quoting

Yeah, I always just do it by hand in Outlook. I have a > key.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jackson, Rob
Sent: Saturday, June 13, 2020 6:17 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: How is Passive FTP with TLS and NAT supposed to work?

My cruddy email application (Outlook) doesn't do the >-style quoting (or at 
least I don't know how to make it), so let me try below with tabs; it will 
probably be ugly.

First Horizon Bank
Mainframe Technical Support


-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Charles Mills


Thanks all! Thanks much! Let me try to do one reply here to hold down the noise.

> active mode is the one using PORT; passive mode uses PASV

Thank you! It's a detail but I want to have the details right. Details are of 
the essence here. What *exactly* does the server send? On the client end I see

SC1373 initDsConnection: entered
SC2848 sendCmd: entered
EZA1701I >>> PASV
SC3311 getReply: entered
SC4479 getNextReply: entered with waitForData = TRUE
227 Entering Passive Mode (10,200,40,20,8,106)

Where *exactly* did the client get that 10.200.40.20 from? What *does* the 
server send to convey "open your data connection on this address"?

Correct, the 227 is the server response.  The first four 
comma-delimited bytes-in-decimal are the server IP; the second two are the 
port:  256*8+106.

In other news:

- "Switching to another type of FTP" is non-trivial because the use of FTP is 
embedded in another product that builds control files on the fly. It would be a 
development project to use "a different FTP." Not out of the question, but a 
development project nonetheless.
- Both ends are z/OS FWIW. There is a mix of "legacy" and zFS. That is all 
under control presently.

Perfect; that should make it easier.

In SYSFTPD on the client side, the first of the below sets PASV; you have 
that.  The second tells the client to ignore the returned IP and stick with 
the one it opened; the third tells the server to use EPSV and not to respond 
with one in the first place (227 response would be (, , , ,8,106)):

FWFRIENDLY  TRUE;
PASSIVEIGNOREADDR TRUE;
EPSV4 TRUE;



Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-13 Thread Charles Mills
THANK YOU. Yes, PASSIVEIGNOREADDR is the key (and BTW you can then eliminate 
CCC with its security exposure).

Shows what a kludge FTP is. The client says "Let's go into passive mode. Tell 
me what IP address to use, and I will ignore it. Thank you. Because after all, 
I already know your IP address."

BTW, with EPSV4 I do *not* see 227 response would be (, , , ,8,106). Instead I 
see a 229 response:

EZA1701I >>> EPSV  
SC3311 getReply: entered   
SC4479 getNextReply: entered with waitForData = TRUE   
229 Entering Extended Passive Mode (|||2158|)  
SC5291 epsvReply: entered  
SC5209 parseEPSVreply: entered 
SC5221 parseEPSVreply: tmpreply 229 Entering Extended Passive Mode (|||2158|)  
SC5240 parseEPSVreply: i 9 tmpstr (|||2158|)   
SC5249 parseEPSVReply: delimiter is |/4f   

But no matter. EPSV4 seems to be a nice-to-have. PASSIVEIGNOREADDR is the key.

For anyone following this thread who is wondering what the heck I have been 
talking about there is a good (non-mainframe, but it is the same issue) 
explanation here:

https://bit.ly/2Yv0BOp

> My cruddy email application (Outlook) doesn't do the >-style quoting

Yeah, I always just do it by hand in Outlook. I have a > key.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Jackson, Rob
Sent: Saturday, June 13, 2020 6:17 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: How is Passive FTP with TLS and NAT supposed to work?

My cruddy email application (Outlook) doesn't do the >-style quoting (or at 
least I don't know how to make it), so let me try below with tabs; it will 
probably be ugly.

First Horizon Bank
Mainframe Technical Support


-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Charles Mills


Thanks all! Thanks much! Let me try to do one reply here to hold down the noise.

> active mode is the one using PORT; passive mode uses PASV

Thank you! It's a detail but I want to have the details right. Details are of 
the essence here. What *exactly* does the server send? On the client end I see

SC1373 initDsConnection: entered
SC2848 sendCmd: entered
EZA1701I >>> PASV
SC3311 getReply: entered
SC4479 getNextReply: entered with waitForData = TRUE
227 Entering Passive Mode (10,200,40,20,8,106)

Where *exactly* did the client get that 10.200.40.20 from? What *does* the 
server send to convey "open your data connection on this address"?

Correct, the 227 is the server response.  The first four 
comma-delimited bytes-in-decimal are the server IP; the second two are the 
port:  256*8+106.

In other news:

- "Switching to another type of FTP" is non-trivial because the use of FTP is 
embedded in another product that builds control files on the fly. It would be a 
development project to use "a different FTP." Not out of the question, but a 
development project nonetheless.
- Both ends are z/OS FWIW. There is a mix of "legacy" and zFS. That is all 
under control presently.

Perfect; that should make it easier.

In SYSFTPD on the client side, the first of the below sets PASV; you have 
that.  The second tells the client to ignore the returned IP and stick with 
the one it opened; the third tells the server to use EPSV and not to respond 
with one in the first place (227 response would be (, , , ,8,106)):

FWFRIENDLY  TRUE;
PASSIVEIGNOREADDR TRUE;
EPSV4 TRUE;



Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-13 Thread Jackson, Rob
My cruddy email application (Outlook) doesn't do the >-style quoting (or at 
least I don't know how to make it), so let me try below with tabs; it will 
probably be ugly.

First Horizon Bank
Mainframe Technical Support


-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Charles Mills


Thanks all! Thanks much! Let me try to do one reply here to hold down the noise.

> active mode is the one using PORT; passive mode uses PASV

Thank you! It's a detail but I want to have the details right. Details are of 
the essence here. What *exactly* does the server send? On the client end I see

SC1373 initDsConnection: entered
SC2848 sendCmd: entered
EZA1701I >>> PASV
SC3311 getReply: entered
SC4479 getNextReply: entered with waitForData = TRUE
227 Entering Passive Mode (10,200,40,20,8,106)

Where *exactly* did the client get that 10.200.40.20 from? What *does* the 
server send to convey "open your data connection on this address"?

Correct, the 227 is the server response.  The first four 
comma-delimited bytes-in-decimal are the server IP; the second two are the 
port:  256*8+106.

In other news:

- "Switching to another type of FTP" is non-trivial because the use of FTP is 
embedded in another product that builds control files on the fly. It would be a 
development project to use "a different FTP." Not out of the question, but a 
development project nonetheless.
- Both ends are z/OS FWIW. There is a mix of "legacy" and zFS. That is all 
under control presently.

Perfect; that should make it easier.

In SYSFTPD on the client side, the first of the below sets PASV; you have 
that.  The second tells the client to ignore the returned IP and stick with 
the one it opened; the third tells the server to use EPSV and not to respond 
with one in the first place (227 response would be (, , , ,8,106)):

FWFRIENDLY  TRUE;
PASSIVEIGNOREADDR TRUE;
EPSV4 TRUE;

- I guess "IBM" SFTP does not support legacy datasets but Dovetail SFTP does? 
Is that right?

Right, including GDSs.  The only thing I can't make it do is wildcard 
DSNs, though wildcarding OMVS files is fine.

- Big question on SFTP: does it support anything like SITE FILETYPE=JES/GET 
jcl_file system_messages ? That is, submit a job and wait for completion? 
Without that it is a re-architecting, not a re-writing project.

The manual says it supports JES2 and JES3 job submissions, status, and 
spool-file transfers; I've never tried this.

- No program objects at this point but possibly in the future.

It supports PDSE; I've never had a need to send a program object from 
distributed to MVS or vice versa, so I dunno about that.

- Yes, having to install another product is a HUGE obstacle. Not impossible, 
not saying Dovetail is not wonderfulness, just the reality of sales is that 
"you have to install this other product in order to try our product" is always 
a huge obstacle.

But it is free, and it's so good, we've never had to have support 
(sorry, Kirk).

- > FTP's dual port architecture is simply a nightmare. Yeah, it always seemed 
so to me. Why do you need two sessions -- by default initiated in opposite 
directions -- to transfer both files and control information?

I agree!

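As an added illustration of what Rob describes above (the 227 reply's four address octets followed by a port of p1*256+p2, the 229 reply from EPSV carrying only a port, and PASSIVEIGNOREADDR keeping the data connection on the address the control connection already reached), here is client-side logic that implements those rules. This is example code written for this page, not z/OS FTP's implementation and not anything posted in the thread; the replies are the ones from Charles' traces, the 203.0.113.7 control-peer address is constructed, and the RFC 1918 check at the end is an added sanity test that flags a 227 reply that crossed a NAT without being rewritten.

```python
"""
Added example (not code from the thread or from IBM z/OS FTP): how an FTP
client turns a passive-mode reply into a data-connection endpoint, and how
the PASSIVEIGNOREADDR / EPSV choices remove the NAT problem.
Replies and addresses below are constructed for illustration.
"""
import ipaddress
import re

# RFC 959 PASV reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
_PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# RFC 2428 EPSV reply: 229 Entering Extended Passive Mode (|||port|)
# The delimiter is whatever single character appears three times before the port.
_EPSV_RE = re.compile(r"^229\b[^(]*\((.)\1\1(\d{1,5})\1\)")

# RFC 1918 space: if a server advertises one of these to a client on the far
# side of a NAT, the address is meaningless there.
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) from a 227 reply; the port is p1*256 + p2."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a well-formed 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in 227 reply: {reply!r}")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 advertised in 227 reply")
    return f"{h1}.{h2}.{h3}.{h4}", port


def parse_epsv(reply: str) -> int:
    """Return the port from a 229 reply; EPSV never carries an address."""
    m = _EPSV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a well-formed 229 reply: {reply!r}")
    port = int(m.group(2))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in 229 reply: {reply!r}")
    return port


def data_endpoint(reply: str, control_peer: str,
                  passive_ignore_addr: bool = False) -> tuple[str, int, str]:
    """
    Decide where the client opens the data connection.

    control_peer is the address the control connection was opened to, i.e.
    the one the client already knows works through the NAT.  passive_ignore_addr
    models the FTP.DATA option of the same name: take the advertised port but
    keep talking to control_peer.  Returns (host, port, reason).
    """
    if reply.startswith("229"):
        return control_peer, parse_epsv(reply), "EPSV: no address in reply, control peer reused"
    host, port = parse_pasv(reply)
    if passive_ignore_addr:
        return control_peer, port, "PASSIVEIGNOREADDR: advertised address ignored"
    return host, port, "advertised address used as-is"


def advertises_untranslated_address(reply: str, control_peer: str) -> bool:
    """
    True when a 227 reply names an RFC 1918 address that differs from the
    control peer: the symptom of a server behind NAT whose reply nobody
    rewrote, for example because TLS hid it from the firewall.
    """
    if not reply.startswith("227"):
        return False
    host, _ = parse_pasv(reply)
    if host == control_peer:
        return False
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in _RFC1918)


if __name__ == "__main__":
    peer = "203.0.113.7"      # constructed: the server's public, post-NAT address
    pasv = "227 Entering Passive Mode (10,200,40,20,8,106)"
    epsv = "229 Entering Extended Passive Mode (|||2158|)"
    for r, ignore in ((pasv, False), (pasv, True), (epsv, False)):
        print(r, "->", data_endpoint(r, peer, ignore))
    print("untranslated private address leaked:",
          advertises_untranslated_address(pasv, peer))
```

Run as-is, the plain 227 case tries 10.200.40.20:2154, while the PASSIVEIGNOREADDR case and the EPSV case both land on 203.0.113.7 with the advertised port. The last check is the one to run when a transfer hangs right after the 227: an RFC 1918 address that differs from the control peer means the reply crossed the NAT unrewritten, which is exactly what TLS on the control connection causes.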


Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Gibney, Dave
In my case, it was and is long stable FTPS jobs using standard files and no 
knowledgeable staff with time to refit to sftp.
 About a decade ago, I experimented with the idea of wrapping a PROC around the 
whole process.  Ran out of available time to solve all issues.
> -Original Message-
> From: IBM Mainframe Discussion List  On
> Behalf Of Paul Gilmartin
> Sent: Friday, June 12, 2020 1:36 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: How is Passive FTP with TLS and NAT supposed to work?
> 
> On Fri, 12 Jun 2020 18:21:47 +, Gibney, Dave wrote:
> 
> >Aside from, I think this is still true, absent Dovetail extensions, the
> >requirement that SFTP only works with ZFS/HFS files
> >>
> What's the intended recipient?  If desktop or Open Systems, zFS/HFS should
> be acceptable.  If z/OS, cumbersomely flatten with TRSMAIN or TSO
> TRANSMIT; copy to zFS and SFTP.
> 
> >> There are other things, I'm sure I'm forgetting.  Switch to SFTP, and
> >> life gets much easier--most of the time.
> 
> There's some echo here of the "retire mainframe" thread.  z/OS doesn't
> "play well with others."
> 
> -- gil
> 


Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Charles Mills
I am gathering from reading the RFC that that 227 Entering Passive Mode 
(10,200,40,20,8,106) is a verbatim message from the server, and for the 
question "what *does* the server send?" the answer is "that 227 message."

Is that correct?

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Charles Mills
Sent: Friday, June 12, 2020 3:17 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: How is Passive FTP with TLS and NAT supposed to work?

Thanks all! Thanks much! Let me try to do one reply here to hold down the noise.

> active mode is the one using PORT; passive mode uses PASV

Thank you! It's a detail but I want to have the details right. Details are of 
the essence here. What *exactly* does the server send? On the client end I see

SC1373 initDsConnection: entered 
SC2848 sendCmd: entered  
EZA1701I >>> PASV
SC3311 getReply: entered 
SC4479 getNextReply: entered with waitForData = TRUE 
227 Entering Passive Mode (10,200,40,20,8,106)   

Where *exactly* did the client get that 10.200.40.20 from? What *does* the 
server send to convey "open your data connection on this address"?

In other news:

- "Switching to another type of FTP" is non-trivial because the use of FTP is 
embedded in another product that builds control files on the fly. It would be a 
development project to use "a different FTP." Not out of the question, but a 
development project nonetheless.
- Both ends are z/OS FWIW. There is a mix of "legacy" and zFS. That is all 
under control presently.
- I guess "IBM" SFTP does not support legacy datasets but Dovetail SFTP does? 
Is that right? 
- Big question on SFTP: does it support anything like SITE FILETYPE=JES/GET 
jcl_file system_messages ? That is, submit a job and wait for completion? 
Without that it is a re-architecting, not a re-writing project.
- No program objects at this point but possibly in the future.
- Yes, having to install another product is a HUGE obstacle. Not impossible, 
not saying Dovetail is not wonderfulness, just the reality of sales is that 
"you have to install this other product in order to try our product" is always 
a huge obstacle.
- > FTP's dual port architecture is simply a nightmare. Yeah, it always seemed 
so to me. Why do you need two sessions -- by default initiated in opposite 
directions -- to transfer both files and control information?



Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Charles Mills
Thanks all! Thanks much! Let me try to do one reply here to hold down the noise.

> active mode is the one using PORT; passive mode uses PASV

Thank you! It's a detail but I want to have the details right. Details are of 
the essence here. What *exactly* does the server send? On the client end I see

SC1373 initDsConnection: entered 
SC2848 sendCmd: entered  
EZA1701I >>> PASV
SC3311 getReply: entered 
SC4479 getNextReply: entered with waitForData = TRUE 
227 Entering Passive Mode (10,200,40,20,8,106)   

Where *exactly* did the client get that 10.200.40.20 from? What *does* the 
server send to convey "open your data connection on this address"?

In other news:

- "Switching to another type of FTP" is non-trivial because the use of FTP is 
embedded in another product that builds control files on the fly. It would be a 
development project to use "a different FTP." Not out of the question, but a 
development project nonetheless.
- Both ends are z/OS FWIW. There is a mix of "legacy" and zFS. That is all 
under control presently.
- I guess "IBM" SFTP does not support legacy datasets but Dovetail SFTP does? 
Is that right? 
- Big question on SFTP: does it support anything like SITE FILETYPE=JES/GET 
jcl_file system_messages ? That is, submit a job and wait for completion? 
Without that it is a re-architecting, not a re-writing project.
- No program objects at this point but possibly in the future.
- Yes, having to install another product is a HUGE obstacle. Not impossible, 
not saying Dovetail is not wonderfulness, just the reality of sales is that 
"you have to install this other product in order to try our product" is always 
a huge obstacle.
- > FTP's dual port architecture is simply a nightmare. Yeah, it always seemed 
so to me. Why do you need two sessions -- by default initiated in opposite 
directions -- to transfer both files and control information?

Charles



Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Paul Gilmartin
On Fri, 12 Jun 2020 20:46:49 +, Jackson, Rob wrote:

>Before I found out about Co:Z I used shell scripts and REXX in OMVS to copy 
>the files back and forth from MVS datasets to OMVS file systems (if sending to 
>the mainframe, they would follow up the copy with a SSH and execute a script 
>with a table of DSNs with DCBs to copy to a MVS dataset . . . or supply their 
>own DCB and dataset name).  It was very cumbersome indeed.  Co:Z makes all 
>that go away; it's simple to install, implement, and use.  Highly recommended.
>
How does it handle a program object library in a PDSE?  Or should
I presume FSVO "makes all that go away"?

Must both the sender and the recipient have Co:Z installed?  That might
be a business obstacle.

-- gil



Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Jackson, Rob
Before I found out about Co:Z I used shell scripts and REXX in OMVS to copy the 
files back and forth from MVS datasets to OMVS file systems (if sending to the 
mainframe, they would follow up the copy with a SSH and execute a script with a 
table of DSNs with DCBs to copy to a MVS dataset . . . or supply their own DCB 
and dataset name).  It was very cumbersome indeed.  Co:Z makes all that go 
away; it's simple to install, implement, and use.  Highly recommended.

First Horizon Bank
Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Paul Gilmartin
Sent: Friday, June 12, 2020 4:36 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: How is Passive FTP with TLS and NAT supposed to work?

On Fri, 12 Jun 2020 18:21:47 +, Gibney, Dave wrote:

>Aside from, I think this is still true, absent Dovetail extensions, the 
>requirement that SFTP only works with ZFS/HFS files
>>
What's the intended recipient?  If desktop or Open Systems, zFS/HFS should be 
acceptable.  If z/OS, cumbersomely flatten with TRSMAIN or TSO TRANSMIT; copy 
to zFS and SFTP.

>> There are other things, I'm sure I'm forgetting.  Switch to SFTP, and 
>> life gets much easier--most of the time.

There's some echo here of the "retire mainframe" thread.  z/OS doesn't "play 
well with others."

-- gil



Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Paul Gilmartin
On Fri, 12 Jun 2020 18:21:47 +, Gibney, Dave wrote:

>Aside from, I think this is still true, absent Dovetail extensions, the 
>requirement that SFTP only works with ZFS/HFS files
>>  
What's the intended recipient?  If desktop or Open Systems, zFS/HFS should
be acceptable.  If z/OS, cumbersomely flatten with TRSMAIN or TSO TRANSMIT;
copy to zFS and SFTP.

>> There are other things, I'm sure I'm forgetting.  Switch to SFTP, and life 
>> gets
>> much easier--most of the time.

There's some echo here of the "retire mainframe" thread.  z/OS doesn't "play
well with others."

-- gil



Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Seymour J Metz
I've never understood why RFC 4960 Stream Control Transmission Protocol (SCTP) 
didn't catch on and get exploited by a new FTP protocol.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
Jackson, Rob [rwjack...@firsthorizon.com]
Sent: Friday, June 12, 2020 2:18 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: How is Passive FTP with TLS and NAT supposed to work?

Well, your point is made and understood, but active mode is the one using PORT; 
passive mode uses PASV.  They both have their FW/load balancer issues.

We tend to use a variety of "fixes" for the various issues, given our 
convoluted (typical?) environment.  EPSV can help.  Some clients have the 
option to ignore PASV IP returned.  Our load balancers host our server certs in 
some cases so they can decrypt and modify the IP.  Our MFT proxy cluster has 
multiple nodes of FTP server adapter pairs, and each can be defined to return 
the same IP in the PASV response (they are session-break proxies, so they don't 
use the MFT servers' certs for encryption; they use their own); this IP would 
be the exposed forwarding VIP on the internet.

There are other things, I'm sure I'm forgetting.  Switch to SFTP, and life gets 
much easier--most of the time.

First Horizon Bank
Mainframe Technical Support


-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Charles Mills
Sent: Friday, June 12, 2020 2:01 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: How is Passive FTP with TLS and NAT supposed to work?

X-Posted IBMMAIN and IBMTCP. Apologies. This is a question that is both urgent 
for us and perhaps a little obscure.

With Passive FTP, the server uses a PORT command to say to the client "open the 
data connection on this IP address." Unfortunately with NAT that is an internal 
address that is meaningless at the client. Many firewalls or routers that 
support NAT are apparently smart enough to translate that PORT command from an 
internal to an external address, and everything works wonderfully.

The wrinkle comes with TLS: the control connection is encrypted and 
inaccessible to the firewall or router.

Enter CCC:
https://www.ibm.com/support/knowledgecenter/SSLTBW_2.3.0/com.ibm.zos.v2r3.halz001/ftpcastlsrfclevel.htm
https://tools.ietf.org/html/rfc4217#page-19

CCC says "stop encrypting the control connection (so the router or firewall can 
see and translate it)."

Apparently -- and this is where my knowledge gets fuzzy -- the RFC now requires 
that the partners close the control connection at that point, but z/OS FTP 
perhaps does not support that (?).

CCC has security red flags all over it, which is understandable, and it looks 
like we may be encountering a firewall or router that does not support it, or 
perhaps does not support the non-RFC version of it.

I am asking here "what is the 'right' answer?" How is passive FTP supposed to 
work over a TLS session with NAT in effect?

Charles



Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Gibney, Dave
We live behind an f5 Load Balancer. It knows our certificates and can 
decrypt/recrypt to determine the PORT. We flat don't do active FTPS

> -Original Message-
> From: IBM Mainframe Discussion List  On
> Behalf Of Charles Mills
> Sent: Friday, June 12, 2020 11:01 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: How is Passive FTP with TLS and NAT supposed to work?
> 
> X-Posted IBMMAIN and IBMTCP. Apologies. This is a question that is both
> urgent for us and perhaps a little obscure.
> 
> With Passive FTP, the server uses a PORT command to say to the client "open
> the data connection on this IP address." Unfortunately with NAT that is an
> internal address that is meaningless at the client. Many firewalls or routers
> that support NAT are apparently smart enough to translate that PORT
> command from an internal to an external address, and everything works
> wonderfully.
> 
> The wrinkle comes with TLS: the control connection is encrypted and
> inaccessible to the firewall or router.
> 
> Enter CCC:
> https://www.ibm.com/support/knowledgecenter/SSLTBW_2.3.0/com.ibm.zos.v2r3.halz001/ftpcastlsrfclevel.htm
> https://tools.ietf.org/html/rfc4217#page-19
> 
> CCC says "stop encrypting the control connection (so the router or firewall
> can see and translate it)."
> 
> Apparently -- and this is where my knowledge gets fuzzy -- the RFC now
> requires that the partners close the control connection at that point, but
> z/OS FTP perhaps does not support that (?).
> 
> CCC has security red flags all over it, which is understandable, and it looks 
> like
> we may be encountering a firewall or router that does not support it, or
> perhaps does not support the non-RFC version of it.
> 
> I am asking here "what is the 'right' answer?" How is passive FTP supposed to
> work over a TLS session with NAT in effect?
> 
> Charles
> 
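Dave's f5 arrangement works because the load balancer terminates TLS, so it can read and edit the 227 before re-encrypting it toward the client; a plain NAT box in the path cannot. The following added example (written for this page, not f5's, IBM's or anyone's code from the thread) shows the edit an FTP application-level gateway performs on a cleartext control-channel segment and how it degrades to a pass-through once that segment is a TLS record. The segments and the external address 203.0.113.7 are constructed.

```python
"""
Added example (not code from the thread or from any firewall vendor): the
rewrite a NAT device or TLS-terminating proxy has to perform on a passive
reply, and why it is impossible once the control connection is inside TLS.
Sample segments and the external address are constructed for illustration.
"""
import re

# Matches the address part of a 227 reply in a raw control-channel segment;
# the port pair (p1,p2) is captured separately and left alone.
_PASV_ADDR = re.compile(
    rb"(227\b[^(]*\()(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(,\d{1,3},\d{1,3}\))"
)


def looks_like_tls_record(segment: bytes) -> bool:
    """
    TLS records begin with a content type (0x14-0x17) and a 0x03 0x0X version.
    A device that sees this on the control port is looking at ciphertext: the
    227 is in there somewhere, but it can neither read nor rewrite it.
    """
    return (
        len(segment) >= 5
        and segment[0] in (0x14, 0x15, 0x16, 0x17)
        and segment[1] == 0x03
        and segment[2] <= 0x04
    )


def rewrite_pasv_address(segment: bytes, external_ip: str) -> bytes:
    """Replace h1,h2,h3,h4 in any 227 reply inside segment with external_ip."""
    octets = external_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {external_ip!r}")
    replacement = ",".join(octets).encode("ascii")
    return _PASV_ADDR.sub(lambda m: m.group(1) + replacement + m.group(6), segment)


def nat_alg(segment: bytes, external_ip: str) -> tuple[bytes, bool]:
    """
    What an FTP application-level gateway does with one server-to-client
    segment: rewrite a cleartext 227, pass everything else through untouched.
    Returns (segment_to_forward, rewritten).
    """
    if looks_like_tls_record(segment):
        return segment, False
    out = rewrite_pasv_address(segment, external_ip)
    return out, out != segment


if __name__ == "__main__":
    external = "203.0.113.7"                      # constructed: public address of the NAT
    clear = b"227 Entering Passive Mode (10,200,40,20,8,106)\r\n"
    # constructed: a TLS 1.2 application-data record header followed by opaque bytes
    tls = b"\x17\x03\x03\x00\x30" + bytes(48)
    print(nat_alg(clear, external))   # address rewritten, port pair kept
    print(nat_alg(tls, external))     # passed through: nothing an ALG can do
```

Two caveats a practitioner would want. First, the rewritten reply is normally a different length than the original, so a real inline ALG also has to adjust TCP sequence and acknowledgement numbers on that connection; this payload-only model skips that. Second, the pass-through branch is the whole reason CCC and TLS-terminating proxies exist: a proxy that holds the server certificate gets the cleartext back (Dave's f5 case), while CCC gets it back by putting every later command and reply, PASV/PORT addresses and file names included, on the wire in clear, which is the exposure Charles was glad to eliminate.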


Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Gibney, Dave
Aside from, I think this is still true, absent Dovetail extensions, the 
requirement that SFTP only works with ZFS/HFS files
> 
> There are other things, I'm sure I'm forgetting.  Switch to SFTP, and life 
> gets
> much easier--most of the time.
> 
> First Horizon Bank
> Mainframe Technical Support
> 
> 
> -Original Message-
> From: IBM Mainframe Discussion List  On
> Behalf Of Charles Mills
> Sent: Friday, June 12, 2020 2:01 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: How is Passive FTP with TLS and NAT supposed to work?
> 
> X-Posted IBMMAIN and IBMTCP. Apologies. This is a question that is both
> urgent for us and perhaps a little obscure.
> 
> With Passive FTP, the server uses a PORT command to say to the client "open
> the data connection on this IP address." Unfortunately with NAT that is an
> internal address that is meaningless at the client. Many firewalls or routers
> that support NAT are apparently smart enough to translate that PORT
> command from an internal to an external address, and everything works
> wonderfully.
> 
> The wrinkle comes with TLS: the control connection is encrypted and
> inaccessible to the firewall or router.
> 
> Enter CCC:
> https://www.ibm.com/support/knowledgecenter/SSLTBW_2.3.0/com.ibm.zos.v2r3.halz001/ftpcastlsrfclevel.htm
> https://tools.ietf.org/html/rfc4217#page-19
> 
> CCC says "stop encrypting the control connection (so the router or firewall
> can see and translate it)."
> 
> Apparently -- and this is where my knowledge gets fuzzy -- the RFC now
> requires that the partners close the control connection at that point, but
> z/OS FTP perhaps does not support that (?).
> 
> CCC has security red flags all over it, which is understandable, and it looks 
> like
> we may be encountering a firewall or router that does not support it, or
> perhaps does not support the non-RFC version of it.
> 
> I am asking here "what is the 'right' answer?" How is passive FTP supposed to
> work over a TLS session with NAT in effect?
> 
> Charles
> 


Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Kirk Wolf
How about after throwing firewalls in to the mix?   FTP's dual port
architecture is simply a nightmare.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com


On Fri, Jun 12, 2020 at 1:01 PM Charles Mills  wrote:

> X-Posted IBMMAIN and IBMTCP. Apologies. This is a question that is both
> urgent for us and perhaps a little obscure.
>
> With Passive FTP, the server uses a PORT command to say to the client "open
> the data connection on this IP address." Unfortunately with NAT that is an
> internal address that is meaningless at the client. Many firewalls or
> routers that support NAT are apparently smart enough to translate that PORT
> command from an internal to an external address, and everything works
> wonderfully.
>
> The wrinkle comes with TLS: the control connection is encrypted and
> inaccessible to the firewall or router.
>
> Enter CCC:
>
> https://www.ibm.com/support/knowledgecenter/SSLTBW_2.3.0/com.ibm.zos.v2r3.halz001/ftpcastlsrfclevel.htm
> https://tools.ietf.org/html/rfc4217#page-19
>
> CCC says "stop encrypting the control connection (so the router or firewall
> can see and translate it).
>
> Apparently -- and this is where my knowledge gets fuzzy -- the RFC now
> requires that the partners close the control connection at that point, but
> z/OS FTP perhaps does not support that (?).
>
> CCC has security red flags all over it, which is understandable, and it
> looks like we may be encountering a firewall or router that does not
> support
> it, or perhaps does not support the non-RFC version of it.
>
> I am asking here "what is the 'right' answer?" How is passive FTP supposed
> to work over a TLS session with NAT in effect?
>
> Charles
>



Re: How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Jackson, Rob
Well, your point is made and understood, but active mode is the one using PORT; 
passive mode uses PASV.  They both have their FW/load balancer issues.

We tend to use a variety of "fixes" for the various issues, given our 
convoluted (typical?) environment.  EPSV can help.  Some clients have the 
option to ignore PASV IP returned.  Our load balancers host our server certs in 
some cases so they can decrypt and modify the IP.  Our MFT proxy cluster has 
multiple nodes of FTP server adapter pairs, and each can be defined to return 
the same IP in the PASV response (they are session-break proxies, so they don't 
use the MFT servers' certs for encryption; they use their own); this IP would 
be the exposed forwarding VIP on the internet.

There are other things, I'm sure I'm forgetting.  Switch to SFTP, and life gets 
much easier--most of the time. 

First Horizon Bank
Mainframe Technical Support


-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Charles Mills
Sent: Friday, June 12, 2020 2:01 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: How is Passive FTP with TLS and NAT supposed to work?

X-Posted IBMMAIN and IBMTCP. Apologies. This is a question that is both urgent 
for us and perhaps a little obscure.

With Passive FTP, the server uses a PORT command to say to the client "open the 
data connection on this IP address." Unfortunately with NAT that is an internal 
address that is meaningless at the client. Many firewalls or routers that 
support NAT are apparently smart enough to translate that PORT command from an 
internal to an external address, and everything works wonderfully.

The wrinkle comes with TLS: the control connection is encrypted and 
inaccessible to the firewall or router.

Enter CCC:
https://www.ibm.com/support/knowledgecenter/SSLTBW_2.3.0/com.ibm.zos.v2r3.halz001/ftpcastlsrfclevel.htm
https://tools.ietf.org/html/rfc4217#page-19

CCC says "stop encrypting the control connection (so the router or firewall can 
see and translate it).

Apparently -- and this is where my knowledge gets fuzzy -- the RFC now requires 
that the partners close the control connection at that point, but z/OS FTP 
perhaps does not support that (?).

CCC has security red flags all over it, which is understandable, and it looks 
like we may be encountering a firewall or router that does not support it, or 
perhaps does not support the non-RFC version of it.

I am asking here "what is the 'right' answer?" How is passive FTP supposed to 
work over a TLS session with NAT in effect?

Charles



How is Passive FTP with TLS and NAT supposed to work?

2020-06-12 Thread Charles Mills
X-Posted IBMMAIN and IBMTCP. Apologies. This is a question that is both
urgent for us and perhaps a little obscure.

With Passive FTP, the server uses a PORT command to say to the client "open
the data connection on this IP address." Unfortunately with NAT that is an
internal address that is meaningless at the client. Many firewalls or
routers that support NAT are apparently smart enough to translate that PORT
command from an internal to an external address, and everything works
wonderfully.

The wrinkle comes with TLS: the control connection is encrypted and
inaccessible to the firewall or router.

Enter CCC:
https://www.ibm.com/support/knowledgecenter/SSLTBW_2.3.0/com.ibm.zos.v2r3.halz001/ftpcastlsrfclevel.htm
https://tools.ietf.org/html/rfc4217#page-19

CCC says "stop encrypting the control connection (so the router or firewall
can see and translate it).

Apparently -- and this is where my knowledge gets fuzzy -- the RFC now
requires that the partners close the control connection at that point, but
z/OS FTP perhaps does not support that (?).

CCC has security red flags all over it, which is understandable, and it
looks like we may be encountering a firewall or router that does not support
it, or perhaps does not support the non-RFC version of it.

I am asking here "what is the 'right' answer?" How is passive FTP supposed
to work over a TLS session with NAT in effect?

Charles 

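Charles's question above asks how a passive-mode data connection can work when the server's 227 reply carries a NAT-internal address and TLS hides the control channel from the firewall; Rob Jackson's reply points at the client-side answers, EPSV and "ignore the PASV IP". The block below is an added example, not code from the IBM-MAIN thread, from z/OS FTP or from any product mentioned in it. It shows both mitigations in a small client-side decision routine: EPSV (RFC 2428) replies carry only a port, so nothing needs translating, and for a plain PASV (RFC 959) reply the client discards the advertised address and reuses the address of the TLS-authenticated control connection, which is the behaviour curl's `--ftp-skip-pasv-ip` option selects. Neither approach needs the control channel decrypted, so CCC is not required. All reply strings and addresses are constructed.

```python
"""Client-side handling of FTP passive-mode replies behind NAT.

Added example for the IBM-MAIN thread; not code from z/OS FTP or any product
named there. Demonstrates (1) EPSV, whose 229 reply carries only a port, and
(2) ignoring the address in a PASV 227 reply and reusing the control peer.
All reply strings and addresses below are constructed.
"""
from __future__ import annotations

import ipaddress
import re

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428: "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) from a 227 reply, rejecting out-of-range fields."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    port = (p1 << 8) | p2
    if port == 0:
        raise ValueError("PASV reply advertised port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def parse_epsv(reply: str) -> int:
    """Return the port from a 229 reply; EPSV never carries an address."""
    m = EPSV_RE.match(reply)
    if not m:
        raise ValueError(f"not a 229 EPSV reply: {reply!r}")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in EPSV reply: {reply!r}")
    return port


def is_public(host: str) -> bool:
    """False for RFC 1918, loopback, link-local, reserved, multicast or
    unspecified addresses; an advertised address of that kind behind NAT is
    the server's internal address leaking through."""
    ip = ipaddress.ip_address(host)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def choose_data_endpoint(reply: str, control_peer: str) -> tuple[str, int, str]:
    """Decide where the data connection goes.

    control_peer is the address the (TLS-authenticated) control connection is
    actually connected to. Returns (host, port, note); the note records which
    rule applied so it can be logged.
    """
    if reply.startswith("229"):
        return control_peer, parse_epsv(reply), "EPSV: port only, reused control peer"
    host, port = parse_pasv(reply)
    if host == control_peer:
        return host, port, "PASV: advertised address matches control peer"
    if not is_public(host):
        # Typical NAT leakage: the server advertised its internal address.
        note = f"PASV: ignored non-public address {host}, reused control peer"
    else:
        # A different public host: do not follow the redirect; the data
        # connection belongs on the server we already authenticated.
        note = f"PASV: ignored unexpected address {host}, reused control peer"
    return control_peer, port, note


if __name__ == "__main__":
    peer = "203.0.113.10"  # constructed: public address of the FTPS server
    for r in ("227 Entering Passive Mode (10,1,2,3,19,137).",
              "229 Entering Extended Passive Mode (|||5002|)",
              "227 Entering Passive Mode (203,0,113,10,19,138)"):
        print(choose_data_endpoint(r, peer))
```

The design choice worth noting is that the client never trusts an address from the 227 reply that differs from the control peer, public or not: the address in the reply is unauthenticated data from a channel that, with CCC, may be in cleartext, while the control peer is the host whose certificate was verified during the TLS handshake.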


Re: TELNET under TLS - Performance impact?

2018-12-10 Thread Wolfgang Fritz

check this product on mainframe and your problem will be solved
https://dovetail.com/products/sftp.html
regards

Wolfgang Fritz

On 10.12.2018 at 16:07, Juan Mautalen wrote:

Hi!

We have implemented SECURE TELNET. Our implementation is using AT-TLS (we 
have configured PAGENT, that installs its AT-TLS policies to the TCPIP stack). 
We also have ICSF up and running, and digital certificates' private keys are 
stored in ICSF. Also CPACF coprocessors are available.

TLS involves both asymmetric and symmetric encryption. The former 
(basically involving just the initial handshake process), as far as I know, is 
performed by the Crypto Express adapters, so it should not have a noticeable 
impact on general GCPU (general purpose processor CPU) consumption. However, 
after the initial handshake, all the traffic is symmetrically 
encrypted/decrypted, and I assume it is performed by GCPU (using CPACF 
extension). Is this right?

If that is the case, what Address Spaces (AS) should I monitor closely to 
reassure the impact of TLS TELNET encrypting on GCPU? TELNET? TCPIP? Other?
In any case, do you expect a noticeable impact on GCPU usage by requiring TELNET 
under TLS?

Thanks in advance for your help,

JUAN MAUTALEN




TELNET under TLS - Performance impact?

2018-12-10 Thread Juan Mautalen
 
Hi!

We have implemented SECURE TELNET. Our implementation is using AT-TLS (we 
have configured PAGENT, that installs its AT-TLS policies to the TCPIP stack). 
We also have ICSF up and running, and digital certificates' private keys are 
stored in ICSF. Also CPACF coprocessors are available.

TLS involves both asymmetric and symmetric encryption. The former 
(basically involving just the initial handshake process), as far as I know, is 
performed by the Crypto Express adapters, so it should not have a noticeable 
impact on general GCPU (general purpose processor CPU) consumption. However, 
after the initial handshake, all the traffic is symmetrically 
encrypted/decrypted, and I assume it is performed by GCPU (using CPACF 
extension). Is this right?

If that is the case, what Address Spaces (AS) should I monitor closely to 
reassure the impact of TLS TELNET encrypting on GCPU? TELNET? TCPIP? Other?
In any case, do you expect a noticeable impact on GCPU usage by requiring TELNET 
under TLS?

Thanks in advance for your help,

JUAN MAUTALEN



Re: SSL/TLS MSU usage

2018-08-14 Thread Parwez Hamid
Mounif,

I am unable to comment on any 'increase' of the CP utilization. CPACF has been 
around for a very long time. Both the systems you mention have the CPACF 
function. You will need a no charge feature (not available for embargoed 
countries) for microcode to enable CPACF. The other key point to note is to 
check if CPACF will support all the en/decryption algorithms you want to use. 
If not supported by CPACF then you might need the Crypto Express feature for 
which there is a charge.

Parwez

BTW: I have just Googled for CPACF and Crypto Express performance etc. There 
are lots of hits (I haven't browsed the websites) on this subject including 
some SHARE presentations.



Re: SSL/TLS MSU usage

2018-08-13 Thread Brian Westerman
The z13 (and I think b|ec12s) have CPACF built into each physical CPU, the 
older machines had CPACF but it was shared between multiple processors.

There is some extra CPU involved when you don't have a cryptoexpress (CEX), but 
you have to remember that not everything is or can be offloaded to the CEX 
either.  I think the cryptoexpress has 8 processors, but depending on what you 
are doing SSL-wise you may not  see any real measurable improvement over CPACF.

If you are going to use CPACF with System SSL or MQ, you have to turn on a 
feature code, (feature #3863).

In reality, some part of the key negotiation will be performed on the General 
Processor (and CPACF) regardless of CEX availability.  Also certain SSLCIPH 
specs are not supported by the CEX cards (as per 
https://www.ibm.com/developerworks/community/blogs/c4142f9d-6cf1-44ef-a44a-b09428ad96d1/entry/is_my_ssl_channel_using_hardware_assist?lang=en).

Brian



SSL/TLS MSU usage

2018-08-13 Thread Munif Sadek
Hello All

We have zBC12 and z13s but no crypto cards. As we are moving all our IP 
communications to SSL/TLS, is there a way to estimate additional MSU used in 
this encryption/decryption and key negotiations? IP traffic is CICS socket, 
HTTPS, FTPS, TN3270S, DB2 DDF, SSH etc. It's all over the place.

Is there a way we can simulate our MSU savings by having additional crypto 
hardware?

regards
Munif



Re: AT-TLS for HTTP

2018-07-05 Thread Rob Schramm
It is probably just my own FUD that is making me doubt it.

Rob Schramm

On Thu, Jul 5, 2018, 1:59 PM Mike Hochee  wrote:

> I have not used it for that specifically, but I don't see why not.  The
> policy based rules allow for job/task names and support wildcards, and you
> might not even need those if you can filter based on a unique port range.
> I've been impressed with AT-TLS, as it offers a lot of customization
> options, as well as quite a few OOB use cases. An underrated feature of
> comm server IMO.
>
> HTH,
> Mike
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Rob Schramm
> Sent: Thursday, July 5, 2018 12:45 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: AT-TLS for HTTP
>
> This might be a weird one.  I have used Policy Agent AT-TLS in the past to
> secure JDBC communication with a UDB data base.  Can I use Policy agent to
> secure an existing HTTP GET process (assembler program), by doing a similar
> process?  Has anyone else done this?
>
> Thanks,
> Rob Schramm
>
> --
>
> Rob Schramm
>
-- 

Rob Schramm



Re: AT-TLS for HTTP

2018-07-05 Thread Mike Hochee
I have not used it for that specifically, but I don't see why not.  The policy 
based rules allow for job/task names and support wildcards, and you might not 
even need those if you can filter based on a unique port range.  I've been 
impressed with AT-TLS, as it offers a lot of customization options, as well as 
quite a few OOB use cases. An underrated feature of comm server IMO. 

HTH, 
Mike 

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Rob Schramm
Sent: Thursday, July 5, 2018 12:45 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: AT-TLS for HTTP

This might be a weird one.  I have used Policy Agent AT-TLS in the past to 
secure JDBC communication with a UDB data base.  Can I use Policy agent to 
secure an existing HTTP GET process (assembler program), by doing a similar 
process?  Has anyone else done this?

Thanks,
Rob Schramm

-- 

Rob Schramm


