Re: AT-TLS question , issue
Rob,

Sorry for the late reply. The mismatch of ciphers was ADCD; this version of z/OS appears to give the customer a subset of ciphers. I am in the process of contacting IBM to find out more information. We have it working on the supplied ciphers. My concern of course is what the customer is using.

Regards,
Scott
www.idmworks.com

On Thursday, May 14, 2015, Rob Schramm rob.schr...@gmail.com wrote:
> [...]

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: AT-TLS question , issue
Correction: This is the server supported cipher list:

    Set GSK_V3_CIPHER_SPECS_EXPANDED(214) - C02FC030009E009F009C009D002F0035000A

Client ciphers are in the client hello, 2nd packet in the ATTLS trace below (002F 0035 0005 etc):

    RECV CIPHER 160301005F
    RECV CIPHER 015B030155548ECF35553E488B83C575E3ED52CAA2E0C8DBB37AA97EEAC35115EAC90CB81
    0002F00350005000A00320038 ...

--
Donald J.
dona...@4email.net

On Thu, May 14, 2015, at 04:56 AM, Donald J. wrote:
> [...]
Re: AT-TLS question , issue
If you use trace level "Trace 127" you will get debugging info on ciphers and other things.

Cipher list presented by client:

    CONNID: DA17 RC:0 Set GSK_V3_CIPHER_SPECS_EXPANDED(214) - C02FC030009E009F009C009D002F0035000A

Cipher chosen by server:

    CONNID: DA17 RC:0 Get GSK_CONNECT_SEC_TYPE(208) - TLSV1
    CONNID: DA17 RC:0 Get GSK_CONNECT_CIPHER_SPEC(207) - 002F

--
Donald J.
dona...@4email.net

On Wed, May 13, 2015, at 03:20 PM, Scott Ford wrote:
> [...]
Re: AT-TLS question , issue
Diagnosis Guide with a direct hit:
http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.hald001/atprble.htm

q0 - did you copy one of the GUI samples for the AT-TLS setup or build it from scratch?
q1 - what ciphers did you select in Config Assistant or z/OSMF when you set up the connection?
q2 - what ciphers are supported on the client side? sslv3/tlsv10/tlsv11 etc etc

Rob Schramm
Senior Systems Consultant

On Thu, May 14, 2015 at 8:11 AM, Donald J. dona...@4email.net wrote:
> [...]
Re: AT-TLS question , issue
http://www-01.ibm.com/support/knowledgecenter/api/content/nl/en-us/SSLTBW_1.13.0/com.ibm.zos.r13.hald001/comtls.htm

AT-TLS return codes, z/OS Communications Server: IP Diagnosis Guide GC31-8782-13:

402 Connection Init
A SSL cipher suite could not be agreed upon between the client and server. Check the following:
* If V2Ciphers or V3Ciphers are coded, verify that the remote end supports at least one of the cipher suites coded. If configuring using the IBM Configuration Assistant for z/OS Communications Server, the ciphers are selected for each Security Level.
* Verify that the certificate being used for the connection supports the cipher suites. For example, V3 Cipher suite TLS_DH_DSS_WITH_DES_CBC_SHA(0C) requires a certificate defined with a Diffie-Hellman key.
* For ciphers defined as exportable, verify that the proper FMIDs to support the encryption level are installed.

Mike Wawiorko

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Scott Ford
Sent: 13 May 2015 23:20
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: AT-TLS question , issue
> [...]
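Donald's trace earlier in the thread gives the server's GSK_V3_CIPHER_SPECS_EXPANDED list and the suites in the client hello, and the Diagnosis Guide text above says RC 402 means no suite could be agreed. The script below is an added example, not code from the thread or from IBM: it splits the GSK string into 4-hex-digit suite IDs and replays the negotiation under the assumption that the server picks the first entry of its own list that the client also offered, which reproduces the 002F chosen in the trace; the suite names are a hand-entered subset of the IANA registry and the "TLSV1.2" comparison string is an assumed value.

```python
"""Decode a System SSL GSK_V3_CIPHER_SPECS_EXPANDED string and replay the cipher
negotiation seen in the AT-TLS trace. Added example; selection rule is an assumption."""
from typing import List, Optional

# IANA registry names for the suites that appear in the trace (hand-entered subset).
SUITE_NAMES = {
    "C02F": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # TLS 1.2 only
    "C030": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",  # TLS 1.2 only
    "009E": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",    # TLS 1.2 only
    "009F": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",    # TLS 1.2 only
    "009C": "TLS_RSA_WITH_AES_128_GCM_SHA256",        # TLS 1.2 only
    "009D": "TLS_RSA_WITH_AES_256_GCM_SHA384",        # TLS 1.2 only
    "002F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "0035": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "000A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "0005": "TLS_RSA_WITH_RC4_128_SHA",
    "0032": "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "0038": "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
}
GCM_ONLY_TLS12 = {"C02F", "C030", "009E", "009F", "009C", "009D"}

def split_specs(expanded: str) -> List[str]:
    """Split the GSK_V3_CIPHER_SPECS_EXPANDED value: one 4-hex-digit ID per suite."""
    s = expanded.strip().upper()
    if len(s) % 4 or any(c not in "0123456789ABCDEF" for c in s):
        raise ValueError("expanded spec must be a run of 4-hex-digit suite IDs")
    return [s[i:i + 4] for i in range(0, len(s), 4)]

def choose_suite(server: List[str], client: List[str], sec_type: str) -> Optional[str]:
    """Assumed rule: first server-preferred suite the client also offered.
    GCM suites need TLS 1.2, so they are skipped when the connection is TLSV1/TLSV1.1."""
    offered = set(client)
    for suite in server:
        if suite in offered and not (suite in GCM_ONLY_TLS12 and sec_type != "TLSV1.2"):
            return suite
    return None  # AT-TLS reports this outcome as RC 402 (no agreed cipher suite)

def negotiate(server_expanded: str, client_hello_suites: List[str], sec_type: str) -> str:
    chosen = choose_suite(split_specs(server_expanded), client_hello_suites, sec_type)
    if chosen is None:
        return "RC 402: no cipher suite in common"
    return f"{chosen} {SUITE_NAMES.get(chosen, 'unknown')}"

if __name__ == "__main__":
    server = "C02FC030009E009F009C009D002F0035000A"     # server list from the trace
    client = ["002F", "0035", "0005", "000A", "0032", "0038"]  # client hello from the trace
    print(negotiate(server, client, "TLSV1"))  # 002F TLS_RSA_WITH_AES_128_CBC_SHA
    # Constructed failure case: the client offers only suites absent from the server list.
    print(negotiate(server, ["0005", "0032", "0038"], "TLSV1"))  # RC 402
```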
Re: AT-TLS question , issue
Scott,

I was looking at this document a little while ago: IBM z/OS V1R13 CS TCP/IP Implementation: Volume 4 Security and Policy-Based Networking. Chapter 16 'Telnet Security' has some good information on this. Page 680 has a Table 16-1 that details the order of the ciphers. I think you can influence the order of this in the TCPIP parameters used. I believe this command would detail the ciphers in effect for the profile and port:

    D TCPIP,TN3270D,T,PROF,PORT=992,DET,MAX=*
    EZZ6080I TN3270D PROFILE DISPLAY 631
     PERSIS FUNCTION DIA SECURITY TIMERS MISC
     (LMTGCAK)(OPATSKTQSSHRT)(DRF)(PCKLECXN2)(IPKPSTS)(SMLT)
     ------- ------------- --- --------- ------- ----
     *** ***TSBTQ***RT EC* BB**D *P**STS *DD* *DEFAULT
     --- T --- - --- *TGLOBAL
     -M- S --F SSS-E*--- *---ST- S--- *TPARMS
     *M* ***TSBTQ***RT ECF SSS*E *P**STS SDD* CURR
     SECURITY
      SECUREPORT 992                    1
      CONNTYPE SECURE                   2
      KEYRING SAF TCPIP/SharedRing1     3
      CRLLDAPSERVER NONE/TTLS/**N/A**
      ENCRYPTION DS,3S                  4
      CLIENTAUTH NONE                   5
      NOEXPRESSLOGON
      NONACUSERID
      NOSSLV2
     TIMERS
      INACTIVE 0 (OFF)
      PROFILEINACTIVE 1800
      KEEPINACTIVE 0 (OFF)
      PRTINACTIVE 0 (OFF)
      SCANINTERVAL 120
      TIMEMARK 600
      SSLTIMEOUT 5
      KEYRING SAF TCPIP/SharedRing1     6

In this example, the numbers correspond to the following information:
1. Port 992 is used.
2. The port is for secure connection.
3. The name of the key ring in use.
4. The list of ciphers being used (DS for SSL_DES_SHA and 3S for SSL_3DES_SHA). See Table 16-1 on page 680 for the complete list of supported ciphers.
5. The client authentication is not used.
6. The key ring used is SharedRing1, which is managed by an SAF product (RACF, in our case).

Hope this helps out.

Lynn Gilson
ANTM, Inc.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Scott Ford
Sent: Wednesday, May 13, 2015 15:20
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: AT-TLS question , issue
> [...]
AT-TLS question , issue
All,

We are running z/OS 1.13 and I have AT-TLS configured with PAGENT and SYSLOGD. We are testing a Java client inbound to a COBOL STC running CICS Sockets (ezasoket). In our testing we are seeing an EZD1287I TTLS Error RC: 402 Initial Handshake. The server is showing a socket-read errno=54 - Econnreset. Does this imply the cipher is wrong? The Java client is sending a self-signed certificate which we generated. We know it's ok locally in the same physical office with another server. What I am not sure about is what ciphers, if this is the issue, are supported on AT-TLS. Can someone be kind enough to help me out?

Regards,
Scott