Re: setting up CSSMTP to use TLS-SSL
Yup. In the TLS protocol that is referred to as a "server certificate." It tells the client about the authenticity of the server. It "certifies" the server (for the client).

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Brian Westerman
Sent: Wednesday, September 2, 2020 10:17 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: setting up CSSMTP to use TLS-SSL

It's from the server box, but they have it marked "client side to use our cert".

Brian

On Wed, 2 Sep 2020 08:22:19 -0700, Charles Mills wrote:

>*Client* certificate? I think you mean Server Certificate.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: setting up CSSMTP to use TLS-SSL
It's from the server box, but they have it marked "client side to use our cert".

Brian

On Wed, 2 Sep 2020 08:22:19 -0700, Charles Mills wrote:

>*Client* certificate? I think you mean Server Certificate.
>
>Charles
>
>-----Original Message-----
>From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Brian Westerman
>Sent: Tuesday, September 1, 2020 9:34 PM
>To: IBM-MAIN@LISTSERV.UA.EDU
>Subject: Re: setting up CSSMTP to use TLS-SSL
>
>Okay, I see now. The client cert is available from our email server, it was just a matter of downloading it and adding to RACF.
Re: setting up CSSMTP to use TLS-SSL
*Client* certificate? I think you mean Server Certificate.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Brian Westerman
Sent: Tuesday, September 1, 2020 9:34 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: setting up CSSMTP to use TLS-SSL

Okay, I see now. The client cert is available from our email server, it was just a matter of downloading it and adding to RACF.
Re: setting up CSSMTP to use TLS-SSL
Brian Westerman asked:
>So does this all mean that (currently) no one on the list
>uses TLS-SSL to forward their mail from CSSMTP to the
>target mail server?

I see "Yes, we use TLS" replies have overtaken this question. That said, I assume you wouldn't want and don't expect anyone in an open forum to confess to having an open, potential security exposure...that they're quickly closing right now.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: setting up CSSMTP to use TLS-SSL
Okay, I see now. The client cert is available from our email server, it was just a matter of downloading it and adding to RACF.

Thanks,

Brian

On Tue, 1 Sep 2020 08:21:13 -0500, Peter Vander Woude wrote:

>Brian,
>
>I do use AT-TLS with CSSMTP to our internal e-mail relay. For the keyring, you need to add the CA's that have signed the ssl cert for the server.
>
>If the e-mail server is using a self-signed certificate, you need them to send a copy of it (only the public portion) and it has to be added as a certificate authority.
>
>Peter
Re: setting up CSSMTP to use TLS-SSL
Brian,

I do use AT-TLS with CSSMTP to our internal e-mail relay. For the keyring, you need to add the CA's that have signed the ssl cert for the server.

If the e-mail server is using a self-signed certificate, you need them to send a copy of it (only the public portion) and it has to be added as a certificate authority.

Peter
Re: setting up CSSMTP to use TLS-SSL
We have ours set up to use TLS from CSSMTP to an internal Proofpoint mail server. We have Secure set to Yes in the CSSMTP config and then use Policy Agent (AT-TLS) to handle the handshake.

David

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Brian Westerman
Sent: Monday, August 31, 2020 11:33 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: setting up CSSMTP to use TLS-SSL

So does this all mean that (currently) no one on the list uses TLS-SSL to forward their mail from CSSMTP to the target mail server?

Brian
Re: setting up CSSMTP to use TLS-SSL
I think the most common approach is to have CSSMTP send the mail to an enterprise (internal) mail server and let it take care of security going out to the internet.

On 8/31/20 11:33 PM, Brian Westerman wrote:
> So does this all mean that (currently) no one on the list uses TLS-SSL to forward their mail from CSSMTP to the target mail server?
>
> Brian
Re: setting up CSSMTP to use TLS-SSL
So does this all mean that (currently) no one on the list uses TLS-SSL to forward their mail from CSSMTP to the target mail server?

Brian
Re: setting up CSSMTP to use TLS-SSL
Thanks, easier said than done, but does answer that part.

On Mon, 31 Aug 2020 07:12:07 +0000, Gibney, Dave wrote:

>If the certificate they present is signed by a recognized CA, you should be able to get root and any required intermediates from the signing CA's site.
>
>> -----Original Message-----
>> From: IBM Mainframe Discussion List On Behalf Of Brian Westerman
>> Sent: Sunday, August 30, 2020 11:55 PM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: setting up CSSMTP to use TLS-SSL
>>
>> Hi,
>>
>> Has anyone on the list set up their CSSMTP client to use TLS-SSL to forward the email to a target email server that only supports TLS-SSL?
>>
>> I see the steps in the CSSMTP configuration "Steps for using Transport Layer Security for CSSMTP", but it's unclear to me where I get the certificate.
>>
>> Step 2(a) says:
>>
>> a. Create the key ring.
>> The client key ring needs the root certification used to sign the server certificates. For a TLS/SSL primer and some step-by-step examples, see TLS/SSL security. For more information about managing key rings and certificates with RACF® and the RACDCERT command, see z/OS Security Server RACF Security Administrator's Guide. For more information about managing key rings and certificates with gskkyman, see z/OS Cryptographic Services System SSL Programming.
>>
>> How do I get the root certification used to sign the server certificates? Is that something that the people that take care of the server are supposed to supply to me?
>>
>> then 2(c) is 5 steps and says:
>> c. Configure the client system to use TLS with AT-TLS policies as follows:
>>
>> 1) Specify TTLS on the TCPCONFIG statement in the TCP/IP profile for the client stack. For information about the TCPCONFIG statement, see z/OS Communications Server: IP Configuration Reference.
>> (I understand this one)
>>
>> 2) Block the ability of applications to open a socket before AT-TLS policy is loaded into the TCP/IP stack by setting up EZB.INITSTACK.sysname.tcpname for the client stack.
>> (this seems like an optional step)
>>
>> 3) Create a main Policy Agent configuration file containing a TcpImage statement for the client stack, and create a TcpImage policy file for the client stack.
>> (this seems pretty simple, but where does it go?)
>>
>> 4) Add a TTLSConfig statement to each TcpImage policy file to identify the TTLSConfig policy file location:
>> TTLSConfig clientPath
>> (I am assuming that the clientPath is some USS file I create that indicates the information to find the keyring from 2(a) above, is that correct?) (Where does the TcpImage policy file go? i.e. how do I define it?)
>>
>> 5) Add the AT-TLS policy statements to the clientPath file
>> (they have an example for this step right in the manual so that's pretty easy to follow)
>>
>> Thanks for your help, any examples of a working configuration would be really helpful.
>>
>> Brian
Re: setting up CSSMTP to use TLS-SSL
On 8/31/20 11:02 AM, Charles Mills wrote:
> - The more critical task IMHO is proving to the user that she is actually talking to the URL she intended to talk to: that her session is really, truly with Bank of America and not with some man-in-the-middle pretending to be Bank of America.

Conceptually, I agree. But this is where the trustworthiness of a CA comes into play and may be called into question.

Each and every single trusted Root CA can issue completely independent certificates for the same subject (CN / SAN).

This starts to be germane when someone / something with recognized authority or unauthorized access directs a CA to issue a certificate for someone else; things get ... dicey.

E.g. a questionable political regime directs an in-country CA to issue them a certificate for a specific web site that they want to surreptitiously access encrypted content via an undetected man-in-the-middle attack.

--
Grant. . . .
unix || die
Re: setting up CSSMTP to use TLS-SSL
On 8/31/20 10:29 AM, Charles Mills wrote:
> Also! Let me nitpick myself before someone else does it for me: When I wrote "the CA vouches that the *subject name* in the certificate belongs to Charles Mills" -- that should be "the subject names" (plural) belong to Charles Mills.

Ya. The mandatory Common Name (CN) field vs the optional Subject Alternate Name (SAN) field can get entertaining. Especially when you consider how some contemporary web browsers require the CN to be listed in the SAN as well. So much so that they are starting to ignore the CN.

--
Grant. . . .
unix || die
Re: setting up CSSMTP to use TLS-SSL
Forgive me for droning on about this. I just did that certificate class for NewEra and this stuff is on my brain.

> the CA vouches that your public key belongs to the
> entity that once called itself "Charles Mills"

As I said, not exactly. One of the reasons certificates can be so confusing is that they accomplish two largely unrelated tasks (I am speaking of end entity certificates, "server certificates" here):

- The one that gets much of the attention is really the less interesting part: setting up the data encryption for the session. The public key in the certificate is the first step in that process. That is what it is used for. It does not "prove" anything to the user.

- The more critical task IMHO is proving to the user that she is actually talking to the URL she intended to talk to: that her session is really, truly with Bank of America and not with some man-in-the-middle pretending to be Bank of America. That's why the CA's validation that the folks they are issuing the certificate to are really who they claim to be is so critically important.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Paul Gilmartin
Sent: Monday, August 31, 2020 7:47 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: setting up CSSMTP to use TLS-SSL

On Mon, 31 Aug 2020 06:31:12 -0700, Charles Mills wrote:

>A self-signed certificate *is* a root certificate -- the two terms are
>essentially synonymous (although they are used with different implications).
>If the SMTP server is presenting a self-signed certificate then it effectively
>is its own CA certificate, and you will have to install it in RACF.
>
What does "self-signed certificate" mean? Who should trust one? I'm imagining, in the extreme, a certificate self-signed by Guccifer 2.0.

What is the trail of authentication? I understand you have a cert. What did you need to do to authenticate yourself to the CA? Is it merely that the CA vouches that your public key belongs to the entity that once called itself "Charles Mills" and paid with a credit card?
Re: setting up CSSMTP to use TLS-SSL
Interesting. Certainly does show that "who do you trust?" is a significant decision.

Marking a certificate in RACF as trusted is not just housekeeping; it is a significant security decision. You are not just saying "I need RACF to be able to use this as a CA certificate"; you are saying "this organization is willing to bet its security on the trustworthiness of this certificate." I think that is why IBM stopped shipping a RACF database with pre-installed CA certificates. IBM does not want to be in the business of making those decisions for you.

Also! Let me nitpick myself before someone else does it for me: When I wrote "the CA vouches that the *subject name* in the certificate belongs to Charles Mills" -- that should be "the subject names" (plural) belong to Charles Mills.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Grant Taylor
Sent: Monday, August 31, 2020 8:50 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: setting up CSSMTP to use TLS-SSL

On 8/31/20 9:34 AM, Charles Mills wrote:
> Are CA's perfect? I don't *know* of a CA hack but I do know of (I
> should probably say "alleged") CA sloppiness:

DigiNotar was compromised: "...it had become clear that a security breach had resulted in the fraudulent issuing of certificates..."

Link - DigiNotar - https://en.wikipedia.org/wiki/DigiNotar

I believe there have been others in the past. But DigiNotar was one of the most prominent breaches that I remember. I think part of their problem was how they failed to handle the situation.

I think Comodo has had problems too. I don't know the circumstances around them.

I don't know how much of a problem (if that's the correct term) it is on the mainframe world, but Windows used to trust hundreds of CAs. That means hundreds of entities that could sign certificates for any given subject. A common scapegoat for a popular podcast is that the Hongkong Post can sign certificates for ibm.com or listserv.ua.edu. Any of the multiple hundred Root CAs can do it.

CAA records offer some protection for this, but that is no guarantee.
Re: setting up CSSMTP to use TLS-SSL
On 8/31/20 9:34 AM, Charles Mills wrote:
> Are CA's perfect? I don't *know* of a CA hack but I do know of (I
> should probably say "alleged") CA sloppiness:

DigiNotar was compromised: "...it had become clear that a security breach had resulted in the fraudulent issuing of certificates..."

Link - DigiNotar - https://en.wikipedia.org/wiki/DigiNotar

I believe there have been others in the past. But DigiNotar was one of the most prominent breaches that I remember. I think part of their problem was how they failed to handle the situation.

I think Comodo has had problems too. I don't know the circumstances around them.

I don't know how much of a problem (if that's the correct term) it is on the mainframe world, but Windows used to trust hundreds of CAs. That means hundreds of entities that could sign certificates for any given subject. A common scapegoat for a popular podcast is that the Hongkong Post can sign certificates for ibm.com or listserv.ua.edu. Any of the multiple hundred Root CAs can do it.

CAA records offer some protection for this, but that is no guarantee.

--
Grant. . . .
unix || die
Re: setting up CSSMTP to use TLS-SSL
"Self-signed certificate" means a certificate that is at the bottom of the chain: there is no higher (mixing my tops and bottoms here) authority that vouches for it. Every CA root certificate is self-signed. (Who else would sign it? The Pope? Bill Gates? Stephen Hawking?)

For a normal endpoint certificate you accept it because the CA certificate that is at the head of its authentication chain is pre-installed. For a self-signed certificate, that is the certificate itself. Every time you install a root certificate as trusted you are saying "I trust this certificate. We trust this certificate." That is equally true for a DigiCert certificate or a Foobar the CA certificate.

There is nothing inherently wrong with self-signed certificates. Just like every other certificate -- if you are going to trust it you have to know what you are doing.

Why should a particular CA be trusted? That is up to the trustor to decide. There is never any higher authority. (See above.)

> What is the trail of authentication? ... Is it
> merely that the CA vouches that your public key belongs to the
> entity that once called itself "Charles Mills" and paid with a credit
> card?

Basically, yes. I would say "the CA vouches that the *subject name* in the certificate belongs to Charles Mills." (The certificate *has* a public key -- that key is part of the certificate and does not "belong to" anyone else. The owner of the certificate presumably has under safekeeping the corresponding private key.)

Are CA's perfect? I don't *know* of a CA hack but I do know of (I should probably say "alleged") CA sloppiness: https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Paul Gilmartin
Sent: Monday, August 31, 2020 7:47 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: setting up CSSMTP to use TLS-SSL

On Mon, 31 Aug 2020 06:31:12 -0700, Charles Mills wrote:

>A self-signed certificate *is* a root certificate -- the two terms are
>essentially synonymous (although they are used with different implications).
>If the SMTP server is presenting a self-signed certificate then it effectively
>is its own CA certificate, and you will have to install it in RACF.
>
What does "self-signed certificate" mean? Who should trust one? I'm imagining, in the extreme, a certificate self-signed by Guccifer 2.0.

What is the trail of authentication? I understand you have a cert. What did you need to do to authenticate yourself to the CA? Is it merely that the CA vouches that your public key belongs to the entity that once called itself "Charles Mills" and paid with a credit card?

And quis custodiet ipsos custodes? Why should a particular CA be trusted other than the authority of a higher CA? I understand there have been compromised CAs, by hacks rather than intrinsic fraud.
Re: setting up CSSMTP to use TLS-SSL
On Mon, 31 Aug 2020 06:31:12 -0700, Charles Mills wrote:

>A self-signed certificate *is* a root certificate -- the two terms are
>essentially synonymous (although they are used with different implications).
>If the SMTP server is presenting a self-signed certificate then it effectively
>is its own CA certificate, and you will have to install it in RACF.
>
What does "self-signed certificate" mean? Who should trust one? I'm imagining, in the extreme, a certificate self-signed by Guccifer 2.0.

What is the trail of authentication? I understand you have a cert. What did you need to do to authenticate yourself to the CA? Is it merely that the CA vouches that your public key belongs to the entity that once called itself "Charles Mills" and paid with a credit card?

And quis custodiet ipsos custodes? Why should a particular CA be trusted other than the authority of a higher CA? I understand there have been compromised CAs, by hacks rather than intrinsic fraud.

--
gil
Re: setting up CSSMTP to use TLS-SSL
A self-signed certificate *is* a root certificate -- the two terms are essentially synonymous (although they are used with different implications). If the SMTP server is presenting a self-signed certificate then it effectively is its own CA certificate, and you will have to install it in RACF.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Roberto Halais
Sent: Monday, August 31, 2020 1:48 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: setting up CSSMTP to use TLS-SSL

Do you get a root if it's a self signed certificate?

On Mon, Aug 31, 2020 at 3:12 AM Gibney, Dave wrote:

> If the certificate they present is signed by a recognized CA, you should
> be able to get root and any required intermediates from the signing CA's
> site.
>
> > -----Original Message-----
> > From: IBM Mainframe Discussion List On Behalf Of Brian Westerman
> > Sent: Sunday, August 30, 2020 11:55 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: setting up CSSMTP to use TLS-SSL
> >
> > [...]

--
Politics: Poli (many) - tics (blood sucking parasites)
Re: setting up CSSMTP to use TLS-SSL
Or it may already be installed, or they may be willing to supply it to you.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Gibney, Dave
Sent: Monday, August 31, 2020 12:12 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: setting up CSSMTP to use TLS-SSL

If the certificate they present is signed by a recognized CA, you should be able to get root and any required intermediates from the signing CA's site.

> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Brian Westerman
> Sent: Sunday, August 30, 2020 11:55 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: setting up CSSMTP to use TLS-SSL
>
> [...]
Re: setting up CSSMTP to use TLS-SSL
Do you get a root if it's a self signed certificate?

On Mon, Aug 31, 2020 at 3:12 AM Gibney, Dave wrote:

> If the certificate they present is signed by a recognized CA, you should
> be able to get root and any required intermediates from the signing CA's
> site.
>
> > -----Original Message-----
> > From: IBM Mainframe Discussion List On Behalf Of Brian Westerman
> > Sent: Sunday, August 30, 2020 11:55 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: setting up CSSMTP to use TLS-SSL
> >
> > [...]

--
Politics: Poli (many) - tics (blood sucking parasites)
Re: setting up CSSMTP to use TLS-SSL
If the certificate they present is signed by a recognized CA, you should
be able to get root and any required intermediates from the signing CA's
site.

> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Brian Westerman
> Sent: Sunday, August 30, 2020 11:55 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: setting up CSSMTP to use TLS-SSL
>
> How do I get the root certification used to sign the server certificates? Is
> that something that the people that take care of the server are supposed to
> supply to me?
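An added example, not code from anyone in this thread, that shows in working form what the two answers above describe: which certificate in a chain is the root, what a self-signed server certificate looks like (it names itself as issuer and verifies under its own key, so there is no separate root to fetch), and how to turn the root into DER for a binary upload that RACDCERT ADD can read. It assumes an openssl command line (on a workstation or in z/OS UNIX). The chain is constructed inside the script so it runs offline; the s_client command in the comment is how you would capture a real server's chain, which normally contains only the leaf and intermediates, so the root then has to come from the CA's own site, as Dave says.

```shell
#!/bin/sh
# Added example (not from the thread). Against a real SMTP server you would
# capture the chain it presents with
#   openssl s_client -connect mail.example.test:25 -starttls smtp -showcerts
# split the PEM blocks into files, and feed them to the functions below.
set -eu

# Constructed test data: root -> issuing CA -> server, plus a stand-alone
# self-signed server certificate, all written into directory $1.
build_demo_chain() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$dir/srv.ext"
  for n in root int srv self; do
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/$n.key" 2>/dev/null
    openssl req -new -key "$dir/$n.key" -subj "/CN=demo-$n" -out "$dir/$n.csr" 2>/dev/null
  done
  # Root: signs its own request with its own key and carries CA:TRUE.
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 \
      -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  # Issuing CA: signed by the root, also CA:TRUE.
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
      -CAcreateserial -days 1 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
  # Server certificate as a CA would issue it: signed by the issuing CA.
  openssl x509 -req -in "$dir/srv.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
      -CAcreateserial -days 1 -extfile "$dir/srv.ext" -out "$dir/srv.pem" 2>/dev/null
  # Self-signed server certificate: issuer == subject, signed with its own key.
  openssl x509 -req -in "$dir/self.csr" -signkey "$dir/self.key" -days 1 \
      -extfile "$dir/srv.ext" -out "$dir/self.pem" 2>/dev/null
}

# True when the certificate in $1 names itself as issuer AND its signature
# verifies under its own public key (-check_ss_sig). A root CA certificate and
# a self-signed server certificate both pass; a CA-issued server or
# intermediate certificate fails.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject); subj=${subj#subject=}
  iss=$(openssl x509 -in "$1" -noout -issuer);   iss=${iss#issuer=}
  [ "$subj" = "$iss" ] && openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1
}

# Given the PEM files of a chain in any order, print the one that is the root,
# i.e. the trust anchor the client key ring needs. Returns 1 when none of them
# is self-signed, the usual case for a chain captured from the server itself:
# the root then has to be fetched from the CA's site.
chain_root() {
  for c in "$@"; do
    if is_self_signed "$c"; then
      printf '%s\n' "$c"
      return 0
    fi
  done
  return 1
}

# PEM -> DER, for a binary upload into the MVS data set that RACDCERT ADD reads.
to_racf_der() {
  openssl x509 -in "$1" -outform DER -out "$2"
}

# SHA-256 fingerprint, to compare against the value the CA publishes for its root.
fingerprint() {
  fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  printf '%s\n' "${fp#*=}"
}

main() {
  work=$(mktemp -d)
  build_demo_chain "$work"
  echo "root of the CA-issued chain: $(chain_root "$work/srv.pem" "$work/int.pem" "$work/root.pem")"
  openssl verify -CAfile "$work/root.pem" -untrusted "$work/int.pem" "$work/srv.pem"
  if ! chain_root "$work/srv.pem" "$work/int.pem" >/dev/null; then
    echo "leaf + intermediate only: no root in hand, get it from the CA's site"
  fi
  if is_self_signed "$work/self.pem"; then
    echo "self-signed server certificate: it is its own root; that is the one to trust"
  fi
  to_racf_der "$work/root.pem" "$work/root.der"
  echo "root fingerprint (compare with the CA's published value): $(fingerprint "$work/root.pem")"
  rm -rf "$work"
}
main
```

The fingerprint check is the step that matters: anything downloaded over the network, including a root from a CA's website, should be compared against a fingerprint published out of band before it is added to the ring with TRUST, because whatever sits in the client ring as CERTAUTH decides which servers CSSMTP will hand mail to.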
setting up CSSMTP to use TLS-SSL
Hi,

Has anyone on the list set up their CSSMTP client to use TLS-SSL to forward
the email to a target email server that only supports TLS-SSL?

I see the steps in the CSSMTP configuration "Steps for using Transport Layer
Security for CSSMTP", but it's unclear to me where I get the certificate.

Step 2(a) says:

a. Create the key ring.
The client key ring needs the root certification used to sign the server
certificates. For a TLS/SSL primer and some step-by-step examples, see
TLS/SSL security. For more information about managing key rings and
certificates with RACF® and the RACDCERT command, see z/OS Security
Server RACF Security Administrator's Guide. For more information about
managing key rings and certificates with gskkyman, see z/OS
Cryptographic Services System SSL Programming.

How do I get the root certification used to sign the server certificates? Is
that something that the people that take care of the server are supposed to
supply to me?

Then 2(c) is 5 steps and says:

c. Configure the client system to use TLS with AT-TLS policies as follows:

1) Specify TTLS on the TCPCONFIG statement in the TCP/IP profile for
the client stack. For information about the TCPCONFIG statement, see
z/OS Communications Server: IP Configuration Reference.
(I understand this one)

2) Block the ability of applications to open a socket before AT-TLS policy is
loaded into the TCP/IP stack by setting up
EZB.INITSTACK.sysname.tcpname for the client stack.
(this seems like an optional step)

3) Create a main Policy Agent configuration file containing a TcpImage
statement for the client stack, and create a TcpImage policy file for the
client stack.
(this seems pretty simple, but where does it go?)

4) Add a TTLSConfig statement to each TcpImage policy file to identify the
TTLSConfig policy file location:
TTLSConfig clientPath
(I am assuming that the clientPath is some USS file I create that indicates
the information to find the keyring from 2(a) above, is that correct?)
(Where does the TcpImage policy file go? i.e. how do I define it?)

5) Add the AT-TLS policy statements to the clientPath file
(they have an example for this step right in the manual so that's pretty
easy to follow)

Thanks for your help, any examples of a working configuration would be
really helpful.

Brian
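As an added example, not from Brian's post and not IBM's own sample, here is what one end-to-end client-side configuration for steps 2(a) and 2(c)1 to 2(c)5 looks like, in the order the files are read. Every name in it is an assumption: the data set names, certificate labels, the started-task user ID CSSMTP runs under (CSSMTP), the ring name, the paths under /etc/pagent, the stack name TCPIP, the OMVS kernel user ID, and the target host. Check each statement's syntax against the IP Configuration Reference and the RACF Security Administrator's Guide that the steps cite. Three points the step list leaves implicit: the AT-TLS handshake runs under the identity of the connecting application, so the ring must belong to, or be readable by, the user ID CSSMTP runs under; CSSMTP issues STARTTLS on the SMTP connection and then asks the stack to start the handshake, so the policy is ApplicationControlled rather than starting TLS at connect time; and step 2(c)2 is a security control, not a sequencing nicety, since without EZB.INITSTACK anything that connects between stack initialization and policy load goes out in clear text. Lines beginning with '#' are annotations and not part of the RACF commands.

```text
# ---- Step 2(a), RACF: the provider's root (and intermediate) CA certificates,
# ---- uploaded to MVS data sets (PEM as text, or DER as binary, RECFM VB),
# ---- go into a ring owned by the CSSMTP started-task user.
RACDCERT CERTAUTH ADD('BRIAN.CERTS.ROOT') WITHLABEL('MailProviderRoot') TRUST
RACDCERT CERTAUTH ADD('BRIAN.CERTS.INTER') WITHLABEL('MailProviderInter') TRUST
RACDCERT ID(CSSMTP) ADDRING(CSSMTPRING)
RACDCERT ID(CSSMTP) CONNECT(CERTAUTH LABEL('MailProviderRoot') RING(CSSMTPRING))
RACDCERT ID(CSSMTP) CONNECT(CERTAUTH LABEL('MailProviderInter') RING(CSSMTPRING))
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(CSSMTP) ACCESS(READ)
SETROPTS RACLIST(FACILITY DIGTCERT DIGTRING) REFRESH
RACDCERT ID(CSSMTP) LISTRING(CSSMTPRING)

# ---- Step 2(c)2, RACF: hold sockets until PAGENT has installed policy. Only
# ---- address spaces that must be up before policy (PAGENT, the OMVS kernel,
# ---- syslogd, ...) get READ; sysname and TCPIP are placeholders.
RDEFINE SERVAUTH EZB.INITSTACK.sysname.TCPIP UACC(NONE)
PERMIT EZB.INITSTACK.sysname.TCPIP CLASS(SERVAUTH) ID(PAGENT) ACCESS(READ)
PERMIT EZB.INITSTACK.sysname.TCPIP CLASS(SERVAUTH) ID(OMVSKERN) ACCESS(READ)
SETROPTS RACLIST(SERVAUTH) REFRESH

# ---- Step 2(c)1, TCP/IP profile of the client stack: enable AT-TLS.
TCPCONFIG TTLS

# ---- Step 2(c)3, /etc/pagent.conf (the main Policy Agent file, read by the
# ---- PAGENT started task): one TcpImage statement per stack, naming the
# ---- image policy file.
TcpImage TCPIP /etc/pagent/TCPIP.policy FLUSH PURGE

# ---- Step 2(c)4, /etc/pagent/TCPIP.policy (the image policy file): points at
# ---- the AT-TLS policy file, which is the "clientPath" of the manual.
TTLSConfig /etc/pagent/TCPIP.ttls FLUSH PURGE

# ---- Step 2(c)5, /etc/pagent/TCPIP.ttls: AT-TLS policy for outbound SMTP
# ---- from the CSSMTP job only. Anything not matched by a rule stays clear.
TTLSRule                     CSSMTP_Client
{
  LocalAddr                  ALL
  RemoteAddr                 ALL
  RemotePortRange            25
  Jobname                    CSSMTP
  Direction                  Outbound
  Priority                   255
  TTLSGroupActionRef         CSSMTP_Group
  TTLSEnvironmentActionRef   CSSMTP_Env
}
TTLSGroupAction              CSSMTP_Group
{
  TTLSEnabled                On
  Trace                      2
}
TTLSEnvironmentAction        CSSMTP_Env
{
  HandshakeRole              Client
  TTLSKeyringParms
  {
    Keyring                  CSSMTP/CSSMTPRING
  }
  TTLSEnvironmentAdvancedParms
  {
    # CSSMTP sends STARTTLS itself and then starts the handshake via the
    # stack, so TLS must not begin on connect.
    ApplicationControlled    On
    SSLv3                    Off
    TLSv1                    Off
    TLSv1.1                  Off
    TLSv1.2                  On
  }
  TTLSCipherParmsRef         CSSMTP_Ciphers
}
TTLSCipherParms              CSSMTP_Ciphers
{
  V3CipherSuites             TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites             TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}

# ---- CSSMTP configuration file: ask for STARTTLS to the target server.
# ---- (Parameter names to be checked in the CSSMTP TargetServer statement.)
TargetServer
{
  TargetName   mail.example.test
  Secure       Yes
}
```

After F PAGENT,REFRESH (or a PAGENT restart), pasearch -t should list CSSMTP_Client and NETSTAT TTLS should show the rule as active; the CSSMTP job log then reports whether the STARTTLS handshake succeeded. With Trace 2, handshake failures (untrusted issuer, name mismatch, no common cipher) are written to syslogd, which is where to look when the target server's certificate chain does not validate against what was placed in the ring.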