Re: ZOWE and AT-TLS (PAGENT)

2024-07-29 Thread Colin Paice
I see others have replied about ZOWE. Yes, you can use ICSF for your
private key (which may store it (encrypted) in the hardware).
Colin


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: ZOWE and AT-TLS (PAGENT)

2024-07-29 Thread Ronald Kristel
Looking at the release notes for ZOWE 2.17, it appears that they improved or 
added support specifically for AT-TLS.

https://docs.zowe.org/stable/whats-new/release-notes/v2_17_0/

Ronald Kristel





Re: ZOWE and AT-TLS (PAGENT)

2024-07-29 Thread Allan Staller

Yes, by definition.
AT-TLS stands for Application Transparent - Transport Layer Security





ZOWE and AT-TLS (PAGENT)

2024-07-29 Thread jgmauta...@yahoo.com.ar
Hi!
Does ZOWE support AT-TLS for managing its TLS encryption? Can I store the 
(private) key of the server certificate in ICSF?
We have z/OS 2.4 and ZOWE 2.16

Thanks in advance for your help,


Juan Mautalen

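To make the "yes" in the replies concrete, here is an added example of what the two halves of the answer look like on the system; it is not from the thread and it is not Zowe's shipped configuration. Assumed names: Zowe started-task user ZWESVUSR, key ring ZoweKeyring, API gateway port 7554, Zowe job names starting ZWE, certificate label ZOWESERVER, local CA label LOCALCA, and TCPIP as the TCP/IP stack's user ID; change all of them to match your installation. The ICSF keyword on RACDCERT GENCERT is what makes RACF keep the private key in the ICSF PKDS instead of the RACF database, which is the option Colin refers to. AT-TLS opens the key ring under the TCP/IP stack's own identity, not under Zowe's, so the stack user needs ring access; if you protect ICSF with the CSFSERV/CSFKEYS classes, check that identity has access there as well.

```text
RACF (TSO):
RACDCERT ID(ZWESVUSR) GENCERT SUBJECTSDN(CN('zowe.example.com') O('EXAMPLE')) +
   WITHLABEL('ZOWESERVER') SIZE(2048) NOTAFTER(DATE(2026-07-31))            +
   SIGNWITH(CERTAUTH LABEL('LOCALCA')) ICSF
RACDCERT ID(ZWESVUSR) ADDRING(ZoweKeyring)
RACDCERT ID(ZWESVUSR) CONNECT(LABEL('ZOWESERVER') RING(ZoweKeyring) DEFAULT USAGE(PERSONAL))
RACDCERT ID(ZWESVUSR) CONNECT(CERTAUTH LABEL('LOCALCA') RING(ZoweKeyring) USAGE(CERTAUTH))
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(TCPIP) ACCESS(UPDATE)
SETROPTS RACLIST(FACILITY DIGTCERT DIGTRING) REFRESH

PAGENT TTLS policy (the file named on the TTLSConfig statement):
# Match Zowe's inbound listener and hand the TLS work to the stack.
TTLSRule                          ZoweGatewayInbound
{
  LocalPortRange                  7554
  Direction                       Inbound
  Jobname                         ZWE*
  TTLSGroupActionRef              grpOn
  TTLSEnvironmentActionRef        envZoweServer
}
TTLSGroupAction                   grpOn
{
  TTLSEnabled                     On
  Trace                           2          # errors to syslogd (EZD1286I)
}
TTLSEnvironmentAction             envZoweServer
{
  HandshakeRole                   Server
  TTLSKeyringParmsRef             keyZowe
  TTLSCipherParmsRef              cipherModern
  TTLSEnvironmentAdvancedParmsRef advServer
}
TTLSKeyringParms                  keyZowe
{
  Keyring                         ZWESVUSR/ZoweKeyring     # owner/ringname
}
TTLSCipherParms                   cipherModern
{
  V3CipherSuites                  TLS_AES_256_GCM_SHA384
  V3CipherSuites                  TLS_AES_128_GCM_SHA256
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
TTLSEnvironmentAdvancedParms      advServer
{
  CertificateLabel                ZOWESERVER
  TLSv1.3                         On
  TLSv1.2                         On
  TLSv1.1                         Off
  TLSv1                           Off
  SSLv3                           Off
}
```

Activate the policy with F PAGENT,REFRESH, confirm it parsed with pasearch -t from z/OS UNIX, and confirm a live connection is really under AT-TLS with D TCPIP,,NETSTAT,TTLS,CONN=connid,DETAIL. The other half is on the Zowe side: it has to know it is behind AT-TLS (the support Ronald points to in the 2.17 release notes) so that it stops doing its own TLS on the same port; otherwise clients see two handshakes, which is the failure Phil Smith describes in the AT-TLS Redbook thread further down this page.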


Re: AT-TLS Configuration assistant

2024-06-06 Thread Colin Paice
Please send the error messages to me offline

Colin





Re: AT-TLS Configuration assistant

2024-06-06 Thread Lennie Bradshaw
Colin,

Yes, I have been editing manually too. Using manual settings I have covered 
AT-TLS for 
1. 3270 connections,
2. CKNSERVE for zSecure connections between two z/OS systems.

I am now trying to add JES NJE to the setup. I have found this sort of sample 
and found at least one error in it.
https://ftpdocs.broadcom.com/cadocs/0/CA%20Spool%2012%200-ENU/Bookshelf_Files/HTML/Spool_Customization_ENU/2304043.html

I have attempted a correction to that, but still it does not work and I am 
failing to understand the error messages. So I thought maybe using the 
configurator would help.

Do you have a sample for NJE connections?
I will look at your blog. (I have used your blog previously for other stuff.)

Lennie



Re: AT-TLS Configuration assistant

2024-06-06 Thread Colin Paice
I tried using the AT-TLS config tool on z/OSMF.  It has quirks, and I gave
up and copied a known config and extended it.

I now edit the config file manually.  I blogged about it; search for
"colinpaice at-tls". If you contact me offline with what you want, I may be
able to create a config file.  Colin



Re: AT-TLS Configuration assistant

2024-06-06 Thread rpinion865
And from what I have heard, z/OSMF does not perform well under zPDT.






Re: AT-TLS Configuration assistant

2024-06-06 Thread Lennie Bradshaw
Tom,
Thanks for your thoughts.
There is another issue for me. I use z/OS on a zPDT machine with the z/OS 
system built from the ADCD system IBM supplies. As such I have no z/OSMF nor 
any current need for one.
So I would like to be able to use some kind of configuration tool.
Lennie



Re: AT-TLS Configuration assistant

2024-06-06 Thread Tom Longfellow
Just a note from old experiences.

I too hated the move from the windows version to z/OSMF but you sort of have 
to.   What forced me is:

1) IBM saying that using the windows client output is risky and may produce 
invalid configuration directives.
2) Concerns that a future release of z/OS will thoroughly reject the "old" way 
and be unable to implement "new" AT-TLS features

The only counter argument is that you are on the unsupported z/OS 1.12 system 
and will never move forward.   Living without support comes with these hurdles.

I still dislike the complexity of the NCA component of z/OSMF - I have managed 
to come to accept its non-intuitive quirks.  z/OSMF is handling syntax 
complications that I hope to never have to learn for myself.

It could be worse, you could be trying to maintain the raw Unix text files 
along with its arcane syntax.



Re: AT-TLS Configuration assistant

2024-06-06 Thread Lennie Bradshaw
Kolusu,

I was wrong. In Chapter 4 of that book it tells me I can download the 
configuration assistant from here,
http://www.ibm.com/support/docview.wss?rs=852&context=SWF10&dc=D410&uid=swg24013160&loc=en_US&cs=utf-8&lang=en/

Sadly that link is no longer working.
I feel sure someone must have a copy of the Windows version of the 
Configuration Assistant.

Lennie



Re: AT-TLS Configuration assistant

2024-06-05 Thread Lennie Bradshaw
Kolusu,

That tells me how to use it, but I still have nowhere to download the software.
Lennie



Re: AT-TLS Configuration assistant

2024-06-05 Thread Sri Hari Kolusu
>> I think it is labelled for z/OS V1R12. Is it available anywhere for download?

Lennie,

Maybe chapter 12 in the Redbook:

https://www.redbooks.ibm.com/redbooks/pdfs/sg247899.pdf

Thanks,
Kolusu



AT-TLS Configuration assistant

2024-06-05 Thread Lennie Bradshaw
I am looking for a copy of the old AT-TLS Configuration Assistant, not the one 
delivered with z/OSMF.
I think it is labelled for z/OS V1R12. Is it available anywhere for download?

Lennie





Re: AT-TLS Redbook

2024-05-12 Thread Paul Gorlinsky
The target machine is a development system and a client requirement needs its 
implementation.



Re: AT-TLS Redbook

2024-05-10 Thread Phil Smith III
I've said this here before, but it bears repeating: although I'd be the first 
to agree that this sounds stupid/basic, make sure they know NOT to turn it on 
Just Because. We've had two customers who decided it would increase security, 
so they enabled it--for a connection that was already using https. (To be 
precise, it wasn't the customer per se--it was their outsourcer.) The server 
(non-z/OS side) was not amused by the double TLS handshake. Fortunately by the 
second one, I recognized it quickly...

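The double-handshake case Phil describes can be caught before the TTLSRule is written, by looking at what the remote port actually sends. The script below is an added example (not code from the thread, and not an IBM tool): it connects, waits for a server-first greeting such as an SMTP banner, and if the server stays quiet sends a harmless plaintext request to see whether it answers in the clear or with a TLS alert. The sample greetings in it are constructed, not captured from any real host; run `probe()` against your own target before enabling AT-TLS for that port.

```python
"""Check whether a port already speaks TLS before putting an AT-TLS rule on it.

Added example; not code from the thread. If the first bytes a server sends are
a TLS record, the application is already doing TLS itself and an AT-TLS rule
on that connection would stack a second handshake on top of it.
"""
import socket

# Constructed samples: a TLS 1.2 ServerHello record, a TLS fatal alert
# (protocol_version), a plaintext SMTP banner and a plaintext HTTP reply.
SAMPLE_TLS_SERVER_HELLO = bytes.fromhex("160303002a02000026") + bytes(0x26)
SAMPLE_TLS_ALERT = bytes.fromhex("15030300020246")
SAMPLE_SMTP_BANNER = b"220 mail.example.com ESMTP ready\r\n"
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}   # ccs, alert, handshake, appdata


def classify(data: bytes) -> str:
    """Guess the transport from the first bytes a server sent.

    A TLS record starts with a content-type byte followed by the record-layer
    version 0x03 0x0N (N = 0..4 covers SSL3 and TLS 1.0-1.3); protocol text
    such as an SMTP greeting or an HTTP status line is ASCII.
    """
    if not data:
        return "no-data"
    if (len(data) >= 3 and data[0] in TLS_CONTENT_TYPES
            and data[1] == 0x03 and data[2] <= 0x04):
        return "tls-alert" if data[0] == 0x15 else "tls"
    if data.startswith(b"220"):        # RFC 5321 service-ready greeting
        return "plaintext-smtp"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def needs_at_tls(kind: str) -> bool:
    """Only a port that answered in the clear is a candidate for an AT-TLS rule.

    'tls' / 'tls-alert' means the application already negotiates TLS itself.
    'no-data' / 'unknown' means decide by hand: some TLS servers simply close
    the socket when they are sent plaintext instead of returning an alert.
    """
    return kind.startswith("plaintext-")


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect and wait for a server-first greeting (SMTP, FTP do this).

    If the server is quiet (client-first protocols such as HTTP/HTTPS), send
    a harmless plaintext request: a plaintext HTTP server answers "HTTP/",
    a TLS server answers with an alert record or closes the connection.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(64)
        except socket.timeout:
            data = b""
        if not data:
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            try:
                data = sock.recv(64)
            except (socket.timeout, ConnectionResetError):
                data = b""
    return classify(data)


if __name__ == "__main__":
    import sys
    kind = probe(sys.argv[1], int(sys.argv[2]))
    print(f"{sys.argv[1]}:{sys.argv[2]} -> {kind}; "
          f"AT-TLS rule appropriate: {needs_at_tls(kind)}")
```

For an outbound rule (the CSSMTP case later on this page) the target is the remote SMTP server on the port named in the CSSMTP configuration; for an inbound rule, probe your own listener from another host. A `tls` result on the port you were about to cover means the application side already has TLS and the AT-TLS rule should be dropped, or the application's own TLS turned off, but not both left on.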


Re: AT-TLS Redbook

2024-05-10 Thread Colin Paice
I've written many blog posts on AT-TLS - see here
<https://colinpaice.blog/category/tcpip/at-tls/>
They cover

   - Getting AT-TLS and PAGENT to work on z/OS – start here.
     <https://colinpaice.blog/2022/05/31/getting-at-tls-and-pagent-to-work-on-z-os-start-here/>
   - configuring PAGENT
   - Using z/OSMF Network Configuration Assistant for TCPIP, to define
     AT-TLS configuration (I found this more work than not using it)
   - programming with AT-TLS
   - secure x3270
   - tracing
   - debugging
   - netstat (for AT-TLS)

Please feel free to contact me offline

Colin




Re: AT-TLS Redbook

2024-05-09 Thread Timothy Sipples
As far as I’m aware there’s no IBM redbook that exclusively covers z/OS AT-TLS, 
but there are several redbooks that contain relevant chapters or sections. See 
this page for an index:

https://community.ibm.com/community/user/ibmz-and-linuxone/blogs/flora-gui1/2023/01/03/attls-info-hub

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com




AT-TLS Redbook

2024-05-09 Thread Paul Gorlinsky
I have a client that is in the early stages of planning an AT-TLS installation for 
TLS 1. Is there a Redbook that focuses on AT-TLS?

Thanks



Re: AT-TLS policy for NJE

2024-02-17 Thread Steve Horein
https://www.ibm.com/docs/en/zos/2.5.0?topic=considerations-ssl-tls



AT-TLS policy for NJE

2024-02-17 Thread Lennie Dymoke-Bradshaw
I am looking for a set of AT-TLS policy statements for NJE, but have been
unable to find them in the JES2 documentation.

Am I looking in the wrong place? Can anyone point me to where these might
be?

Thanks

Lennie




Re: AT-TLS and CSSMTP setup

2023-08-01 Thread Phil Smith III
Brian Westerman asked:
>so you can use authsmtp.com to send directly from CSSMTP?

It's just an SMTP server, so if you can get there from your network, sure.

>When you send the email, does it come from where you say it should or
>do you have to use a special email that they give you?

You tell it the valid sending domains. You need to set your SPF record 
correctly, of course.

>That would be great. I assume they have an smtp server that you set up
>in the targetname field. Do you know if they use port 25, 26 or 587?

2525. Avoids all those blocked-port hassles! See 
https://www.authsmtp.com/features.php for details.

>I think if it works, it would be a great solution.
>I tried sending them a question, but there contact form fails.

Ouch. I've emailed them, CCed you.




Re: AT-TLS and CSSMTP setup

2023-07-31 Thread Brian Westerman
So you can use authsmtp.com to send directly from CSSMTP?

When you send the email, does it come from where you say it should or do you 
have to use a special email that they give you?

That would be great.  I assume they have an SMTP server that you set up in the 
targetname field.  Do you know if they use port 25, 26 or 587?

I think if it works, it would be a great solution.

I tried sending them a question, but their contact form fails.



Re: AT-TLS and CSSMTP setup

2023-07-31 Thread Phil Smith III
Brian Westerman asked:
>I think there are 3rd party sites that offer the use of SMTP for forwarding 
>that I might want to give a try. 

I've used authsmtp.com for ~20 years. Good folks and it Just Works. When I've 
had weird issues, they do the analysis and get right back to me, even though 
it's never been their fault.

Another good ISP is EasyDNS out of Toronto. I switched to them for domain 
hosting when SPF started to matter and my previous provider didn't support SRS 
rewrites, causing replies to me to fail. Also good folks, same comment about 
jumping in on problems and proving cheerfully and clearly that it's not them.

HTH




Re: AT-TLS and CSSMTP setup

2023-07-31 Thread Seymour J Metz
fastmail?




Re: AT-TLS and CSSMTP setup

2023-07-31 Thread Brian Westerman
Hi,

Peter's directions for setting up the trace were very simple and easy to follow. 
It was discovered that I was missing a CA cert that was not called out by the 
host site (which he sent me).  Now I'm at a stopping place because the 
webhost site is requiring authentication on each email (as if it's a client), 
instead of using the "POP before SMTP" setting which merely requires that the 
email address have authenticated within 60 minutes of the attempt to send via 
SMTP.  That setting was the default previously and when they upgraded the smtp 
server on their end it was changed to not use that option.

They are currently "thinking" on the request to turn it back on.  In the 
meantime, I think there are 3rd party sites that offer the use of SMTP for 
forwarding that I might want to give a try.  Does anyone on this list use one 
that they can recommend?

Brian



Re: AT-TLS and CSSMTP setup

2023-07-31 Thread Allan Staller

Have you updated the TCP/IP policy agent accordingly?

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Brian Westerman
Sent: Saturday, July 29, 2023 9:12 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS and CSSMTP setup

I get
BPXF024I (TCPIP) Jul 30 01:12:45 TTLS[16777256]: 18:12:45 TCPIP  639 EZD1286I 
TTLS Error GRPID: 0007 ENVID: 0009 CONNID: 009B
LOCAL: 192.168.1.66..1122 REMOTE: 99.198.97.250..587 JOBNAME: CSSMTP
USERID: CSSMTP RULE: CSSMTP  RC:8 Initial Handshake 00
00 005187621CF0 



Re: AT-TLS and CSSMTP setup

2023-07-30 Thread Phil Smith III
Since I know almost nothing about AT-TLS config, this might be dumb, but: 
Don't forget to try the *AUTH*/* key ring. That's a "virtual key ring" that 
represents all the trusted certs, and is a great shortcut for saying "Do I have 
the right cert in there somewhere but the key ring setup isn't right yet?"

After getting badly burned by a customer problem that went on way too long, 
I'm also always chary of AT-TLS being turned on without necessarily 
understanding both ends well enough. To wit: our customer was using AT-TLS for 
various stuff, and turned it on for the connection from our product (outbound 
from z/OS) to our server. However, our product and server were both already 
using TLS. So we then had:

1.  Product asks gsk to start a connection
2.  gsk requests a handshake
3.  AT-TLS jumps in, wraps that connection, and starts its own handshake
4.  Our server gets that handshake, says "OK, sure" and they do the dance
5.  Once that's established, the handshake request from z/OS arrives, 
wrapped, at our server
6.  It unwraps it and then says "What the heck is THAT?!!" because it sure 
doesn't look like what it was expecting from an established connection and we 
get an incomprehensible error


Your problem probably isn't, but could be, sort of the inverse: because AT-TLS 
is adding the handshake and the server isn't expecting it, it's also saying 
"What the heck is THAT?!"




Re: AT-TLS and CSSMTP setup

2023-07-30 Thread Colin Paice
Getting a GSK trace is non trivial.  See here

for instructions

On Sun, 30 Jul 2023 at 05:36, Peter Vels  wrote:

> That is OK.  But I need to see the output from the GSKSRVR trace to get to
> the bottom of the issue.  I suspect that you are missing a CA somewhere,
> and the trace will tell us WHICH certificate that is.
>
> On Sun, 30 Jul 2023 at 14:23, Brian Westerman <
> brian_wester...@syzygyinc.com>
> wrote:
>
> > This is what I get from your command:
> >
> > racdcert id(CSSMTP) listr(CSSMTPRing)
> > Digital ring information for user CSSMTP:
> >
> >Ring:
> > >CSSMTPRing<
> >Certificate Label Name Cert Owner USAGE  DEFAULT
> >         ---
> >CSSMTPCA   CERTAUTH   CERTAUTH NO
> >CSSMTPServer   ID(CSSMTP) PERSONAL YES


Re: AT-TLS and CSSMTP setup

2023-07-29 Thread Peter Vels
That is OK.  But I need to see the output from the GSKSRVR trace to get to
the bottom of the issue.  I suspect that you are missing a CA somewhere,
and the trace will tell us WHICH certificate that is.

On Sun, 30 Jul 2023 at 14:23, Brian Westerman 
wrote:

> This is what I get from your command:
>
> racdcert id(CSSMTP) listr(CSSMTPRing)
> Digital ring information for user CSSMTP:
>
>Ring:
> >CSSMTPRing<
>Certificate Label Name Cert Owner USAGE  DEFAULT
>         ---
>CSSMTPCA   CERTAUTH   CERTAUTH NO
>CSSMTPServer   ID(CSSMTP) PERSONAL YES


Re: AT-TLS and CSSMTP setup

2023-07-29 Thread Brian Westerman
This is what I get from your command: 

racdcert id(CSSMTP) listr(CSSMTPRing)
Digital ring information for user CSSMTP:  

   Ring:
>CSSMTPRing< 
   Certificate Label Name Cert Owner USAGE  DEFAULT  
            ---  
   CSSMTPCA   CERTAUTH   CERTAUTH NO 
   CSSMTPServer   ID(CSSMTP) PERSONAL YES


Re: AT-TLS and CSSMTP setup

2023-07-29 Thread Peter Vels
"ADD" adds a certificate (contained in a data set) to RACF, but *not* to a
keyring.  For that you need "CONNECT".

RC 8 means: An error is detected while validating a certificate, so a CA is
missing from the keyring (even though you might've ADDed it to RACF).

IBM says (edited for brevity):

1. Verify that the root CA certificate is in the SAF key ring and is marked
as trusted.

Does...

racdcert id(CSSMTP) listr(CSSMTPRing)

...now show that the CSSMTPRing has the mail server's certificate added as
a CERTAUTH?  If not then:

RACDCERT CONNECT(CERTAUTH +
   LABEL('Email server CA') +
   RING(CSSMTPRing) +
   USAGE(CERTAUTH) +
   ) +
   ID(CSSMTP)


2. Check all certificates in the certification chain and verify that they
are trusted and are not expired:

RACDCERT ID(CSSMTP) LISTCHAIN

3. Issue the SETROPTS RACLIST (DIGTCERT, DIGTRING) REFRESH command to
refresh the profiles to ensure that the latest changes are available.

On Sun, 30 Jul 2023 at 12:12, Brian Westerman 
wrote:

> I get
> BPXF024I (TCPIP) Jul 30 01:12:45 TTLS[16777256]: 18:12:45 TCPIP  639
> EZD1286I TTLS Error GRPID: 0007 ENVID: 0009 CONNID: 009B
> LOCAL: 192.168.1.66..1122 REMOTE: 99.198.97.250..587 JOBNAME: CSSMTP
> USERID: CSSMTP RULE: CSSMTP  RC:8 Initial Handshake 00
> 00 005187621CF0 
>


Re: AT-TLS and CSSMTP setup

2023-07-29 Thread Brian Westerman
I get 
BPXF024I (TCPIP) Jul 30 01:12:45 TTLS[16777256]: 18:12:45 TCPIP  639   
EZD1286I TTLS Error GRPID: 0007 ENVID: 0009 CONNID: 009B   
LOCAL: 192.168.1.66..1122 REMOTE: 99.198.97.250..587 JOBNAME: CSSMTP   
USERID: CSSMTP RULE: CSSMTP  RC:8 Initial Handshake 00 
00 005187621CF0 



Re: AT-TLS and CSSMTP setup

2023-07-29 Thread Phil Smith III
Gil asked about Hansen's Law. Different Hansen; this is a guy we worked with. 

We also had Weald's Corollary:
Even when it isn't a certificate issue, it's a certificate issue.




Re: AT-TLS and CSSMTP setup

2023-07-29 Thread Colin Paice
Please paste the messages you get.
You can configure an AT-TLS trace; I tend to use TRACE(2).
This can be configured in TTLSGroupAction, TTLSEnvironmentAction and
TTLSConnectionAction.


If syslogd is not running I get messages on the system log
EZD1286I TTLS Error GRPID: 0007 ENVID: 0002 CONNID: 0036
LOCAL: 10.1.1.2..1032 REMOTE: 10.1.0.2..25 JOBNAME: CSSMTP USERID:
START1 RULE: CSSMTPRule  RC:  417 Initial Handshake 
005011421D10 

If syslogd is running I get messages in (for me) /var/log

My (badly configured) syslog puts messages in
TCPIPinfo.2023.07.29
TCPIPerr.2023.07.29
TCPIPdebug.2023.07.29
TCPIP.2023.07.29

Please feel free to contact me offline

Colin

On Sat, 29 Jul 2023 at 02:56, Brian Westerman 
wrote:

> Hi,
>
> Has anyone got working directions for setting up AT-TLS with the CSSMTP
> server.  I found the IBM manual Steps for using Transport Layer Security
> for CSSMTP, and went through all of the steps, but I still get stuck when I
> change secure=Yes in CSSMTP on a RC=8 (initial handshake) error with the
> external smtp server.
>
> I get the messages to the point where the STARTTLS command happens, but
> then the RC=8 failure on initial handshake.
>
> Any detailed pointers on what could be missing.
>
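
As an added example (not code from the thread, from IBM, or from any poster), the following Python re-joins the console-wrapped EZD1286I messages quoted above into their fields, so that failures can be counted per rule and return code from a syslogd file rather than read by eye. The sample text is constructed from the two messages Brian and Colin posted; the only return-code meaning it carries is RC 8 as Peter Vels describes it elsewhere in the thread, and the field layout it assumes is exactly the one visible in those two messages.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the two EZD1286I messages quoted in this thread, laid out
# the way the console wraps them across several lines.
SAMPLE_LOG = """\
BPXF024I (TCPIP) Jul 30 01:12:45 TTLS[16777256]: 18:12:45 TCPIP  639 EZD1286I
TTLS Error GRPID: 0007 ENVID: 0009 CONNID: 009B
LOCAL: 192.168.1.66..1122 REMOTE: 99.198.97.250..587 JOBNAME: CSSMTP
USERID: CSSMTP RULE: CSSMTP  RC:8 Initial Handshake 00
00 005187621CF0
EZD1286I TTLS Error GRPID: 0007 ENVID: 0002 CONNID: 0036
LOCAL: 10.1.1.2..1032 REMOTE: 10.1.0.2..25 JOBNAME: CSSMTP USERID:
START1 RULE: CSSMTPRule  RC:  417 Initial Handshake
005011421D10
"""

# Return-code meaning as given in the thread (Peter Vels). Any other RC has to
# be looked up in IBM's System SSL / AT-TLS return code documentation.
RC_MEANING: Dict[int, str] = {
    8: "certificate validation error: a CA certificate is missing from the key ring",
}

@dataclass(frozen=True)
class TtlsError:
    grpid: str
    envid: str
    connid: str
    local: str
    remote: str
    jobname: str
    userid: str
    rule: str
    rc: int
    phase: str
    detail: str      # trailing hex words the message carries after the phase

# Field order as it appears in EZD1286I; RC may or may not be followed by a space.
_FIELDS_RE = re.compile(
    r"GRPID:\s*(?P<grpid>\S+)\s+ENVID:\s*(?P<envid>\S+)\s+CONNID:\s*(?P<connid>\S+)\s+"
    r"LOCAL:\s*(?P<local>\S+)\s+REMOTE:\s*(?P<remote>\S+)\s+JOBNAME:\s*(?P<jobname>\S+)\s+"
    r"USERID:\s*(?P<userid>\S+)\s+RULE:\s*(?P<rule>\S+)\s+RC:\s*(?P<rc>\d+)\s+"
    r"(?P<phase>[A-Za-z][A-Za-z ]*?)(?:\s+(?P<detail>[0-9A-Fa-f ]+))?\s*$"
)

def parse_ttls_errors(text: str) -> List[TtlsError]:
    """Re-join wrapped lines and extract every EZD1286I message in the text."""
    flat = " ".join(line.strip() for line in text.splitlines() if line.strip())
    errors: List[TtlsError] = []
    for chunk in re.split(r"(?=EZD1286I)", flat):
        if not chunk.startswith("EZD1286I"):
            continue                                 # BPXF024I prefix before the first message
        chunk = chunk.split("BPXF024I", 1)[0]        # drop the console header of the next one
        m = _FIELDS_RE.search(chunk)
        if m is None:
            raise ValueError("unrecognised EZD1286I layout: " + chunk[:60])
        f = m.groupdict()
        errors.append(TtlsError(
            f["grpid"], f["envid"], f["connid"], f["local"], f["remote"],
            f["jobname"], f["userid"], f["rule"], int(f["rc"]),
            f["phase"].strip(), (f["detail"] or "").strip()))
    return errors

def explain_rc(rc: int) -> str:
    return RC_MEANING.get(rc, f"RC {rc}: not described in this thread; see IBM's return code list")

def summarize(errors: List[TtlsError]) -> Dict[Tuple[str, int], int]:
    """Failures per (rule, rc): a burst on one pair is what an operator wants alerted on."""
    return dict(Counter((e.rule, e.rc) for e in errors))

if __name__ == "__main__":
    for (rule, rc), n in summarize(parse_ttls_errors(SAMPLE_LOG)).items():
        print(f"{rule}: {n} x RC {rc} ({explain_rc(rc)})")
```

Feed it the syslogd file Colin mentions (or the console log with the BPXF024I prefixes); the split on `EZD1286I` is what makes the line wrapping irrelevant.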


Re: AT-TLS and CSSMTP setup

2023-07-28 Thread Paul Gilmartin
On Sat, 29 Jul 2023 00:48:00 -0400, Phil Smith III wrote:

>No errors anywhere? Just RC=8?
>
>"It's a certificate error" -Hansen's Law
>
Or the firewall.

??? 

-- 
gil



Re: AT-TLS and CSSMTP setup

2023-07-28 Thread kekronbekron
Hi Brian,

You may find useful bits of info here - 
https://colinpaice.blog/2023/02/21/sending-an-email-from-z-os/
Either in this post or generally in this blog.

- KB

--- Original Message ---
On Saturday, July 29th, 2023 at 10:18 AM, Phil Smith III  
wrote:


> No errors anywhere? Just RC=8?
> 
> 
> 
> "It's a certificate error" -Hansen's Law
> 
> 
> 
> https://bit.listserv.ibm-main.narkive.com/4Iu5ZeUA/setting-up-gmail-as-outbound-mail-server-on-z-os
>  might be a hint, especially the
> bit about enabling gsktrace, which is your friend.
> 
> 


Re: AT-TLS and CSSMTP setup

2023-07-28 Thread Phil Smith III
No errors anywhere? Just RC=8?

 

"It's a certificate error" -Hansen's Law

 

https://bit.listserv.ibm-main.narkive.com/4Iu5ZeUA/setting-up-gmail-as-outbound-mail-server-on-z-os
 might be a hint, especially the
bit about enabling gsktrace, which is your friend. 




AT-TLS and CSSMTP setup

2023-07-28 Thread Brian Westerman
Hi,

Has anyone got working directions for setting up AT-TLS with the CSSMTP server? 
I found the IBM manual "Steps for using Transport Layer Security for CSSMTP", 
and went through all of the steps, but I still get stuck when I change 
secure=Yes in CSSMTP on an RC=8 (initial handshake) error with the external smtp 
server.

I get the messages to the point where the STARTTLS command happens, but then 
the RC=8 failure on initial handshake.

Any detailed pointers on what could be missing?



Re: Exact AT-TLS parms for SMP/E Download

2023-03-21 Thread Seymour J Metz
That sounds like they are greylisting your provider.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
Charles Mills [charl...@mcn.org]
Sent: Tuesday, March 21, 2023 3:47 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Exact AT-TLS parms for SMP/E Download

> Genuinely curious, why aren't you using HTTPS?

To be honest, I am not actually downloading PTFs. I am trying to figure out how 
to demo some concepts for a class.

> here's the general doc about configuring the FTP client to use AT-TLS

I'm on top of that. I have successfully configured AT-TLS and FTP in another 
situation. I'm on top of the FTP.DATA statements (which, FWIW, IBM documents 
perfectly relative to SMP/E).

(And apologies for kinda-quoting in this and other posts. For some reason 
IBM-MAIN has started rejecting mail from my ISP (not a blacklist thing in my 
reading; the HELO just times out about 80-90% of the time). So I am posting 
from the LISTSERV Web interface. Is there any way to quote there, other than 
cut-and-paste?)

Charles



Re: Exact AT-TLS parms for SMP/E Download

2023-03-21 Thread Charles Mills
>They need to use iconography to accommodate non-anglophones.  And I just 
>noticed it

For that extensive population that knows the words Reply, Advanced, Plain, 
Preferences, Search, Save Draft and Send Message ... but not Quote.

 

CM



Re: Exact AT-TLS parms for SMP/E Download

2023-03-21 Thread Paul Gilmartin
On Tue, 21 Mar 2023 15:12:44 -0500, Charles Mills wrote:

>>At the top left of the text entry box there's a button with a graphic label, 
>>““”.  Is that what you need?
>
>Once you know it's there it's pretty darned obvious, isn't it? 
>
They need to use iconography to accommodate non-anglophones.  And I just 
noticed it
smartass-quoted my USASCII quotes.  Grrr!

-- 
gil



Re: Exact AT-TLS parms for SMP/E Download

2023-03-21 Thread Charles Mills
>At the top left of the text entry box there's a button with a graphic label, 
>““”.  Is that what you need?

Once you know it's there it's pretty darned obvious, isn't it? 

CM



Re: Exact AT-TLS parms for SMP/E Download

2023-03-21 Thread Paul Gilmartin
On Tue, 21 Mar 2023 14:47:45 -0500, Charles Mills wrote:

>> Genuinely curious, why aren't you using HTTPS?  
>
>To be honest, I am not actually downloading PTFs. I am trying to figure out 
>how to demo some concepts for a class.

>... So I am posting from the LISTSERV Web interface. Is there any way to 
> quote there, other than cut-and-paste?)
>
At the top left of the text entry box there's a button with a graphic label, 
““”.  Is that what you need?

Does anyone know how to get a monospaced font on that Web interface for 
composing code samples?

But the nice thing is that Web interface doesn't hard-wrap URLs.

-- 
gil



Re: Exact AT-TLS parms for SMP/E Download

2023-03-21 Thread Charles Mills
> Genuinely curious, why aren't you using HTTPS?  

To be honest, I am not actually downloading PTFs. I am trying to figure out how 
to demo some concepts for a class.

> here's the general doc about configuring the FTP client to use AT-TLS 

I'm on top of that. I have successfully configured AT-TLS and FTP in another 
situation. I'm on top of the FTP.DATA statements (which, FWIW, IBM documents 
perfectly relative to SMP/E).

(And apologies for kinda-quoting in this and other posts. For some reason 
IBM-MAIN has started rejecting mail from my ISP (not a blacklist thing in my 
reading; the HELO just times out about 80-90% of the time). So I am posting 
from the LISTSERV Web interface. Is there any way to quote there, other than 
cut-and-paste?)

Charles



Re: [EXTERNAL] Re: Exact AT-TLS parms for SMP/E Download

2023-03-21 Thread Pommier, Rex
Charles, I can only speak for the couple sites I've worked at but when IBM gave 
us the choice of HTTPS or secure FTP, we jumped to HTTPS and never looked back. 
 I'm guessing most other sites did similar.

Rex

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Charles Mills
Sent: Tuesday, March 21, 2023 1:34 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: Exact AT-TLS parms for SMP/E Download

Really? IBM requires this but it's not documented anywhere?

It's not like AT-TLS is trivial and every sysprog ought to know how to 
configure it without a manual.

And no one on this list is doing this? You're all using HTTPS?

Charles



Re: Exact AT-TLS parms for SMP/E Download

2023-03-21 Thread Kurt J. Quackenbush
> Really? IBM requires this but it's not documented anywhere?

Not specific for the IBM software download servers, but here's the general doc 
about configuring the FTP client to use AT-TLS (but I admit it looks a little 
thin):
https://www.ibm.com/docs/en/zos/2.4.0?topic=security-steps-migrating-ftp-server-client-use-tls

And about the TLSMECHANISM statement in FTP.DATA:
https://www.ibm.com/docs/en/zos/2.4.0?topic=protocol-tlsmechanism-ftp-client-server-statement

> And no one on this list is doing this? You're all using HTTPS?

Genuinely curious, why aren't you using HTTPS?  I'm certainly no network 
expert, but I've been told it requires much less firewall futzing.

Kurt Quackenbush
IBM  |  z/OS SMP/E and z/OSMF Software Management  |  ku...@us.ibm.com

Chuck Norris never uses CHECK when he applies PTFs.




Re: Exact AT-TLS parms for SMP/E Download

2023-03-21 Thread Charles Mills
Really? IBM requires this but it's not documented anywhere?

It's not like AT-TLS is trivial and every sysprog ought to know how to 
configure it without a manual.

And no one on this list is doing this? You're all using HTTPS?

Charles



Re: Exact AT-TLS parms for SMP/E Download

2023-03-21 Thread Paul Gilmartin
On Tue, 21 Mar 2023 10:15:13 -0500, Charles Mills wrote:

>I understand that SMP/E electronic delivery now requires FTP secured via 
>AT-TLS.
>
Have they discontinued support for HTTPS?  Isn't that easier?
<https://www.ibm.com/docs/en/zos/2.5.0?topic=guide-preparing-secure-internet-delivery>

>Does anyone have an exact example of the required AT-TLS parms -- or a pointer 
>to where IBM documents the exact requirements?
>
Why is this so hard on the z?  Better security than on my desktop where It Just 
Works?
<https://www.youtube.com/watch?v=_ve4M4UsJQo>

-- 
gil



Exact AT-TLS parms for SMP/E Download

2023-03-21 Thread Charles Mills
I understand that SMP/E electronic delivery now requires FTP secured via AT-TLS.

Does anyone have an exact example of the required AT-TLS parms -- or a pointer 
to where IBM documents the exact requirements?

Not a statement that AT-TLS is required. I get that. Not general AT-TLS 
configuration documentation. I have that. But specifically what the IBM 
electronic delivery FTP site requires from AT-TLS?

Thanks,
Charles



AT-TLS change prevents shopz download

2022-12-12 Thread Bill Giannelli
We had AT-TLS modified to use a secured port for DB2 connection.
But now my SMP/E receive via HTTPS is failing with the following:
EDC8121I Connection reset. (connect failed)

What needs to be changed in order to allow HTTPS download from IBM?
thanks
Bill



Re: CICS client transaction and AT-TLS

2022-10-31 Thread Shelia Chalk
This is what I have for our CICS AT-TLS policy. I have one inbound.

TTLSRule _Listener_MAL1
{
  LocalPortRange            # CICS listener port
  Direction                 Inbound       # Direction
  Priority                  1             # Base Priority
  TTLSGroupActionRef        grp_StartUp
  TTLSEnvironmentActionRef  _Listener_Env
}

#
TTLSEnvironmentAction _Listener_Env
{
  HandshakeRole  Server
  TTLSKeyringParms
  {
    Keyring  xxx_TEST_KEYRING
  }
  TTLSCipherParmsRef Test_In_Cipher_list
  TTLSEnvironmentAdvancedParms
  {
#   ApplicationControlled  On   # <<<<
    SSLv2             Off
    SSLv3             Off
    TLSv1             Off
    TLSv1.1           On        # <<<<
    TLSv1.2           On        # <<<<
    HandshakeTimeout  5
  }
}


Hope this helps
Shelia Chalk

Re: CICS client transaction and AT-TLS

2022-10-31 Thread ITschak Mugzach
When we start a transaction on port 9443 PAGENT (z/OS 2.2) immediately
returns the following message:


15.57.58 STC02568  BPXF024I (TCPIP) Oct 18 13:57:58 TTLS[50397229]: 15:57:58 TC
846 EZD1283I TTLS Event GRPID: 0001 ENVID: 0001 CONNID:
846 RC: 5006 Initial Handshake  
846  Ö

Wireshark shows that a packet arrived at the target, but without response
from the server. There is no inbound rule, only outbound. Should we have
an inbound one? I also suspect that the problem is with the TLS level.

There is only one rule in PAGENT for port 9443:
###
#   x TCPIP Pagent Configuration File #
# #
# #
# Prepared by Itschak Mugzach, Securiteam Software Ltd, Israel#
# #
###
#
TTLSGroupAction grp_Production
{
   TTLSEnabled On # Enable HTTPS
   Trace 30   # Log Errors to syslogd
   }
#
# -- #


#   Enable AT-TLS for CICS Transaction on port 9443  #
#--- #


#
TTLSRule x_Api_Caller
{
  RemotePortRange   9443   # Server secure port
  Direction Outbound
  TTLSGroupActionRefgrp_Production
  TTLSEnvironmentActionRef  x_Api_Caller_Env
  }
#
# -- #


#  Set the keyring   #
#--- #


#
TTLSEnvironmentAction x_Api_Caller_Env
{
  HandshakeRole Client
  TTLSEnvironmentAdvancedParmsRef Secure_API_Caller_Env
  TTLSKeyRingParms
  {
Keyring CICSR.CICSRKEYRING
}
  TTLSCipherParmsRefRequireEncryption
  }
#
# -- #


#Set of TLS Ciphers with Encryption  #
#--- #
#
TTLSCipherParms RequireEncryption
{
   V3CipherSuites4Char   003500380039002F00320033003D003CC02FC030CCA8
   }
# -- #


# Set TLS supported levels   #
#--- #
TTLSEnvironmentAdvancedParms Secure_API_Caller_Env
{
   SSLv2   Off
   SSLv3   Off
   TLSv1   Off
   TLSV1.1 Off
   TLSV1.2 On
   TLSV1.3 Off
   ClientHandshakeSNI  Optional
   ClientHandshakeSNIMatch Optional
#  ClientHandshakeSNIList  x ?
   }




ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Continuous Monitoring
for z/OS, x/Linux & IBM I **| z/VM coming soon  *




On Fri, Oct 14, 2022 at 9:53 AM ITschak Mugzach  wrote:

> We have a CICS transaction that opens a socket (EZASOCKET) on port 9443 to
> an external server.
> We copied the default PAGENT configuration for AT-TLS and modified it as
> below. However, TCPIP (that starts that PAGENT task claims "EZZ4249I
> TCPIP INSTALLED TTLS POLICY HAS NO RULES"
>
> We wanted 943 to be encrypted by the CICSR userid certificate placed on
> ring CICSRKEYRING.
>
> What is wrong with the below definitions (*and the others copied from the
> sample directory)?
>
>
> TTLSRule Our_Outbound_Application
> {
>  Userid   CICSR
>  RemotePortRange  9443
>  DirectionOutbound
>  TTLSGroupActionRef   grp_Production
>   TTLSKeyRingParms
>   {
> Keyring   CICSRKEYRING
>   }
>  TTLSConnectionActionRef  grp_Production
> #TTLSEnvironmentActionRef Generic_Client_App
> }
>
>
> ITschak Mugzach
> *|** IronSphere Platform* *|* *Information Security Continuous Monitoring
> for z/OS, x/Linux & IBM I **| z/VM coming soon  *
>
>
>

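
As an added example, not the thread's, IBM's or any poster's code, here is a Python checker for PAGENT AT-TLS policy text of the kind posted above. It parses the brace-delimited blocks, verifies that every `*Ref` statement names a block of the matching type (the first attempt's `TTLSConnectionActionRef grp_Production` points at a group action), flags a `TTLSRule` that lacks `TTLSGroupActionRef` or `TTLSEnvironmentActionRef`, flags legacy protocol versions switched `On` (which would catch the `TLSv1.1 On` in Shelia's inbound policy), and decodes `V3CipherSuites4Char` into IANA suite names, reporting the suites with static RSA key exchange and therefore no forward secrecy. The sample policy is constructed from the statements in this thread. Assumptions: the parser covers only the keyword/brace subset seen here, not the full PAGENT grammar; treating a rule without both action references as one that will not install is this checker's reading of the EZZ4249I outcome, not something the thread confirms; the suite-id table is from the IANA TLS registry.

```python
import re
from typing import List
# Constructed sample, assembled from the statements quoted in this thread: the
# second (well-formed) outbound CICS rule with its actions, followed by the
# first attempt, whose TTLSEnvironmentActionRef was commented out.
SAMPLE_POLICY = """\
TTLSGroupAction grp_Production {
   TTLSEnabled On
}
TTLSRule x_Api_Caller {
  Direction                 Outbound
  TTLSGroupActionRef        grp_Production
  TTLSEnvironmentActionRef  x_Api_Caller_Env
}
TTLSEnvironmentAction x_Api_Caller_Env {
  HandshakeRole Client
  TTLSEnvironmentAdvancedParmsRef Secure_API_Caller_Env
  TTLSKeyRingParms { Keyring CICSR.CICSRKEYRING }
  TTLSCipherParmsRef RequireEncryption
}
TTLSCipherParms RequireEncryption {
   V3CipherSuites4Char 003500380039002F00320033003D003CC02FC030CCA8
}
TTLSEnvironmentAdvancedParms Secure_API_Caller_Env {
   TLSv1   Off
   TLSV1.1 Off
   TLSV1.2 On
}
TTLSRule Our_Outbound_Application {
  TTLSGroupActionRef       grp_Production
  TTLSConnectionActionRef  grp_Production     # names a group action, not a connection action
# TTLSEnvironmentActionRef Generic_Client_App
}
"""

LEGACY = ("sslv2", "sslv3", "tlsv1", "tlsv1.1")    # protocol keys that should stay Off
# IANA names for the 4-char suite ids used in the thread's V3CipherSuites4Char.
SUITES = {
    "0035": "TLS_RSA_WITH_AES_256_CBC_SHA", "0038": "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "0039": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "002F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "0032": "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "0033": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "003D": "TLS_RSA_WITH_AES_256_CBC_SHA256", "003C": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "C02F": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "C030": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "CCA8": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

def _parse_body(tokens: List[str], i: int, block: dict) -> int:
    # Fill `block` from tokens[i:] up to its closing brace; return the next index.
    while i < len(tokens) and tokens[i] != "}":
        if tokens[i + 1:i + 2] == ["{"]:                  # TTLSKeyRingParms { ... }
            child = {"type": tokens[i], "name": None, "params": {}, "blocks": []}
            i = _parse_body(tokens, i + 2, child)
        elif tokens[i + 2:i + 3] == ["{"]:                # TTLSRule name { ... }
            child = {"type": tokens[i], "name": tokens[i + 1], "params": {}, "blocks": []}
            i = _parse_body(tokens, i + 3, child)
        elif i + 1 < len(tokens):                         # Key Value (keys case-insensitive)
            block["params"][tokens[i].lower()] = tokens[i + 1]
            i += 2
            continue
        else:
            raise ValueError(f"dangling token {tokens[i]!r}")
        block["blocks"].append(child)
    return i + 1

def parse_policy(text: str) -> List[dict]:
    # Tokenise a PAGENT policy (# comments stripped) into its top-level blocks.
    tokens: List[str] = []
    for line in text.splitlines():
        tokens += re.findall(r"\{|\}|[^\s{}]+", line.split("#", 1)[0])
    root = {"type": "ROOT", "name": None, "params": {}, "blocks": []}
    _parse_body(tokens, 0, root)
    return root["blocks"]

def lint_policy(text: str) -> List[str]:
    # Return human-readable findings; an empty list means nothing was flagged.
    blocks = parse_policy(text)
    defined = {(b["type"].lower(), b["name"]) for b in blocks}
    findings: List[str] = []
    def check(block: dict, owner: str) -> None:
        for key, val in block["params"].items():
            if key.endswith("ref"):                       # every *Ref names a <type-without-Ref> block
                if (key[:-3], val) not in defined:
                    findings.append(f"{owner}: {key} '{val}' does not name a {key[:-3]} block")
            elif key in LEGACY and val.lower() == "on":
                findings.append(f"{owner}: legacy protocol {key} is enabled")
            elif key == "v3ciphersuites4char":
                for code in (val[k:k + 4].upper() for k in range(0, len(val), 4)):
                    name = SUITES.get(code)
                    if name is None:
                        findings.append(f"{owner}: unknown cipher suite id {code}")
                    elif "DHE" not in name:               # static RSA key exchange
                        findings.append(f"{owner}: {name} ({code}) has no forward secrecy")
        for child in block["blocks"]:
            check(child, owner)
    for b in blocks:
        owner = f"{b['type']} {b['name']}"
        if b["type"].lower() == "ttlsrule":
            for needed in ("ttlsgroupactionref", "ttlsenvironmentactionref"):
                if needed not in b["params"]:
                    findings.append(f"{owner}: missing {needed}, so the rule will not install")
        check(b, owner)
    return findings

if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE_POLICY)))
```

Run it on the policy file before `f pagent,update`; it complements, rather than replaces, the `pasearch -t` check Colin describes, which shows what PAGENT actually installed.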


Re: CICS client transaction and AT-TLS

2022-10-14 Thread Colin Paice
My keyring definition is
 KeyringSTART1/TN3270
I do not know what the default userid is.

BTW I wrote SystemSSL (GSK) trace and TCPIP
<https://colinpaice.blog/2022/10/11/gsk-trace-and-tcpip/> which you might
need to track down problems once you have your configuration working.

On Fri, 14 Oct 2022 at 07:54, ITschak Mugzach  wrote:

> We have a CICS transaction that opens a socket (EZASOCKET) on port 9443 to
> an external server.
> We copied the default PAGENT configuration for AT-TLS and modified it as
> below. However, TCPIP (that starts that PAGENT task claims "EZZ4249I TCPIP
> INSTALLED TTLS POLICY HAS NO RULES"
>
> We wanted 943 to be encrypted by the CICSR userid certificate placed on
> ring CICSRKEYRING.
>
> What is wrong with the below definitions (*and the others copied from the
> sample directory)?
>
>
> TTLSRule Our_Outbound_Application
> {
>  Userid   CICSR
>  RemotePortRange  9443
>  DirectionOutbound
>  TTLSGroupActionRef   grp_Production
>   TTLSKeyRingParms
>   {
> Keyring   CICSRKEYRING
>   }
>  TTLSConnectionActionRef  grp_Production
> #TTLSEnvironmentActionRef Generic_Client_App
> }
>
>
> ITschak Mugzach
> *|** IronSphere Platform* *|* *Information Security Continuous Monitoring
> for z/OS, x/Linux & IBM I **| z/VM coming soon  *
>


Re: CICS client transaction and AT-TLS

2022-10-14 Thread Colin Paice
PAGENT does not always report problems with the configuration.
You might try going into USS and issuing
pasearch -t -f  Our_Outbound_Application 1>a
or just
pasearch -t 1>a

oedit a

and search for your rule.

If you have updated the configuration you need to do
f pagent,update

in my proc I have

//PAGENT   EXEC PGM=PAGENT,REGION=0K,TIME=NOLIMIT,
//   PARM='&EN/  -l /var/log/pagent.log-d 32'

Look in the file and search for "WARNING" and "OBJERR" and see if there are
any errors

Colin




and see what definition you are actually using

On Fri, 14 Oct 2022 at 07:54, ITschak Mugzach  wrote:

> We have a CICS transaction that opens a socket (EZASOCKET) on port 9443 to
> an external server.
> We copied the default PAGENT configuration for AT-TLS and modified it as
> below. However, TCPIP (that starts that PAGENT task) claims "EZZ4249I TCPIP
> INSTALLED TTLS POLICY HAS NO RULES".
>
> We wanted 943 to be encrypted by the CICSR userid certificate placed on
> ring CICSRKEYRING.
>
> What is wrong with the below definitions (and the others copied from the
> sample directory)?
>
>
> TTLSRule Our_Outbound_Application
> {
>  Userid   CICSR
>  RemotePortRange  9443
>  Direction            Outbound
>  TTLSGroupActionRef   grp_Production
>   TTLSKeyRingParms
>   {
> Keyring   CICSRKEYRING
>   }
>  TTLSConnectionActionRef  grp_Production
> #TTLSEnvironmentActionRef Generic_Client_App
> }
>
>
> ITschak Mugzach
> | IronSphere Platform | Information Security Continuous Monitoring
> for z/OS, x/Linux & IBM i | z/VM coming soon
>



CICS client transaction and AT-TLS

2022-10-13 Thread ITschak Mugzach
We have a CICS transaction that opens a socket (EZASOCKET) on port 9443 to
an external server.
We copied the default PAGENT configuration for AT-TLS and modified it as
below. However, TCPIP (that starts that PAGENT task) claims "EZZ4249I TCPIP
INSTALLED TTLS POLICY HAS NO RULES".

We wanted 943 to be encrypted by the CICSR userid certificate placed on
ring CICSRKEYRING.

What is wrong with the below definitions (and the others copied from the
sample directory)?


TTLSRule Our_Outbound_Application
{
 Userid   CICSR
 RemotePortRange  9443
 Direction            Outbound
 TTLSGroupActionRef   grp_Production
  TTLSKeyRingParms
  {
Keyring   CICSRKEYRING
  }
 TTLSConnectionActionRef  grp_Production
#TTLSEnvironmentActionRef Generic_Client_App
}


ITschak Mugzach
| IronSphere Platform | Information Security Continuous Monitoring
for z/OS, x/Linux & IBM i | z/VM coming soon

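A structural pre-flight check over the TTLSRule posted above, added here as an example (not code from the thread, and not IBM's pasearch or policy agent); the same checker also covers the FTP server policy quoted in the "AT-TLS & FTP troubles" thread further down, where it flags the TLS_RSA_WITH_NULL_SHA suite and the 22 in LocalPortRange 21-22. The policy rules it enforces are assumptions taken from the documented AT-TLS policy structure, and the TTLSGroupAction grp_Production in the sample is constructed so that the group reference resolves.

```python
"""Pre-flight structural check for an AT-TLS (TTLSConfig) policy file.
Added example, not IBM's code nor code from the thread. The rules it applies are
assumptions taken from the documented policy structure (verify against the IP
Configuration Reference for your release): a TTLSRule needs TTLSGroupActionRef and
TTLSEnvironmentActionRef; TTLSKeyringParms goes inline in a TTLSEnvironmentAction
or at top level; every *Ref must name a top-level statement of the matching type.
Two more checks follow the threads' advice: a NULL cipher suite is a weak setting,
and port 22 (SSH) is served by sshd, so it does not belong in an AT-TLS rule.
"""
import re
from dataclasses import dataclass, field

@dataclass
class Node:
    kind: str                                     # statement keyword, e.g. TTLSRule
    name: str = ""                                # statement name; empty for inline blocks
    attrs: list = field(default_factory=list)     # (key, value) pairs; keys may repeat
    children: list = field(default_factory=list)  # nested statements

def tokenize(text):
    toks = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # '#' starts a comment, as in the posted policy
        toks.extend(re.findall(r"[{}]|[^\s{}]+", line))
    return toks

def parse_block(toks, i):
    """Parse statements up to the matching '}' (or the end); return (attrs, children, next_i)."""
    attrs, children = [], []
    while i < len(toks) and toks[i] != "}":
        key, value = toks[i], ""
        i += 1
        if i < len(toks) and toks[i] not in ("{", "}"):
            value, i = toks[i], i + 1
        if i < len(toks) and toks[i] == "{":
            node = Node(key, value)
            node.attrs, node.children, i = parse_block(toks, i + 1)
            children.append(node)
        else:
            attrs.append((key, value))
    return attrs, children, i + 1  # step over the closing '}'

def covers_port(port_range, port):
    """True if a PortRange value ('21' or '21-22') includes port."""
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def check_policy(text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    _, statements, _ = parse_block(tokenize(text), 0)
    defined = {(s.kind.lower(), s.name) for s in statements}
    findings = []

    def visit(node, parent):
        kind = node.kind.lower()
        where = f"{node.kind} {node.name}".strip()
        if kind == "ttlsrule":
            keys = {k.lower() for k, _ in node.attrs}
            for req in ("TTLSGroupActionRef", "TTLSEnvironmentActionRef"):
                if req.lower() not in keys:
                    findings.append(f"{where}: missing required {req}")
        if kind == "ttlskeyringparms" and parent not in ("", "ttlsenvironmentaction"):
            findings.append(f"{where}: keyring parms are not valid inside a {parent}")
        for key, value in node.attrs:
            k = key.lower()
            if k.endswith("ref") and (k[:-3], value) not in defined:
                findings.append(f"{where}: {key} {value} names no {key[:-3]} statement")
            if k == "v3ciphersuites" and "NULL" in value.upper():
                findings.append(f"{where}: {value} provides no encryption (weak setting)")
            if k == "localportrange" and value and covers_port(value, 22):
                findings.append(f"{where}: LocalPortRange {value} includes 22 (SSH is sshd's job)")
        for child in node.children:
            visit(child, kind)
    for s in statements:
        visit(s, "")
    return findings

# Constructed sample: the outbound CICS rule as posted, plus a minimal
# TTLSGroupAction grp_Production so that the group reference itself resolves.
CICS_POLICY = """
TTLSGroupAction grp_Production
{
  TTLSEnabled On
}
TTLSRule Our_Outbound_Application
{
  Userid                   CICSR
  RemotePortRange          9443
  Direction                Outbound
  TTLSGroupActionRef       grp_Production
  TTLSKeyRingParms
  {
    Keyring CICSRKEYRING
  }
  TTLSConnectionActionRef  grp_Production
# TTLSEnvironmentActionRef Generic_Client_App
}
"""
```

check_policy(CICS_POLICY) reports three findings for the posted rule: no TTLSEnvironmentActionRef, a TTLSConnectionActionRef pointing at a group action, and keyring parms inside the rule.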


Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-26 Thread Seymour J Metz
No, FILE TRANSFER PROTOCOL (FTP) is 
<https://datatracker.ietf.org/doc/html/rfc959> while SSH File Transfer Protocol 
(SFTP) is <https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-02>; 
in principle, either could run under SSH, but they are not compatible with each 
other.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3


From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
Dustin Hayes [dustin.ha...@go2vanguard.com]
Sent: Wednesday, May 25, 2022 11:30 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS & FTP troubles - cannot get very simple setup working

What Michael is trying to tell you is that you're confusing "sFTP" and "FTPs"; 
these are two very different protocols which have nothing to do with each other 
(think Beta vs VHS).

sFTP is "ftp tunneled through the SSH interface" and runs on TCP/22.  Getting 
that functional is a conversation covered in the USS books, check out the SSH 
section.

FTPs is "plain old ftp, wrapped with digital certificates to make it secure" 
(think http vs https) and this is done via PAGENT.  Depending on how it's 
configured (e.g. insecure, implicit, explicit, passive) this can run on the 
following ports: TCP20, TCP21, TCP990 and a range of user-specified ports.  FYI, 
this complexity is why PAGENT has the "ApplicationControlled" parm.

z/OS supports both sFTP and FTPs.  Though, in z/OS, there are feature 
differences between them...
Likewise, WinSCP supports both sFTP and FTPs, as do many other programs on 
Windows.

I would suggest picking one to work with (either sFTP or FTPs) and then ensure 
that z/OS and WinSCP use the one you selected.  If you're unclear on the 
differences you probably want FTPs due to its greater functionality (on z/OS).
Also as Michael indicated, if you are trying to debug issues with FTPs (ATTLS) 
you must turn up trace and read the logs.  There really is no other (practical) 
way to troubleshoot ATTLS issues.


-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Michael Babcock
Sent: Wednesday, 2022 May-25 08:19
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS & FTP troubles - cannot get very simple setup working


I don’t think you can use PAGENT for port 22 (not 100% sure on that).   If
using port 22 configure SSHD.

Did you set the trace parm in PAGENT to 255?   You will get much more info
in SYSLOG by doing that.

On Wed, May 25, 2022 at 10:05 AM Bob  wrote:

> That's one I have changed back and forth 21 ... 22 ... 21 .. 22 ... 21
> &22.  The config I started with had 21 in it, but the WinSCP references 22
> so I have been trying both ... without success.  I changed it back to 21
> now. Still fails.
>
> I just added an ftp configuration parameter of FTPLOGGING TRUE and received
> this message:
>
> EZYFS51I ID=FTPD10 CONN   fails  Reason=3 Text=getpeername failed
>
> Now I'm trying to figure out what that is telling me.
>
> On Wed, May 25, 2022 at 8:46 AM Michael Babcock 
> wrote:
>
> > I can SSH into z/OS USS but I don’t use pagent for port 22.  You should
> > configure SSHD for that.   Remove port 22 from PAGENT.
> >
> > On Wed, May 25, 2022 at 8:46 AM Bob  wrote:
> >
> > > I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system
> > > and I don’t know why. I’m sure I am missing something very simple, but I
> > > have spent a lot of time over the last few weeks trying to figure it out
> > > and I cannot.  Note that ftp without encryption does work and I have
> > > nothing else using PAGENT or AT-TLS.
> > >
> > > I originally started with a configuration created by z/OSMF Network
> > > Configuration Assistant, but after numerous attempts to get it working I
> > > have pared it down to the very minimum configuration below.
> > >
> > > I’m not even sure what info to share.
> > >
> > > When I try to connect using WinSCP I just get this:
> > >
> > > d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2
> > > testmvs
> > > Searching for host...
> > > Network error: Connection to "testmvs" refused.
> > >
> >

Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Kirk Wolf
On Wed, May 25, 2022, at 10:30 AM, Dustin Hayes wrote:
> 
> What Michael is trying to tell you is that you're confusing "sFTP" and "FTPs"; 
> these are two very different protocols which have nothing to do with each 
> other (think Beta vs VHS).
> 
> sFTP is "ftp tunneled through the SSH interface" and runs on TCP/22.  Getting 
> that functional is a conversation covered in the USS books, check out the SSH 
> section.
> 

The first sentence is true, but the second is probably misleading.

"SFTP" / "sFTP"  aka "SSH/SFTP" is not the FTP protocol tunneled through an SSH 
interface.  Not even a little.   The SFTP packet layer that runs over an SSH 
channel is this:

https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-13

SFTP resembles "FTP" only as far as many SFTP clients have a command language 
that is somewhat similar to FTP.  If you look at the SFTP protocol layer, it 
is semantically close to the low level Unix file API.  Here are the SFTP 
protocol packet types (with some interesting twists):

   SSH_FXP_INIT                1
   SSH_FXP_VERSION             2
   SSH_FXP_OPEN                3
   SSH_FXP_CLOSE               4
   SSH_FXP_READ                5
   SSH_FXP_WRITE               6
   SSH_FXP_LSTAT               7
   SSH_FXP_FSTAT               8
   SSH_FXP_SETSTAT             9
   SSH_FXP_FSETSTAT           10
   SSH_FXP_OPENDIR            11
   SSH_FXP_READDIR            12
   SSH_FXP_REMOVE             13
   SSH_FXP_MKDIR              14
   SSH_FXP_RMDIR              15
   SSH_FXP_REALPATH           16
   SSH_FXP_STAT               17
   SSH_FXP_RENAME             18
   SSH_FXP_READLINK           19
   SSH_FXP_LINK               21
   SSH_FXP_BLOCK              22
   SSH_FXP_UNBLOCK            23

   SSH_FXP_STATUS            101
   SSH_FXP_HANDLE            102
   SSH_FXP_DATA              103
   SSH_FXP_NAME              104
   SSH_FXP_ATTRS             105

   SSH_FXP_EXTENDED          200
   SSH_FXP_EXTENDED_REPLY    201


Kirk Wolf
Dovetailed Technologies
http://dovetail.com

PS>  z/OS OpenSSH doesn't use AT-TLS.  It can directly use ICSF calls or 
direct CPACF instructions for ciphers and MACs.  SSH (the SSH2 RFC) doesn't use 
TLS handshaking either.  Maybe that's why the many SSL/TLS bugs haven't 
applied :-)


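The packet layer Kirk describes, as an added example (not code from the post, nor from any SSH implementation): it frames and decodes SFTP packets using the framing in draft-ietf-secsh-filexfer-13 section 4 and walks the INIT/VERSION exchange. The framing and extension-pair encoding are assumed from that draft; the extension name in the sample exchange is a constructed value.

```python
"""Encode and decode the SFTP packet layer (draft-ietf-secsh-filexfer-13, section 4).

Added example, not code from the post or from any SSH implementation. Each packet is
    uint32 length | byte type | byte[length-1] payload
with big-endian integers; 'length' counts the type byte. The type numbers are the
ones listed in the post. Only the INIT/VERSION handshake payloads are decoded here.
"""
import struct

# Packet type numbers as listed in the post (draft-ietf-secsh-filexfer-13).
FXP_TYPES = {
    1: "SSH_FXP_INIT", 2: "SSH_FXP_VERSION", 3: "SSH_FXP_OPEN", 4: "SSH_FXP_CLOSE",
    5: "SSH_FXP_READ", 6: "SSH_FXP_WRITE", 7: "SSH_FXP_LSTAT", 8: "SSH_FXP_FSTAT",
    9: "SSH_FXP_SETSTAT", 10: "SSH_FXP_FSETSTAT", 11: "SSH_FXP_OPENDIR",
    12: "SSH_FXP_READDIR", 13: "SSH_FXP_REMOVE", 14: "SSH_FXP_MKDIR",
    15: "SSH_FXP_RMDIR", 16: "SSH_FXP_REALPATH", 17: "SSH_FXP_STAT",
    18: "SSH_FXP_RENAME", 19: "SSH_FXP_READLINK", 21: "SSH_FXP_LINK",
    22: "SSH_FXP_BLOCK", 23: "SSH_FXP_UNBLOCK", 101: "SSH_FXP_STATUS",
    102: "SSH_FXP_HANDLE", 103: "SSH_FXP_DATA", 104: "SSH_FXP_NAME",
    105: "SSH_FXP_ATTRS", 200: "SSH_FXP_EXTENDED", 201: "SSH_FXP_EXTENDED_REPLY",
}


def ssh_string(b):
    """Encode an SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def encode_packet(ptype, payload=b""):
    """Frame a payload; the length field counts the type byte plus the payload."""
    return struct.pack(">IB", len(payload) + 1, ptype) + payload


def decode_packets(data):
    """Split a byte stream into (type_name, payload) tuples, rejecting short or oversized frames."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated packet header")
        length, ptype = struct.unpack_from(">IB", data, pos)
        if length == 0 or length - 1 > len(data) - pos - 5:
            raise ValueError(f"bad packet length {length}")
        out.append((FXP_TYPES.get(ptype, f"unknown({ptype})"), data[pos + 5:pos + 4 + length]))
        pos += 4 + length
    return out


def init_packet(version):
    """Client side: SSH_FXP_INIT carrying the protocol version the client proposes."""
    return encode_packet(1, struct.pack(">I", version))


def version_packet(version, extensions=()):
    """Server side: SSH_FXP_VERSION with the version to use plus (name, data) extension pairs."""
    payload = struct.pack(">I", version)
    for name, data in extensions:
        payload += ssh_string(name) + ssh_string(data)
    return encode_packet(2, payload)


def parse_version(payload):
    """Decode an SSH_FXP_VERSION payload into (version, [(name, data), ...])."""
    version = struct.unpack_from(">I", payload, 0)[0]
    pos, exts = 4, []
    while pos < len(payload):
        nlen = struct.unpack_from(">I", payload, pos)[0]
        name = payload[pos + 4:pos + 4 + nlen]
        pos += 4 + nlen
        dlen = struct.unpack_from(">I", payload, pos)[0]
        exts.append((name, payload[pos + 4:pos + 4 + dlen]))
        pos += 4 + dlen
    return version, exts


if __name__ == "__main__":
    # Constructed exchange: client INIT (version 3), server VERSION with one extension.
    stream = init_packet(3) + version_packet(3, [(b"posix-rename@openssh.com", b"1")])
    for name, payload in decode_packets(stream):
        print(name, payload.hex())
```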


Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Bob
Lloyd/Dustin,
Thank you. Thank you. Thank you.  You are both right. I totally understand
the difference ... and I was still criss-crossing them.

What I am trying to do is FTPS - native ftp with AT-TLS involved to handle
the SSL/TLS security stuff.  And every one of my tests has been wrong
because I have been trying to do SFTP with WinSCP when what I really wanted
to do is what WinSCP calls ftp with encryption ... a completely different
animal.  And a perfect explanation for why absolutely nothing I was doing
was going to make it work.

Hopefully, now I can make some progress!

Thanks again!
Bob



Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Dustin Hayes
What Michael is trying to tell you is that you're confusing "sFTP" and "FTPs"; 
these are two very different protocols which have nothing to do with each other 
(think Beta vs VHS).

sFTP is "ftp tunneled through the SSH interface" and runs on TCP/22.  Getting 
that functional is a conversation covered in the USS books, check out the SSH 
section.

FTPs is "plain old ftp, wrapped with digital certificates to make it secure" 
(think http vs https) and this is done via PAGENT.  Depending on how it's 
configured (e.g. insecure, implicit, explicit, passive) this can run on the 
following ports: TCP20, TCP21, TCP990 and a range of user-specified ports.  FYI, 
this complexity is why PAGENT has the "ApplicationControlled" parm. 

z/OS supports both sFTP and FTPs.  Though, in z/OS, there are feature 
differences between them... 
Likewise, WinSCP supports both sFTP and FTPs, as do many other programs on 
Windows.

I would suggest picking one to work with (either sFTP or FTPs) and then ensure 
that z/OS and WinSCP use the one you selected.  If you're unclear on the 
differences you probably want FTPs due to its greater functionality (on z/OS).
Also as Michael indicated, if you are trying to debug issues with FTPs (ATTLS) 
you must turn up trace and read the logs.  There really is no other (practical) 
way to troubleshoot ATTLS issues.


-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Michael Babcock
Sent: Wednesday, 2022 May-25 08:19
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS & FTP troubles - cannot get very simple setup working


I don’t think you can use PAGENT for port 22 (not 100% sure on that).   If
using port 22 configure SSHD.

Did you set the trace parm in PAGENT to 255?   You will get much more info
in SYSLOG by doing that.

On Wed, May 25, 2022 at 10:05 AM Bob  wrote:

> That's one I have changed back and forth 21 ... 22 ... 21 .. 22 ... 21
> &22.  The config I started with had 21 in it, but the WinSCP references 22
> so I have been trying both ... without success.  I changed it back to 21
> now. Still fails.
>
> I just added an ftp configuration parameter of FTPLOGGING TRUE and received
> this message:
>
> EZYFS51I ID=FTPD10 CONN   fails  Reason=3 Text=getpeername failed
>
> Now I'm trying to figure out what that is telling me.
>
> On Wed, May 25, 2022 at 8:46 AM Michael Babcock 
> wrote:
>
> > I can SSH into z/OS USS but I don’t use pagent for port 22.  You should
> > configure SSHD for that.   Remove port 22 from PAGENT.
> >
> > On Wed, May 25, 2022 at 8:46 AM Bob  wrote:
> >
> > > I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system
> > > and I don’t know why. I’m sure I am missing something very simple, but I
> > > have spent a lot of time over the last few weeks trying to figure it out
> > > and I cannot.  Note that ftp without encryption does work and I have
> > > nothing else using PAGENT or AT-TLS.
> > >
> > > I originally started with a configuration created by z/OSMF Network
> > > Configuration Assistant, but after numerous attempts to get it working I
> > > have pared it down to the very minimum configuration below.
> > >
> > > I’m not even sure what info to share.
> > >
> > > When I try to connect using WinSCP I just get this:
> > >
> > > d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2
> > > testmvs
> > > Searching for host...
> > > Network error: Connection to "testmvs" refused.
> > > The server rejected SFTP connection, but it listens for FTP connections.
> > > Did you want to use FTP protocol instead of SFTP? Prefer using encryption.
> > > winscp>
> > >
> > > And the WinSCP log doesn’t show much more:
> > >
> > > Looking up host "testmvs" for SSH connection
> > > Connecting to 10.80.63.94 port 22
> > > Failed to connect to 10.80.63.94: Network error: Connection refused
> > >
>

Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Lloyd Fuller
You are misusing things here.  SFTP does not equal FTPS.
SFTP is overlaid on SSH, which is using an encrypted interface itself.  FTPS is 
what the FTP server can support.
WinSCP can do both but not FTPS on port 22.
Lloyd



On Wednesday, May 25, 2022, 11:20 AM, Michael Babcock  
wrote:

I don’t think you can use PAGENT for port 22 (not 100% sure on that).  If
using port 22 configure SSHD.

Did you set the trace parm in PAGENT to 255?  You will get much more info
in SYSLOG by doing that.

On Wed, May 25, 2022 at 10:05 AM Bob  wrote:

> That's one I have changed back and forth 21 ... 22 ... 21 .. 22 ... 21
> &22.  The config I started with had 21 in it, but the WinSCP references 22
> so I have been trying both ... without success.  I changed it back to 21
> now. Still fails.
>
> I just added an ftp configuration parameter of FTPLOGGING TRUE and received
> this message:
>
> EZYFS51I ID=FTPD10 CONN  fails  Reason=3 Text=getpeername failed
>
> Now I'm trying to figure out what that is telling me.
>
> On Wed, May 25, 2022 at 8:46 AM Michael Babcock 
> wrote:
>
> > I can SSH into z/OS USS but I don’t use pagent for port 22.  You should
> > configure SSHD for that.  Remove port 22 from PAGENT.
> >
> > On Wed, May 25, 2022 at 8:46 AM Bob  wrote:
> >
> > > I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system
> > > and I don’t know why. I’m sure I am missing something very simple, but I
> > > have spent a lot of time over the last few weeks trying to figure it out
> > > and I cannot.  Note that ftp without encryption does work and I have
> > > nothing else using PAGENT or AT-TLS.
> > >
> > > I originally started with a configuration created by z/OSMF Network
> > > Configuration Assistant, but after numerous attempts to get it working I
> > > have pared it down to the very minimum configuration below.
> > >
> > > I’m not even sure what info to share.
> > >
> > > When I try to connect using WinSCP I just get this:
> > >
> > > d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2
> > > testmvs
> > > Searching for host...
> > > Network error: Connection to "testmvs" refused.
> > > The server rejected SFTP connection, but it listens for FTP connections.
> > > Did you want to use FTP protocol instead of SFTP? Prefer using encryption.
> > > winscp>
> > >
> > > And the WinSCP log doesn’t show much more:
> > >
> > > Looking up host "testmvs" for SSH connection
> > > Connecting to 10.80.63.94 port 22
> > > Failed to connect to 10.80.63.94: Network error: Connection refused
> > >
> > > And here are the related configuration files.
> > >
> > > Here’s the pagent.conf:
> > >
> > > LogLevel  511
> > > TcpImage  TCPIP FLUSH
> > > TTLSConfig /etc/TTLSConfig.conf FLUSH
> > >
> > > And here is the TTLSConfig.conf:
> > >
> > > TTLSGroupAction      ftp_server_group
> > > {
> > >    TTLSEnabled On
> > >    Trace 30
> > > }
> > > TTLSEnvironmentAction ftp_server_env
> > > {
> > >    HandshakeRole      Server
> > >    TTLSCipherParmsRef ftp_server_ciphers
> > >    TTLSKeyringParms
> > >    {
> > >      Keyring mtskeyring
> > >    }
> > >    TTLSEnvironmentAdvancedParms
> > >    {
> > >      ApplicationControlled On
> > >      SecondaryMap          On
> > >      TLSv1.2              On
> > >      TLSv1.3              On
> > >    }
> > > }
> > > TTLSCipherParms      ftp_server_ciphers
> > > {
> >

Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Michael Babcock
I don’t think you can use PAGENT for port 22 (not 100% sure on that).   If
using port 22 configure SSHD.

Did you set the trace parm in PAGENT to 255?   You will get much more info
in SYSLOG by doing that.

On Wed, May 25, 2022 at 10:05 AM Bob  wrote:

> That's one I have changed back and forth 21 ... 22 ... 21 .. 22 ... 21
> &22.  The config I started with had 21 in it, but the WinSCP references 22
> so I have been trying both ... without success.  I changed it back to 21
> now. Still fails.
>
> I just added an ftp configuration parameter of FTPLOGGING TRUE and received
> this message:
>
> EZYFS51I ID=FTPD10 CONN   fails  Reason=3 Text=getpeername failed
>
> Now I'm trying to figure out what that is telling me.
>
> On Wed, May 25, 2022 at 8:46 AM Michael Babcock 
> wrote:
>
> > I can SSH into z/OS USS but I don’t use pagent for port 22.  You should
> > configure SSHD for that.   Remove port 22 from PAGENT.
> >
> > On Wed, May 25, 2022 at 8:46 AM Bob  wrote:
> >
> > > I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system
> > > and I don’t know why. I’m sure I am missing something very simple, but I
> > > have spent a lot of time over the last few weeks trying to figure it out
> > > and I cannot.  Note that ftp without encryption does work and I have
> > > nothing else using PAGENT or AT-TLS.
> > >
> > > I originally started with a configuration created by z/OSMF Network
> > > Configuration Assistant, but after numerous attempts to get it working I
> > > have pared it down to the very minimum configuration below.
> > >
> > > I’m not even sure what info to share.
> > >
> > > When I try to connect using WinSCP I just get this:
> > >
> > > d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2
> > > testmvs
> > > Searching for host...
> > > Network error: Connection to "testmvs" refused.
> > > The server rejected SFTP connection, but it listens for FTP connections.
> > > Did you want to use FTP protocol instead of SFTP? Prefer using encryption.
> > > winscp>
> > >
> > > And the WinSCP log doesn’t show much more:
> > >
> > > Looking up host "testmvs" for SSH connection
> > > Connecting to 10.80.63.94 port 22
> > > Failed to connect to 10.80.63.94: Network error: Connection refused
> > >
> > > And here are the related configuration files.
> > >
> > > Here’s the pagent.conf:
> > >
> > > LogLevel   511
> > > TcpImage   TCPIP FLUSH
> > > TTLSConfig /etc/TTLSConfig.conf FLUSH
> > >
> > > And here is the TTLSConfig.conf:
> > >
> > > TTLSGroupAction   ftp_server_group
> > > {
> > >    TTLSEnabled On
> > >    Trace 30
> > > }
> > > TTLSEnvironmentAction ftp_server_env
> > > {
> > >    HandshakeRole  Server
> > >    TTLSCipherParmsRef ftp_server_ciphers
> > >    TTLSKeyringParms
> > >    {
> > >       Keyring mtskeyring
> > >    }
> > >    TTLSEnvironmentAdvancedParms
> > >    {
> > >       ApplicationControlled On
> > >       SecondaryMap  On
> > >       TLSv1.2   On
> > >       TLSv1.3   On
> > >    }
> > > }
> > > TTLSCipherParms   ftp_server_ciphers
> > > {
> > >    V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
> > >    V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
> > >    V3CipherSuites TLS_RSA_WITH_NULL_SHA
> > > }
> > > TTLSRule  ftp_server_rul

Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Bob Lamerand
That's one I have changed back and forth 21 ... 22 ... 21 .. 22 ... 21 &22.  
The config I started with had 21 in it, but the WinSCP references 22 so I have 
been trying both ... without success.  I changed it back to 21 now. Still fails.

I just added an ftp configuration parameter of FTPLOGGING TRUE and received 
this message:

EZYFS51I ID=FTPD10 CONN   fails  Reason=3 Text=getpeername failed

Now I'm trying to figure out what that is telling me.



Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Bob
That's one I have changed back and forth 21 ... 22 ... 21 .. 22 ... 21
&22.  The config I started with had 21 in it, but the WinSCP references 22
so I have been trying both ... without success.  I changed it back to 21
now. Still fails.

I just added an ftp configuration parameter of FTPLOGGING TRUE and received
this message:

EZYFS51I ID=FTPD10 CONN   fails  Reason=3 Text=getpeername failed

Now I'm trying to figure out what that is telling me.

On Wed, May 25, 2022 at 8:46 AM Michael Babcock 
wrote:

> I can SSH into z/OS USS but I don’t use pagent for port 22.  You should
> configure SSHD for that.   Remove port 22 from PAGENT.
>
> On Wed, May 25, 2022 at 8:46 AM Bob  wrote:
>
> > I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system
> > and I don’t know why. I’m sure I am missing something very simple, but I
> > have spent a lot of time over the last few weeks trying to figure it out
> > and I cannot.  Note that ftp without encryption does work and I have
> > nothing else using PAGENT or AT-TLS.
> >
> > I originally started with a configuration created by z/OSMF Network
> > Configuration Assistant, but after numerous attempts to get it working I
> > have pared it down to the very minimum configuration below.
> >
> > I’m not even sure what info to share.
> >
> > When I try to connect using WinSCP I just get this:
> >
> > d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2
> > testmvs
> > Searching for host...
> > Network error: Connection to "testmvs" refused.
> > The server rejected SFTP connection, but it listens for FTP connections.
> > Did you want to use FTP protocol instead of SFTP? Prefer using encryption.
> > winscp>
> >
> > And the WinSCP log doesn’t show much more:
> >
> > Looking up host "testmvs" for SSH connection
> > Connecting to 10.80.63.94 port 22
> > Failed to connect to 10.80.63.94: Network error: Connection refused
> >
> > And here are the related configuration files.
> >
> > Here’s the pagent.conf:
> >
> > LogLevel   511
> > TcpImage   TCPIP FLUSH
> > TTLSConfig /etc/TTLSConfig.conf FLUSH
> >
> > And here is the TTLSConfig.conf:
> >
> > TTLSGroupAction   ftp_server_group
> > {
> >    TTLSEnabled On
> >    Trace 30
> > }
> > TTLSEnvironmentAction ftp_server_env
> > {
> >    HandshakeRole  Server
> >    TTLSCipherParmsRef ftp_server_ciphers
> >    TTLSKeyringParms
> >    {
> >       Keyring mtskeyring
> >    }
> >    TTLSEnvironmentAdvancedParms
> >    {
> >       ApplicationControlled On
> >       SecondaryMap  On
> >       TLSv1.2   On
> >       TLSv1.3   On
> >    }
> > }
> > TTLSCipherParms   ftp_server_ciphers
> > {
> >    V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
> >    V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
> >    V3CipherSuites TLS_RSA_WITH_NULL_SHA
> > }
> > TTLSRule  ftp_server_rule
> > {
> >    LocalPortRange   21-22
> >    Direction Inbound
> >    TTLSGroupActionRef   ftp_server_group
> >    TTLSEnvironmentActionRef ftp_server_env
> > }
> >
> > Here is a ‘netstat ttls group’ command:
> >
> > MVS TCP/IP NETSTAT CS V2R5   TCPIP Name: TCPIP   13:14:46
> > TTLSGrpAction Group ID   Conns
> > ------------- -------- -----
> > ftp_server_group  0003   0
> >
> > Does that Conns=0 mean anything?
> >
> > Let me know if there is some other info that might help.
> >
> > Thank you VERY MUCH for any suggestions you can offer.
> >
> > Bob Lamerand
> >
> --
> Michael Babcock
> OneMain Financial
> z/OS Systems Programmer, Lead
>



Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Michael Babcock
I can SSH into z/OS USS but I don’t use pagent for port 22.  You should
configure SSHD for that.   Remove port 22 from PAGENT.

On Wed, May 25, 2022 at 8:46 AM Bob  wrote:

> I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system and
> I don’t know why. I’m sure I am missing something very simple, but I have
> spent a lot of time over the last few weeks trying to figure it out and I
> cannot.  Note that ftp without encryption does work and I have nothing else
> using PAGENT or AT-TLS.
>
> I originally started with a configuration created by z/OSMF Network
> Configuration Assistant, but after numerous attempts to get it working I
> have pared it down to the very minimum configuration below.
>
> I’m not even sure what info to share.
>
> When I try to connect using WinSCP I just get this:
>
> d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2
> testmvs
> Searching for host...
> Network error: Connection to "testmvs" refused.
> The server rejected SFTP connection, but it listens for FTP connections.
> Did you want to use FTP protocol instead of SFTP? Prefer using encryption.
> winscp>
>
> And the WinSCP log doesn’t show much more:
>
> Looking up host "testmvs" for SSH connection
> Connecting to 10.80.63.94 port 22
> Failed to connect to 10.80.63.94: Network error: Connection refused
>
> And here are the related configuration files.
>
> Here’s the pagent.conf:
>
> LogLevel   511
> TcpImage   TCPIP FLUSH
> TTLSConfig /etc/TTLSConfig.conf FLUSH
>
> And here is the TTLSConfig.conf:
>
> TTLSGroupAction   ftp_server_group
> {
>    TTLSEnabled On
>    Trace 30
> }
> TTLSEnvironmentAction ftp_server_env
> {
>    HandshakeRole  Server
>    TTLSCipherParmsRef ftp_server_ciphers
>    TTLSKeyringParms
>    {
>       Keyring mtskeyring
>    }
>    TTLSEnvironmentAdvancedParms
>    {
>       ApplicationControlled On
>       SecondaryMap  On
>       TLSv1.2   On
>       TLSv1.3   On
>    }
> }
> TTLSCipherParms   ftp_server_ciphers
> {
>    V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
>    V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
>    V3CipherSuites TLS_RSA_WITH_NULL_SHA
> }
> TTLSRule  ftp_server_rule
> {
>    LocalPortRange   21-22
>    Direction Inbound
>    TTLSGroupActionRef   ftp_server_group
>    TTLSEnvironmentActionRef ftp_server_env
> }
>
> Here is a ‘netstat ttls group’ command:
>
> MVS TCP/IP NETSTAT CS V2R5   TCPIP Name: TCPIP   13:14:46
> TTLSGrpAction Group ID   Conns
> ------------- -------- -----
> ftp_server_group  0003   0
>
> Does that Conns=0 mean anything?
>
> Let me know if there is some other info that might help.
>
> Thank you VERY MUCH for any suggestions you can offer.
>
> Bob Lamerand
>
-- 
Michael Babcock
OneMain Financial
z/OS Systems Programmer, Lead



Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Michael Babcock
Set your trace to 255 in the policy, refresh PAGENT and check the Syslog.
I suspect a ciphersuite issue.

On Wed, May 25, 2022 at 8:46 AM Bob  wrote:

> I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system and
> I don’t know why. I’m sure I am missing something very simple, but I have
> spent a lot of time over the last few weeks trying to figure it out and I
> cannot.  Note that ftp without encryption does work and I have nothing else
> using PAGENT or AT-TLS.
>
> I originally started with a configuration created by z/OSMF Network
> Configuration Assistant, but after numerous attempts to get it working I
> have pared it down to the very minimum configuration below.
>
> I’m not even sure what info to share.
>
> When I try to connect using WinSCP I just get this:
>
> d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2
> testmvs
> Searching for host...
> Network error: Connection to "testmvs" refused.
> The server rejected SFTP connection, but it listens for FTP connections.
> Did you want to use FTP protocol instead of SFTP? Prefer using encryption.
> winscp>
>
> And the WinSCP log doesn’t show much more:
>
> Looking up host "testmvs" for SSH connection
> Connecting to 10.80.63.94 port 22
> Failed to connect to 10.80.63.94: Network error: Connection refused
>
> And here are the related configuration files.
>
> Here’s the pagent.conf:
>
> LogLevel   511
> TcpImage   TCPIP FLUSH
> TTLSConfig /etc/TTLSConfig.conf FLUSH
>
> And here is the TTLSConfig.conf:
>
> TTLSGroupAction   ftp_server_group
> {
>    TTLSEnabled On
>    Trace 30
> }
> TTLSEnvironmentAction ftp_server_env
> {
>    HandshakeRole  Server
>    TTLSCipherParmsRef ftp_server_ciphers
>    TTLSKeyringParms
>    {
>       Keyring mtskeyring
>    }
>    TTLSEnvironmentAdvancedParms
>    {
>       ApplicationControlled On
>       SecondaryMap  On
>       TLSv1.2   On
>       TLSv1.3   On
>    }
> }
> TTLSCipherParms   ftp_server_ciphers
> {
>    V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
>    V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
>    V3CipherSuites TLS_RSA_WITH_NULL_SHA
> }
> TTLSRule  ftp_server_rule
> {
>    LocalPortRange   21-22
>    Direction Inbound
>    TTLSGroupActionRef   ftp_server_group
>    TTLSEnvironmentActionRef ftp_server_env
> }
>
> Here is a ‘netstat ttls group’ command:
>
> MVS TCP/IP NETSTAT CS V2R5   TCPIP Name: TCPIP   13:14:46
> TTLSGrpAction Group ID   Conns
> ------------- -------- -----
> ftp_server_group  0003   0
>
> Does that Conns=0 mean anything?
>
> Let me know if there is some other info that might help.
>
> Thank you VERY MUCH for any suggestions you can offer.
>
> Bob Lamerand
>
-- 
Michael Babcock
OneMain Financial
z/OS Systems Programmer, Lead

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Carmen Vitullo

would an SSL trace help here ?

not the same 'type' of connection, I had an issue with inbound 
connections to CICS and DB2 that was self inflicted, the AT-TLS add on 
required I failed to order and the connections were using some default, 
I was able to find this by performing an SSL trace and providing that 
INFO to IBM support.


Carmen 'grasping' :)


On 5/25/2022 8:46 AM, Bob wrote:

I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system and
I don’t know why. I’m sure I am missing something very simple, but I have
spent a lot of time over the last few weeks trying to figure it out and I
cannot.  Note that ftp without encryption does work and I have nothing else
using PAGENT or AT-TLS.

I originally started with a configuration created by z/OSMF Network
Configuration Assistant, but after numerous attempts to get it working I
have pared it down to the very minimum configuration below.

I’m not even sure what info to share.

When I try to connect using WinSCP I just get this:

d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2 testmvs
Searching for host...
Network error: Connection to "testmvs" refused.
The server rejected SFTP connection, but it listens for FTP connections.
Did you want to use FTP protocol instead of SFTP? Prefer using encryption.
winscp>

And the WinSCP log doesn’t show much more:

Looking up host "testmvs" for SSH connection
Connecting to 10.80.63.94 port 22
Failed to connect to 10.80.63.94: Network error: Connection refused

And here are the related configuration files.

Here’s the pagent.conf:

LogLevel   511
TcpImage   TCPIP FLUSH
TTLSConfig /etc/TTLSConfig.conf FLUSH

And here is the TTLSConfig.conf:

TTLSGroupAction   ftp_server_group
{
   TTLSEnabled On
   Trace 30
}
TTLSEnvironmentAction ftp_server_env
{
   HandshakeRole  Server
   TTLSCipherParmsRef ftp_server_ciphers
   TTLSKeyringParms
   {
      Keyring mtskeyring
   }
   TTLSEnvironmentAdvancedParms
   {
      ApplicationControlled On
      SecondaryMap  On
      TLSv1.2   On
      TLSv1.3   On
   }
}
TTLSCipherParms   ftp_server_ciphers
{
   V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
   V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
   V3CipherSuites TLS_RSA_WITH_NULL_SHA
}
TTLSRule  ftp_server_rule
{
   LocalPortRange   21-22
   Direction        Inbound
   TTLSGroupActionRef   ftp_server_group
   TTLSEnvironmentActionRef ftp_server_env
}

Here is a ‘netstat ttls group’ command:

MVS TCP/IP NETSTAT CS V2R5   TCPIP Name: TCPIP   13:14:46
TTLSGrpAction Group ID   Conns
  -  -
ftp_server_group  0003   0

Does that Conns=0 mean anything?

Let me know if there is some other info that might help.

Thank you VERY MUCH for any suggestions you can offer.

Bob Lamerand

--
/I am not bound to win, but I am bound to be true. I am not bound to 
succeed, but I am bound to live by the light that I have. I must stand 
with anybody that stands right, and stand with him while he is right, 
and part with him when he goes wrong. *Abraham Lincoln*/




AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Bob
I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system and
I don’t know why. I’m sure I am missing something very simple, but I have
spent a lot of time over the last few weeks trying to figure it out and I
cannot.  Note that ftp without encryption does work and I have nothing else
using PAGENT or AT-TLS.

I originally started with a configuration created by z/OSMF Network
Configuration Assistant, but after numerous attempts to get it working I
have pared it down to the very minimum configuration below.

I’m not even sure what info to share.

When I try to connect using WinSCP I just get this:

d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2 testmvs
Searching for host...
Network error: Connection to "testmvs" refused.
The server rejected SFTP connection, but it listens for FTP connections.
Did you want to use FTP protocol instead of SFTP? Prefer using encryption.
winscp>

And the WinSCP log doesn’t show much more:

Looking up host "testmvs" for SSH connection
Connecting to 10.80.63.94 port 22
Failed to connect to 10.80.63.94: Network error: Connection refused

And here are the related configuration files.

Here’s the pagent.conf:

LogLevel   511
TcpImage   TCPIP FLUSH
TTLSConfig /etc/TTLSConfig.conf FLUSH

And here is the TTLSConfig.conf:

TTLSGroupAction   ftp_server_group
{
   TTLSEnabled On
   Trace 30
}
TTLSEnvironmentAction ftp_server_env
{
   HandshakeRole  Server
   TTLSCipherParmsRef ftp_server_ciphers
   TTLSKeyringParms
   {
      Keyring mtskeyring
   }
   TTLSEnvironmentAdvancedParms
   {
      ApplicationControlled On
      SecondaryMap  On
      TLSv1.2   On
      TLSv1.3   On
   }
}
TTLSCipherParms   ftp_server_ciphers
{
   V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
   V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
   V3CipherSuites TLS_RSA_WITH_NULL_SHA
}
TTLSRule  ftp_server_rule
{
   LocalPortRange   21-22
   Direction        Inbound
   TTLSGroupActionRef   ftp_server_group
   TTLSEnvironmentActionRef ftp_server_env
}

Here is a ‘netstat ttls group’ command:

MVS TCP/IP NETSTAT CS V2R5   TCPIP Name: TCPIP   13:14:46
TTLSGrpAction Group ID   Conns
  -  -
ftp_server_group  0003   0

Does that Conns=0 mean anything?

Let me know if there is some other info that might help.

Thank you VERY MUCH for any suggestions you can offer.

Bob Lamerand

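The policy Bob posted can be checked mechanically before anyone raises the trace level. What follows is an added example in Python, not code from this thread, from IBM or from Bob: it parses the TTLSConfig.conf above with a small parser that covers only the syntax visible in the post, then reports cipher suites that give no confidentiality or no forward secrecy, a port range that covers a protocol AT-TLS cannot secure (port 22 is SSH, which is also the port WinSCP was actually connecting to, and as Kirk Wolf notes elsewhere in this archive AT-TLS has no relationship with OpenSSH), and any `...Ref` keyword that names a block the file never defines. The severity labels and the wording of the findings are this example's own choices.

```python
"""Lint an AT-TLS policy (TTLSConfig) for the settings questioned in this thread.
Added example, not code from the thread or from IBM.  The parser handles only the
Policy Agent syntax visible in Bob's post (statements, key/value lines, nested braces);
the sample is his posted TTLSConfig.conf, embedded so the script runs offline."""
from __future__ import annotations
from dataclasses import dataclass, field

SAMPLE_POLICY = """
TTLSGroupAction   ftp_server_group
{
   TTLSEnabled On
   Trace 30
}
TTLSEnvironmentAction ftp_server_env
{
   HandshakeRole  Server
   TTLSCipherParmsRef ftp_server_ciphers
   TTLSKeyringParms
   {
      Keyring mtskeyring
   }
   TTLSEnvironmentAdvancedParms
   {
      ApplicationControlled On
      SecondaryMap  On
      TLSv1.2   On
      TLSv1.3   On
   }
}
TTLSCipherParms   ftp_server_ciphers
{
   V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
   V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
   V3CipherSuites TLS_RSA_WITH_NULL_SHA
}
TTLSRule  ftp_server_rule
{
   LocalPortRange   21-22
   Direction        Inbound
   TTLSGroupActionRef   ftp_server_group
   TTLSEnvironmentActionRef ftp_server_env
}
"""
# Substrings marking a suite as unfit for production; severity labels are this example's own.
WEAK = {"NULL": "NULL cipher, no encryption at all", "3DES": "3DES, 64-bit block cipher (deprecated)"}
SELF_ENCRYPTING_PORTS = {22: "SSH"}   # OpenSSH encrypts itself; AT-TLS has no relationship with it


@dataclass
class Block:
    kind: str
    name: str
    entries: list[tuple[str, str]] = field(default_factory=list)
    children: list[Block] = field(default_factory=list)


def parse_policy(text: str) -> list[Block]:
    """Parse brace-delimited policy text into top-level Blocks; nested blocks become children."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    stack, i = [Block("root", "")], 0
    while i < len(lines):
        line, opens_block = lines[i], i + 1 < len(lines) and lines[i + 1] == "{"
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif opens_block:                                 # statement that opens a block
            stack[-1].children.append(Block(key, value))
            stack.append(stack[-1].children[-1])
        else:                                             # plain key/value entry
            stack[-1].entries.append((key, value))
        i += 2 if opens_block else 1
    if len(stack) != 1:
        raise ValueError("unterminated block")
    return stack[0].children


def entries_of(block: Block):
    yield from block.entries                              # then recurse into nested blocks
    for child in block.children:
        yield from entries_of(child)


def lint_policy(text: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for the policy text."""
    blocks = parse_policy(text)
    defined = {(b.kind, b.name) for b in blocks}
    findings: list[tuple[str, str]] = []
    for top in blocks:
        where = f"{top.kind} {top.name}"
        for key, value in entries_of(top):
            if key.startswith("V3CipherSuites"):
                suite = value.upper()
                findings += [("HIGH", f"{where}: {value}: {why}") for m, why in WEAK.items() if m in suite]
                if suite.startswith("TLS_RSA_WITH"):
                    findings.append(("MEDIUM", f"{where}: {value}: static RSA key exchange, no forward secrecy"))
            elif key == "LocalPortRange":
                low, _, high = value.partition("-")
                for port, proto in SELF_ENCRYPTING_PORTS.items():
                    if int(low) <= port <= int(high or low):
                        findings.append(("MEDIUM", f"{where}: {key} {value} covers port {port} ({proto}), which AT-TLS cannot secure"))
            elif key.endswith("Ref") and (key[:-3], value) not in defined:
                findings.append(("HIGH", f"{where}: {key} {value} names an undefined {key[:-3]}"))
    return findings
```

Running `lint_policy(SAMPLE_POLICY)` on the posted file yields six findings: two HIGH (the NULL and 3DES suites), three MEDIUM for the static-RSA suites, and one MEDIUM for the 21-22 port range. The dangling-reference check fires only when a `TTLSCipherParmsRef`, `TTLSGroupActionRef` or `TTLSEnvironmentActionRef` names a block that the file does not define, which is the kind of mistake that leaves a rule mapped but no connection ever secured.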


Re: "Stacking" AT-TLS on HTTPS

2022-01-28 Thread Phil Smith III
Anyone know the mechanism for saving session keys on z/OS? I've searched but
"session", "key"/"keys", and "session key"/"session keys" are terrible
search terms; they find way too many noise hits.




Re: "Stacking" AT-TLS on HTTPS

2022-01-28 Thread Phil Smith III
Tony Harminc wrote:

>What you can do, regardless of whether you *think* you're using AT-TLS
>or not, is to get the socket status using ioctl() with one of the
>SIOCTTLSCTL requests. This can tell you all kinds of stuff, but most
>basically you can see if the connection is secured (or will be if all
>goes well) by AT-TLS. It doesn't hurt to inquire.
>
>There are three kinds of AT-TLS application: passive (i.e. know
>nothing of AT-TLS), aware, and controlling, with not a hard line
>between the latter two. We wrote code in one product that makes
>inquiries into the connection state, and *may* take on controlling
>aspects if it sees the need, and otherwise just reports on the state
>of affairs. It can certainly help debugging to log everything you can
>find to ask about early in your socket processing.

Verrry interesting, thanks! Will look into this. Probably better than my
plan, which was to blame every connection failure I couldn't attribute to a
certificate issue on AT-TLS :)




Re: "Stacking" AT-TLS on HTTPS

2022-01-28 Thread Tony Harminc
On Thu, 27 Jan 2022 at 17:40, Phil Smith III  wrote:
[...]
> AT-TLS is cool, but not when you didn't ask for it. I had assumed that it
> was integrated into GSK and/or TCP/IP such that this scenario would be
> impossible. If it were, then presumably a gsk_environment_init() would keep
> AT-TLS from kicking in, or cause a meaningful error. Not blaming IBM-this is
> a user error, and I made an assumption that, while plausible, just isn't
> correct.

What you can do, regardless of whether you *think* you're using AT-TLS
or not, is to get the socket status using ioctl() with one of the
SIOCTTLSCTL requests. This can tell you all kinds of stuff, but most
basically you can see if the connection is secured (or will be if all
goes well) by AT-TLS. It doesn't hurt to inquire.

There are three kinds of AT-TLS application: passive (i.e. know
nothing of AT-TLS), aware, and controlling, with not a hard line
between the latter two. We wrote code in one product that makes
inquiries into the connection state, and *may* take on controlling
aspects if it sees the need, and otherwise just reports on the state
of affairs. It can certainly help debugging to log everything you can
find to ask about early in your socket processing.

Tony H.



Re: "Stacking" AT-TLS on HTTPS

2022-01-28 Thread Phil Smith III
Grant Taylor wrote:

>I would expect that steps #2 and / or #3 would have different values for
>nonces / ephemeral keys between on each end of the connection and that
>this would be visible if you got deep enough into the TLS debugging.

Yes, I would assume so. And we were headed that way: we were trying to
figure out if there's a way to get session keys out of z/OS, since we were
told the gateway cannot do that. Though I guess we wouldn't need them for
the Client Hello, since that's not encrypted yet. But at some point, we
would have hopefully noticed that difference, or noticed the double Client
Hello. Obviously depends exactly where in the circuit the tracing would be.
I guess with session keys we would have looked at the first encrypted packet
the gateway got and maybe at that point said, "Why is this a Client Hello
and why is it encrypted?" and maybe the penny would have dropped. Though if
nobody had ever said "AT-TLS" I'm not sure it would have then; it's just such
a bizarre thing. "Nobody EXPECTS the Spanish Inquisition."!




Re: "Stacking" AT-TLS on HTTPS

2022-01-28 Thread Grant Taylor

On 1/28/22 6:06 AM, Allan Staller wrote:
I have seen people running SFTP over an encrypted link. Talk about 
overkill! (and sl!).


I've talked about HTTPS / SSH (et al.) over IPsec over MACsec with 
people before.  }:-)


Bonus if either HTTPS or SSH are functioning as an encrypting transport 
for the other.




--
Grant. . . .
unix || die



Re: "Stacking" AT-TLS on HTTPS

2022-01-28 Thread Grant Taylor

On 1/27/22 3:40 PM, Phil Smith III wrote:

1.  Mainframe starts handshake
2.  Server ... does its handshake thing
3.  Certificates, ciphers, keys exchanged
4.  Mainframe says 410 and drops connection


I would expect that steps #2 and / or #3 would have different values for 
nonces / ephemeral keys between on each end of the connection and that 
this would be visible if you got deep enough into the TLS debugging.


Admittedly this would probably require cranking client side debugging 
all the way to eleven to see it.


But once you have visibility of each end using different values, then 
it's a question of how / why / where is the something in the middle 
that's using the counterparts.


That would have probably suggested AT-TLS or some other sort of 
bump-in-the-wire active TLS proxy.




--
Grant. . . .
unix || die



Re: "Stacking" AT-TLS on HTTPS

2022-01-28 Thread Allan Staller

I had this vague notion that AT-TLS was smart enough not to do that.
I have seen customers running TLS over a VPN, and that works fine (albeit 
probably at somewhat reduced speed).


I have seen people running SFTP over an encrypted link. Talk about overkill! 
(and sl!).


Re: "Stacking" AT-TLS on HTTPS

2022-01-27 Thread Charles Mills
I had this vague notion that AT-TLS was smart enough not to do that.

I have seen customers running TLS over a VPN, and that works fine (albeit
probably at somewhat reduced speed).

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Phil Smith III
Sent: Thursday, January 27, 2022 2:40 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: "Stacking" AT-TLS on HTTPS

I recently spent a bunch of time with a customer who was having trouble
connecting to our appliance from z/OS. They were getting error 410, "SSL
message format is incorrect". curl was failing too, and it doesn't even use
System SSL.

After much tinkering, looking at PCAPs, tracing on z/OS, etc., someone said
something about AT-TLS. "Wait, what? There's no AT-TLS involved here." "Yes
there is, we have it on all connections."

Well, there's yer problem, Vern: our product on z/OS was setting up an https
connection using GSK (System SSL), or curl was using OpenSSL. Those requests
would start their way out to the network, and then AT-TLS would grab them
and start its own negotiation. So what we'd see in Wireshark was
approximately:

1.  Mainframe starts handshake
2.  Server (actually a gateway, but that doesn't matter) does its handshake thing
3.  Certificates, ciphers, keys exchanged
4.  Mainframe says 410 and drops connection

Since this of course worked fine for us, we were baffled until we realized
AT-TLS was involved: z/OS sent out a Client Hello, and then AT-TLS got in
there and the response from the gateway was NOT the expected Server Hello!

In retrospect, the fact that curl was also failing MIGHT have been a clue,
but at the time we took it as evidence that the problem was outside of z/OS.
Instead, it appears the sequence was:

product<=>GSK<=>PAGENT<=>AT-TLS<=>TCP/IP<=>network<=>gateway

and

curl<=>OpenSSL<=>PAGENT<=>AT-TLS<=>TCP/IP<=>network<=>gateway

AT-TLS is cool, but not when you didn't ask for it. I had assumed that it
was integrated into GSK and/or TCP/IP such that this scenario would be
impossible. If it were, then presumably a gsk_environment_init() would keep
AT-TLS from kicking in, or cause a meaningful error. Not blaming IBM; this is
a user error, and I made an assumption that, while plausible, just isn't
correct.

The 410 "SSL message format is incorrect" was baffling; even IBM Level 2 was
stymied, since they didn't know about the stacked protocols. And apparently
whatever tracing they got from the customer didn't show it. This again makes
sense, since only one layer of TLS ever actually got established. I wonder
whether a sharp eye might find two gsk_environment_init() calls for one
connection, but can hardly blame them, since that isn't anywhere near where
the error was reported!

So why am I telling you this? In case it helps someone else save some
tsuris. Googling

410 "SSL message format is incorrect"

only gets 13 hits; add "AT-TLS" and that drops to 5, none of which are about
this "stacking" issue. So this is not a commonly encountered problem.

...phsiii




"Stacking" AT-TLS on HTTPS

2022-01-27 Thread Phil Smith III
I recently spent a bunch of time with a customer who was having trouble
connecting to our appliance from z/OS. They were getting error 410, "SSL
message format is incorrect". curl was failing too, and it doesn't even use
System SSL.

After much tinkering, looking at PCAPs, tracing on z/OS, etc., someone said
something about AT-TLS. "Wait, what? There's no AT-TLS involved here." "Yes
there is, we have it on all connections."

Well, there's yer problem, Vern: our product on z/OS was setting up an https
connection using GSK (System SSL), or curl was using OpenSSL. Those requests
would start their way out to the network, and then AT-TLS would grab them
and start its own negotiation. So what we'd see in Wireshark was
approximately:

1.  Mainframe starts handshake
2.  Server (actually a gateway, but that doesn't matter) does its handshake thing
3.  Certificates, ciphers, keys exchanged
4.  Mainframe says 410 and drops connection

Since this of course worked fine for us, we were baffled until we realized
AT-TLS was involved: z/OS sent out a Client Hello, and then AT-TLS got in
there and the response from the gateway was NOT the expected Server Hello!

In retrospect, the fact that curl was also failing MIGHT have been a clue,
but at the time we took it as evidence that the problem was outside of z/OS.
Instead, it appears the sequence was:

product<=>GSK<=>PAGENT<=>AT-TLS<=>TCP/IP<=>network<=>gateway

and

curl<=>OpenSSL<=>PAGENT<=>AT-TLS<=>TCP/IP<=>network<=>gateway

AT-TLS is cool, but not when you didn't ask for it. I had assumed that it
was integrated into GSK and/or TCP/IP such that this scenario would be
impossible. If it were, then presumably a gsk_environment_init() would keep
AT-TLS from kicking in, or cause a meaningful error. Not blaming IBM; this is
a user error, and I made an assumption that, while plausible, just isn't
correct.

The 410 "SSL message format is incorrect" was baffling; even IBM Level 2 was
stymied, since they didn't know about the stacked protocols. And apparently
whatever tracing they got from the customer didn't show it. This again makes
sense, since only one layer of TLS ever actually got established. I wonder
whether a sharp eye might find two gsk_environment_init() calls for one
connection, but can hardly blame them, since that isn't anywhere near where
the error was reported!

So why am I telling you this? In case it helps someone else save some
tsuris. Googling

410 "SSL message format is incorrect"

only gets 13 hits; add "AT-TLS" and that drops to 5, none of which are about
this "stacking" issue. So this is not a commonly encountered problem.

...phsiii


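The symptom Phil describes, and Grant Taylor's suggestion in the same thread that the two ends of the connection would show different handshake values, can both be checked on captured bytes. What follows is an added example in Python, not code from the thread or from any IBM or vendor product; it constructs minimal TLS 1.2 ClientHello and ServerHello records itself (no real handshake, and the tunnelled record is left unencrypted for the model) so it runs offline. `classify_reply` reports what the application's TLS library sees in the bytes that arrive where it expects a ServerHello, `compare_ends` compares the ClientHello random captured beside the application with the one the far end received, and `stacked_exchange` replays the sequence from the post.

```python
"""Recognise the stacked-TLS symptom from Phil Smith's post in captured bytes.
Added example, not code from the thread or from any IBM or vendor product.  It
builds minimal TLS 1.2 ClientHello/ServerHello records itself (no real handshake,
and the tunnelled record is left unencrypted for the model) so it runs offline."""
import os
import struct

HANDSHAKE, APPLICATION_DATA = 0x16, 0x17
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
TLS12 = b"\x03\x03"


def build_hello(msg_type: int, random32: bytes) -> bytes:
    """One TLS record carrying a minimal ClientHello or ServerHello (constructed)."""
    assert len(random32) == 32
    if msg_type == CLIENT_HELLO:   # version, random, empty session id, one suite, null compression
        body = TLS12 + random32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    else:                          # version, random, empty session id, chosen suite, compression
        body = TLS12 + random32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + TLS12 + len(handshake).to_bytes(2, "big") + handshake


def parse_record(buf: bytes):
    """Split off the first TLS record as (content_type, body), or None if buf is not TLS."""
    if len(buf) < 5:
        return None
    ctype, major, _minor, length = struct.unpack("!BBBH", buf[:5])
    if ctype not in (0x14, 0x15, 0x16, 0x17) or major != 3 or len(buf) < 5 + length:
        return None
    return ctype, buf[5:5 + length]


def hello_random(body: bytes):
    """(handshake_type, 32-byte random) from a ClientHello/ServerHello body, else None."""
    if len(body) < 38 or body[0] not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    return body[0], body[6:38]     # 4-byte handshake header + 2-byte version, then random


def classify_reply(buf: bytes) -> str:
    """What the application's TLS library sees in bytes that arrive where it expects a ServerHello."""
    rec = parse_record(buf)
    if rec is None:
        return "not-tls"           # e.g. a gateway error text, which GSK reports as a format error
    ctype, body = rec
    if ctype != HANDSHAKE:
        return "non-handshake-record"
    info = hello_random(body)
    if info is None:
        return "other-handshake"
    return "server-hello" if info[0] == SERVER_HELLO else "client-hello"


def compare_ends(near_end: bytes, far_end: bytes) -> str:
    """Grant Taylor's check: the ClientHello captured beside the application versus the one
    the far end received.  Different randoms mean something in the path terminated TLS."""
    recs = [parse_record(b) for b in (near_end, far_end)]
    if any(r is None or r[0] != HANDSHAKE for r in recs):
        return "no-handshake-at-one-end"
    hellos = [hello_random(r[1]) for r in recs]
    if any(h is None or h[0] != CLIENT_HELLO for h in hellos):
        return "no-client-hello-at-one-end"
    return "same-handshake" if hellos[0][1] == hellos[1][1] else "different-handshakes"


def stacked_exchange() -> dict:
    """Replay the sequence from the post: the application (GSK/OpenSSL) sends its own
    ClientHello, an in-path TLS layer (AT-TLS) runs a separate handshake with the gateway
    and then forwards the application's ClientHello inside an application-data record."""
    app_hello = build_hello(CLIENT_HELLO, os.urandom(32))     # seen beside the application
    wire_hello = build_hello(CLIENT_HELLO, os.urandom(32))    # AT-TLS's own, seen by the gateway
    tunnelled = bytes([APPLICATION_DATA]) + TLS12 + len(app_hello).to_bytes(2, "big") + app_hello
    gateway_reply = b"HTTP/1.1 400 Bad Request\r\n\r\n"        # constructed: not a ServerHello
    return {
        "ends": compare_ends(app_hello, wire_hello),
        "inside_tunnel": classify_reply(parse_record(tunnelled)[1]),
        "app_sees": classify_reply(gateway_reply),
    }
```

`stacked_exchange()` returns `different-handshakes` for the two ends, `client-hello` for the payload the gateway finds inside the tunnel (the "why is this a Client Hello and why is it encrypted?" moment from the follow-up), and `not-tls` for what the application's library is handed in place of a ServerHello. On a real capture, the same two functions apply: compare the ClientHello random in a trace taken on the host with the one in a trace taken at the gateway, and if they differ there is a TLS terminator between them, whether or not anyone remembers configuring it.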


Re: Getting started with Policy Agent and AT-TLS

2021-03-31 Thread Mike Hochee
Hi Charles, 

Almost 10 years old now, but I've always thought this was an xlnt
presentation...
https://www.ibm.com/support/pages/system/files/support/swg/swgdocs.nsf/0/2b7dd92c65e0defe85257a2b0057759b/$FILE/Leveraging_ATTLS.pdf

I posted the following about 6mos ago for a similar question. 

- Use z/OSMF for generation of your initial set of PA config files and inputs, 
then consider manually tailoring. I opted for this approach under z/OS 2.2, but 
z/OSMF has undoubtedly improved greatly since then, so maybe you can use z/OSMF 
exclusively now. 

- Configure the syslog daemon, and test it to ensure messages are being 
collected for whatever you're interested in (TCPIP is not a pre-req for 
syslogd) 

- Configure PROFILE.TCPIP, you will need to add a TTLS parm to the TCPCONFIG 
statement

- Create the resource profile used to block access to the TCPIP stack during 
initialization, the name of the resource will be 
EZB.INITSTACK.%sysname.%tcpprocname  (it may be differently named w/ACF2 or 
TSS) 

- Create a server keyring and x509 certificate, and then connect the cert to 
the keyring, and depending on what you're doing you may need to permit access 
so the keyring and cert can be listed (resources are IRR.DIGTCERT.LISTRING and 
IRR.DIGTCERT.LIST) 

- Once you have done the above and are ready to test:
  Ensure syslogd running
  Stop the TCPIP AS (there are undoubtedly less invasive ways)
  Start the TCPIP AS and watch for msg EZZ4248E, after which you should start
  your PA daemon (eventually you'll want to automate this), the start will
  probably look something like...
  /usr/lpp/tcpip/sbin/pagent -l /tmp/pagent.log -c /etc/pagent.conf &

- Once started, check out the following for messages...
  MVS system log
  Pagent log file
  Output from the pasearch -t command

HTH, 
Mike 

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Charles Mills
Sent: Wednesday, March 31, 2021 6:23 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Getting started with Policy Agent and AT-TLS

Can anyone point me to a SHARE or other presentation or similar tutorial on how 
to get started with Policy Agent and AT-TLS?

I'm already aware, of course, of the material in the IP Configuration Guide.

Thanks,

Charles



Getting started with Policy Agent and AT-TLS

2021-03-31 Thread Charles Mills
Can anyone point me to a SHARE or other presentation or similar tutorial on
how to get started with Policy Agent and AT-TLS?

I'm already aware, of course, of the material in the IP Configuration Guide.

Thanks,

Charles 



Re: AT-TLS issues with FTP and SSH

2020-09-27 Thread Rob Schramm
True..but if you do it wrong you can lock out pretty much everything for
TCP/IP...it's loads of fun!!

It's why I always set it up to OBEY for TCP IP after the stack is up and
running...just in case security does something weird.

Rob Schramm

On Tue, Sep 22, 2020, 17:02 Kirk Wolf  wrote:

> That will do it!
>
> BTW: AT-TLS has no relationship with IBM z/OS OpenSSH.
>
> On Tue, Sep 22, 2020 at 12:00 PM Lionel B Dyck  wrote:
>
> > Found issue with SSH - I had created (mkdir) the .ssh directory so it had
> > the default permissions.  Should have let ssh-keygen create it.
> >
> > Tried adding logging to pagent for ftp - overloaded with messages and
> > reading them now.
> >
> > Thank you
> >
> >
> > Lionel B. Dyck <
> > Website: https://www.lbdsoftware.com
> >
> > "Worry more about your character than your reputation.  Character is what
> > you are, reputation merely what others think you are." - John Wooden
> >
> > -Original Message-
> > From: IBM Mainframe Discussion List  On Behalf
> > Of
> > Mike Hochee
> > Sent: Tuesday, September 22, 2020 11:39 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: AT-TLS issues with FTP and SSH
> >
> > Regarding the AT-TLS issue, your pagent is likely encountering a problem
> in
> > the FTP section (of course!).  Look at the log it generates, and if you
> > don't have one, add the logging option to the pagent start command. If I
> > remember correctly, there's also a verbose setting. I found the logs to
> be
> > extremely useful.
> >
> > HTH,
> > Mike
> >
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> > Behalf Of Lionel B Dyck
> > Sent: Tuesday, September 22, 2020 11:08 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: AT-TLS issues with FTP and SSH
> >
> > We just enabled AT-TLS (PAGENT) on a test LPAR and immediately ran into
> two
> > issues:
> >
> > 1. The FTP Client ceased to work (until we commented the FTP section in
> the
> > pagent_TTLS.conf file)
> > a. No issues doing an FTP into this LPAR.
> > 2. Git stopped working due to SSH.
> >
> > A simple test is: ssh g...@github.com
> >
> > And for that I'm getting: FOTS3322 Passwords may not be entered from 3270
> > terminals
> >
> > If we stop PAGENT then everything works.
> >
> > Can anyone offer any pointers/tips/solutions to either of these problems?
> >
> > Thanks in advance.
> >
> >
> > Lionel B. Dyck <
> > Website: https://www.lbdsoftware.com
> >
> > "Worry more about your character than your reputation.  Character is what
> > you are, reputation merely what others think you are." - John Wooden
> >


Re: AT-TLS issues with FTP and SSH

2020-09-22 Thread Kirk Wolf
That will do it!

BTW: AT-TLS has no relationship with IBM z/OS OpenSSH.

On Tue, Sep 22, 2020 at 12:00 PM Lionel B Dyck  wrote:

> Found issue with SSH - I had created (mkdir) the .ssh directory so it had
> the default permissions.  Should have let ssh-keygen create it.
>
> Tried adding logging to pagent for ftp - overloaded with messages and
> reading them now.
>
> Thank you
>
>
> Lionel B. Dyck <
> Website: https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation.  Character is what
> you are, reputation merely what others think you are." - John Wooden
>
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf
> Of
> Mike Hochee
> Sent: Tuesday, September 22, 2020 11:39 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: AT-TLS issues with FTP and SSH
>
> Regarding the AT-TLS issue, your pagent is likely encountering a problem in
> the FTP section (of course!).  Look at the log it generates, and if you
> don't have one, add the logging option to the pagent start command. If I
> remember correctly, there's also a verbose setting. I found the logs to be
> extremely useful.
>
> HTH,
> Mike
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Lionel B Dyck
> Sent: Tuesday, September 22, 2020 11:08 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: AT-TLS issues with FTP and SSH
>
> We just enabled AT-TLS (PAGENT) on a test LPAR and immediately ran into two
> issues:
>
> 1. The FTP Client ceased to work (until we commented the FTP section in the
> pagent_TTLS.conf file)
> a. No issues doing an FTP into this LPAR.
> 2. Git stopped working due to SSH.
>
> A simple test is: ssh g...@github.com
>
> And for that I'm getting: FOTS3322 Passwords may not be entered from 3270
> terminals
>
> If we stop PAGENT then everything works.
>
> Can anyone offer any pointers/tips/solutions to either of these problems?
>
> Thanks in advance.
>
>
> Lionel B. Dyck <
> Website: https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation.  Character is what
> you are, reputation merely what others think you are." - John Wooden
>


Re: AT-TLS issues with FTP and SSH

2020-09-22 Thread Lionel B Dyck
Found issue with SSH - I had created (mkdir) the .ssh directory so it had
the default permissions.  Should have let ssh-keygen create it.

Tried adding logging to pagent for ftp - overloaded with messages and
reading them now.

Thank you


Lionel B. Dyck <
Website: https://www.lbdsoftware.com

"Worry more about your character than your reputation.  Character is what
you are, reputation merely what others think you are." - John Wooden

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Mike Hochee
Sent: Tuesday, September 22, 2020 11:39 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS issues with FTP and SSH

Regarding the AT-TLS issue, your pagent is likely encountering a problem in
the FTP section (of course!).  Look at the log it generates, and if you
don't have one, add the logging option to the pagent start command. If I
remember correctly, there's also a verbose setting. I found the logs to be
extremely useful.   

HTH,
Mike 

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Lionel B Dyck
Sent: Tuesday, September 22, 2020 11:08 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: AT-TLS issues with FTP and SSH

We just enabled AT-TLS (PAGENT) on a test LPAR and immediately ran into two
issues:

1. The FTP Client ceased to work (until we commented the FTP section in the
pagent_TTLS.conf file)
a. No issues doing an FTP into this LPAR.
2. Git stopped working due to SSH.

A simple test is: ssh g...@github.com

And for that I'm getting: FOTS3322 Passwords may not be entered from 3270
terminals

If we stop PAGENT then everything works.

Can anyone offer any pointers/tips/solutions to either of these problems?

Thanks in advance.


Lionel B. Dyck <
Website: https://www.lbdsoftware.com

"Worry more about your character than your reputation.  Character is what
you are, reputation merely what others think you are." - John Wooden

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
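The directory-permission cause reported above is a common one: a ~/.ssh created with a plain mkdir inherits the umask instead of the 700 mode that ssh-keygen sets. As an added example that is not part of this thread or of any poster's own code, here is a POSIX shell check that reports a .ssh directory or private key that is more open than OpenSSH expects (700 for the directory, 600 for private keys), plus a helper that tightens them. It assumes the default id_* key file names and reads modes with ls -ld rather than stat so it runs under any POSIX shell; the directory is passed as a parameter and defaults to $HOME/.ssh.

```shell
#!/bin/sh
# Added example, not from the IBM-MAIN thread: verify and repair ~/.ssh permissions.
#   check_ssh_perms [dir]  -> exit status 0 if dir is 700 and private keys are 600, else 1
#   fix_ssh_perms   [dir]  -> chmod the directory to 700 and the private keys to 600
# Assumption: private keys use the default id_* names (id_rsa, id_ed25519, ...);
# add any custom key names to the globs below.

# First field of "ls -ld", e.g. "drwxr-xr-x"; portable, no stat dependency.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Succeeds only when group and other have no permission bits at all
# (characters 5-10 of the mode string are all dashes).
owner_only() {
    [ "$(perm_string "$1" | cut -c5-10)" = "------" ]
}

check_ssh_perms() {
    dir="${1:-$HOME/.ssh}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir" >&2
        return 1
    fi
    if ! owner_only "$dir"; then
        echo "loose: $dir is $(perm_string "$dir"), expected drwx------" >&2
        rc=1
    fi
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue                 # glob matched nothing
        case "$key" in *.pub) continue ;; esac    # public halves may be world-readable
        if ! owner_only "$key"; then
            echo "loose: $key is $(perm_string "$key"), expected -rw-------" >&2
            rc=1
        fi
    done
    return $rc
}

fix_ssh_perms() {
    dir="${1:-$HOME/.ssh}"
    chmod 700 "$dir"
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case "$key" in *.pub) continue ;; esac
        chmod 600 "$key"
    done
}
```

Source the file and run check_ssh_perms before the first ssh attempt; it prints each offending path to stderr and returns non-zero, which makes it usable as a pre-check in a job step. fix_ssh_perms only touches the directory and the private keys, leaving known_hosts, config and public keys alone.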


Re: AT-TLS issues with FTP and SSH

2020-09-22 Thread Mike Hochee
Regarding the AT-TLS issue, your pagent is likely encountering a problem in the 
FTP section (of course!).  Look at the log it generates, and if you don't have 
one, add the logging option to the pagent start command. If I remember 
correctly, there's also a verbose setting. I found the logs to be extremely 
useful.   

HTH, 
Mike 

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Lionel B Dyck
Sent: Tuesday, September 22, 2020 11:08 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: AT-TLS issues with FTP and SSH

We just enabled AT-TLS (PAGENT) on a test LPAR and immediately ran into two
issues:

1. The FTP Client ceased to work (until we commented the FTP section in the 
pagent_TTLS.conf file)
a. No issues doing an FTP into this LPAR.
2. Git stopped working due to SSH.

A simple test is: ssh g...@github.com

And for that I'm getting: FOTS3322 Passwords may not be entered from 3270 
terminals

If we stop PAGENT then everything works.

Can anyone offer any pointers/tips/solutions to either of these problems?

Thanks in advance.


Lionel B. Dyck <
Website: https://www.lbdsoftware.com

"Worry more about your character than your reputation.  Character is what you 
are, reputation merely what others think you are." - John Wooden

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: AT-TLS issues with FTP and SSH

2020-09-22 Thread Paul Gilmartin
On Tue, 22 Sep 2020 10:07:57 -0500, Lionel B Dyck wrote:
>
>And for that I'm getting: FOTS3322 Passwords may not be entered from 3270
>terminals
>
They're giving you a hint.  Eschew 3270; don't be a masochist.

Years ago, I discovered that if I start "script" under 3270 OMVS, then
I can enter passwords.  Evidently script masked the 3270-ness.  I don't
know whether IBM has declared that a weakness and reinforced it.

I did some tests.  In a script I issued "stty -echo"; prompted for a
string; "stty echo".  In a C program, I used tcsetattr([~ECHO]) to
disable echoing; read a string; and restored echoing.

In both cases, the password was hidden in an ssh session but displayed
momentarily in a 3270 session.

I went to SR with both problems.  I didn't mention my "script" hack lest 
they break it.  They fixed stty somehow but chose to leave fcntl() broken.
Go figger.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


AT-TLS issues with FTP and SSH

2020-09-22 Thread Lionel B Dyck
We just enabled AT-TLS (PAGENT) on a test LPAR and immediately ran into two
issues:

1. The FTP Client ceased to work (until we commented the FTP section in the
pagent_TTLS.conf file)
a. No issues doing an FTP into this LPAR.
2. Git stopped working due to SSH.

A simple test is: ssh g...@github.com

And for that I’m getting: FOTS3322 Passwords may not be entered from 3270
terminals  

If we stop PAGENT then everything works.

Can anyone offer any pointers/tips/solutions to either of these problems?

Thanks in advance.


Lionel B. Dyck <
Website: https://www.lbdsoftware.com

"Worry more about your character than your reputation.  Character is what
you are, reputation merely what others think you are." - John Wooden

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: AT-TLS ? Very Basic Questions

2020-07-01 Thread Tom Brennan
Thanks!  This conversation really helped me understand.  And Mike just 
pointed out that not only are things headed to AT-TLS, but it may be the 
ONLY way to encrypt in the near future.


On 7/1/2020 9:21 AM, Charles Mills wrote:

Tom, I believe you have nailed it exactly. Those are the two main drivers IMHO.

In addition, there is a *huge* problem (in general, not Z specifically) of poorly-written 
programmatic "users" of TLS libraries. If you write a General Ledger program and the 
ledgers don't cross-foot, the CFO tells you. If you write an "encrypted" communication 
program and the encryption has a logical flaw, generally no one tells you. :-( Centralizing the use 
of TLS, not just the TLS APIs, is a step toward addressing that problem.

https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Tom Brennan
Sent: Tuesday, June 30, 2020 9:46 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

Thanks KB...  I think I got my basic question answered, which is that
one thing AT-TLS was designed for is to encrypt data for TCP/IP programs
that weren't originally written with encryption.  In addition, it sounds
like even programs that can do their own encryption (i.e. TN3270) can
also use AT-TLS.  If so, that's a smart plan - putting encryption
processing in one bucket with one set of controls, and one spot to
update when TLS1.x comes along.

But if I'm wrong with any of the general notes above, please correct me.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: AT-TLS ? Very Basic Questions

2020-07-01 Thread Charles Mills
I think programs will be able to; IBM just does not intend to spend to maintain 
encryption in two places: AT-TLS *and* all of the listed applications.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Mike Wawiorko
Sent: Wednesday, July 1, 2020 6:43 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

Some programs will soon no longer be able to do their own TLS encryption. 

https://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/0/877/ENUSZP19-0410/index.html&request_locale=en#sodx

Statements of direction

Removal of native TLS/SSL support from TN3270E Telnet server, FTP server, and 
DCAS

z/OS V2.4 is planned to be the last release in which the z/OS TN3270E Telnet 
server, FTP server, and Digital Certificate Access Server (DCAS) will support 
direct invocation of System SSL APIs for TLS/SSL protection. In the future, the 
only TLS/SSL protection option for these servers will be Application 
Transparent Transport Layer Security (AT-TLS). The direct System SSL support in 
each of these components is functionally outdated and only supports TLS 
protocols up through TLSv1.1. IBM recommends converting your TN3270E Telnet, 
FTP server, and DCAS configurations to use AT-TLS, which supports the latest 
System SSL features, including the TLSv1.2 and TLSv1.3 protocols and related 
cipher suites. Note that while native TLS/SSL support for z/OS FTP client is 
not being withdrawn at this time, no future enhancements are planned for that 
support. IBM recommends using AT-TLS to secure FTP client traffic.

Mike Wawiorko  

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: 01 July 2020 05:46
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions


Thanks KB...  I think I got my basic question answered, which is that one thing 
AT-TLS was designed for is to encrypt data for TCP/IP programs that weren't 
originally written with encryption.  In addition, it sounds like even programs 
that can do their own encryption (i.e. TN3270) can also use AT-TLS.  If so, 
that's a smart plan - putting encryption processing in one bucket with one set 
of controls, and one spot to update when TLS1.x comes along.

But if I'm wrong with any of the general notes above, please correct me.


This e-mail and any attachments are confidential and intended solely for the 
addressee and may also be privileged or exempt from disclosure under applicable 
law. If you are not the addressee, or have received this e-mail in error, 
please notify the sender immediately, delete it from your system and do not 
copy, disclose or otherwise act upon any part of this e-mail or its attachments.
Internet communications are not guaranteed to be secure or virus-free. The 
Barclays Group does not accept responsibility for any loss arising from 
unauthorised access to, or interference with, any Internet communications by 
any third party, or from the transmission of any viruses. Replies to this 
e-mail may be monitored by the Barclays Group for operational or business 
reasons.
Any opinion or other information in this e-mail or its attachments that does 
not relate to the business of the Barclays Group is personal to the sender and 
is not given or endorsed by the Barclays Group.
Barclays Execution Services Limited provides support and administrative 
services across Barclays group. Barclays Execution Services Limited is an 
appointed representative of Barclays Bank UK plc, Barclays Bank plc and 
Clydesdale Financial Services Limited. Barclays Bank UK plc and Barclays Bank 
plc are authorised by the Prudential Regulation Authority and regulated by the 
Financial Conduct Authority and the Prudential Regulation Authority. Clydesdale 
Financial Services Limited is authorised and regulated by the Financial Conduct 
Authority.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN



Re: AT-TLS ? Very Basic Questions

2020-07-01 Thread Charles Mills
Tom, I believe you have nailed it exactly. Those are the two main drivers IMHO.

In addition, there is a *huge* problem (in general, not Z specifically) of 
poorly-written programmatic "users" of TLS libraries. If you write a General 
Ledger program and the ledgers don't cross-foot, the CFO tells you. If you 
write an "encrypted" communication program and the encryption has a logical 
flaw, generally no one tells you. :-( Centralizing the use of TLS, not just the 
TLS APIs, is a step toward addressing that problem.

https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf 

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Tom Brennan
Sent: Tuesday, June 30, 2020 9:46 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

Thanks KB...  I think I got my basic question answered, which is that 
one thing AT-TLS was designed for is to encrypt data for TCP/IP programs 
that weren't originally written with encryption.  In addition, it sounds 
like even programs that can do their own encryption (i.e. TN3270) can 
also use AT-TLS.  If so, that's a smart plan - putting encryption 
processing in one bucket with one set of controls, and one spot to 
update when TLS1.x comes along.

But if I'm wrong with any of the general notes above, please correct me.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: AT-TLS ? Very Basic Questions

2020-07-01 Thread Mike Wawiorko
Some programs will soon no longer be able to do their own TLS encryption. 

https://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/0/877/ENUSZP19-0410/index.html&request_locale=en#sodx

Statements of direction

Removal of native TLS/SSL support from TN3270E Telnet server, FTP server, and 
DCAS

z/OS V2.4 is planned to be the last release in which the z/OS TN3270E Telnet 
server, FTP server, and Digital Certificate Access Server (DCAS) will support 
direct invocation of System SSL APIs for TLS/SSL protection. In the future, the 
only TLS/SSL protection option for these servers will be Application 
Transparent Transport Layer Security (AT-TLS). The direct System SSL support in 
each of these components is functionally outdated and only supports TLS 
protocols up through TLSv1.1. IBM recommends converting your TN3270E Telnet, 
FTP server, and DCAS configurations to use AT-TLS, which supports the latest 
System SSL features, including the TLSv1.2 and TLSv1.3 protocols and related 
cipher suites. Note that while native TLS/SSL support for z/OS FTP client is 
not being withdrawn at this time, no future enhancements are planned for that 
support. IBM recommends using AT-TLS to secure FTP client traffic.

Mike Wawiorko  

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: 01 July 2020 05:46
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions


Thanks KB...  I think I got my basic question answered, which is that one thing 
AT-TLS was designed for is to encrypt data for TCP/IP programs that weren't 
originally written with encryption.  In addition, it sounds like even programs 
that can do their own encryption (i.e. TN3270) can also use AT-TLS.  If so, 
that's a smart plan - putting encryption processing in one bucket with one set 
of controls, and one spot to update when TLS1.x comes along.

But if I'm wrong with any of the general notes above, please correct me.



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
I tried "Let's Encrypt" https://letsencrypt.org/ once for some web site 
names I have on a Linux server under my desk.  I can't remember why I 
didn't like it, but I ended up making my own CA cert to sign my https 
certificates, and then got the few people using the sites to import my 
CA into their browser.  Cheating a bit but it works great for isolated use.


But yes, if things like certificates could be all piled into one 
application and handled by one person in a company, things would get 
easier.  The first time I dealt with a certificate on the mainframe was 
for IBM's ITIM system which (the developer mentioned) had just switched 
to use OpenSSL.  We had multiple meetings with project leaders and 
others just to get a paid-for certificate in place (2 year expiration), 
when we probably could have created something self-signed with a 30 year 
expiration if we knew better :)


On 6/30/2020 10:23 PM, kekronbekron wrote:

I believe that's the idea.
Now with zERT being available, more encrypted workload types will get surfaced; 
will probably lead to adding more application/transport types being added under 
AT-TLS's capability.
Just speculation anyway..

What'll be interesting is if AT-TLS evolves to support mTLS (and the dynamic 
cert generation, renewal involved in it) for all the east-west traffic in 
new-age workload.
Starting with a "port" of Let's Encrypt for Z.
Don't know if any of these make sense, just a wild wishlist.

- KB

‐‐‐ Original Message ‐‐‐
On Wednesday, July 1, 2020 10:16 AM, Tom Brennan  
wrote:


Thanks KB... I think I got my basic question answered, which is that
one thing AT-TLS was designed for is to encrypt data for TCP/IP programs
that weren't originally written with encryption. In addition, it sounds
like even programs that can do their own encryption (i.e. TN3270) can
also use AT-TLS. If so, that's a smart plan - putting encryption
processing in one bucket with one set of controls, and one spot to
update when TLS1.x comes along.

But if I'm wrong with any of the general notes above, please correct me.

On 6/30/2020 9:16 PM, kekronbekron wrote:


Tom, check this out - https://www.youtube.com/watch?v=YKEzX70moOQ
I also got 200 hits for 'AT-TLS' after logging in to share.org; you might want 
to do the same to see which of those are the most useful to you.

-   KB

‐‐‐ Original Message ‐‐‐
On Tuesday, June 30, 2020 10:27 PM, Tom Brennan t...@tombrennansoftware.com 
wrote:


I've tried to skim some of the AT-TLS doc, and even attended an IBM
webinar last week, but I'm still missing what I imagine are important
background points. Maybe someone here can explain things, but don't
worry too much about it.
Client and server programs like SSH/SSHD call programs such as OpenSSL
to handle the encryption handshake and processing. So when you set
those up, there is no AT-TLS needed for encryption. Same with the
TN3270 server and client, as long as you set that up with keys and
parameters on the host side, and settings on the client side.
I'm thinking because of the name "Application Transparent" that AT-TLS
was made for programs that DON'T have their own logic to call OpenSSL
(or whatever) to do their own encryption. Let's use clear-text FTP as
an example. So somehow, AT-TLS hooks into the processing and provides
an encrypted "tunnel", kind of like VPN does, but only for that one
application. Does that sound correct?
If so, then the encryption is "transparent" to the FTP server code and
FTP does not need to be changed, which I think is the whole idea here.
Yet we now have an encrypted session. Does that sound correct?
Then if so, what happens on the FTP client side? I certainly can't use
the Windows FTP command, for example, because it's not setup for any
kind of encryption. That's kind of my big question here.
On 6/30/2020 1:44 AM, Lionel B Dyck wrote:


Sweet - thank you
Lionel B. Dyck <
Website: https://www.lbdsoftware.com
"Worry more about your character than your reputation. Character is what you are, 
reputation merely what others think you are." - John Wooden
-Original Message-
From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of 
kekronbekron
Sent: Tuesday, June 30, 2020 2:34 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ?
Hi LBD!,
Check these out-
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414

-   KB

‐‐‐ Original Message ‐‐‐
On Monday, June 29, 2020 3:56 AM, Lionel B Dyck lbd...@gmail.com wrote:


Anyone have any pointers for configuring AT-TLS on z/OS?
Lionel B. Dyck <
Website: https://www.lbdsoftware.com https://www.lbdsoftware.com
"Worry more about your character than y

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread kekronbekron
I believe that's the idea.
Now with zERT being available, more encrypted workload types will get surfaced; 
will probably lead to adding more application/transport types being added under 
AT-TLS's capability.
Just speculation anyway..

What'll be interesting is if AT-TLS evolves to support mTLS (and the dynamic 
cert generation, renewal involved in it) for all the east-west traffic in 
new-age workload.
Starting with a "port" of Let's Encrypt for Z.
Don't know if any of these make sense, just a wild wishlist.

- KB

‐‐‐ Original Message ‐‐‐
On Wednesday, July 1, 2020 10:16 AM, Tom Brennan  
wrote:

> Thanks KB... I think I got my basic question answered, which is that
> one thing AT-TLS was designed for is to encrypt data for TCP/IP programs
> that weren't originally written with encryption. In addition, it sounds
> like even programs that can do their own encryption (i.e. TN3270) can
> also use AT-TLS. If so, that's a smart plan - putting encryption
> processing in one bucket with one set of controls, and one spot to
> update when TLS1.x comes along.
>
> But if I'm wrong with any of the general notes above, please correct me.
>
> On 6/30/2020 9:16 PM, kekronbekron wrote:
>
> > Tom, check this out - https://www.youtube.com/watch?v=YKEzX70moOQ
> > I also got 200 hits for 'AT-TLS' after logging in to share.org; you might 
> > want to do the same to see which of those are the most useful to you.
> >
> > -   KB
> >
> > ‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Tuesday, June 30, 2020 10:27 PM, Tom Brennan t...@tombrennansoftware.com 
> > wrote:
> >
> > > I've tried to skim some of the AT-TLS doc, and even attended an IBM
> > > webinar last week, but I'm still missing what I imagine are important
> > > background points. Maybe someone here can explain things, but don't
> > > worry too much about it.
> > > Client and server programs like SSH/SSHD call programs such as OpenSSL
> > > to handle the encryption handshake and processing. So when you set
> > > those up, there is no AT-TLS needed for encryption. Same with the
> > > TN3270 server and client, as long as you set that up with keys and
> > > parameters on the host side, and settings on the client side.
> > > I'm thinking because of the name "Application Transparent" that AT-TLS
> > > was made for programs that DON'T have their own logic to call OpenSSL
> > > (or whatever) to do their own encryption. Let's use clear-text FTP as
> > > an example. So somehow, AT-TLS hooks into the processing and provides
> > > an encrypted "tunnel", kind of like VPN does, but only for that one
> > > application. Does that sound correct?
> > > If so, then the encryption is "transparent" to the FTP server code and
> > > FTP does not need to be changed, which I think is the whole idea here.
> > > Yet we now have an encrypted session. Does that sound correct?
> > > Then if so, what happens on the FTP client side? I certainly can't use
> > > the Windows FTP command, for example, because it's not setup for any
> > > kind of encryption. That's kind of my big question here.
> > > On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
> > >
> > > > Sweet - thank you
> > > > Lionel B. Dyck <
> > > > Website: https://www.lbdsoftware.com
> > > > "Worry more about your character than your reputation. Character is 
> > > > what you are, reputation merely what others think you are." - John 
> > > > Wooden
> > > > -Original Message-
> > > > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf 
> > > > Of kekronbekron
> > > > Sent: Tuesday, June 30, 2020 2:34 AM
> > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > Subject: Re: AT-TLS ?
> > > > Hi LBD!,
> > > > Check these out-
> > > > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
> > > > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
> > > > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
> > > >
> > > > -   KB
> > > >
> > > > ‐‐‐ Original Message ‐‐‐
> > > > On Monday, June 29, 2020 3:56 AM, Lionel B Dyck lbd...@gmail.com wrote:
> > > >
> > > > > Anyone have any pointers for configuring AT-TLS on z/OS?
> > > > > Lionel B. Dyck <
> > > > > Website: https://www.lbdsoftware.com https://www.lbdsoftw

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
Thanks KB...  I think I got my basic question answered, which is that 
one thing AT-TLS was designed for is to encrypt data for TCP/IP programs 
that weren't originally written with encryption.  In addition, it sounds 
like even programs that can do their own encryption (i.e. TN3270) can 
also use AT-TLS.  If so, that's a smart plan - putting encryption 
processing in one bucket with one set of controls, and one spot to 
update when TLS1.x comes along.


But if I'm wrong with any of the general notes above, please correct me.

On 6/30/2020 9:16 PM, kekronbekron wrote:

Tom, check this out - https://www.youtube.com/watch?v=YKEzX70moOQ

I also got 200 hits for 'AT-TLS' after logging in to share.org; you might want 
to do the same to see which of those are the most useful to you.

- KB

‐‐‐ Original Message ‐‐‐
On Tuesday, June 30, 2020 10:27 PM, Tom Brennan  
wrote:


I've tried to skim some of the AT-TLS doc, and even attended an IBM
webinar last week, but I'm still missing what I imagine are important
background points. Maybe someone here can explain things, but don't
worry too much about it.

Client and server programs like SSH/SSHD call programs such as OpenSSL
to handle the encryption handshake and processing. So when you set
those up, there is no AT-TLS needed for encryption. Same with the
TN3270 server and client, as long as you set that up with keys and
parameters on the host side, and settings on the client side.

I'm thinking because of the name "Application Transparent" that AT-TLS
was made for programs that DON'T have their own logic to call OpenSSL
(or whatever) to do their own encryption. Let's use clear-text FTP as
an example. So somehow, AT-TLS hooks into the processing and provides
an encrypted "tunnel", kind of like VPN does, but only for that one
application. Does that sound correct?

If so, then the encryption is "transparent" to the FTP server code and
FTP does not need to be changed, which I think is the whole idea here.
Yet we now have an encrypted session. Does that sound correct?

Then if so, what happens on the FTP client side? I certainly can't use
the Windows FTP command, for example, because it's not setup for any
kind of encryption. That's kind of my big question here.

On 6/30/2020 1:44 AM, Lionel B Dyck wrote:


Sweet - thank you
Lionel B. Dyck <
Website: https://www.lbdsoftware.com
"Worry more about your character than your reputation. Character is what you are, 
reputation merely what others think you are." - John Wooden
-Original Message-
From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of 
kekronbekron
Sent: Tuesday, June 30, 2020 2:34 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ?
Hi LBD!,
Check these out-
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414

-   KB

‐‐‐ Original Message ‐‐‐
On Monday, June 29, 2020 3:56 AM, Lionel B Dyck lbd...@gmail.com wrote:


Anyone have any pointers for configuring AT-TLS on z/OS?
Lionel B. Dyck <
Website: https://www.lbdsoftware.com https://www.lbdsoftware.com
"Worry more about your character than your reputation. Character is
what you are, reputation merely what others think you are." - John
Wooden

For IBM-MAIN subscribe / signoff / archive access instructions, send
email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread kekronbekron
Tom, check this out - https://www.youtube.com/watch?v=YKEzX70moOQ

I also got 200 hits for 'AT-TLS' after logging in to share.org; you might want 
to do the same to see which of those are the most useful to you.

- KB

‐‐‐ Original Message ‐‐‐
On Tuesday, June 30, 2020 10:27 PM, Tom Brennan  
wrote:

> I've tried to skim some of the AT-TLS doc, and even attended an IBM
> webinar last week, but I'm still missing what I imagine are important
> background points. Maybe someone here can explain things, but don't
> worry too much about it.
>
> Client and server programs like SSH/SSHD call programs such as OpenSSL
> to handle the encryption handshake and processing. So when you set
> those up, there is no AT-TLS needed for encryption. Same with the
> TN3270 server and client, as long as you set that up with keys and
> parameters on the host side, and settings on the client side.
>
> I'm thinking because of the name "Application Transparent" that AT-TLS
> was made for programs that DON'T have their own logic to call OpenSSL
> (or whatever) to do their own encryption. Let's use clear-text FTP as
> an example. So somehow, AT-TLS hooks into the processing and provides
> an encrypted "tunnel", kind of like VPN does, but only for that one
> application. Does that sound correct?
>
> If so, then the encryption is "transparent" to the FTP server code and
> FTP does not need to be changed, which I think is the whole idea here.
> Yet we now have an encrypted session. Does that sound correct?
>
> Then if so, what happens on the FTP client side? I certainly can't use
> the Windows FTP command, for example, because it's not setup for any
> kind of encryption. That's kind of my big question here.
>
> On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
>
> > Sweet - thank you
> > Lionel B. Dyck <
> > Website: https://www.lbdsoftware.com
> > "Worry more about your character than your reputation. Character is what 
> > you are, reputation merely what others think you are." - John Wooden
> > -----Original Message-
> > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of 
> > kekronbekron
> > Sent: Tuesday, June 30, 2020 2:34 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: AT-TLS ?
> > Hi LBD!,
> > Check these out-
> > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
> > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
> > http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
> >
> > -   KB
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Monday, June 29, 2020 3:56 AM, Lionel B Dyck lbd...@gmail.com wrote:
> >
> > > Anyone have any pointers for configuring AT-TLS on z/OS?
> > > Lionel B. Dyck <
> > > Website: https://www.lbdsoftware.com
> > > "Worry more about your character than your reputation. Character is
> > > what you are, reputation merely what others think you are." - John
> > > Wooden
> > >


Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Allan Staller
AT-TLS operates at the transport layer of the OSI model.
SFTP (OpenSSH, ...) operates at the session layer of the OSI model.

BTW, TLS has been supported "forever" by FTP, etc. The problem is, with TLS, 
the application needs to be modified to make TLS calls in the session layer. 
With AT-TLS, session layer TLS calls are moved to the transport layer and 
eliminated from the session layer. No application changes are needed.

HTH,

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: Tuesday, June 30, 2020 4:22 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

Thanks Allan.  In TCP/IP programs I've written in C (both mainframe and 
non-mainframe), I've used connect(), send(), recv() and similar C functions for 
clear-text communication.  So I think that would be called the "logical layer".

And I'm assuming the "physical layer" would be at the point where software is 
talking to an OSA card.  In this case that would be the TCPIP address space, 
since my program doesn't talk directly to hardware.

That would mean AT-TLS comes into play via the TCPIP task, doing the encryption 
at that point, while my clear-text program has no idea and doesn't care.  
Certificates and other encryption parameters would be handled by AT-TLS at that 
point.

That's the picture I have so far.

Now in my own program if I called OpenSSL functions like SSL_connect() or 
SSL_read(), then encryption would be done at the logical layer, and my own 
program would then be responsible for certificates.  AT-TLS would not be 
needed, well, unless an auditor doesn't trust my SSL code.  That actually could 
be a consideration even for things like SFTP I guess - there's your first flame 
:)

On 6/30/2020 1:42 PM, Allan Staller wrote:
> Hopefully this will provide the clarity needed.
>
> AT-TLS works at the physical layer.
> FTPS and SFTP work at the logical layer
>
> Although not mutually exclusive, If you are doing one, the other is 
> unnecessary.
>
> Start the flame wars! Shields up. Condition Red! AT-TLS vs. SFTP!
>
> -Original Message-
> From: IBM Mainframe Discussion List  On 
> Behalf Of Tom Brennan
> Sent: Tuesday, June 30, 2020 12:19 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
>
> Do you know if either of those require AT-TLS?  When I installed and 
> configured SSHD last (a couple of years ago) it did its own encryption.
> I never worked with anything called FTPS.
>
> On 6/30/2020 10:12 AM, Marshall Stone wrote:
>> There are 2 types of FTP in use today on most mainframes.
>>
>> SFTP  - which uses Open/SSH (SSHAGNT as client and SSHD as a server) 
>> and the encryption/authentication is generally provided by the use of 
>> RSA/DSA public/private key pairs. The public keys are exchanged and 
>> stored in known_hosts files (if acting as client) or authorized_keys 
>> file (if acting as server) - Uses Server PORT 22 and ephemeral ports
>>
>> FTPS - completely different mechanism the AT/TLS functions are 
>> provided by ICSF and policy agent (PAGENT) - You must configure an 
>> FTPS TLS rule to allow the connection and the partner side also will 
>> require a similar rule. The encryption/authentication come from the 
>> PAGENT rule and the use of x.509 certificates.  These are exchanged 
>> between partners and loaded onto the RACF keyring. The PAGENT rule 
>> points back to the keyring. - Uses Server PORT 990 by an old implicit 
>> default most sites use a different port and connect clients with 
>> ephemeral port ranges. FTPS handles MVS datasets better if possible 
>> use FTPS for MF to MF and use SFTP for MF to Other
>> platforms(MS,UNIX,etc)
>>
>> MS

Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
Thanks Allan.  In TCP/IP programs I've written in C (both mainframe and 
non-mainframe), I've used connect(), send(), recv() and similar C 
functions for clear-text communication.  So I think that would be called 
the "logical layer".


And I'm assuming the "physical layer" would be at the point where 
software is talking to an OSA card.  In this case that would be the 
TCPIP address space, since my program doesn't talk directly to hardware.


That would mean AT-TLS comes into play via the TCPIP task, doing the 
encryption at that point, while my clear-text program has no idea and 
doesn't care.  Certificates and other encryption parameters would be 
handled by AT-TLS at that point.


That's the picture I have so far.

Now in my own program if I called OpenSSL functions like SSL_connect() 
or SSL_read(), then encryption would be done at the logical layer, and 
my own program would then be responsible for certificates.  AT-TLS would 
not be needed, well, unless an auditor doesn't trust my SSL code.  That 
actually could be a consideration even for things like SFTP I guess - 
there's your first flame :)


On 6/30/2020 1:42 PM, Allan Staller wrote:
> Hopefully this will provide the clarity needed.
>
> AT-TLS works at the physical layer.
> FTPS and SFTP work at the logical layer
>
> Although not mutually exclusive, If you are doing one, the other is unnecessary.
>
> Start the flame wars! Shields up. Condition Red! AT-TLS vs. SFTP!


Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Allan Staller
Hopefully this will provide the clarity needed.

AT-TLS works at the physical layer.
FTPS and SFTP work at the logical layer

Although not mutually exclusive, If you are doing one, the other is unnecessary.

Start the flame wars! Shields up. Condition Red! AT-TLS vs. SFTP!

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: Tuesday, June 30, 2020 12:19 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

Do you know if either of those require AT-TLS?  When I installed and configured 
SSHD last (a couple of years ago) it did its own encryption.
I never worked with anything called FTPS.

On 6/30/2020 10:12 AM, Marshall Stone wrote:
> There are 2 types of FTP in use today on most mainframes.
>
> SFTP  - which uses Open/SSH (SSHAGNT as client and SSHD as a server)
> and the encryption/authentication is generally provided by the use of
> RSA/DSA public/private key pairs. The public keys are exchanged and
> stored in known_hosts files (if acting as client) or authorized_keys
> file (if acting as server) - Uses Server PORT 22 and ephemeral ports
>
> FTPS - completely different mechanism the AT/TLS functions are
> provided by ICSF and policy agent (PAGENT) - You must configure an
> FTPS TLS rule to allow the connection and the partner side also will
> require a similar rule. The encryption/authentication come from the
> PAGENT rule and the use of x.509 certificates.  These are exchanged
> between partners and loaded onto the RACF keyring. The PAGENT rule
> points back to the keyring. - Uses Server PORT 990 by an old implicit
> default most sites use a different port and connect clients with
> ephemeral port ranges. FTPS handles MVS datasets better if possible
> use FTPS for MF to MF and use SFTP for MF to Other
> platforms(MS,UNIX,etc)
>
> MS
>

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Allan Staller
> AT-TLS is required for TN3270 (and others ...)

The above is incorrect. AT-TLS is *NEVER* a requirement.
It is up to the installation to determine whether or not AT-TLS will be used.

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Jackson, Rob
Sent: Tuesday, June 30, 2020 12:10 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

A note, without addressing your entire post (certainly not my area of 
expertise):  AT-TLS is required for TN3270 (and others) if you want to use TLS 
1.2 and higher.  In your TELNETPARMS for the port, instead of using SECUREPORT, 
you use TTLSPORT, referencing a port specified in a TTLSRule in AT-TLS.

First Horizon Bank
Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: Tuesday, June 30, 2020 12:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar 
last week, but I'm still missing what I imagine are important background 
points.  Maybe someone here can explain things, but don't worry too much about 
it.

Client and server programs like SSH/SSHD call programs such as OpenSSL to 
handle the encryption handshake and processing.  So when you set those up, 
there is no AT-TLS needed for encryption.  Same with the
TN3270 server and client, as long as you set that up with keys and parameters 
on the host side, and settings on the client side.

I'm thinking because of the name "Application Transparent" that AT-TLS was made 
for programs that DON'T have their own logic to call OpenSSL (or whatever) to 
do their own encryption.  Let's use clear-text FTP as an example.  So somehow, 
AT-TLS hooks into the processing and provides an encrypted "tunnel", kind of 
like VPN does, but only for that one application.  Does that sound correct?

If so, then the encryption is "transparent" to the FTP server code and FTP does 
not need to be changed, which I think is the whole idea here.
Yet we now have an encrypted session.  Does that sound correct?

Then if so, what happens on the FTP client side?  I certainly can't use the 
Windows FTP command, for example, because it's not set up for any kind of 
encryption.  That's kind of my big question here.

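Rob Jackson's TELNETPARMS note above (TTLSPORT instead of SECUREPORT, pointing at a TTLSRule), as an added configuration sketch that is not from this thread or from IBM's own documentation. The port number, the Telnet job name, the keyring name and the rule/action names are constructed placeholders; the statement keywords are the z/OS Communications Server AT-TLS policy and PROFILE.TCPIP statements as I recall them, so verify them against the IP Configuration Reference for your release.

```conf
; --- PROFILE.TCPIP, Telnet section (constructed example) ---
; SECUREPORT would make Telnet drive TLS itself through System SSL.
; TTLSPORT hands the port to AT-TLS instead, so the certificate, protocol
; versions and cipher suites are defined in the PAGENT policy below, not here.
TELNETPARMS
  TTLSPORT 992                 ; constructed port (992 is the customary TN3270 TLS port)
  CONNTYPE SECURE              ; every connection on this port must complete a TLS handshake
ENDTELNETPARMS

# --- AT-TLS policy file read by PAGENT (named on its TTLSConfig statement) ---
TTLSRule                       TN3270Server       # constructed rule name
{
  LocalPortRange               992                # must match the TTLSPORT above
  Direction                    Inbound
  Jobname                      TN3270             # constructed Telnet job name; limits the rule to Telnet
  Priority                     255                # rules are evaluated highest priority first
  TTLSGroupActionRef           TN3270Group
  TTLSEnvironmentActionRef     TN3270ServerEnv
}

TTLSGroupAction                TN3270Group
{
  TTLSEnabled                  On
  Trace                        2                  # log handshake errors to syslogd
}

TTLSEnvironmentAction          TN3270ServerEnv
{
  HandshakeRole                Server
  EnvironmentUserInstance      0
  TTLSKeyringParms
  {
    Keyring                    TN3270RING         # constructed SAF keyring holding the server certificate
  }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled      On                 # Telnet, not AT-TLS, decides when the handshake starts
    TLSv1.2                    On                 # the TLS 1.2 that SECUREPORT could not give you
    TLSv1.1                    Off
    TLSv1                      Off
    SSLv3                      Off
  }
  TTLSCipherParms
  {
    V3CipherSuites             TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    V3CipherSuites             TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  }
}
```

This only changes the host side, which is Tom's point about the client: the 3270 emulator still has to be configured to open TLS on that port, and its own TLS stack does the client half of the handshake.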

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Steve Beaver
AT-TLS has been around for a while.  What is causing problems for tools like 
CL/Supersession, CA-TPX and such is PAGENT.

Once PAGENT is turned on all bets are off

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Tom Brennan
Sent: Tuesday, June 30, 2020 11:58 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

I've tried to skim some of the AT-TLS doc, and even attended an IBM 
webinar last week, but I'm still missing what I imagine are important 
background points.  Maybe someone here can explain things, but don't 
worry too much about it.

Client and server programs like SSH/SSHD call programs such as OpenSSL 
to handle the encryption handshake and processing.  So when you set 
those up, there is no AT-TLS needed for encryption.  Same with the 
TN3270 server and client, as long as you set that up with keys and 
parameters on the host side, and settings on the client side.

I'm thinking because of the name "Application Transparent" that AT-TLS 
was made for programs that DON'T have their own logic to call OpenSSL 
(or whatever) to do their own encryption.  Let's use clear-text FTP as 
an example.  So somehow, AT-TLS hooks into the processing and provides 
an encrypted "tunnel", kind of like VPN does, but only for that one 
application.  Does that sound correct?

If so, then the encryption is "transparent" to the FTP server code and 
FTP does not need to be changed, which I think is the whole idea here. 
Yet we now have an encrypted session.  Does that sound correct?

Then if so, what happens on the FTP client side?  I certainly can't use 
the Windows FTP command, for example, because it's not set up for any 
kind of encryption.  That's kind of my big question here.



Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Mike Hochee
Some years ago this publication helped me come to a basic understanding of 
AT-TLS (apologies if already shared)...   
https://www.ibm.com/support/pages/leveraging-zos-communications-server-application-transparent-transport-layer-security-tls-lower-cost-and-more-rapid-tls-deployment
 
HTH
Mike 
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Paul Gilmartin
Sent: Tuesday, June 30, 2020 1:34 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

On Tue, 30 Jun 2020 09:57:48 -0700, Tom Brennan wrote:
>...
>Then if so, what happens on the FTP client side?  I certainly can't use 
>the Windows FTP command, for example, because it's not setup for any 
>kind of encryption.  That's kind of my big question here.
>
I believe that (sometimes) there's a proxy involved.  Beyond that, only GIYF:
    https://www.google.com/search?q=at-tls+proxy+ftp
which links to:
ftp://ftp.www.ibm.com/s390/zos/racf/pdf/secure_zos_ftp.pdf

-- gil
