Re: AT-TLS policy for NJE

2024-02-17 Thread Steve Horein
https://www.ibm.com/docs/en/zos/2.5.0?topic=considerations-ssl-tls On Sat, Feb 17, 2024 at 8:34 AM Lennie Dymoke-Bradshaw < 032fff1be9b4-dmarc-requ...@listserv.ua.edu> wrote: > I am looking for a set of AT-TLS policy statement for NJE, but have been > unable to find them in the JES2

Re: AT-TLS and CSSMTP setup

2023-08-01 Thread Phil Smith III
Brian Westerman asked: >so you can use authsmtp.com to send directly from CSSMTP? It's just an SMTP server, so if you can get there from your network, sure. >When you send the email, does it come from where you say it should or >do you have to use a special email that they give you? You tell it

Re: AT-TLS and CSSMTP setup

2023-07-31 Thread Brian Westerman
so you can use authsmtp.com to send directly from CSSMTP? When you send the email, does it come from where you say it should or do you have to use a special email that they give you? That would be great. I assume they have an smtp server that you set up in the targetname field. Do you know

Re: AT-TLS and CSSMTP setup

2023-07-31 Thread Phil Smith III
Brian Westerman asked: >I think there are 3rd party sites that offer the use of SMTP for forwarding >that I might want to give a try. I've used authsmtp.com for ~20 years. Good folks and it Just Works. When I've had weird issues, they do the analysis and get right back to me, even though it's

Re: AT-TLS and CSSMTP setup

2023-07-31 Thread Seymour J Metz
fastmail? From: IBM Mainframe Discussion List on behalf of Brian Westerman Sent: Monday, July 31, 2023 3:20 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS and CSSMTP setup Hi, Peter's directions for setting up the trace were very simple and easy

Re: AT-TLS and CSSMTP setup

2023-07-31 Thread Brian Westerman
Hi, Peter's directions for setting up the trace were very simple and easy to follow. It was discovered that I was missing a CA cert that was not called out by the host site (which he sent me). Now I'm at a stopping place because the webhost site is requiring authentication on each email (as

Re: AT-TLS and CSSMTP setup

2023-07-31 Thread Allan Staller
Classification: Confidential Have you updated the TCP/IP policy agent accordingly? -Original Message- From: IBM Mainframe Discussion List On Behalf Of Brian Westerman Sent: Saturday, July 29, 2023 9:12 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS and CSSMTP setup [CAUTION

Re: AT-TLS and CSSMTP setup

2023-07-30 Thread Phil Smith III
Since I know almost nothing about AT-TLS config, this might be dumb, but: Don't forget to try the *AUTH*/* key ring. That's a "virtual key ring" that represents all the trusted certs, and is a great shortcut for saying "Do I have the right cert in there somewhere but the key ring setup isn't

Re: AT-TLS and CSSMTP setup

2023-07-30 Thread Colin Paice
Getting a GSK trace is non trivial. See here for instructions On Sun, 30 Jul 2023 at 05:36, Peter Vels wrote: > That is OK. But I need to see the output from the GSKSRVR trace to get to > the bottom of

Re: AT-TLS and CSSMTP setup

2023-07-29 Thread Peter Vels
That is OK. But I need to see the output from the GSKSRVR trace to get to the bottom of the issue. I suspect that you are missing a CA somewhere, and the trace will tell us WHICH certificate that is. On Sun, 30 Jul 2023 at 14:23, Brian Westerman wrote: > This is what I get from your command:

Re: AT-TLS and CSSMTP setup

2023-07-29 Thread Brian Westerman
This is what I get from your command: racdcert id(CSSMTP) listr(CSSMTPRing) Digital ring information for user CSSMTP: Ring: >CSSMTPRing<

Re: AT-TLS and CSSMTP setup

2023-07-29 Thread Peter Vels
"ADD" adds a certificate (contained in a data set) to RACF, but *not* to a keyring. For that you need "CONNECT". RC 8 means: An error is detected while validating a certificate, so a CA is missing from the keyring (even though you might've ADDed it to RACF). IBM says (edited for brevity): 1.

Re: AT-TLS and CSSMTP setup

2023-07-29 Thread Brian Westerman
I get BPXF024I (TCPIP) Jul 30 01:12:45 TTLS[16777256]: 18:12:45 TCPIP 639 EZD1286I TTLS Error GRPID: 0007 ENVID: 0009 CONNID: 009B LOCAL: 192.168.1.66..1122 REMOTE: 99.198.97.250..587 JOBNAME: CSSMTP USERID: CSSMTP RULE: CSSMTP RC:8 Initial Handshake 00 00

Re: AT-TLS and CSSMTP setup

2023-07-29 Thread Phil Smith III
Gil asked about Hansen's Law. Different Hansen-this is a guy we worked with. We also had Weald's Corollary: Even when it isn't a certificate issue, it's a certificate issue. -- For IBM-MAIN subscribe / signoff / archive access

Re: AT-TLS and CSSMTP setup

2023-07-29 Thread Colin Paice
Please paste the messages you get. You can configure an ATTLS trace. I tend to use TRACE(2). This can be configured in TTLSGroupAction, TTLSEnvironmentAction and TTLSConnectionAction. If syslogd is not running I get messages on the system log EZD1286I TTLS Error GRPID: 0007 ENVID: 0002

Re: AT-TLS and CSSMTP setup

2023-07-28 Thread Paul Gilmartin
On Sat, 29 Jul 2023 00:48:00 -0400, Phil Smith III wrote: >No errors anywhere? Just RC=8? > >"It's a certificate error" -Hansen's Law > Or the firewall. ??? -- gil

Re: AT-TLS and CSSMTP setup

2023-07-28 Thread kekronbekron
Hi Brian, You may find useful bits of info here - https://colinpaice.blog/2023/02/21/sending-an-email-from-z-os/ Either in this post or generally in this blog. - KB --- Original Message --- On Saturday, July 29th, 2023 at 10:18 AM, Phil Smith III wrote: > No errors anywhere? Just

Re: AT-TLS and CSSMTP setup

2023-07-28 Thread Phil Smith III
No errors anywhere? Just RC=8? "It's a certificate error" -Hansen's Law https://bit.listserv.ibm-main.narkive.com/4Iu5ZeUA/setting-up-gmail-as-outbound-mail-server-on-z-os might be a hint, especially the bit about enabling gsktrace, which is your friend.

Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-26 Thread Seymour J Metz
-- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Dustin Hayes [dustin.ha...@go2vanguard.com] Sent: Wednesday, May 25, 2022 11:30 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject

Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Kirk Wolf
On Wed, May 25, 2022, at 10:30 AM, Dustin Hayes wrote: > > What Michael is trying to tell you is that you're confusing "sFTP" and "FTPs", > these are two very different protocols which have nothing to do with each > other (think beta vs vhs). > > sFTP is "ftp tunneled through the SSH interface"

Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Bob
Lloyd/Dustin, > Thank you. Thank you. Thank you. You are both right. I totally understand the difference ... and I was still criss-crossing them. What I am trying to do is FTPS - native ftp with AT-TLS involved to handle the SSL/TLS security stuff. And every one of my tests has been wrong

Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Dustin Hayes
vanguard.com on 2022.05.25 08:30:10 -Original Message- From: IBM Mainframe Discussion List On Behalf Of Michael Babcock Sent: Wednesday, 2022 May-25 08:19 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS & FTP troubles - cannot get very simple setup working WARNING: This ema

Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Lloyd Fuller
You are misusing things here.  SFTP does not equal FTPS. SFTP is overlaid onshore which is using an encrypted interface itself.  FTPS is what the FTP server can support. WinSCP can do both but not FTPS on port 22. Lloyd Sent from AT Yahoo Mail for iPad On Wednesday, May 25, 2022, 11:20 AM,

Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Michael Babcock
I don’t think you can use PAGENT for port 22 (not 100% sure on that). If using port 22 configure SSHD. Did you set the trace parm in PAGENT to 255? You will get much more info in SYSLOG by doing that. On Wed, May 25, 2022 at 10:05 AM Bob wrote: > That's one I have changed back and forth 21

Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Bob Lamerand
That's one I have changed back and forth 21 ... 22 ... 21 .. 22 ... 21 &22. The config I started with had 21 in it, but the WinSCP references 22 so I have been trying both ... without success. I changed it back to 21 now. Still fails. I just added an ftp configuration parameter of FTPLOGGING

Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Bob
That's one I have changed back and forth 21 ... 22 ... 21 .. 22 ... 21 &22. The config I started with had 21 in it, but the WinSCP references 22 so I have been trying both ... without success. I changed it back to 21 now. Still fails. I just added an ftp configuration parameter of FTPLOGGING

Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Michael Babcock
I can SSH into z/OS USS but I don’t use pagent for port 22. You should configure SSHD for that. Remove port 22 from PAGENT. On Wed, May 25, 2022 at 8:46 AM Bob wrote: > I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system and > I don’t know why. I’m sure I am > > missing

Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Michael Babcock
Set your trace to 255 in the policy, refresh PAGENT and check the Syslog. I suspect a ciphersuite issue. On Wed, May 25, 2022 at 8:46 AM Bob wrote: > I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system and > I don’t know why. I’m sure I am > > missing something very simple,

Re: AT-TLS & FTP troubles - cannot get very simple setup working

2022-05-25 Thread Carmen Vitullo
would an SSL trace help here ? not the same 'type' of connection, I had an issue with inbound connections to CICS and DB2 that was self inflicted, the AT-TLS add on required I failed to order and the connections were using some default, I was able to find this by performing an SSL trace and

Re: AT-TLS issues with FTP and SSH

2020-09-27 Thread Rob Schramm
character than your reputation. Character is what > > you are, reputation merely what others think you are." - John Wooden > > > > -Original Message- > > From: IBM Mainframe Discussion List On Behalf > > Of > > Mike Hochee > > Sent: Tuesday

Re: AT-TLS issues with FTP and SSH

2020-09-22 Thread Kirk Wolf
n merely what others think you are." - John Wooden > > -Original Message- > From: IBM Mainframe Discussion List On Behalf > Of > Mike Hochee > Sent: Tuesday, September 22, 2020 11:39 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: AT-TLS issues with FTP and S

Re: AT-TLS issues with FTP and SSH

2020-09-22 Thread Lionel B Dyck
To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS issues with FTP and SSH Regarding the AT-TLS issue, your pagent is likely encountering a problem in the FTP section (of course!). Look at the log it generates, and if you don't have one, add the logging option to the pagent start command. If I remember correctly,

Re: AT-TLS issues with FTP and SSH

2020-09-22 Thread Mike Hochee
Regarding the AT-TLS issue, your pagent is likely encountering a problem in the FTP section (of course!). Look at the log it generates, and if you don't have one, add the logging option to the pagent start command. If I remember correctly, there's also a verbose setting. I found the logs to be

Re: AT-TLS issues with FTP and SSH

2020-09-22 Thread Paul Gilmartin
On Tue, 22 Sep 2020 10:07:57 -0500, Lionel B Dyck wrote: > >And for that I'm getting: FOTS3322 Passwords may not be entered from 3270 >terminals > They're giving you a hint. Eschew 3270; don't be a masochist. Years ago, I discovered that if I start "script" under 3270 OMVS, then I can

Re: AT-TLS ? Very Basic Questions

2020-07-01 Thread Tom Brennan
ist [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tom Brennan Sent: Tuesday, June 30, 2020 9:46 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS ? Very Basic Questions Thanks KB... I think I got my basic question answered, which is that one thing AT-TLS was designed for is to encrypt data

Re: AT-TLS ? Very Basic Questions

2020-07-01 Thread Charles Mills
: Wednesday, July 1, 2020 6:43 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS ? Very Basic Questions Some programs will soon no longer be able to do their own TLS encryption. https://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/0/877/ENUSZP19-0410/index.html_locale=en#sodx

Re: AT-TLS ? Very Basic Questions

2020-07-01 Thread Charles Mills
rles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Tom Brennan Sent: Tuesday, June 30, 2020 9:46 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS ? Very Basic Questions Thanks KB... I think I got my basic question answered, whic

Re: AT-TLS ? Very Basic Questions

2020-07-01 Thread Mike Wawiorko
to secure FTP client traffic. Mike Wawiorko   -Original Message- From: IBM Mainframe Discussion List On Behalf Of Tom Brennan Sent: 01 July 2020 05:46 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS ? Very Basic Questions This mail originated from outside our organisation - t

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
n List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of kekronbekron Sent: Tuesday, June 30, 2020 2:34 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS ? Hi LBD!, Check these out- http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416 http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIn

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread kekronbekron
gt; > > "Worry more about your character than your reputation. Character is > > > > what you are, reputation merely what others think you are." - John > > > > Wooden > > > > -Original Message- > > > > From: IBM Mainframe Discussi

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
"Worry more about your character than your reputation. Character is what you are, reputation merely what others think you are." - John Wooden -Original Message- From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of kekronbekron Sent: Tuesday, June 30, 2020 2:34

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread kekronbekron
utation merely what others think you are." - John Wooden > > -Original Message- > > From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of > > kekronbekron > > Sent: Tuesday, June 30, 2020 2:34 AM > > To: IBM-MAIN@LISTSERV.UA.EDU > >

Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Allan Staller
DU Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions [CAUTION: This Email is from outside the Organization. Unless you trust the sender, Don’t click links or open attachments as it may be a Phishing email, which can steal your Information and compromise your Computer.] Thanks Allan.

Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
Mainframe Discussion List On Behalf Of Tom Brennan Sent: Tuesday, June 30, 2020 12:19 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions [CAUTION: This Email is from outside the Organization. Unless you trust the sender, Don’t click links or open a

Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Allan Staller
- From: IBM Mainframe Discussion List On Behalf Of Tom Brennan Sent: Tuesday, June 30, 2020 12:19 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions [CAUTION: This Email is from outside the Organization. Unless you trust the sender, Don’t click links

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Allan Staller
, 2020 12:10 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS ? Very Basic Questions [CAUTION: This Email is from outside the Organization. Unless you trust the sender, Don’t click links or open attachments as it may be a Phishing email, which can steal your Information and compromise your

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Steve Beaver
: Tuesday, June 30, 2020 11:58 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS ? Very Basic Questions I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar last week, but I'm still missing what I imagine are important background points. Maybe someone here can explain things

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Mike Hochee
-Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Paul Gilmartin Sent: Tuesday, June 30, 2020 1:34 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS ? Very Basic Questions Caution! This message was sent from outside your organization

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Don Poitras
In article you wrote: > I've tried to skim some of the AT-TLS doc, and even attended an IBM > webinar last week, but I'm still missing what I imagine are important > background points. Maybe someone here can explain things, but don't > worry too much about it. > Client and server programs

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Jackson, Rob
On Behalf Of Jackson, Rob Sent: Tuesday, June 30, 2020 1:31 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: [Originated Externally]Re: AT-TLS ? Very Basic Questions [External Email. Exercise caution when clicking links or opening attachments.] My turn to say interesting! I didn't look it up; just going

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Paul Gilmartin
On Tue, 30 Jun 2020 09:57:48 -0700, Tom Brennan wrote: >... >Then if so, what happens on the FTP client side? I certainly can't use >the Windows FTP command, for example, because it's not setup for any >kind of encryption. That's kind of my big question here. > I believe that (sometimes)

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Jackson, Rob
Of Lennie Dymoke-Bradshaw Sent: Tuesday, June 30, 2020 1:18 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS ? Very Basic Questions [External Email. Exercise caution when clicking links or opening attachments.] I have TLS 1.2 working in my TN3270 server without AT-TLS. This is on z/OS 2.3 Lennie

Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Marshall Stone
30, 2020 1:19 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions Do you know if either of those require AT-TLS? When I installed and configured SSHD last (a couple of years ago) it did its own encryption. I never worked with anything called FTPS. On 6/30

Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
: [EXTERNAL] Re: AT-TLS ? Very Basic Questions I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar last week, but I'm still missing what I imagine are important background points. Maybe someone here can explain things, but don't worry too much about it. Client

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Lennie Dymoke-Bradshaw
, June 30, 2020 12:58 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS ? Very Basic Questions [External Email. Exercise caution when clicking links or opening attachments.] I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar last week, but I'm still missing what I imagine

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
: Tuesday, June 30, 2020 12:58 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS ? Very Basic Questions [External Email. Exercise caution when clicking links or opening attachments.] I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar last week, but I'm still missing what I

Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Marshall Stone
: Tuesday, June 30, 2020 12:58 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: [EXTERNAL] Re: AT-TLS ? Very Basic Questions I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar last week, but I'm still missing what I imagine are important background points. Maybe someone here can

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Jackson, Rob
in AT-TLS. First Horizon Bank Mainframe Technical Support -Original Message- From: IBM Mainframe Discussion List On Behalf Of Tom Brennan Sent: Tuesday, June 30, 2020 12:58 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS ? Very Basic Questions [External Email. Exercise caution when

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
Tuesday, June 30, 2020 2:34 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS ? Hi LBD!, Check these out- http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416 http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415 http://www-03.ibm.com/support/techdocs/atsmastr.n

Re: AT-TLS ?

2020-06-30 Thread Lionel B Dyck
st On Behalf Of kekronbekron Sent: Tuesday, June 30, 2020 2:34 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS ? Hi LBD!, Check these out- http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416 http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415 http://www-03.ib

Re: AT-TLS ?

2020-06-30 Thread kekronbekron
Hi LBD!, Check these out- http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416 http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415 http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414 - KB ‐‐‐ Original Message ‐‐‐ On Monday, June 29,

Re: AT-TLS ?

2020-06-29 Thread Rob Schramm
Redbooks are both helpful and not. There was an old presentation on it (share) that I found really helpful and insightful. Do you have zosmf setup? If not it is possible to use the samples to set it up. On Sun, Jun 28, 2020, 18:26 Lionel B Dyck wrote: > Anyone have any pointers for

Re: AT-TLS ?

2020-06-29 Thread Roberto Halais
r character than your reputation. Character is what > you are, reputation merely what others think you are." - John Wooden > > -Original Message- > From: IBM Mainframe Discussion List On Behalf > Of > Mike Hochee > Sent: Sunday, June 28, 2020 7:08 PM > To: IBM-MAIN@LIS

Re: AT-TLS ?

2020-06-29 Thread Lionel B Dyck
haracter is what you are, reputation merely what others think you are." - John Wooden -Original Message- From: IBM Mainframe Discussion List On Behalf Of Wendell Lovewell Sent: Monday, June 29, 2020 8:38 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS ? Lionel, what type of endp

Re: AT-TLS ?

2020-06-29 Thread Wendell Lovewell
Lionel, what type of endpoints are you wanting to use AT-TLS to secure? I might have some notes that would help. Here is some general information about diagnosing AT-TLS errors: If there is a problem making the connection, AT-TLS will display error on the console. Here are a few examples.

Re: AT-TLS ?

2020-06-29 Thread Steve Beaver
Well that does take digital certs and PAGENT. Now there are currently no vendors that support AT-TLS if you are looking for something like TPX or CL/SS the answer is no Sent from my iPhone I promise you I can’t type or Spell on any smartphone > On Jun 28, 2020, at 22:04, Gibney, Dave wrote:

Re: AT-TLS ?

2020-06-29 Thread Lionel B Dyck
-Original Message- From: IBM Mainframe Discussion List On Behalf Of Mike Hochee Sent: Sunday, June 28, 2020 7:08 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS ? Hi Lionel, I did this a few years back and utilized it for a product. Below are a few items from the product doc a

Re: AT-TLS ?

2020-06-28 Thread Wayne Bickerdike
The Redbook : http://www.redbooks.ibm.com/redbooks/pdfs/sg248041.pdf On Mon, Jun 29, 2020 at 3:30 PM Wayne Bickerdike wrote: > The IBM Redbook for RACF RRSF has most of the information needed to > configure AT-TLS. > > We're in the process of rolling out RRSF for RACF password sync. It's >

Re: AT-TLS ?

2020-06-28 Thread Wayne Bickerdike
The IBM Redbook for RACF RRSF has most of the information needed to configure AT-TLS. We're in the process of rolling out RRSF for RACF password sync. It's working between two of our plexes, I followed the book, used SYS1.SAMPLIB examples rather than attempting via zOSMF. On Mon, Jun 29, 2020 at

Re: AT-TLS ?

2020-06-28 Thread Itschak Mugzach
A simpler way is to write the protocol yourself. It requires zero configuration other than a set of certificates. Have a look at z/os web enablement toolkit (Http/https protocol enabler portion). Works great and fully supports Rexx. ITschak *| **Itschak Mugzach | Director | SecuriTeam Software

Re: AT-TLS ?

2020-06-28 Thread Gibney, Dave
The details in the documentation is a bit scattered. Including separate sections for FTPS and tn3270 > -Original Message- > From: IBM Mainframe Discussion List On > Behalf Of Lionel B Dyck > Sent: Sunday, June 28, 2020 3:26 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: AT-TLS ? > >

Re: AT-TLS ?

2020-06-28 Thread Mike Hochee
Hi Lionel, I did this a few years back and utilized it for a product. Below are a few items from the product doc and a few more that remain in accessible memory areas... - Read the relevant sections of Comm Server IP Configuration Ref, specifically in the chapter on Policy Agent (PA) and

Re: SSL/TLS MSU usage

2018-08-14 Thread Parwez Hamid
Mounif, I am unable to comment on any 'increase' of the CP utilization. CPACF has been around for a very long time. Both the systems you mention have the CPACF function. You will need a no charge feature (not available for embargoed countries) for microcode to enable CPACF. The other key point

Re: SSL/TLS MSU usage

2018-08-13 Thread Brian Westerman
The z13 (and I think b|ec12s) have CPACF built into each physical CPU, the older machines had CPACF but it was shared between multiple processors. There is some extra CPU involved when you don't have a cryptoexpress (CEX), but you have to remember that not everything is or can be offloaded to

Re: AT-TLS for HTTP

2018-07-05 Thread Rob Schramm
It is probably just my own FUD that is making me doubt it. Rob Schramm On Thu, Jul 5, 2018, 1:59 PM Mike Hochee wrote: > I have not used it for that specifically, but I don't see why not. The > policy based rules allow for job/task names and support wildcards, and you > might not even need

Re: AT-TLS for HTTP

2018-07-05 Thread Mike Hochee
I have not used it for that specifically, but I don't see why not. The policy based rules allow for job/task names and support wildcards, and you might not even need those if you can filter based on a unique port range. I've been impressed with AT-TLS, as it offers a lot of customization

Re: AT-TLS replace ICF processor ?

2017-05-02 Thread Charles Mills
I believe AT-TLS generally utilizes ICSF which in turn may utilize your crypto hardware. Charles -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of R.S. Sent: Tuesday, May 2, 2017 11:16 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re

Re: AT-TLS replace ICF processor ?

2017-05-02 Thread R.S.
On 2017-04-25 at 18:42, Nathan Astle wrote: Hi Cross posted Not trying to resolve anything. Recently had a discussion with a TCPIP/SNA person and he feels that most of the task offloaded to ICF processor can be handled by AT-TLS. I was not able to make any sense out of it. Aren't ICF

Re: FTP TLS options

2017-04-11 Thread Lester, Bob
Frank, Good find! I'm saving this one! BobL -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Frank Swarbrick Sent: Tuesday, April 11, 2017 3:05 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: FTP TLS options [ EXTERNAL ] So one

Re: FTP TLS options

2017-04-11 Thread Frank Swarbrick
frank.swarbr...@outlook.com> Sent: Tuesday, April 11, 2017 9:24 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: FTP TLS options I'll pass that along to those in charge of such things. :-) Thanks. From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU>

Re: FTP TLS options

2017-04-11 Thread Frank Swarbrick
I'll pass that along to those in charge of such things. :-) Thanks. From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Tom Conley <pinnc...@rochester.rr.com> Sent: Monday, April 10, 2017 9:38 PM To: IBM-MAIN@LISTSERV.UA.EDU

Re: FTP TLS options

2017-04-11 Thread Frank Swarbrick
TLS level, but this appears to be what is occurring. From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Gibney, Dave <gib...@wsu.edu> Sent: Monday, April 10, 2017 8:03 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: FTP TLS options I a

Re: AT-TLS setup question

2017-04-11 Thread Tom Conley
On 4/11/2017 9:17 AM, Ernest Nachtigall wrote: I have two clients, one running SSLv3, the other AT-TLSv1.2 These are ATM machines in my test environment. The SSLv3 support uses a user module, the other is using AT-TLS already. I need to temporarily support the SSLv3 client to ease migration

Re: FTP TLS options

2017-04-10 Thread Tom Conley
On 4/10/2017 7:04 PM, Frank Swarbrick wrote: I'm guessing there's a bit more to it than that, yes? Such as actually configuring Policy Agent? Frank, Sorry, thought you already configured PAGENT, but missed the PROFILE member, like I did the first time I tried it. If you run z/OSMF, you

Re: FTP TLS options

2017-04-10 Thread Gibney, Dave
LISTSERV.UA.EDU > Subject: Re: FTP TLS options > > Yes. But policy agent is not actually that hard...But on zOS GT 1.13 you need > zOSMF as well. > > Rob Schramm > > On Mon, Apr 10, 2017, 7:05 PM Frank Swarbrick > <frank.swarbr...@outlook.com> > wrote: > >

Re: FTP TLS options

2017-04-10 Thread Rob Schramm
Policy Agent? > > > From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf > of Tom Conley <pinnc...@rochester.rr.com> > Sent: Monday, April 10, 2017 3:46 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: FTP TLS options >

Re: FTP TLS options

2017-04-10 Thread Frank Swarbrick
To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: FTP TLS options On 4/10/2017 3:15 PM, Frank Swarbrick wrote: > Hi Mike. > > I assume you mean: > TLSMECHANISM ATTLS > where the default (which we use) is > TLSMECHANISM FTP > > Unfortunately we don't currently have AT

Re: FTP TLS options

2017-04-10 Thread Tom Conley
On 4/10/2017 3:15 PM, Frank Swarbrick wrote: Hi Mike. I assume you mean: TLSMECHANISM ATTLS where the default (which we use) is TLSMECHANISM FTP Unfortunately we don't currently have AT-TLS set up. When I try to use it I get the following: AT-TLS not enabled on TCPCONFIG Does z/OS

Re: FTP TLS options

2017-04-10 Thread Frank Swarbrick
Sent: Monday, April 10, 2017 4:10 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: FTP TLS options Frank, You should change to AT-TLS SECURE_MECHANISM ATTLS That will get TLSv1.2 support but just as important will allow you to use newer cipher suites. Many of the older cipher suites supported by th

Re: FTP TLS options

2017-04-10 Thread Mike Wawiorko
@LISTSERV.UA.EDU Subject: Re: FTP TLS options Does z/OS 2.2 support TLS v1.2 for FTP clients without the use of AT-TLS? This new server we have is (currently) configured to support only TLS v1.2, and nothing earlier. We're trying to get approval to "back down" to TLS v1.0, but I figur

Re: FTP TLS options

2017-04-07 Thread Frank Swarbrick
Does z/OS 2.2 support TLS v1.2 for FTP clients without the use of AT-TLS? This new server we have is (currently) configured to support only TLS v1.2, and nothing earlier. We're trying to get approval to "back down" to TLS v1.0, but I figured I'd ask this anyway. Frank

Re: AT-TLS config help

2015-06-11 Thread Scott Ford
Andrew: I know I missed something..so I appreciate the help SyslogD: //* //CONFPDS EXEC PGM=SYSLOGD,REGION=30M,TIME=NOLIMIT, //PARM='POSIX(ON) ALL31(ON)/' Comments //SYSPRINT DD SYSOUT=* //SYSINDD DUMMY

Re: AT-TLS config help

2015-06-11 Thread Andrew Armstrong
If Pioneer is the server then I think you should code HandShakeRole Server. As for tracing, how have you configured your syslogd?

Re: AT-TLS config help

2015-06-10 Thread Donald J.
after the Trace 15, add something like this: { SyslogFacility auth } -- Donald J. dona...@4email.net On Wed, Jun 10, 2015, at 12:16 PM, Scott Ford wrote: Guys/Gals: We have a Cobol CICS Sockets STC

Re: AT-TLS question , issue

2015-05-15 Thread Scott Ford
Rob, Sorry for the late reply. The mismatch of ciphers was ADCD, this version of z/OS appears to give the customer a subset of ciphers. I am in the process of contacting IBM to find out more information. We have it working on the supplied ciphers. My concern of course is what the customer is

Re: AT-TLS question , issue

2015-05-14 Thread Donald J.
Correction: This is the server supported cipher list Set GSK_V3_CIPHER_SPECS_EXPANDED(214) - C02FC030009E009F009C009D002F0035000A Client ciphers are in the client hello. 2nd packet in ATTLS trace below: (002F 0035 0005 etc) RECV CIPHER 160301005F

Re: AT-TLS question , issue

2015-05-14 Thread Donald J.
If you use trace level: Trace 127 you will get debugging info on ciphers and other things. Cipher list presented by client: CONNID: DA17 RC:0 Set GSK_V3_CIPHER_SPECS_EXPANDED(214) - C02FC030009E009F009C009D002F0035000A Cipher chosen by server: CONNID: DA17 RC:0 Get

Re: AT-TLS question , issue

2015-05-14 Thread Rob Schramm
Diagnosis Guide with a direct hit http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.hald001/atprble.htm q0 - did you copy one of the GUI samples for the AT-TLS setup or build it from scratch? q1 - what ciphers did you select in Config Assistant or z/OSMF when you setup

Re: AT-TLS question , issue

2015-05-14 Thread Mike Wawiorko
http://www-01.ibm.com/support/knowledgecenter/api/content/nl/en-us/SSLTBW_1.13.0/com.ibm.zos.r13.hald001/comtls.htm AT-TLS return codes z/OS Communications Server: IP Diagnosis Guide GC31-8782-13 402 Connection Init A SSL cipher suite could not be agreed upon between the client and server.

Re: AT-TLS question , issue

2015-05-13 Thread Gilson, Lynn
Scott, I was looking at this document a little while ago: IBM z/OS V1R13 CS TCP/IP Implementation: Volume 4 Security and Policy-Based Networking on Chapter 16 'Telnet Security' it has some good information on this. Page 680 has a Table 16-1 that details the order of the ciphers. I think you
