Re: AT-TLS ? Very Basic Questions

2020-07-01 Thread Tom Brennan
Thanks!  This conversation really helped me understand.  And Mike just 
pointed out that not only are things headed to AT-TLS, but it may be the 
ONLY way to encrypt in the near future.



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN






Re: AT-TLS ? Very Basic Questions

2020-07-01 Thread Charles Mills
I think programs will be able to; IBM just does not intend to spend to maintain 
encryption in two places: AT-TLS *and* all of the listed applications.

Charles




Re: AT-TLS ? Very Basic Questions

2020-07-01 Thread Charles Mills
Tom, I believe you have nailed it exactly. Those are the two main drivers IMHO.

In addition, there is a *huge* problem (in general, not Z specifically) of 
poorly-written programmatic "users" of TLS libraries. If you write a General 
Ledger program and the ledgers don't cross-foot, the CFO tells you. If you 
write an "encrypted" communication program and the encryption has a logical 
flaw, generally no one tells you. :-( Centralizing the use of TLS, not just the 
TLS APIs, is a step toward addressing that problem.

https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf 

Charles




Re: AT-TLS ? Very Basic Questions

2020-07-01 Thread Mike Wawiorko
Some programs will soon no longer be able to do their own TLS encryption. 

https://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/0/877/ENUSZP19-0410/index.html_locale=en#sodx

Statements of direction

Removal of native TLS/SSL support from TN3270E Telnet server, FTP server, and 
DCAS

z/OS V2.4 is planned to be the last release in which the z/OS TN3270E Telnet 
server, FTP server, and Digital Certificate Access Server (DCAS) will support 
direct invocation of System SSL APIs for TLS/SSL protection. In the future, the 
only TLS/SSL protection option for these servers will be Application 
Transparent Transport Layer Security (AT-TLS). The direct System SSL support in 
each of these components is functionally outdated and only supports TLS 
protocols up through TLSv1.1. IBM recommends converting your TN3270E Telnet, 
FTP server, and DCAS configurations to use AT-TLS, which supports the latest 
System SSL features, including the TLSv1.2 and TLSv1.3 protocols and related 
cipher suites. Note that while native TLS/SSL support for z/OS FTP client is 
not being withdrawn at this time, no future enhancements are planned for that 
support. IBM recommends using AT-TLS to secure FTP client traffic.

Mike Wawiorko  



Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
I tried "Let's Encrypt" https://letsencrypt.org/ once for some web site 
names I have on a Linux server under my desk.  I can't remember why I 
didn't like it, but I ended up making my own CA cert to sign my https 
certificates, and then got the few people using the sites to import my 
CA into their browser.  Cheating a bit but it works great for isolated use.


But yes, if things like certificates could be all piled into one 
application and handled by one person in a company, things would get 
easier.  The first time I dealt with a certificate on the mainframe was 
for IBM's ITIM system which (the developer mentioned) had just switched 
to use OpenSSL.  We had multiple meetings with project leaders and 
others just to get a paid-for certificate in place (2 year expiration), 
when we probably could have created something self-signed with a 30 year 
expiration if we knew better :)



Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread kekronbekron
I believe that's the idea.
Now with zERT being available, more encrypted workload types will get surfaced, 
which will probably lead to more application/transport types being added under 
AT-TLS's capability.
Just speculation anyway.

What'll be interesting is if AT-TLS evolves to support mTLS (and the dynamic 
cert generation, renewal involved in it) for all the east-west traffic in 
new-age workload.
Starting with a "port" of Let's Encrypt for Z.
Don't know if any of these make sense, just a wild wishlist.

- KB


Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
Thanks KB...  I think I got my basic question answered, which is that 
one thing AT-TLS was designed for is to encrypt data for TCP/IP programs 
that weren't originally written with encryption.  In addition, it sounds 
like even programs that can do their own encryption (i.e. TN3270) can 
also use AT-TLS.  If so, that's a smart plan - putting encryption 
processing in one bucket with one set of controls, and one spot to 
update when TLS1.x comes along.


But if I'm wrong with any of the general notes above, please correct me.

On 6/30/2020 9:16 PM, kekronbekron wrote:

Tom, check this out - https://www.youtube.com/watch?v=YKEzX70moOQ

I also got 200 hits for 'AT-TLS' after logging in to share.org; you might want 
to do the same to see which of those are the most useful to you.

- KB

‐‐‐ Original Message ‐‐‐
On Tuesday, June 30, 2020 10:27 PM, Tom Brennan  
wrote:


I've tried to skim some of the AT-TLS doc, and even attended an IBM
webinar last week, but I'm still missing what I imagine are important
background points. Maybe someone here can explain things, but don't
worry too much about it.

Client and server programs like SSH/SSHD call programs such as OpenSSL
to handle the encryption handshake and processing. So when you set
those up, there is no AT-TLS needed for encryption. Same with the
TN3270 server and client, as long as you set that up with keys and
parameters on the host side, and settings on the client side.

I'm thinking because of the name "Application Transparent" that AT-TLS
was made for programs that DON'T have their own logic to call OpenSSL
(or whatever) to do their own encryption. Let's use clear-text FTP as
an example. So somehow, AT-TLS hooks into the processing and provides
an encrypted "tunnel", kind of like VPN does, but only for that one
application. Does that sound correct?

If so, then the encryption is "transparent" to the FTP server code and
FTP does not need to be changed, which I think is the whole idea here.
Yet we now have an encrypted session. Does that sound correct?

Then if so, what happens on the FTP client side? I certainly can't use
the Windows FTP command, for example, because it's not set up for any
kind of encryption. That's kind of my big question here.

On 6/30/2020 1:44 AM, Lionel B Dyck wrote:


Sweet - thank you
Lionel B. Dyck
Website: https://www.lbdsoftware.com
"Worry more about your character than your reputation. Character is what you are, 
reputation merely what others think you are." - John Wooden
-Original Message-
From: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU On Behalf Of 
kekronbekron
Sent: Tuesday, June 30, 2020 2:34 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ?
Hi LBD!
Check these out -
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414

- KB

‐‐‐ Original Message ‐‐‐
On Monday, June 29, 2020 3:56 AM, Lionel B Dyck lbd...@gmail.com wrote:


Anyone have any pointers for configuring AT-TLS on z/OS?
Lionel B. Dyck
Website: https://www.lbdsoftware.com
"Worry more about your character than your reputation. Character is
what you are, reputation merely what others think you are." - John
Wooden



Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread kekronbekron
Tom, check this out - https://www.youtube.com/watch?v=YKEzX70moOQ

I also got 200 hits for 'AT-TLS' after logging in to share.org; you might want 
to do the same to see which of those are the most useful to you.

- KB



Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Allan Staller
AT-TLS operates at the transport layer of the OSI model.
SFTP (OpenSSH, ...) operates at the session layer of the OSI model.

BTW, TLS has been supported "forever" by FTP, etc. The problem is, with TLS, 
the application needs to be modified to make TLS calls in the session layer. 
With AT-TLS, session layer TLS calls are moved to the transport layer and 
eliminated from the session layer. 
No application changes are needed.

HTH,

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: Tuesday, June 30, 2020 4:22 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions


Thanks Allan.  In TCP/IP programs I've written in C (both mainframe and 
non-mainframe), I've used connect(), send(), recv() and similar C functions for 
clear-text communication.  So I think that would be called the "logical layer".

And I'm assuming the "physical layer" would be at the point where software is 
talking to an OSA card.  In this case that would be the TCPIP address space, 
since my program doesn't talk directly to hardware.

That would mean AT-TLS comes into play via the TCPIP task, doing the encryption 
at that point, while my clear-text program has no idea and doesn't care.  
Certificates and other encryption parameters would be handled by AT-TLS at that 
point.

That's the picture I have so far.

Now in my own program if I called OpenSSL functions like SSL_connect() or 
SSL_read(), then encryption would be done at the logical layer, and my own 
program would then be responsible for certificates.  AT-TLS would not be 
needed, well, unless an auditor doesn't trust my SSL code.  That actually could 
be a consideration even for things like SFTP I guess - there's your first flame 
:)

On 6/30/2020 1:42 PM, Allan Staller wrote:
> Hopefully this will provide the clarity needed.
>
> AT-TLS works at the physical layer.
> FTPS and SFTP work at the logical layer
>
> Although not mutually exclusive, if you are doing one, the other is 
> unnecessary.
>
> Start the flame wars! Shields up. Condition Red! AT-TLS vs. SFTP!
>
> -Original Message-
> From: IBM Mainframe Discussion List  On 
> Behalf Of Tom Brennan
> Sent: Tuesday, June 30, 2020 12:19 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
>
>
> Do you know if either of those require AT-TLS?  When I installed and 
> configured SSHD last (a couple of years ago) it did its own encryption.
> I never worked with anything called FTPS.
>
> On 6/30/2020 10:12 AM, Marshall Stone wrote:
>> There are 2 types of FTP in use today on most mainframes.
>>
>> SFTP  - which uses Open/SSH (SSHAGNT as client and SSHD as a server) 
>> and the encryption/authentication is generally provided by the use of 
>> RSA/DSA public/private key pairs. The public keys are exchanged and 
>> stored in known_hosts files (if acting as client) or authorized_keys 
>> file (if acting as server) - Uses Server PORT 22 and ephemeral ports
>>
>> FTPS - completely different mechanism; the AT-TLS functions are 
>> provided by ICSF and policy agent (PAGENT) - You must configure an 
>> FTPS TLS rule to allow the connection and the partner side also will 
>> require a similar rule. The encryption/authentication come from the 
>> PAGENT rule and the use of X.509 certificates.  These are exchanged 
>> between partners and loaded onto the RACF keyring. The PAGENT rule 
>> points back to the keyring. - Uses Server PORT 990 by an old implicit 
>> default; most sites use a different port and connect clients with 
>> ephemeral port ranges. FTPS handles MVS datasets better; if possible 
>> use FTPS for MF to MF and use SFTP for MF to other
>> platforms (MS, UNIX, etc.)
>>
>> MS
>>
>> -Original Message-
>> From: IBM Mainframe Discussion List  On 
>> Behalf Of Tom Brennan
>> Sent: Tuesday, June 30, 2020 12:58 PM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
>>
>> I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar 
>> last week, but I'm still missing what I imagine are important background 
>> points.  Maybe someone here can explain things, but don't worry too much 
>> about it.
>>
>>

Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
Thanks Allan.  In TCP/IP programs I've written in C (both mainframe and 
non-mainframe), I've used connect(), send(), recv() and similar C 
functions for clear-text communication.  So I think that would be called 
the "logical layer".


And I'm assuming the "physical layer" would be at the point where 
software is talking to an OSA card.  In this case that would be the 
TCPIP address space, since my program doesn't talk directly to hardware.


That would mean AT-TLS comes into play via the TCPIP task, doing the 
encryption at that point, while my clear-text program has no idea and 
doesn't care.  Certificates and other encryption parameters would be 
handled by AT-TLS at that point.


That's the picture I have so far.

Now in my own program if I called OpenSSL functions like SSL_connect() 
or SSL_read(), then encryption would be done at the logical layer, and 
my own program would then be responsible for certificates.  AT-TLS would 
not be needed, well, unless an auditor doesn't trust my SSL code.  That 
actually could be a consideration even for things like SFTP I guess - 
there's your first flame :)


On 6/30/2020 1:42 PM, Allan Staller wrote:

Hopefully this will provide the clarity needed.

AT-TLS works at the physical layer.
FTPS and SFTP work at the logical layer

Although not mutually exclusive, If you are doing one, the other is unnecessary.

Start the flame wars! Shields up. Condition Red! AT-TLS vs. SFTP!

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: Tuesday, June 30, 2020 12:19 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

Do you know if either of those require AT-TLS?  When I installed and configured 
SSHD last (a couple of years ago) it did its own encryption.
I never worked with anything called FTPS.

On 6/30/2020 10:12 AM, Marshall Stone wrote:

There are 2 types of FTP in use today on most mainframes.

SFTP  - which uses Open/SSH (SSHAGNT as client and SSHD as a server)
and the encryption/authentication is generally provided by the use of
RSA/DSA public/private key pairs. The public keys are exchanged and
stored in known_hosts files (if acting as client) or authorized_keys
file (if acting as server) - Uses Server PORT 22 and ephemeral ports

FTPS - completely different mechanism; the AT-TLS functions are
provided by ICSF and policy agent (PAGENT) - You must configure an
FTPS TLS rule to allow the connection and the partner side also will
require a similar rule. The encryption/authentication come from the
PAGENT rule and the use of X.509 certificates.  These are exchanged
between partners and loaded onto the RACF keyring. The PAGENT rule
points back to the keyring. - Uses Server PORT 990 by an old implicit
default; most sites use a different port and connect clients with
ephemeral port ranges. FTPS handles MVS datasets better; if possible
use FTPS for MF to MF and use SFTP for MF to other
platforms (MS, UNIX, etc.)

MS

-Original Message-
From: IBM Mainframe Discussion List  On
Behalf Of Tom Brennan
Sent: Tuesday, June 30, 2020 12:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar 
last week, but I'm still missing what I imagine are important background 
points.  Maybe someone here can explain things, but don't worry too much about 
it.

Client and server programs like SSH/SSHD call programs such as OpenSSL
to handle the encryption handshake and processing.  So when you set
those up, there is no AT-TLS needed for encryption.  Same with the
TN3270 server and client, as long as you set that up with keys and parameters 
on the host side, and settings on the client side.

I'm thinking because of the name "Application Transparent" that AT-TLS was made for 
programs that DON'T have their own logic to call OpenSSL (or whatever) to do their own encryption.  
Let's use clear-text FTP as an example.  So somehow, AT-TLS hooks into the processing and provides 
an encrypted "tunnel", kind of like VPN does, but only for that one application.  Does 
that sound correct?

If so, then the encryption is "transparent" to the FTP server code and FTP does 
not need to be changed, which I think is the whole idea here.
Yet we now have an encrypted session.  Does that sound correct?

Then if so, what happens on the FTP client side?  I certainly can't use the 
Windows FTP command, for example, because it's not setup for any kind of 
encryption.  That's kind of my big question here.

On 6/30/2020 1:44 AM, Lionel B Dyck wrote:

Sweet - thank you


Lionel B. Dyck <
Website:
https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%

Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Allan Staller
Hopefully this will provide the clarity needed.

AT-TLS works at the physical layer.
FTPS and SFTP work at the logical layer

Although not mutually exclusive, If you are doing one, the other is unnecessary.

Start the flame wars! Shields up. Condition Red! AT-TLS vs. SFTP!

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: Tuesday, June 30, 2020 12:19 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

Do you know if either of those require AT-TLS?  When I installed and configured 
SSHD last (a couple of years ago) it did its own encryption.
I never worked with anything called FTPS.

On 6/30/2020 10:12 AM, Marshall Stone wrote:
> There are 2 types of FTP in use today on most mainframes.
>
> SFTP  - which uses Open/SSH (SSHAGNT as client and SSHD as a server)
> and the encryption/authentication is generally provided by the use of
> RSA/DSA public/private key pairs. The public keys are exchanged and
> stored in known_hosts files (if acting as client) or authorized_keys
> file (if acting as server) - Uses Server PORT 22 and ephemeral ports
>
> FTPS - completely different mechanism; the AT-TLS functions are
> provided by ICSF and policy agent (PAGENT) - You must configure an
> FTPS TLS rule to allow the connection and the partner side also will
> require a similar rule. The encryption/authentication come from the
> PAGENT rule and the use of X.509 certificates.  These are exchanged
> between partners and loaded onto the RACF keyring. The PAGENT rule
> points back to the keyring. - Uses Server PORT 990 by an old implicit
> default; most sites use a different port and connect clients with
> ephemeral port ranges. FTPS handles MVS datasets better; if possible
> use FTPS for MF to MF and use SFTP for MF to other
> platforms (MS, UNIX, etc.)
>
> MS
>
> -Original Message-
> From: IBM Mainframe Discussion List  On
> Behalf Of Tom Brennan
> Sent: Tuesday, June 30, 2020 12:58 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
>
> I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar 
> last week, but I'm still missing what I imagine are important background 
> points.  Maybe someone here can explain things, but don't worry too much 
> about it.
>
> Client and server programs like SSH/SSHD call programs such as OpenSSL
> to handle the encryption handshake and processing.  So when you set
> those up, there is no AT-TLS needed for encryption.  Same with the
> TN3270 server and client, as long as you set that up with keys and parameters 
> on the host side, and settings on the client side.
>
> I'm thinking because of the name "Application Transparent" that AT-TLS was 
> made for programs that DON'T have their own logic to call OpenSSL (or 
> whatever) to do their own encryption.  Let's use clear-text FTP as an 
> example.  So somehow, AT-TLS hooks into the processing and provides an 
> encrypted "tunnel", kind of like VPN does, but only for that one application. 
>  Does that sound correct?
>
> If so, then the encryption is "transparent" to the FTP server code and FTP 
> does not need to be changed, which I think is the whole idea here.
> Yet we now have an encrypted session.  Does that sound correct?
>
> Then if so, what happens on the FTP client side?  I certainly can't use the 
> Windows FTP command, for example, because it's not setup for any kind of 
> encryption.  That's kind of my big question here.
>
> On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
>> Sweet - thank you
>>
>>
>> Lionel B. Dyck <
>> Website: https://www.lbdsoftware.com
>>
>> "Worry more about your character than your reputation.  Character is
>> what you are, reputation merely what others think you are." - John
>> Wooden
>>
>> -Original Message-
>> From: IBM Mainframe Discussion List  On
>> Behalf Of kekronbekron
>> Sent: Tuesday, June 30, 2020 2:34 AM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: Re: AT-TLS ?
>>
>> Hi LBD!,
>>
>> Check these out-
>>
>>
>> https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww-
>> 0

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Allan Staller
> AT-TLS is required for TN3270 (and others

The above is incorrect. AT-TLS is *NEVER* a requirement.
It is up to the installation to determine whether or not AT-TLS will be used.

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Jackson, Rob
Sent: Tuesday, June 30, 2020 12:10 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

A note, without addressing your entire post (certainly not my area of 
expertise):  AT-TLS is required for TN3270 (and others) if you want to use TLS 
1.2 and higher.  In your TELNETPARMS for the port, instead of using SECUREPORT, 
you use TTLSPORT, referencing a port specified in a TTLSRule in AT-TLS.

First Horizon Bank
Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: Tuesday, June 30, 2020 12:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar 
last week, but I'm still missing what I imagine are important background 
points.  Maybe someone here can explain things, but don't worry too much about 
it.

Client and server programs like SSH/SSHD call programs such as OpenSSL to 
handle the encryption handshake and processing.  So when you set those up, 
there is no AT-TLS needed for encryption.  Same with the
TN3270 server and client, as long as you set that up with keys and parameters 
on the host side, and settings on the client side.

I'm thinking because of the name "Application Transparent" that AT-TLS was made 
for programs that DON'T have their own logic to call OpenSSL (or whatever) to 
do their own encryption.  Let's use clear-text FTP as an example.  So somehow, 
AT-TLS hooks into the processing and provides an encrypted "tunnel", kind of 
like VPN does, but only for that one application.  Does that sound correct?

If so, then the encryption is "transparent" to the FTP server code and FTP does 
not need to be changed, which I think is the whole idea here.
Yet we now have an encrypted session.  Does that sound correct?

Then if so, what happens on the FTP client side?  I certainly can't use the 
Windows FTP command, for example, because it's not setup for any kind of 
encryption.  That's kind of my big question here.

On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
> Sweet - thank you
>
>
> Lionel B. Dyck <
> Website: https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation.  Character is
> what you are, reputation merely what others think you are." - John
> Wooden
>
> -Original Message-
> From: IBM Mainframe Discussion List  On
> Behalf Of kekronbekron
> Sent: Tuesday, June 30, 2020 2:34 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: AT-TLS ?
>
> Hi LBD!,
>
> Check these out-
>
>
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
>
> - KB
>
> ‐‐‐ Original Message ‐‐‐
> On Monday, June 29, 2020 3:56 AM, Lionel B Dyck  wrote:
>
>> Anyone have any pointers for configuring AT-TLS on z/OS?
>>
>> Lionel B. Dyck <
>> Website: https://www.lbdsoftware.com

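As an added illustration of the mechanism Rob describes above (this is not configuration from the thread, nor one of IBM's samples): a TN3270 port secured through an AT-TLS rule instead of SECUREPORT. The keyword names are the policy-agent AT-TLS syntax; the port (2023), job name mask (TN3270*), keyring name (TN3270RING) and the action names are assumptions for this example.

```text
; --- TN3270 profile: let the stack, not the Telnet server, do TLS ---
; SECUREPORT would make the Telnet server own the handshake and need a
; KEYRING statement here; TTLSPORT hands both to AT-TLS.
TELNETPARMS
  TTLSPORT 2023
  CONNTYPE SECURE          ; refuse a clear-text session on this port
  INACTIVE 0
  TIMEMARK 600
  SCANINTERVAL 120
ENDTELNETPARMS

# --- Policy agent AT-TLS policy (the file referenced from the PAGENT
# configuration). The rule maps inbound connections to port 2023 in the
# TN3270 job to the group and environment actions below; the application
# keeps using its clear-text socket calls. Names are assumptions.
TTLSRule                        TN3270_Rule
{
   LocalPortRange               2023
   Jobname                      TN3270*
   Direction                    Inbound
   Priority                     100
   TTLSGroupActionRef           TN3270_Group
   TTLSEnvironmentActionRef     TN3270_Env
}

TTLSGroupAction                 TN3270_Group
{
   TTLSEnabled                  On
   Trace                        2        # errors to syslogd; raise while debugging
}

TTLSEnvironmentAction           TN3270_Env
{
   HandshakeRole                Server
   TTLSKeyringParms
   {
      Keyring                   TN3270RING   # SAF keyring holding the server certificate
   }
   TTLSCipherParmsRef           TN3270_Ciphers
   TTLSEnvironmentAdvancedParms
   {
      ApplicationControlled     On     # Telnet is AT-TLS aware and starts the
                                       # handshake itself (SIOCTTLSCTL), which is
                                       # what lets CONNTYPE decide per port
      SSLv2                     Off
      SSLv3                     Off
      TLSv1                     Off
      TLSv1.1                   Off
      TLSv1.2                   On
   }
}

TTLSCipherParms                 TN3270_Ciphers
{
   V3CipherSuites               TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
   V3CipherSuites               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
```

Two checks after PAGENT has read the policy: `pasearch -t` lists the installed AT-TLS rules, and the TTLS report (`netstat -x` from the z/OS UNIX shell, `NETSTAT TTLS` from TSO) shows whether a given connection was actually mapped to the rule. A connection that reaches the Telnet server without a rule match, or with TTLSEnabled Off, is a clear-text session, which is why the protocol and cipher lists belong in the policy rather than in each application.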
Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Steve Beaver
AT-TLS has been around for a while.  What is causing problems for tools like 
CL/Supersession, CA-TPX and such is PAGENT.

Once PAGENT is turned on all bets are off

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Tom Brennan
Sent: Tuesday, June 30, 2020 11:58 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

I've tried to skim some of the AT-TLS doc, and even attended an IBM 
webinar last week, but I'm still missing what I imagine are important 
background points.  Maybe someone here can explain things, but don't 
worry too much about it.

Client and server programs like SSH/SSHD call programs such as OpenSSL 
to handle the encryption handshake and processing.  So when you set 
those up, there is no AT-TLS needed for encryption.  Same with the 
TN3270 server and client, as long as you set that up with keys and 
parameters on the host side, and settings on the client side.

I'm thinking because of the name "Application Transparent" that AT-TLS 
was made for programs that DON'T have their own logic to call OpenSSL 
(or whatever) to do their own encryption.  Let's use clear-text FTP as 
an example.  So somehow, AT-TLS hooks into the processing and provides 
an encrypted "tunnel", kind of like VPN does, but only for that one 
application.  Does that sound correct?

If so, then the encryption is "transparent" to the FTP server code and 
FTP does not need to be changed, which I think is the whole idea here. 
Yet we now have an encrypted session.  Does that sound correct?

Then if so, what happens on the FTP client side?  I certainly can't use 
the Windows FTP command, for example, because it's not setup for any 
kind of encryption.  That's kind of my big question here.

On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
> Sweet - thank you
> 
> 
> Lionel B. Dyck <
> Website: https://www.lbdsoftware.com
> 
> "Worry more about your character than your reputation.  Character is what you 
> are, reputation merely what others think you are." - John Wooden
> 
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf Of 
> kekronbekron
> Sent: Tuesday, June 30, 2020 2:34 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: AT-TLS ?
> 
> Hi LBD!,
> 
> Check these out-
> 
> 
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
> 
> - KB
> 
> ‐‐‐ Original Message ‐‐‐
> On Monday, June 29, 2020 3:56 AM, Lionel B Dyck  wrote:
> 
>> Anyone have any pointers for configuring AT-TLS on z/OS?
>>
>> Lionel B. Dyck <
>> Website: https://www.lbdsoftware.com https://www.lbdsoftware.com
>>
>> "Worry more about your character than your reputation. Character is
>> what you are, reputation merely what others think you are." - John
>> Wooden
>>
>>
>> --
>> --
>> -
>>
>> For IBM-MAIN subscribe / signoff / archive access instructions, send
>> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> 


Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Mike Hochee
Some years ago this publication helped me come to a basic understanding of 
AT-TLS (apologies if already shared)...   
https://www.ibm.com/support/pages/leveraging-zos-communications-server-application-transparent-transport-layer-security-tls-lower-cost-and-more-rapid-tls-deployment
 
HTH
Mike 
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Paul Gilmartin
Sent: Tuesday, June 30, 2020 1:34 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

On Tue, 30 Jun 2020 09:57:48 -0700, Tom Brennan wrote:
>...
>Then if so, what happens on the FTP client side?  I certainly can't use 
>the Windows FTP command, for example, because it's not setup for any 
>kind of encryption.  That's kind of my big question here.
>
I believe that (sometimes) there's a proxy involved.  Beyond that, only GIYF:
https://www.google.com/search?q=at-tls+proxy+ftp
which links to:
ftp://ftp.www.ibm.com/s390/zos/racf/pdf/secure_zos_ftp.pdf

-- gil



Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Don Poitras
In article  you 
wrote:
> I've tried to skim some of the AT-TLS doc, and even attended an IBM 
> webinar last week, but I'm still missing what I imagine are important 
> background points.  Maybe someone here can explain things, but don't 
> worry too much about it.

> Client and server programs like SSH/SSHD call programs such as OpenSSL 
> to handle the encryption handshake and processing.  So when you set 
> those up, there is no AT-TLS needed for encryption.  Same with the 
> TN3270 server and client, as long as you set that up with keys and 
> parameters on the host side, and settings on the client side.

> I'm thinking because of the name "Application Transparent" that AT-TLS 
> was made for programs that DON'T have their own logic to call OpenSSL 
> (or whatever) to do their own encryption.  Let's use clear-text FTP as 
> an example.  So somehow, AT-TLS hooks into the processing and provides 
> an encrypted "tunnel", kind of like VPN does, but only for that one 
> application.  Does that sound correct?

> If so, then the encryption is "transparent" to the FTP server code and 
> FTP does not need to be changed, which I think is the whole idea here. 
> Yet we now have an encrypted session.  Does that sound correct?

> Then if so, what happens on the FTP client side?  I certainly can't use 
> the Windows FTP command, for example, because it's not setup for any 
> kind of encryption.  That's kind of my big question here.

I can't see that anyone answered your last question. Yes, the default Windows
FTP doesn't support encryption. There are third-party FTPS client programs you 
can purchase that do so. Or you could run lftp on the Windows Ubuntu shell.

-- 
Don Poitras - SAS Development  -  SAS Institute Inc. - SAS Campus Drive
sas...@sas.com   (919) 531-5637Cary, NC 27513


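Tom's "big question" was the client side. Whether z/OS terminates TLS inside the FTP server or in the TCP/IP stack through AT-TLS makes no difference to the client: it has to speak TLS itself, verify the server certificate against a CA it trusts, and protect the data connection as well as the control connection. The following is an added example written for this thread, not code from the discussion or from IBM, using Python's standard ftplib; host names, ports, the CA file path and the credentials are assumptions.

```python
"""FTPS client setup for a TLS-protected FTP port (added example)."""
import ftplib
import socket
import ssl


def make_ftps_context(ca_file=None):
    """Client-side TLS policy: verified server certificate, host name
    check, nothing older than TLS 1.2. create_default_context() already
    sets CERT_REQUIRED and check_hostname. ca_file=None means the system
    trust store, which is wrong when the keyring cert comes from a
    private CA; pass that CA's PEM file instead."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_policy(ctx):
    """Security-relevant settings of a context, for checking that the
    policy above has not been weakened somewhere."""
    return (ctx.verify_mode.name, ctx.check_hostname, ctx.minimum_version.name)


class ImplicitFTPS(ftplib.FTP_TLS):
    """Implicit FTPS (the old port-990 style): TLS starts before the FTP
    banner, so the control socket is wrapped the moment it is created
    instead of after an AUTH TLS command. ftplib has no built-in support
    for this, hence the property intercepting assignment to .sock."""

    _sock = None

    @property
    def sock(self):
        return self._sock

    @sock.setter
    def sock(self, value):
        if value is not None and not isinstance(value, ssl.SSLSocket):
            value = self.context.wrap_socket(value, server_hostname=self.host)
        self._sock = value


def connect_explicit(host, user, password, port=21, ca_file=None, timeout=30):
    """Explicit FTPS (RFC 4217): clear-text connect, AUTH TLS, login over
    the encrypted control channel, then PROT P so listings and transfers
    are encrypted too. Without prot_p() only the credentials are
    protected and file contents cross the wire in the clear."""
    ftps = ftplib.FTP_TLS(context=make_ftps_context(ca_file), timeout=timeout)
    ftps.connect(host, port)
    ftps.login(user, password)      # secure=True by default: sends AUTH TLS first
    ftps.prot_p()
    return ftps


def connect_implicit(host, user, password, port=990, ca_file=None, timeout=30):
    """Implicit FTPS: the handshake happens inside connect(); AUTH TLS must
    not be sent again, so log in with secure=False, then still PROT P."""
    ftps = ImplicitFTPS(context=make_ftps_context(ca_file), timeout=timeout)
    ftps.connect(host, port)
    ftps.login(user, password, secure=False)
    ftps.prot_p()
    return ftps


def control_socket_is_tls(host="ftp.example.invalid"):
    """Offline check of the ImplicitFTPS hook: an unconnected plain socket
    assigned to .sock comes back as an SSLSocket (no handshake happens
    until connect). No network access."""
    ftps = ImplicitFTPS(context=make_ftps_context())
    ftps.host = host
    ftps.sock = socket.socket()
    wrapped = isinstance(ftps.sock, ssl.SSLSocket)
    ftps.sock.close()
    return wrapped


if __name__ == "__main__":
    # Assumed host, credentials and CA file (the CA that signed the
    # certificate on the z/OS keyring, not the system trust store).
    session = connect_explicit("zos.example.invalid", "tsouser", "secret",
                               ca_file="/etc/ssl/zos-ca.pem")
    print(session.nlst())
    session.quit()
```

The same two points apply to lftp, which Don mentions: `ssl:verify-certificate` (with `ssl:ca-file`) controls whether the server certificate is checked at all, and `ftp:ssl-protect-data` is the equivalent of PROT P for the data channel.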

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Jackson, Rob
Ah, maybe he was going on this or something similar, and it got garbled in 
translation:

https://www.ibm.com/support/pages/zos-communications-server-tls-needed-implement-tls-v12

First Horizon Bank
Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Jackson, Rob
Sent: Tuesday, June 30, 2020 1:31 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [Originated Externally]Re: AT-TLS ? Very Basic Questions

My turn to say interesting!  I didn't look it up; just going on what the Comm 
guy assured me.  We're still on 2.2 (shortly on to 2.4), so maybe that makes a 
difference.

First Horizon Bank
Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Lennie Dymoke-Bradshaw
Sent: Tuesday, June 30, 2020 1:18 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

I have TLS 1.2 working in my TN3270 server without AT-TLS.
This is on z/OS 2.3

Lennie Dymoke-Bradshaw
Consultant working on contract for
BMC Mainframe Services by RSM Partners
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Jackson, Rob
Sent: 30 June 2020 18:10
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] AT-TLS ? Very Basic Questions

A note, without addressing your entire post (certainly not my area of 
expertise):  AT-TLS is required for TN3270 (and others) if you want to use TLS 
1.2 and higher.  In your TELNETPARMS for the port, instead of using SECUREPORT, 
you use TTLSPORT, referencing a port specified in a TTLSRule in AT-TLS.

First Horizon Bank
Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: Tuesday, June 30, 2020 12:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar 
last week, but I'm still missing what I imagine are important background 
points.  Maybe someone here can explain things, but don't worry too much about 
it.

Client and server programs like SSH/SSHD call programs such as OpenSSL to 
handle the encryption handshake and processing.  So when you set those up, 
there is no AT-TLS needed for encryption.  Same with the
TN3270 server and client, as long as you set that up with keys and parameters 
on the host side, and settings on the client side.

I'm thinking because of the name "Application Transparent" that AT-TLS was made 
for programs that DON'T have their own logic to call OpenSSL (or whatever) to 
do their own encryption.  Let's use clear-text FTP as an example.  So somehow, 
AT-TLS hooks into the processing and provides an encrypted "tunnel", kind of 
like VPN does, but only for that one application.  Does that sound correct?

If so, then the encryption is "transparent" to the FTP server code and FTP does 
not need to be changed, which I think is the whole idea here.
Yet we now have an encrypted session.  Does that sound correct?

Then if so, what happens on the FTP client side?  I certainly can't use the 
Windows FTP command, for example, because it's not setup for any kind of 
encryption.  That's kind of my big question here.

On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
> Sweet - thank you
>
>
> Lionel B. Dyck <
> Website: https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation.  Character is 
> what you are, reputation merely what others think you are." - John 
> Wooden
>
> -Original Message-
> From: IBM Mainframe Discussion List  On 
> Behalf Of kekronbekron
> Sent: Tuesday, June 30, 2020 2:34 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: AT-TLS ?
>
> Hi LBD!,
>
> Check these out-
>
>
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
>
> - KB
>
> ‐‐‐ Original Message ‐‐‐
> On Monday, June 29, 2020 3:56 AM, Lionel B Dyck  wrote:
>
>> Anyone have any pointers for configuring AT-TLS on z/OS?
>>
>> Lionel B. Dyck <
>> Website: https://www.lbdsoftware.com https://www.lbdsoftware.com
>>
>> "Worry more about your character than your reputation. Character is 
>> what you are, reputation merely what others think you are." - John 
>> Wooden
>>
>>

Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Paul Gilmartin
On Tue, 30 Jun 2020 09:57:48 -0700, Tom Brennan wrote:
>...
>Then if so, what happens on the FTP client side?  I certainly can't use
>the Windows FTP command, for example, because it's not setup for any
>kind of encryption.  That's kind of my big question here.
>
I believe that (sometimes) there's a proxy involved.  Beyond that, only GIYF:
https://www.google.com/search?q=at-tls+proxy+ftp
which links to:
ftp://ftp.www.ibm.com/s390/zos/racf/pdf/secure_zos_ftp.pdf

-- gil



Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Jackson, Rob
My turn to say interesting!  I didn't look it up; just going on what the Comm 
guy assured me.  We're still on 2.2 (shortly on to 2.4), so maybe that makes a 
difference.

First Horizon Bank
Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Lennie Dymoke-Bradshaw
Sent: Tuesday, June 30, 2020 1:18 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions

I have TLS 1.2 working in my TN3270 server without AT-TLS.
This is on z/OS 2.3

Lennie Dymoke-Bradshaw
Consultant working on contract for
BMC Mainframe Services by RSM Partners
‘Dance like no one is watching. Encrypt like everyone is.’

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Jackson, Rob
Sent: 30 June 2020 18:10
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] AT-TLS ? Very Basic Questions

A note, without addressing your entire post (certainly not my area of 
expertise):  AT-TLS is required for TN3270 (and others) if you want to use TLS 
1.2 and higher.  In your TELNETPARMS for the port, instead of using SECUREPORT, 
you use TTLSPORT, referencing a port specified in a TTLSRule in AT-TLS.

First Horizon Bank
Mainframe Technical Support

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of Tom 
Brennan
Sent: Tuesday, June 30, 2020 12:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ? Very Basic Questions


Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Marshall Stone
Anything SFTP on OpenSSH will never use AT-TLS.

FTPS - is IBM's FTP program not using PORT 21 and running in secured mode, 
set up to force authentication and use AT-TLS for encryption.

MS

Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
Do you know if either of those require AT-TLS?  When I installed and 
configured SSHD last (a couple of years ago) it did its own encryption. 
I never worked with anything called FTPS.


--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Lennie Dymoke-Bradshaw
I have TLS 1.2 working in my TN3270 server without AT-TLS.
This is on z/OS 2.3.

Lennie Dymoke-Bradshaw
Consultant working on contract for
BMC Mainframe Services by RSM Partners
‘Dance like no one is watching. Encrypt like everyone is.’


Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
Interesting!  I've set up the TN3270 parms on the mainframe for SSL/TLS, 
but that was before TLS 1.2.



Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Marshall Stone
There are 2 types of FTP in use today on most mainframes.

SFTP - uses OpenSSH (SSHAGNT as client and SSHD as a server), and the 
encryption/authentication is generally provided by the use of RSA/DSA 
public/private key pairs. The public keys are exchanged and stored in 
known_hosts files (if acting as client) or the authorized_keys file (if acting 
as server). Uses server PORT 22 and ephemeral ports.

FTPS - a completely different mechanism; the AT-TLS functions are provided by 
ICSF and the policy agent (PAGENT). You must configure an FTPS TLS rule to 
allow the connection, and the partner side will also require a similar rule. 
The encryption/authentication come from the PAGENT rule and the use of X.509 
certificates. These are exchanged between partners and loaded onto the RACF 
keyring. The PAGENT rule points back to the keyring. Uses server PORT 990 by 
an old implicit default; most sites use a different port and connect clients 
with ephemeral port ranges. FTPS handles MVS datasets better; if possible use 
FTPS for MF to MF and use SFTP for MF to other platforms (MS, UNIX, etc).

MS


Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Jackson, Rob
A note, without addressing your entire post (certainly not my area of 
expertise):  AT-TLS is required for TN3270 (and others) if you want to use TLS 
1.2 and higher.  In your TELNETPARMS for the port, instead of using SECUREPORT, 
you use TTLSPORT, referencing a port specified in a TTLSRule in AT-TLS.

First Horizon Bank
Mainframe Technical Support

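To make the TTLSPORT/TTLSRule point above concrete, and to show what the PAGENT rule Marshall Stone describes for FTPS looks like for the TN3270 case, here is an added illustration that is not configuration from anyone on this thread or from IBM documentation: the TELNETPARMS change beside a minimal AT-TLS policy that pins the port to TLS 1.2. Port 992, the keyring name TN3270RING, the jobname mask, the rule/action names and the cipher list are all assumed values to be replaced with your own.

```text
#######################################################################
# 1. TCPIP profile, TELNETPARMS for the TN3270 server (shown here as
#    comments; profile comments actually begin with ';')
#######################################################################
#   Before - TN3270's own SSL/TLS, which stops short of TLS 1.2:
#     TELNETPARMS
#       SECUREPORT 992
#       KEYRING SAF TN3270RING
#     ENDTELNETPARMS
#
#   After - the port is handed to AT-TLS and must match a TTLSRule:
#     TELNETPARMS
#       TTLSPORT 992
#     ENDTELNETPARMS

#######################################################################
# 2. Policy Agent (PAGENT) AT-TLS policy for the same port
#    (all names, the port and the jobname mask are assumed values)
#######################################################################
TTLSRule                    TN3270-Inbound-992
{
  LocalPortRange            992          # must equal the TTLSPORT value
  Direction                 Inbound      # TN3270 server accepts connections
  Jobname                   TN3270*      # limit the rule to the TN3270 address space
  TTLSGroupActionRef        GrpAct-TLS-On
  TTLSEnvironmentActionRef  EnvAct-TN3270-Server
}

TTLSGroupAction             GrpAct-TLS-On
{
  TTLSEnabled               On
  Trace                     2            # errors only; raise while debugging handshakes
}

TTLSEnvironmentAction       EnvAct-TN3270-Server
{
  HandshakeRole             Server       # ServerWithClientAuth if clients present certs
  TTLSKeyringParms
  {
    Keyring                 TN3270RING   # RACF keyring holding the server certificate
  }
  TTLSEnvironmentAdvancedParms
  {
    SSLv2                   Off
    SSLv3                   Off
    TLSv1                   Off
    TLSv1.1                 Off
    TLSv1.2                 On           # the level the built-in SECUREPORT path cannot give
  }
  TTLSCipherParmsRef        Ciphers-TLS12
}

TTLSCipherParms             Ciphers-TLS12
{
  # forward-secret AEAD suites only; order is preference order
  V3CipherSuites            TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
```

The same rule shape, with LocalPortRange set to the FTP control port and the FTP server's jobname, is what an FTPS TTLSRule looks like, and the partner system needs the mirror-image outbound rule on its side.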


Re: AT-TLS ? Very Basic Questions

2020-06-30 Thread Tom Brennan
I've tried to skim some of the AT-TLS doc, and even attended an IBM 
webinar last week, but I'm still missing what I imagine are important 
background points.  Maybe someone here can explain things, but don't 
worry too much about it.


Client and server programs like SSH/SSHD call programs such as OpenSSL 
to handle the encryption handshake and processing.  So when you set 
those up, there is no AT-TLS needed for encryption.  Same with the 
TN3270 server and client, as long as you set that up with keys and 
parameters on the host side, and settings on the client side.


I'm thinking because of the name "Application Transparent" that AT-TLS 
was made for programs that DON'T have their own logic to call OpenSSL 
(or whatever) to do their own encryption.  Let's use clear-text FTP as 
an example.  So somehow, AT-TLS hooks into the processing and provides 
an encrypted "tunnel", kind of like VPN does, but only for that one 
application.  Does that sound correct?


If so, then the encryption is "transparent" to the FTP server code and 
FTP does not need to be changed, which I think is the whole idea here. 
Yet we now have an encrypted session.  Does that sound correct?


Then if so, what happens on the FTP client side?  I certainly can't use 
the Windows FTP command, for example, because it's not set up for any 
kind of encryption.  That's kind of my big question here.




Re: AT-TLS ?

2020-06-30 Thread Lionel B Dyck
Sweet - thank you


Lionel B. Dyck <
Website: https://www.lbdsoftware.com

"Worry more about your character than your reputation.  Character is what you 
are, reputation merely what others think you are." - John Wooden



Re: AT-TLS ?

2020-06-30 Thread kekronbekron
Hi LBD!,

Check these out-


http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414

- KB

‐‐‐ Original Message ‐‐‐
On Monday, June 29, 2020 3:56 AM, Lionel B Dyck  wrote:

> Anyone have any pointers for configuring AT-TLS on z/OS?
>
> Lionel B. Dyck <
> Website: https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation. Character is what
> you are, reputation merely what others think you are." - John Wooden
>
>


Re: AT-TLS ?

2020-06-29 Thread Rob Schramm
Redbooks are both helpful and not.
There was an old presentation on it (share) that I found really helpful and
insightful.

Do you have z/OSMF set up?  If not it is possible to use the samples to set
it up.



On Sun, Jun 28, 2020, 18:26 Lionel B Dyck  wrote:

> Anyone have any pointers for configuring AT-TLS on z/OS?
>
>
>
>
>
> Lionel B. Dyck <
> Website:   https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation.  Character is what
> you are, reputation merely what others think you are." - John Wooden
>
>
>
>


Re: AT-TLS ?

2020-06-29 Thread Roberto Halais
GSK trace was very helpful!

On Mon, Jun 29, 2020 at 6:14 AM Lionel B Dyck  wrote:

> Thank you everyone for your advice - this morning will be time deep in the
> doc.
>
>
> Lionel B. Dyck <
> Website: https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation.  Character is what
> you are, reputation merely what others think you are." - John Wooden
>
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf
> Of
> Mike Hochee
> Sent: Sunday, June 28, 2020 7:08 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: AT-TLS ?
>
> Hi Lionel,
>
> I did this a few years back and utilized it for a product. Below are a few
> items from the product doc and a few more that remain in accessible memory
> areas...
>
> - Read the relevant sections of Comm Server IP Configuration Ref,
> specifically in the chapter on Policy Agent (PA) and Policy Applications.
> Also in the IP Configuration Guide, there is a chapter on AT-TLS Security
> Data Protection, topic TCPIP Stack Initialization.
>
> - Use z/OSMF for generation of your initial set of PA config files and
> inputs, then consider manually tailoring. I opted for this approach under
> z/OS 2.2, but z/OSMF has undoubtedly improved greatly since then, so maybe
> you can use z/OSMF exclusively w/out too much pain these days.
>
> - Configure the syslog daemon, and test it to ensure messages are being
> collected for whatever you're interested in (TCPIP is not a pre-req for
> syslogd)
>
> - Configure PROFILE.TCPIP, you will need to add a TTLS parm to the
> TCPCONFIG
> statement
>
> - Create the resource profile used to block access to the TCPIP stack
> during
> initialization, the name of the resource will be
> EZB.INITSTACK.%sysname.%tcpprocname  (it may be differently named w/ACF2 or
> TSS)
>
> - Create a server keyring and x509 certificate, and then connect the cert
> to
> the keyring, and depending on what you're doing you may need to permit
> access so the keyring and cert can be listed (resources are
> IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.LIST)
>
> - Once you have done the above and are ready to test:
> Ensure syslogd running
> Stop the TCPIP AS (there are undoubtedly less invasive ways) Start the
> TCPIP
> AS and watch for msg EZZ4248E, after which you should start your PA daemon
> (eventually, you'll want to automate this), the start will probably look
> something like... /usr/lpp/tcpip/sbin/pagent -l /tmp/pagent.log -c
> /etc/pagent.conf &
>
> - Once started, check out the following for messages...
> MVS system log
> Pagent log file
> Output from the pasearch -t command
>
> If you need additional detail, please feel free to email me directly.
>
> HTH,
> Mike
>
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Lionel B Dyck
> Sent: Sunday, June 28, 2020 6:26 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: AT-TLS ?
>
>
> Anyone have any pointers for configuring AT-TLS on z/OS?
>
>
>
>
>
> Lionel B. Dyck <
> Website: https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation.  Character is what
> you are, reputation merely what others think you are." - John Wooden
>
>
>
>
-- 
Politics: Poli (many) - tics (blood sucking parasites)



Re: AT-TLS ?

2020-06-29 Thread Lionel B Dyck
The goal is to enable RRSF which requires AT-TLS and then enable secure FTP TLS 
and TN3270 with it.  Installing CoZ:SFTP for improved sftp capabilities as 
well.

Thanks

Lionel B. Dyck <
Website: https://www.lbdsoftware.com

"Worry more about your character than your reputation.  Character is what you 
are, reputation merely what others think you are." - John Wooden

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Wendell Lovewell
Sent: Monday, June 29, 2020 8:38 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ?

Lionel, what type of endpoints are you wanting to use AT-TLS to secure?  I 
might have some notes that would help.  

Here is some general information about diagnosing AT-TLS errors:

If there is a problem making the connection, AT-TLS will display an error on the 
console.  Here are a few examples.  The endpoints were a started task (XYZSTC) 
and a CICS region (CICSA):

EZD1287I TTLS Error RC:  417 Initial Handshake 560
  LOCAL: 10.1.1.1..1213
  REMOTE: 10.1.1.1..5401
  JOBNAME: XYZSTC RULE: XYZ_STC_Rule
  USERID: STCOPER GRPID: 000F ENVID: 0013 CONNID: 06DE
EZD1287I TTLS Error RC:  435 Initial Handshake 561
  LOCAL: 10.1.1.1..5401
  REMOTE: 10.1.1.1..1213
  JOBNAME: CICSA RULE: XYZ_CICS_Rule
  USERID: CICSA GRPID: 000E ENVID: 0014 CONNID: 06DF

EZD1287I TTLS Error RC:  508 Initial Handshake 462
  LOCAL: 10.1.1.1..1206
  REMOTE: 10.1.1.1..5401
  JOBNAME: XYZSTC RULE: XYZ_STC_Rule
  USERID: STCOPER GRPID: 000F ENVID: 0010 CONNID: 06B9
EZD1287I TTLS Error RC:  438 Initial Handshake 463
  LOCAL: 10.1.1.1..5401
  REMOTE: 10.1.1.1..1206
  JOBNAME: CICSA RULE: XYZ_CICS_Rule
  USERID: CICSA GRPID: 000E ENVID: 0011 CONNID: 06BA

EZD1287I TTLS Error RC: 5006 Initial Handshake 476
  LOCAL: 10.1.1.1..5401
  REMOTE: 10.1.1.1..1173
  JOBNAME: CICSA RULE: XYZ_CICS_Rule
  USERID: CICSA GRPID: 000E ENVID: 000E CONNID: 05A4
EZD1287I TTLS Error RC:  406 Initial Handshake 477
  LOCAL: 10.1.1.1..1173
  REMOTE: 10.1.1.1..5401
  JOBNAME: XYZSTC RULE: XYZ_STC_Rule


The RC values are most helpful.  Since there is a policy used for both inbound 
(XYZ_CICS_Rule) and outbound (XYZ_STC_Rule—note the rules in play are also 
displayed on the console), there will likely be two EZD1287I messages displayed 
if there is a problem.  (Both sides will experience a problem.)  You can find 
an explanation for these in the SC14-7495-30 Cryptographic Services System 
Secure Sockets Layer Programming manual, currently in chapter 13.

SC27-3651-30 IP Configuration Reference contains the syntax for the AT-TLS 
policy (/etc/pagent_TTLS.conf).

GC27-3652-30 IP Diagnosis Guide may be useful if you are getting GSK errors.

SA23-2292-30 Security Server RACF Command Language Reference contains the 
syntax for the RACDCERT instructions.

If you need to see the GSK messages, set the Trace value in the TTLSGroupAction 
parms for both the XYZ_CICS_Rule and XYZ_STC_Rule to Trace 255.  When you 
upload /etc/pagent_TTLS.conf, the policy agent will re-install the policy.

If you make RACF changes to the keyrings, you need to tell the policy agent to 
refresh its settings for them.  You can do this by changing the 
EnvironmentAction value & reloading the pagent_TTLS.conf file.

Hth,
Wendell



Re: AT-TLS ?

2020-06-29 Thread Wendell Lovewell
Lionel, what type of endpoints are you wanting to use AT-TLS to secure?  I 
might have some notes that would help.  

Here is some general information about diagnosing AT-TLS errors:

If there is a problem making the connection, AT-TLS will display an error on the 
console.  Here are a few examples.  The endpoints were a started task (XYZSTC) 
and a CICS region (CICSA):

EZD1287I TTLS Error RC:  417 Initial Handshake 560
  LOCAL: 10.1.1.1..1213
  REMOTE: 10.1.1.1..5401
  JOBNAME: XYZSTC RULE: XYZ_STC_Rule
  USERID: STCOPER GRPID: 000F ENVID: 0013 CONNID: 06DE
EZD1287I TTLS Error RC:  435 Initial Handshake 561
  LOCAL: 10.1.1.1..5401
  REMOTE: 10.1.1.1..1213
  JOBNAME: CICSA RULE: XYZ_CICS_Rule
  USERID: CICSA GRPID: 000E ENVID: 0014 CONNID: 06DF

EZD1287I TTLS Error RC:  508 Initial Handshake 462
  LOCAL: 10.1.1.1..1206
  REMOTE: 10.1.1.1..5401
  JOBNAME: XYZSTC RULE: XYZ_STC_Rule
  USERID: STCOPER GRPID: 000F ENVID: 0010 CONNID: 06B9
EZD1287I TTLS Error RC:  438 Initial Handshake 463
  LOCAL: 10.1.1.1..5401
  REMOTE: 10.1.1.1..1206
  JOBNAME: CICSA RULE: XYZ_CICS_Rule
  USERID: CICSA GRPID: 000E ENVID: 0011 CONNID: 06BA

EZD1287I TTLS Error RC: 5006 Initial Handshake 476
  LOCAL: 10.1.1.1..5401
  REMOTE: 10.1.1.1..1173
  JOBNAME: CICSA RULE: XYZ_CICS_Rule
  USERID: CICSA GRPID: 000E ENVID: 000E CONNID: 05A4
EZD1287I TTLS Error RC:  406 Initial Handshake 477
  LOCAL: 10.1.1.1..1173
  REMOTE: 10.1.1.1..5401
  JOBNAME: XYZSTC RULE: XYZ_STC_Rule


The RC values are most helpful.  Since there is a policy used for both inbound 
(XYZ_CICS_Rule) and outbound (XYZ_STC_Rule—note the rules in play are also 
displayed on the console), there will likely be two EZD1287I messages displayed 
if there is a problem.  (Both sides will experience a problem.)  You can find 
an explanation for these in the SC14-7495-30 Cryptographic Services System 
Secure Sockets Layer Programming manual, currently in chapter 13.

SC27-3651-30 IP Configuration Reference contains the syntax for the AT-TLS 
policy (/etc/pagent_TTLS.conf).

GC27-3652-30 IP Diagnosis Guide may be useful if you are getting GSK errors.

SA23-2292-30 Security Server RACF Command Language Reference contains the 
syntax for the RACDCERT instructions.

If you need to see the GSK messages, set the Trace value in the TTLSGroupAction 
parms for both the XYZ_CICS_Rule and XYZ_STC_Rule to Trace 255.  When you 
upload /etc/pagent_TTLS.conf, the policy agent will re-install the policy.

If you make RACF changes to the keyrings, you need to tell the policy agent to 
refresh its settings for them.  You can do this by changing the 
EnvironmentAction value & reloading the pagent_TTLS.conf file.

Hth,
Wendell
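The pairing Wendell describes (one EZD1287I from each side of the same connection, with LOCAL and REMOTE swapped) is easy to lose in a busy SYSLOG. What follows is an added example, not code from Wendell or from IBM: a small Python parser that splits the multi-line EZD1287I messages and groups them by connection, so both return codes for one failed handshake are read together. The sample input copies the messages quoted above and adds one constructed message (a peer at 10.1.1.2 that is not under any AT-TLS rule, so only one side reports); the meaning of each RC still has to be looked up in the System SSL Programming manual cited above.

```python
import re
from collections import defaultdict

# Constructed sample input: the EZD1287I messages quoted in the post above
# (two connections, each reported by both endpoints), plus one constructed
# message for a connection whose peer is not under an AT-TLS rule, so only
# one side reports.
SAMPLE_CONSOLE = """\
EZD1287I TTLS Error RC:  417 Initial Handshake 560
  LOCAL: 10.1.1.1..1213
  REMOTE: 10.1.1.1..5401
  JOBNAME: XYZSTC RULE: XYZ_STC_Rule
  USERID: STCOPER GRPID: 000F ENVID: 0013 CONNID: 06DE
EZD1287I TTLS Error RC:  435 Initial Handshake 561
  LOCAL: 10.1.1.1..5401
  REMOTE: 10.1.1.1..1213
  JOBNAME: CICSA RULE: XYZ_CICS_Rule
  USERID: CICSA GRPID: 000E ENVID: 0014 CONNID: 06DF
EZD1287I TTLS Error RC: 5006 Initial Handshake 476
  LOCAL: 10.1.1.1..5401
  REMOTE: 10.1.1.1..1173
  JOBNAME: CICSA RULE: XYZ_CICS_Rule
  USERID: CICSA GRPID: 000E ENVID: 000E CONNID: 05A4
EZD1287I TTLS Error RC:  406 Initial Handshake 477
  LOCAL: 10.1.1.1..1173
  REMOTE: 10.1.1.1..5401
  JOBNAME: XYZSTC RULE: XYZ_STC_Rule
EZD1287I TTLS Error RC:  406 Initial Handshake 478
  LOCAL: 10.1.1.1..5401
  REMOTE: 10.1.1.2..40123
  JOBNAME: CICSA RULE: XYZ_CICS_Rule
  USERID: CICSA GRPID: 000E ENVID: 000E CONNID: 05B0
"""

# Header line: message id, System SSL return code, handshake phase, sequence number.
HEADER_RE = re.compile(r"^EZD1287I TTLS Error RC:\s*(\d+)\s+(.*?)\s+(\d+)\s*$")
# Continuation lines: one or more "KEY: value" pairs.
FIELD_RE = re.compile(r"([A-Z]+):\s+(\S+)")


def parse_ezd1287i(text):
    """Return one dict per EZD1287I message found in console text.

    A message may be truncated (the last one above has no USERID line),
    so no continuation field is required.
    """
    messages = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"rc": int(m.group(1)), "phase": m.group(2), "seq": int(m.group(3))}
            messages.append(current)
            continue
        if current is None:
            continue  # console lines before the first message are ignored
        for key, value in FIELD_RE.findall(line):
            current[key.lower()] = value
    return messages


def group_by_connection(messages):
    """Group messages by the TCP connection they describe.

    When both endpoints are under an AT-TLS rule, each side logs its own
    EZD1287I with LOCAL and REMOTE swapped, so the unordered endpoint pair
    identifies the connection.
    """
    groups = defaultdict(list)
    for msg in messages:
        if "local" in msg and "remote" in msg:
            groups[tuple(sorted((msg["local"], msg["remote"])))].append(msg)
    return dict(groups)


def summarize(text):
    """One summary per failed connection: RC per rule, and whether only one side reported."""
    summaries = []
    for endpoints, msgs in group_by_connection(parse_ezd1287i(text)).items():
        summaries.append({
            "endpoints": endpoints,
            "rc_by_rule": {m.get("rule", "?"): m["rc"] for m in msgs},
            "one_sided": len(msgs) == 1,
        })
    return summaries


if __name__ == "__main__":
    for s in summarize(SAMPLE_CONSOLE):
        flag = " (only one side reported)" if s["one_sided"] else ""
        print(f"{s['endpoints'][0]} <-> {s['endpoints'][1]}: {s['rc_by_rule']}{flag}")
```

Run it as a script to get one line per connection. A connection with only one message usually means the peer is not itself under an AT-TLS rule (a non-z/OS client, for example), so its side of the handshake failure has to be looked for in the peer's own logs rather than on the z/OS console.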



Re: AT-TLS ?

2020-06-29 Thread Steve Beaver
Well, that does take digital certs and pagent. Now, there are currently no 
vendors that support AT-TLS; if you are looking for something like TPX or CL/SS, 
the answer is no.

Sent from my iPhone

I promise you I can’t type or
Spell on any smartphone 

> On Jun 28, 2020, at 22:04, Gibney, Dave  wrote:
> 
> The details in the documentation is a bit scattered. Including separate 
> sections for  FTPS and tn3270
> 
>> -Original Message-
>> From: IBM Mainframe Discussion List  On
>> Behalf Of Lionel B Dyck
>> Sent: Sunday, June 28, 2020 3:26 PM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: AT-TLS ?
>> 
>> Anyone have any pointers for configuring AT-TLS on z/OS?
>> 
>> 
>> 
>> 
>> 
>> Lionel B. Dyck <
>> Website: https://www.lbdsoftware.com
>> 
>> "Worry more about your character than your reputation.  Character is what
>> you are, reputation merely what others think you are." - John Wooden
>> 
>> 
>> 
>> 


Re: AT-TLS ?

2020-06-29 Thread Lionel B Dyck
Thank you everyone for your advice - this morning will be time deep in the
doc.


Lionel B. Dyck <
Website: https://www.lbdsoftware.com

"Worry more about your character than your reputation.  Character is what
you are, reputation merely what others think you are." - John Wooden

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of
Mike Hochee
Sent: Sunday, June 28, 2020 7:08 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS ?

Hi Lionel, 

I did this a few years back and utilized it for a product. Below are a few
items from the product doc and a few more that remain in accessible memory
areas...

- Read the relevant sections of Comm Server IP Configuration Ref,
specifically in the chapter on Policy Agent (PA) and Policy Applications.
Also in the IP Configuration Guide, there is a chapter on AT-TLS Security
Data Protection, topic TCPIP Stack Initialization. 

- Use z/OSMF for generation of your initial set of PA config files and
inputs, then consider manually tailoring. I opted for this approach under
z/OS 2.2, but z/OSMF has undoubtedly improved greatly since then, so maybe
you can use z/OSMF exclusively w/out too much pain these days. 

- Configure the syslog daemon, and test it to ensure messages are being
collected for whatever you're interested in (TCPIP is not a pre-req for
syslogd) 

- Configure PROFILE.TCPIP, you will need to add a TTLS parm to the TCPCONFIG
statement

- Create the resource profile used to block access to the TCPIP stack during
initialization, the name of the resource will be
EZB.INITSTACK.%sysname.%tcpprocname  (it may be differently named w/ACF2 or
TSS) 

- Create a server keyring and x509 certificate, and then connect the cert to
the keyring, and depending on what you're doing you may need to permit
access so the keyring and cert can be listed (resources are
IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.LIST) 

- Once you have done the above and are ready to test: 
Ensure syslogd running
Stop the TCPIP AS (there are undoubtedly less invasive ways) Start the TCPIP
AS and watch for msg EZZ4248E, after which you should start your PA daemon
(eventually, you'll want to automate this), the start will probably look
something like... /usr/lpp/tcpip/sbin/pagent -l /tmp/pagent.log -c
/etc/pagent.conf & 

- Once started, check out the following for messages... 
MVS system log
Pagent log file
Output from the pasearch -t command 

If you need additional detail, please feel free to email me directly. 

HTH,
Mike  
 

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Lionel B Dyck
Sent: Sunday, June 28, 2020 6:26 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: AT-TLS ?


Anyone have any pointers for configuring AT-TLS on z/OS?





Lionel B. Dyck <
Website: https://www.lbdsoftware.com

"Worry more about your character than your reputation.  Character is what
you are, reputation merely what others think you are." - John Wooden






Re: AT-TLS ?

2020-06-28 Thread Wayne Bickerdike
The Redbook : http://www.redbooks.ibm.com/redbooks/pdfs/sg248041.pdf

On Mon, Jun 29, 2020 at 3:30 PM Wayne Bickerdike  wrote:

> The IBM Redbook for RACF RRSF has most of the information needed to
> configure AT-TLS.
>
> We're in the process of rolling out RRSF for RACF password sync. It's
> working between two of our plexes, I followed the book, used SYS1.SAMPLIB
> examples rather than attempting via zOSMF.
>
> On Mon, Jun 29, 2020 at 3:15 PM Itschak Mugzach <
> 0305158ad67d-dmarc-requ...@listserv.ua.edu> wrote:
>
>> A simpler way is to write the protocol yourself. It requires zero
>> configuration other than a set of certificates. Have a look at z/os web
>> enablement toolkit (Http/https protocol enabler portion). Works great and
>> fully supports Rexx.
>>
>> ITschak
>>
>> *| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
>> Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux
>> and IBM I **|  *
>>
>> *|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404
>> **|*
>> *Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il  **|*
>>
>>
>>
>>
>>
>> On Mon, Jun 29, 2020 at 1:26 AM Lionel B Dyck  wrote:
>>
>> > Anyone have any pointers for configuring AT-TLS on z/OS?
>> >
>> >
>> >
>> >
>> >
>> > Lionel B. Dyck <
>> > Website:   https://www.lbdsoftware.com
>> >
>> > "Worry more about your character than your reputation.  Character is
>> what
>> > you are, reputation merely what others think you are." - John Wooden
>> >
>> >
>> >
>> >
>>
>
>
> --
> Wayne V. Bickerdike
>
>

-- 
Wayne V. Bickerdike



Re: AT-TLS ?

2020-06-28 Thread Wayne Bickerdike
The IBM Redbook for RACF RRSF has most of the information needed to
configure AT-TLS.

We're in the process of rolling out RRSF for RACF password sync. It's
working between two of our plexes, I followed the book, used SYS1.SAMPLIB
examples rather than attempting via zOSMF.

On Mon, Jun 29, 2020 at 3:15 PM Itschak Mugzach <
0305158ad67d-dmarc-requ...@listserv.ua.edu> wrote:

> A simpler way is to write the protocol yourself. It requires zero
> configuration other than a set of certificates. Have a look at z/os web
> enablement toolkit (Http/https protocol enabler portion). Works great and
> fully supports Rexx.
>
> ITschak
>
> *| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
> Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux
> and IBM I **|  *
>
> *|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|*
> *Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il  **|*
>
>
>
>
>
> On Mon, Jun 29, 2020 at 1:26 AM Lionel B Dyck  wrote:
>
> > Anyone have any pointers for configuring AT-TLS on z/OS?
> >
> >
> >
> >
> >
> > Lionel B. Dyck <
> > Website:   https://www.lbdsoftware.com
> >
> > "Worry more about your character than your reputation.  Character is what
> > you are, reputation merely what others think you are." - John Wooden
> >
> >
> >
> >
>


-- 
Wayne V. Bickerdike



Re: AT-TLS ?

2020-06-28 Thread Itschak Mugzach
A simpler way is to write the protocol yourself. It requires zero
configuration other than a set of certificates. Have a look at z/os web
enablement toolkit (Http/https protocol enabler portion). Works great and
fully supports Rexx.

ITschak

*| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux
and IBM I **|  *

*|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|*
*Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il  **|*





On Mon, Jun 29, 2020 at 1:26 AM Lionel B Dyck  wrote:

> Anyone have any pointers for configuring AT-TLS on z/OS?
>
>
>
>
>
> Lionel B. Dyck <
> Website:   https://www.lbdsoftware.com
>
> "Worry more about your character than your reputation.  Character is what
> you are, reputation merely what others think you are." - John Wooden
>
>
>
>


Re: AT-TLS ?

2020-06-28 Thread Gibney, Dave
The details in the documentation are a bit scattered, including separate 
sections for FTPS and tn3270.

> -Original Message-
> From: IBM Mainframe Discussion List  On
> Behalf Of Lionel B Dyck
> Sent: Sunday, June 28, 2020 3:26 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: AT-TLS ?
> 
> Anyone have any pointers for configuring AT-TLS on z/OS?
> 
> 
> 
> 
> 
> Lionel B. Dyck <
> Website: https://www.lbdsoftware.com
> 
> "Worry more about your character than your reputation.  Character is what
> you are, reputation merely what others think you are." - John Wooden
> 
> 
> 
> 


Re: AT-TLS ?

2020-06-28 Thread Mike Hochee
Hi Lionel, 

I did this a few years back and utilized it for a product. Below are a few 
items from the product doc and a few more that remain in accessible memory 
areas...

- Read the relevant sections of Comm Server IP Configuration Ref, specifically 
in the chapter on Policy Agent (PA) and Policy Applications. Also in the IP 
Configuration Guide, there is a chapter on AT-TLS Security Data Protection, 
topic TCPIP Stack Initialization. 

- Use z/OSMF for generation of your initial set of PA config files and inputs, 
then consider manually tailoring. I opted for this approach under z/OS 2.2, but 
z/OSMF has undoubtedly improved greatly since then, so maybe you can use z/OSMF 
exclusively w/out too much pain these days. 

- Configure the syslog daemon, and test it to ensure messages are being 
collected for whatever you're interested in (TCPIP is not a pre-req for 
syslogd) 

- Configure PROFILE.TCPIP, you will need to add a TTLS parm to the TCPCONFIG 
statement

- Create the resource profile used to block access to the TCPIP stack during 
initialization, the name of the resource will be 
EZB.INITSTACK.%sysname.%tcpprocname  (it may be differently named w/ACF2 or 
TSS) 

- Create a server keyring and x509 certificate, and then connect the cert to 
the keyring, and depending on what you're doing you may need to permit access 
so the keyring and cert can be listed (resources are IRR.DIGTCERT.LISTRING and 
IRR.DIGTCERT.LIST) 

- Once you have done the above and are ready to test: 
Ensure syslogd running 
Stop the TCPIP AS (there are undoubtedly less invasive ways) 
Start the TCPIP AS and watch for msg EZZ4248E, after which you should start 
your PA daemon (eventually, you'll want to automate this), the start will 
probably look something like... /usr/lpp/tcpip/sbin/pagent -l /tmp/pagent.log 
-c /etc/pagent.conf & 

- Once started, check out the following for messages... 
MVS system log 
Pagent log file
Output from the pasearch -t command 

If you need additional detail, please feel free to email me directly. 

HTH, 
Mike  
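Mike's checklist, written out as one illustrative configuration. This is an added example, not Mike's or IBM's files: the system name SYS1, the stack user ID TCPIP, the daemon user IDs PAGENT and SYSLOGD, the key ring TTLSRING, the certificate labels, port 5401 and the file paths are all assumed, and the job and rule names are borrowed from Wendell's EZD1287I examples elsewhere in this thread. Statement syntax should be checked against the IP Configuration Reference and the RACF Command Language Reference cited in the thread.

```text
# --- PROFILE.TCPIP: "add a TTLS parm to the TCPCONFIG statement" ---
TCPCONFIG TTLS

# --- RACF (TSO commands): EZB.INITSTACK profile. Until Policy Agent has
# --- installed the policy, only the permitted daemons can use the stack, so
# --- no connection is ever made in the clear by mistake. Permit pagent,
# --- syslogd and whatever else the Policy Agent chapter lists for your setup.
RDEFINE SERVAUTH EZB.INITSTACK.SYS1.TCPIP UACC(NONE)
PERMIT EZB.INITSTACK.SYS1.TCPIP CLASS(SERVAUTH) ID(PAGENT) ACCESS(READ)
PERMIT EZB.INITSTACK.SYS1.TCPIP CLASS(SERVAUTH) ID(SYSLOGD) ACCESS(READ)
SETROPTS RACLIST(SERVAUTH) REFRESH

# --- RACF: key ring and server certificate owned by the stack's user ID
# --- (assumed TCPIP), because AT-TLS runs the handshake inside the stack,
# --- plus the two IRR.DIGTCERT profiles Mike names.
RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('Local Test CA') O('Example')) +
         WITHLABEL('LOCALCA') NOTAFTER(DATE(2030/12/31))
RACDCERT ID(TCPIP) GENCERT SUBJECTSDN(CN('cicsa.example.com') O('Example')) +
         WITHLABEL('CICSACERT') SIGNWITH(CERTAUTH LABEL('LOCALCA')) SIZE(2048)
RACDCERT ID(TCPIP) ADDRING(TTLSRING)
RACDCERT ID(TCPIP) CONNECT(ID(TCPIP) LABEL('CICSACERT') RING(TTLSRING) DEFAULT)
RACDCERT ID(TCPIP) CONNECT(CERTAUTH LABEL('LOCALCA') RING(TTLSRING))
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(TCPIP) ACCESS(READ)
PERMIT IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(TCPIP) ACCESS(READ)
SETROPTS RACLIST(FACILITY DIGTCERT) REFRESH

# --- /etc/pagent.conf: point Policy Agent at the AT-TLS policy file ---
TTLSConfig /etc/pagent_TTLS.conf

# --- /etc/pagent_TTLS.conf: an inbound (server) rule for the CICS listener on
# --- port 5401 and an outbound (client) rule for the started task that calls it.
TTLSRule                     XYZ_CICS_Rule
{
  LocalPortRange             5401
  Jobname                    CICSA
  Direction                  Inbound
  TTLSGroupActionRef         grpEnabled
  TTLSEnvironmentActionRef   envServer
}
TTLSRule                     XYZ_STC_Rule
{
  RemotePortRange            5401
  Jobname                    XYZSTC
  Direction                  Outbound
  TTLSGroupActionRef         grpEnabled
  TTLSEnvironmentActionRef   envClient
}
TTLSGroupAction              grpEnabled
{
  TTLSEnabled                On
  # Trace 2 sends errors to syslogd; raise to 255 only while debugging a handshake.
  Trace                      2
}
TTLSEnvironmentAction        envServer
{
  HandshakeRole              Server
  TTLSKeyringParms
  {
    Keyring                  TTLSRING
  }
  TTLSEnvironmentAdvancedParmsRef advNoLegacy
}
TTLSEnvironmentAction        envClient
{
  HandshakeRole              Client
  TTLSKeyringParms
  {
    Keyring                  TTLSRING
  }
  TTLSEnvironmentAdvancedParmsRef advNoLegacy
}
# Protocol versions are decided here, centrally, for every rule that references it.
TTLSEnvironmentAdvancedParms advNoLegacy
{
  SSLv2                      Off
  SSLv3                      Off
  TLSv1                      Off
  TLSv1.1                    Off
  TLSv1.2                    On
}
```

The TTLSEnvironmentAdvancedParms block is the piece that makes Tom's "one spot to update" argument concrete: the protocol versions every rule accepts are set once and the application programs never see them. Leaving the block out means accepting whatever the release's defaults enable, which is worth checking explicitly; cipher suites are pinned the same way with TTLSCipherParms. After uploading the files, start pagent as Mike shows and confirm with pasearch -t that both rules are listed as active before testing a connection.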
 

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Lionel B Dyck
Sent: Sunday, June 28, 2020 6:26 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: AT-TLS ?


Anyone have any pointers for configuring AT-TLS on z/OS?





Lionel B. Dyck <
Website:   https://www.lbdsoftware.com

"Worry more about your character than your reputation.  Character is what you 
are, reputation merely what others think you are." - John Wooden






Re: SSL/TLS MSU usage

2018-08-14 Thread Parwez Hamid
Mounif,

I am unable to comment on any 'increase' of the CP utilization. CPACF has been 
around for a very long time. Both the systems you mention have the CPACF 
function. You will need a no charge feature (not available for embargoed 
countries) for microcode to enable CPACF. The other key point to note is to 
check if CPACF will support all the en/decryption algorithms you want to use. 
If not supported by CPACF then you might need the Crypto Express feature for 
which there is a charge.

Parwez

BTW: I have just Googled for CPACF and Crypto Express performance etc. There 
are lots of hits (I haven't browsed the websites) on this subject including 
some SHARE presentations.



Re: SSL/TLS MSU usage

2018-08-13 Thread Brian Westerman
The z13 (and I think BC12/EC12s) have CPACF built into each physical CPU; the 
older machines had CPACF but it was shared between multiple processors.

There is some extra CPU involved when you don't have a cryptoexpress (CEX), but 
you have to remember that not everything is or can be offloaded to the CEX 
either.  I think the cryptoexpress has 8 processors, but depending on what you 
are doing SSL-wise you may not  see any real measurable improvement over CPACF.

If you are going to use CPACF with System SSL or MQ, you have to turn on a 
feature code, (feature #3863).

In reality, some part of the key negotiation will be performed on the General 
Processor (and CPACF) regardless of CEX availability.  Also certain SSLCIPH 
specs are not supported by the CEX cards (as per 
https://www.ibm.com/developerworks/community/blogs/c4142f9d-6cf1-44ef-a44a-b09428ad96d1/entry/is_my_ssl_channel_using_hardware_assist?lang=en
 ).

Brian



Re: AT-TLS for HTTP

2018-07-05 Thread Rob Schramm
It is probably just my own FUD that is making me doubt it.

Rob Schramm

On Thu, Jul 5, 2018, 1:59 PM Mike Hochee  wrote:

> I have not used it for that specifically, but I don't see why not.  The
> policy based rules allow for job/task names and support wildcards, and you
> might not even need those if you can filter based on a unique port range.
> I've been impressed with AT-TLS, as it offers a lot of customization
> options, as well as quite a few OOB use cases. An underrated feature of
> comm server IMO.
>
> HTH,
> Mike
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Rob Schramm
> Sent: Thursday, July 5, 2018 12:45 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: AT-TLS for HTTP
>
> This might be a weird one.  I have used Policy Agent AT-TLS in the past to
> secure JDBC communication with a UDB data base.  Can I use Policy agent to
> secure an existing HTTP GET process (assembler program), by doing a similar
> process?  Has anyone else done this?
>
> Thanks,
> Rob Schramm
>
> --
>
> Rob Schramm
>
-- 

Rob Schramm



Re: AT-TLS for HTTP

2018-07-05 Thread Mike Hochee
I have not used it for that specifically, but I don't see why not.  The policy 
based rules allow for job/task names and support wildcards, and you might not 
even need those if you can filter based on a unique port range.  I've been 
impressed with AT-TLS, as it offers a lot of customization options, as well as 
quite a few OOB use cases. An underrated feature of comm server IMO. 

HTH, 
Mike 

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Rob Schramm
Sent: Thursday, July 5, 2018 12:45 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: AT-TLS for HTTP

This might be a weird one.  I have used Policy Agent AT-TLS in the past to 
secure JDBC communication with a UDB data base.  Can I use Policy agent to 
secure an existing HTTP GET process (assembler program), by doing a similar 
process?  Has anyone else done this?

Thanks,
Rob Schramm

-- 

Rob Schramm



Re: AT-TLS replace ICF processor ?

2017-05-02 Thread Charles Mills
I believe AT-TLS generally utilizes ICSF which in turn may utilize your crypto 
hardware.

Charles


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of R.S.
Sent: Tuesday, May 2, 2017 11:16 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS replace ICF processor ?

On 2017-04-25 at 18:42, Nathan Astle wrote:
> Hi
>
> Cross posted
>
> Not trying to resolve anything.
>
> Recently had a discussion with a TCPIP/SNA person and he feels that 
> most of the task offloaded to ICF processor can be handled by AT-TLS.
>
> I was not able to make any sense out of it.
>
> Aren't ICF processors independent of AT-TLS?

ICF stands for Integrated Coupling Facility and has nothing to do with 
networking.
I think you mean ICSF, which is cryptography software that can exploit crypto 
hardware, including CPACF and CryptoExpress cards.
Indeed, ICSF (and GSKSRVR) can offload some functions of SSL, TLS, etc.



Re: AT-TLS replace ICF processor ?

2017-05-02 Thread R.S.

On 2017-04-25 at 18:42, Nathan Astle wrote:

Hi

Cross posted

Not trying to resolve anything.

Recently had a discussion with a TCPIP/SNA person and he feels that most of
the task offloaded to ICF processor can be handled by AT-TLS.

I was not able to make any sense out of it.

Aren't ICF processors independent of AT-TLS?


ICF stands for Integrated Coupling Facility and has nothing to do with 
networking.
I think you mean ICSF, which is cryptography software that can exploit 
crypto hardware, including CPACF and CryptoExpress cards.

Indeed, ICSF (and GSKSRVR) can offload some functions of SSL, TLS, etc.


--
Radoslaw Skorupka
Lodz, Poland






Re: FTP TLS options

2017-04-11 Thread Lester, Bob
Frank,

Good find!  I'm saving this one!

BobL

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Frank Swarbrick
Sent: Tuesday, April 11, 2017 3:05 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: FTP TLS options [ EXTERNAL ]

So one of our system programmers found an alternative to using AT-TLS to enable 
use of TLS v1.2 with the z/OS FTP client.  All you have to do is set an LE 
environment variable GSK_PROTOCOL_TLSV1_2=1.  Since the default (non ATTLS) 
SSL/TLS for FTP uses z/OS System SSL it is affected by (I assume) all of the 
"GSK environment variables" (see the "Environment variables" section of the 
"z/OS Cryptographic Services System SSL Programming manual".)


In order to set this variable in a JCL environment you simply do the following:

//DOFTPEXEC PGM=FTP,PARM='your.ftps.server (EXIT'
//CEEOPTS  DD *
ENVAR("GSK_PROTOCOL_TLSV1_2=1")
/*


Works like a charm!  Wish it was more explicitly documented somewhere.


Frank


From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
Frank Swarbrick <frank.swarbr...@outlook.com>
Sent: Tuesday, April 11, 2017 9:24 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: FTP TLS options

I'll pass that along to those in charge of such things.  :-)  Thanks.


From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Tom 
Conley <pinnc...@rochester.rr.com>
Sent: Monday, April 10, 2017 9:38 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: FTP TLS options

On 4/10/2017 7:04 PM, Frank Swarbrick wrote:
> I'm guessing there's a bit more to it than that, yes?  Such as actually 
> configuring Policy Agent?
>

Frank,

Sorry, thought you already configured PAGENT, but missed the PROFILE member, 
like I did the first time I tried it.  If you run z/OSMF, you can config 
pagent.conf fairly easily with Configuration Assistant.  If not, you can try 
the samples in (WTW):

/usr/lpp/tcpip/samples/pagent_TTLS.conf

Good luck,
Tom Conley



Re: FTP TLS options

2017-04-11 Thread Frank Swarbrick
So one of our system programmers found an alternative to using AT-TLS to enable 
use of TLS v1.2 with the z/OS FTP client.  All you have to do is set an LE 
environment variable GSK_PROTOCOL_TLSV1_2=1.  Since the default (non ATTLS) 
SSL/TLS for FTP uses z/OS System SSL it is affected by (I assume) all of the 
"GSK environment variables" (see the "Environment variables" section of the 
"z/OS Cryptographic Services System SSL Programming manual".)


In order to set this variable in a JCL environment you simply do the following:

//DOFTPEXEC PGM=FTP,PARM='your.ftps.server (EXIT'
//CEEOPTS  DD *
ENVAR("GSK_PROTOCOL_TLSV1_2=1")
/*


Works like a charm!  Wish it was more explicitly documented somewhere.


Frank


From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
Frank Swarbrick <frank.swarbr...@outlook.com>
Sent: Tuesday, April 11, 2017 9:24 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: FTP TLS options

I'll pass that along to those in charge of such things.  :-)  Thanks.


From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Tom 
Conley <pinnc...@rochester.rr.com>
Sent: Monday, April 10, 2017 9:38 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: FTP TLS options

On 4/10/2017 7:04 PM, Frank Swarbrick wrote:
> I'm guessing there's a bit more to it than that, yes?  Such as actually 
> configuring Policy Agent?
>

Frank,

Sorry, thought you already configured PAGENT, but missed the PROFILE
member, like I did the first time I tried it.  If you run z/OSMF, you
can config pagent.conf fairly easily with Configuration Assistant.  If
not, you can try the samples in (WTW):

/usr/lpp/tcpip/samples/pagent_TTLS.conf

Good luck,
Tom Conley



Re: FTP TLS options

2017-04-11 Thread Frank Swarbrick
I'll pass that along to those in charge of such things.  :-)  Thanks.


From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Tom 
Conley <pinnc...@rochester.rr.com>
Sent: Monday, April 10, 2017 9:38 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: FTP TLS options

On 4/10/2017 7:04 PM, Frank Swarbrick wrote:
> I'm guessing there's a bit more to it than that, yes?  Such as actually 
> configuring Policy Agent?
>

Frank,

Sorry, thought you already configured PAGENT, but missed the PROFILE
member, like I did the first time I tried it.  If you run z/OSMF, you
can config pagent.conf fairly easily with Configuration Assistant.  If
not, you can try the samples in (WTW):

/usr/lpp/tcpip/samples/pagent_TTLS.conf

Good luck,
Tom Conley



Re: FTP TLS options

2017-04-11 Thread Frank Swarbrick
My testing (and reading of ambiguous documentation) leads me to believe that 
FTP on z/OS, without the use of AT-TLS, supports TLS v1.0 but not v1.2.


This was verified by the fact that I can connect (as a z/OS client) to a v1.0 
configured server, but when v1.0 is eliminated (leaving only v1.2 supported on 
the server) the server intentionally drops the connection when the TLS 
negotiation is attempted.  The server log in this case says "Unable to 
establish SSL connection (unknown protocol)".  Ideally it would say the client 
and server don't both support a common TLS level, but this appears to be what 
is occurring.


From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
Gibney, Dave <gib...@wsu.edu>
Sent: Monday, April 10, 2017 8:03 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: FTP TLS options

I am at z/OS 2.1 and have
EXTENSIONS AUTH_TLS
TLSRFCLEVEL RFC4217

And some level of TLS is working

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> On Behalf Of Rob Schramm
> Sent: Monday, April 10, 2017 6:18 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: FTP TLS options
>
> Yes. But policy agent is not actually that hard...But on zOS GT 1.13 you need
> zOSMF as well.
>
> Rob Schramm
>
> On Mon, Apr 10, 2017, 7:05 PM Frank Swarbrick
> <frank.swarbr...@outlook.com>
> wrote:
>
> > I'm guessing there's a bit more to it than that, yes?  Such as
> > actually configuring Policy Agent?
> >
> > 
> > From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on
> > behalf of Tom Conley <pinnc...@rochester.rr.com>
> > Sent: Monday, April 10, 2017 3:46 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: FTP TLS options
> >
> > On 4/10/2017 3:15 PM, Frank Swarbrick wrote:
> > > Hi Mike.
> > >
> > > I assume you mean:
> > > TLSMECHANISM  ATTLS
> > > where the default (which we use) is
> > > TLSMECHANISM  FTP
> > >
> > > Unfortunately we don't currently have AT-TLS set up.  When I try to
> > > use
> > it I get the following:
> > > AT-TLS not enabled on TCPCONFIG
> > >
> > > Does z/OS FTP not support TLS v1.2 when TLSMECHANISM=FTP?
> > >
> > >
> > > I am not a sysprog so I can't speak to the question about IBM's
> > > security
> > vulnerability warnings.
> > >
> > > Frank
> >
> > Thou needst TCPCONFIG TTLS in thy PROFILE member, varlet.
> >
> > Yours,
> > Thomas de Conley
> >
> >
> --
>
> Rob Schramm
>



Re: AT-TLS setup question

2017-04-11 Thread Tom Conley

On 4/11/2017 9:17 AM, Ernest Nachtigall wrote:

I have two clients, one running SSLv3, the other AT-TLSv1.2 These are ATM 
machines in my test environment.
The SSLv3 support uses a user module, the other is using AT-TLS already.

I need to temporarily support the SSLv3 client to ease migration and hope I can 
turn on both SSLv3 and TLSv1.2 in the AT-TLS definitions.
Can I just specify

KEYRING:USERSSL
SSLV2:  OFF
SSLV3:  ON
TLSV1:  OFF
TLSV1.1:OFF
TLSV1.2:ON

Or must I turn on SSLv2, TLSV1 and TLSV1.1 as well?



Ernest,

You can definitely leave SSLv2 OFF.  Not sure about TLSv1 and TLSv1.1, 
but the book implies that's possible.  Give it a shot and let us know 
the results.


Regards,
Tom Conley



Re: FTP TLS options

2017-04-10 Thread Tom Conley

On 4/10/2017 7:04 PM, Frank Swarbrick wrote:

I'm guessing there's a bit more to it than that, yes?  Such as actually 
configuring Policy Agent?



Frank,

Sorry, thought you already configured PAGENT, but missed the PROFILE 
member, like I did the first time I tried it.  If you run z/OSMF, you 
can config pagent.conf fairly easily with Configuration Assistant.  If 
not, you can try the samples in (WTW):


/usr/lpp/tcpip/samples/pagent_TTLS.conf

Good luck,
Tom Conley



Re: FTP TLS options

2017-04-10 Thread Gibney, Dave
I am at z/OS 2.1 and have
EXTENSIONS AUTH_TLS
TLSRFCLEVEL RFC4217

And some level of TLS is working

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> On Behalf Of Rob Schramm
> Sent: Monday, April 10, 2017 6:18 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: FTP TLS options
> 
> Yes. But policy agent is not actually that hard...But on zOS GT 1.13 you need
> zOSMF as well.
> 
> Rob Schramm
> 
> On Mon, Apr 10, 2017, 7:05 PM Frank Swarbrick
> <frank.swarbr...@outlook.com>
> wrote:
> 
> > I'm guessing there's a bit more to it than that, yes?  Such as
> > actually configuring Policy Agent?
> >
> > 
> > From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on
> > behalf of Tom Conley <pinnc...@rochester.rr.com>
> > Sent: Monday, April 10, 2017 3:46 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: FTP TLS options
> >
> > On 4/10/2017 3:15 PM, Frank Swarbrick wrote:
> > > Hi Mike.
> > >
> > > I assume you mean:
> > > TLSMECHANISM  ATTLS
> > > where the default (which we use) is
> > > TLSMECHANISM  FTP
> > >
> > > Unfortunately we don't currently have AT-TLS set up.  When I try to
> > > use
> > it I get the following:
> > > AT-TLS not enabled on TCPCONFIG
> > >
> > > Does z/OS FTP not support TLS v1.2 when TLSMECHANISM=FTP?
> > >
> > >
> > > I am not a sysprog so I can't speak to the question about IBM's
> > > security
> > vulnerability warnings.
> > >
> > > Frank
> >
> > Thou needst TCPCONFIG TTLS in thy PROFILE member, varlet.
> >
> > Yours,
> > Thomas de Conley
> >
> >
> --
> 
> Rob Schramm
> 



Re: FTP TLS options

2017-04-10 Thread Rob Schramm
Yes. But policy agent is not actually that hard...But on zOS GT 1.13 you
need zOSMF as well.

Rob Schramm

On Mon, Apr 10, 2017, 7:05 PM Frank Swarbrick <frank.swarbr...@outlook.com>
wrote:

> I'm guessing there's a bit more to it than that, yes?  Such as actually
> configuring Policy Agent?
>
> 
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf
> of Tom Conley <pinnc...@rochester.rr.com>
> Sent: Monday, April 10, 2017 3:46 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: FTP TLS options
>
> On 4/10/2017 3:15 PM, Frank Swarbrick wrote:
> > Hi Mike.
> >
> > I assume you mean:
> > TLSMECHANISM  ATTLS
> > where the default (which we use) is
> > TLSMECHANISM  FTP
> >
> > Unfortunately we don't currently have AT-TLS set up.  When I try to use
> it I get the following:
> > AT-TLS not enabled on TCPCONFIG
> >
> > Does z/OS FTP not support TLS v1.2 when TLSMECHANISM=FTP?
> >
> >
> > I am not a sysprog so I can't speak to the question about IBM's security
> vulnerability warnings.
> >
> > Frank
>
> Thou needst TCPCONFIG TTLS in thy PROFILE member, varlet.
>
> Yours,
> Thomas de Conley
>
>
-- 

Rob Schramm



Re: FTP TLS options

2017-04-10 Thread Frank Swarbrick
I'm guessing there's a bit more to it than that, yes?  Such as actually 
configuring Policy Agent?


From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Tom 
Conley <pinnc...@rochester.rr.com>
Sent: Monday, April 10, 2017 3:46 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: FTP TLS options

On 4/10/2017 3:15 PM, Frank Swarbrick wrote:
> Hi Mike.
>
> I assume you mean:
> TLSMECHANISM  ATTLS
> where the default (which we use) is
> TLSMECHANISM  FTP
>
> Unfortunately we don't currently have AT-TLS set up.  When I try to use it I 
> get the following:
> AT-TLS not enabled on TCPCONFIG
>
> Does z/OS FTP not support TLS v1.2 when TLSMECHANISM=FTP?
>
>
> I am not a sysprog so I can't speak to the question about IBM's security 
> vulnerability warnings.
>
> Frank

Thou needst TCPCONFIG TTLS in thy PROFILE member, varlet.

Yours,
Thomas de Conley



Re: FTP TLS options

2017-04-10 Thread Tom Conley

On 4/10/2017 3:15 PM, Frank Swarbrick wrote:

Hi Mike.

I assume you mean:
TLSMECHANISM  ATTLS
where the default (which we use) is
TLSMECHANISM  FTP

Unfortunately we don't currently have AT-TLS set up.  When I try to use it I 
get the following:
AT-TLS not enabled on TCPCONFIG

Does z/OS FTP not support TLS v1.2 when TLSMECHANISM=FTP?


I am not a sysprog so I can't speak to the question about IBM's security 
vulnerability warnings.

Frank


Thou needst TCPCONFIG TTLS in thy PROFILE member, varlet.

Yours,
Thomas de Conley



Re: FTP TLS options

2017-04-10 Thread Frank Swarbrick
Hi Mike.

I assume you mean:
TLSMECHANISM  ATTLS
where the default (which we use) is
TLSMECHANISM  FTP

Unfortunately we don't currently have AT-TLS set up.  When I try to use it I 
get the following:
AT-TLS not enabled on TCPCONFIG

Does z/OS FTP not support TLS v1.2 when TLSMECHANISM=FTP?


I am not a sysprog so I can't speak to the question about IBM's security 
vulnerability warnings.

Frank


From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
Mike Wawiorko <014ab5cdfb21-dmarc-requ...@listserv.ua.edu>
Sent: Monday, April 10, 2017 4:10 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: FTP TLS options

Frank,

You should change to AT-TLS

SECURE_MECHANISM  ATTLS

That will get TLSv1.2 support but just as important will allow you to use newer 
cipher suites.

Many of the older cipher suites supported by the FTP client (or server) 
internal SSL/TLS function have been the subject of security warnings over the 
last couple of years.

Do you subscribe to IBM's security vulnerability warnings?

Mike Wawiorko

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Frank Swarbrick
Sent: 07 April 2017 19:28
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: FTP TLS options

Does z/OS 2.2 support TLS v1.2 for FTP clients without the use of AT-TLS?  This 
new server we have is (currently) configured to support only TLS v1.2, and 
nothing earlier.  We're trying to get approval to "back down" to TLS v1.0, but 
I figured I'd ask this anyway.

Frank


Re: FTP TLS options

2017-04-10 Thread Mike Wawiorko
Frank,

You should change to AT-TLS

SECURE_MECHANISM  ATTLS   

That will get TLSv1.2 support but just as important will allow you to use newer 
cipher suites.

Many of the older cipher suites supported by the FTP client (or server) 
internal SSL/TLS function have been the subject of security warnings over the 
last couple of years.

Do you subscribe to IBM's security vulnerability warnings?

Mike Wawiorko
   
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Frank Swarbrick
Sent: 07 April 2017 19:28
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: FTP TLS options

Does z/OS 2.2 support TLS v1.2 for FTP clients without the use of AT-TLS?  This 
new server we have is (currently) configured to support only TLS v1.2, and 
nothing earlier.  We're trying to get approval to "back down" to TLS v1.0, but 
I figured I'd ask this anyway.

Frank


Re: FTP TLS options

2017-04-07 Thread Frank Swarbrick
Does z/OS 2.2 support TLS v1.2 for FTP clients without the use of AT-TLS?  This 
new server we have is (currently) configured to support only TLS v1.2, and 
nothing earlier.  We're trying to get approval to "back down" to TLS v1.0, but 
I figured I'd ask this anyway.

Frank


From: IBM Mainframe Discussion List  on behalf of 
Frank Swarbrick 
Sent: Friday, April 7, 2017 10:21 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: FTP TLS options

We currently use the following options for client connections to an FTPS server:

SECURE_MECHANISM  TLS   ;Use TLS, if supported by server
SECURE_DATACONN   PRIVATE   ;Protect data connection when using TLS
KEYRING   FTPS/ftpsring ;Key ring for TLS encryption
NETRCLEVEL2 ;Use userid.NETRC by default
LOGCLIENTERR  TRUE  ;Log errors to the console
CLIENTERRCODESEXTENDED
EPSV4 TRUE  ;Extended Passive mode

We're trying to connect to a new server and it's failing.  With "verbose mode" 
on the client I see the following:

Using 'DVFJS.FTP.DATA' for local site configuration parameters.
Using //'TCPIP.STANDARD.TCPXLBIN' for FTP translation tables for the control 
connection.
Using //'TCPIP.STANDARD.TCPXLBIN' for FTP translation tables for the data 
connection.
IBM FTP CS V2R2
Using catalog '/usr/lib/nls/msg/C/ftpdmsg.cat' for FTP messages.
Connecting to: ServUmft.FB 10.0.34.16 port: 3443.
220 Serv-U FTP Server v15.1 ready...
FC0270 ftpAuth: security values: mech=TLS, tlsmech=FTP, tlsreuse=N, sFTP=A, 
sCC=C, sDC=P
FC0317 ftpAuth:  cipherspecs =
FC0362 ftpAuth: environment_open()
FC0526 ftpAuth: environment_init()
FC0535 ftpAuth: environment initialization complete
>>> AUTH TLS
234 AUTH command OK. Initializing SSL connection.
FC0989 authServer: secure_socket_open()
FC1056 authServer: secure_socket_init()
FC1069 authServer: secure_socket_init failed with rc = 420 (Socket closed by 
remote partner)
FC1543 endSecureConn: entered
Authentication negotiation failed
FC1575 endSecureEnv: entered
*** Control connection with ServUmft.FB dies.
SC4159 SETCEC code = 10
You must first issue the 'OPEN' command
PC1047 logClientErrMsg: entered
PC0945 setClientRC: entered
PC1015 setClientRC: std_rc=10234, rc_type=STD, rc=10234
DVFJS4 FTP failed - Cmd = 10(open) Reply = 234 NX STD RC = 10234

The server has the following logs:
[02] Fri 07Apr17 10:05:47 - (263266) Connected to 10.0.200.250 (local address 
10.0.36.53, port 3443)
[02] Fri 07Apr17 10:05:47 - (263266) Unable to establish SSL connection 
(unknown protocol)
[02] Fri 07Apr17 10:05:47 - (263266) Closed session

The server also indicates use of the following
Protocol: TLS1.2
Key exchange: ECDHE-RSA
Cipher: AES-256-GCM
MAC: AEAD

Are these supported on z/OS?  If so, what config settings are required?

Thanks, Frank

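The failure above (z/OS FTP client with the default tlsmech=FTP against a server that only accepts TLS 1.2) comes down to two checks the server performs on the ClientHello: the highest protocol version the client offers and the cipher suites it lists. The Python below is an added example, not code from the list or from IBM. It builds a constructed ClientHello record, parses the version and cipher-suite list back out, and checks them against a server minimum version and a System SSL style "expanded" cipher list (the 4-hex-digits-per-suite format that appears later in this archive as GSK_V3_CIPHER_SPECS_EXPANDED; the server list below is copied from that trace line). The suite-name table, the zeroed client random, the legacy client suite list and the rejection wording are the example's own.

```python
import struct
from typing import Dict, List, Tuple

# IANA names for the suite identifiers that appear in this archive's traces.
# Assumption: this table is the example's own; System SSL has its own cipher-spec numbering.
SUITE_NAMES: Dict[int, str] = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
}

TLS10, TLS12 = 0x0301, 0x0303

# Server list copied from the "Set GSK_V3_CIPHER_SPECS_EXPANDED" trace line in this archive.
SERVER_SPECS = "C02FC030009E009F009C009D002F0035000A"
# Constructed: suites a TLS 1.0-only client might offer (same order as the ClientHello dump).
LEGACY_CLIENT_SUITES = [0x002F, 0x0035, 0x0005, 0x000A, 0x0032, 0x0038]


def parse_expanded_specs(hexstr: str) -> List[int]:
    """Split a System SSL 'expanded' cipher list (4 hex digits per suite) into suite ids, server order."""
    hexstr = hexstr.strip()
    if len(hexstr) % 4:
        raise ValueError("expanded cipher spec must be a multiple of 4 hex digits")
    return [int(hexstr[i:i + 4], 16) for i in range(0, len(hexstr), 4)]


def build_client_hello(client_version: int, suites: List[int]) -> bytes:
    """Constructed TLS record (type 0x16, record version 3.1) carrying a minimal ClientHello."""
    body = struct.pack("!H", client_version)          # highest version the client supports
    body += bytes(32)                                 # client random (zeroed; constructed input)
    body += b"\x00"                                   # empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> Tuple[int, List[int]]:
    """Return (client_version, offered suites) from a ClientHello record; raise on anything else."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    client_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                      # skip the 32-byte random
    pos += 1 + body[pos]                              # skip the session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return client_version, suites


def negotiate(record: bytes, server_specs_hex: str, server_min_version: int) -> dict:
    """Simulate the server's two checks: version floor first, then a common suite in server order."""
    client_version, offered = parse_client_hello(record)
    if client_version < server_min_version:
        return {"ok": False, "reason": "client's highest version is below the server minimum",
                "client_version": client_version}
    common = [s for s in parse_expanded_specs(server_specs_hex) if s in offered]
    if not common:
        return {"ok": False, "reason": "no cipher suite in common", "client_version": client_version}
    return {"ok": True, "client_version": client_version, "cipher": common[0],
            "name": SUITE_NAMES.get(common[0], "unknown")}


if __name__ == "__main__":
    # A TLS 1.0 ClientHello is refused before cipher suites are even compared.
    print(negotiate(build_client_hello(TLS10, LEGACY_CLIENT_SUITES), SERVER_SPECS, TLS12))
    # The same client, once it offers TLS 1.2 and a GCM suite, gets ECDHE-RSA AES-256-GCM.
    print(negotiate(build_client_hello(TLS12, [0xC030] + LEGACY_CLIENT_SUITES), SERVER_SPECS, TLS12))
```

The first five bytes the example emits (16 03 01 plus a length) are the same record header that opens the "RECV CIPHER 160301005F" line in the later AT-TLS trace, which is where a practitioner reads the client's offered version and suites when the server log only says "unknown protocol".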


Re: AT-TLS config help

2015-06-11 Thread Scott Ford
Andrew:

I know I missed something, so I appreciate the help.

SyslogD:

//*
//CONFPDS EXEC PGM=SYSLOGD,REGION=30M,TIME=NOLIMIT,
//PARM='POSIX(ON) ALL31(ON)/'
Comments

//SYSPRINT DD SYSOUT=*
//SYSINDD DUMMY
//SYSERR   DD SYSOUT=*
//SYSOUT   DD SYSOUT=*
//CEEDUMP  DD SYSOUT=*

/ADCD113S/etc/syslog.conf:

*.* /tmp/syslogd.log
daemon.debug  /tmp/daemon.trace



 Pagent:

//PAGENT   PROC
//*
comments.
//STDENV   DD PATH='/etc/pagent.env',PATHOPTS=(ORDONLY)
//SYSPRINT DD SYSOUT=*
//SYSOUT   DD SYSOUT=*


PAGENT_CONFIG_FILE=/etc/pagent.conf
PAGENT_LOG_FILE=/etc/pagent.log
PAGENT_LOG_CONTROL=3000,2
TZ=EST5EDTC


/ADCD113S/etc/pagent.conf:

TTLSConfig /etc/pagent.ttls.conf FLUSH
LogLevel 511



Regards,
Scott

On Thu, Jun 11, 2015 at 9:08 AM, Andrew Armstrong 
androidarmstr...@gmail.com wrote:

 If Pioneer is the server then I think you should code HandShakeRole
 Server.

 As for tracing, how have you configured your syslogd?





Re: AT-TLS config help

2015-06-11 Thread Andrew Armstrong
If Pioneer is the server then I think you should code HandShakeRole
  Server.

As for tracing, how have you configured your syslogd?



Re: AT-TLS config help

2015-06-10 Thread Donald J.
after the Trace 15, add something like this:
{   
   SyslogFacility   auth
}   

-- 
  Donald J.
  dona...@4email.net

On Wed, Jun 10, 2015, at 12:16 PM, Scott Ford wrote:
 Guys/Gals:
 
 We have a Cobol CICS Sockets STC Server with a Java client.
 The Java client will send in requests and receive output from the Socket
 Server.
 We are on z/OS 1.13; below is my 'pagent.ttls.conf'
 
 TTLSRule PioneerServer
 {
  LocalPortRange 5799
  JobName PIONEER
  Direction Inbound
  Priority 1
  TTLSGroupActionRef PionGrpAct
  TTLSEnvironmentActionRef PionEnvAct
  TTLSConnectionActionRef  PionConn
 }
 TTLSGroupAction PionGrpAct
 {
  TTLSEnabled On
  FIPS140 Off
  Trace 15  # Log Errors to syslogd * IP joblog
 }
 TTLSEnvironmentAction PionEnvAct
 {
  HandShakeRole  Client
  TTLSKeyRingParmsRef PionRing
 }
 TTLSKeyRingParms PionRing
 {
   Keyring  pionring
 }
 TTLSConnectionAction PionConn
 {
  TTLSConnectionAdvancedParms
  {
SSLv2 Off
SSLv3 On
TLSv1 On
  }
 }
 
 I have SYSLOGD configured, but I am not seeing trace output.
 Can someone offer some help?
 
 

-- 
http://www.fastmail.com - Faster than the air-speed velocity of an
  unladen european swallow

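As an added example (not the poster's configuration or IBM's code), the following Python lint parses a fragment with the block layout shown above and flags the two points raised in this thread: an inbound rule whose environment action codes HandShakeRole Client, and SSLv3 left On. It assumes braces on their own lines, as in the posted file, and uses only keywords that appear in it.

```python
"""Lint a pagent.ttls.conf fragment for two problems raised in this thread: an
inbound (server-side) rule whose TTLSEnvironmentAction codes HandShakeRole
Client, and SSLv2/SSLv3 switched On in TTLSConnectionAdvancedParms. Added
example, not the poster's or IBM's code; it handles only the layout shown in
the thread (braces on their own lines, '#' comments), keywords taken from it.
"""

# Constructed sample: the posted configuration, trimmed and spacing repaired.
SAMPLE_CONF = """\
TTLSRule PioneerServer
{
  LocalPortRange 5799
  Direction Inbound
  TTLSGroupActionRef PionGrpAct
  TTLSEnvironmentActionRef PionEnvAct
  TTLSConnectionActionRef PionConn
}
TTLSGroupAction PionGrpAct
{
  TTLSEnabled On
  Trace 15  # Log errors to syslogd and the IP job log
}
TTLSEnvironmentAction PionEnvAct
{
  HandShakeRole Client
  TTLSKeyRingParmsRef PionRing
}
TTLSConnectionAction PionConn
{
  TTLSConnectionAdvancedParms
  {
    SSLv2 Off
    SSLv3 On
    TLSv1 On
  }
}
"""


def parse(text):
    """Return nested dicts: a block 'Keyword Name { ... }' is stored under the
    tuple key (Keyword, Name), a plain 'Keyword value' line under the string
    key Keyword. Blocks may nest, as TTLSConnectionAdvancedParms does."""
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    tokens = [line for line in lines if line]
    pos = 0

    def block():
        nonlocal pos
        body = {}
        while pos < len(tokens) and tokens[pos] != "}":
            parts = tokens[pos].split(None, 1)
            pos += 1
            keyword, rest = parts[0], (parts[1] if len(parts) > 1 else "")
            if pos < len(tokens) and tokens[pos] == "{":
                pos += 1                       # consume '{'
                body[(keyword, rest)] = block()
                if pos >= len(tokens):
                    raise ValueError(f"unterminated block: {keyword} {rest}")
                pos += 1                       # consume '}'
            else:
                body[keyword] = rest
        return body

    conf = block()
    if pos != len(tokens):
        raise ValueError("unexpected '}' at top level")
    return conf


def blocks(conf, kind):
    """Map name -> body for every top-level block of one statement type."""
    return {key[1]: body for key, body in conf.items()
            if isinstance(key, tuple) and key[0] == kind}


def lint(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    envs = blocks(conf, "TTLSEnvironmentAction")
    conns = blocks(conf, "TTLSConnectionAction")
    for rule, body in blocks(conf, "TTLSRule").items():
        env_ref = body.get("TTLSEnvironmentActionRef", "")
        env = envs.get(env_ref)
        if env is None:
            findings.append(f"{rule}: TTLSEnvironmentActionRef {env_ref!r} not defined")
        elif body.get("Direction") == "Inbound" and env.get("HandShakeRole") == "Client":
            # The thread's case: a rule covering a listening server needs HandShakeRole Server.
            findings.append(f"{rule}: Direction Inbound but {env_ref} codes HandShakeRole Client")
        conn_ref = body.get("TTLSConnectionActionRef", "")
        advanced = conns.get(conn_ref, {}).get(("TTLSConnectionAdvancedParms", ""), {})
        for proto in ("SSLv2", "SSLv3"):
            if advanced.get(proto, "").lower() == "on":
                findings.append(f"{rule}: {proto} On in {conn_ref}; obsolete, code {proto} Off")
    return findings
```

`lint(parse(SAMPLE_CONF))` returns the two findings; with HandShakeRole Server and SSLv3 Off substituted it returns none.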


Re: AT-TLS question , issue

2015-05-15 Thread Scott Ford
Rob,

Sorry for the late reply. The mismatch of ciphers was ADCD, this version of
z/OS appears to give the customer a subset of ciphers. I am in the process
of contacting IBM to find out more information. We have it working on the
supplied ciphers. My concern of course is what the customer is using.

Regards,
Scott
www.idmworks.com

On Thursday, May 14, 2015, Rob Schramm rob.schr...@gmail.com wrote:

 Diagnosis Guide with a direct hit


 http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.hald001/atprble.htm

 q0 - did you copy one of the GUI samples for the AT-TLS setup or build it
 from scratch?

 q1 - what ciphers did you select in Config Assistant or z/OSMF when you
 setup the connection?

 q2 - what ciphers are supported on the client side? sslv3/tlsv10/tlsv11 etc
 etc

 Rob Schramm
 Senior Systems Consultant




Re: AT-TLS question , issue

2015-05-14 Thread Donald J.
Correction: This is the server supported cipher list
Set GSK_V3_CIPHER_SPECS_EXPANDED(214) -  C02FC030009E009F009C009D002F0035000A

Client ciphers are in the client hello.  2nd packet in ATTLS trace below: (002F 0035 0005 etc)
RECV CIPHER 160301005F
RECV CIPHER
015B030155548ECF35553E488B83C575E3ED52CAA2E0C8DBB37AA97EEAC35115EAC90CB81
0002F00350005000A00320038 ...
 
-- 
  Donald J.
  dona...@4email.net

On Thu, May 14, 2015, at 04:56 AM, Donald J. wrote:
 If you use trace level: Trace   127   you will get debugging info 
 on ciphers and other things.
 Cipher list presented by client:
 CONNID: DA17  RC:0 Set GSK_V3_CIPHER_SPECS_EXPANDED(214) -  
 C02FC030009E009F009C009D002F0035000A
 Cipher chosen by server:
 CONNID: DA17  RC:0 Get GSK_CONNECT_SEC_TYPE(208) -  TLSV1  
 CONNID: DA17  RC:0 Get GSK_CONNECT_CIPHER_SPEC(207) -  002F
 
 -- 
   Donald J.
   dona...@4email.net
 
 On Wed, May 13, 2015, at 03:20 PM, Scott Ford wrote:
  All,
  We are running z/OS 1.13 and I have AT-TLS configured with PAGENT and
  SYSLOGD. We are testing a Java client inbound to a COBOL STC running CICS
  Sockets (ezasoket). In our testing we are seeing a EZD1287I TTLS Error RC:
   402 Initial Handshake. The server is showing a socket-read errno=54  -
  Econnreset. Does this imply the cipher is wrong ?
  The Java client is sending a self-signed certificate which we generated. We
  know it's ok locally in the same physical office with another server.  What
  I am not sure about is what ciphers, if this is the issue are supported on
  AT-TLS ..can someone be kind enough to help me out.
  
  Regards,
  Scott
  

-- 
http://www.fastmail.com - A no graphics, no pop-ups email service

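As an added example (not the posters' or IBM's code), the following Python works through the negotiation behind RC 402: it builds a ClientHello carrying the six suites read out of the trace above, parses it back the way the dump is read (record header, handshake header, then the cipher_suites vector) and looks for a suite that the server's GSK_V3_CIPHER_SPECS_EXPANDED list also contains. The ClientHello bytes, the zero random field and the server-order preference rule are assumptions.

```python
"""Cipher-suite check for the RC 402 case in this thread (no SSL cipher suite
could be agreed upon between client and server). Added example, not code from
the list posters or from IBM. SERVER_SPECS is the GSK_V3_CIPHER_SPECS_EXPANDED
value from the trace and CLIENT_SUITES the six suites read out of the
ClientHello there; the ClientHello bytes built here, the all-zero random field
and the server-order preference are assumptions.
"""

# IANA cipher-suite numbers for the values that appear in the thread; the flag
# marks the RC4, DES and 3DES suites as weak.
SUITES = {
    "C02F": ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", False),
    "C030": ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", False),
    "009E": ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", False),
    "009F": ("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", False),
    "009C": ("TLS_RSA_WITH_AES_128_GCM_SHA256", False),
    "009D": ("TLS_RSA_WITH_AES_256_GCM_SHA384", False),
    "002F": ("TLS_RSA_WITH_AES_128_CBC_SHA", False),
    "0035": ("TLS_RSA_WITH_AES_256_CBC_SHA", False),
    "0005": ("TLS_RSA_WITH_RC4_128_SHA", True),
    "000A": ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", True),
    "000C": ("TLS_DH_DSS_WITH_DES_CBC_SHA", True),
    "0032": ("TLS_DHE_DSS_WITH_AES_128_CBC_SHA", False),
    "0038": ("TLS_DHE_DSS_WITH_AES_256_CBC_SHA", False),
}

SERVER_SPECS = "C02FC030009E009F009C009D002F0035000A"            # from the trace
CLIENT_SUITES = ["002F", "0035", "0005", "000A", "0032", "0038"]  # from the trace


def gsk_suites(spec):
    """Split a GSK_V3_CIPHER_SPECS_EXPANDED string into 4-hex-digit suite IDs."""
    spec = spec.strip().upper()
    if len(spec) % 4:
        raise ValueError("expanded cipher spec must be a multiple of 4 hex digits")
    return [spec[i:i + 4] for i in range(0, len(spec), 4)]


def build_client_hello(suites, random_bytes=bytes(32)):
    """Build a minimal TLS 1.0 ClientHello record (no extensions) offering the
    given suites. Constructed for the example; the real hello was longer."""
    body = b"\x03\x01" + random_bytes + b"\x00"        # version, random, empty session id
    cs = b"".join(bytes.fromhex(s) for s in suites)
    body += len(cs).to_bytes(2, "big") + cs
    body += b"\x01\x00"                                # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def client_hello_suites(record):
    """Parse a raw ClientHello record the way the trace dump is read: record
    header, handshake header, then client_version, random, session_id and
    the cipher_suites vector. Returns (client_version_hex, [suite IDs])."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or not body or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                       # past client_version and random
    pos += 1 + hello[pos]                              # skip session_id
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    suites = [hello[i:i + 2].hex().upper() for i in range(pos, pos + cs_len, 2)]
    return hello[:2].hex().upper(), suites


def negotiate(server_specs, client_suites):
    """First suite in the server's list that the client offered, or None when
    there is no common suite (the condition behind RC 402). Server-order
    preference is an assumption here, not GSK's documented rule."""
    offered = set(client_suites)
    for suite in gsk_suites(server_specs):
        if suite in offered:
            return suite
    return None


def describe(suite):
    name, weak = SUITES.get(suite, ("unknown suite", False))
    return f"{suite} {name}" + (" [weak]" if weak else "")


def check(server_specs, record):
    """Full check of one captured ClientHello against the server's spec."""
    version, offered = client_hello_suites(record)
    return {
        "client_version": version,
        "offered": [describe(s) for s in offered],
        "weak_offered": [s for s in offered if SUITES.get(s, ("", False))[1]],
        "chosen": negotiate(server_specs, offered),
    }
```

With the two lists from the trace the result is 002F, the same value the GSK_CONNECT_CIPHER_SPEC line reports; an empty overlap is the situation the RC 402 description refers to.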


Re: AT-TLS question , issue

2015-05-14 Thread Donald J.
If you use trace level: Trace   127   you will get debugging info 
on ciphers and other things.
Cipher list presented by client:
CONNID: DA17  RC:0 Set GSK_V3_CIPHER_SPECS_EXPANDED(214) -  
C02FC030009E009F009C009D002F0035000A
Cipher chosen by server:
CONNID: DA17  RC:0 Get GSK_CONNECT_SEC_TYPE(208) -  TLSV1  
CONNID: DA17  RC:0 Get GSK_CONNECT_CIPHER_SPEC(207) -  002F

-- 
  Donald J.
  dona...@4email.net

On Wed, May 13, 2015, at 03:20 PM, Scott Ford wrote:
 All,
 We are running z/OS 1.13 and I have AT-TLS configured with PAGENT and
 SYSLOGD. We are testing a Java client inbound to a COBOL STC running CICS
 Sockets (ezasoket). In our testing we are seeing a EZD1287I TTLS Error RC:
  402 Initial Handshake. The server is showing a socket-read errno=54  -
 Econnreset. Does this imply the cipher is wrong ?
 The Java client is sending a self-signed certificate which we generated. We
 know it's ok locally in the same physical office with another server.  What
 I am not sure about is what ciphers, if this is the issue are supported on
 AT-TLS ..can someone be kind enough to help me out.
 
 Regards,
 Scott
 

-- 
http://www.fastmail.com - The way an email service should be



Re: AT-TLS question , issue

2015-05-14 Thread Rob Schramm
Diagnosis Guide with a direct hit

http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.hald001/atprble.htm

q0 - did you copy one of the GUI samples for the AT-TLS setup or build it
from scratch?

q1 - what ciphers did you select in Config Assistant or z/OSMF when you
setup the connection?

q2 - what ciphers are supported on the client side? sslv3/tlsv10/tlsv11 etc
etc

Rob Schramm
Senior Systems Consultant


On Thu, May 14, 2015 at 8:11 AM, Donald J. dona...@4email.net wrote:

 Correction: This is the server supported cipher list
 Set GSK_V3_CIPHER_SPECS_EXPANDED(214) -
 C02FC030009E009F009C009D002F0035000A

 Client ciphers are in the client hello.  2nd packet in ATTLS trace below:
 (002F 0035  0005 etc)
 RECV CIPHER 160301005F
 RECV CIPHER
 015B030155548ECF35553E488B83C575E3ED52CAA2E0C8DBB37AA97EEAC35115EAC90CB81
 0002F00350005000A00320038 ...

 --
   Donald J.
   dona...@4email.net



Re: AT-TLS question , issue

2015-05-14 Thread Mike Wawiorko
http://www-01.ibm.com/support/knowledgecenter/api/content/nl/en-us/SSLTBW_1.13.0/com.ibm.zos.r13.hald001/comtls.htm

AT-TLS return codes

z/OS Communications Server: IP Diagnosis Guide
GC31-8782-13

402

Connection Init

An SSL cipher suite could not be agreed upon between the client and server.
Check the following:

 *   If V2Ciphers or V3Ciphers are coded, verify that the remote end supports at least one of the cipher suites coded. If configuring using the IBM Configuration Assistant for z/OS Communications Server, the ciphers are selected for each Security Level.
 *   Verify that the certificate being used for the connection supports the cipher suites. For example, V3 Cipher suite TLS_DH_DSS_WITH_DES_CBC_SHA(0C) requires a certificate defined with a Diffie-Hellman key.
 *   For ciphers defined as exportable, verify that the proper FMIDs to support the encryption level are installed.






Mike Wawiorko




-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Scott Ford
Sent: 13 May 2015 23:20
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: AT-TLS question , issue



All,

We are running z/OS 1.13 and I have AT-TLS configured with PAGENT and SYSLOGD. 
We are testing a Java client inbound to a COBOL STC running CICS Sockets 
(ezasoket). In our testing we are seeing a EZD1287I TTLS Error RC:

402 Initial Handshake. The server is showing a socket-read errno=54  - 
Econnreset. Does this imply the cipher is wrong ?

The Java client is sending a self-signed certificate which we generated. We 
know it's ok locally in the same physical office with another server.  What I 
am not sure about is what ciphers, if this is the issue are supported on AT-TLS 
..can someone be kind enough to help me out.



Regards,

Scott





Re: AT-TLS question , issue

2015-05-13 Thread Gilson, Lynn
Scott,
I was looking at this document a little while ago:

IBM z/OS V1R13 CS TCP/IP Implementation: Volume 4 Security and Policy-Based 
Networking

In Chapter 16 'Telnet Security' it has some good information on this.  Page 
680 has a Table 16-1 that details the order of the ciphers.  I think you can 
influence the order of this in the TCPIP parameters used.

I believe this command would detail the ciphers in effect for the profile and 
port:
D TCPIP,TN3270D,T,PROF,PORT=992,DET,MAX=*
EZZ6080I TN3270D PROFILE DISPLAY 631
  PERSIS FUNCTION DIA SECURITY TIMERS MISC
 (LMTGCAK)(OPATSKTQSSHRT)(DRF)(PCKLECXN2)(IPKPSTS)(SMLT)
  --- - --- - --- 
  *** ***TSBTQ***RT EC* BB**D *P**STS *DD* *DEFAULT
  --- T --- - ---  *TGLOBAL
  -M- S --F SSS-E*--- *---ST- S--- *TPARMS
  *M* ***TSBTQ***RT ECF SSS*E *P**STS SDD* CURR
SECURITY
   SECUREPORT 992   1
   CONNTYPE SECURE  2
   KEYRING SAF TCPIP/SharedRing13
   CRLLDAPSERVER NONE/TTLS/**N/A**
   ENCRYPTION DS,3S 4
   CLIENTAUTH NONE  5
   NOEXPRESSLOGON
   NONACUSERID
   NOSSLV2
   TIMERS
   INACTIVE 0 (OFF)
   PROFILEINACTIVE 1800
   KEEPINACTIVE 0 (OFF)
   PRTINACTIVE 0 (OFF)
   SCANINTERVAL 120
   TIMEMARK 600
   SSLTIMEOUT 5
   KEYRING SAF TCPIP/SharedRing16


In this example, the numbers correspond to the following information:
1. Port 992 is used.
2. The port is for secure connection.
3. The name of the key ring in use.
4. The list of ciphers being used (DS for SSL_DES_SHA and 3S for SSL_3DES_SHA).
   See Table 16-1 on page 680 for the complete list of supported ciphers.
5. The client authentication is not used.
6. The key ring used is SharedRing1, which is managed by an SAF product (RACF, in our case).



Hope this helps out.

Lynn Gilson
ANTM,Inc.

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Scott Ford
Sent: Wednesday, May 13, 2015 15:20
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: AT-TLS question , issue

All,
We are running z/OS 1.13 and I have AT-TLS configured with PAGENT and SYSLOGD. 
We are testing a Java client inbound to a COBOL STC running CICS Sockets 
(ezasoket). In our testing we are seeing a EZD1287I TTLS Error RC:
 402 Initial Handshake. The server is showing a socket-read errno=54  - 
Econnreset. Does this imply the cipher is wrong ?
The Java client is sending a self-signed certificate which we generated. We 
know it's ok locally in the same physical office with another server.  What I 
am not sure about is what ciphers, if this is the issue are supported on AT-TLS 
..can someone be kind enough to help me out.

Regards,
Scott



AW: Re: AT-TLS question

2014-05-03 Thread Peter Hunkeler
Yes, it does the encryption (and more important - the negotiation) without the 
z/OS application having to be aware, though the app can be if it wants to.
[snip]


Trying to summarize what I understand so far.
An SSL capable application does all the handshake and en/decryption stuff by 
itself. If one end does *not* know how to talk SSL, AT/TLS can jump in and 
do the handshake and en/decryption on the non-SSL. On the SSL end, then the 
traffic will be passed on to the application unchanged, i.e. encrypted.
I'll have to read about this in the appropriate doc.


--
Peter Hunkeler



Re: AW: Re: AT-TLS question

2014-05-03 Thread Jim McAlpine
Yes, that's basically it as I now understand. We currently have it
configured for CICS sockets but now also want to configure it where z/OS is
the client and Websphere on windows is the SSL client. See below for SHARE
presentation.

https://share.confex.com/share/120/webprogram/Session12775.html

Jim Mc
 On 3 May 2014 09:01, Peter Hunkeler p...@gmx.ch wrote:

 Yes, it does the encryption (and more important - the negotiation)
 without the z/OS application having to be aware, though the app can be if
 it wants to.
 [snip]


 Trying to summarize what I understand so far.
 An SSL capable application does all the handshake and en/decryption stuff
  by itself. If  one end does *not* know how to  talk SSL, AT/TLS can jump
 in and do the handshake and en/decryption on the non-SSL. On the SSL
 end, then the traffic will be passed on to the application unchanged, i.e.
 encrypted.
 I'll have to read about this in the appropriate doc.


 --
 Peter Hunkeler



Re: AW: Re: AT-TLS question

2014-05-03 Thread Jim McAlpine
That should have said SSL server and not SSL client obviously.

Jim Mc.
On 3 May 2014 10:28, Jim McAlpine jim.mcalp...@gmail.com wrote:

 Yes, that's basically it as I now understand. We currently have it
 configured for CICS sockets but now also want to configure it where z/OS is
 the client and Websphere on windows is the SSL client. See below for SHARE
 presentation.

 https://share.confex.com/share/120/webprogram/Session12775.html

 Jim Mc


AW: Re: AT-TLS question

2014-05-02 Thread Peter Hunkeler
Yes - this is probably the classic use case for AT-TLS.

Wouldn't this only encrypt the path from ip to ip? ip would decrypt and send 
plain text to WebSphere?

I understand application transparent to say that the traffic is encrypted 
on the wire (only) without the help of applications. Am I mixing up things?

--
Peter Hunkeler


 From: Tony Harminc t...@harminc.net To: 
IBM-MAIN@LISTSERV.UA.EDU Subject: Re: AT-TLS question Date: 01.05.14 19:38


On 1 May 2014 07:48, Jim McAlpine jim.mcalp...@gmail.com wrote:
 We have the need to encrypt messages sent from z/OS on a particular port to
 an application running under Webshere on Windows. The outgoing messages are
 HTTP protocol and they would need to be converted to the HTTPS that
 Websphere understands. Is that something that can be done with AT-TLS.

Yes - this is probably the classic use case for AT-TLS. You should
simply be able to configure Policy Agent so that all traffic from
your particular jobname and/or source or destination IP address is
forced to use TLS. If you don't require client authentication via
certificates (the normal case for a person sitting at a browser), then
things should be pretty straightforward once you catch on to the
gratuitously novel syntax of the Policy Agent configuration files.

Tony H.



Re: AT-TLS question

2014-05-02 Thread Jim McAlpine
Are you saying that the certificate dance is not required in this scenario ?

Jim Mc.


On Thu, May 1, 2014 at 6:38 PM, Tony Harminc t...@harminc.net wrote:

 On 1 May 2014 07:48, Jim McAlpine jim.mcalp...@gmail.com wrote:
  We have the need to encrypt messages sent from z/OS on a particular port
 to
  an application running under Webshere on Windows. The outgoing messages
 are
  HTTP protocol and they would need to be converted to the HTTPS that
  Websphere understands. Is that something that can be done with AT-TLS.

 Yes - this is probably the classic use case for AT-TLS. You should
 simply be able to configure Policy Agent so that all traffic from
 your particular jobname and/or source or destination IP address is
 forced to use TLS. If you don't require client authentication via
 certificates (the normal case for a person sitting at a browser), then
 things should be pretty straightforward once you catch on to the
 gratuitously novel syntax of the Policy Agent configuration files.

 Tony H.



Re: AT-TLS question

2014-05-02 Thread Tony Harminc
On 2 May 2014 03:40, Peter Hunkeler p...@gmx.ch wrote:
Yes - this is probably the classic use case for AT-TLS.

 Wouldn't this only encrypt the path from ip to ip. ip would decrypt and send 
 plain text to WebSphere?

 I understand application transparent to say that the traffic is encrypted 
 on the wire (only) without the help of applications. Am I mixing up things?

Yes, it does the encryption (and more important - the negotiation)
without the z/OS application having to be aware, though the app can be
if it wants to.

So you can configure AT-TLS via Policy Agent to do all this TLSy stuff
while talking to a TLS app at the other end on any platform. If your
z/OS app is the client (specified in the Policy Agent config), then if
you connect from that app using ordinary TCP/IP sockets calls, AT-TLS
will start with a TLS handshake, negotiate cipher suites and all the
other TLS options, send and/or receive certificates as necessary, and
the other end knows nothing about AT-TLS.

 Are you saying that the certificate dance is not required in this scenario ?
Jim Mc.

No - TLS always involves at least a server certificate, but things can
be set up so that the validation is very slack indeed. The AT-TLS app
does need access to a RACF keyring, but if the app is acting as a
client, and the server sends a cert that is signed by a well-known CA,
then you may need little more than enabling TRUST for the appropriate
CA cert that's already in RACF.

There is lots more you may have to do, but the idea as a whole is sound.

Tony H.



Re: AT-TLS question

2014-05-01 Thread Staller, Allan
AT-TLS (application transparent transport layer security) is a transport layer 
protocol. It encrypts data sent over the link.
HTTPS is an application level protocol. The data is encrypted prior to being 
sent over the link.

Using HTTPS with AT-TLS is encrypting the data twice. Once by the application 
and again by the link.

You will probably get more informed responses on the TCP/IP list.

For IBMTCP-L subscribe / signoff / archive access instructions, send email to 
lists...@vm.marist.edu with the message: INFO IBMTCP-L

HTH,

snip
We have the need to encrypt messages sent from z/OS on a particular port to an 
application running under Webshere on Windows. The outgoing messages are HTTP 
protocol and they would need to be converted to the HTTPS that Websphere 
understands. Is that something that can be done with AT-TLS.
/snip




Re: AT-TLS question

2014-05-01 Thread Mike Wawiorko
Not sure about the response below.



I read your question as:

· Windows is a Websphere server running an HTTPS server expecting only 
encrypted requests

· z/OS is an HTTP client trying to send unencrypted requests to the 
Windows server

· This won’t work

· You need to convert the z/OS from HTTP to HTTPS with SSL/TLS



If I’ve understood correctly this is what AT-TLS can do for you. It will take 
the unencrypted HTTP, wrap it up in SSL/TLS and present encrypted HTTPS 
to the server.



You’ll need to do some work with both AT-TLS configuration and your RACF (or 
equivalent) to install keyrings.



Mike Wawiorko




-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Staller, Allan
Sent: 01 May 2014 13:30
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS question



AT-TLS (application transparent transport layer security) is a transport layer 
protocol. It encrypts data sent over the link.

HTTPS is an application level protocol. The data is encrypted prior to being 
sent over the link.



Using HTTPS with AT-TLS is encrypting the data twice. Once by the application 
and again by the link.



You will probably get more informed responses on the TCP/IP list.



For IBMTCP-L subscribe / signoff / archive access instructions, send email to 
lists...@vm.marist.edu with the message: INFO IBMTCP-L



HTH,



snip

We have the need to encrypt messages sent from z/OS on a particular port to an 
application running under Webshere on Windows. The outgoing messages are HTTP 
protocol and they would need to be converted to the HTTPS that Websphere 
understands. Is that something that can be done with AT-TLS.

/snip







Re: AT-TLS question

2014-05-01 Thread Tony Harminc
On 1 May 2014 07:48, Jim McAlpine jim.mcalp...@gmail.com wrote:
 We have the need to encrypt messages sent from z/OS on a particular port to
 an application running under Webshere on Windows. The outgoing messages are
 HTTP protocol and they would need to be converted to the HTTPS that
 Websphere understands. Is that something that can be done with AT-TLS.

Yes - this is probably the classic use case for AT-TLS. You should
simply be able to configure Policy Agent so that all traffic from
your particular jobname and/or source or destination IP address is
forced to use TLS. If you don't require client authentication via
certificates (the normal case for a person sitting at a browser), then
things should be pretty straightforward once you catch on to the
gratuitously novel syntax of the Policy Agent configuration files.

Tony H.
