Re: z/OS TCP/IP question: name resolution order/override

2016-09-22 Thread Phil Smith
Charles Mills wrote:
> Do you "own" the target host? Can you issue your own SSL/TLS server
> certificate?
>
> Because you can issue a certificate for an IP address as well as for a name
> (or for both one or two names and one or two addresses). Cute feature: with
> a name, you can wildcard the high order node, e.g., *.foo.com. With an IP
> address, you can wildcard the low order byte, e.g., 192.168.1.*

Yeah, but that won't fly either, alas. Plus it's theologically unclean... but 
thanks!

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: z/OS TCP/IP question: name resolution order/override

2016-09-22 Thread Charles Mills
> No, it's an SSL (TLS) connection. Need to address by hostname.

Do you "own" the target host? Can you issue your own SSL/TLS server
certificate?

Because you can issue a certificate for an IP address as well as for a name
(or for both one or two names and one or two addresses). Cute feature: with
a name, you can wildcard the high order node, e.g., *.foo.com. With an IP
address, you can wildcard the low order byte, e.g., 192.168.1.*

Charles
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
Behalf Of Phil Smith
Sent: Wednesday, September 21, 2016 4:49 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OS TCP/IP question: name resolution order/override

Paul Gilmartin wrote:
> In the interim, could they just use the IP address?

No, it's an SSL (TLS) connection. Need to address by hostname.

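Charles's suggestion above (a certificate that names an IP address alongside, or instead of, a hostname) and gil's ssh tunnel a few messages down both turn on the same question: which name or address does the client compare the server's certificate against, and does that have to be the address it dialed? The following is an added example and not code from any poster on the thread. It implements subjectAltName matching in Python following RFC 6125: a DNS-ID wildcard may only be the whole left-most label and matches exactly one label, and an IP-address entry is compared as an exact address (the example deliberately does not wildcard the low-order byte). The certificate dictionary is constructed for the example in the shape that `ssl.SSLSocket.getpeercert()` returns; `mvs.example.com`, `192.168.1.10` and the other values are made up.

```python
"""Match a TLS peer certificate's subjectAltName entries against the name a
client meant to reach (added example; not code from the thread).

Rules follow RFC 6125: DNS-ID wildcards may only be the whole left-most label
and match exactly one label; IP-address entries are compared as addresses,
with no wildcarding. The certificate below is CONSTRUCTED in the shape that
ssl.SSLSocket.getpeercert() returns; it is not a real certificate.
"""
import ipaddress
from typing import Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample for a hypothetical server; mimics getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "mvs.example.com"),),),
    "subjectAltName": (
        ("DNS", "mvs.example.com"),
        ("DNS", "*.test.example.com"),
        ("IP Address", "192.168.1.10"),
    ),
}


def _parse_ip(text: str) -> Optional[IPAddr]:
    """Return an address object for a literal IP, or None for a hostname."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def dns_id_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID comparison with RFC 6125 wildcard limits."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # '*' must be the entire left-most label, and no other label may have one.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:          # refuse '*.com'-style patterns
        return False
    # The wildcard covers one label: 'a.b.test.example.com' must not match.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_matches(cert: dict, reference: str) -> bool:
    """True if `reference` (hostname or literal IP) is covered by a SAN.

    Only subjectAltName is consulted: when a SAN extension is present,
    clients ignore the subject commonName.
    """
    ref_ip = _parse_ip(reference)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and ref_ip is None and dns_id_matches(value, reference):
            return True
        if kind == "IP Address" and ref_ip is not None and _parse_ip(value) == ref_ip:
            return True
    return False


if __name__ == "__main__":
    for ref in ("mvs.example.com", "lpar1.test.example.com",
                "a.b.test.example.com", "192.168.1.10", "192.168.1.11"):
        print(f"{ref:28} {'ok' if cert_matches(SAMPLE_CERT, ref) else 'NO MATCH'}")
```

The point of separating the reference name from the connect address is what the ssh tunnel achieves from outside the client. A client that exposes the split directly, for instance Python's `ssl.SSLContext.wrap_socket(sock, server_hostname="mvs.example.com")` after `sock.connect(("192.168.1.10", 992))`, sends that name in SNI and checks the certificate against it, so no resolver entry for the name is involved at all.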


Re: z/OS TCP/IP question: name resolution order/override

2016-09-21 Thread Rob Schramm
Easy.

There is a directive to either do DNS first or Local first.  Previous
poster LOOKUP.  Use local first if you want faster resolution for chatty
DNS apps.. like Websphere.

Convert to COMMONSEARCH to get unix, STC/TSO to resolve the same.

Rob Schramm

On Wed, Sep 21, 2016, 7:07 PM Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Wed, 21 Sep 2016 19:06:08 -0500, Paul Gilmartin wrote:
> >>
> >Someone once told me how to start a ssh client to work as
> >a NAT for AT/TLS.  Tried it.  Sort of worked.  Didn't pursue
> >it because I didn't need it.  And my ssh client was on a laptop
> >not subject to enterprise security.
> >
> Oops.  Don't get your hopes up.  With some RTFM and a little recollection
> on Cygwin I tried:
>
> 510 $ ssh -N -T -L 2992:MVS:992 localhost &
> [1] 10316
>
> Then:
> 511 $ tn3270 localhost 2992
>
> ... connected me to MVS 992.  But it doesn't resolve the problem because DNS
> must still be able to resolve MVS to an IP address.  But wait!  I was able
> to:
>
> 501 $ ssh -N -T -L 2992:10.xxx.yyy.zzz:992 localhost &
>
> ... supplying an IP address for MVS, and still able to connect via
> localhost 2992.
> But your TLS may be stricter.
>
> How (operator command?) on MVS can I verify the port I'm connected to?
>
> -- gil
>
>
-- 

Rob Schramm



Re: z/OS TCP/IP question: name resolution order/override

2016-09-21 Thread Paul Gilmartin
On Wed, 21 Sep 2016 19:06:08 -0500, Paul Gilmartin wrote:
>> 
>Someone once told me how to start a ssh client to work as
>a NAT for AT/TLS.  Tried it.  Sort of worked.  Didn't pursue
>it because I didn't need it.  And my ssh client was on a laptop
>not subject to enterprise security.
> 
Oops.  Don't get your hopes up.  With some RTFM and a little recollection
on Cygwin I tried:

510 $ ssh -N -T -L 2992:MVS:992 localhost &
[1] 10316

Then:
511 $ tn3270 localhost 2992

... connected me to MVS 992.  But it doesn't resolve the problem because DNS
must still be able to resolve MVS to an IP address.  But wait!  I was able to:

501 $ ssh -N -T -L 2992:10.xxx.yyy.zzz:992 localhost &

... supplying an IP address for MVS, and still able to connect via localhost 
2992.
But your TLS may be stricter.

How (operator command?) on MVS can I verify the port I'm connected to?

-- gil



Re: z/OS TCP/IP question: name resolution order/override

2016-09-21 Thread Paul Gilmartin
On Wed, 21 Sep 2016 16:48:37 -0700, Phil Smith wrote:

>Paul Gilmartin wrote:
>> In the interim, could they just use the IP address?
>
>No, it's an SSL (TLS) connection. Need to address by hostname.
> 
Someone once told me how to start a ssh client to work as
a NAT for AT/TLS.  Tried it.  Sort of worked.  Didn't pursue
it because I didn't need it.  And my ssh client was on a laptop
not subject to enterprise security.

>> Or choose a friendly nameserver in /etc/resolv.conf?
>
>Hm? The host isn't *in* DNS, or is in wrong. That's the problem.
>
Just thought there might be more than one nameserver you could access.

-- gil



Re: z/OS TCP/IP question: name resolution order/override

2016-09-21 Thread Phil Smith
Paul Gilmartin wrote:
> In the interim, could they just use the IP address?

No, it's an SSL (TLS) connection. Need to address by hostname.

> Or choose a friendly nameserver in /etc/resolv.conf?

Hm? The host isn't *in* DNS, or is in wrong. That's the problem.



Re: z/OS TCP/IP question: name resolution order/override

2016-09-21 Thread Tony Harminc
On 21 September 2016 at 18:40, Phil Smith  wrote:
> I had some vague idea that on z/OS, the Resolver can use some or all of:
>
> 1. DNS
>
> 2. Its own configuration data sets, via GLOBALIPNODES statements
>
> 3. /etc/hosts
>
> I just spent some time looking at IBM doc, and what I found seems to support 
> this. What I couldn't seem to grok was whether you can control the *order* in 
> which the three are used: that is, can you say "OK, we use the DNS server at 
> this IP, but we want to look in /etc/hosts *first*"?

There is a LOOKUP statement in the TCPDATA member/file.

; LOOKUP indicates the order of name and address resolution.  DNS means
; use the DNSs listed on the NSINTERADDR and NAMESERVER statements.
; LOCAL means use the local host tables as appropriate for the
; environment being used (UNIX System Services or Native MVS).

You may be able to point a particular app at its own TCPDATA (DDNAME
SYSTCPD or via the various UNIXy search orders), which in turn can
contain not only its own LOOKUP statement, but perhaps even point to a
different DNS server than the system-wide default. In particular, you
could run your own tiny DNS on the same z/OS image, perhaps listening
on a highish port so you don't run into trouble with not being allowed
to listen on a well known one. But probably this is overcomplicated.

Tony H.

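Tony's LOOKUP statement above and Rob's "DNS first or Local first" remark describe the same knob, and Phil's observation that a hosts entry "doesn't always seem to take effect" is the symptom of getting it wrong. The following is an added example, not IBM code and not from any poster: a small Python model of the LOOKUP order that parses a TCPDATA-style text (with `;` comments, as in the real member), a hosts-style local table, and a stand-in for DNS answers, then resolves a name in the configured order and reports which source answered. The TCPDATA fragment, the hosts lines, the addresses and the names are all constructed; the default order used when no LOOKUP statement is present is an assumption and is marked as such in the code.

```python
"""Toy model of the z/OS Resolver LOOKUP order (added example; not IBM code).

A TCPDATA-style text carries a LOOKUP statement that says whether the local
host table (LOCAL) or the name servers (DNS) are consulted first. The TCPDATA
fragment, hosts table and DNS answers below are all CONSTRUCTED for this
example; the code does not read a real TCPDATA member or talk to a resolver.
"""
from typing import Dict, Optional, Tuple

# Constructed TCPDATA fragment. As in the real member, ';' starts a comment.
TCPDATA_LOCAL_FIRST = """\
; resolver configuration (constructed sample)
TCPIPJOBNAME TCPIP
DOMAINORIGIN example.com
NSINTERADDR 10.0.0.53
LOOKUP LOCAL DNS      ; consult the local host table before DNS
"""
TCPDATA_DNS_FIRST = TCPDATA_LOCAL_FIRST.replace("LOOKUP LOCAL DNS", "LOOKUP DNS LOCAL")

# Constructed /etc/hosts-style table holding a test override for the server.
LOCAL_HOSTS = """\
# test override: the address we want to use while DNS is still wrong
192.168.1.10   mvs.example.com   mvs
"""

# Constructed stand-in for what the name server currently answers.
DNS_ANSWERS: Dict[str, str] = {"mvs.example.com": "10.20.30.40"}

# Assumption: with no LOOKUP statement the resolver tries DNS, then LOCAL.
DEFAULT_LOOKUP = ("DNS", "LOCAL")


def parse_lookup(tcpdata: str, default=DEFAULT_LOOKUP) -> Tuple[str, ...]:
    """Return the LOOKUP order as a tuple of 'DNS' / 'LOCAL' tokens.

    Comments after ';' are stripped, keywords are case-insensitive, and a
    later LOOKUP statement overrides an earlier one.
    """
    order = tuple(default)
    for raw in tcpdata.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.upper().split()
        if tokens[0] == "LOOKUP":
            order = tuple(t for t in tokens[1:] if t in ("DNS", "LOCAL"))
    return order


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse 'address name [alias ...]' lines; '#' starts a comment.
    The first mapping for a name wins, as in a classic hosts file."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def resolve(name: str, tcpdata: str, hosts: Dict[str, str],
            dns: Dict[str, str]) -> Tuple[Optional[str], Optional[str]]:
    """Resolve `name` in LOOKUP order and report which source answered.

    Returning the source is the useful part: when a hosts-table override
    'does not take effect', the usual reason is that DNS answered first.
    """
    key = name.lower()
    for source in parse_lookup(tcpdata):
        answer = hosts.get(key) if source == "LOCAL" else dns.get(key)
        if answer is not None:
            return answer, source
    return None, None


if __name__ == "__main__":
    table = parse_hosts(LOCAL_HOSTS)
    for label, cfg in (("LOCAL first", TCPDATA_LOCAL_FIRST),
                       ("DNS first", TCPDATA_DNS_FIRST)):
        print(label, resolve("mvs.example.com", cfg, table, DNS_ANSWERS))
```

Run as a script it prints the same name resolving to the local override under `LOOKUP LOCAL DNS` and to the DNS answer under `LOOKUP DNS LOCAL`; the short alias `mvs` falls through to the local table in either order because the constructed DNS has no entry for it. The same precedence is why a local table that wins over DNS is worth auditing on a production host: an entry that quietly redirects a well-known name is exactly the kind of change a defender wants to notice.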


Re: z/OS TCP/IP question: name resolution order/override

2016-09-21 Thread Paul Gilmartin
On Wed, 21 Sep 2016 15:40:24 -0700, Phil Smith wrote:
>
>What I'm really looking for is a way for a user-possibly a sysprog-to define 
>or override a hostname-to-IP mapping to test something. We keep coming across 
>customer systems that don't have a DNS entry for a server that uses SSL (TLS), 
>and getting a DNS update requires an act of Congress, so we wind up waiting. 
>Some of them know they can't update /etc/hosts, but if they can, it doesn't 
>always seem to take effect.
>
In the interim, could they just use the IP address?

Or choose a friendly nameserver in /etc/resolv.conf?

-- gil



z/OS TCP/IP question: name resolution order/override

2016-09-21 Thread Phil Smith
I had some vague idea that on z/OS, the Resolver can use some or all of:

1. DNS

2. Its own configuration data sets, via GLOBALIPNODES statements

3. /etc/hosts

I just spent some time looking at IBM doc, and what I found seems to support 
this. What I couldn't seem to grok was whether you can control the *order* in 
which the three are used: that is, can you say "OK, we use the DNS server at 
this IP, but we want to look in /etc/hosts *first*"? There's lots of discussion 
of the "search order", but nothing that clearly indicated (to me, at least) 
that you could control the *order*. It does look to me like you could specify 
/etc/hosts on a GLOBALIPNODES statement, but that isn't quite what I mean.

What I'm really looking for is a way for a user-possibly a sysprog-to define or 
override a hostname-to-IP mapping to test something. We keep coming across 
customer systems that don't have a DNS entry for a server that uses SSL (TLS), 
and getting a DNS update requires an act of Congress, so we wind up waiting. 
Some of them know they can't update /etc/hosts, but if they can, it doesn't 
always seem to take effect.

I see lots of ways (for example, in this marathon post by Chris Mason: 
http://newsgroups.derkeiler.com/Archive/Comp/bit.listserv.ibm-main/2006-05/msg00727.html)
 that a name can get resolved. And I found COMMONSEARCH/NOCOMMONSEARCH, which 
at least explain differences between POSIX-land and batch jobs, but Chris's 
list of 13 paths mostly just raises more questions.

And I realize that the answer may be "it depends", based on which of the 13 are 
configured currently. Ideally, there would be a foolproof way for a user to 
mess themselves up when they wanted to. Is this a pipe dream? I can imagine 
that it might not make sense-it certainly doesn't most of the time!-but it sure 
would be a handy technique if 'twere available.
--
...phsiii
