I think saying that IBM doesn't supply SSL support on z/VM is going a
bit too far. They do supply SSL support, but in "powdered" form -
you have to add "water", i.e. a Linux system. Well, maybe it's more
like adding milk, because it's not completely trivial.

Don't get me wrong, though. This is a pain, and worse, it provides a
very minimal SSL feature set.

You can't, for example, have the SSL and non-SSL version of a
protocol/service/application go to the same port, with SSL negotiated
as part of the session start-up. This is something that is supported
in the MVS implementation of SSL but not VM. To do this in VM would
take SSL-awareness and support on the part of the servers, and in the
current implementation they are unaware that their connections are
going through the SSLSERV Linux SVM and have no support for SSL.

Another lack on the VM side is robust certificate management. With
the VM implementation there's no convenient way to renew a
certificate or to move a certificate from one SSLSERV instance to
another, for example when upgrading SSLSERV. (Discussion about the
latter is currently happening in a separate thread on this list.)

I would like to formally ask IBM for better VM SSL support, but I'm
not sure of the best way to do that. Is there a customer request
mechanism that I should use? Or should I go through SHARE and create
a SHARE requirement? Anybody know the best (and easiest) way to do this?

Mark Bodenstein ([EMAIL PROTECTED])
Cornell University

At 07:31 AM 11/11/2005, Duane wrote:
That is very unfortunate. IBM supplies SSL support for TCPIP on
z/OS but not z/VM. Go figure.

At 08:57 PM 11/10/2005, you wrote:
> I am reading the IBM Program Directory z/VM 5.1 for TCPIP, about SSL.
> It seems to imply that SSL is for use with LINUX.
> I simply want to use SSL to connect to TCPIP on VM. We now make
> our TSO users use SSL to connect to TSO.

You must have a Linux virtual machine to use the IBM SSL support on CMS.
It's implemented as a Linux application that ties into the VM TCPIP stack.
IBM does not include the Linux distribution to allow it to function. You
have to supply that, or grab a copy of our SSL Enabler appliance.
-- db