Mark Bodenstein wrote: > I think saying that IBM doesn't supply SSL support on z/VM is going a > bit too far. They do supply SSL support, but in "powdered" form - you > have to add "water", i.e. a Linux system. Well, maybe it's more like > adding milk, because it's not completely trivial. > yes, the "adding the milk" part has caused a lot of heartburn form a number of sites.....but it was a quick way of getting at least some SSL support into VM without spending a ton of $$$.
> Don't get me wrong, though. This is a pain, and worse, it provides a > very minimal SSL feature set. > > You can't, for example, have the SSL and non-SSL version of a > protocol/service/application go to the same port, with SSL negotiated as > part of the session start-up. This is something that is supported in > the MVS implementation of SSL but not VM. To do this in VM would take > SSL-awareness and support on the part of the servers, and in the current > implementation they are unaware that their connections are going through > the SSLSERV Linux SVM and have no support for SSL. > This is both a "feature" and a "bug" in the current implementation. IBM Endicott was able, through some very clever programming, to use the already existing (and therefore, paid for) IBM SSL toolkit. This approach provides for SSL support (at least at some level) for all existing VM TCP/IP based servers, without requiring them to be rewritten.As you note, the existing servers are not even aware of this SSL support, as it's all done under the covers..... > Another lack on the VM side is robust certificate management. With the > VM implementation there's no convenient way to renew a certificate or to > move a certificate from one SSLSERV instance to another, for example > when upgrading SSLSERV. (Discussion about the latter is currently > happening in a separate thread on this list.) > > I would like to formally ask IBM for better VM SSL support, but I'm not > sure of the best way to do that. Is there a customer request mechanism > that I should use? Or should I go through SHARE and create a SHARE > requirement? Anybody know the best (and easiest) way to do this? > You're best approach would be to submit a customer request through SHARE (or some other formally recognized by IBM user's group). There are members on this list that can help you get that done, I am sure. Just posting here will*not* get IBM's official attention and get the SSL enhancements you want added to IBM's to-do list. A formal request, via SHARE, is the best way to go...... Hope this helps. > Mark Bodenstein ([EMAIL PROTECTED]) > Cornell University -- Dave Jones V/Soft Software, Inc. Houston 281.578.7544
