Thanks Seymour. I'd add 3 things to that, and all require an SSL TN3270 connection:

#1 The terminal emulator, if it wants, can require a CA cert pre-loaded on the PC in order to validate the certificate passed from the host during the initial SSL negotiation.

#2 The terminal emulator, if it wants, can check the "common name" in the host-supplied cert to make sure it matches the host name used for the connection.

I know, #1 and #2 are authenticating the host not the client, but I thought I'd mention them.

#3 The host can be set up to require a client certificate to be pre-loaded on the PC side and passed to the host during SSL negotiation. The host validates the client cert and decides whether or not to let the TCPIP connection continue.

It's that last one that I think could be used for protection against somebody revoking IDs with invalid passwords. A hacker doesn't even get to the point where an ID/password can be entered.

Take all this with a grain of salt though, I don't know all the details. Many years ago, working with Tom Conley, we set up his z/OS host and successfully tested client certificates. I'm not sure if many people use them though. He's the only person I ever talked to who even mentioned it.

On 9/27/2024 5:50 AM, Seymour J Metz wrote:
TN3270 does not authenticate. The application using VTAM to access a 3270, e.g., CICS, TCAS, does its own authentication.

IND$FILE has no security support. Again, it's up to the application.

Of course, in both cases the application is constrained by the ESM, e.g., RACF,

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר



________________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Paul Gilmartin <0000042bfe9c879d-dmarc-requ...@listserv.ua.edu>
Sent: Thursday, September 26, 2024 9:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: in Defense of FTP. FUD rules

On Thu, 26 Sep 2024 17:07:21 -0700, Tom Brennan wrote:

Thanks!  It seemed like we were only picking on poor FTP.

What authentication technique does TN3270 use?

What protection does IND$FILE offer against exfiltration
of sensitive data?

--
gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
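
The three certificate checks listed at the top of this thread (#1 CA validation, #2 host-name match, #3 client certificate), run offline with the `openssl` command line as an added example that is not part of the original messages. The CA, the host name `zos.example.test`, the subject `TESTUSER` and the helper function names are constructed for illustration; it assumes an `openssl` binary with its default configuration file is installed.

```shell
#!/bin/sh
# Added example. Everything here is constructed: a throwaway CA and a
# hypothetical host name, nothing from a real z/OS system.
set -eu
DEMO=$(mktemp -d)
HOST=zos.example.test

# Self-signed certificate: used for the demo CA and for an untrusted client.
selfsigned() {  # selfsigned NAME CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$DEMO/$1.key" -out "$DEMO/$1.pem" 2>/dev/null
}

# Certificate signed by the demo CA, carrying one extension line.
issue() {  # issue NAME CN EXTENSION
    printf '%s\n' "$3" > "$DEMO/$1.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$DEMO/$1.key" -out "$DEMO/$1.csr" 2>/dev/null
    openssl x509 -req -in "$DEMO/$1.csr" -days 2 -CA "$DEMO/ca.pem" \
        -CAkey "$DEMO/ca.key" -CAcreateserial -extfile "$DEMO/$1.ext" \
        -out "$DEMO/$1.pem" 2>/dev/null
}

selfsigned ca "Constructed Demo CA"        # the CA cert pre-loaded on each side
issue host "$HOST" "subjectAltName=DNS:$HOST"
issue client TESTUSER "extendedKeyUsage=clientAuth"
selfsigned rogue TESTUSER                  # same subject, not issued by the CA

# Checks #1 and #2 (emulator side): the host cert must chain to the
# pre-loaded CA and must name the host the emulator connected to.
host_cert_ok() {  # host_cert_ok NAME_USED_FOR_CONNECTION
    openssl verify -CAfile "$DEMO/ca.pem" -verify_hostname "$1" \
        "$DEMO/host.pem" >/dev/null 2>&1
}

# Check #3 (host side): the client cert must chain to the CA the host
# trusts and be usable for TLS client authentication.
client_cert_ok() {  # client_cert_ok NAME
    openssl verify -CAfile "$DEMO/ca.pem" -purpose sslclient \
        "$DEMO/$1.pem" >/dev/null 2>&1
}

verdict() { if "$@"; then echo "accept: $*"; else echo "reject: $*"; fi; }
verdict host_cert_ok "$HOST"
verdict host_cert_ok other.example.test
verdict client_cert_ok client
verdict client_cert_ok rogue
```

The `rogue` certificate carries the same subject as the issued client certificate but is rejected because it does not chain to the trusted CA, which is the property #3 relies on: the handshake fails before any logon screen is reached.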

