That's what I figured.  Sounds like a lot of "Developer: Systems, can you make 
this change; Systems: OK; done; Developer: Well that didn't work, can you try 
this instead?" back and forth.  Not my idea of fun.  Oh well; I have no such 
requirement at this point.  Just pondering the future...

Frank

________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
Denis <000001664d8ede6c-dmarc-requ...@listserv.ua.edu>
Sent: Monday, June 19, 2017 12:41 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: changing batch job to use SSL

Hi Frank,

since policy agent belongs to Communication Server and used to have some 
requirements to be started before TCPIP, I would guess that in most shops a 
developer cannot do that.
Except maybe for play LPARs and zPDT.

Denis.

-----Original Message-----
From: Frank Swarbrick <frank.swarbr...@outlook.com>
To: IBM-MAIN <IBM-MAIN@LISTSERV.UA.EDU>
Sent: Mon, Jun 19, 2017 8:30 pm
Subject: Re: changing batch job to use SSL

Curious question.  Is this something a developer could do in order to test this 
out, or does it require System level access?

Frank
________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of 
Denis <000001664d8ede6c-dmarc-requ...@listserv.ua.edu>
Sent: Saturday, June 17, 2017 12:29 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: changing batch job to use SSL

Hi Andrew,

have a look at the following sample, where just the jobname and the outbound 
port specify the need to use tls.
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.cfzu100/step6b.htm

Scroll down to the sample policy that says outbound.
Maybe that's all you need to do, but I have not tested it.

Denis.

-----Original Message-----
From: Andrew Rowley <and...@blackhillsoftware.com>
To: IBM-MAIN <IBM-MAIN@LISTSERV.UA.EDU>
Sent: Sat, Jun 17, 2017 07:45 AM
Subject: Re: changing batch job to use SSL


On 17/06/2017 03:05 AM, Tony Harminc wrote:
> It's validated the same way(s) any TLS client app (such as your desktop
> browser) validates a server certificate. I'm not sure why you seem to think
> this can't be done without client application program involvement.

There are 2 things that need to be validated with the certificate:
- That it is valid, i.e. has been signed by a trusted CA etc. AND

- That it belongs to the entity that the client is trying to connect to.

The description of AT-TLS says it takes control when the connection is
opened, but at this point name resolution has already occurred, hasn't it?

So how does AT-TLS know who the client is trying to connect to so it can
check the name in the certificate? I guess it would have to intercept
name resolution and assume that later connections to a resolved IP
address must match the name.

Or, maybe it is not intended for this type of general SSL connection.

I have been reading the documentation, but haven't been able to find
anything about how (or whether) the name in the certificate is validated.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
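
The second of the two checks Andrew lists (the certificate belongs to the entity the client meant to reach) can be written out as follows. This is an added example, not code from any poster or from AT-TLS; it runs over a constructed certificate dict shaped like the output of Python's ssl.getpeercert(), and the function names and sample hostnames are assumptions. It shows that a caller holding only the resolved address has nothing to compare against the DNS names in the certificate.

```python
import ipaddress

def _dns_match(pattern, host):
    """RFC 6125 style match: '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # The wildcard covers exactly one label and needs two fixed labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def _as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def cert_matches_target(cert, target):
    """cert: dict shaped like ssl.getpeercert(); target: what the caller dialled."""
    sans = cert.get("subjectAltName", ())
    ip = _as_ip(target)
    if ip is not None:
        # An address can only match an 'IP Address' SAN, never a DNS name.
        return any(k == "IP Address" and _as_ip(v) == ip for k, v in sans)
    return any(k == "DNS" and _dns_match(v, target) for k, v in sans)

# Constructed sample certificate; chain validation is assumed to have passed.
SAMPLE_CERT = {
    "subject": ((("commonName", "ftp.example.com"),),),
    "subjectAltName": (("DNS", "ftp.example.com"),
                       ("DNS", "*.files.example.com")),
}

def demo():
    check = lambda target: cert_matches_target(SAMPLE_CERT, target)
    return {
        "name the application asked for": check("ftp.example.com"),
        "wildcard, one label": check("a.files.example.com"),
        "wildcard, two labels": check("a.b.files.example.com"),
        "different host, same CA": check("other.example.com"),
        "resolved address only": check("192.0.2.10"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:32} -> {'match' if ok else 'NO MATCH'}")
```
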
