Hi, Alan.
See if your shop has installed and supports the OSA ICC feature. It's a
no charge feature (that's goodness....:-) that allows for TN3270 clients
(PCOMM, Vista, etc.) to attach directly to the OSA card and appear to CP
as locally attached 3270s. The VM TCP/IP stack is not involved at all
and need not even be up and running. The OSA ICC also supports TN3270
connections over SSL, so you can still encrypt your TN3270 traffic, even
if the SSLSERV on VM is down. You can have your cake and eat it too, at
least in this situation.
Have a good one.
Alan Ackerman wrote:
We have been ordered to protect all TN3270 sessions to VM with SSL. This
means turning on SSLSERV and disabling non-SSL. (INTERNALCLIENTPARMS
SECURECONNECTION REQUIRED, I think.) IBM level 2 has suggested that other
shops have a second TCP/IP stack to use when there are problems with TCPIP
or SSLSERV. (We have found several problems with SSLSERV in our testing.)
I'm curious whether and how other shops use a second TCP/IP stack.
Some possibilities:
1. Have a second TCPIP stack up all the time (userids TCPIP2 and
MPROUTE2), but with no SSL. It would run on a second IP address. (This is
security by obscurity.)
2. Have a second TCPIP stack up all the time, with SSL required. (Userids
TCPIP2, MPROUTE2, SSLSERV2.) This takes 2-3 more 3390-3 packs per system,
as well as a second IP address for each. (We have 6 first-level VM
systems, so those packs add up. There is also the administrative time to
get new certificates, etc.)
3. Have a second TCPIP stack, kept down, with no SSL, but brought up by
operations when we request it. It would have a second IP address. (So we
could test without bringing down the other TCPIP stack.)
4. Have a second TCPIP stack, kept down, with no SSL, but brought up by
operations when we request it. Assume the first stack is down and steal
the IP address. We could only test during stand-alone time.
We do have a second way to get into our systems, a PC-based product called
AP View. It has been unreliable here, and in some cases we have to ask
operations to page the AP View support, either because it is not working
or because we are only allowed Read/Only access via AP View to some (the
most important, naturally) VM systems. This slows down recovery.
We are trying to get rid of VTAM. (Actually, we are waiting for the z/OS
folks on this.) So that is not a good alternative.
Alan Ackerman
Alan (dot) Ackerman (at) Bank of America (dot) com
--
DJ
V/Soft
z/VM and mainframe Linux expertise, training,
consulting, and software development
www.vsoft-software.com