On May 5, 2008, at 9:54 AM, Dave Jones wrote:
Hi, Tim.
I think what you are looking for is the VMSSL server. It can secure
Telnet (TN3270) sessions to your z/VM system quite nicely, and it is
supported on your release of VM. You can read more about it in
Chapter 22 of the TCP/IP Planning and Customization Guide.
It is somewhat of a pain to set up, as it requires you to go get and
install a Linux distribution. The folks at Sine Nomine Assc. have
created a nice VMSSL server enabler tool that speeds up the install
process... you might want to take a look at that here:
http://www.sinenomine.net/
To modify what Dave Jones said a little:
CLIENT versions of SSL-wrapped apps (that is, SSL-wrapped tn3270 and
FTP) are not available until z/VM 5.3.
tn3270 wrapped in SSL works fine with the SSLSERV enabler all the way
back to z/VM 3.1 with the telnet *server* on z/VM.
FTP is also possible, sorta, in 3.1-5.2, but basically you can only do
implicit SSL and you can only protect the authentication stream, not
the data channel. The nice thing is: there's a product out there,
Glub Tech's Secure FTP wrapper, that's quite cheap ($250 for a single
IP address, unlimited connections), that allows you to do secure FTP
to *it* and will then do cleartext FTP out the back end, which is nice
if you want to set up a Linux guest and a private network to z/VM
behind that guest. That way, all the cleartext traffic on the wire is
actually taking place in z/VM's memory and isn't on any externally-
sniffable network at all.
If you *do* have a secure last-hop network for z/VM, you can put the
FTP wrapper on that network on an Intel Linux box and not have to burn
your expensive zSeries cycles doing crypto, too. It all depends on
what your requirements are.
Adam