On Tuesday, 01/20/2009 at 11:46 EST, Sterling James <ssja...@dstsystems.com> wrote:
> I do have the v3.3.8p2 compiled with SSL support. I am trying to setup the
> "dynamic" connection (TELNET START-TLS) vs the static (ssl-tunnel). The
> unknowns are "how to" deal with the certificates.
>
> From http://x3270.bgp.nu/x3270-man.html
>
> Prepending an L: onto hostname causes x3270 to first create an SSL tunnel to the
> host, and then create a TN3270 session inside the tunnel. (This function is
> supported only if x3270 was built with SSL/TLS support). Note that
> TLS-encrypted sessions using the TELNET START-TLS option are negotiated with
> the host automatically; for these sessions the L: prefix should not be used.

If you specify L: then you have to use the "SECURE <label>" option on the PORT statement entry. If you do not specify the L:, then you DO NOT use the SECURE option on PORT, but add the SecureConnection and TLSlabel options to the InternalClientParms statement. Note that you cannot mix the two on the same port. If you need both, then use:

  InternalClientParms
    Port 23
    Port xxxx SecureConnection REQUIRED TLSlabel <label>
  EndInternalClientParms

  Port
    23   TCP INTCLIEN
    xxxx TCP INTCLIEN SECURE <label>

This allows the L: option to be used with port xxxx, while the default port (23) requires that START-TLS be used. This configuration restricts telnet login to only those telnet clients that support SSL/TLS. The persons that use L: will have to also be given the port number xxxx. (It's just easier to require that the emulator support the START-TLS option.)

The telnet server is smart enough to know not to try to negotiate security with a client if it is using a port that is defined as SECURE.

The <label> must be a 1-8 character label that was given when the certificate was requested or imported into the database. Feel free to use the same label in both places.

Alan Altmark
z/VM Development
IBM Endicott
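As an added example, not part of this thread and not IBM or x3270 code: a small Python check an administrator can run against their own ports to confirm the split described above, i.e. that the START-TLS port (23) greets with IAC DO START-TLS while the SECURE port (xxxx) sends no plaintext greeting and waits for the client's TLS handshake. The IAC command values and option 46 (START-TLS) come from the telnet specifications; the sample greetings are constructed, and probe() is a hypothetical helper name.

```python
import socket

# Telnet command bytes and the START-TLS option number (IANA option 46).
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
START_TLS = 46
CMD_NAMES = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}

# Constructed sample greetings, not captured from a real host.
SAMPLE_STARTTLS_PORT = bytes([IAC, DO, 24, IAC, DO, START_TLS])  # DO TERMINAL-TYPE, DO START-TLS
SAMPLE_PLAIN_PORT = bytes([IAC, DO, 24, IAC, DO, 25])             # DO TERMINAL-TYPE, DO END-OF-RECORD
SAMPLE_SECURE_PORT = b""                                           # nothing until a TLS ClientHello arrives

def parse_telnet_commands(data):
    """Return a list of (command, option) tuples for the IAC sequences in data."""
    cmds, i = [], 0
    while i + 1 < len(data):
        if data[i] != IAC:
            i += 1
            continue
        cmd = data[i + 1]
        if cmd == IAC:                       # escaped 0xFF data byte
            i += 2
        elif cmd in CMD_NAMES and i + 2 < len(data):
            cmds.append((CMD_NAMES[cmd], data[i + 2]))
            i += 3
        elif cmd == SB and i + 2 < len(data):
            end = data.find(bytes([IAC, SE]), i + 3)
            if end < 0:
                break
            cmds.append(("SB", data[i + 2]))  # subnegotiation, e.g. START-TLS FOLLOWS
            i = end + 2
        else:
            i += 2
    return cmds

def classify_greeting(data):
    """Classify what a telnet port sends first, before the client says anything."""
    if not data:
        return "no plaintext greeting (expected for a SECURE port, which waits for the client's TLS handshake)"
    if ("DO", START_TLS) in parse_telnet_commands(data):
        return "START-TLS offered (server sent IAC DO START-TLS)"
    return "plaintext telnet (no START-TLS negotiation offered)"

def probe(host, port, timeout=3.0):
    """Hypothetical helper: connect, read the server's first bytes, classify them."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(256)
        except socket.timeout:
            data = b""
    return classify_greeting(data)
```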