FYI... IBM and Attachmate are looking at this, it appears to be a
problem either with the Attachmate TN3270 client or the z/VM 5.4
TCPIP/TN3270/SSL.  The TN3270 client SHOULD be negotiating a secure
connection in explicit mode if capable, or fall back to unencrypted if
not.
 
-Mike

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On
Behalf Of Michael Coffin
Sent: Thursday, March 26, 2009 9:23 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SSL Encryption For TN3270


Hi Marci,
 
Oh, that simple.  In the Configure Connection page:
 
Terminal is IBM-3279
 
Encryption:  SSL V3.0
 
The following checkboxes are unchecked:
 
Use Attachmate Security
Use Microsoft Security implementation
Verify Server Identity
 
There is a checkbox at the bottom that is checked and reads
"Automatically enter data on this screen for new connections".  I cannot
find HELP for this and don't know what it is, but have been leaving it
at the default (checked) value (which works for implicit TN3270
connections with SECURE on the PORT statement, but not explicit TN3270
connections).
 
-Mike

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On
Behalf Of Marci Beach
Sent: Thursday, March 26, 2009 8:47 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SSL Encryption For TN3270


I mean on the client end in Attachmate Infoconnect. 



From: Michael Coffin <michaelcof...@mccci.com>
To: IBMVM@LISTSERV.UARK.EDU
Date: 03/26/2009 08:40 AM
Subject: Re: SSL Encryption For TN3270

Hi Marci, 
  
What do you mean by "security configuration"?  If you are referring to
RACF, we don't use it - we use VM:Secure and the Rules Facility. 
  
If you are referring to the INTERNALCLIENTPARMS, just SECURECONNECTION
PREFERRED and the TSLABEL statements.
  
-Mike 
-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On
Behalf Of Marci Beach
Sent: Thursday, March 26, 2009 7:33 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SSL Encryption For TN3270

What does your Security Configuration window look like and what values
do you have set?
 
                          Marci Beach 


From: Michael Coffin <michaelcof...@mccci.com>
To: IBMVM@LISTSERV.UARK.EDU
Date: 03/25/2009 03:25 PM
Subject: Re: SSL Encryption For TN3270

Hi Alan,

Good call on PREFERRED vs. ALLOWED, but unfortunately that didn't clear
it up (but I think I will keep PREFERRED as the setting).

I put a trace on Telnet but it's 250+ lines, so rather than include it in
this email, if you are interested you can see the trace here:

http://www.mccci.com/misc/telnet_trace.txt

Does anything look out of the ordinary in that trace?

-Mike

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On
Behalf Of Alan Altmark
Sent: Wednesday, March 25, 2009 1:45 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SSL Encryption For TN3270


On Wednesday, 03/25/2009 at 12:00 EDT, Michael Coffin
<michaelcof...@mccci.com> wrote:
> Thanks Miguel, you confirmed my understanding - but the darned client isn't
> behaving the way it should.  The client is Attachmate InfoConnect 8.1.
>
> When a TN3270 client connects using SSL in Config 1 (explicit, no SECURE parm
> on PORT) I see the connection open, the IP and port are reported, and the
> connection closes immediately in the TCPIP console log.  There is nothing on
> the SSL server console (with TRACE ALL):
>
> 11:37:08 DTCSTM305I  Telnet server: Secure Connections are ALLOWED
> 11:37:08 DTCSTM309I  Telnet server: TLS Label is NOTSHOWN
> 11:44:17 DTCSTM163I Telnet server:  Conn 0: Connection opened 03/25/09 at 11:44:17
> 11:44:17 DTCPRC150I Conn 0:  Foreign internet address and port: net address = 10.215.0.218, port=  3651
> 11:44:17 DTCSTM349I Telnet server:  Conn 0: Connection closed 03/25/09 at 11:44:17

Try setting SECURECONNECTION PREFERRED in PROFILE TCPIP.  If that works,
please open a PMR so that we can figure out why ALLOWED doesn't work.

The difference is whether (preferred) or not (allowed) the server proposes
the use of TLS.

Alan Altmark
z/VM Development
IBM Endicott
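
Added example (not part of the thread, and not IBM or Attachmate code): the PREFERRED vs. ALLOWED difference described above is whether the server proposes TLS, which shows up on the wire as IAC DO START_TLS in the server's first bytes. This sketch assumes the START_TLS option number 46 from the IANA Telnet option registry; the sample byte strings are constructed, not taken from the linked trace.

```python
# Added example: does a Telnet/TN3270 server's first flight propose START_TLS?
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
START_TLS = 46   # assumption: IANA Telnet option number for START_TLS
VERBS = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}

# Constructed samples (not from the linked trace).
OFFERS_TLS = bytes([IAC, DO, START_TLS])            # server proposes TLS
NO_OFFER = bytes([IAC, DO, 24, IAC, DO, 40])        # TERMINAL-TYPE, TN3270E only


def parse_negotiation(data: bytes):
    """Return [(verb, option)]; a subnegotiation is reported as ("SB", option)."""
    out, i, n = [], 0, len(data)
    while i + 1 < n:
        if data[i] != IAC:
            i += 1                       # ordinary data byte
            continue
        cmd = data[i + 1]
        if cmd in VERBS:
            if i + 2 >= n:
                break                    # truncated option command
            out.append((VERBS[cmd], data[i + 2]))
            i += 3
        elif cmd == SB:
            if i + 2 >= n:
                break
            j = i + 3
            # Skip to IAC SE, stepping over escaped IAC IAC inside the block.
            while j + 1 < n and not (data[j] == IAC and data[j + 1] == SE):
                j += 2 if data[j] == IAC else 1
            if j + 1 >= n:
                break                    # truncated subnegotiation
            out.append(("SB", data[i + 2]))
            i = j + 2
        else:
            i += 2                       # IAC IAC or another two-byte command
    return out


def server_proposes_tls(first_flight: bytes) -> bool:
    """True when the server sent IAC DO START_TLS (explicit mode offered)."""
    return ("DO", START_TLS) in parse_negotiation(first_flight)


if __name__ == "__main__":
    for name, sample in (("offers", OFFERS_TLS), ("no offer", NO_OFFER)):
        print(name, parse_negotiation(sample), server_proposes_tls(sample))
```

Feeding it the server-to-client bytes from a packet capture of the failing connection shows whether the server ever offered TLS before the close.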






