Hi Dave,

Let me preface: I'm just a part-time VM'er. I just got on this listserv a few weeks ago, so I didn't see any of the previous. I spend most of my time with z/OS TCP/IP, but the two stacks are pretty close.
- Last time I looked, x3270 is a TN3270 client, not TN3270e. The little 'e' makes all the difference for SSL support. You could run Stunnel on your client machine. We use it under a bunch of our clients' older 3270 packages. I haven't tried it specifically with x3270, but haven't heard of any other packages where it wouldn't. Passport is TN3270e, so I'd lean toward using that guy for testing.
- If you don't already have FTPD set up for SSL, I'd try that first. It's a lot easier verifying the TCP/IP SSL config with FTP before dinking with TN3270. I use one guest or LPAR logon to contact the other test server. The IBM FTP client at least provides some tracing functions.
- Are you running self-signed certs? That generates some setup wrinkles on the client side of things.
- For Passport we specify Microsoft Security. I can't remember exactly why we did this, just that it works.
- Forgive me if this sounds stupid. I know Passport has both telnet (VT100) and 3270 modes. Is your server's port 992 hooked to 3270? Vanilla telnet doesn't support SSL (the encrypted telnet flavor of the month is generally ssh).
- And another stupid one. Make sure your vendor's CA certs are trusted. The ones IBM supplies in RACF are all set to NOTRUST. (How untrusting of those guys!)
- And! If that's not enough, does your cert vendor use intermediate certs? At least in RACF'land, folks like Digicert and Comodo have given me considerable heartburn. They don't provide documentation in mainframe-ese on how you set them up. I've gotten bitten where the main CA cert verifies, but fails because there's a missing intermediate. FTP and trace give you some idea which one it gagged on.

Hope something in there helps,
Bruce

Bruce Heckler
ACT Datacenter, University of California – San Diego
10280 North Torrey Pines Rd. #375
La Jolla CA. 92093
(858) 534-2152

From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Dave Keeton
Sent: Tuesday, May 12, 2009 4:23 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SSL Encryption For TN3270

I've been very interested in this thread, as I'm also trying to set up the SSLSERV for Telnet sessions. I am also experiencing the same problem of connections failing. I have tried to use both x3270 under Linux (using the L:<host>:992 option) and Passport to connect using SSL. Neither completes a connection - VM disconnects immediately. Was there a final solution?

Thanks,
Dave

-----Original Message-----
From: Michael Coffin <michaelcof...@mccci.com>
Reply-to: The IBM z/VM Operating System <IBMVM@LISTSERV.UARK.EDU>
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SSL Encryption For TN3270
Date: Fri, 27 Mar 2009 09:31:41 -0400

FYI... IBM and Attachmate are looking at this; it appears to be a problem either with the Attachmate TN3270 client or the z/VM 5.4 TCPIP/TN3270/SSL. The TN3270 client SHOULD be negotiating a secure connection in explicit mode if capable, or fall back to unencrypted if not.

-Mike

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Michael Coffin
Sent: Thursday, March 26, 2009 9:23 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SSL Encryption For TN3270

Hi Marci,

Oh, that simple. In the Configure Connection page:

Terminal is IBM-3279
Encryption: SSL V3.0

The following checkboxes are unchecked:
Use Attachmate Security
Use Microsoft Security implementation
Verify Server Identity

There is a checkbox at the bottom that is checked and reads "Automatically enter data on this screen for new connections".
I cannot find HELP for this and don't know what it is, but have been leaving it at the default (checked) value (which works for implicit TN3270 connections with SECURE on the PORT statement, but not explicit TN3270 connections).

-Mike

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Marci Beach
Sent: Thursday, March 26, 2009 8:47 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SSL Encryption For TN3270

I mean on the client end in Attachmate Infoconnect.

From: Michael Coffin <michaelcof...@mccci.com>
To: IBMVM@LISTSERV.UARK.EDU
Date: 03/26/2009 08:40 AM
Subject: Re: SSL Encryption For TN3270

Hi Marci,

What do you mean by "security configuration"? If you are referring to RACF, we don't use it - we use VM:Secure and the Rules Facility. If you are referring to the INTERNALCLIENTPARMS, just SECURECONNECTION PREFERRED and the TLSLABEL statements.

-Mike

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Marci Beach
Sent: Thursday, March 26, 2009 7:33 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SSL Encryption For TN3270

What does your Security Configuration window look like and what values do you have set?

Marci Beach

From: Michael Coffin <michaelcof...@mccci.com>
To: IBMVM@LISTSERV.UARK.EDU
Date: 03/25/2009 03:25 PM
Subject: Re: SSL Encryption For TN3270

Hi Alan,

Good call on PREFERRED vs. ALLOWED, but unfortunately that didn't clear it up (but I think I will keep PREFERRED as the setting). I put a trace on Telnet, but it's 250+ lines, so rather than include it in this email, if you are interested you can see the trace here: http://www.mccci.com/misc/telnet_trace.txt

Does anything look out of the ordinary in that trace?
-Mike

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Alan Altmark
Sent: Wednesday, March 25, 2009 1:45 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SSL Encryption For TN3270

On Wednesday, 03/25/2009 at 12:00 EDT, Michael Coffin <michaelcof...@mccci.com> wrote:
> Thanks Miguel, you confirmed my understanding - but the darned client isn't
> behaving the way it should. The client is Attachmate InfoConnect 8.1.
>
> When a TN3270 client connects using SSL in Config 1 (explicit, no SECURE parm
> on PORT) I see the connection open, the IP and port are reported, and the
> connection closes immediately in the TCPIP console log. There is nothing on
> the SSL server console (with TRACE ALL):
>
> 11:37:08 DTCSTM305I Telnet server: Secure Connections are ALLOWED
> 11:37:08 DTCSTM309I Telnet server: TLS Label is NOTSHOWN
> 11:44:17 DTCSTM163I Telnet server: Conn 0: Connection opened 03/25/09 at 11:44:17
> 11:44:17 DTCPRC150I Conn 0: Foreign internet address and port: net address = 10.215.0.218, port= 3651
> 11:44:17 DTCSTM349I Telnet server: Conn 0: Connection closed 03/25/09 at 11:44:17

Try setting SECURECONNECTION PREFERRED in PROFILE TCPIP. If that works, please open a PMR so that we can figure out why ALLOWED doesn't work. The difference is whether (preferred) or not (allowed) the server proposes the use of TLS.

Alan Altmark
z/VM Development
IBM Endicott
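As an added example (not part of the thread or of any IBM tooling), a small Python script that runs over TCPIP console lines in the DTCSTM305I / DTCSTM163I / DTCPRC150I / DTCSTM349I format Mike quoted and reports the SECURECONNECTION mode the Telnet server announced together with every connection it closed within a couple of seconds of opening, the open-then-immediate-close pattern discussed above. The sample log is constructed (modelled on the quoted lines, with a second healthy session added); the function names and the 2-second threshold are my own.

```python
import re
from datetime import datetime

# Constructed sample in the format of the z/VM TCPIP console lines quoted in the
# thread: Conn 0 mirrors the failing explicit-TLS attempt, Conn 1 is a healthy session.
SAMPLE_LOG = """\
11:37:08 DTCSTM305I Telnet server: Secure Connections are ALLOWED
11:37:08 DTCSTM309I Telnet server: TLS Label is NOTSHOWN
11:44:17 DTCSTM163I Telnet server: Conn 0: Connection opened 03/25/09 at 11:44:17
11:44:17 DTCPRC150I Conn 0: Foreign internet address and port: net address = 10.215.0.218, port= 3651
11:44:17 DTCSTM349I Telnet server: Conn 0: Connection closed 03/25/09 at 11:44:17
11:45:02 DTCSTM163I Telnet server: Conn 1: Connection opened 03/25/09 at 11:45:02
11:45:02 DTCPRC150I Conn 1: Foreign internet address and port: net address = 10.215.0.77, port= 4102
11:52:30 DTCSTM349I Telnet server: Conn 1: Connection closed 03/25/09 at 11:52:30
"""

MODE_RE = re.compile(r"DTCSTM305I .*Secure Connections are (\w+)")
OPEN_RE = re.compile(r"DTCSTM163I .*Conn (\d+): Connection opened (\S+) at (\S+)")
PEER_RE = re.compile(r"DTCPRC150I Conn (\d+): .*net address = (\S+), port= (\d+)")
CLOSE_RE = re.compile(r"DTCSTM349I .*Conn (\d+): Connection closed (\S+) at (\S+)")

def _stamp(date, time):
    return datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S")

def secure_mode(log_text):
    """Last SECURECONNECTION mode the Telnet server announced (ALLOWED, PREFERRED, ...)."""
    modes = MODE_RE.findall(log_text)
    return modes[-1] if modes else None

def find_immediate_closes(log_text, max_seconds=2):
    """(conn, peer_ip, peer_port, lifetime_seconds) for each connection the server
    closed within max_seconds of opening: the open/close pattern Mike reported."""
    opened, peers, short = {}, {}, []
    for line in log_text.splitlines():
        if m := OPEN_RE.search(line):
            opened[m.group(1)] = _stamp(m.group(2), m.group(3))
        elif m := PEER_RE.search(line):
            peers[m.group(1)] = (m.group(2), int(m.group(3)))
        elif m := CLOSE_RE.search(line):
            conn = m.group(1)
            if conn not in opened:  # close without a matching open in this window
                continue
            life = (_stamp(m.group(2), m.group(3)) - opened.pop(conn)).total_seconds()
            ip, port = peers.pop(conn, ("?", 0))  # Conn numbers are reused; clear state
            if life <= max_seconds:
                short.append((conn, ip, port, life))
    return short
```

Calling `find_immediate_closes(SAMPLE_LOG)` on the sample returns only Conn 0 (closed 0 s after opening), while `secure_mode(SAMPLE_LOG)` returns the announced mode, which is what you would compare against the SECURECONNECTION setting in PROFILE TCPIP.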