On Wednesday, 08/03/2011 at 04:23 EDT, Daniel Bewley <daniel.bew...@gmail.com> wrote:
> I experimented with those parameters but had no success with them in place (I
> still have the commented line in my profile for when I get bored).
>
> I believe the SECURE on the port definition forces it - I know for a fact that
> I cannot connect to the system without SSL enabled in my client (and a forced
> port definition of 23 - we use the RUMBA client here and it seems to assume
> that SSL should travel over some other, unspecified port).
Putting the SECURE option on the PORT statement is for those cases like https, where the SSL tunnel is established prior to the flow of any application protocol data. E.g.

  PORT
    80  TCP HTTPSERV
    443 TCP HTTPSERV SECURE MYCERT NOAUTOLOG

However, current telnet and ftp clients use *negotiated* SSL, where the application decides when to create the SSL tunnel. For these cases, you must configure the telnet and ftp servers to (1) influence the negotiation according to your security policy, and (2) have the name of the certificate they will use. E.g.

  InternalClientParms
    SecureConnection Required
    TLSlabel MYCERT
  EndInternalClientParms

MYCERT is the 8-character label you assigned to a [satisfied] certificate request in the SSL server or an imported certificate. Make sure when you specify the certificate label on gskkyman that you use uppercase.

And in this case, the SECURE option is NOT present on the PORT entry.

Alan Altmark
Senior Managing z/VM and Linux Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323  mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott
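The two patterns Alan contrasts, laid out side by side as an added example (editor's illustration, not text from Alan's post or from IBM documentation): implicit TLS on a PORT entry for an application that wraps the whole connection, and negotiated TLS for telnet and FTP, where the PORT entry stays plain and the server's own configuration carries the policy and certificate label. The PORT and InternalClientParms lines follow the forms shown in the post; the FTP server lines (SECURECONTROL, SECUREDATA and TLSLABEL in SRVRFTP CONFIG) are my recollection of the z/VM FTP server's negotiated-TLS statements and should be verified against the TCP/IP Planning and Customization book for your release. Certificate label MYCERT and the virtual machine names are placeholders.

```text
* PROFILE TCPIP (fragment)
*
* Implicit TLS: the SSL server wraps the connection before any HTTP
* flows, so SECURE and the certificate label belong on the PORT entry.
* Port 80 stays clear-text for comparison.
PORT
  80  TCP HTTPSERV            ; plain HTTP
  443 TCP HTTPSERV SECURE MYCERT NOAUTOLOG   ; HTTPS, tunnel first
*
* Negotiated TLS: telnet and FTP start in the clear and the application
* decides when to start TLS, so their PORT entries carry NO SECURE option.
* (A SECURE entry here would expect an SSL handshake as the very first
* bytes, which a negotiating client does not send.)
  23  TCP INTCLIEN            ; telnet, policy set below
  21  TCP FTPSERVE            ; FTP control, policy in SRVRFTP CONFIG
  20  TCP FTPSERVE NOAUTOLOG  ; FTP data
*
* Telnet policy: REQUIRED refuses sessions that do not negotiate TLS;
* ALLOWED would accept either. The label must match the gskkyman entry
* exactly, in uppercase.
InternalClientParms
  SecureConnection Required
  TLSlabel MYCERT
EndInternalClientParms
```

```text
* SRVRFTP CONFIG (fragment) - assumed statement names, verify per release
*
* Control and data connections are negotiated separately in FTP, so
* require TLS on both; otherwise a client can protect the login but
* still transfer file contents in the clear.
SECURECONTROL REQUIRED
SECUREDATA    REQUIRED
TLSLABEL      MYCERT
```

One check worth doing after the change: from a client with TLS disabled, a connection to port 23 or 21 should be accepted at the TCP level and then rejected by the server once the TLS negotiation does not happen, whereas port 443 should refuse to speak at all until the handshake completes. If telnet over a plain client still yields a logon screen, the policy is ALLOWED rather than REQUIRED, or the InternalClientParms block was not picked up by the running stack.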