On Wednesday, 08/03/2011 at 04:23 EDT, Daniel Bewley 
<daniel.bew...@gmail.com> wrote:
> I experimented with those parameters but had no success with them in 
> place (I still have the commented line in my profile for when I get bored).
> 
> I believe the SECURE on the port definition forces it - I know for a 
> fact that I cannot connect to the system without SSL enabled in my client 
> (and a forced port definition of 23 - we use the RUMBA client here and it 
> seems to assume that SSL should travel over some other, unspecified port). 

Putting the SECURE option on the PORT statement is for those cases like 
https, where the SSL tunnel is established prior to the flow of any 
application protocol data.  E.g.
   PORT
       80  TCP  HTTPSERV 
      443  TCP  HTTPSERV SECURE MYCERT  NOAUTOLOG

However, current telnet and ftp clients use *negotiated* SSL, where the 
application decides when to create the SSL tunnel.  For these cases, you 
must configure the telnet and ftp servers to (1) influence the negotiation 
according to your security policy, and (2) have the name of the 
certificate they will use.  E.g.
   InternalClientParms
        SecureConnection Required
        TLSlabel MYCERT
   EndInternalClientParms 

MYCERT is the 8-character label you assigned to a [satisfied] certificate 
request in the SSL server or an imported certificate.  Make sure when you 
specify the certificate label on gskkyman that you use uppercase.  And in 
this case, the SECURE option is NOT present on the PORT entry.

Alan Altmark

Senior Managing z/VM and Linux Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott
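A defender-side check for the distinction drawn in the reply above: a port with SECURE on its PORT statement runs TLS itself and stays silent until the client sends a ClientHello, while a telnet server configured for negotiated TLS speaks first and offers the telnet START_TLS option. This is an added example, not code from the original mail or from z/VM TCP/IP; it assumes the server signals negotiated TLS with the START_TLS option (code 46, RFC 2941) and that host and port are supplied by the person running it.

```python
# Added example (not from the original mail): classify what a listening port
# sends before the client has said anything, so an administrator can verify
# whether a port is TLS-on-port (PORT ... SECURE) or negotiated TLS.
import socket

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
START_TLS = 46  # TELNET START_TLS option code (RFC 2941), assumed here

def telnet_options(data: bytes):
    """Return the (verb, option) pairs in a telnet negotiation stream."""
    found, i = [], 0
    while i + 1 < len(data):
        if data[i] != IAC:
            i += 1
        elif data[i + 1] == IAC:                 # escaped data byte 0xFF
            i += 2
        elif data[i + 1] in (DO, DONT, WILL, WONT) and i + 2 < len(data):
            found.append((data[i + 1], data[i + 2]))
            i += 3
        elif data[i + 1] == SB:                  # skip subnegotiation
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2
    return found

def classify_greeting(data: bytes) -> str:
    """Classify the first bytes a server sends on its own initiative."""
    if not data:
        return "silent: implicit TLS candidate (PORT ... SECURE)"
    if data[0] == IAC:
        if any(opt == START_TLS for _, opt in telnet_options(data)):
            return "telnet: negotiated TLS offered (START_TLS)"
        return "telnet: no TLS negotiation offered"
    if data.startswith(b"220"):
        return "ftp: clear banner, TLS only if AUTH TLS is negotiated"
    return "unknown greeting"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect (host/port are assumed inputs), wait for a greeting, classify."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            return classify_greeting(sock.recv(256))
        except socket.timeout:
            return classify_greeting(b"")
```

A "silent" verdict only says the server did not speak first; completing a TLS handshake on that port is the confirming step.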
