IPSEC
All,

I have a dumb question and apologize in advance for asking it here. We have an LDAP sitting on Windows being sent data that's encrypted with AES128 encryption. The STC on z/OS sends a 32k packet via a socket write and the customer has IPSEC turned on. We saw a hang of the Windows LDAP and we had the customer turn off IPSEC, and everything worked.

We are scratching our heads, wondering if we have a compatibility issue or is IPSEC completely transparent to the application...

Can someone enlighten this old man?

Scott

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
IPSec
All,

I am looking at implementing IPSec between z/os and windows/XP server. The RedBook sg247342 mentions using IBM's Configuration Assistant. Does anyone know if this is a requirement?

Scott ford
www.identityforge.com
Re: IPSEC
TCP packet size issue comes to mind. IPSEC adds to the total, causing packet fragmentation, and has been known to uncover other issues that would not normally be a problem. Check with the network folks what it should be set to for IPSEC.

Rob

On Mon, Dec 12, 2016, 10:12 PM scott Ford wrote:

--
Rob Schramm
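Rob's point that ESP adds bytes to every packet, worked through as an added example (not code from the thread): it computes how large a TCP segment becomes after ESP encapsulation and the largest MSS that still fits a 1500-byte path MTU. The algorithm parameters (IPv4, ESP with AES-128-CBC and HMAC-SHA1-96) are assumptions, not anything the thread states; the z/OS and Windows policies in Scott's case may negotiate something else.

```python
# Added example (not from the thread): ESP-encapsulated size of a TCP segment
# and the largest MSS that still fits the path MTU. Assumed (constructed)
# parameters: IPv4, ESP with AES-128-CBC and HMAC-SHA1-96; real policies may differ.
import math

IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
ESP_SPI_SEQ = 8    # ESP header: SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
IV_LEN = 16        # AES-CBC IV
BLOCK = 16         # AES block size; plaintext + trailer is padded to a multiple
ICV_LEN = 12       # HMAC-SHA1-96 integrity check value

def esp_padding(plain_len: int) -> int:
    """Padding bytes so that plaintext + ESP trailer fills whole AES blocks."""
    return (-(plain_len + ESP_TRAILER)) % BLOCK

def esp_packet_len(tcp_segment_len: int, mode: str = "transport") -> int:
    """Total on-the-wire IPv4 packet length once the TCP segment is ESP-protected.
    transport: only the TCP segment is encrypted; a single IP header remains.
    tunnel:    the whole inner IP packet is encrypted; an outer IP header is added.
    """
    if mode == "transport":
        plain = tcp_segment_len
    elif mode == "tunnel":
        plain = IP_HDR + tcp_segment_len
    else:
        raise ValueError(f"unknown mode {mode!r}")
    encrypted = plain + esp_padding(plain) + ESP_TRAILER
    return IP_HDR + ESP_SPI_SEQ + IV_LEN + encrypted + ICV_LEN

def max_mss(path_mtu: int, mode: str = "transport") -> int:
    """Largest TCP payload per segment whose ESP packet still fits the path MTU."""
    mss = path_mtu - TCP_HDR - IP_HDR  # what a host unaware of IPsec would advertise
    while mss > 0 and esp_packet_len(TCP_HDR + mss, mode) > path_mtu:
        mss -= 1
    return mss

def segments_for_write(write_len: int, mss: int) -> int:
    """Number of TCP segments a single socket write of write_len bytes becomes."""
    return math.ceil(write_len / mss)

if __name__ == "__main__":
    # An MSS of 1460 derived from a 1500 MTU overflows the MTU once ESP is added.
    print(esp_packet_len(TCP_HDR + 1460))                # 1544 > 1500: fragmented
    print(max_mss(1500), max_mss(1500, "tunnel"))        # 1418 1398
    print(segments_for_write(32 * 1024, max_mss(1500)))  # 24
```

Clamping the MSS to the value max_mss returns (or enabling path MTU discovery end to end) is what keeps the 32k write from fragmenting; if fragments are dropped somewhere on the path, the receiver stalls exactly as the LDAP hang described.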
Re: IPSec
You want to use zOSMF and the configuration selections within there. It is possible to write the configuration files yourself but it is much like taping together the contents of a shredder bucket to restore the original documents. It is not a requirement to use the GUI but you will be glad you did.

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433

From: Scott Ford
To: IBM-MAIN@LISTSERV.UA.EDU
Date: 09/21/2012 11:08
Subject: IPSec
Sent by: IBM Mainframe Discussion List

This communication may contain privileged and/or confidential information. It is intended solely for the use of the addressee. If you are not the intended recipient, you are strictly prohibited from disclosing, copying, distributing or using any of this information. If you received this communication in error, please contact the sender immediately and destroy the material in its entirety, whether electronic or hard copy. This communication may contain nonpublic personal information about consumers subject to the restrictions of the Gramm-Leach-Bliley Act. You may not directly or indirectly reuse or redisclose such information for any purpose other than to provide the services for which you are receiving the information.

127 Public Square, Cleveland, OH 44114
If you prefer not to receive future e-mail offers for products or services from Key send an e-mail to mailto:dnereque...@key.com with 'No Promotional E-mails' in the SUBJECT line.
Re: IPSec
OEDIT would do the trick as well, but the Config Assistant also writes your Policy Files.

OEDIT typical usage (from option 6):

  oedit /ADCD/etc/TCPIP.policy

  Welcome to the Policy Agent..

John Cassidy (Dipl.-Ingr.)
Kapellenstr. 21a
D-65193 Wiesbaden EU
Mobile: +49 (0) 170 794 3616
http://www.JDCassidy.net
http://en.federaleurope.org/
http://sva-zhosting.com/en/index.php
Re: IPSec
I used the configuration assistant initially, but couldn't get my head wrapped around why it was working the way it was until I looked at the code it was generating. Once I understood that, I found it easier to just code it manually and stopped using the assistant. The resulting code is a lot more compact and easier to read/debug.

Bart

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Scott Ford
Sent: Friday, September 21, 2012 11:03 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: IPSec
Re: IPSec
You can use either z/OSMF, or the Windows based Config Assistant. I think I read that after z/OS v1r13 you'll have to use z/OSMF, unfortunately.

Regards
Patrick Loftus
TNT Express ICS Ltd
IPSEC Configuration and Performance
We're considering using IPSEC to secure traffic between an internal router and a CICS application. Can anyone on this list give us any hints, tips or gotchas they may have from doing something similar themselves.

Thanks in advance.

Robert Crawford
Mainframe Management
United Services Automobile Association
(210) 913-3822

« Des clochards comme nous, bébé nous sommes nés pour courir » - Voltaire

Please send requests to mainframe management through our front door at go/mfmfrontdoor<https://onc.jira.usaacloud.com/secure/Dashboard.jspa?selectPageId=15466>
Re: IPSEC Configuration and Performance
On 7/1/20 1:49 PM, Crawford, Robert C. wrote:
> We're considering using IPSEC to secure traffic between an internal router and a CICS application. Can anyone on this list give us any hints, tips or gotchas they may have from doing something similar themselves.

I can't help.

But I'd love to be a fly on the wall and learn.

I've also got some questions, but that's more active than fly on the wall.

--
Grant. . . .
unix || die
Re: IPSEC Configuration and Performance
Ditto, sorry to go "off-topic" again ... I hope IBM is reading this, and hope they look to adding WireGuard support on Z.

From what little I know, WireGuard is far more manageable and performant than IPSec & IKEv2. Adding WireGuard support to z/OS shouldn't be too much of a "deviation" too, considering that the Linux kernel and OpenBSD now come baked-in with WG.

Link - https://www.wireguard.com/

- KB

‐‐‐ Original Message ‐‐‐
On Thursday, July 2, 2020 4:11 AM, Grant Taylor <023065957af1-dmarc-requ...@listserv.ua.edu> wrote:
Re: IPSEC Configuration and Performance
On 7/2/20 1:27 AM, kekronbekron wrote:
> Ditto, sorry to go "off-topic" again ... I hope IBM is reading this, and hope they look to adding WireGuard support on Z.

I would be mildly, but pleasantly, surprised to see WireGuard added to z/OS.

> Adding WireGuard support to z/OS shouldn't be too much of a "deviation" too, considering that the Linux kernel and OpenBSD now come baked-in with WG.

I naively assumed that IPsec on z/OS would be transport mode, not tunnel mode. I say this because I assume that most of the IP traffic to / from a mainframe is terminal on the mainframe and doesn't actually route through the mainframe as a router.

With this in mind, I wonder how effective IPsec tunnel mode would be, seeing as how additional IP traffic would need to go inside of it.

Conversely transport mode would be used to authenticate and / or encrypt traffic to / from the mainframe.

But, I am just speculating and could be completely wrong.

--
Grant. . . .
unix || die
Re: IPSEC Configuration and Performance
We did set up an ipsec tunnel between our z/os system down to a group of devices. Our environment may be different in that the tunnel goes to our firewall, and the devices are in a secure vlan behind the firewall.

A couple of notes:

1) the ipsec tunnel definition is between your base (i.e. primary) ip address and the remote end

2) your cics traffic will need to be coming from a different ip address (i.e. also referenced as "interesting traffic"). Use SRCIP to set the ip address of the cics region (if cics is the session initiator). If the cics is the target, just make sure the listener is this secondary ip address.

Peter
Cisco IPSEC client for Nexus Android tablet
Is there such a thing as the above?

Jim McAlpine
Re: Cisco IPSEC client for Nexus Android tablet
>>> On 1/18/2013 at 03:11 AM, Jim McAlpine wrote:
> Is there such a thing as the above ?

http://lmgtfy.com/?q=cisco+ipsec+client+for+android

Mark Post
IPSec filter rule definition for sysplex distributed dynamic VIPA
ROUTED or LOCAL? I *think* it may have to be ROUTED but I am not finding any information to conclusively prove that, and before I test it out, I ask.

The reason I ask is because I have reason to specify a traffic descriptor for a restricted set of ports and that would not be in compliance with RFC 4301. I understand that the distributing stack forwards the packets, but at the same time the VIPA is on the distributing stack... so is it local or is it routed?

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433