Re: How to reload SSL certificate for z/OS TN3270 server
Wayne

How time flies! It seems only yesterday I was reflecting on the novelty of actually having the TN3270 server function running as an "external client" as is the relationship of all the other server - and indeed *real* client - functions associated with TCP/IP for MVS - as I first knew it - to the main address space. Actually it seems only the day before yesterday I was wrestling with this novel networking software, its peculiar ways and its cavalier approach to terminology when the same component was sometimes a "server" and sometimes a "client", whether "internal" or "external".

Chris Mason

----- Original Message -----
From: "Wayne Driscoll" <[EMAIL PROTECTED]>
Newsgroups: bit.listserv.ibm-main
To:
Sent: Wednesday, May 16, 2007 1:02 PM
Subject: Re: How to reload SSL certificate for z/OS TN3270 server

Chris,

All true, except, "encouragement" should be replaced by "long term requirement" as z/OS 1.8 is the last version of CS that supports the TN3270 running as a subtask of the TCPIP stack. The sooner you get to running the TN3270 in a separate address space, the sooner you eliminate a migration task.

Wayne Driscoll
Product Developer
JME Software LLC
[EMAIL PROTECTED]
Phone: (630) 663-0719
Mobile: (630) 247-1632

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Chris Mason
Sent: Tuesday, May 15, 2007 11:08 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: How to reload SSL certificate for z/OS TN3270 server

Tom

The encouragement today is to split the "internal client", namely the TN3270 server function, from the main CS IP address space and run it in its own address space. Thus "recycling" the TN3270 server is not necessarily going to involve "recycling" the whole of CS IP. Perhaps the need sometimes to "recycle" the TN3270 server is one of the reasons why the split is encouraged.

Chris Mason

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: How to reload SSL certificate for z/OS TN3270 server
Either way, Subtask of TCPIP or separate address space, doesn't matter. To reload the SSL cert for TN3270 all secureports must be stopped. Can be done with OBEYFILE commands, but will disrupt all secure TN3270 connections.
Re: How to reload SSL certificate for z/OS TN3270 server
Chris,

All true, except, "encouragement" should be replaced by "long term requirement" as z/OS 1.8 is the last version of CS that supports the TN3270 running as a subtask of the TCPIP stack. The sooner you get to running the TN3270 in a separate address space, the sooner you eliminate a migration task.

Wayne Driscoll
Product Developer
JME Software LLC
[EMAIL PROTECTED]
Phone: (630) 663-0719
Mobile: (630) 247-1632

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Chris Mason
Sent: Tuesday, May 15, 2007 11:08 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: How to reload SSL certificate for z/OS TN3270 server

Tom

The encouragement today is to split the "internal client", namely the TN3270 server function, from the main CS IP address space and run it in its own address space. Thus "recycling" the TN3270 server is not necessarily going to involve "recycling" the whole of CS IP. Perhaps the need sometimes to "recycle" the TN3270 server is one of the reasons why the split is encouraged.

Chris Mason
Re: How to reload SSL certificate for z/OS TN3270 server
Tom

The encouragement today is to split the "internal client", namely the TN3270 server function, from the main CS IP address space and run it in its own address space. Thus "recycling" the TN3270 server is not necessarily going to involve "recycling" the whole of CS IP. Perhaps the need sometimes to "recycle" the TN3270 server is one of the reasons why the split is encouraged.

Chris Mason

----- Original Message -----
From: "Thomas Conley" <[EMAIL PROTECTED]>
Newsgroups: bit.listserv.ibm-main
To:
Sent: Tuesday, May 15, 2007 6:24 PM
Subject: Re: How to reload SSL certificate for z/OS TN3270 server

...

Make no mistake, varying the port offline will kill existing sessions, but it is less disruptive than recycling all of TCP/IP.

Regards,
Tom Conley
Re: How to reload SSL certificate for z/OS TN3270 server
On Tue, 15 May 2007 11:37:49 -0400, Matt Simpson <[EMAIL PROTECTED]> wrote:

>Our SSL certificate is about to expire, and we have received a renewal
>certificate. Does the TN3270 server read the certificate each time a
>connection is established, so it will get the new one as soon as it is
>updated? Or is the certificate loaded into memory when the server is
>started, so that some action is necessary to reload it? And if it has
>to be reloaded, what is the least disruptive way to do it? I assume
>restarting the TCP/IP system would do it, but that tends to make the
>phones ring.

Matt,

First things first. Did you update RACF or gskkyman with the new certificate?

Make no mistake, varying the port offline will kill existing sessions, but it is less disruptive than recycling all of TCP/IP.

Regards,
Tom Conley
Re: How to reload SSL certificate for z/OS TN3270 server
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Longnecker, Dennis) wrote:

> TO load this certificate without recycling.
>
> 1)Take the port offline:
> V TCPIP,tcpip,T,STOP,PORT=23001
>
> 2)Now activate it:

Thanks. Does this disrupt existing sessions? Or does it just prevent new connections for the brief time that the port is being restarted?

--
Matt Simpson -- z/OS Support
219 McVey Hall -- (859) 257-2900 x300
University Of Kentucky, Lexington, KY 40506
http://jms.cc.uky.edu/
Re: How to reload SSL certificate for z/OS TN3270 server
Here are my notes to install a new certificate (port 23001 is my SSL port).

TO load this certificate without recycling.

1) Take the port offline:
   V TCPIP,tcpip,T,STOP,PORT=23001

2) Now activate it:
   v tcpip,tcpip,obeyfile,dsn=SYS1.TCPPARMS($$dennis)
   v tcpip,tcpip,obeyfile,dsn=SYS1.TCPPARMS($$dennit)   for Test LPAR

Where the obeyfile member has the necessary begin VTAM and TELNETPARMS section in it.

If you need more detailed examples, send me a note.

Dennis

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Matt Simpson
Sent: Tuesday, May 15, 2007 8:38 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: How to reload SSL certificate for z/OS TN3270 server

Our SSL certificate is about to expire, and we have received a renewal certificate. Does the TN3270 server read the certificate each time a connection is established, so it will get the new one as soon as it is updated? Or is the certificate loaded into memory when the server is started, so that some action is necessary to reload it? And if it has to be reloaded, what is the least disruptive way to do it? I assume restarting the TCP/IP system would do it, but that tends to make the phones ring.

--
Matt Simpson -- z/OS Support
219 McVey Hall -- (859) 257-2900 x300
University Of Kentucky, Lexington, KY 40506
http://jms.cc.uky.edu/
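
Added example, not part of the original thread or of anyone's posted notes: one way to confirm from a workstation that the secure port is presenting the renewed certificate after the port restart described above, by comparing SHA-256 fingerprints. It assumes the port (23001 in the notes above) starts TLS directly on connect and that each PEM file holds a single certificate; the function names and the sample PEM constants are hypothetical, and the constants are constructed placeholders, not real certificates.

```python
import hashlib
import socket
import ssl
import sys

# Constructed placeholders, NOT real certificates: just enough PEM framing
# to exercise the comparison offline.
SAMPLE_OLD_PEM = "-----BEGIN CERTIFICATE-----\nb2xkLWNlcnQ=\n-----END CERTIFICATE-----\n"
SAMPLE_NEW_PEM = "-----BEGIN CERTIFICATE-----\nbmV3LWNlcnQ=\n-----END CERTIFICATE-----\n"


def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprint(pem_text):
    """Fingerprint of the single certificate held in a PEM string."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem_text.strip()))


def fetch_served_cert(host, port, timeout=5.0):
    """Return the DER certificate the listener presents (assumes direct TLS)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Validation is off on purpose: an expired certificate must still be
    # retrievable so that it can be identified.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert(binary_form=True)


def reload_status(served_der, old_pem, new_pem):
    """Classify the served certificate against the old and renewed files."""
    served = fingerprint(served_der)
    if served == pem_fingerprint(new_pem):
        return "renewed"
    if served == pem_fingerprint(old_pem):
        return "stale"  # the listener is still presenting the old certificate
    return "unknown"    # neither file matches what the port serves


if __name__ == "__main__":
    # usage: check.py <host> <port> <old.pem> <new.pem>
    host, port, old_path, new_path = sys.argv[1:5]
    with open(old_path) as old, open(new_path) as new:
        served_der = fetch_served_cert(host, int(port))
        print(reload_status(served_der, old.read(), new.read()))
```

Running it once after the keyring is updated and again after the port is restarted shows directly whether the listener picked up the new certificate without the restart.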
How to reload SSL certificate for z/OS TN3270 server
Our SSL certificate is about to expire, and we have received a renewal certificate. Does the TN3270 server read the certificate each time a connection is established, so it will get the new one as soon as it is updated? Or is the certificate loaded into memory when the server is started, so that some action is necessary to reload it? And if it has to be reloaded, what is the least disruptive way to do it? I assume restarting the TCP/IP system would do it, but that tends to make the phones ring.

--
Matt Simpson -- z/OS Support
219 McVey Hall -- (859) 257-2900 x300
University Of Kentucky, Lexington, KY 40506
http://jms.cc.uky.edu/