TLS, AT-TLS, Encryption Requirements

2012-02-07 Thread Henke, George
Has anyone done this?

Besides coding TTLS in the TCPCONFIG statement in the TCPIP PROFILE, does 
anything else, like enabling encryption cards, need to be done?

Also, is TLS downward compatible with older TN3270 emulators, like PROCOMM?





--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN


Re: TLS, AT-TLS, Encryption Requirements

2012-02-07 Thread Tom Ambros
Make sure you understand the SERVAUTH EZB.INITSTACK.** requirements for 
things like OMPROUTE and use DELAYSTART if you're autologging things. 

We're considering whether it is worth changing up parent-child 
relationships in SA because it can be disconcerting to see lots of 
ICH408I messages before Policy Agent installs the TLS policy. Once you 
see some of those you are obliged to inspect to make sure that whatever 
issued it was intelligent enough to recover; the smart thing is to stamp 
them all out in your sandbox first. That's pretty much where we sit right 
now; we have questions about certain requirements with IKE and NSS which 
hold up our rollout, so production experience is not to be had here yet. 

I believe your emulator needs to be capable; my old Attachmate was not. 

Encryption will run anywhere, but it's like what they ask you if you want 
to play baccarat.  "Do you have a lot of money?"  Crypto hardware not 
necessary but preferred. 

In our case, we're playing around with automatic VPN tunneling because 
relying on products on a desktop to be capable is not always possible. 

Thomas Ambros
Operating Systems and Connectivity Engineering
518-436-6433







Re: TLS, AT-TLS, Encryption Requirements

2012-02-07 Thread Henke, George
tyvm, Tom

When you say crypto hardware is not necessary but preferred, do you mean we do 
not have to enable the cryptographic cards to turn on TLS?



Re: TLS, AT-TLS, Encryption Requirements

2012-02-07 Thread Rob Schramm
George,

You should at least get the freebie encryption turned on for the box.  The
lack of the SERVAUTH setup can have a deleterious effect: if you have a
UACC(NONE) at the wrong level and then specify TCPCONFIG TLS, it will stop all
other services from starting up.  You can use OBEY to change the TCPCONFIG
dynamically and avoid it.

Once the negotiation has completed, the encryption will start using some
sort of symmetric ... which the freebie will help out with performance.

Rob Schramm
Senior Systems Consultant



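Both Tom's and Rob's replies come down to the same operational point: started tasks that open the stack before Policy Agent has installed the AT-TLS policy fail the SERVAUTH EZB.INITSTACK check and leave ICH408I messages behind, and each one has to be looked at. The script below is an added example (my code, not from anyone in this thread) of the triage step: it parses ICH408I messages out of a syslog extract, keeps only SERVAUTH denials on EZB.INITSTACK.* resources, counts them per started-task userid, and drafts a RACF PERMIT on the generic profile RACF actually matched. The sample syslog lines are constructed and only approximate RACF's message layout; the system/stack name SYSA.TCPIP and the userids are made up, and the drafted commands are for a human to review against the sandbox, not to apply unread.

```python
"""Triage RACF ICH408I SERVAUTH denials from a syslog extract.

Added example, not code from the IBM-MAIN thread. Groups EZB.INITSTACK.*
denials by userid so the tasks that started before the AT-TLS policy was
installed can be identified, and drafts a PERMIT for each (for review).
"""
import re
from collections import Counter

# Constructed sample, shaped like RACF's multi-line ICH408I resource
# violation. Real SYSLOG lines carry timestamps/jobnames; names are invented.
SAMPLE_SYSLOG = """\
ICH408I USER(OMPROUTE) GROUP(STCGROUP) NAME(OMPROUTE STC)
  EZB.INITSTACK.SYSA.TCPIP CL(SERVAUTH)
  INSUFFICIENT ACCESS AUTHORITY
  FROM EZB.INITSTACK.** (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(OMPROUTE) GROUP(STCGROUP) NAME(OMPROUTE STC)
  EZB.INITSTACK.SYSA.TCPIP CL(SERVAUTH)
  INSUFFICIENT ACCESS AUTHORITY
  FROM EZB.INITSTACK.** (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(SYSLOGD) GROUP(STCGROUP) NAME(SYSLOG DAEMON)
  EZB.INITSTACK.SYSA.TCPIP CL(SERVAUTH)
  INSUFFICIENT ACCESS AUTHORITY
  FROM EZB.INITSTACK.** (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(JSMITH) GROUP(USERS) NAME(J SMITH)
  SYS1.PARMLIB CL(DATASET)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
"""

HEADER_RE = re.compile(r"^ICH408I\s+USER\((\w+)\s*\)")
RESOURCE_RE = re.compile(r"^\s+(\S+)\s+CL\((\w+)\)")
FROM_RE = re.compile(r"^\s+FROM\s+(\S+)")
ACCESS_RE = re.compile(r"ACCESS INTENT\((\w+)\s*\)\s+ACCESS ALLOWED\((\w+)\s*\)")


def parse_ich408i(text):
    """Return one dict per ICH408I message (user, resource, class,
    matched profile from the FROM line, access intent, access allowed)."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"user": m.group(1), "resource": None, "class": None,
                       "profile": None, "intent": None, "allowed": None}
            records.append(current)
            continue
        if current is None:
            continue  # syslog line outside any ICH408I message
        m = RESOURCE_RE.match(line)
        if m and current["resource"] is None:
            current["resource"], current["class"] = m.group(1), m.group(2)
            continue
        m = FROM_RE.match(line)
        if m:
            current["profile"] = m.group(1)
            continue
        m = ACCESS_RE.search(line)
        if m:
            current["intent"], current["allowed"] = m.group(1), m.group(2)
    return records


def initstack_violations(records):
    """Count SERVAUTH denials on EZB.INITSTACK.* per (user, resource, profile).
    Other classes (e.g. the DATASET violation above) are ignored."""
    hits = Counter()
    for r in records:
        if (r["class"] == "SERVAUTH" and r["resource"]
                and r["resource"].startswith("EZB.INITSTACK.")
                and r["allowed"] == "NONE"):
            hits[(r["user"], r["resource"], r["profile"] or r["resource"])] += 1
    return hits


def draft_permits(hits):
    """Draft one PERMIT per userid on the profile RACF matched, plus the
    RACLIST refresh needed for SERVAUTH changes to take effect. Review before use:
    a task may instead belong on DELAYSTART in AUTOLOG, as the thread notes."""
    cmds = []
    for user, _resource, profile in sorted(hits):
        cmd = f"PERMIT {profile} CLASS(SERVAUTH) ID({user}) ACCESS(READ)"
        if cmd not in cmds:
            cmds.append(cmd)
    if cmds:
        cmds.append("SETROPTS RACLIST(SERVAUTH) REFRESH")
    return cmds


if __name__ == "__main__":
    hits = initstack_violations(parse_ich408i(SAMPLE_SYSLOG))
    for (user, resource, profile), n in sorted(hits.items()):
        print(f"{user:<8} {n:>3} denial(s) on {resource} (matched {profile})")
    print("\n".join(draft_permits(hits)))
```

Run it against a SYSLOG extract in place of SAMPLE_SYSLOG; a userid that keeps appearing after the permits are in place points at a task that is starting ahead of Policy Agent rather than at a missing permit.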


Re: TLS, AT-TLS, Encryption Requirements

2012-02-09 Thread Henke, George
ty

We have the following RING attributes defined.

Are these compatible with TLS?

Key Use: HandShake
Key Type: Non-ICSF
Keysize: 2048


Re: TLS, AT-TLS, Encryption Requirements

2012-02-09 Thread Hal Merritt
All of our TN3270 traffic is now under TLS. The PROFILE entries are a little 
strange as you have to define a port (unlike FTP). We use ICSF, so it's been on 
the whole time. Many say it is not a deal breaker requirement. 

I think that TLS is a superset of SSL, so they might talk ok. Getting SSL/TLS 
support in a client is often an extra cost option. You should be able to poke 
around PROCOMM settings and see if you see the configuration options. 

IMHO, the biggest single challenge is certificate management. Certificates have 
a pretty steep learning curve. As with any encryption solution, the actual 
encryption is trivial but the key (certificate) management is a killer. 

HTH and good luck. 
 





Re: TLS, AT-TLS, Encryption Requirements

2012-02-10 Thread Timothy Sipples
Hal Merritt writes:
>IMHO, the biggest single challenge is certificate management. Certificates
>have a pretty steep learning curve. As with any encryption solution, the
>actual encryption is trivial but the key (certificate) management is a
>killer.

It's exactly the same conceptual learning curve you'd have for enabling
HTTPS in an arbitrary Web server, and an awful lot of IT workers manage
that. Frankly what most people do is to go buy an SSL/TLS server
certificate signed by one of the well-known certificate authorities (in the
desired file format) then simply go install it. Meaning, they probably
don't understand what they're doing, they just do it. If you want to
understand how TLS and SSL work, yes, you'll need a little more time. :-)


Timothy Sipples
Resident Enterprise Architect (Based in Singapore)
E-Mail: timothy.sipp...@us.ibm.com
