Re: Encrypting z/OS SNMP traps to Windows SNMP server
Attila Fogarasi wrote:
>CA Common Services supports SNMPv3 with DES encryption and SHA-5 and
>MD5 authentication, hopefully that works with your Solar Winds Orion
>server.

Even if the target server currently supports DES, I don't recommend this idea. It's entirely possible, even likely, that the next release update will disable support for DES. It'd be a very short-term solution at best.

Are there any other encryption and hashing algorithms that CA Common Services SNMPv3 supports? For example, is it possible to configure CA Common Services to use whatever z/OS System SSL supports?

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Encrypting z/OS SNMP traps to Windows SNMP server
CA Common Services supports SNMPv3 with DES encryption and SHA-5 and MD5 authentication, hopefully that works with your Solar Winds Orion server. You define the use of encryption in the SNMPCNFG member for your ENFSNMPM procedure (sample with good comments is in CAW0OPTV dataset). That would be an easy change (not affecting OPS/MVS).

On Tue, Jul 21, 2020 at 2:28 AM John McKown wrote:

> This is a new requirement from the higher ups in our new owning company. We
> are still on z/OS 1.12, so I don't have any new fancy stuff. We use
> CA-OPS/MVS to trap "abend" messages from the CA-7 Browse log. We send these
> messages to a Solar Winds "Orion" SNMP server so that it can interface
> with CA Service Desk to automatically open Service Desk tickets. This is
> all on internal (Data Center) LAN. But it is "server to server" by the
> standards of our new masters and so it MUST be encrypted or we must stop
> doing it.
>
> I have been trying to read up on AT/TLS, but it is totally over my head. I
> don't really know anything about IP encryption. Our Windows people are also
> ignorant of IP encryption on z/OS (of course).
>
> --
> People in sleeping bags are the soft tacos of the bear world.
> Maranatha! <><
> John McKown
Re: Encrypting z/OS SNMP traps to Windows SNMP server
What about using SNMPv3? It is encrypted if you tell it to enable privacy.

On Mon, Jul 20, 2020, 19:42 Charles Mills wrote:

> Does SNMP flow by TCP or by UDP? UDP would be a wrinkle. TLS-UDP is not
> unheard of but not super common in my experience. Does AT-TLS support UDP?
>
> Charles
>
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of John McKown
> Sent: Monday, July 20, 2020 9:28 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Encrypting z/OS SNMP traps to Windows SNMP server
>
> This is a new requirement from the higher ups in our new owning company. We
> are still on z/OS 1.12, so I don't have any new fancy stuff. We use
> CA-OPS/MVS to trap "abend" messages from the CA-7 Browse log. We send these
> messages to a Solar Winds "Orion" SNMP server so that it can interface
> with CA Service Desk to automatically open Service Desk tickets. This is
> all on internal (Data Center) LAN. But it is "server to server" by the
> standards of our new masters and so it MUST be encrypted or we must stop
> doing it.
>
> I have been trying to read up on AT/TLS, but it is totally over my head. I
> don't really know anything about IP encryption. Our Windows people are also
> ignorant of IP encryption on z/OS (of course).
>
> --
> People in sleeping bags are the soft tacos of the bear world.
> Maranatha! <><
> John McKown
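
A check for the SNMPv3 privacy setting mentioned in the message above, as an added example that is not part of the original thread: it reads the version and msgFlags from a captured trap datagram (header layout per RFC 3412) to confirm the trap is sent authPriv rather than in clear. The sample datagrams are constructed and the function names are hypothetical.

```python
# Added example: classify an SNMP datagram by version and SNMPv3 security level.
# Header layout per RFC 3412; sample datagrams below are constructed, not captured.

def _tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def snmp_security_level(datagram):
    """Return 'v1', 'v2c', or the SNMPv3 level noAuthNoPriv/authNoPriv/authPriv."""
    tag, msg, _ = _tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("no outer SEQUENCE")
    tag, ver, pos = _tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = int.from_bytes(ver, "big")
    if version in (0, 1):                   # community string and PDU travel in clear
        return "v1" if version == 0 else "v2c"
    if version != 3:
        raise ValueError("unknown SNMP version %d" % version)
    tag, hdr, _ = _tlv(msg, pos)            # msgGlobalData
    if tag != 0x30:
        raise ValueError("missing msgGlobalData")
    p = 0
    for _ in range(2):                      # skip msgID and msgMaxSize
        _, _, p = _tlv(hdr, p)
    tag, flags, _ = _tlv(hdr, p)            # msgFlags: bit0 = auth, bit1 = priv
    if tag != 0x04 or len(flags) != 1:
        raise ValueError("bad msgFlags")
    auth, priv = flags[0] & 0x01, flags[0] & 0x02
    if priv and not auth:
        raise ValueError("invalid msgFlags: priv without auth")
    return "authPriv" if priv else "authNoPriv" if auth else "noAuthNoPriv"

SAMPLE_V2C = bytes.fromhex("300d0201010406" "7075626c6963" "a700")
SAMPLE_V3_AUTHPRIV = bytes.fromhex("3016020103" "300d020101020205c0040103020103" "0400" "0400")

if __name__ == "__main__":
    for name, pkt in (("v2c", SAMPLE_V2C), ("v3", SAMPLE_V3_AUTHPRIV)):
        print(name, "->", snmp_security_level(pkt))
```

Only authPriv means the trap payload is encrypted; authNoPriv is integrity-protected but still readable on the wire.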
Re: Encrypting z/OS SNMP traps to Windows SNMP server
Grant Taylor wrote:
>Why not use "transport" mode vs "tunnel" mode?

That should be fine.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: Encrypting z/OS SNMP traps to Windows SNMP server
On 7/21/20 12:19 AM, Timothy Sipples wrote:
> Another possible option is to configure an IKEv2/IPsec tunnel between
> z/OS and Microsoft Windows Server, then run your message traffic over
> the encrypted IPsec connection.

Why not use "transport" mode vs "tunnel" mode?

Wouldn't tunnel require more IPs and routing changes? Conversely transport would just encrypt the traffic via policy targeting, much like AT-TLS does.

--
Grant. . . .
unix || die
Re: Encrypting z/OS SNMP traps to Windows SNMP server
Another possible option is to configure an IKEv2/IPsec tunnel between z/OS and Microsoft Windows Server, then run your message traffic over the encrypted IPsec connection. For your colleagues, Microsoft documents some configuration procedures here ("Devices not joined to a domain"):

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2

I concur with the advice to upgrade z/OS 1.12 and the rest of the software stack to supported releases that are still receiving security and integrity updates.

- - - - - - - - - -
Timothy Sipples
I.T. Architect Executive
Digital Asset & Other Industry Solutions
IBM Z & LinuxONE
- - - - - - - - - -
E-Mail: sipp...@sg.ibm.com
Re: Encrypting z/OS SNMP traps to Windows SNMP server
Does SNMP flow by TCP or by UDP? UDP would be a wrinkle. TLS-UDP is not unheard of but not super common in my experience. Does AT-TLS support UDP?

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of John McKown
Sent: Monday, July 20, 2020 9:28 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Encrypting z/OS SNMP traps to Windows SNMP server

This is a new requirement from the higher ups in our new owning company. We are still on z/OS 1.12, so I don't have any new fancy stuff. We use CA-OPS/MVS to trap "abend" messages from the CA-7 Browse log. We send these messages to a Solar Winds "Orion" SNMP server so that it can interface with CA Service Desk to automatically open Service Desk tickets. This is all on internal (Data Center) LAN. But it is "server to server" by the standards of our new masters and so it MUST be encrypted or we must stop doing it.

I have been trying to read up on AT/TLS, but it is totally over my head. I don't really know anything about IP encryption. Our Windows people are also ignorant of IP encryption on z/OS (of course).

--
People in sleeping bags are the soft tacos of the bear world.
Maranatha! <><
John McKown
Re: Encrypting z/OS SNMP traps to Windows SNMP server
John, you forgot to say X-Posted! I answered on the TCP list but I suspect the main dialog will end up being here. Here X-Posted is what I wrote on the TCP list.

The whole point of AT-TLS is that it all just happens automagically (the z/OS end only). I'm not an expert on AT-TLS but to a great extent TLS is TLS. (I have also totally forgotten what was and was not in V1R12.)

They are going to have to pretty much drive the thing. They are going to have to set up Orion to be a TLS server. Possibly they have already done that for other clients? They will need to give you a CA certificate (either from a well-known CA such as DigiCert, or a home-grown CA, which may well be adequate) that you will then install in a keyring in RACF. They need to tell you their requirements.

Your higher-ups may have a problem in that the encryption that V1R12 supports is probably "inadequate" by current standards. (Whether that is a real problem or not is a different discussion, assuming it is not the NSA or the KGB that has an interest in your ABENDs. But it may be a problem for the pointy-heads.)

Hmmm. Did anyone think to mention that staying on V1R12 might be a security exposure? (Just zinging you. Sorry.)

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of John McKown
Sent: Monday, July 20, 2020 9:28 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Encrypting z/OS SNMP traps to Windows SNMP server

This is a new requirement from the higher ups in our new owning company. We are still on z/OS 1.12, so I don't have any new fancy stuff. We use CA-OPS/MVS to trap "abend" messages from the CA-7 Browse log. We send these messages to a Solar Winds "Orion" SNMP server so that it can interface with CA Service Desk to automatically open Service Desk tickets. This is all on internal (Data Center) LAN. But it is "server to server" by the standards of our new masters and so it MUST be encrypted or we must stop doing it.

I have been trying to read up on AT/TLS, but it is totally over my head. I don't really know anything about IP encryption. Our Windows people are also ignorant of IP encryption on z/OS (of course).

--
People in sleeping bags are the soft tacos of the bear world.
Maranatha! <><
John McKown
Encrypting z/OS SNMP traps to Windows SNMP server
This is a new requirement from the higher ups in our new owning company. We are still on z/OS 1.12, so I don't have any new fancy stuff. We use CA-OPS/MVS to trap "abend" messages from the CA-7 Browse log. We send these messages to a Solar Winds "Orion" SNMP server so that it can interface with CA Service Desk to automatically open Service Desk tickets. This is all on internal (Data Center) LAN. But it is "server to server" by the standards of our new masters and so it MUST be encrypted or we must stop doing it.

I have been trying to read up on AT/TLS, but it is totally over my head. I don't really know anything about IP encryption. Our Windows people are also ignorant of IP encryption on z/OS (of course).

--
People in sleeping bags are the soft tacos of the bear world.
Maranatha! <><
John McKown