Re: IWS Agent for z/OS - SSL Configuration

2022-07-22 Thread Colin Paice
I've done some work with AT-TLS.  There is a collection of blog posts on
AT-TLS here <https://colinpaice.blog/category/tcpip/at-tls/> (including
using z/OSMF and TCP configuration assistant).

Getting AT-TLS and PAGENT to work on z/OS – start here
<https://colinpaice.blog/2022/05/31/getting-at-tls-and-pagent-to-work-on-z-os-start-here/>.

Colin

On Fri, 22 Jul 2022 at 14:42, Gilson Cesar de Oliveira wrote:

> Hi Tim and Colin,
>
> Many thanks for your prompt help.
> I'll work with the team who owns the IWS in order to implement these
> configurations and test them before the roll-out.
>
> If it works I'll post the results here for the list.
>
> Regards,
>
> Gilson
>
> -----Original Message-----
> From: IBM Mainframe Discussion List  On Behalf Of Timothy Sipples
> Sent: Friday, 22 July 2022 01:59
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: IWS Agent for z/OS - SSL Configuration
>
> I think Colin has pointed you in the right direction.
>
> I wonder if (alternatively) you could configure IBM Z Workload Scheduler for
> HTTP (unencrypted) traffic but then use z/OS AT-TLS to provide the TLS 1.2+
> support with your desired cipher suites.
>
> — — — — —
> Timothy Sipples
> Senior Architect
> Digital Assets, Industry Solutions, and Cybersecurity
> IBM zSystems/LinuxONE, Asia-Pacific
> sipp...@sg.ibm.com
>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send email
> to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



Re: IWS Agent for z/OS - SSL Configuration

2022-07-22 Thread Gilson Cesar de Oliveira
Hi Tim and Colin,

Many thanks for your prompt help.
I'll work with the team who owns the IWS in order to implement these
configurations and test them before the roll-out.

If it works I'll post the results here for the list.

Regards,

Gilson

-----Original Message-----
From: IBM Mainframe Discussion List  On Behalf Of Timothy Sipples
Sent: Friday, 22 July 2022 01:59
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IWS Agent for z/OS - SSL Configuration

I think Colin has pointed you in the right direction.

I wonder if (alternatively) you could configure IBM Z Workload Scheduler for
HTTP (unencrypted) traffic but then use z/OS AT-TLS to provide the TLS 1.2+
support with your desired cipher suites.

— — — — —
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com




Re: IWS Agent for z/OS - SSL Configuration

2022-07-21 Thread Timothy Sipples
I think Colin has pointed you in the right direction.

I wonder if (alternatively) you could configure IBM Z Workload Scheduler for 
HTTP (unencrypted) traffic but then use z/OS AT-TLS to provide the TLS 1.2+ 
support with your desired cipher suites.

— — — — —
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
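
An AT-TLS Policy Agent fragment of the kind suggested above, as an added example that is not part of the original thread or of IBM's documentation. The port number, the key ring name and all statement labels are placeholders, and the two cipher suites are sample choices only.

```conf
# Added example, not from the thread: AT-TLS policy (Policy Agent configuration).
# Assumed placeholders: port 8443, key ring IWSRING, every label after a statement name.
# The application listens in clear text; AT-TLS terminates TLS in the TCP/IP stack.
TTLSRule                          IWSHttpInbound
{
  # Placeholder: the port the agent's HTTP listener is bound to.
  LocalPortRange                  8443
  Direction                       Inbound
  TTLSGroupActionRef              IWSGroup
  TTLSEnvironmentActionRef        IWSServerEnv
}
TTLSGroupAction                   IWSGroup
{
  TTLSEnabled                     On
}
TTLSEnvironmentAction             IWSServerEnv
{
  HandshakeRole                   Server
  TTLSKeyringParmsRef             IWSKeyring
  TTLSCipherParmsRef              IWSCiphers
  TTLSEnvironmentAdvancedParmsRef IWSTls12Only
}
TTLSEnvironmentAdvancedParms      IWSTls12Only
{
  # Only TLS 1.2 is left enabled; older protocol versions are refused.
  SSLv2                           Off
  SSLv3                           Off
  TLSv1                           Off
  TLSv1.1                         Off
  TLSv1.2                         On
}
TTLSCipherParms                   IWSCiphers
{
  # Sample choices only: list the suites the customer has approved,
  # in order of preference.
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
TTLSKeyringParms                  IWSKeyring
{
  # Placeholder SAF key ring holding the server certificate.
  Keyring                         IWSRING
}
```

The policy only takes effect when the TCP/IP stack has AT-TLS switched on (TCPCONFIG TTLS in the TCP/IP profile) and Policy Agent is running with this file loaded.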




Re: IWS Agent for z/OS - SSL Configuration

2022-07-21 Thread Colin Paice
My post Using z/OS LDAP with TLS 1.3
<https://colinpaice.blog/2021/11/03/using-z-os-ldap-with-tls-1-3/> may give
you a few clues.  It talks about removing cipher specs you do not want to
use.

Search for .GSK_V2_CIPHER_SPECS in the GSK doc (SC14-7495-50) below.

There is a list of cipher specs in Appendix C. Cipher suite definitions in
SC14-7495-50 (Cryptographic Services System Secure
Sockets Layer Programming)

Colin

On Thu, 21 Jul 2022 at 13:21, Gilson Cesar de Oliveira wrote:

> Hi Timothy,
>
> Many thanks for your help.
> In the second URL there is information about how to set up TLSV1.2
> but we also need to restrict the ciphers to the ones our customer would like
> to have enabled.
> I'm still looking for how to restrict the ciphers.
> If you have further information on how to do it, I would really
> appreciate that.
>
> Regards,
>
> Gilson
>
> -----Original Message-----
> From: IBM Mainframe Discussion List  On Behalf Of Timothy Sipples
> Sent: Thursday, 21 July 2022 02:15
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: IWS Agent for z/OS - SSL Configuration
>
> Gilson,
>
> Does the information here help?
>
> 1. https://www.ibm.com/docs/en/workload-automation/10.1.0?topic=ssae-enabling-fips-compliance-over-z-workload-scheduler-server-ssl-secured-connection
> 2. https://www.ibm.com/docs/en/workload-automation/10.1.0?topic=server-configuring-tls-connect-z-workload-scheduler#configTLS
>
> — — — — —
> Timothy Sipples
> Senior Architect
> Digital Assets, Industry Solutions, and Cybersecurity
> IBM zSystems/LinuxONE, Asia-Pacific
> sipp...@sg.ibm.com
>
>



Re: IWS Agent for z/OS - SSL Configuration

2022-07-21 Thread Gilson Cesar de Oliveira
Hi Timothy,

Many thanks for your help.
In the second URL there is information about how to set up TLSV1.2
but we also need to restrict the ciphers to the ones our customer would like
to have enabled.
I'm still looking for how to restrict the ciphers.
If you have further information on how to do it, I would really
appreciate that.

Regards,

Gilson

-----Original Message-----
From: IBM Mainframe Discussion List  On Behalf Of Timothy Sipples
Sent: Thursday, 21 July 2022 02:15
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: IWS Agent for z/OS - SSL Configuration

Gilson,

Does the information here help?

1. https://www.ibm.com/docs/en/workload-automation/10.1.0?topic=ssae-enabling-fips-compliance-over-z-workload-scheduler-server-ssl-secured-connection
2. https://www.ibm.com/docs/en/workload-automation/10.1.0?topic=server-configuring-tls-connect-z-workload-scheduler#configTLS

— — — — —
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com




Re: IWS Agent for z/OS - SSL Configuration

2022-07-20 Thread Timothy Sipples
Gilson,

Does the information here help?

1. https://www.ibm.com/docs/en/workload-automation/10.1.0?topic=ssae-enabling-fips-compliance-over-z-workload-scheduler-server-ssl-secured-connection
2. https://www.ibm.com/docs/en/workload-automation/10.1.0?topic=server-configuring-tls-connect-z-workload-scheduler#configTLS

— — — — —
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM zSystems/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com




IWS Agent for z/OS - SSL Configuration

2022-07-20 Thread Gilson Cesar de Oliveira
Hi everyone,

We are facing some issues regarding IWS Agent for z/OS where we have
to configure HTTPOPTS but for this option there is no way to restrict the
encryption protocol to TLSv1.2 only.

All they have available to configure are the following:

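>--+-------------------------------+-->
   |                 .-CAONLY-.    |
   '-SSLAUTHMODE--(--+-STRING-+--)-'

>--+-------------------------------------+-->
   |                   .-tws--------.    |
   '-SSLAUTHSTRING--(--+-SSL string-+--)-'

>--+----------------------------------------+-->
   '-SSLKEYRING--(SSL key ring db filename)-'

>--+--------------------------------------------+-->
   '-SSLKEYRINGPSW--(SSL key ring psw filename)-'

>--+-------------------------------+-->
   |                    .-SAF-.    |
   '-SSLKEYRINGTYPE--(--+-USS-+--)-'

>--+------------------------------------+-->
   |             .-512-------------.    |
   '-SSLPORT--(--+-SSL port number-+--)-'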

We have to fix all the issues related to the vulnerabilities but for this
service it looks like there is no solution available.

Would anyone who has already had problems with it suggest a way to do it?

Would Pagent be a viable alternative to implement?

Thanks in advance for any help.

Gilson   
