Re: SSLSERV question

2009-02-17 Thread Huegel, Thomas
Not a red book, but a place to start if you haven't seen it yet is 'Getting 
Started With Linux on System Z' SC24-6096

-Original Message-
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu]on Behalf 
Of clifford jackson
Sent: Tuesday, February 17, 2009 12:36 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: SSLSERV question


I am in the process of building an SSLSERV virtual machine under z/VM 5.3 SLU
801, using SLES 9 SP3. One question: is there a Redbook for this process?




Re: SSLSERV question

2009-02-17 Thread Alan Altmark
On Tuesday, 02/17/2009 at 01:41 EST, clifford jackson 
cliffordjackson...@msn.com wrote:
> I am in the process of building an SSLSERV virtual machine under z/VM 5.3 SLU
> 801, using SLES 9 SP3. One question: is there a Redbook for this process?

No.  We tried to make the instructions in the TCP/IP Planning & Admin book
as easy to follow as we could.  (There is a paper floating around
Somewhere out there written by some IBMers, but I wouldn't use it.)

Alan Altmark
z/VM Development
IBM Endicott


Re: SSLSERV question

2009-02-17 Thread Adam Thornton


On Feb 17, 2009, at 4:21 PM, Alan Altmark wrote:

> On Tuesday, 02/17/2009 at 01:41 EST, clifford jackson
> cliffordjackson...@msn.com wrote:
>
>> I am in the process of building an SSLSERV virtual machine under z/VM 5.3 SLU
>> 801, using SLES 9 SP3. One question: is there a Redbook for this process?
>
> No.  We tried to make the instructions in the TCP/IP Planning & Admin book
> as easy to follow as we could.  (There is a paper floating around
> Somewhere out there written by some IBMers, but I wouldn't use it.)

Or you (meaning Clifford, not Alan) could save yourself the pain, and
go to http://www.sinenomine.net/products/vm/sslenabler and follow the
instructions thereon.


Adam




Re: SSLSERV question

2009-02-17 Thread Robert J Brenneman
Here's a writeup I put together when I had to do it:

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/e0z1p161/26.1.1?SHELF=DT=20080627173833CASE=

Watch for wrap on that URL.

-- 
Jay Brenneman


Re; SSLSERV and TN3270

2009-01-22 Thread Sontowski, Edgar (LBV)
Hello James,

a small hint from my site on using SSLSERV with z/VM 5.4:

Dynamic SSL (TLS) does not run with SECURECONNECTION ALLOWED at this
point in time. We have a PMR open.

The circumvention is SECURECONNECTION PREFERRED or SECURECONNECTION
REQUIRED.

Best regards
Eddi Sontowski


Re: Re; SSLSERV and TN3270

2009-01-22 Thread Marci Beach
This problem does not happen with all clients so it depends on what client 
one is using.
 
  Marci Beach








Re: SSLSERV and TN3270

2009-01-21 Thread Steve Bireley
Hi Sterling,

Based on the trace, SSL is set properly in Bluezone for Implicit SSL. That 
means that BlueZone will attempt to set up the SSL connection first, then, 
negotiate the TN3270 session.  This is the only mode supported in BlueZone 
prior to version 5.1. In version 5.1 Explicit SSL/TLS (Start-TLS) is supported 
allowing SSL to be negotiated on port 23.

While testing the SSL connection, select the Ask to Ignore invalid 
certificates so you don't get stuck on a certificate trust issue.  After you 
can successfully connect with SSL, then you can install a copy of the server 
certificate so the client trusts the host.

Feel free to PM me if you have any questions.

Steve Bireley
SVP Product Development
BlueZone Software
BlueZone Secure FTP is Free
www.bluezonesoftware.com




Re: SSLSERV and TN3270

2009-01-20 Thread Sterling James
Mark Pace mpac...@gmail.com wrote:
> I don't know anything about the BlueZone client.
> For x3270 on linux you simply add the -L switch when starting an x3270
> session.  However the x3270 has to have been compiled with SSL support.

I do have v3.3.8p2 compiled with SSL support. I am trying to set up the
dynamic connection (TELNET START-TLS) vs. the static (SSL tunnel). The
unknowns are how to deal with the certificates.

From http://x3270.bgp.nu/x3270-man.html

Prepending an L: onto hostname causes x3270 to first create an SSL tunnel 
to the host, and then create a TN3270 session inside the tunnel. (This 
function is supported only if x3270 was built with SSL/TLS support). Note 
that TLS-encrypted sessions using the TELNET START-TLS option are 
negotiated with the host automatically; for these sessions the L: prefix 
should not be used. 


Thanks



Re: SSLSERV and TN3270

2009-01-20 Thread Sterling James
Raymond Noal raymond.n...@hds.com wrote:
> BlueZone does support SSL connections - you have a choice for SSL V3
> from the Security Tab in the Session Configuration => TN3270
> Configuration panels.

Thanks Ray,
I have the configuration set for SSL v3 (actually TLS v1, but same
results), and the Certificate tab set to No Client Certificate.
On VM, I did create, for testing, a self-signed CA root certificate and
imported it into my Windows certificate store. When I try to create a
session, I receive the following in the BlueZone trace:

Time: 10:59:18.290  Event: SSL Status
SSL_connect() : SSLv3 write client hello A
Time: 10:59:18.390  Event: SSL Data From Server
  FF FB                   '..      '
Time: 10:59:18.390  Event: SSL Data To Server
  15 FD 28 00 02 02 28    '..(...( '
Time: 10:59:18.390  Event: SSL Status
SSL3 alert write:fatal:handshake failure
Time: 10:59:22.526  Event: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Time: 10:59:22.526  Event: Socket Connection Closed by BlueZone
Time: 10:59:22.526  Event: Unable to establish connection with host.
The SSL handshake failed.

Thanks


Re: SSLSERV and TN3270

2009-01-20 Thread Alan Altmark
On Tuesday, 01/20/2009 at 11:46 EST, Sterling James
ssja...@dstsystems.com wrote:

> I do have v3.3.8p2 compiled with SSL support. I am trying to set up the
> dynamic connection (TELNET START-TLS) vs. the static (SSL tunnel). The
> unknowns are how to deal with the certificates.
>
> From http://x3270.bgp.nu/x3270-man.html
>
> Prepending an L: onto hostname causes x3270 to first create an SSL tunnel
> to the host, and then create a TN3270 session inside the tunnel. (This
> function is supported only if x3270 was built with SSL/TLS support). Note
> that TLS-encrypted sessions using the TELNET START-TLS option are
> negotiated with the host automatically; for these sessions the L: prefix
> should not be used.

If you specify L: then you have to use the SECURE label option on the PORT
statement entry.  If you do not specify the L:, then you DO NOT use the
SECURE option on PORT, but add the SecureConnection and TLSlabel options
to the InternalClientParms statement.  Note that you cannot mix the two on
the same port.  If you need both, then use:

InternalClientParms
   Port 23
   Port 
   SecureConnection REQUIRED
   TLSlabel label
EndInternalClientParms

Port
   23 TCP INTCLIEN
  TCP INTCLIEN SECURE label

This allows the L: option to be used with port , while the default 
port (23) requires that START-TLS be used.  This configuration restricts 
telnet login to only those telnet clients that support SSL/TLS.  The 
persons that use L: will have to also be given the port number . (It's 
just easier to require that the emulator support the START-TLS option.) 
The telnet server is smart enough to know not to try to negotiate security 
with a client if it is using a port that is defined as SECURE.

The label must be a 1-8 character label that was given when the 
certificate was requested or imported into the database.  Feel free to use 
the same label in both places.

Alan Altmark
z/VM Development
IBM Endicott


Re: SSLSERV and TN3270

2009-01-20 Thread Alan Altmark
On Tuesday, 01/20/2009 at 12:12 EST, Sterling James
ssja...@dstsystems.com wrote:
> Raymond Noal raymond.n...@hds.com wrote:
>> BlueZone does support SSL connections - you have a choice for SSL V3
>> from the Security Tab in the Session Configuration => TN3270
>> Configuration panels.
> Thanks Ray,
> I have the configuration set for SSL v3 (actually TLS v1, but same
> results), and the Certificate tab set to No Client Certificate.
> On VM, I did create, for testing, a self-signed CA root certificate and
> imported it into my Windows certificate store. When I try to create a
> session, I receive the following in the BlueZone trace:
>
> Time: 10:59:18.290  Event: SSL Status
> SSL_connect() : SSLv3 write client hello A
> Time: 10:59:18.390  Event: SSL Data From Server
>   FF FB                   '..      '
> Time: 10:59:18.390  Event: SSL Data To Server
>   15 FD 28 00 02 02 28    '..(...( '
> Time: 10:59:18.390  Event: SSL Status
> SSL3 alert write:fatal:handshake failure
> Time: 10:59:22.526  Event: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Time: 10:59:22.526  Event: Socket Connection Closed by BlueZone
> Time: 10:59:22.526  Event: Unable to establish connection with host.
>
> The SSL handshake failed.

Your target port is not protected by SSL.  That FF FB that came back is 
the start of a telnet negotiation sequence, not an SSL handshake response. 


Alan Altmark
z/VM Development
IBM Endicott


Re: SSLSERV and TN3270

2009-01-16 Thread Mark Pace
I don't know anything about the BlueZone client.
For x3270 on linux you simply add the -L switch when starting an x3270
session.  However the x3270 has to have been compiled with SSL support.

On Fri, Jan 16, 2009 at 12:27 PM, Sterling James ssja...@dstsystems.com wrote:

> Hello,
>
> I'm trying to get TN3270 sessions to use SSL/TLS-protected communications.
> I have the static SSL connections (PERFSVM web) working. I am trying to
> get Windows' BlueZone client to attach to VM54 with SSL (then x3270 on Linux
> would be next). If someone has accomplished this and would be kind enough
> to share some information about what they did, it would be appreciated.
> (After TN3270, FTP would be the next attempt)
> TIA





-- 
Mark Pace
Mainline Information Systems
1700 Summit Lake Drive
Tallahassee, FL. 32317


Re: SSLSERV and TN3270

2009-01-16 Thread Raymond Noal
James,
 
BlueZone does support SSL connections - you have a choice for SSL V3
from the Security Tab in the Session Configuration => TN3270
Configuration panels.
 
HITACHI
 DATA SYSTEMS 
Raymond E. Noal 
Senior Technical Engineer 
Office: (408) 970 - 7978 
 




Re: SSLSERV and TN3270

2009-01-16 Thread Steve Bireley

> Hello,
>
> I'm trying to get TN3270 sessions to use SSL/TLS-protected communications. I
> have the static SSL connections (PERFSVM web) working. I am trying to get
> Windows' BlueZone client to attach to VM54 with SSL (then x3270 on Linux would
> be next). If someone has accomplished this and would be kind enough to share
> some information about what they did, it would be appreciated. (After TN3270,
> FTP would be the next attempt)
> TIA


Hi Sterling,

Ray provided the correct information regarding the SSL/TLS configuration of 
BlueZone. If you still have problems, feel free to call or write me.

Best Regards,

Steve Bireley
SVP BlueZone Software
www.bluezonesoftware.com
sbire...@bluezonesoftware.com
404-364-1731



Re: SSLSERV

2008-11-18 Thread Thomas Kern
One SSLSERV per stack, but you can have multiple stacks each with their
own IP address. When I get maintenance for TCPIP, it goes on a TCPTEST
server with its own SSLTEST server, different IP address but I can get
to the same system.

/Tom Kern

Suleiman Shahin wrote:
 Greetings,
 
 In the light of the restriction of 128  concurrent secured sessions on
 a system, can one (I) utilise more than one SSL server, and what
 mechanism can be used to have one server or the other service the
 connection?
 
 Thanks.
 
 Suleiman Shahin
 
 
 


Re: SSLSERV

2008-11-18 Thread Suleiman Shahin

Now I see light -:) Thanks.

Suleiman Shahin






Re: SSLSERV

2008-11-18 Thread Suleiman Shahin

More light coming -:) Thanks so much.

Suleiman Shahin





> Date: Tue, 18 Nov 2008 13:53:44 -0500
> From: [EMAIL PROTECTED]
> Subject: Re: SSLSERV
> To: IBMVM@LISTSERV.UARK.EDU
>
> One per TCPIP stack. You need to use some kind of connection distribution
> outside the VM stack to manage distributing connections to multiple stacks (eg,
> LVS or an outboard load balancer with connection persistence capabilities).

Re: SSLSERV

2008-11-18 Thread Huegel, Thomas
Has anyone seen specs for the new CMS-based SSL that will be available next
month for 5.4 (maybe earlier releases too)?
Will it support more than 128 connections?



Re: SSLSERV

2008-11-18 Thread Alan Altmark
On Tuesday, 11/18/2008 at 02:51 EST, Huegel, Thomas [EMAIL PROTECTED]
wrote:
> Has anyone seen specs for the new CMS-based SSL that will be available
> next month for 5.4 (maybe earlier releases too)?
> Will it support more than 128 connections?

Yes.  :-)

Alan Altmark
z/VM Development
IBM Endicott


Re: SSLSERV

2008-11-18 Thread Schuh, Richard
Yes, you have seen the specs or Yes, it will support more than 128
connections? 

Regards, 
Richard Schuh 

 



Re: SSLSERV

2008-11-18 Thread Alan Altmark
On Tuesday, 11/18/2008 at 03:06 EST, Schuh, Richard [EMAIL PROTECTED]
wrote:
> Yes, you have seen the specs or Yes, it will support more than 128
> connections?

Yes, I have seen the specs.  Yes, it will support more than 128 
connections.

Alan Altmark
z/VM Development
IBM Endicott


Re: SSLSERV

2007-07-25 Thread Suleiman Shahin

I wish to second Tom, and publicly thank their David for his great help.


Suleiman Shahin







> From: Huegel, Thomas [EMAIL PROTECTED]
> To: IBMVM@LISTSERV.UARK.EDU
> Subject: SSLSERV
> Date: Wed, 25 Jul 2007 09:22:59 -0500
>
> I just wanted to publicly thank Sine Nomine Associates for providing a
> free download LINUX/SSL SERVER. After messing with IBM - SUSE for a week
> with no positive results I downloaded the SNA code and was up and running in
> about 4 hrs. (including lunch).
>
> Again thanks for helping us non-LINUX sysprogs.
>
> Tom


Re: SSLSERV question

2007-07-23 Thread dave
Hi, Thomas.

Can you tell us what 3270 emulator product you're using? Is
it giving you any particular error or status messages
(perhaps in a hard to see status bar at the edge of the
window?). It took me several tries, but I finally managed to
get IBM's PCOMM 3270 emulator to successfully connect with a
secure VM site via the SSLSERV.

DJ 
- Original Message Follows -
From: Huegel, Thomas [EMAIL PROTECTED]
To: IBMVM@LISTSERV.UARK.EDU
Subject: SSLSERV question
Date: Mon, 23 Jul 2007 17:42:28 -0500

> Now I have this SSLSERV / LINUX machine running. I can do
> SSLADMIN commands. I have port 992 TCP SECURE TESTING.
> TESTING is a valid X509 certificate.
> My emulator is set to SSL enabled and accept self-signed
> certificates. But I can't connect..
>
> Anyone have a clue as to what I might be missing?
>
> Thanks
 


Re: SSLSERV question

2007-07-23 Thread Hans Rempel
I had trouble with Hummingbird until I received the SSL feature. Which 3270
product are you using?

 


hans 

 



Re: SSLSERV question

2007-07-23 Thread Alan Altmark
On Monday, 07/23/2007 at 06:42 EDT, Huegel, Thomas [EMAIL PROTECTED]
wrote:
> Now I have this SSLSERV / LINUX machine running. I can do SSLADMIN
> commands.
> I have port 992 TCP SECURE TESTING.
> TESTING is a valid X509 certificate.
> My emulator is set to SSL enabled and accept self-signed certificates.
> But I can't connect..
>
> Anyone have a clue as to what I might be missing?

Since you're specifying SECURE on the PORT statement, that means that your 
emulator must be capable of establishing an SSL connection with the host 
BEFORE it tries to send any data.  (Negotiated SSL is available only in 
z/VM 5.3.)

One other thing:  Did you add port 992 to the list of telnet ports in the 
InternalClientParms?

Alan Altmark
z/VM Development
IBM Endicott
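The distinction Alan draws here (a SECURE port expects the emulator to start TLS before sending any data) is the same one that runs through the January 2009 thread above: PORT ... SECURE for implicit-TLS clients such as x3270 with the L: prefix or BlueZone "Implicit SSL", versus SecureConnection/TLSlabel in InternalClientParms for clients that negotiate the TELNET START-TLS option, and the FF FB bytes BlueZone received where it expected a ServerHello. As an added example, not code from the list, from IBM or from BlueZone, here is a small Python diagnostic that classifies what a TN3270 port speaks first and checks it against the mode the emulator was configured for, decoding the telnet negotiation and the TLS alert along the way. The byte strings are constructed for the example; the START-TLS option details (Telnet option 46, suboption FOLLOWS) follow my reading of the Telnet START_TLS draft, and no host from the thread was probed.

```python
from __future__ import annotations

# Telnet command bytes (RFC 854) and a few option codes.  START-TLS is Telnet
# option 46, suboption FOLLOWS = 1 (assumption: per the Telnet START_TLS draft).
IAC, SE, SB, WILL, WONT, DO, DONT = 0xFF, 0xF0, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE
TELNET_CMD = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
OPT_START_TLS, START_TLS_FOLLOWS = 0x2E, 0x01
TELNET_OPT = {0x00: "BINARY", 0x18: "TERMINAL-TYPE", 0x19: "EOR",
              0x28: "TN3270E", OPT_START_TLS: "START-TLS"}

# TLS record content types and alert codes (RFC 5246, Section 7.2).
TLS_ALERT, TLS_HANDSHAKE = 0x15, 0x16
ALERT_DESC = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
              46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version"}


def classify_first_bytes(data: bytes) -> str:
    """'telnet': IAC negotiation, a plaintext port (START-TLS may be offered);
    'silent': nothing yet, as a SECURE port behaves until a ClientHello arrives;
    'tls': a TLS record (only ever seen after the client sent a ClientHello)."""
    if not data:
        return "silent"
    if data[0] == IAC:
        return "telnet"
    if len(data) >= 3 and data[0] in (TLS_HANDSHAKE, TLS_ALERT) and data[1] == 0x03:
        return "tls"
    return "unknown"


def decode_telnet(data: bytes) -> list[str]:
    """Render IAC WILL/WONT/DO/DONT <option> and IAC SB ... IAC SE sequences."""
    out, i = [], 0
    while i < len(data):
        if data[i] != IAC or i + 1 >= len(data):
            out.append(f"data 0x{data[i]:02X}")
            i += 1
            continue
        cmd = data[i + 1]
        if cmd in TELNET_CMD and i + 2 < len(data):
            opt = TELNET_OPT.get(data[i + 2], "option %d" % data[i + 2])
            out.append(f"IAC {TELNET_CMD[cmd]} {opt}")
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                out.append("IAC SB (unterminated)")
                break
            opt = TELNET_OPT.get(data[i + 2], "option %d" % data[i + 2]) if i + 2 < end else "?"
            out.append(f"IAC SB {opt} {data[i + 3:end].hex(' ') or '(empty)'} IAC SE")
            i = end + 2
        else:
            out.append(f"IAC 0x{cmd:02X}")
            i += 2
    return out


def offers_start_tls(data: bytes) -> bool:
    """True if the host's opening negotiation asks the client to start TLS."""
    return "IAC DO START-TLS" in decode_telnet(data)


def start_tls_negotiation() -> list[tuple[str, bytes]]:
    """Exchange on the plaintext port before the client sends its ClientHello."""
    follows = bytes([IAC, SB, OPT_START_TLS, START_TLS_FOLLOWS, IAC, SE])
    return [("server", bytes([IAC, DO, OPT_START_TLS])),    # host: start TLS?
            ("client", bytes([IAC, WILL, OPT_START_TLS])),  # client: yes
            ("client", follows), ("server", follows)]       # both: TLS follows


def decode_tls_alert(record: bytes) -> tuple[str, str] | None:
    """Decode a TLS alert record, e.g. the client's fatal handshake_failure."""
    if len(record) < 7 or record[0] != TLS_ALERT or record[3:5] != b"\x00\x02":
        return None
    level = {1: "warning", 2: "fatal"}.get(record[5], f"level {record[5]}")
    return level, ALERT_DESC.get(record[6], f"alert {record[6]}")


def diagnose(server_first_bytes: bytes, client_mode: str) -> str:
    """client_mode is 'implicit' (x3270 L: prefix, BlueZone Implicit SSL: TLS
    first) or 'starttls' (plain telnet, then negotiate the START-TLS option)."""
    kind = classify_first_bytes(server_first_bytes)
    if kind == "telnet" and client_mode == "implicit":
        return "mismatch: host opened with telnet, not a SECURE port; ClientHello went into plaintext"
    if kind == "silent" and client_mode == "starttls":
        return "mismatch: host is silent like a SECURE port; a START-TLS client waits forever here"
    if kind == "telnet" and client_mode == "starttls" and not offers_start_tls(server_first_bytes):
        return "mismatch: plaintext telnet with no START-TLS offer (SecureConnection not set for this port?)"
    if kind == "unknown":
        return "undetermined: first bytes are neither IAC nor a TLS record"
    return f"ok: {kind} host, {client_mode} client"


if __name__ == "__main__":
    # Constructed inputs: the 2009 trace began with FF FB; a START-TLS host opens with IAC DO 0x2E.
    print(diagnose(bytes.fromhex("fffb"), "implicit"))
    print(diagnose(bytes.fromhex("fffd2efffd18"), "starttls"))
    print(decode_tls_alert(bytes.fromhex("15030100020228")))
```

To use this against a live host, connect to the port, read with a short timeout, and pass whatever arrived (possibly nothing) to diagnose(); the "silent" case is the normal behaviour of a PORT ... SECURE entry, which is why a client set for START-TLS appears to hang there, and the "telnet" case with an implicit-TLS client is exactly the handshake failure BlueZone reported.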


Re: SSLSERV

2007-04-11 Thread Mark Cibula
Hello,

In case this problem has not yet been resolved:

13:32:22  * MSG FROM TCPIP2  : Restarting you because you have no passive
open on TCP port 

check that the correct TCPIP DATA file is being referenced by the SSL
server, and that the TCPIPUSERID statement in that file cites the correct
TCP/IP stack ID (TCPIP2).  I suspect you've configured the TCPIP2 stack for
using the SSL server, but that the TCPIPUSERID statement in effect is
directing the SSL server to connect to a different stack (likely, 'TCPIP').

Regards,
Mark Cibula (IBM z/VM Systems Management)



Re: SSLSERV

2007-04-03 Thread Adam Thornton

On Apr 3, 2007, at 12:39 PM, Dusha, Cecelia CIV WHS/ITMD wrote:

> Am testing Sine Nomine's debian Linux SSLSERV appliance.
>
> The SSLSERV machine keeps getting the following:
> sslserv login:
>
> 13:32:22  * MSG FROM TCPIP2  : Restarting you because you have no passive
> open on TCP port 
>
> DTCSSL201E  algorithm.rror--GSKKM error 24.
> Ready(1);
>
> Any ideas?

Let's see the relevant bits from PROFILE TCPIP.  Do the other
ssladmin commands work OK?


Adam


Re: SSLSERV

2007-04-03 Thread Adam Thornton


On Apr 3, 2007, at 12:39 PM, Dusha, Cecelia CIV WHS/ITMD wrote:

> Also when I attempt to save some CA certificates, I receive the
> following message:
> ssladmin store D3R2 CA D3R2
> DTCSSL201E  algorithm.rror--GSKKM error 24.
> Ready(1);
>
> Any ideas?

From what I can determine, GSKKM error 24 (decimal) is
GSKKM_ERR_DATABASE_DUPLICATE_KEY_SIGNATURE

Maybe the key is already stored?

Adam

Re: SSLSERV

2007-04-03 Thread Hans Rempel
I had a similar problem storing my certificates. The vendor that supplies
them also needs to send you a root certificate, if that makes sense.

Hans 

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Dusha, Cecelia CIV WHS/ITMD
Sent: April 3, 2007 1:40 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: SSLSERV

Am testing Sine Nomine's debian Linux SSLSERV appliance.

The SSLSERV machine keeps getting the following:
sslserv login:

13:32:22  * MSG FROM TCPIP2  : Restarting you because you have no passive
open on TCP port 


Please advise.

Also when I attempt to save some CA certificates, I receive the following
message:
ssladmin store D3R2 CA D3R2
DTCSSL201E  algorithm.rror--GSKKM error 24.
Ready(1);

Any ideas?

Thanks.

Cecelia


Re: SSLSERV

2007-03-26 Thread David Boyes
> Is there documentation that discusses this package from the security
> perspective?  The benefits of having it in place are obvious.  What I
> require is documentation that says no one can modify the configuration
> because it has not been assigned an IP address or something of that
> nature.

As far as I know, no one has conducted a formal evaluation of the SSL
Enabler appliance system yet, and I don't remember any explicit
commentary in the IBM security reviews on SSLSERV (but my memory is not
what it used to be, I'm afraid).

There is commentary in the IBM TCPIP documentation (in the planning and
administration guide) on SSLSERV and how it operates, and the
installation README file inside the RPM describes at what point the IP
stack in the Linux guest is rendered non-functional. After that point,
it's pretty tough to change *anything* in that guest without access to
the virtual machine console (which would be covered by your VM security
package) and even then, you'd have to be comfortable with line-mode
editing tools at an unusually capable level. The number of people with
Unix experience on real TTYs is not growing...8-)

I suspect that to get a formal security confirmation from IBM you would
need to move to a SuSE or RH based SSLSERV, as that's what they've
evaluated.
I'd be happy to work with IBM to get that confirmation for the SSL
Enabler appliance, if there's interest. 

I think there would be a lot of value to cooperatively developing things
like this with IBM if the prohibition of IBM being a Linux distributor
continues. I know I have a wish list of changes I'd make to the SSLSERV
code if I could tweak that OCO module's contents. If either RH or Novell
are interested in working on appliances like this with us, please
contact us offline. I suspect there is a good opportunity here to gain
mindshare for a distributor (with proper credit, of course). 

-- db


Re: SSLSERV

2007-03-26 Thread Alan Altmark
On Monday, 03/26/2007 at 10:53 AST, David Boyes [EMAIL PROTECTED] 
wrote:
> As far as I know, no one has conducted a formal evaluation of the SSL
> Enabler appliance system yet, and I don't remember any explicit
> commentary in the IBM security reviews on SSLSERV (but my memory is not
> what it used to be, I'm afraid).

IBM makes no claims about what the SNA SSL Enabler appliance does or does 
not do.

> There is commentary in the IBM TCPIP documentation (in the planning and
> administration guide) on SSLSERV and how it operates, and the
> installation README file inside the RPM describes at what point the IP
> stack in the Linux guest is rendered non-functional. After that point,
> it's pretty tough to change *anything* in that guest without access to
> the virtual machine console (which would be covered by your VM security
> package) and even then, you'd have to be comfortable with line-mode
> editing tools at an unusually capable level. The number of people with
> Unix experience on real TTYs is not growing...8-)

When installed in the IBM-supported environments according to IBM
documentation, four layers of protection are provided:
1. The SSL server's native AF_INET IP stack and device drivers are 
rendered inoperative.
2. The only service that is running is the SSL administrative interface.
3. The SSL admin interface binds to the loopback address to limit 
connections to local VM TCP/IP apps.
4. It uses assists in the VM TCP/IP stack to ensure that only users in the 
VM TCP/IP obey list can connect to the administrative interface.

With all four layers of protection in place, I feel that the SSL server is 
[more than?] reasonably protected from unauthorized tampering.

Naturally, if you give someone access to the SSLSERVE virtual machine 
itself, none of those protections amount to a hill of beans.  But, using 
one of my freshly-printed Get Out of Jail Free cards, I declare that as 
Authorized Tampering.

Alan Altmark
z/VM Development
IBM Endicott


Re: SSLSERV

2006-04-09 Thread Alan Altmark
On Friday, 04/07/2006 at 01:59 AST, Jim Bohnsack [EMAIL PROTECTED]
wrote:
> I have not opened a problem with IBM, but I suspect that we could be
> seeing something either in the IBM SSLSERV code or the IUCV path.

As you know, Jim, we don't support the SSL server on anything other than 
SUSE and RedHat.  Did you try the same test (pound on PA2) *without* SSL?

Alan Altmark
z/VM Development
IBM Endicott


Re: SSLSERV

2006-04-09 Thread Jim Bohnsack
Yes, and I cannot get it to fail with the same emulator without SSL.  I'm 
trying as many different combinations (or is it permutations) as I 
can.  The one that I can't as easily try is to bring up SSLSERV with either 
SUSE or RedHat.  That's why I'm hoping that someone with SSLSERV and one of 
those two distributions can try it and see if  they can or cannot lock up 
the emulator.


Jim



Jim Bohnsack
Cornell Univ.
(607) 255-1760


Re: SSLSERV

2006-04-07 Thread Wakser, David
Jim:

I cannot help with your problem, but I can tell you an end-user
story.

The user called that nothing could be input into the terminal, and
that it was beeping constantly. The user was fairly high on the corporate
ladder, so I ran down there. I found a dictionary resting on the right part
of the keyboard, pushing the ENTER key there!

David Wakser


Actually, an end user wouldn't likely be doing that, but with endusers, you
never know.