Re: VM TCP/IP Secure Telnet

2008-05-11 Thread Wayne Driscoll
That's just because if Alan falls asleep, Chuckie will take control of the
keyboard!

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Alan Altmark
Sent: Saturday, May 10, 2008 1:12 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VM TCP/IP Secure Telnet

On Friday, 05/09/2008 at 10:39 EDT, Adam Thornton 
<[EMAIL PROTECTED]> wrote:

> Take a look at how the secure option is done with SSLSERV.
> 
> I don't actually know that this will work with arbitrary programs (and
> a thorough reading of the manual may prove that it won't), but if
> you AUTOLOG SSLSERV and add SECURE CERTNAME to the end of the inetd-
> equivalent entry in PROFILE TCPIP (something like:
> 
> 992 TCP TUBES SECURE MYCERT NOAUTOLOG

It works with any arbitrary program where all connections are initiated by 
the client prior to sending any protocol data.

If you had a non-secure web server, simply:
   80   TCP MYWEB
  443   TCP MYWEB SECURE MYCERT

Et voila!  A secure web server.

And it is true that The Alan never sleeps.  He waits.  He watches.  He 
pounces.

Alan Altmark
z/VM Development
IBM Endicott


Re: VM TCP/IP Secure Telnet

2008-05-10 Thread Alan Altmark
On Friday, 05/09/2008 at 12:50 EDT, David Boyes <[EMAIL PROTECTED]> 
wrote:

> PVM also has the downside of not being easily licensable on IFLs at the
> moment. The VM guys might be about to do something about that, but at
> the moment, getting PVM for an IFL install is a lengthy and somewhat
> complicated process. It's also not cheap.

I can't comment on the difficulty; you're the one who experienced it! 
Generally, the first special bid (by any customer) takes the longest since 
SWG has to create the electronic gizmos that allow the order and to set a 
price and Ts&Cs.  After that, it's usually smooth sailing using an 
"off-the-shelf" price.  SOME people might run into problems getting it 
because their BP or IBMer doesn't know how to handle special bids, but 
that's a different problem!

As to the cost, do the math.  How long were you thinking of running the 
product?  How many years of monthly license fees does it cover?  After 
that, all you're paying is an annual maintenance fee.  If we stop service, 
you can stop paying, but you still get to keep using the software. (Unlike 
ICA.)

There is a significant downside to special bids, however:  They do not 
include the rights to free upgrades as you have with our IPLA software and 
often have limited use clauses.

Alan Altmark
z/VM Development
IBM Endicott


Re: VM TCP/IP Secure Telnet

2008-05-10 Thread Alan Altmark
On Friday, 05/09/2008 at 12:19 EDT, "Les Geer (607-429-3580)" 
<[EMAIL PROTECTED]> wrote:
 
> PVM (AKA VM/Pass-Through Facility) is a session manager product
> supporting multiple sessions on one terminal.  However, it does not
> support creation of telnet sessions so does not support SSL.

With z/VM 5.3's client-side support for SSL, anyone wanting to write a 
pair of Pascal programs or assembler modules can create a 
nearly-transparent proxy relay.  Most would find it easier to use an 
adjacent Linux guest on each system with ssh port forwarding.

Alan Altmark
z/VM Development
IBM Endicott


Re: VM TCP/IP Secure Telnet

2008-05-10 Thread Alan Altmark
On Friday, 05/09/2008 at 10:39 EDT, Adam Thornton 
<[EMAIL PROTECTED]> wrote:

> Take a look at how the secure option is done with SSLSERV.
> 
> I don't actually know that this will work with arbitrary programs (and
> a thorough reading of the manual may prove that it won't), but if
> you AUTOLOG SSLSERV and add SECURE CERTNAME to the end of the inetd-
> equivalent entry in PROFILE TCPIP (something like:
> 
> 992 TCP TUBES SECURE MYCERT NOAUTOLOG

It works with any arbitrary program where all connections are initiated by 
the client prior to sending any protocol data.

If you had a non-secure web server, simply:
   80   TCP MYWEB
  443   TCP MYWEB SECURE MYCERT

Et voila!  A secure web server.

And it is true that The Alan never sleeps.  He waits.  He watches.  He 
pounces.

Alan Altmark
z/VM Development
IBM Endicott


Re: VM TCP/IP Secure Telnet

2008-05-10 Thread Alan Altmark
On Friday, 05/09/2008 at 09:12 EDT, Tim Joyce <[EMAIL PROTECTED]> wrote:
> I think the problem is, TUBES really is taking control of port 23. One
> of the procedures to setup TUBES telnet, is to take (comment) out the
> PORT 23 statement from PROFILE TCPIP. So, there is no way of letting
> TCPIP know that port 23 is a SECURE port. I think the fact that Macro4
> says secure telnet IS NOT supported, indicates secure telnet will not
> work.

(sigh)  There are TWO kinds of secure telnet servers:
1. The SSL tunnel is established BEFORE any telnet traffic begins ("static 
SSL")
2. The SSL tunnel is established AFTER telnet protocol negotiation has 
started, but before any user data is transferred ("dynamic SSL")

If your TN3270 client supports static SSL, then it should work with TUBES, 
as TUBES would be unaware that the SSL session is in effect.

Your PROFILE would show
  23 TCP  TUBESVM  SECURE 

Alan Altmark
z/VM Development
IBM Endicott


Re: VM TCP/IP Secure Telnet

2008-05-09 Thread David Boyes
> I have used it and it works fine, as with a lot of IBM's stuff the setup
> is a little complicated, but maybe no worse than anyone else's.
> 
> What I don't know is if it works with SSL..

PVM doesn't have any direct IP terminal interface (you have to do the
DIAL PVM hack in the telnet server exit), but if that's OK, it certainly
tolerates SSL wrapped sessions just fine. It doesn't work anything like
TUBES, though, and you'd have to redo all your macros. The IBM product
that used to be "TUBES-like" was Netview/Access Services, but I don't
think that's still available (it also required CMS VSAM, which isn't
supported or available any longer). 

PVM also has the downside of not being easily licensable on IFLs at the
moment. The VM guys might be about to do something about that, but at
the moment, getting PVM for an IFL install is a lengthy and somewhat
complicated process. It's also not cheap. 


Re: VM TCP/IP Secure Telnet

2008-05-09 Thread David Boyes
> I think the problem is, TUBES really is taking control of port 23. One
> of the procedures to setup TUBES telnet, is to take (comment) out the
> PORT 23 statement from PROFILE TCPIP. So, there is no way of letting
> TCPIP know that port 23 is a SECURE port. I think the fact that Macro4
> says secure telnet IS NOT supported, indicates secure telnet will not
> work.

That's odd. Since port 23 is less than 1024 (ie, in the "privileged"
range), you should have to list the virtual machine that is authorized
to use the port in PROFILE TCPIP. The place you do that is in the PORT
statement, which is exactly where you'd put the SECURE item. Unless
they're putting the TUBES virtual machine in the OBEYFILE list (ewww)? 

The trivial test would be to put in a PORT statement for the TUBES
virtual machine on port 23 with the SECURE option and see if it works.
Eg, something like: 

23 TUBES SECURE xx

I'd bet it will work. I can see them making the statement that it
wouldn't be supported for outgoing sessions, but I can't see how the
application binding the socket on incoming ever would know. If you have
a test stack and a test TUBES machine, it'd be worth trying it. 

> Macro 4 indicated it does not plan to add support for secure telnet in
> the future! Whatever happened to supporting the customer anyway! If
> TUBES cannot grow with the needs of the customer, I think we will
> eventually need to move away from TUBES.

Sounds more like "we don't want to test it and then have to document
it". 


Re: VM TCP/IP Secure Telnet

2008-05-09 Thread Les Geer (607-429-3580)
>I have used it and it works fine, as with a lot of IBM's stuff the setup
>is a little complicated, but maybe no worse than anyone else's.
>
>What I don't know is if it works with SSL..
>
>
>>I have heard of the VM pass-through facility, but not familiar with how
>>it works. I will investigate further. Is anyone using pass-through as a
>>session manager?
>>
>>>I don't know one way or the other, but what about IBM's PVM?


PVM (AKA VM/Pass-Through Facility) is a session manager product
supporting multiple sessions on one terminal.  However, it does not
support creation of telnet sessions so does not support SSL.

Best Regards,
Les Geer
IBM z/VM and Linux Development


Re: VM TCP/IP Secure Telnet

2008-05-09 Thread Adam Thornton

On May 9, 2008, at 8:16 AM, Huegel, Thomas wrote:


I think the problem is, TUBES really is taking control of port 23. One
of the procedures to setup TUBES telnet, is to take (comment) out the
PORT 23 statement from PROFILE TCPIP. So, there is no way of letting
TCPIP know that port 23 is a SECURE port. I think the fact that Macro4
says secure telnet IS NOT supported, indicates secure telnet will not
work.


Well...maybe, maybe not.

Take a look at how the secure option is done with SSLSERV.

I don't actually know that this will work with arbitrary programs (and  
a thorough reading of the manual may prove that it won't), but if
you AUTOLOG SSLSERV and add SECURE CERTNAME to the end of the inetd-
equivalent entry in PROFILE TCPIP (something like:

  992 TCP TUBES SECURE MYCERT NOAUTOLOG

)

Then you *might* end up with a secure TUBES.

It'd be worth a 5-minute try, anyway.

Or, now that I've brought it up, we can just wait 15 minutes, and  
Alan, who never sleeps, will say, "No, that doesn't work, sorry."


Adam


Re: VM TCP/IP Secure Telnet

2008-05-09 Thread Huegel, Thomas
I have used it and it works fine, as with a lot of IBM's stuff the setup is a 
little complicated, but maybe no worse than anyone else's.

What I don't know is if it works with SSL.. 



-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED]
Behalf Of Tim Joyce
Sent: Friday, May 09, 2008 8:22 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VM TCP/IP Secure Telnet


I have heard of the VM pass-through facility, but not familiar with how
it works. I will investigate further. Is anyone using pass-through as a
session manager?

Tim

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Huegel, Thomas
Sent: Friday, May 09, 2008 9:17 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VM TCP/IP Secure Telnet

I don't know one way or the other, but what about IBM's PVM?

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED]
Behalf Of Tim Joyce
Sent: Friday, May 09, 2008 8:13 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VM TCP/IP Secure Telnet


I think the problem is, TUBES really is taking control of port 23. One
of the procedures to setup TUBES telnet, is to take (comment) out the
PORT 23 statement from PROFILE TCPIP. So, there is no way of letting
TCPIP know that port 23 is a SECURE port. I think the fact that Macro4
says secure telnet IS NOT supported, indicates secure telnet will not
work.

I think we have figured out a way around this. We have a limited number
of users required to be PCI compliant, so we are planning to have them
secure telnet directly to the VSE machine (using CSI TCPIP for VSE
secure telnet) and then cross domain to VM TUBES. Not exactly ideal, but
the goal is to keep the users in familiar territory. They are used to
TUBES! There are many scripts set up in TUBES that automatically signon
CMS and CICS and take end users directly to applications etc...  

Macro 4 indicated it does not plan to add support for secure telnet in
the future! Whatever happened to supporting the customer anyway! If
TUBES cannot grow with the needs of the customer, I think we will
eventually need to move away from TUBES.

Thanks for the responses,

Tim 

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of David Boyes
Sent: Thursday, May 08, 2008 6:58 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VM TCP/IP Secure Telnet

> Well I got my SSLSERV up and started to update my PROFILE TCPIP to add a
> secure port to test with, then I remembered our session manager (Macro 4
> - TUBES) intercepts port 23 for telnet and uses the port for TUBES. 

They may not support it in TUBES, but the stack is doing all the work
anyway, so I suspect it won't matter. SSLSERV operates before any
application that uses the stack gets the data, the TCP app (ie, TUBES in
this case) never knows that the SSL encryption happened -- it just sees
normal TCP packet traffic post-encryption/decryption. That was the
appeal of doing implicit SSL -- no application changes are necessary,
and the application doesn't even know it is happening. 

Since most users now have programmable workstations rather than dumb
terminals, most people just drop the session manager altogether and just
open multiple windows on the workstation. There are good and bad
arguments, but free vs whatever nonzero cost for a session manager is
pretty hard to argue with. 

Keep in mind the limited number of SSL sessions that SSLSERV (even with
the current patches) can support will affect this decision, so keeping
Tubes might be a good idea in that it will let you limit the number of
incoming TCP sessions that need encryption. 


Re: VM TCP/IP Secure Telnet

2008-05-09 Thread Tim Joyce
I have heard of the VM pass-through facility, but not familiar with how
it works. I will investigate further. Is anyone using pass-through as a
session manager?

Tim

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Huegel, Thomas
Sent: Friday, May 09, 2008 9:17 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VM TCP/IP Secure Telnet

I don't know one way or the other, but what about IBM's PVM?

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED]
Behalf Of Tim Joyce
Sent: Friday, May 09, 2008 8:13 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VM TCP/IP Secure Telnet


I think the problem is, TUBES really is taking control of port 23. One
of the procedures to setup TUBES telnet, is to take (comment) out the
PORT 23 statement from PROFILE TCPIP. So, there is no way of letting
TCPIP know that port 23 is a SECURE port. I think the fact that Macro4
says secure telnet IS NOT supported, indicates secure telnet will not
work.

I think we have figured out a way around this. We have a limited number
of users required to be PCI compliant, so we are planning to have them
secure telnet directly to the VSE machine (using CSI TCPIP for VSE
secure telnet) and then cross domain to VM TUBES. Not exactly ideal, but
the goal is to keep the users in familiar territory. They are used to
TUBES! There are many scripts set up in TUBES that automatically signon
CMS and CICS and take end users directly to applications etc...  

Macro 4 indicated it does not plan to add support for secure telnet in
the future! Whatever happened to supporting the customer anyway! If
TUBES cannot grow with the needs of the customer, I think we will
eventually need to move away from TUBES.

Thanks for the responses,

Tim 

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of David Boyes
Sent: Thursday, May 08, 2008 6:58 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VM TCP/IP Secure Telnet

> Well I got my SSLSERV up and started to update my PROFILE TCPIP to add a
> secure port to test with, then I remembered our session manager (Macro 4
> - TUBES) intercepts port 23 for telnet and uses the port for TUBES. 

They may not support it in TUBES, but the stack is doing all the work
anyway, so I suspect it won't matter. SSLSERV operates before any
application that uses the stack gets the data, the TCP app (ie, TUBES in
this case) never knows that the SSL encryption happened -- it just sees
normal TCP packet traffic post-encryption/decryption. That was the
appeal of doing implicit SSL -- no application changes are necessary,
and the application doesn't even know it is happening. 

Since most users now have programmable workstations rather than dumb
terminals, most people just drop the session manager altogether and just
open multiple windows on the workstation. There are good and bad
arguments, but free vs whatever nonzero cost for a session manager is
pretty hard to argue with. 

Keep in mind the limited number of SSL sessions that SSLSERV (even with
the current patches) can support will affect this decision, so keeping
Tubes might be a good idea in that it will let you limit the number of
incoming TCP sessions that need encryption. 


Re: VM TCP/IP Secure Telnet

2008-05-09 Thread Huegel, Thomas
I don't know one way or the other, but what about IBM's PVM?

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED]
Behalf Of Tim Joyce
Sent: Friday, May 09, 2008 8:13 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VM TCP/IP Secure Telnet


I think the problem is, TUBES really is taking control of port 23. One
of the procedures to setup TUBES telnet, is to take (comment) out the
PORT 23 statement from PROFILE TCPIP. So, there is no way of letting
TCPIP know that port 23 is a SECURE port. I think the fact that Macro4
says secure telnet IS NOT supported, indicates secure telnet will not
work.

I think we have figured out a way around this. We have a limited number
of users required to be PCI compliant, so we are planning to have them
secure telnet directly to the VSE machine (using CSI TCPIP for VSE
secure telnet) and then cross domain to VM TUBES. Not exactly ideal, but
the goal is to keep the users in familiar territory. They are used to
TUBES! There are many scripts set up in TUBES that automatically signon
CMS and CICS and take end users directly to applications etc...  

Macro 4 indicated it does not plan to add support for secure telnet in
the future! Whatever happened to supporting the customer anyway! If
TUBES cannot grow with the needs of the customer, I think we will
eventually need to move away from TUBES.

Thanks for the responses,

Tim 

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of David Boyes
Sent: Thursday, May 08, 2008 6:58 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VM TCP/IP Secure Telnet

> Well I got my SSLSERV up and started to update my PROFILE TCPIP to add a
> secure port to test with, then I remembered our session manager (Macro 4
> - TUBES) intercepts port 23 for telnet and uses the port for TUBES. 

They may not support it in TUBES, but the stack is doing all the work
anyway, so I suspect it won't matter. SSLSERV operates before any
application that uses the stack gets the data, the TCP app (ie, TUBES in
this case) never knows that the SSL encryption happened -- it just sees
normal TCP packet traffic post-encryption/decryption. That was the
appeal of doing implicit SSL -- no application changes are necessary,
and the application doesn't even know it is happening. 

Since most users now have programmable workstations rather than dumb
terminals, most people just drop the session manager altogether and just
open multiple windows on the workstation. There are good and bad
arguments, but free vs whatever nonzero cost for a session manager is
pretty hard to argue with. 

Keep in mind the limited number of SSL sessions that SSLSERV (even with
the current patches) can support will affect this decision, so keeping
Tubes might be a good idea in that it will let you limit the number of
incoming TCP sessions that need encryption. 


Re: VM TCP/IP Secure Telnet

2008-05-09 Thread Tim Joyce
I think the problem is, TUBES really is taking control of port 23. One
of the procedures to setup TUBES telnet, is to take (comment) out the
PORT 23 statement from PROFILE TCPIP. So, there is no way of letting
TCPIP know that port 23 is a SECURE port. I think the fact that Macro4
says secure telnet IS NOT supported, indicates secure telnet will not
work.

I think we have figured out a way around this. We have a limited number
of users required to be PCI compliant, so we are planning to have them
secure telnet directly to the VSE machine (using CSI TCPIP for VSE
secure telnet) and then cross domain to VM TUBES. Not exactly ideal, but
the goal is to keep the users in familiar territory. They are used to
TUBES! There are many scripts set up in TUBES that automatically signon
CMS and CICS and take end users directly to applications etc...  

Macro 4 indicated it does not plan to add support for secure telnet in
the future! Whatever happened to supporting the customer anyway! If
TUBES cannot grow with the needs of the customer, I think we will
eventually need to move away from TUBES.

Thanks for the responses,

Tim 

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of David Boyes
Sent: Thursday, May 08, 2008 6:58 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VM TCP/IP Secure Telnet

> Well I got my SSLSERV up and started to update my PROFILE TCPIP to add a
> secure port to test with, then I remembered our session manager (Macro 4
> - TUBES) intercepts port 23 for telnet and uses the port for TUBES. 

They may not support it in TUBES, but the stack is doing all the work
anyway, so I suspect it won't matter. SSLSERV operates before any
application that uses the stack gets the data, the TCP app (ie, TUBES in
this case) never knows that the SSL encryption happened -- it just sees
normal TCP packet traffic post-encryption/decryption. That was the
appeal of doing implicit SSL -- no application changes are necessary,
and the application doesn't even know it is happening. 

Since most users now have programmable workstations rather than dumb
terminals, most people just drop the session manager altogether and just
open multiple windows on the workstation. There are good and bad
arguments, but free vs whatever nonzero cost for a session manager is
pretty hard to argue with. 

Keep in mind the limited number of SSL sessions that SSLSERV (even with
the current patches) can support will affect this decision, so keeping
Tubes might be a good idea in that it will let you limit the number of
incoming TCP sessions that need encryption. 


Re: VM TCP/IP Secure Telnet

2008-05-08 Thread David Boyes
> Well I got my SSLSERV up and started to update my PROFILE TCPIP to add a
> secure port to test with, then I remembered our session manager (Macro 4
> - TUBES) intercepts port 23 for telnet and uses the port for TUBES. 

They may not support it in TUBES, but the stack is doing all the work
anyway, so I suspect it won't matter. SSLSERV operates before any
application that uses the stack gets the data, the TCP app (ie, TUBES in
this case) never knows that the SSL encryption happened -- it just sees
normal TCP packet traffic post-encryption/decryption. That was the
appeal of doing implicit SSL -- no application changes are necessary,
and the application doesn't even know it is happening. 

Since most users now have programmable workstations rather than dumb
terminals, most people just drop the session manager altogether and just
open multiple windows on the workstation. There are good and bad
arguments, but free vs whatever nonzero cost for a session manager is
pretty hard to argue with. 

Keep in mind the limited number of SSL sessions that SSLSERV (even with
the current patches) can support will affect this decision, so keeping
Tubes might be a good idea in that it will let you limit the number of
incoming TCP sessions that need encryption. 


Re: VM TCP/IP Secure Telnet

2008-05-08 Thread Ed Zell
> Hey Ed,
>
> I am using TUBES 4.500E . There is a TUBES setting:
>
> TCP YES 
>   STN3270 23   
>
> This has TUBES intercept port 23 from VM TCPIP so if you
> telnet to your VM TCPIP stack port 23 you get a TUBES menu!
>
> Tim


Cool Tim, thanks for the info.  I am not on TUBES 4.x, so that
is not available for me.  But I guess I am accomplishing the 
same thing anyway, since the only way out of the TN3270 exit
is to DIAL into TUBES  (if the DIAL fails, I do NOT give them
a VM Logo).

Ed Zell
Illinois Mutual Life
(309) 636-0107
.


CONFIDENTIALITY: This e-mail (including any attachments) may contain 
confidential, proprietary and privileged information, and unauthorized 
disclosure or use is prohibited.  If you receive this e-mail in error, notify 
the sender and delete this e-mail from your system.


Re: VM TCP/IP Secure Telnet

2008-05-08 Thread Tim Joyce
Looks good .. Thanks Dave!

Tim

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Dave Jones
Sent: Thursday, May 08, 2008 2:14 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VM TCP/IP Secure Telnet

Hi, Tim.

Take a look at these two products.

1) Session (Arty Ecock)
(http://ukcc.uky.edu/%7Etools/1998/session.vmarc)
2) YVETTE (Chip Coy)
(http://www.vm.ibm.com/download/packages/yvette.vmarc)

They're both free, and I believe will provide session management
functions similar to TUBES, and support SSL.

Good luck.

Tim Joyce wrote:
> Hey Guys,
> 
> Well I got my SSLSERV up and started to update my PROFILE TCPIP to add
> a secure port to test with, then I remembered our session manager 
> (Macro 4 - TUBES) intercepts port 23 for telnet and uses the port for
> TUBES. I 
> found out that TUBES DOES NOT support, nor plan to support, secure 
> telnet. This got me wondering what other shops are using for session 
> managers? Are most users just using their telnet clients to manage 
> sessions? Is there something out there that can replace my TUBES 
> product that works with VM TCP/IP?
> 
> Thanks, Tim
> 
> 
> Tim Joyce
> Sr. Systems Programmer / Project Leader Alex Lee, Inc.
> Email : [EMAIL PROTECTED]
> Phone: (828) 725-4448
> Fax: (828) 725-4800

--
DJ

V/Soft
   z/VM and mainframe Linux expertise, training,
   consulting, and software development
www.vsoft-software.com


Re: VM TCP/IP Secure Telnet

2008-05-08 Thread Tim Joyce
Hey Ed,

I am using TUBES 4.500E . There is a TUBES setting:

TCP YES 
   STN3270 23   
 
This has TUBES intercept port 23 from VM TCPIP so if you telnet to your
VM TCPIP stack port 23 you get a TUBES menu!

Tim

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Ed Zell
Sent: Thursday, May 08, 2008 2:13 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VM TCP/IP Secure Telnet

> Well I got my SSLSERV up and started to update my PROFILE TCPIP to add
> a secure port to test with, then I remembered our session manager 
> (Macro 4 - TUBES) intercepts port 23 for telnet and uses the port for 
> TUBES. I found out that TUBES DOES NOT support, nor plan to support, 
> secure telnet.

Tim,

  What release of TUBES are you on?  I am on a pretty old version,
  but it does nothing at all with IP stuff.  I TN3270 into the
  VM stack, and then have the exit do a DIAL TUBES for me.  This
  works great.  I am not using SSL however, but I could if I wanted
  to using this setup.

Ed Zell
Illinois Mutual Life
(309) 636-0107
.




Re: VM TCP/IP Secure Telnet

2008-05-08 Thread Dave Jones

Hi, Tim.

Take a look at these two products.

1) Session (Arty Ecock) (http://ukcc.uky.edu/%7Etools/1998/session.vmarc)
2) YVETTE (Chip Coy) (http://www.vm.ibm.com/download/packages/yvette.vmarc)

They're both free, and I believe will provide session management 
functions similar to TUBES, and support SSL.


Good luck.

Tim Joyce wrote:

Hey Guys,

Well I got my SSLSERV up and started to update my PROFILE TCPIP to add a
secure port to test with, then I remembered our session manager (Macro 4
- TUBES) intercepts port 23 for telnet and uses the port for TUBES. I
found out that TUBES DOES NOT support, nor plan to support, secure
telnet. This got me wondering what other shops are using for session
managers? Are most users just using their telnet clients to manage
sessions? Is there something out there that can replace my TUBES product
that works with VM TCP/IP?

Thanks, Tim


Tim Joyce
Sr. Systems Programmer / Project Leader 
Alex Lee, Inc. 
Email : [EMAIL PROTECTED] 
Phone: (828) 725-4448  
Fax: (828) 725-4800


--
DJ

V/Soft
  z/VM and mainframe Linux expertise, training,
  consulting, and software development
www.vsoft-software.com


Re: VM TCP/IP Secure Telnet

2008-05-08 Thread Ed Zell
> Well I got my SSLSERV up and started to update my PROFILE TCPIP
> to add a secure port to test with, then I remembered our session
> manager (Macro 4 - TUBES) intercepts port 23 for telnet and uses
> the port for TUBES. I found out that TUBES DOES NOT support, nor
> plan to support, secure telnet. 

Tim,

  What release of TUBES are you on?  I am on a pretty old version,
  but it does nothing at all with IP stuff.  I TN3270 into the
  VM stack, and then have the exit do a DIAL TUBES for me.  This
  works great.  I am not using SSL however, but I could if I wanted
  to using this setup.

Ed Zell
Illinois Mutual Life
(309) 636-0107
.




Re: VM TCP/IP Secure Telnet

2008-05-08 Thread Tim Joyce
Hey Guys,

Well I got my SSLSERV up and started to update my PROFILE TCPIP to add a
secure port to test with, then I remembered our session manager (Macro 4
- TUBES) intercepts port 23 for telnet and uses the port for TUBES. I
found out that TUBES DOES NOT support, nor plan to support, secure
telnet. This got me wondering what other shops are using for session
managers? Are most users just using their telnet clients to manage
sessions? Is there something out there that can replace my TUBES product
that works with VM TCP/IP?

Thanks, Tim


Tim Joyce
Sr. Systems Programmer / Project Leader 
Alex Lee, Inc. 
Email : [EMAIL PROTECTED] 
Phone: (828) 725-4448  
Fax: (828) 725-4800


Re: VM TCP/IP Secure Telnet

2008-05-06 Thread Mrohs, Ray
Alan,

Is there a way to turn off SSLv2 compatibility via parms or some other
setting? On our companion z/OS systems, it is turned off by default with
an option to switch it on. Thanks.


Ray Mrohs
   

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Alan Altmark
Sent: Tuesday, May 06, 2008 11:07 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VM TCP/IP Secure Telnet

On Tuesday, 05/06/2008 at 08:27 EDT, "Mrohs, Ray" <[EMAIL PROTECTED]> 
wrote:
> If your site runs port scans against your z/VM 5.2 SSLSERV, you might
> get notes from the network people saying you are running an old 2.0
> version of SSL.

LOL.  Actually, you're running a new SSLv3/TLSv1 server that accepts SSLv2 
for compatibility.

Alan Altmark
z/VM Development
IBM Endicott


Re: VM TCP/IP Secure Telnet

2008-05-06 Thread Alan Altmark
On Tuesday, 05/06/2008 at 08:27 EDT, "Mrohs, Ray" <[EMAIL PROTECTED]> 
wrote:
> If your site runs port scans against your z/VM 5.2 SSLSERV, you might
> get notes from the network people saying you are running an old 2.0
> version of SSL.

LOL.  Actually, you're running a new SSLv3/TLSv1 server that accepts SSLv2 
for compatibility.

Alan Altmark
z/VM Development
IBM Endicott


Re: VM TCP/IP Secure Telnet

2008-05-06 Thread Mrohs, Ray
If your site runs port scans against your z/VM 5.2 SSLSERV, you might
get notes from the network people saying you are running an old 2.0
version of SSL.


Ray Mrohs
 

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Alan Altmark
Sent: Tuesday, May 06, 2008 4:26 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VM TCP/IP Secure Telnet

On Monday, 05/05/2008 at 10:35 EDT, Tim Joyce <[EMAIL PROTECTED]>
wrote:

> Am I to infer from this that Secure telnet is not available with our
> current 5.2 release level? Is anyone using secure telnet out there that
> can point me in the right direction?

In z/VM 5.2 you can use SSL with FTP and TN3270, or any other protocol, 
provided your client supports the model of "Establish the SSL tunnel
first 
and the flow the protocol over it" (a la https).  We call that "static"
or 
"transparent" SSL.

In z/VM 5.3 you do those same things, but you can also use clients that 
negotiate the use of SSL over the traditionally unsecured port.
Further, 
you can add SMTP and client-side (CMS) FTP and TELNET command support to

the list.

IBM Personal Communications 5.9 is an example of a TN3270 client that 
supports both kinds of secure telnet.

Alan Altmark
z/VM Development
IBM Endicott


Re: VM TCP/IP Secure Telnet

2008-05-06 Thread Alan Altmark
On Monday, 05/05/2008 at 10:35 EDT, Tim Joyce <[EMAIL PROTECTED]> wrote:

> Am I  to infer from  this that Secure telnet is not available with our 
> current 5.2 release level? Is  anyone using secure telnet out there that can 
> point me in the right  direction?

In z/VM 5.2 you can use SSL with FTP and TN3270, or any other protocol, 
provided your client supports the model of "Establish the SSL tunnel first 
and then flow the protocol over it" (a la https).  We call that "static" or 
"transparent" SSL.

In z/VM 5.3 you do those same things, but you can also use clients that 
negotiate the use of SSL over the traditionally unsecured port.  Further, 
you can add SMTP and client-side (CMS) FTP and TELNET command support to 
the list.

IBM Personal Communications 5.9 is an example of a TN3270 client that 
supports both kinds of secure telnet.

Alan Altmark
z/VM Development
IBM Endicott
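
The two connection models described in the message above (SSL tunnel first, versus SSL negotiated on the traditionally unsecured port) and the SSLv2-compatibility point from the 05/06 exchange with Ray Mrohs can both be seen in the first bytes a client sends. The following is an added example, not part of the thread and not IBM code; the function names and sample byte strings are constructed for illustration.

```python
# Added example: classify the first bytes a client sends to a listener.
# All names and sample byte strings below are constructed for illustration.
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def classify_first_bytes(data: bytes):
    """Return (framing, highest_version_offered) for a connection's opening bytes."""
    if len(data) < 2:
        return ("incomplete", None)
    # Telnet option negotiation: IAC (0xFF) then WILL/WONT/DO/DONT (0xFB-0xFE).
    # Seen first on a port where SSL, if any, is negotiated in-protocol.
    if data[0] == 0xFF and 0xFB <= data[1] <= 0xFE:
        return ("telnet-plaintext", None)
    # SSLv3/TLS record: type 0x16, record version, 2-byte length, then
    # handshake type 0x01 (ClientHello), 3-byte length, client_version.
    if data[0] == 0x16 and data[1] == 0x03:
        if len(data) < 11:
            return ("incomplete", None)
        if data[5] != 0x01:
            return ("unknown", None)
        return ("tls-record", VERSIONS.get((data[9], data[10]), "unknown"))
    # SSLv2 framing: 2-byte header with the high bit set, message type 0x01,
    # then the highest protocol version the client is willing to speak.
    if data[0] & 0x80:
        if len(data) < 5:
            return ("incomplete", None)
        if data[2] != 0x01:
            return ("unknown", None)
        return ("sslv2-framed", VERSIONS.get((data[3], data[4]), "unknown"))
    return ("unknown", None)

def sslv2_dependency(data: bytes) -> str:
    """Would this client break if the server stopped speaking SSLv2 itself?"""
    framing, version = classify_first_bytes(data)
    if framing != "sslv2-framed":
        return "none"
    return "requires-sslv2" if version == "SSLv2" else "compat-hello-only"

# Constructed samples (cipher lists shortened, random/challenge zeroed).
SSLV2_ONLY = bytes.fromhex("801c0100020003000000100700c0") + bytes(16)
COMPAT_HELLO = bytes.fromhex("801c01030100030000001000002f") + bytes(16)
TLS_HELLO = (bytes.fromhex("160301002d010000290301") + bytes(32)
             + bytes.fromhex("000002002f0100"))
TELNET_REPLY = bytes.fromhex("fffb18")  # IAC WILL TERMINAL-TYPE

if __name__ == "__main__":
    for name in ("SSLV2_ONLY", "COMPAT_HELLO", "TLS_HELLO", "TELNET_REPLY"):
        sample = globals()[name]
        print(name, classify_first_bytes(sample), sslv2_dependency(sample))
```

Run over the opening bytes of real client connections, the count of `requires-sslv2` results shows how many clients would be affected by turning SSLv2 off.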


Re: VM TCP/IP Secure Telnet

2008-05-05 Thread Adam Thornton

On May 5, 2008, at 2:56 PM, Tim Joyce wrote:


> Ah, I will look into 1.5 then ... Thanks!


Actually, 1.2 is the latest 1.x release currently available.

There will probably eventually be a 1.3 release, but the updates are  
minor; if you're not going to have more than 120 simultaneous users  
connected via SSL-wrapped sockets, 1.2 should be adequate for you.


Adam


Re: VM TCP/IP Secure Telnet

2008-05-05 Thread Tim Joyce
Ah, I will look into 1.5 then ... Thanks!

Tim 

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of David Boyes
Sent: Monday, May 05, 2008 3:51 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VM TCP/IP Secure Telnet

> I saw this link on your previous email, but it looked as if it would
> only work with z/VM 5.3 ! We are still 5.2 . We plan to migrate sometime
> this year, but not before I need to start on this secure telnet project.

Version 2.0 requires 5.3. Version 1.5 will work with 5.2 down to 3.1. 


Re: VM TCP/IP Secure Telnet

2008-05-05 Thread David Boyes
> I saw this link on your previous email, but it looked as if it would
> only work with z/VM 5.3 ! We are still 5.2 . We plan to migrate sometime
> this year, but not before I need to start on this secure telnet project.

Version 2.0 requires 5.3. Version 1.5 will work with 5.2 down to 3.1. 


Re: VM TCP/IP Secure Telnet

2008-05-05 Thread Tim Joyce
Hey Dave,

I saw this link on your previous email, but it looked as if it would
only work with z/VM 5.3 ! We are still 5.2 . We plan to migrate sometime
this year, but not before I need to start on this secure telnet project.

Thanks, Tim 

-Original Message-
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Dave Jones
Sent: Monday, May 05, 2008 3:45 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VM TCP/IP Secure Telnet

Oh, an easy one:-)

Go grab the SNA VMSSL enabler tool. It will save you a lot of headaches,
imho. Look on: www.sinenomine.net for more details on how to get it,
etc.

Tim Joyce wrote:
> Thanks for the responses! 
>  
> I understand that I will need a Linux guest for VMSSL. As this will be
> my first attempt at installing Linux, any recommendations on 
> documentation and the best place to start with Linux, would be greatly
> appreciated.
>  
> Thanks, Tim
> 
> 
> 
> From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] 
> On Behalf Of David Boyes
> Sent: Monday, May 05, 2008 3:16 PM
> To: IBMVM@LISTSERV.UARK.EDU
> Subject: Re: VM TCP/IP Secure Telnet
> 
> 
> 
> You have server support for SSL-wrapped telnet, via a Linux guest. The
> telnet client on VM doesn't gain that support until 5.3. The option 
> you reference is just what you want the 5.3 client to default - secure
> or plaintext telnet. You still need the Linux guest, etc.
> 
>  
> 
> 

--
DJ

V/Soft
   z/VM and mainframe Linux expertise, training,
   consulting, and software development
www.vsoft-software.com


Re: VM TCP/IP Secure Telnet

2008-05-05 Thread Dave Jones

Oh, an easy one:-)

Go grab the SNA VMSSL enabler tool. It will save you a lot of headaches, 
imho. Look on: www.sinenomine.net for more details on how to get it, etc.


Tim Joyce wrote:
> Thanks for the responses! 
>  
> I understand that I will need a Linux guest for VMSSL. As this will be
> my first attempt at installing Linux, any recommendations on
> documentation and the best place to start with Linux, would be greatly
> appreciated. 
>  
> Thanks, Tim
> 
> From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
> Behalf Of David Boyes
> Sent: Monday, May 05, 2008 3:16 PM
> To: IBMVM@LISTSERV.UARK.EDU
> Subject: Re: VM TCP/IP Secure Telnet
> 
> You have server support for SSL-wrapped telnet, via a Linux guest. The
> telnet client on VM doesn't gain that support until 5.3. The option you
> reference is just what you want the 5.3 client to default - secure or
> plaintext telnet. You still need the Linux guest, etc. 

--
DJ

V/Soft
  z/VM and mainframe Linux expertise, training,
  consulting, and software development
www.vsoft-software.com


Re: VM TCP/IP Secure Telnet

2008-05-05 Thread Tim Joyce
Thanks for the responses! 
 
I understand that I will need a Linux guest for VMSSL. As this will be
my first attempt at installing Linux, any recommendations on
documentation and the best place to start with Linux, would be greatly
appreciated. 
 
Thanks, Tim



From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of David Boyes
Sent: Monday, May 05, 2008 3:16 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: VM TCP/IP Secure Telnet



You have server support for SSL-wrapped telnet, via a Linux guest. The
telnet client on VM doesn't gain that support until 5.3. The option you
reference is just what you want the 5.3 client to default - secure or
plaintext telnet. You still need the Linux guest, etc. 

 



Re: VM TCP/IP Secure Telnet

2008-05-05 Thread David Boyes
You have server support for SSL-wrapped telnet, via a Linux guest. The
telnet client on VM doesn't gain that support until 5.3. The option you
reference is just what you want the 5.3 client to default - secure or
plaintext telnet. You still need the Linux guest, etc. 

 



Re: VM TCP/IP Secure Telnet

2008-05-05 Thread Adam Thornton

On May 5, 2008, at 9:54 AM, Dave Jones wrote:


> Hi, Tim.
>
> I think what you are looking for is the VMSSL server. It can secure  
> Telnet (TN3270) sessions to your z/VM system quite nicely, and it is  
> supported on your release of VM. You can read more about it in  
> Chapter 22 of the TCP/IP Planning and Customization Guide.
>
> It is somewhat of a pain to set up, as it requires you to go get and  
> install a Linux distribution. The folks at Sine Nomine Assc. have  
> created a nice VMSSL server enabler tool that speeds up the install  
> process. You might want to take a look at that here:
>
> http://www.sinenomine.net/


To modify what Dave Jones said a little:

CLIENT versions of SSL-wrapped apps (that is, SSL-wrapped tn3270 and  
FTP) are not available until z/VM 5.3.


tn3270 wrapped in SSL works fine with the SSLSERV enabler all the way  
back to z/VM 3.1 with the telnet *server* on z/VM.


FTP is also possible, sorta, in 3.1-5.2, but basically you can only do  
implicit SSL and you can only protect the authentication stream, not  
the data channel.  The nice thing is: there's a product out there,  
Glub Tech's Secure FTP wrapper, that's quite cheap ($250 for a single  
IP address, unlimited connections), that allows you to do secure FTP  
to *it* and will then do cleartext FTP out the back end, which is nice  
if you want to set up a Linux guest and a private network to z/VM  
behind that guest.  That way, all the cleartext traffic on the wire is  
actually taking place in z/VM's memory and isn't on any externally- 
sniffable network at all.


If you *do* have a secure last-hop network for z/VM, you can put the  
FTP wrapper on that network on an Intel Linux box and not have to burn  
your expensive zSeries cycles doing crypto, too.  It all depends on  
what your requirements are.


Adam


Re: VM TCP/IP Secure Telnet

2008-05-05 Thread Dave Jones

Hi, Tim.

I think what you are looking for is the VMSSL server. It can secure 
Telnet (TN3270) sessions to your z/VM system quite nicely, and it is 
supported on your release of VM. You can read more about it in Chapter 
22 of the TCP/IP Planning and Customization Guide.


It is somewhat of a pain to set up, as it requires you to go get and 
install a Linux distribution. The folks at Sine Nomine Assc. have 
created a nice VMSSL server enabler tool that speeds up the install 
process. You might want to take a look at that here:


http://www.sinenomine.net/

Have a good one.
Tim Joyce wrote:

> Hey Guys,
>  
> We are looking into using secure telnet on our z/VM 5.2 TCP/IP stack.
> When looking over info on the VM site, I found the following :
>  
> Changes Introduced in TCP/IP Level 530 
>  
> A new statement, SECURETELNETCLIENT, may now be specified in the TCPIP
> DATA file. This statement provides the default Telnet client security
> value to use when neither the SECURE nor NOSECURE option is specified on
> the Telnet command. 
>  
> Am I  to infer from this that Secure telnet is not available with our
> current 5.2 release level? Is anyone using secure telnet out there that
> can point me in the right direction?
>  
> Thanks, Tim
> 
> Tim Joyce
> Sr. Systems Programmer / Project Leader 
> Alex Lee, Inc. 
> Email : [EMAIL PROTECTED]   
> Phone: (828) 725-4448  
> Fax: (828) 725-4800

--
DJ

V/Soft
  z/VM and mainframe Linux expertise, training,
  consulting, and software development
www.vsoft-software.com