Re: SSL Server on z/VM 5.4 RSU 802
It definitely does get confusing. I was hoping RSU 0901 would be out and include the CMS SSL code before I undertook the SSL task. No such luck. Still, I think it is an improvement over the LINUX approach, especially for non-LINUX shops.

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Tyler Koyl
Sent: Tuesday, March 10, 2009 6:31 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SSL Server on z/VM 5.4 RSU 802
Re: SSL Server on z/VM 5.4 RSU 802 - Static SSL vs Dynamic SSL\TLS
My next question is whether I should be going with Static SSL or Dynamic SSL/TLS connections?

I have set up the Static SSL for Telnet by adding the following to my TCPIP Profile:

    AUTOLOG
      SSLSERV 0
      FTPSERVE 0
    ENDAUTOLOG

    PORT
      20 TCP FTPSERVE NOAUTOLOG ; FTP SERVER
      21 TCP FTPSERVE ; FTP SERVER
      23 TCP INTCLIEN SECURE ZVMCER01 ; TELNET SERVER

    SSLSERVERID SSLSERV TIMEOUT 60

    INTERNALCLIENTPARMS
      SECURECONNECTION REQUIRED
    ENDINTERNALCLIENTPARMS

I am using a self-signed cert and SSL seems to be working just fine. I have tested this with x3270, c3270 and TN3270 (SDI) and I see the following in the SSLSERV Log:

    Client 10.254.3.81:36396 Port 23 Label ZVMCER01 Cipher RC4_128_SHA Connection established.

So at this point I am assuming that my telnet sessions are secure (or more secure). However, I do get the following disturbing message in the TCPIP log at initialization:

    DTCSTM305I Telnet server: Secure Connections are REQUIRED
    DTCSTM309I Telnet server: TLS Label is none
    DTCSTM335E Telnet server: Unable to handle secure connections, no TLS label specified

I believe this means that the telnet server itself will not handle the secure connections (Dynamic SSL\TLS) but rather TCPIP will forward the request for the secure port to the SSLSERV (Static SSL).

Wondering if I am going to box myself in here when I go to secure FTP connections and PERFSVM web access.

Tyler Koyl
Viterra Inc.
Re: SSL Server on z/VM 5.4 RSU 802 - Static SSL vs Dynamic SSL\TLS
I have something like this ..

    INTERNALCLIENTPARMS
      PORT 992
      SECURECONNECTION REQUIRED
      TLSLABEL ZVMCER0
    ENDINTERNALCLIENTPARMS

Also: In the SYSTEM DTCPARMS ... EXEMPT LOW makes it more secure..

    :parms.KEYFile /etc/gskadm/Database.kdb EXEMPT LOW MAXUSERS 200

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Tyler Koyl
Sent: Wednesday, March 11, 2009 1:17 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SSL Server on z/VM 5.4 RSU 802 - Static SSL vs Dynamic SSL\TLS
Re: SSL Server on z/VM 5.4 RSU 802 - Static SSL vs Dynamic SSL\TLS
Sweet. Then you would have to comment out or remove:

    ; 23 TCP INTCLIEN SECURE ZVMCER01 ; TELNET SERVER

Tyler

Huegel, Thomas thue...@kable.com
Sent by: The IBM z/VM Operating System ib...@listserv.uark.edu
03/11/2009 12:49 PM
Please respond to The IBM z/VM Operating System ib...@listserv.uark.edu
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SSL Server on z/VM 5.4 RSU 802 - Static SSL vs Dynamic SSL\TLS
Re: SSL Server on z/VM 5.4 RSU 802 - Static SSL vs Dynamic SSL\TLS
Yes and add the line for 992 .. or just change your 23 to 992 ..

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Tyler Koyl
Sent: Wednesday, March 11, 2009 1:52 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SSL Server on z/VM 5.4 RSU 802 - Static SSL vs Dynamic SSL\TLS
Re: SSL Server on z/VM 5.4 RSU 802 - Static SSL vs Dynamic SSL\TLS
On Wednesday, 03/11/2009 at 02:17 EDT, Tyler Koyl tyler.k...@viterra.ca wrote:
> My next question is whether I should be going with Static SSL or Dynamic SSL/TLS connections?

That depends on your client capability. Some older telnet clients can't negotiate a secure connection.

> PORT
>   23 TCP INTCLIEN SECURE ZVMCER01 ; TELNET SERVER
> INTERNALCLIENTPARMS
>   SECURECONNECTION REQUIRED
> ENDINTERNALCLIENTPARMS
>
> So at this point I am assuming that my telnet sessions are secure (or more secure). However, I do get the following disturbing message in the TCPIP log at initialization:
>
> DTCSTM305I Telnet server: Secure Connections are REQUIRED
> DTCSTM309I Telnet server: TLS Label is none
> DTCSTM335E Telnet server: Unable to handle secure connections, no TLS label specified
>
> I believe this means that the telnet server itself will not handle the secure connections (Dynamic SSL\TLS) but rather TCPIP will forward the request for the secure port to the SSLSERV (Static SSL).

Please call it in. The following are wrong:
- The text should say "Unable to negotiate secure connections with clients, no TLS label specified."
- The explanation in Msgs & Codes should be updated to say that static connections are not affected.

The REQUIRED parameter means that a session must be negotiated to be secure OR it be statically protected. If a connection has been statically protected, the telnet server knows and will not negotiate a secure connection. So as it is now, DTC335E is overstating the case IF there is a label present on the PORT statement. Of course, you won't really know if a static connection has a hope of working until you try it. (BTW, for those who care, static SSL is the same function that z/OS calls AT-TLS - Application Transparent TLS.)

The general rule is that negotiating and non-negotiating clients cannot go to the same port as, typically, the client will only connect in a single way rather than try both. I don't know of any client that will try to establish a TLS session first and then, if that fails, try to negotiate a TLS session on the same port.

So to handle both static and negotiating telnet clients:
- Add the same TLS label to the InternalClientParms as you have on the PORT statement
- Add a second PORT entry for another INTCLIEN, e.g. 10023
- Add port 23 port 10023 to the InternalClientParms
- Decide whether most of the telnet clients negotiate or if they require a static connection. This decides whether port 23 will require static connections.
  - If majority are static, leave port 23 as you have it.
  - If majority negotiate, move the SECURE option from port 23 to port 10023.
- Assuming the telnet client software isn't smart enough to try both ways, the set of clients that lost the race for port 23 must change their configuration to go to port 10023.

> Wondering if I am going to box myself in here when I go to secure FTP connections and PERFSVM web access.

FTP will most likely be negotiated, though I have seen static clients. A word about static FTP clients:
- Only inbound connections are secured, so 'passive' ftp is required
- A special form of the PORT statement is required. See the book.
- You cannot use CCC to revert the command connection to clear-text. Firewalls cannot see the PASV or PORT commands and will not open a hole. So...
  - You must use the PassivePortRange FTP server configuration statement and pre-define the port numbers that the FTP server will use to accept data connections, and...
  - You must force those same port numbers open in the firewall.

This can be a death blow to the use of non-negotiating FTP clients or those that negotiate but do not support CCC.

Which brings me to a point about the support for CCC (Clear Command Channel) that was added in z/VM 5.4. If you have SECURECONTROL REQUIRED in the ftp server configuration, the ftp cannot use CCC. Likewise, if you have SECUREDATA REQUIRED, the client cannot use the (new) CLEAR subcommand in order to transfer data without encryption. [NB. The TCP/IP admin book has some unfortunate misspellings under SECURECONTROL. Where it says 'NOW allowed' it means 'NOT allowed'.]

For PERFSVM, see the Performance Toolkit Guide, pp. 49-50. Static SSL is the only method available, but you must do more than just alter the PORT statement.

Alan Altmark
z/VM Development
IBM Endicott
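
The following is an added example, not part of the thread or of any IBM tooling: a small Python check that reads a PROFILE TCPIP fragment and reports, for each INTCLIEN port, whether it is statically protected, negotiable, or unprotected, plus the REQUIRED-without-TLS-label condition behind DTCSTM335E. The function names and sample profiles are constructed for illustration, and the parser assumes each keyword shares a line with its value; only statements quoted in the thread are understood.

```python
# Added example: audit the telnet (INTCLIEN) ports in a PROFILE TCPIP fragment.
# Assumption: every keyword sits on the same line as its value.

# Constructed sample 1: PORT and InternalClientParms of the static-only setup.
STATIC_ONLY = """
PORT
  20 TCP FTPSERVE NOAUTOLOG ; FTP SERVER
  21 TCP FTPSERVE ; FTP SERVER
  23 TCP INTCLIEN SECURE ZVMCER01 ; TELNET SERVER
SSLSERVERID SSLSERV TIMEOUT 60
INTERNALCLIENTPARMS
  SECURECONNECTION REQUIRED
ENDINTERNALCLIENTPARMS
"""

# Constructed sample 2: dual-port layout, "majority negotiate" case.
DUAL_PORT = """
PORT
  23 TCP INTCLIEN ; negotiating clients
  10023 TCP INTCLIEN SECURE ZVMCER01 ; static clients
INTERNALCLIENTPARMS
  PORT 23 PORT 10023
  SECURECONNECTION REQUIRED
  TLSLABEL ZVMCER01
ENDINTERNALCLIENTPARMS
"""


def parse_profile(text):
    ports = {}  # INTCLIEN port -> static SECURE label, or None
    icp = {"ports": [], "secure": None, "tlslabel": None}
    block = None  # None, "PORT" or "ICP"
    for raw in text.splitlines():
        toks = raw.split(";", 1)[0].split()  # ';' starts a comment
        if not toks:
            continue
        head = toks[0].upper()
        if head == "INTERNALCLIENTPARMS":
            block, toks = "ICP", toks[1:]
        elif head == "PORT" and block != "ICP":
            block, toks = "PORT", toks[1:]
        elif block == "PORT" and not head.isdigit():
            block = None  # any other statement ends the PORT list
        if block == "PORT" and toks and toks[0].isdigit():
            upper = [t.upper() for t in toks]
            if len(upper) >= 3 and upper[2] == "INTCLIEN":
                label = None
                if "SECURE" in upper[3:]:
                    i = upper.index("SECURE", 3)
                    label = toks[i + 1] if i + 1 < len(toks) else None
                ports[int(toks[0])] = label
        elif block == "ICP":
            it = iter(toks)
            for key in it:
                k = key.upper()
                if k == "ENDINTERNALCLIENTPARMS":
                    block = None
                    break
                if k in ("PORT", "SECURECONNECTION", "TLSLABEL"):
                    val = next(it, None)
                    if val is None:
                        break  # value not on this line: ignored
                    if k == "PORT" and val.isdigit():
                        icp["ports"].append(int(val))
                    elif k == "SECURECONNECTION":
                        icp["secure"] = val.upper()
                    elif k == "TLSLABEL":
                        icp["tlslabel"] = val
    return ports, icp


def audit(text):
    ports, icp = parse_profile(text)
    modes = {}
    for port, label in sorted(ports.items()):
        if label:
            modes[port] = "static"       # SECURE label on the PORT entry
        elif icp["tlslabel"]:
            modes[port] = "negotiable"   # telnet server has a TLS label
        else:
            modes[port] = "unprotected"  # neither mechanism applies
    return {
        "modes": modes,
        # REQUIRED with no TLS label: the DTCSTM335E situation in the thread
        "cannot_negotiate": icp["secure"] == "REQUIRED" and not icp["tlslabel"],
        # INTCLIEN ports absent from an explicit InternalClientParms PORT list
        "unlisted": [p for p in modes if icp["ports"] and p not in icp["ports"]],
    }


if __name__ == "__main__":
    for name, profile in (("static-only", STATIC_ONLY), ("dual-port", DUAL_PORT)):
        print(name, audit(profile))
```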
Re: SSL Server on z/VM 5.4 RSU 802 - Static SSL vs Dynamic SSL\TLS
Thanks for the info Alan. I will open an ETR with IBM about the incorrect message tomorrow. I have Telnet set up to negotiate sessions (TLS) now so I have done the setup both ways. Going to stick with negotiated for Telnet and ftp. It took me 2 days, but I got it. :) Again, thanks for your time.

D. Tyler Koyl
Management Analyst
Viterra
Tel (306) 569-6122
Fax (306) 569-4382
mailto:tyler.k...@viterra.ca
http://www.viterra.ca

Alan Altmark alan_altm...@us.ibm.com
Sent by: The IBM z/VM Operating System ib...@listserv.uark.edu
03/11/2009 01:58 PM
Please respond to The IBM z/VM Operating System ib...@listserv.uark.edu
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SSL Server on z/VM 5.4 RSU 802 - Static SSL vs Dynamic SSL\TLS
SSL Server on z/VM 5.4 RSU 802
Testing out z/VM 5.4 and would like to implement secure telnet, ftp etc using the SSL server. I have gone through the TCPIP configuration and certificate database creation of the SSL server but I get the following from SSLSERV when the server is autologged by TCPIP:

    DTCRUN1022I Console log will be sent to default owner ID: TCPMAINT
    DTCRUN1011I Server started at 14:14:16 on 10 Mar 2009 (Tuesday)
    DTCRUN1011I Running server command: VMSSL
    DTCRUN1011I Parameters in use:
    DTCRUN1011I keyfile /etc/gskadm/Database.kdb
    VMSSL program functions are not available
    14:14:16 * MSG FROM SSLSERV : VMSSL PROGRAM FUNCTIONS ARE NOT AVAILABLE
    HCPMFS057I SSLSERV not receiving; disconnected
    DTCRUN1015I Server ended with RC=8 at 14:14:16 on 10 Mar 2009 (Tuesday)

I seem to not be able to find out WHY 'VMSSL program functions are not available'. I can only guess that it might be because we don't have any crypto processors enabled but I am pretty dazed and confused at this point. Any help is appreciated.

Tyler Koyl
Viterra Inc.
Re: SSL Server on z/VM 5.4 RSU 802
I don't know.. do you have the SSL enabling PTF's on?

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Tyler Koyl
Sent: Tuesday, March 10, 2009 4:31 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: SSL Server on z/VM 5.4 RSU 802
Re: SSL Server on z/VM 5.4 RSU 802
Thanks. That was it. I found the enablement PTFs and installed them. This is a real PITA. From having to figure out that ssl needed to be enabled to finally getting SSLSERV to initialize properly only after storing the database password in a friggin stash file with the right permissions; made for a long day. I feel cooked.

Tyler Koyl
Viterra Inc.

Huegel, Thomas thue...@kable.com
Sent by: The IBM z/VM Operating System ib...@listserv.uark.edu
03/10/2009 03:34 PM
Please respond to The IBM z/VM Operating System ib...@listserv.uark.edu
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SSL Server on z/VM 5.4 RSU 802
SSL Server on z/VM 5.4 RSU 802
Tyler: Did you check the PSP bucket? Rule no. 1, always check the PSP bucket. http://www.vm.ibm.com/related/tcpip/psp-540.html Jim
Re: SSL Server for z/VM
> Chocolates!! What Chocolates?

Comes with the paid support option. You have to settle for cinnamon rolls if you just mooch the free version...

-- db
SSL Server for z/VM
Folks,

Anybody have any suggestions as to the distro to use for the SSL server for TCPIP? We are going to be setting up SSL servers, and are thinking about what base Linux to use, obviously it should be a small one, but does anybody on the list have a suggestion?

Thanks,
Brian Ferguson
EDS VM Capability
Re: SSL Server for z/VM
Hi Brian. I'm just testing SSL for a client and I used SSLSERV Debian from Sine Nomine Associates. Very small foot print. All tailored. DDR restore and go. Also recovers well after someone forced it off.

Hans Rempel

-- Original Message --
From: Brian Ferguson [EMAIL PROTECTED]
Reply-To: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU
Date: Thu, 1 Feb 2007 11:22:08 -0600
Re: SSL Server for z/VM
Only SuSE and RH are officially supported by IBM. Both are not particularly small. We provide a small appliance configuration that seems to meet some people's needs.
Re: SSL Server for z/VM
I second this recommendation. Sine Nomine's SSLSERV has worked wonderfully since I put it in. As indicated, this is a DDR restore and run distribution. No package selection, no maintenance needed for the linux operating system. Then you have to add the IBM VMSSL stuff on top and then add a certificate and then customize your TCPIP stack to use it.

/Tom Kern

On Thu, 1 Feb 2007 12:56:30 -0500, Hans Rempel [EMAIL PROTECTED] wrote:
> Hi Brian. I'm just testing SSL for a client and I used SSLSERV Debian from Sine Nomine Associates. Very small foot print. All tailored. DDR restore and go. Also recovers well after someone forced it off.
>
> Hans Rempel
Re: SSL Server for z/VM
I can recommend the SSL appliance thingy that Sine Nomine Associates offers...it works well, installs easily via DDR, and comes with a nice box of assorted chocolates.

DJ

Brian Ferguson wrote:
> Folks,
>
> Anybody have any suggestions as to the distro to use for the SSL server for TCPIP? We are going to be setting up SSL servers, and are thinking about what base Linux to use, obviously it should be a small one, but does anybody on the list have a suggestion?
>
> Thanks,
> Brian Ferguson
> EDS VM Capability
Re: SSL Server for z/VM
Tom,

Did you get chocolates too?

Thomas Kern wrote:
> I second this recommendation. Sine Nomine's SSLSERV has worked wonderfully since I put it in. As indicated, this is a DDR restore and run distribution. No package selection, no maintenance needed for the linux operating system. Then you have to add the IBM VMSSL stuff on top and then add a certificate and then customize your TCPIP stack to use it.
>
> /Tom Kern

--
Rich Smrcina
VM Assist, Inc.
Phone: 414-491-6001
Ans Service: 360-715-2467
rich.smrcina at vmassist.com

Catch the WAVV! http://www.wavv.org
WAVV 2007 - Green Bay, WI - May 18-22, 2007
Re: SSL Server for z/VM
> Did you get chocolates too?

You can also choose the coupon for cinnamon rolls. Personally, I recommend the rolls. Chocolate is so yesterday. 8-)

-- db
Re: SSL Server for z/VM
I didn't know I was supposed to get chocolates with SSLSERV. They might have made my certificate problems more bearable.

/Tom

On Thu, 1 Feb 2007 12:57:27 -0600, Rich Smrcina [EMAIL PROTECTED] wrote:
> Tom,
>
> Did you get chocolates too?
Re: SSL Server for z/VM
Chocolates!! What Chocolates? I too had a lot of problems with the certificates but once HummingBird provided me with the SSL code for 2006 and Patch 14 it worked well.

Hans Rempel

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Thomas Kern
Sent: February 1, 2007 2:56 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: SSL Server for z/VM