Re: TLS - and HTTP download

2023-05-01 Thread Colin Paice
I wrote Using AT-TLS and PAGENT on z/OS which covers setting up ATTLS, and gives an example or two Colin On Mon, 1 May 2023 at 22:17, Keith Gooding < 034af3894af4-dmarc-requ...@listserv.ua.edu> wrote: > Bill. >

Re: TLS - and HTTP download

2023-05-01 Thread Keith Gooding
Bill. An AT-TLS rule consists of a number of tests and pointers to actions which are performed if all of the tests are true. One of the actions specifies if TLS is to be enabled or not. You can test on local and remote port numbers, local and remote IP addresses, connection direction (inbound

Re: TLS - and HTTP download

2023-05-01 Thread Michael Babcock
Here's our simple DB2 Secure port definition in AT-TLS:

    TTLSRule DBRTSecureServer    # Secure DBRT
    {
      LocalPortRange   4450    # DBRT Secure Port
      Direction    Inbound     # Inbound Only
      Priority 1

Re: TLS - and HTTP download

2023-05-01 Thread Kurt J. Quackenbush
My understanding is that ATTLS allows you to encrypt network traffic for clients/servers which do not implement TLS themselves. It sounds like your Db2 traffic was formerly not encrypted with TLS, but your ATTLS rule now encrypts that Db2 traffic without the client or server being any wiser. Unfo

Re: TLS - and HTTP download

2023-05-01 Thread Keith Gooding
Do you mean that you have an ATTLS rule which ‘converts’ your SMP/E job to an SSL client? I.e. ATTLS acts as an SSL proxy, converting the data stream into and out of your SMP/E step to SSL? But SMP/E implements SSL itself so you must not convert that to SSL using an AT-TLS rule. > On 1 May 2023

Re: TLS - and HTTP download

2023-05-01 Thread Bill Giannelli
I am confused myself! We originally "reconfigured" TLS to provide for encrypted data transfer for Db2 thru secured ports. Part of that work (I do not know why) was specifying a rule for HTTPS. Now the only way we can download on this LPAR is when the HTTPS - TLS rule is disabled. Does that make s

Re: TLS - and HTTP download

2023-05-01 Thread Kurt J. Quackenbush
I'm confused by your question. Can you be more specific what you mean by "we have locked down HTTPS via TLS"? Are you not allowing any HTTPS traffic at all? That feels extreme. Kurt Quackenbush IBM  |  z/OS SMP/E and z/OSMF Software Management  |  ku...@us.ibm.com Chuck Norris never uses CHE

TLS - and HTTP download

2023-05-01 Thread Bill Giannelli
We download IBM software maintenance via HTTPS. Now, we have locked down HTTPS via TLS. This prevents us from downloading. One detail, we are going thru a proxy server. How do we need to configure so we can still download using HTTPS with TLS locking it down? Thanks Bill -