Telnet security advanced settings
This appendix describes implementation examples of advanced TN3270 server security using client ID groups. The following scenarios are included:
One scenario configured with native Transport Layer Security (TLS) function
One scenario configured with Application Transparent Transport Layer Security (AT-TLS) policy
As described in Chapter 16, “Telnet security” on page 679, use AT-TLS instead of the native TLS to implement the secure connections.
This appendix includes the following topics:
B.1 Advanced native TLS configuration
In this scenario, we define client ID object groups for granular control of the connection types the clients should use with a single port (992).
We define dynamic VIPA (DVIPA) addresses that are to be associated with the client ID groups representing the departments (or user groups) with various security requirements.
The following client ID groups are defined:
General user: Accesses port 992 on destination 10.1.8.41, requiring no SSL
Admin: Accesses port 992 on destination 10.1.8.42, requiring plain SSL
Payroll: Accesses port 992 on destination 10.1.8.43, requiring client authentication
Shipping: Accesses port 992 on destination 10.1.1.40, decides at connection time
The destination addresses that belong to subnet 10.1.8.* are dynamic VIPA addresses defined by the TCP/IP stack. They are not defined as distributed dynamic VIPAs in the stack. The 10.1.1.40 address is the static VIPA address of the TCPIPD stack on SC33.
Figure B-1 shows the environment for this scenario.
Figure B-1 Advanced native TLS configuration
B.1.1 Implementation tasks
The following tasks are required to enable native TLS/SSL support for TN3270, with server authentication:
1. Generate the key ring and certificates.
2. Add a TLS-enabled port and security parameters to TN3270 profile.
3. Start the TN3270 server.
Generating the key ring and certificates
 
Tip: For information about using a shared key ring and a SITE certificate, see Chapter 3, “Certificate management in z/OS” on page 37, in which we included examples and explanations of the steps that are involved in preparing the key ring and certificates that we use in this scenario.
Example B-1 shows the RACF statements that are necessary to create the shared key ring, the certificate authority (CA) certificate, and the SITE certificate used by this scenario.
Example B-1 Sample RACF for key ring and certificates
racdcert certauth gencert - 1
   subjectsdn( o('IBM Corporation') -
   ou('ITSO Certificate Authority') -
   C('US')) -
   NOTBEFORE(DATE(2011-09-11)) -
   NOTAFTER(DATE(2028-09-11)) -
   keyusage(certsign) -
   withlabel('CS ITSO CA1')
setropts raclist(facility) refresh
racdcert certauth list
 
racdcert site gencert subjectsdn(cn('ITSO.IBM.COM') - 2
   o('IBM Corporation') -
   ou('ITSO CS Shared SITE') -
   C('US')) -
   withlabel('CS ITSO SharedSite1') -
   signwith(certauth label('CS ITSO CA1'))
racdcert site list
 
racdcert ID(TCPIP) ADDRING(SharedRing1) 3
 
racdcert ID(TCPIP) CONNECT(CERTAUTH - 4
   LABEL('CS ITSO CA1') -
   RING(SharedRing1) -
   USAGE(CERTAUTH))
 
racdcert ID(TCPIP) CONNECT(SITE -
   LABEL('CS ITSO SharedSite1') - 5
   RING(SharedRing1) -
   DEFAULT -
   USAGE(PERSONAL))
 
setropts raclist(DIGTRING) refresh
setropts raclist(DIGTCERT) refresh
racdcert listring(*) id(TCPIP)
The numbers in Example B-1 correspond to the following information:
1. Creates a self-signed CA certificate.
2. Creates a SITE certificate.
3. Creates a key ring.
4. Connects a self-signed certificate authority certificate to a key ring.
5. Connects a SITE certificate to a key ring.
Adding a TLS-enabled port and security parameters to TN3270 profile
Example B-2 shows the TELNETPARMS definition and the PARMSGROUP parameter sets that are mapped to client ID groups.
The client ID groups are defined by identifying the clients that access the stack by the destination IP addresses that they use. Several alternative mapping methods are available to define client ID groups; this scenario uses the DESTIPGRP method.
Any user who accesses the stack over an IP address that is not defined explicitly in this profile is presented with the Network Solicitor window and is prompted for a user ID, password, and desired application. No SSL security is implemented for that type of connection.
We use the TN3270D configuration file for this example.
Example B-2 Defining the TN3270 profile for native TLS connection security
TELNETGLOBALS
TCPIPJOBNAME TCPIPD
TELNETDEVICE IBM-3277 SNX32702,SNX32702
TELNETDEVICE IBM-3278-2-E SNX32702,SNX32702
TELNETDEVICE IBM-3278-2 SNX32702,SNX32702
TELNETDEVICE IBM-3279-2-E SNX32702,SNX32702
TELNETDEVICE IBM-3279-2 SNX32702,SNX32702
TELNETDEVICE IBM-3278-3-E SNX32703,SNX32703
TELNETDEVICE IBM-3278-3 SNX32703,SNX32703
TELNETDEVICE IBM-3279-3-E SNX32703,SNX32703
TELNETDEVICE IBM-3279-3 SNX32703,SNX32703
TELNETDEVICE IBM-3278-4-E SNX32704,SNX32704
TELNETDEVICE IBM-3278-4 SNX32704,SNX32704
TELNETDEVICE IBM-3279-4-E SNX32704,SNX32704
TELNETDEVICE IBM-3279-4 SNX32704,SNX32704
TELNETDEVICE IBM-3278-5-E SNX32705,SNX32705
TELNETDEVICE IBM-3278-5 SNX32705,SNX32705
TELNETDEVICE IBM-3279-5-E SNX32705,SNX32705
TELNETDEVICE IBM-3279-5 SNX32705,SNX32705
ENDTELNETGLOBALS
;
TELNETPARMS
SECUREPORT 992 ;Port 992 supports native TLS 1
KEYRING SAF TCPIP/SharedRing1 ;keyring shared by servers 2
INACTIVE 0
TIMEMARK 600
SCANINTERVAL 120
FULLDATATRACE
SMFINIT 0 SMFINIT NOTYPE119
SMFTERM 0 SMFTERM TYPE119
SNAEXT
MSG07
LUSESSIONPEND
ENDTELNETPARMS
;
BEGINVTAM
PORT 992
DEFAULTLUS
SC33DS01..SC33DS99
ENDDEFAULTLUS
; ----------------------------------------------------------------------
; This NOSSL group is mapped to use no SSL security. -
; ----------------------------------------------------------------------
PARMSGROUP NOSSL 3
NOLUSESSIONPEND
CONNTYPE BASIC ; support non-secure, overrides telnetparms
ENDPARMSGROUP
; ----------------------------------------------------------------------
; The SSLPLAIN group is mapped to use SSL security          -
; with no Client Authentication required -
; ----------------------------------------------------------------------
PARMSGROUP SSLPLAIN 4
CONNTYPE SECURE ; says plain SSL, no client auth specified
ENDPARMSGROUP ; and negotiate all available encryption algorithms
; ----------------------------------------------------------------------
; The SSLCERTS group is mapped to use SSL security               -
; and to require Client Authentication (certificates) -
; ----------------------------------------------------------------------
PARMSGROUP SSLCERTS 5
CONNTYPE SECURE ; Support SSL
CLIENTAUTH SSLCERT ; Client Certificate required
ENCRYPT SSL_DES_SHA ; use these only, do not consider any others
SSL_3DES_SHA
ENDENCRYPT
ENDPARMSGROUP
; ----------------------------------------------------------------------
; The UP2USER group is mapped to use ANY security (user's choice) -
; with no Client Authentication (no certificates) -
; ----------------------------------------------------------------------
PARMSGROUP UP2USER 6
CONNTYPE ANY ; Whatever User wants to do
ENDPARMSGROUP
 
DESTIPGROUP GENERALUSER 10.1.8.41 ENDDESTIPGROUP 7 ; D-VIPA
DESTIPGROUP ADMIN 10.1.8.42 ENDDESTIPGROUP 8 ; D-VIPA
DESTIPGROUP PAYROLL 10.1.8.43 ENDDESTIPGROUP 9 ; D-VIPA
DESTIPGROUP SHIPPING 10.1.1.40 ENDDESTIPGROUP 10 ; Static VIPA
PARMSMAP NOSSL DESTIPGRP,GENERALUSER 11
DEFAULTAPPL SC33N DESTIPGRP,GENERALUSER
PARMSMAP SSLPLAIN DESTIPGRP,ADMIN 12
USSTCP USSTEST1 DESTIPGRP,ADMIN
PARMSMAP SSLCERTS DESTIPGRP,PAYROLL 13
USSTCP USSTEST1 DESTIPGRP,PAYROLL
PARMSMAP UP2USER DESTIPGRP,SHIPPING 14
DEFAULTAPPL TSO DESTIPGRP,SHIPPING
 
ALLOWAPPL SC33N* ; Netview
ALLOWAPPL NVAS* QSESSION ; session mngr queues back upon CLSDST
ALLOWAPPL TSO* DISCONNECTABLE ; Allow all users access to TSO
ALLOWAPPL * ; Allow all applications that have not been
; previously specified to be accessed.
ENDVTAM
;
TELNETPARMS
PORT 23 ; Port 23 supports basic (non-secure) connections
INACTIVE 0
TIMEMARK 600
SCANINTERVAL 120
FULLDATATRACE
SMFINIT 0 SMFINIT NOTYPE119
SMFTERM 0 SMFTERM TYPE119
SNAEXT
MSG07
LUSESSIONPEND
ENDTELNETPARMS
;
BEGINVTAM
PORT 23
DEFAULTLUS
SC33DB01..SC33DB99
ENDDEFAULTLUS
DEFAULTAPPL SC33TS ; All users go to TSO
ALLOWAPPL SC* ; Netview and TSO
ALLOWAPPL NVAS* QSESSION ; session mngr queues back upon CLSDST
ALLOWAPPL TSO* DISCONNECTABLE ; Allow all users access to TSO
ALLOWAPPL * ; Allow all applications that have not been
; previously specified to be accessed.
ENDVTAM
The numbers in Example B-2 on page 826 correspond to the following information:
1. Port 992 is defined as the secure port.
2. The name of the key ring in use.
3. PARMSGROUP NOSSL for basic (no TLS/SSL) connection.
4. PARMSGROUP SSLPLAIN for secure connection with no client authentication.
5. PARMSGROUP SSLCERTS for secure connection with client authentication.
6. PARMSGROUP UP2USER for basic or secure connection.
7. Client ID group GENERALUSER is defined for clients destined to 10.1.8.41.
8. Client ID group ADMIN is defined for clients destined to 10.1.8.42.
9. Client ID group PAYROLL is defined for clients destined to 10.1.8.43.
10. Client ID group SHIPPING is defined for clients destined to 10.1.1.40.
11. Client ID group GENERALUSER is mapped to NOSSL PARMSGROUP.
12. Client ID group ADMIN is mapped to SSLPLAIN PARMSGROUP.
13. Client ID group PAYROLL is mapped to SSLCERTS PARMSGROUP.
14. Client ID group SHIPPING is mapped to UP2USER PARMSGROUP.
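The DESTIPGROUP to PARMSMAP to PARMSGROUP chain that Example B-2 sets up can be walked mechanically. The following Python is an added example, not part of this Redbook or of the z/OS product: it parses a constructed excerpt of Example B-2 (only the statements used there) and reports, for a destination address, the PARMSGROUP and the effective CONNTYPE, CLIENTAUTH and ENCRYPT values, falling back to the port-level defaults (shown as *TPARMS in the CONN,DET displays) when no group matches. The accepts() helper and its admit/reject reading of the CONNTYPE values is our own interpretation, not a product API.

```python
"""Resolve which PARMSGROUP (and so which TLS requirements) a TN3270 client
gets from the DESTIPGROUP/PARMSMAP statements of a Telnet profile.  Added
illustration, not IBM code: PROFILE is a constructed excerpt of Example B-2."""
from dataclasses import dataclass, field

PROFILE = """\
TELNETPARMS
SECUREPORT 992 ;Port 992 supports native TLS
ENDTELNETPARMS
PARMSGROUP NOSSL
CONNTYPE BASIC ; support non-secure, overrides telnetparms
ENDPARMSGROUP
PARMSGROUP SSLPLAIN
CONNTYPE SECURE ; plain SSL, no client auth specified
ENDPARMSGROUP
PARMSGROUP SSLCERTS
CONNTYPE SECURE
CLIENTAUTH SSLCERT ; Client Certificate required
ENCRYPT SSL_DES_SHA ; use these only, do not consider any others
SSL_3DES_SHA
ENDENCRYPT
ENDPARMSGROUP
PARMSGROUP UP2USER
CONNTYPE ANY ; Whatever User wants to do
ENDPARMSGROUP
DESTIPGROUP GENERALUSER 10.1.8.41 ENDDESTIPGROUP ; D-VIPA
DESTIPGROUP ADMIN 10.1.8.42 ENDDESTIPGROUP ; D-VIPA
DESTIPGROUP PAYROLL 10.1.8.43 ENDDESTIPGROUP ; D-VIPA
DESTIPGROUP SHIPPING 10.1.1.40 ENDDESTIPGROUP ; Static VIPA
PARMSMAP NOSSL DESTIPGRP,GENERALUSER
PARMSMAP SSLPLAIN DESTIPGRP,ADMIN
PARMSMAP SSLCERTS DESTIPGRP,PAYROLL
PARMSMAP UP2USER DESTIPGRP,SHIPPING
"""

@dataclass
class Parms:
    conntype: str = ""       # "" = inherit from TELNETPARMS
    clientauth: str = ""
    encrypt: list = field(default_factory=list)   # empty = default cipher list

def parse_profile(profile):
    """Return (port_default, parmsgroups, destipgroups, parmsmap)."""
    port_default, groups, dests, pmap = Parms(), {}, {}, {}
    cur, in_encrypt = None, False
    for raw in profile.splitlines():
        tok = raw.split(";", 1)[0].split()     # drop ';' comments
        if not tok:
            continue
        kw = tok[0].upper()
        if kw == "TELNETPARMS":
            cur = port_default
        elif kw == "PARMSGROUP":
            cur = groups.setdefault(tok[1].upper(), Parms())
        elif kw in ("ENDTELNETPARMS", "ENDPARMSGROUP"):
            cur = None
        elif kw == "SECUREPORT" and cur is port_default:
            cur.conntype = "SECURE"          # SECUREPORT implies CONNTYPE SECURE
        elif kw == "DESTIPGROUP":            # DESTIPGROUP name ip ... ENDDESTIPGROUP
            dests[tok[1].upper()] = set(tok[2:-1])
        elif kw == "PARMSMAP":               # PARMSMAP group DESTIPGRP,name
            ctype, cname = tok[2].upper().split(",", 1)
            if ctype == "DESTIPGRP":
                pmap[cname] = tok[1].upper()
        elif cur is not None:
            if kw == "ENCRYPT" or in_encrypt:  # ENCRYPT cipher ... ENDENCRYPT block
                in_encrypt = kw != "ENDENCRYPT"
                cur.encrypt += [t.upper() for t in tok
                                if t.upper() not in ("ENCRYPT", "ENDENCRYPT")]
            elif kw == "CONNTYPE":
                cur.conntype = tok[1].upper()
            elif kw == "CLIENTAUTH":
                cur.clientauth = tok[1].upper()
    return port_default, groups, dests, pmap

def resolve(profile, dest_ip):
    """Effective security for a client connecting to dest_ip; *TPARMS marks the
    port-level default that applies when no client ID group matches."""
    port_default, groups, dests, pmap = parse_profile(profile)
    name = next((pmap[d] for d, ips in dests.items()
                 if dest_ip in ips and d in pmap), "*TPARMS")
    grp = groups.get(name, Parms())
    return {
        "parmsgroup": name,
        "conntype": grp.conntype or port_default.conntype or "BASIC",
        "clientauth": grp.clientauth or port_default.clientauth or "NONE",
        "encrypt": grp.encrypt or port_default.encrypt,
    }

def accepts(profile, dest_ip, client_tls, client_cert=False):
    """BASIC admits clear text only, SECURE requires a TLS handshake, ANY lets
    the client decide; CLIENTAUTH SSLCERT also needs a client certificate."""
    eff = resolve(profile, dest_ip)
    if eff["conntype"] == "BASIC":
        return not client_tls
    if eff["conntype"] == "SECURE" and not client_tls:
        return False
    return not (client_tls and eff["clientauth"] != "NONE" and not client_cert)
```

Running resolve() for the three destinations of Example B-4 reproduces the group assignments that the CONN and OBJECT displays later report.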
Starting the TN3270 server
To apply the new definition, start or restart the TN3270 server. The OBEYFILE command can also be used, but it is effective for new connections only. Example B-3 shows the messages given at the initialization of the TN3270 server.
Example B-3 Starting the TN3270 server
S TN3270D
.....
EZZ6001I TELNET SERVER STARTED
.....
EZZ6003I TELNET LISTENING ON PORT 992 1
EZZ6003I TELNET LISTENING ON PORT 23 2
The numbers in Example B-3 correspond to the following information:
1. The native TLS port 992 is now active.
2. The basic connection port 23 is also active (the definition is not shown in this chapter).
B.1.2 Activation and verification
The following commands can be useful when validating secure port information in the Telnet server environment:
We used IBM Personal Communications V5.7 to establish the connection. Because we used a self-signed CA certificate, we downloaded the certificate authority's certificate and installed it into Personal Communications.
Using TELNET CONN displays to show TN3270 connections
The display CONN command without the CONN= parameter gives you a high-level view of the connections that exist and what they are being used for. Look for the EN TY column (encryption type). The command shows the current connections and their associated resources, such as LU name, logmode, and the application in use, as shown in Example B-4.
Example B-4 Display Telnet CONN for connection overview information
D TCPIP,TN3270D,T,CONN,MAX=*
EZZ6064I TELNET CONNECTION DISPLAY 719
         EN                                          TSP
CONN     TY IPADDR..PORT           LUNAME   APPLID   PTR LOGMODE
-------- -- ---------------------- -------- -------- --- --------
00002067    ::FFFF:10.1.1.30..1033                                1
                                   SC33DS09 SC33TS08 TA3 SNX32704 1
00002063    ::FFFF:10.1.1.20..1031                                2
                                   SC33DS08 SC33N008 TA3 SNX32704 2
00001FD1 4S ::FFFF:10.1.100.221..3235                             3
                                   SC33DS07          TPE          3
----- PORT: 992 ACTIVE PROF: CURR CONNS: 3
------------------------------------------------------------
8 OF 8 RECORDS DISPLAYED
The numbers in Example B-4 on page 829 correspond to the following information:
1. The TSO Telnet client on SC32 is connected to 10.1.1.40, port 992 (and is mapped to TSO on SC33). An LU, SC33DS09, is assigned, where the S indicates the LU pool for port 992. The destination address 10.1.1.40 is associated with PARMSGROUP UP2USER (SSL optional), but the TSO Telnet client does not negotiate or request SSL. Therefore, connection 2067 did not perform an SSL handshake, and no encryption type is indicated.
2. The TSO Telnet client on SC31 is connected to 10.1.8.41, port 992 (and is mapped to NetView on SC33). The destination address 10.1.8.41 is associated with PARMSGROUP NOSSL, so no SSL handshake is performed and no encryption type is indicated.
3. A Personal Communications terminal is connected to destination IP address 10.1.8.42, port 992, requesting SSL without client authentication. Notice that the encryption type is 4S. The connection shows as pending (TPE), with no APPLID or LOGMODE assigned, while the USSTEST1 MSG10 is displayed. When the user selects an application (NVAS, in our case), TN3270 fills in the application name and the associated logmode, as shown in Example B-7 on page 831 and Example B-8 on page 832.
Displaying CONN to show connection SSL information
Example B-5 and Example B-6 show the output of the CONN command before the user selects an application. Notice that APPLID and LOGMODE are not filled in yet; TN3270 fills in the application name and associated logmode after selection, as shown in Example B-7 on page 831 and Example B-8 on page 832. Look for the SSL information in Example B-5.
Example B-5 Display Telnet CONN for SSL information
D TCPIP,TN3270D,T,CONN
EZZ6064I TELNET CONNECTION DISPLAY 382
         EN                                          TSP
CONN     TY IPADDR..PORT           LUNAME   APPLID   PTR LOGMODE
-------- -- ---------------------- -------- -------- --- --------
0000B23C 4S ::FFFF:10.1.100.224..2880
                                   SC33DS01          TPE
----- PORT: 992 ACTIVE PROF: CURR CONNS: 1
------------------------------------------------------------
4 OF 4 RECORDS DISPLAYED
The CONNECTION display command with the CONN= parameter and the DETail option gives you a complete look at one connection: all of the information that is available about that single connection. Look for the TLS/SSL information, as shown in Example B-6.
Example B-6 Telnet CONN DETAIL for SSL information, before application selection
D TCPIP,TN3270D,T,CONN,CONN=B23C,DET
EZZ6065I TELNET CONNECTION DISPLAY 384
CONNECTED: 11:36:00 09/26/2007 STATUS: SESSION PENDING 1
CLIENT IDENTIFIER FOR CONN: 0000B23C SECLABEL: **N/A**
CLIENTAUTH USERID: **N/A**
HOSTNAME: NO HOSTNAME
CLNTIP..PORT: ::FFFF:10.1.100.224..2880
DESTIP..PORT: ::FFFF:10.1.8.42..992
LINKNAME: VIPL0A01082A
PORT: 992 QUAL: NONE
AFFINITY: TCPIPD
STATUS: ACTIVE SECURE ACCESS: SECURE 4S TLSV1 2
PROTOCOL: TN3270E DEVICETYPE: IBM-3278-2-E
TYPE: TERMINAL GENERIC
OPTIONS: ETET---- 3270E FUNCTIONS: BSR----
NEWENV FUNCTIONS: --
LUNAME: SC33DS01
APPL: **N/A** 3
USERIDS RESTRICTAPPL: **N/A** EXPRESSLOGON: **N/A**
LOGMODES TN REQUESTED: APPL SPECIFIED: 3
MAPPING TYPE: CONN IDENTIFIER
OBJECT ITEM SPECIFIC OPTIONS
LUMAP GEN: NL (NULL)
>*DEFLUS* --------
DEFLT APPL: **N/A**
USS TABLE: NL (NULL)
>USSTEST1 P-------
INT TABLE: **N/A**
PARMS:
PERSIS FUNCTION DIA SECURITY TIMERS MISC
(LMTGCAK)(OATSKTQSWHRT)(DRF)(PCKLECXN2)(IPKPSTS)(SMLT)
------- ------------ --- --------- ------- ----
******* **TSBTQ***RT EC* BB**D**** *P**STS *DD* *DEFAULT
------- -----------T --- --------- ------- ---- *TGLOBAL
LM----- ---S-------- --F SSS------ *---ST- S--- *TPARMS
LM***** **TSBTQ***RT ECF SSS*D**** *P**STS SDD* TP-CURR
LM***** **TSBTQ***RT ECF SSS*D**** *P**STS SDD* <-FINAL 4
35 OF 35 RECORDS DISPLAYED
The numbers in Example B-6 on page 830 correspond to the following information:
1. The connection is in pending state until the user selects an application.
2. The connection is secure and the cipher in use is 4S (SSL_RC4_SHA). See Table 16-1 on page 684 for the complete list of supported ciphers.
3. The application name and the logmode are blank until the user logs on to a specific application.
4. The security parameters that are defined in the Telnet profile. Each letter of PCKLECXN2 stands for one of the SECURITY parameters listed, in the same order, in Example B-9 on page 833.
After the user selects an application, TN3270 fills in the applid name and associated logmode, as shown in Example B-7 and Example B-8 on page 832.
Example B-7 Connection summary information for SSL port 992 after application selection
D TCPIP,TN3270D,T,CONN
EZZ6064I TELNET CONNECTION DISPLAY 421
         EN                                          TSP
CONN     TY IPADDR..PORT           LUNAME   APPLID   PTR LOGMODE
-------- -- ---------------------- -------- -------- --- --------
0000B23C 4S ::FFFF:10.1.100.224..2880
                                   SC33DS01 SC33TS04 TAE SNX32702
----- PORT: 992 ACTIVE PROF: CURR CONNS: 1
------------------------------------------------------------
4 OF 4 RECORDS DISPLAYED
Example B-8 shows further connection detail information.
Example B-8 Connection detail information for SSL port 992 after application selection
D TCPIP,TN3270D,T,CONN,CONN=B23C,DET
EZZ6065I TELNET CONNECTION DISPLAY 400
CONNECTED: 11:36:00 09/26/2007 STATUS: SESSION ACTIVE 1
CLIENT IDENTIFIER FOR CONN: 0000B23C SECLABEL: **N/A**
CLIENTAUTH USERID: **N/A**
HOSTNAME: NO HOSTNAME
CLNTIP..PORT: ::FFFF:10.1.100.224..2880
DESTIP..PORT: ::FFFF:10.1.8.42..992
LINKNAME: VIPL0A01082A
PORT: 992 QUAL: NONE
AFFINITY: TCPIPD
STATUS: ACTIVE SECURE ACCESS: SECURE 4S TLSV1 2
PROTOCOL: TN3270E DEVICETYPE: IBM-3278-2-E
TYPE: TERMINAL GENERIC
OPTIONS: ETET---- 3270E FUNCTIONS: BSR----
NEWENV FUNCTIONS: --
LUNAME: SC33DS01
APPL: SC33TS04 3
USERIDS RESTRICTAPPL: **N/A** EXPRESSLOGON: **N/A**
LOGMODES TN REQUESTED: SNX32702 APPL SPECIFIED: SNX32702 3
MAPPING TYPE: CONN IDENTIFIER
OBJECT ITEM SPECIFIC OPTIONS
LUMAP GEN: NL (NULL)
>*DEFLUS* --------
DEFLT APPL: **N/A**
USS TABLE: NL (NULL)
>USSTEST1 P-------
INT TABLE: **N/A**
PARMS:
PERSIS FUNCTION DIA SECURITY TIMERS MISC
(LMTGCAK)(OATSKTQSWHRT)(DRF)(PCKLECXN2)(IPKPSTS)(SMLT)
------- ------------ --- --------- ------- ----
******* **TSBTQ***RT EC* BB**D**** *P**STS *DD* *DEFAULT
------- -----------T --- --------- ------- ---- *TGLOBAL
LM----- ---S-------- --F SSS------ *---ST- S--- *TPARMS
LM***** **TSBTQ***RT ECF SSS*D**** *P**STS SDD* TP-CURR
LM***** **TSBTQ***RT ECF SSS*D**** *P**STS SDD* <-FINAL 4
35 OF 35 RECORDS DISPLAYED
The numbers in Example B-8 correspond to the following information:
1. The connection is in active state after the user selects an application.
2. The connection is secure and the cipher in use is 4S (SSL_RC4_SHA). See Table 16-1 on page 684 for the complete list of supported ciphers.
3. The application name and the logmode are filled in after the user logs on to a specific application.
4. The security parameters that are defined in the Telnet profile. Each letter of PCKLECXN2 stands for one of the SECURITY parameters listed, in the same order, in Example B-9 on page 833.
Displaying PROF to show profile SSL information
The PROFILE display command enables you to determine what profile-wide options are in effect for each profile, including the security specifications, as shown in Example B-9.
Example B-9 Display Telnet PROFILE for SSL information, detail
D TCPIP,TN3270D,T,PROF,PORT=992,DET
EZZ6080I TELNET PROFILE DISPLAY 457
PERSIS FUNCTION DIA SECURITY TIMERS MISC
(LMTGCAK)(OATSKTQSWHRT)(DRF)(PCKLECXN2)(IPKPSTS)(SMLT)
------- ------------ --- --------- ------- ----
******* **TSBTQ***RT EC* BB**D**** *P**STS *DD* *DEFAULT
------- -----------T --- --------- ------- ---- *TGLOBAL
LM----- ---S-------- --F SSS------ *---ST- S--- *TPARMS
LM***** **TSBTQ***RT ECF SSS*D**** *P**STS SDD* CURR
.....
SECURITY
SECUREPORT 992
CONNTYPE SECURE
KEYRING SAF TCPIP/SharedRing1
CRLLDAPSERVER NONE
ENCRYPTION 4S,4M,A2,A1,3S,DS,4E,2E,NS,NM,NN (DEF)
CLIENTAUTH NONE
NOEXPRESSLOGON
NONACUSERID
NOSSLV2
TIMERS
.....
SSLTIMEOUT 5
.....
KEYRING SAF TCPIP/SharedRing1
Displaying CLIENTID to show client group SSL information
The CLIENTID display shows which client IDs are defined in the profile and the details of each client ID, such as a DESTIPGRP and the objects that are mapped to it. The SSL-related information is shown in Example B-10.
Example B-10 Display Telnet CLIENTID for SSL information, detail
D TCPIP,TN3270D,T,CLID,PORT=992,DET,MAX=*
EZZ6081I TELNET CLIENTID DISPLAY 502
CLIENT ID          CONNS  OBJECT    OBJECT   ITEM
NAME               USING  TYPE      NAME     SPECIFIC   OPTIONS
------------------ ------ --------- -------- ---------- --------
DESTIPGRP
 GENERALUSER
                   0      DEFAPPL   SC31TS              --------
 GENERALUSER
                   0      PARMSGRP  NOSSL               --------
 ADMIN
                   0      USS       USSTEST1            P-------
 ADMIN
                   0      PARMSGRP  SSLPLAIN            --------
 PAYROLL
                   0      DEFAPPL   CICSCLP0            --------
 PAYROLL
                   0      PARMSGRP  SSLCERTS            --------
 SHIPPING
                   0      USS       USSTABEE,USSSNAEE   PP------
 SHIPPING
                   0      PARMSGRP  UP2USER             --------
NULL
 NULL
                   1      USS       USSTEST1            P-------
----- PORT: 992 ACTIVE PROF: CURR CONNS: 1
------------------------------------------------------------
22 OF 22 RECORDS DISPLAYED
A client ID summary report can show a specific client group and the names that make it up, as shown in Example B-11.
Example B-11 Display Telnet CLIENTID for SSL information, summary
D TCPIP,TN3270D,T,CLID,PORT=992,TYPE=DESTIPGRP,SUM,MAX=*
EZZ6082I TELNET CLIENTID LIST 504
DESTIPGRP
GENERALUSER ADMIN PAYROLL
SHIPPING
----- PORT: 992 ACTIVE PROF: CURR CONNS: 1
------------------------------------------------------------
5 OF 5 RECORDS DISPLAYED
Displaying OBJECT to show object SSL information
The OBJECT display can be used to see what objects are defined in the profile and details about the object. If you specify a TYPE that you know is related to a secure group you defined, such as DEFAPPL, PARMSGRP, or USS, you can see SSL-related information. Samples are shown in Example B-12.
Example B-12 Display Telnet OBJECT for SSL information, summary
D TCPIP,TN3270D,T,OBJ,PORT=992,SUM,MAX=*
EZZ6084I TELNET OBJECT LIST 586
ARAPPL
SC33N* NVAS* TSO* *
DEFAPPL
SC33N CICSCLP0 TSO
PRTAPPL
NO OBJECTS
LINEAPPL
NO OBJECTS
MAPAPPL
NO OBJECTS
USS
USSTEST1
INT
NO OBJECTS
LU
NO OBJECTS
LUGRP
*DEFLUS*
APPLLUG
NO OBJECTS
PRT
NO OBJECTS
PRTGRP
NO OBJECTS
PARMSGRP
NOSSL SSLPLAIN SSLCERTS UP2USER *DEFAULT *TGLOBAL
*TPARMS
MONGRP
NO OBJECTS
----- PORT: 992 ACTIVE PROF: CURR CONNS: 3
------------------------------------------------------------
31 OF 31 RECORDS DISPLAYED
The object detail report can be filtered to show a specific object type and the client IDs mapped to the type, as shown in Example B-13.
Example B-13 Display Telnet OBJECT for SSL information, DEFAPPL
D TCPIP,TN3270D,T,OBJ,PORT=992,TYPE=DEFAPPL,DET,MAX=*
EZZ6083I TELNET OBJECT DISPLAY 613
OBJECT     CONNS  CLIENT ID CLIENT ID        ITEM
NAME       USING  TYPE      NAME             SPECIFIC   OPTIONS
---------- ------ --------- ---------------- ---------- --------
DEFAPPL
 SC33N     1      DESTIPGRP GENERALUSER
                                                        --------
 CICSCLP0  0      DESTIPGRP PAYROLL
                                                        --------
 TSO       1      DESTIPGRP SHIPPING
                                                        --------
----- PORT: 992 ACTIVE PROF: CURR CONNS: 3
------------------------------------------------------------
9 OF 9 RECORDS DISPLAYED
The object report can be used to check which PARMSGROUPs are mapped to which client IDs. The report indicates how many connections are associated with which group, as shown in Example B-14.
Example B-14 Display Telnet OBJECT for SSL information, PARMSGRP
D TCPIP,TN3270D,T,OBJ,PORT=992,TYPE=PARMSGRP,DET,MAX=*
EZZ6083I TELNET OBJECT DISPLAY 511
OBJECT     CONNS  CLIENT ID CLIENT ID        ITEM
NAME       USING  TYPE      NAME             SPECIFIC   OPTIONS
---------- ------ --------- ---------------- ---------- --------
PARMSGRP
 NOSSL     0      DESTIPGRP GENERALUSER
                                                        --------
 SSLPLAIN  0      DESTIPGRP ADMIN
                                                        --------
 SSLCERTS  0      DESTIPGRP PAYROLL
                                                        --------
 UP2USER   0      DESTIPGRP SHIPPING
                                                        --------
 *DEFAULT         -------NO MAPPING---------
                                                        --------
 *TGLOBAL         -------NO MAPPING---------
                                                        --------
 *TPARMS          -------NO MAPPING---------
                                                        --------
----- PORT: 992 ACTIVE PROF: CURR CONNS: 1
------------------------------------------------------------
17 OF 17 RECORDS DISPLAYED
The object report can be used to check which USS tables are mapped to which client IDs. The report indicates how many connections are associated with which table, as shown in Example B-15.
Example B-15 Display Telnet OBJECT for SSL information, USS
D TCPIP,TN3270D,T,OBJ,PORT=992,TYPE=USS,DET,MAX=*
EZZ6083I TELNET OBJECT DISPLAY 513
OBJECT     CONNS  CLIENT ID CLIENT ID        ITEM
NAME       USING  TYPE      NAME             SPECIFIC   OPTIONS
---------- ------ --------- ---------------- ---------- --------
USS
 USSTEST1  1      NULL      NULL
                                                        P-------
 USSTEST1  0      DESTIPGRP ADMIN
                                                        P-------
 USSTABEE,
 USSSNAEE  0      DESTIPGRP SHIPPING
                                                        PP------
----- PORT: 992 ACTIVE PROF: CURR CONNS: 1
------------------------------------------------------------
10 OF 10 RECORDS DISPLAYED
For more information, see the verification steps for a Telnet stand-alone task that is described in IBM z/OS V2R2 Communications Server TCP/IP Implementation Volume 2: Standard Applications, SG24-8361.
Other display commands also show the security settings of a secure port. For more information about the available Telnet-related commands and their syntax, see z/OS Communications Server: IP System Administrator's Commands, SC27-3661.
B.2 Advanced AT-TLS configuration using client ID groups
In this scenario, we define client ID object groups for granular control of the connection types the clients should use with a single port (4992). We use the AT-TLS policy to implement the secure connection.
We define dynamic VIPA (DVIPA) addresses that are associated with the client ID groups, which represent the departments (or user groups) with various security requirements. Some of the client ID grouping statements (PARMSGROUP, PARMSMAP) can be integrated into the AT-TLS policy and omitted from the Telnet profile.
This scenario is similar to the scenario that is described in “Advanced native TLS configuration” on page 824. The following client ID groups are defined:
General user: Accesses port 992 on destination 10.1.8.41, which requires no SSL.
Admin: Accesses port 992 on destination 10.1.8.42, which requires plain SSL.
Payroll: Accesses port 992 on destination 10.1.8.43, which requires client authentication.
Shipping: Accesses port 992 on destination 10.1.1.40, which decides at connection time.
The destination addresses that belong to subnet 10.1.8.* are dynamic VIPA addresses defined by the TCP/IP stack. They are not defined as distributed dynamic VIPAs in the stack. The 10.1.1.40 address is the static VIPA address of the TCPIPD stack on SC33.
Figure B-2 shows the environment that we used for this scenario.
Figure B-2 TN3270 with advanced AT-TLS configuration diagram
B.2.1 Implementation tasks
Use the following tasks to configure TN3270 AT-TLS support:
1. Set up the policy agent.
2. Create a certificate.
3. Add authorization for the pasearch command in RACF.
4. Modify TCP/IP profile.
5. Define AT-TLS policies.
6. Upload the policy to z/OS.
7. Modify the policy agent configuration file.
8. Define AT-TLS port in TN3270 configuration file.
Setting up the policy agent
We set up the policy agent as described in 4.2, “Implementing PAGENT on z/OS” on page 101.
Creating a certificate
We continue to use the certificate that was created for native TLS connection security, as described in “Advanced native TLS configuration” on page 824. If you have not created a certificate, follow the instructions in that section.
Adding authorization for the pasearch command in RACF
If users other than superusers must issue the pasearch command, add authorization for it in RACF. Because pasearch is a sensitive command, restrict access to administrators and operators. We set up the RACF authorization as shown in 4.2, “Implementing PAGENT on z/OS” on page 101.
Modifying the TCP/IP profile
To enable AT-TLS in the TCP/IP stack, add the TCPCONFIG TTLS statement to the TCP/IP profile, as shown in Example B-16. To apply the change, restart the TCP/IP stack or use the OBEYFILE command.
Example B-16 Modify TCP/IP profile
TCPCONFIG TTLS
Defining AT-TLS policies
We define AT-TLS connectivity rules for groups that have or might have secure connections, as listed in Table B-1. We do not need to define the policy for the basic (non-secure) connections.
 
Tip: The CONNTYPE statement must be defined in the TN3270 profile. There is no equivalent statement for CONNTYPE in the AT-TLS policy.
Table B-1 Connectivity rules in AT-TLS policy
Connectivity rule name   CONNTYPE in TN3270 profile   Destination IP address   Client authentication
ADMIN_SSLPLAIN           SECURE (default)             10.1.8.42                NONE
PAYROLL_SSLCERT          SECURE (default)             10.1.8.43                SSLCERT (Required)
SHIPPING_UP2USER         ANY                          10.1.1.40                NONE
We use z/OSMF Configuration Assistant and complete the following steps to define AT-TLS policies:
1. Start the IBM Configuration Assistant for z/OS Communications Server. In the Main Perspective window, select the Add a New z/OS image option.
2. Enter the name of the z/OS image (in our case, we use SC33) and click OK.
3. In the Main Perspective window, select the Add New TCP/IP stack option, enter the name of the TCP/IP stack (in our case, we use TCPIPD), and click OK.
4. In the Main Perspective window, select AT-TLS in the z/OS Communications Server technologies list. Click Enable, and then select the Configure option.
5. In the AT-TLS Perspective window, select Reusable Objects → Traffic Descriptors in the left pane.
6. Instead of using the predefined traffic descriptors, click Add to create a traffic descriptor, name it ATTLS_TN3270D_4992, and then click Add, as shown in Figure B-3.
Figure B-3 New Traffic Descriptor window
7. In the New Traffic Type - TCP window, set the local port number to 4992 and the job name to TN3270D. Then, click the Advanced tab, as shown in Figure B-4.
Figure B-4 New Traffic Type window
8. In the New Traffic Type - TCP, Advanced tab, toggle the Application Controlled option to On. Then, click OK.
 
Tip: The TN3270 profile SSL handshake timeout (SSLTIMEOUT) is 5 seconds by default with native TLS support. The AT-TLS handshake timeout is 10 seconds by default. If you want to make them match, specify the AT-TLS handshake timeout parameter.
9. In the New Traffic Descriptor window, click OK. The traffic descriptor we just created is now shown in the list in the New Traffic Descriptor window.
10. Select Reusable Objects → Security Levels on the left pane of the AT-TLS Perspective window. Create the following security levels:
 – No client authentication, to be applied to the ADMIN_SSLPLAIN and SHIPPING_UP2USER rules.
 – Client authentication required, to be applied to the PAYROLL_SSLCERT rule. This level is equivalent to CLIENTAUTH SSLCERT in the TN3270 profile for native TLS support.
11. Click Add to define a security level with no client authentication. In the New Security Level: Name and Type window, enter the name of the security level (we used Gold_NoClientAuth). Click Next.
12. In the New Security Level: Ciphers window, select the Use Only Selected Ciphers option and the Choose Ciphers option. We selected the ciphers 0x0A and 0x2F, which are the same selections as the IBM supplied default AT-TLS_Gold security level that is listed in Table B-2. Then, click Next. The window configuration is shown in Figure B-5 on page 841.
Table B-2 IBM supplied security levels
Security level                                        Type         Entire TLS Version 1/SSL Version 3 cipher suite in preferred order
Permit                                                No security  N/A
AT-TLS_Bronze (Low level of protection)               AT-TLS       0x02 - TLS_RSA_WITH_NULL_SHA
AT-TLS_Silver (Medium level of protection)            AT-TLS       0x09 - TLS_RSA_WITH_DES_CBC_SHA
                                                                   0x0A - TLS_RSA_WITH_3DES_EDE_CBC_SHA
                                                                   0x2F - TLS_RSA_WITH_AES_128_CBC_SHA
AT-TLS_Gold (High level of protection)                AT-TLS       0x0A - TLS_RSA_WITH_3DES_EDE_CBC_SHA
                                                                   0x2F - TLS_RSA_WITH_AES_128_CBC_SHA
AT-TLS_Platinum (Extremely high level of protection)  AT-TLS       0x35 - TLS_RSA_WITH_AES_256_CBC_SHA
Figure B-5 New Security Level - Ciphers window
13. In the New Security Level - Advanced Settings window, click Advanced Settings. In the next window, click the Client Authentication tab. Ensure that No client authentication is selected, and click OK to return to the New Security Level - Advanced Settings window. Click Finish.
14. Define another security level with client authentication required by following the same instructions (step 11 on page 840 - step 13). This time, enter the name Gold_ClientAuthSSLCert for the security level (see step 11 on page 840) and select the Use client authentication option as Required in the Advanced AT-TLS Settings window (see step 13). The window configuration is shown in Figure B-6.
Figure B-6 Advanced AT-TLS Settings window
15. Back in the AT-TLS Perspective window, select Reusable Objects → Requirement Maps in the left pane. You will create two requirement maps that map the traffic descriptors and the security levels.
16. For the first requirement map, click the Add button, and enter a name for the requirement map (we used SSLPLAIN_ReqMap). Then, map the ATTLS_TN3270D_4992 traffic descriptor and the Gold_NoClientAuth security level together. Click OK.
17. For the second requirement map, click the Add button, and enter a name for the requirement map (we used SSLCERT_ReqMap). Then, map the ATTLS_TN3270D_4992 traffic descriptor and the Gold_ClientAuthSSLCert security level together. Click OK.
18. Place all of the defined objects into the connectivity rules. In the AT-TLS Perspective window, select the TCP/IP stack name (TCPIPD, in our case) in the left pane.
19. For the first connectivity rule, click Add. In the New Connectivity Rule: Data Endpoints window, enter the name of the rule (we used ADMIN_SSLPLAIN). Then, define 10.1.8.42 on Local data endpoint, and select All_IPv4_Addresses for the Remote data endpoint. The configuration window is shown in Figure B-7. After you complete the configuration, click Next.
Figure B-7 New Connectivity Rule - Data Endpoints window
20. In the New Connectivity Rule - Select Requirement Map window, click Select an existing requirement map, select what you defined previously (in our case, SSLPLAIN_ReqMap). Click Next. In the next window, click Finish.
21. For the second connectivity rule, use the same procedure as described in step 19 and step 20, with the following parameter differences:
 – Connectivity rule name: PAYROLL_SSLCERT
 – Local data endpoint: 10.1.8.43
 – Remote data endpoint: All_IPv4_Addresses
 – Requirement map: SSLCERT_ReqMap
22. For the third connectivity rule, use the same procedure as described in step 19 on page 842 and step 20 on page 842, with the following parameter differences:
 – Connectivity rule name: SHIPPING_UP2USER
 – Local data endpoint: 10.1.1.40
 – Remote data endpoint: All_IPv4_Addresses
 – Requirement map: SSLPLAIN_ReqMap
23. The AT-TLS Perspective window displays the defined connectivity rule, but it is still Incomplete because the Key Ring is not defined yet. Click the Apply Changes option to save the configuration.
24. In the left pane, select the image name (SC33, in our case). The required AT-TLS Image Level Settings should be displayed.
If they are not displayed, select the Image Level Settings tab in the right pane. Specify the key ring name or the key database name that you created in “Creating a certificate” on page 837.
We specified TCPIP/SharedRing1 in the Key ring is in SAF product field for our example, and clicked OK.
The policy definition is now complete. The connectivity rules defined in the AT-TLS Perspective window are shown in Figure B-8.
Figure B-8 AT-TLS Perspective window with newly defined connectivity rules
The configuration file that is generated by the IBM Configuration Assistant for z/OS Communications Server is shown in Example B-17 on page 844.
Example B-17 AT-TLS policy configuration file
##
## AT-TLS Policy Agent Configuration file for:
## Image: SC33
## Stack: TCPIPD
##
................................................................... Lines deleted
## End of IBM Configuration Assistant information
 
 
TTLSRule ADMIN_SSLPLAIN~1
{
LocalAddrRef addr1
RemoteAddrSetRef addr2
LocalPortRangeRef portR1
RemotePortRangeRef portR2
Jobname TN3270D
Direction Both
Priority 255
TTLSGroupActionRef gAct1~ATTLS_TN3270D_4992
TTLSEnvironmentActionRef eAct1~ATTLS_TN3270D_4992
TTLSConnectionActionRef cAct1~ATTLS_TN3270D_4992
}
TTLSRule PAYROLL_SSLCERT~2
{
LocalAddrRef addr3
RemoteAddrSetRef addr2
LocalPortRangeRef portR1
RemotePortRangeRef portR2
Jobname TN3270D
Direction Both
Priority 254
TTLSGroupActionRef gAct1~ATTLS_TN3270D_4992
TTLSEnvironmentActionRef eAct2~ATTLS_TN3270D_4992
TTLSConnectionActionRef cAct2~ATTLS_TN3270D_4992
}
TTLSRule SHIPPING_UP2USER~3
{
LocalAddrRef addr4
RemoteAddrSetRef addr2
LocalPortRangeRef portR1
RemotePortRangeRef portR2
Jobname TN3270D
Direction Both
Priority 253
TTLSGroupActionRef gAct1~ATTLS_TN3270D_4992
TTLSEnvironmentActionRef eAct1~ATTLS_TN3270D_4992
TTLSConnectionActionRef cAct1~ATTLS_TN3270D_4992
}
TTLSGroupAction gAct1~ATTLS_TN3270D_4992
{
TTLSEnabled On
}
TTLSEnvironmentAction eAct1~ATTLS_TN3270D_4992
{
HandshakeRole Server
EnvironmentUserInstance 0
TTLSKeyringParmsRef keyR~SC33
}
TTLSEnvironmentAction eAct2~ATTLS_TN3270D_4992
{
HandshakeRole ServerWithClientAuth
EnvironmentUserInstance 0
TTLSKeyringParmsRef keyR~SC33
}
TTLSConnectionAction cAct1~ATTLS_TN3270D_4992
{
HandshakeRole Server
TTLSCipherParmsRef cipher1~Gold_NoClientAuth
TTLSConnectionAdvancedParmsRef cAdv1~ATTLS_TN3270D_4992
CtraceClearText Off
Trace 2
}
TTLSConnectionAction cAct2~ATTLS_TN3270D_4992
{
HandshakeRole ServerWithClientAuth
TTLSCipherParmsRef cipher2~Gold_ClientAuthSSLCert
TTLSConnectionAdvancedParmsRef cAdv1~ATTLS_TN3270D_4992
CtraceClearText Off
Trace 2
}
TTLSConnectionAdvancedParms cAdv1~ATTLS_TN3270D_4992
{
ApplicationControlled On
SecondaryMap Off
}
TTLSKeyringParms keyR~SC33
{
Keyring TCPIP/SharedRing1
}
TTLSCipherParms cipher1~Gold_NoClientAuth
{
V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
}
TTLSCipherParms cipher2~Gold_ClientAuthSSLCert
{
V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
}
IpAddr addr1
{
Addr 10.1.8.42
}
IpAddrSet addr2
{
Prefix 0.0.0.0/0
}
IpAddr addr3
{
Addr 10.1.8.43
}
IpAddr addr4
{
Addr 10.1.1.40
}
PortRange portR1
{
Port 4992
}
PortRange portR2
{
Port 1024-65535
}
Uploading the policy to z/OS
To upload the policy to z/OS, complete the following steps:
1. In the IBM Configuration Assistant Navigation Tree pane, AT-TLS perspective, click the small arrow in front of the Stack-TCPIPD, and click Install Configuration Files. Select the TCPIPD policy, and click Select Action → Show Configuration File to view the policy file created. Click Close. Click Select Action → Install.
2. Click Save to disk and specify the following installation file name:
/etc/cfgasst/v1r13/SC33/TCPIPD/tlsPol_client_id_groups
3. Click Go. The following message is displayed:
The save to the file system was successful
Modifying the policy agent configuration file
Example B-18 shows the main configuration file of the policy agent. It defines the stack-specific configuration file name for the TCPIPD stack.
Example B-18 Main configuration file of policy agent
# *****************************************************************
# /SC33/etc/pagent.sc33.conf
# *****************************************************************
TcpImage TCPIPD /etc/pagent.sc33.tcpipd.conf FLUSH PURGE 600
Example B-19 shows the stack-specific configuration file for the TCPIPD stack. Add the TTLSConfig statement that points to the policy configuration file we created.
Example B-19 Stack-specific configuration file of policy agent
# *****************************************************************
# /SC33/etc/pagent.sc33.tcpipd.conf
# *****************************************************************
TTLSConfig /etc/cfgasst/v1r13/SC33/TCPIPD/tlsPol_client_id_groups
Defining AT-TLS port in TN3270 configuration file
To enable AT-TLS security, specify the TTLSPORT statement. In Example B-20, TCP port 4992 is used for accepting the secure connections with AT-TLS.
Example B-20 TELNETPARMS definition for AT-TLS port in TN3270 configuration file
TELNETGLOBALS
TCPIPJOBNAME TCPIPD
TELNETDEVICE IBM-3277 SNX32702,SNX32702
TELNETDEVICE IBM-3278-2-E SNX32702,SNX32702
TELNETDEVICE IBM-3278-2 SNX32702,SNX32702
TELNETDEVICE IBM-3279-2-E SNX32702,SNX32702
TELNETDEVICE IBM-3279-2 SNX32702,SNX32702
TELNETDEVICE IBM-3278-3-E SNX32703,SNX32703
TELNETDEVICE IBM-3278-3 SNX32703,SNX32703
TELNETDEVICE IBM-3279-3-E SNX32703,SNX32703
TELNETDEVICE IBM-3279-3 SNX32703,SNX32703
TELNETDEVICE IBM-3278-4-E SNX32704,SNX32704
TELNETDEVICE IBM-3278-4 SNX32704,SNX32704
TELNETDEVICE IBM-3279-4-E SNX32704,SNX32704
TELNETDEVICE IBM-3279-4 SNX32704,SNX32704
TELNETDEVICE IBM-3278-5-E SNX32705,SNX32705
TELNETDEVICE IBM-3278-5 SNX32705,SNX32705
TELNETDEVICE IBM-3279-5-E SNX32705,SNX32705
TELNETDEVICE IBM-3279-5 SNX32705,SNX32705
ENDTELNETGLOBALS
;
TELNETPARMS
TTLSPORT 4992 1 ;Port 4992 supports AT-TLS secure connections
; KEYRING SAF TCPIP/SharedRing1 2 ; omit - defined in AT-TLS policy
CONNTYPE SECURE 3 ; Default conntype
INACTIVE 0
TIMEMARK 600
SCANINTERVAL 120
FULLDATATRACE
SMFINIT 0 SMFINIT NOTYPE119
SMFTERM 0 SMFTERM TYPE119
SNAEXT
MSG07
LUSESSIONPEND
ENDTELNETPARMS
;
BEGINVTAM
PORT 4992 1
DEFAULTLUS
SC33DT01..SC33DT99
ENDDEFAULTLUS
; ----------------------------------------------------------------------
; This NOSSL group is mapped to use no SSL security. -
; ----------------------------------------------------------------------
PARMSGROUP NOSSL
NOLUSESSIONPEND
CONNTYPE BASIC ; support non-secure, overrides telnetparms
ENDPARMSGROUP
; ----------------------------------------------------------------------
; The SSLPLAIN group is mapped to use SSL security -
; with no Client Authentication required -
; ----------------------------------------------------------------------
; PARMSGROUP SSLPLAIN 4 ; omit - defined in AT-TLS policy
; CONNTYPE SECURE
; ENDPARMSGROUP
; ----------------------------------------------------------------------
; The SSLCERTS group is mapped to use SSL security -
; and to require Client Authentication (certificates) -
; ----------------------------------------------------------------------
; PARMSGROUP SSLCERTS 4 ; omit - defined in AT-TLS policy
; CONNTYPE SECURE
; CLIENTAUTH SSLCERT 2
; ENCRYPT SSL_DES_SHA 2
; SSL_3DES_SHA
; ENDENCRYPT
; ENDPARMSGROUP
; ----------------------------------------------------------------------
; The UP2USER group is mapped to use ANY security (user's choice) -
; with no Client Authentication (no certificates) -
; ----------------------------------------------------------------------
PARMSGROUP UP2USER 5
CONNTYPE ANY ; User chooses secure or non-secure connection
ENDPARMSGROUP
DESTIPGROUP GENERALUSER 10.1.8.41 ENDDESTIPGROUP
; DESTIPGROUP ADMIN 10.1.8.42 ENDDESTIPGROUP ; omit - defined in AT-TLS policy
; DESTIPGROUP PAYROLL 10.1.8.43 ENDDESTIPGROUP ; omit - defined in AT-TLS policy
DESTIPGROUP SHIPPING 10.1.1.40 ENDDESTIPGROUP
 
PARMSMAP NOSSL DESTIPGRP,GENERALUSER
DEFAULTAPPL SC33TS DESTIPGRP,GENERALUSER
; PARMSMAP SSLPLAIN DESTIPGRP,ADMIN ; omit - defined in AT-TLS policy 4
; USSTCP USSTEST1 DESTIPGRP,ADMIN ; omit - defined in AT-TLS policy
; PARMSMAP SSLCERTS DESTIPGRP,PAYROLL ; omit - defined in AT-TLS policy 4
; DEFAULTAPPL CICSCLP0 DESTIPGRP,PAYROLL ; omit - defined in AT-TLS policy
PARMSMAP UP2USER DESTIPGRP,SHIPPING 5
USSTCP USSTABEE,USSSNAEE DESTIPGRP,SHIPPING
USSTCP USSTEST1 ; Default USSTAB
ALLOWAPPL SC3* ; Netview and TSO
ALLOWAPPL NVAS* QSESSION ; session mngr queues back upon CLSDST
ALLOWAPPL TSO* DISCONNECTABLE ; Allow all users access to TSO
ALLOWAPPL * ; Allow all applications that have not been
; previously specified to be accessed.
ENDVTAM
;
TELNETPARMS
PORT 23 ; Port 23 supports basic (non-secure) connections
INACTIVE 0
TIMEMARK 600
SCANINTERVAL 120
FULLDATATRACE
SMFINIT 0 SMFINIT NOTYPE119
SMFTERM 0 SMFTERM TYPE119
SNAEXT
MSG07
LUSESSIONPEND
ENDTELNETPARMS
;
BEGINVTAM
PORT 23
DEFAULTLUS
SC33DB01..SC33DB99
ENDDEFAULTLUS
DEFAULTAPPL SC33TS ; All users go to TSO
ALLOWAPPL SC* ; Netview and TSO
ALLOWAPPL NVAS* QSESSION ; session mngr queues back upon CLSDST
ALLOWAPPL TSO* DISCONNECTABLE ; Allow all users access to TSO
ALLOWAPPL * ; Allow all applications that have not been
; previously specified to be accessed.
ENDVTAM
The numbers in Example B-20 on page 846 correspond to the following information:
1. Port 4992 is used for the AT-TLS secure connection.
2. These security parameters are omitted from the TN3270 profile because they are defined in the policy agent.
3. Default connection type is secure.
4. The PARMSGROUP and PARMSMAP statements for ADMIN and PAYROLL are omitted because they are defined in the policy agent.
5. The PARMSGROUP and PARMSMAP statements for SHIPPING are specified to override the CONNTYPE to ANY.
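To see how the three connectivity rules in Example B-17 and the CONNTYPE settings in Example B-20 combine for a single connection, the following added Python example (not part of this Redbook or of z/OS Communications Server) parses an abridged copy of the policy, selects the highest-priority matching TTLSRule, and then applies the destination group's CONNTYPE the way the TN3270 server does under ApplicationControlled On. The CONNTYPE table, the shortened action names and the NO-RULE outcome are assumptions of the example.

```python
import ipaddress
from collections import defaultdict

# Constructed, abridged copy of the Example B-17 policy: rule names, addresses, ports and
# cipher lists are the page's; action names are shortened and the group, keyring and
# advanced-parms statements are left out (B-17 sets ApplicationControlled On for all three).
POLICY = """
TTLSRule ADMIN_SSLPLAIN~1 { LocalAddrRef addr1 RemoteAddrSetRef addr2 LocalPortRangeRef portR1
  RemotePortRangeRef portR2 Jobname TN3270D Priority 255 TTLSConnectionActionRef cAct1 }
TTLSRule PAYROLL_SSLCERT~2 { LocalAddrRef addr3 RemoteAddrSetRef addr2 LocalPortRangeRef portR1
  RemotePortRangeRef portR2 Jobname TN3270D Priority 254 TTLSConnectionActionRef cAct2 }
TTLSRule SHIPPING_UP2USER~3 { LocalAddrRef addr4 RemoteAddrSetRef addr2 LocalPortRangeRef portR1
  RemotePortRangeRef portR2 Jobname TN3270D Priority 253 TTLSConnectionActionRef cAct1 }
TTLSConnectionAction cAct1 { HandshakeRole Server TTLSCipherParmsRef cipher1 }
TTLSConnectionAction cAct2 { HandshakeRole ServerWithClientAuth TTLSCipherParmsRef cipher2 }
TTLSCipherParms cipher1 { V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA }
TTLSCipherParms cipher2 { V3CipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA }
IpAddr addr1 { Addr 10.1.8.42 }  IpAddr addr3 { Addr 10.1.8.43 }  IpAddr addr4 { Addr 10.1.1.40 }
IpAddrSet addr2 { Prefix 0.0.0.0/0 }
PortRange portR1 { Port 4992 }  PortRange portR2 { Port 1024-65535 }
"""

# Constructed from Example B-20: CONNTYPE in effect per destination IP group. ADMIN and
# PAYROLL have no PARMSGROUP of their own, so the TELNETPARMS default CONNTYPE SECURE applies.
CONNTYPE = {"10.1.8.41": "BASIC",   # GENERALUSER -> PARMSGROUP NOSSL
            "10.1.8.42": "SECURE",  # ADMIN
            "10.1.8.43": "SECURE",  # PAYROLL
            "10.1.1.40": "ANY"}     # SHIPPING -> PARMSGROUP UP2USER

def parse_policy(text):
    """Parse pagent 'Type Name { Key Value ... }' blocks into objects[type][name][key] -> [values]."""
    objects, tokens, i = defaultdict(dict), text.split(), 0
    while i < len(tokens):
        kind, name, attrs = tokens[i], tokens[i + 1], defaultdict(list)
        if tokens[i + 2] != "{":
            raise ValueError(f"expected '{{' after {kind} {name}")
        i += 3
        while tokens[i] != "}":          # every keyword used here takes exactly one value
            attrs[tokens[i]].append(tokens[i + 1])
            i += 2
        objects[kind][name] = attrs
        i += 1
    return objects

def _port_in_range(spec, port):
    lo, _, hi = spec.partition("-")      # "4992" or "1024-65535"
    return int(lo) <= port <= int(hi or lo)

def match_rule(objects, local_ip, local_port, remote_ip, remote_port, jobname="TN3270D"):
    """Name of the highest-priority TTLSRule whose conditions all match, or None."""
    best = None
    for name, rule in objects["TTLSRule"].items():
        local = objects["IpAddr"][rule["LocalAddrRef"][0]]["Addr"][0]
        remote = objects["IpAddrSet"][rule["RemoteAddrSetRef"][0]]["Prefix"][0]
        lport = objects["PortRange"][rule["LocalPortRangeRef"][0]]["Port"][0]
        rport = objects["PortRange"][rule["RemotePortRangeRef"][0]]["Port"][0]
        if (ipaddress.ip_address(local_ip) == ipaddress.ip_address(local)
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(remote)
                and _port_in_range(lport, local_port) and _port_in_range(rport, remote_port)
                and rule["Jobname"][0] == jobname):
            prio = int(rule["Priority"][0])
            if best is None or prio > best[0]:
                best = (prio, name)
    return best[1] if best else None

def describe(objects, local_ip, remote_ip, remote_port, client_starts_tls=True):
    """Combine the rule match with the TN3270 CONNTYPE: with ApplicationControlled On, TN3270
    decides whether a handshake starts, so one TTLSRULE yields SECURE (B-27) or NON-SECURE (B-28)."""
    rule = match_rule(objects, local_ip, 4992, remote_ip, remote_port)
    conntype = CONNTYPE.get(local_ip, "SECURE")
    out = {"rule": rule, "conntype": conntype, "access": "NON-SECURE", "role": None, "ciphers": []}
    if conntype == "BASIC" or (conntype == "ANY" and not client_starts_tls):
        return out                       # no handshake is started, whatever the policy says
    if rule is None:
        out["access"] = "NO-RULE"        # handshake wanted, but no policy covers the connection
        return out
    action = objects["TTLSConnectionAction"][objects["TTLSRule"][rule]["TTLSConnectionActionRef"][0]]
    out.update(access="SECURE", role=action["HandshakeRole"][0],
               ciphers=objects["TTLSCipherParms"][action["TTLSCipherParmsRef"][0]]["V3CipherSuites"])
    return out

if __name__ == "__main__":
    policy = parse_policy(POLICY)
    for dest, tls in (("10.1.8.42", True), ("10.1.8.43", True), ("10.1.1.40", True),
                      ("10.1.1.40", False), ("10.1.8.41", False)):
        print(dest, describe(policy, dest, "10.1.100.224", 1555, tls))
```

The last check worth running is a client whose source port is below 1024: the portR2 range of 1024-65535 leaves such a connection without a rule even though the destination address matches.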
B.2.2 Activation and verification
Complete the following tasks to activate and verify TN3270 AT-TLS support:
1. Start the policy agent.
2. Start the TN3270 server.
3. Display PROF to show profile AT-TLS information.
4. Display the AT-TLS profile using the pasearch command.
5. Display CONN to show connection AT-TLS information.
Starting the policy agent
Start the policy agent to load the AT-TLS policy, as shown in Example B-21. The message at 1 shows that the AT-TLS policy is processed and now in effect.
Example B-21 Starting the policy agent
S PAGENT
$HASP100 PAGENT ON STCINRDR
IEF695I START PAGENT WITH JOBNAME PAGENT IS ASSIGNED TO USER
PAGENT , GROUP TCPGRP
$HASP373 PAGENT STARTED
EZZ8431I PAGENT STARTING
EZZ8432I PAGENT INITIALIZATION COMPLETE
EZZ8771I PAGENT CONFIG POLICY PROCESSING COMPLETE FOR TCPIPD : TTLS 1
If the policy agent is already started, use the F jobname,REFRESH command, as shown in Example B-22. The message at 2 informs you that the AT-TLS policy is loaded (or reloaded).
Example B-22 Refreshing the policy agent
F PAGENT,REFRESH
EZZ8443I PAGENT MODIFY COMMAND ACCEPTED
EZZ8771I PAGENT CONFIG POLICY PROCESSING COMPLETE FOR TCPIPD : TTLS 2
Starting the TN3270 server
Start the TN3270 server, as shown in Example B-23. Ensure that the TN3270 server starts listening on the TTLS port (1).
Example B-23 Starting the TN3270 Server
S TN3270D
$HASP100 TN3270D ON STCINRDR
.....
EZZ6001I TELNET SERVER STARTED
.....
EZZ6003I TELNET LISTENING ON PORT 4992 1
EZZ6003I TELNET LISTENING ON PORT 992
EZZ6003I TELNET LISTENING ON PORT 23
Displaying PROF to show profile AT-TLS information
Verify that the profile is set up correctly, as shown in Example B-24. Use the Display Telnet,Profile command to display the profile.
Example B-24 Telnet Profile Display
D TCPIP,TN3270D,T,PROF,PORT=4992,DET
EZZ6080I TELNET PROFILE DISPLAY 042
PERSIS FUNCTION DIA SECURITY TIMERS MISC
(LMTGCAK)(OATSKTQSWHRT)(DRF)(PCKLECXN2)(IPKPSTS)(SMLT)
------- ------------ --- --------- ------- ----
******* **TSBTQ***RT EC* BB**D**** *P**STS *DD* *DEFAULT
------- -----------T --- --------- ------- ---- *TGLOBAL
-M----- ---S-------- --F TSTTTT--T *---STT S--- *TPARMS
*M***** **TSBTQ***RT ECF TSTTTT**T *P**STT SDD* CURR
SECURITY
TTLSPORT 4992
CONNTYPE SECURE
KEYRING TTLS 1
CRLLDAPSERVER TTLS 1
ENCRYPTION TTLS 1
CLIENTAUTH TTLS 1
NOEXPRESSLOGON
NONACUSERID
SSLV2 TTLS 1
TIMERS
.....
SSLTIMEOUT TTLS 1
.....
KEYRING SAF TCPIP/SharedRing1 2
The numbers in Example B-24 correspond to the following information:
1. The AT-TLS policy is used for security parameters.
2. The key ring name specified in the AT-TLS policy configuration file is applied.
Displaying the AT-TLS profile using the pasearch command
The pasearch command can be used to display the AT-TLS policy configuration, as shown in Example B-25.
Example B-25 pasearch -t display
TCP/IP pasearch CS Image Name: TCPIPD
TTLS Instance Id: 1227199614
policyRule: sc33_to_world~1
Rule Type: TTLS
Version: 3 Status: Active
Weight: 255 ForLoadDist: False
Priority: 255 Sequence Actions: Don't Care
No. Policy Action: 3
policyAction: gAct1
ActionType: TTLS Group
Action Sequence: 0
policyAction: eAct1
ActionType: TTLS Environment
Action Sequence: 0
........................................................................ Lines deleted
TTLS Action: gAct1
Version: 3
Status: Active
Scope: Group
TTLSEnabled: On
CtraceClearText: Off
Trace: 2
TTLSGroupAdvancedParms:
SecondaryMap: Off
SyslogFacility: Daemon
Policy created: Thu Nov 20 11:46:54 2008
Policy updated: Thu Nov 20 11:46:54 2008
........................................................................ Lines deleted
TTLS Action: eAct1
Version: 3
Status: Active
Scope: Environment
HandshakeRole: Server
TTLSKeyringParms:
Keyring: TCPIP/SharedRing1
TTLSEnvironmentAdvancedParms:
SSLv2: Off
SSLv3: On
TLSv1: On
ApplicationControlled: Off
HandshakeTimeout: 10
ClientAuthType: Required
ResetCipherTimer: 0
EnvironmentUserInstance: 0
Policy created: Thu Nov 20 11:46:54 2008
Policy updated: Thu Nov 20 11:46:54 2008
........................................................................ Lines deleted
policyRule: ADMIN_SSLPLAIN~2
Rule Type: TTLS
Version: 3 Status: Active
Weight: 254 ForLoadDist: False
Priority: 254 Sequence Actions: Don't Care
No. Policy Action: 3
policyAction: gAct1
ActionType: TTLS Group
Action Sequence: 0
policyAction: eAct1
ActionType: TTLS Environment
Action Sequence: 0
policyAction: cAct2~ATTLS_TN3270D_4992
ActionType: TTLS Connection
Action Sequence: 0
........................................................................ Lines deleted
TTLS Condition Summary: NegativeIndicator: Off
Local Address:
FromAddr: 10.1.8.42
ToAddr: 10.1.8.42
Remote Address:
FromAddr: All
ToAddr: All
LocalPortFrom: 4992 LocalPortTo: 4992
RemotePortFrom: 1024 RemotePortTo: 65535
JobName: TN3270D UserId:
ServiceDirection: Both
Policy created: Thu Nov 20 11:46:54 2008
Policy updated: Thu Nov 20 11:46:54 2008
........................................................................ Lines deleted
policyRule: PAYROLL_SSLCERT~3
Rule Type: TTLS
Version: 3 Status: Active
Weight: 253 ForLoadDist: False
Priority: 253 Sequence Actions: Don't Care
No. Policy Action: 3
policyAction: gAct1
ActionType: TTLS Group
Action Sequence: 0
policyAction: eAct2~ATTLS_TN3270D_4992
ActionType: TTLS Environment
Action Sequence: 0
policyAction: cAct3~ATTLS_TN3270D_4992
ActionType: TTLS Connection
Action Sequence: 0
........................................................................ Lines deleted
TTLS Condition Summary: NegativeIndicator: Off
Local Address:
FromAddr: 10.1.8.43
ToAddr: 10.1.8.43
Remote Address:
FromAddr: All
ToAddr: All
LocalPortFrom: 4992 LocalPortTo: 4992
RemotePortFrom: 1024 RemotePortTo: 65535
JobName: TN3270D UserId:
ServiceDirection: Both
Policy created: Thu Nov 20 11:46:54 2008
Policy updated: Thu Nov 20 11:46:54 2008
........................................................................ Lines deleted
TTLS Action: eAct2~ATTLS_TN3270D_4992
Version: 3
Status: Active
Scope: Environment
HandshakeRole: ServerWithClientAuth
TTLSKeyringParms:
Keyring: TCPIP/SharedRing1
TTLSEnvironmentAdvancedParms:
SSLv2: Off
SSLv3: On
TLSv1: On
ApplicationControlled: Off
HandshakeTimeout: 10
ClientAuthType: Required
ResetCipherTimer: 0
EnvironmentUserInstance: 0
Policy created: Thu Nov 20 11:46:54 2008
Policy updated: Thu Nov 20 11:46:54 2008
TTLS Action: cAct3~ATTLS_TN3270D_4992
Version: 3
Status: Active
Scope: Connection
HandshakeRole: ServerWithClientAuth
CtraceClearText: Off
Trace: 2
TTLSConnectionAdvancedParms:
SecondaryMap: Off
ApplicationControlled: On
HandshakeTimeout: 10
ResetCipherTimer: 0
TTLSCipherParms:
v3CipherSuites:
0A TLS_RSA_WITH_3DES_EDE_CBC_SHA
2F TLS_RSA_WITH_AES_128_CBC_SHA
Policy created: Thu Nov 20 11:46:54 2008
Policy updated: Thu Nov 20 11:46:54 2008
policyRule: SHIPPING_UP2USER~4
Rule Type: TTLS
Version: 3 Status: Active
Weight: 252 ForLoadDist: False
Priority: 252 Sequence Actions: Don't Care
No. Policy Action: 3
policyAction: gAct1
ActionType: TTLS Group
Action Sequence: 0
policyAction: eAct1
ActionType: TTLS Environment
Action Sequence: 0
policyAction: cAct2~ATTLS_TN3270D_4992
ActionType: TTLS Connection
Action Sequence: 0
........................................................................ Lines deleted
Local Address:
FromAddr: 10.1.1.40
ToAddr: 10.1.1.40
Remote Address:
FromAddr: All
ToAddr: All
LocalPortFrom: 4992 LocalPortTo: 4992
RemotePortFrom: 1024 RemotePortTo: 65535
JobName: TN3270D UserId:
ServiceDirection: Both
Policy created: Thu Nov 20 11:46:54 2008
Policy updated: Thu Nov 20 11:46:54 2008
........................................................................ Lines deleted
TTLS Action: cAct2~ATTLS_TN3270D_4992
Version: 3
Status: Active
Scope: Connection
HandshakeRole: Server
CtraceClearText: Off
Trace: 2
TTLSConnectionAdvancedParms:
SecondaryMap: Off
ApplicationControlled: On
HandshakeTimeout: 10
ResetCipherTimer: 0
TTLSCipherParms:
v3CipherSuites:
0A TLS_RSA_WITH_3DES_EDE_CBC_SHA
2F TLS_RSA_WITH_AES_128_CBC_SHA
Policy created: Thu Nov 20 11:46:54 2008
Policy updated: Thu Nov 20 11:46:54 2008
Displaying CONN to show connection AT-TLS information
We used IBM Personal Communications V5.7 to establish a secure session. Because we used a self-signed certificate, we downloaded and installed the certificate of the certificate authority into Personal Communications. We defined a Personal Communications connection profile for the AT-TLS connection with exactly the same security parameters that we defined for the TN3270 native TLS secure connection.
The client group with destination IP address 10.1.8.42 was defined as CONNTYPE SECURE (default) and supported only secure connections. Example B-26 shows a secure connection using destination IP address 10.1.8.42.
Example B-26 TLS secure connection using port 4992 and destination IP address 10.1.8.42
D TCPIP,TN3270D,T,CONN
EZZ6064I TELNET CONNECTION DISPLAY 002
EN TSP
CONN TY IPADDR..PORT LUNAME APPLID PTR LOGMODE
-------- -- ---------------------- -------- -------- --- --------
000099CB 0A ::FFFF:10.1.100.224..1555
SC33DT02 SC33TS06 TAE SNX32702
----- PORT: 4992 1 ACTIVE PROF: CURR CONNS: 1
------------------------------------------------------------
4 OF 4 RECORDS DISPLAYED
 
D TCPIP,TN3270D,T,CONN,CONN=99CB,DET
EZZ6065I TELNET CONNECTION DISPLAY 004
CLIENT IDENTIFIER FOR CONN: 000099CB SECLABEL: **N/A**
CLIENTAUTH USERID: **N/A**
HOSTNAME: NO HOSTNAME
CLNTIP..PORT: ::FFFF:10.1.100.224..1555
DESTIP..PORT: ::FFFF:10.1.8.42..4992 1
LINKNAME: VIPL0A01082A
PORT: 4992 QUAL: NONE
AFFINITY: TCPIPD
STATUS: ACTIVE TTLSSECURE ACCESS: SECURE 0A TLSV1 2
TTLSRULE: ADMIN_SSLPLAIN~1 3
TTLSGRPACTION: gAct1~ATTLS_TN3270D_4992
TTLSENVACTION: eAct1~ATTLS_TN3270D_4992
TTLSCONNACTION: cAct1~ATTLS_TN3270D_4992
PROTOCOL: TN3270E DEVICETYPE: IBM-3278-2-E
TYPE: TERMINAL GENERIC
OPTIONS: ETET---- 3270E FUNCTIONS: BSR----
NEWENV FUNCTIONS: --
LUNAME: SC33DT02
APPL: SC33TS06
USERIDS RESTRICTAPPL: **N/A** EXPRESSLOGON: **N/A**
LOGMODES TN REQUESTED: SNX32702 APPL SPECIFIED: SNX32702
MAPPING TYPE: CONN IDENTIFIER
OBJECT ITEM SPECIFIC OPTIONS
LUMAP GEN: NL (NULL)
>*DEFLUS* --------
DEFLT APPL: **N/A**
USS TABLE: NL (NULL)
>USSTEST1 P-------
INT TABLE: **N/A**
PARMS:
PERSIS FUNCTION DIA SECURITY TIMERS MISC
(LMTGCAK)(OATSKTQSWHRT)(DRF)(PCKLECXN2)(IPKPSTS)(SMLT)
------- ------------ --- --------- ------- ----
******* **TSBTQ***RT EC* BB**D**** *P**STS *DD* *DEFAULT
------- -----------T --- --------- ------- ---- *TGLOBAL
-M----- ---S-------- --F TSTTTT--T *---STT S--- *TPARMS
*M***** **TSBTQ***RT ECF TSTTTT**T *P**STT SDD* TP-CURR
*M***** **TSBTQ***RT ECF TSTTTT**T *P**STT SDD* <-FINAL 4
39 OF 39 RECORDS DISPLAYED
The numbers in Example B-26 on page 854 correspond to the following information:
1. AT-TLS port 4992 is used.
2. The connection is secure and uses cipher 0A (TLS_RSA_WITH_3DES_EDE_CBC_SHA).
3. The connection used the ADMIN_SSLPLAIN connectivity rule.
4. The security parameters were specified in the AT-TLS policy.
The client ID group with destination IP address 10.1.1.40 was defined with CONNTYPE ANY and supports both secure and non-secure connections. Example B-27 shows a secure connection with a client requesting TLS that is destined to IP address 10.1.1.40.
Example B-27 TLS secure connection using port 4992, destination IP address 10.1.1.40
D TCPIP,TN3270D,T,CONN
EZZ6064I TELNET CONNECTION DISPLAY 017
EN TSP
CONN TY IPADDR..PORT LUNAME APPLID PTR LOGMODE
-------- -- ---------------------- -------- -------- --- --------
000099D8 0A ::FFFF:10.1.100.224..1672
SC33DT03 SC33TS06 TAE SNX32702
----- PORT: 4992 1 ACTIVE PROF: CURR CONNS: 1
------------------------------------------------------------
4 OF 4 RECORDS DISPLAYED
 
D TCPIP,TN3270D,T,CONN,CONN=99D8,DET
EZZ6065I TELNET CONNECTION DISPLAY 025
CLIENT IDENTIFIER FOR CONN: 000099D8 SECLABEL: **N/A**
CLIENTAUTH USERID: **N/A**
HOSTNAME: NO HOSTNAME
CLNTIP..PORT: ::FFFF:10.1.100.224..1672
DESTIP..PORT: ::FFFF:10.1.1.40..4992 1
LINKNAME: VIPA1L
PORT: 4992 QUAL: NONE
AFFINITY: TCPIPD
STATUS: ACTIVE TTLSSECURE ACCESS: SECURE 0A TLSV1 2
TTLSRULE: SHIPPING_UP2USER~3 3
TTLSGRPACTION: gAct1~ATTLS_TN3270D_4992
TTLSENVACTION: eAct1~ATTLS_TN3270D_4992
TTLSCONNACTION: cAct1~ATTLS_TN3270D_4992
PROTOCOL: TN3270E DEVICETYPE: IBM-3278-2-E
TYPE: TERMINAL GENERIC
OPTIONS: ETET---- 3270E FUNCTIONS: BSR----
NEWENV FUNCTIONS: --
LUNAME: SC33DT03
APPL: SC33TS06
USERIDS RESTRICTAPPL: **N/A** EXPRESSLOGON: **N/A**
LOGMODES TN REQUESTED: SNX32702 APPL SPECIFIED: SNX32702
MAPPING TYPE: CONN IDENTIFIER
OBJECT ITEM SPECIFIC OPTIONS
LUMAP GEN: NL (NULL)
>*DEFLUS* --------
DEFLT APPL: **N/A**
USS TABLE: DG SHIPPING
USSTABEE,>USSSNAEE PP------
INT TABLE: **N/A**
PARMS:
PERSIS FUNCTION DIA SECURITY TIMERS MISC
(LMTGCAK)(OATSKTQSWHRT)(DRF)(PCKLECXN2)(IPKPSTS)(SMLT)
------- ------------ --- --------- ------- ----
******* **TSBTQ***RT EC* BB**D**** *P**STS *DD* *DEFAULT
------- -----------T --- --------- ------- ---- *TGLOBAL
-M----- ---S-------- --F TSTTTT--T *---STT S--- *TPARMS
*M***** **TSBTQ***RT ECF TSTTTT**T *P**STT SDD* TP-CURR
PARMSGROUP: DG SHIPPING
L------ ------------ --- -A------- ------- ---- UP2USER
LM***** **TSBTQ***RT ECF TATTTT**T *P**STT SDD* <-FINAL 4
41 OF 41 RECORDS DISPLAYED
The numbers in Example B-27 on page 855 correspond to the following information:
1. AT-TLS port 4992 is used.
2. The connection is secure and uses cipher 0A (TLS_RSA_WITH_3DES_EDE_CBC_SHA).
3. The connection used the SHIPPING_UP2USER connectivity rule.
4. The security parameters were specified in the AT-TLS policy.
Example B-28 shows a non-secure connection with a client requesting no security that is destined to IP address 10.1.1.40.
Example B-28 TLS non-secure connection using port 4992, destination IP address 10.1.1.40
D TCPIP,TN3270D,T,CONN
EZZ6064I TELNET CONNECTION DISPLAY 031
EN TSP
CONN TY IPADDR..PORT LUNAME APPLID PTR LOGMODE
-------- -- ---------------------- -------- -------- --- --------
000099E6 ::FFFF:10.1.100.224..1777
SC33DT04 SC33TS06 TAE SNX32702
----- PORT: 4992 1 ACTIVE PROF: CURR CONNS: 1
------------------------------------------------------------
4 OF 4 RECORDS DISPLAYED
 
D TCPIP,TN3270D,T,CONN,CONN=99E6,DET
EZZ6065I TELNET CONNECTION DISPLAY 033
CLIENT IDENTIFIER FOR CONN: 000099E6 SECLABEL: **N/A**
CLIENTAUTH USERID: **N/A**
HOSTNAME: NO HOSTNAME
CLNTIP..PORT: ::FFFF:10.1.100.224..1777
DESTIP..PORT: ::FFFF:10.1.1.40..4992 1
LINKNAME: VIPA1L
PORT: 4992 QUAL: NONE
AFFINITY: TCPIPD
STATUS: ACTIVE TTLSSECURE ACCESS: NON-SECURE 2
TTLSRULE: SHIPPING_UP2USER~3 3
TTLSGRPACTION: gAct1~ATTLS_TN3270D_4992
TTLSENVACTION: eAct1~ATTLS_TN3270D_4992
TTLSCONNACTION: cAct1~ATTLS_TN3270D_4992
PROTOCOL: TN3270E DEVICETYPE: IBM-3278-2-E
TYPE: TERMINAL GENERIC
OPTIONS: ETET---- 3270E FUNCTIONS: BSR----
NEWENV FUNCTIONS: --
LUNAME: SC33DT04
APPL: SC33TS06
USERIDS RESTRICTAPPL: **N/A** EXPRESSLOGON: **N/A**
LOGMODES TN REQUESTED: SNX32702 APPL SPECIFIED: SNX32702
MAPPING TYPE: CONN IDENTIFIER
OBJECT ITEM SPECIFIC OPTIONS
LUMAP GEN: NL (NULL)
>*DEFLUS* --------
DEFLT APPL: **N/A**
USS TABLE: DG SHIPPING
USSTABEE,>USSSNAEE PP------
INT TABLE: **N/A**
PARMS:
PERSIS FUNCTION DIA SECURITY TIMERS MISC
(LMTGCAK)(OATSKTQSWHRT)(DRF)(PCKLECXN2)(IPKPSTS)(SMLT)
------- ------------ --- --------- ------- ----
******* **TSBTQ***RT EC* BB**D**** *P**STS *DD* *DEFAULT
------- -----------T --- --------- ------- ---- *TGLOBAL
-M----- ---S-------- --F TSTTTT--T *---STT S--- *TPARMS
*M***** **TSBTQ***RT ECF TSTTTT**T *P**STT SDD* TP-CURR
PARMSGROUP: DG SHIPPING
L------ ------------ --- -A------- ------- ---- UP2USER
LM***** **TSBTQ***RT ECF TATTTT**T *P**STT SDD* <-FINAL 4
41 OF 41 RECORDS DISPLAYED
The numbers in Example B-28 correspond to the following information:
1. AT-TLS port 4992 was used.
2. The connection was non-secure.
3. The connection used the SHIPPING_UP2USER connectivity rule.
4. The security parameters were specified in the AT-TLS policy (not applicable in this case).