In order to use SSL for TSO access follow a procedure similar to the one below.
First define a Certificate in RACF.
//* +--------------------------------------------------------------+
//* | DEFINE DIGITAL CERTIFICATES |
//* +--------------------------------------------------------------+
//GROUPS EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTERM DD DUMMY
//SYSTSIN DD *
PROF MSGID WTPMSG
/* CREATE SELF SIGNED CERTIFICATE */
RACDCERT ID(TCPSTC) -
GENCERT SUBJECTSDN(CN('some.name')) -
SIZE(1024) -
WITHLABEL('TN3270 SERVER SELF SIGNED CERT')
RACDCERT ID(TCPSTC) -
ADDRING(TN3270.SELFSIGNED.CERTIFICATE)
RACDCERT ID(TCPSTC) -
CONNECT(LABEL('TN3270 SERVER SELF SIGNED CERT') -
RING(TN3270.SELFSIGNED.CERTIFICATE) -
DEFAULT)
/* GIVE ACCESS TO NEW FACILITY CLASSES */
PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(TCPSTC) ACC(CONTROL)
PERMIT IRR.DIGTCERT.ADDRING CLASS(FACILITY) ID(TCPSTC) ACC(CONTROL)
PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(TCPSTC) ACC(CONTROL)
PERMIT IRR.DIGTCERT.DELETE CLASS(FACILITY) ID(TCPSTC) ACC(CONTROL)
PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(TCPSTC) ACC(CONTROL)
PERMIT IRR.DIGTCERT.GENREQ CLASS(FACILITY) ID(TCPSTC) ACC(CONTROL)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(TCPSTC) ACC(CONTROL)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(TCPSTC) ACC(CONTROL)
PERMIT IRR.DIGTCERT.REMOVE CLASS(FACILITY) ID(TCPSTC) ACC(CONTROL)
SETR RACLIST(FACILITY) REFRESH
/*
(assumes TCPIP is running under user TCPSTC)
Amend the TCPIP profile as follows to leave port 23 for non-SSL and defining port 9923 for SSL.
Eventually switching over after testing...
; ***********************************************************
; * Use these blocks to replace TELNETPARMS and add a *
; * TELNETGLOBALS block *
; * Add the following to the PORT list: *
; * 9923 TCP INTCLIEN ; Telnet 3270 Server *
; * Change the following port after BEGINVTAM *
; * Port 23 9923 *
; * To swap SSL ports 23 <-> 9923 change the port and *
; * secureport values in the TELNETPARMS blocks *
; ***********************************************************
; ---------------------------------------------------------------------
; Configure Telnet - Telnet Global Parms
; ---------------------------------------------------------------------
;
TELNETGLOBALS
TELNETDEVICE 3278-3-E NSX32703 ; 32 line screen -
; default of NSX32702 is 24
TELNETDEVICE 3279-3-E NSX32703 ; 32 line screen -
; default of NSX32702 is 24
TELNETDEVICE 3278-4-E NSX32704 ; 48 line screen -
; default of NSX32702 is 24
TELNETDEVICE 3279-4-E NSX32704 ; 48 line screen -
; default of NSX32702 is 24
TELNETDEVICE 3278-5-E NSX32705 ; 132 column screen-
; default of NSX32702 is 80
TELNETDEVICE 3279-5-E NSX32705 ; 132 column screen -
; default of NSX32702 is 80
LUSESSIONPEND ; On termination of a Telnet server connection,
; the user will revert to the DEFAULTAPPL
; instead of having the connection dropped
MSG07 ; Sends a USS error message to the client if an
; error occurs during session establishment
; instead of dropping the connection
CodePage ISO8859-1 IBM-1047 ; Linemode ASCII, EBCDIC code pages
Inactive 0 ; Let connections stay around
PrtInactive 0 ; Let connections stay around
TimeMark 600
ScanInterval 120
; SMFinit std
; SMFterm std
; Define logon mode tables to be the defaults shipped with the
; latest level of VTAM
ENDTELNETGLOBALS
;
; ---------------------------------------------------------------------
; Configure Telnet - NO SSL
; ---------------------------------------------------------------------
TelnetParms
Port 23 ; Port number 23 (std.)
WLMClusterName
TN3270E
EndWLMClusterName
EndTelnetParms
;
; ---------------------------------------------------------------------
; Configure Telnet - SSL
; ---------------------------------------------------------------------
TelnetParms
SECUREPORT 9923 ; SSL PORT NUMBER 9923
KEYRING SAF TN3270.SELFSIGNED.CERTIFICATE
CONNTYPE SECURE
CLIENTAUTH NONE
ENCRYPT
SSL_DES_SHA
ENDENCRYPT
WLMClusterName
TN3270E
EndWLMClusterName
EndTelnetParms
;
Point your 3270 emulator at port 9923 and change encryption from "none" to "SSL v3.0" or equivalent.