Networking

Network-related material

SSL for TSO logon

In order to use SSL for TSO access follow a procedure similar to the one below.

First define a certificate in RACF.
//* +--------------------------------------------------------------+
//* |                 DEFINE DIGITAL CERTIFICATES                  |
//* +--------------------------------------------------------------+
//GROUPS   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTERM  DD DUMMY
//SYSTSIN  DD *
 PROF MSGID WTPMSG
 /* CREATE SELF SIGNED CERTIFICATE                                  */
 /* (TSO commands and comments start in column 2 so that a comment */
 /*  line is not read by JCL as the /* end of the SYSTSIN data)     */
 RACDCERT ID(TCPSTC) -
   GENCERT SUBJECTSDN(CN('some.name')) -
   SIZE(1024) -
   WITHLABEL('TN3270 SERVER SELF SIGNED CERT')
 RACDCERT ID(TCPSTC) -
   ADDRING(TN3270.SELFSIGNED.CERTIFICATE)
 RACDCERT ID(TCPSTC) -
   CONNECT(LABEL('TN3270 SERVER SELF SIGNED CERT') -
   RING(TN3270.SELFSIGNED.CERTIFICATE) -
   DEFAULT)
 /* GIVE ACCESS TO NEW FACILITY CLASSES                             */
 PERMIT IRR.DIGTCERT.ADD      CLASS(FACILITY) ID(TCPSTC) ACC(CONTROL)
 PERMIT IRR.DIGTCERT.ADDRING  CLASS(FACILITY) ID(TCPSTC) ACC(CONTROL)
 PERMIT IRR.DIGTCERT.CONNECT  CLASS(FACILITY) ID(TCPSTC) ACC(CONTROL)
 PERMIT IRR.DIGTCERT.DELETE   CLASS(FACILITY) ID(TCPSTC) ACC(CONTROL)
 PERMIT IRR.DIGTCERT.GENCERT  CLASS(FACILITY) ID(TCPSTC) ACC(CONTROL)
 PERMIT IRR.DIGTCERT.GENREQ   CLASS(FACILITY) ID(TCPSTC) ACC(CONTROL)
 PERMIT IRR.DIGTCERT.LIST     CLASS(FACILITY) ID(TCPSTC) ACC(CONTROL)
 PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(TCPSTC) ACC(CONTROL)
 PERMIT IRR.DIGTCERT.REMOVE   CLASS(FACILITY) ID(TCPSTC) ACC(CONTROL)
 SETR RACLIST(FACILITY) REFRESH
/*
(assumes TCPIP is running under user TCPSTC)

Amend the TCPIP profile as follows, leaving port 23 for non-SSL connections and defining port 9923 for SSL.
Once testing is complete the two ports can be swapped over so that the standard port becomes the secure one.
; ***********************************************************
; * Use these blocks to replace TELNETPARMS and add a       *
; * TELNETGLOBALS block                                     *
; * Add the following to the PORT list:                     *
; *   9923 TCP INTCLIEN          ; Telnet 3270 Server       *
; * Change the following port after BEGINVTAM               *
; *   Port 23 9923                                          *
; * To swap SSL ports 23 <-> 9923 change the port and       *
; * secureport values in the TELNETPARMS blocks             *
; ***********************************************************
; ---------------------------------------------------------------------
; Configure Telnet - Telnet Global Parms
; ---------------------------------------------------------------------
;
TELNETGLOBALS
  TELNETDEVICE 3278-3-E NSX32703    ; 32 line screen -
                                    ; default of NSX32702 is 24
  TELNETDEVICE 3279-3-E NSX32703    ; 32 line screen -
                                    ; default of NSX32702 is 24
  TELNETDEVICE 3278-4-E NSX32704    ; 48 line screen -
                                    ; default of NSX32702 is 24
  TELNETDEVICE 3279-4-E NSX32704    ; 48 line screen -
                                    ; default of NSX32702 is 24
  TELNETDEVICE 3278-5-E NSX32705    ; 132 column screen -
                                    ; default of NSX32702 is 80
  TELNETDEVICE 3279-5-E NSX32705    ; 132 column screen -
                                    ; default of NSX32702 is 80
  LUSESSIONPEND                     ; On termination of a Telnet server connection,
                                    ; the user will revert to the DEFAULTAPPL
                                    ; instead of having the connection dropped
  MSG07                             ; Sends a USS error message to the client if an
                                    ; error occurs during session establishment
                                    ; instead of dropping the connection
  CodePage ISO8859-1 IBM-1047       ; Linemode ASCII, EBCDIC code pages
  Inactive 0                        ; Let connections stay around
  PrtInactive 0                     ; Let connections stay around
  TimeMark 600
  ScanInterval 120
; SMFinit std
; SMFterm std
; Define logon mode tables to be the defaults shipped with the
; latest level of VTAM
ENDTELNETGLOBALS
;
; ---------------------------------------------------------------------
; Configure Telnet - NO SSL
; ---------------------------------------------------------------------
TelnetParms
  Port 23                           ; Port number 23 (std.)
  WLMClusterName
    TN3270E
  EndWLMClusterName
EndTelnetParms
;
; ---------------------------------------------------------------------
; Configure Telnet - SSL
; ---------------------------------------------------------------------
TelnetParms
  SECUREPORT 9923                   ; SSL PORT NUMBER 9923
  KEYRING SAF TN3270.SELFSIGNED.CERTIFICATE
  CONNTYPE SECURE
  CLIENTAUTH NONE
  ENCRYPTION                        ; cipher list block is ENCRYPTION/ENDENCRYPTION
    SSL_DES_SHA
  ENDENCRYPTION
  WLMClusterName
    TN3270E
  EndWLMClusterName
EndTelnetParms
;

Point your 3270 emulator at port 9923 and change encryption from "none" to "SSL v3.0" or equivalent.
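
As an added example (not code from the original page), a small Python check to run over the two TELNETPARMS blocks above before cutting TSO logons over: it parses the profile excerpt, reports the port that still accepts plaintext TN3270, a SECUREPORT that has no KEYRING to present a certificate from, and any cipher in the ENCRYPTION list that an assumed site policy (NULL, export-grade and single-DES suites) treats as weak. The profile text is a constructed excerpt of the blocks above and the weak-cipher rule is an assumption, not anything the TN3270 server enforces.

```python
import re
# Constructed excerpt of the two TELNETPARMS blocks from the profile above.
PROFILE = """\
TelnetParms
  Port 23                  ; Port number 23 (std.)
EndTelnetParms
TelnetParms
  SECUREPORT 9923          ; SSL PORT NUMBER 9923
  KEYRING SAF TN3270.SELFSIGNED.CERTIFICATE
  ENCRYPTION
    SSL_DES_SHA
  ENDENCRYPTION
EndTelnetParms
"""
# Assumed site policy: NULL, export-grade (_EX) and single-DES suites count as weak.
WEAK = re.compile(r"NULL|_EX$|^SSL_DES_", re.IGNORECASE)

def parse_telnetparms(profile):
    # One dict per TELNETPARMS block: port, secure flag, keyring, cipher list.
    blocks, blk, in_enc = [], None, False
    for raw in profile.splitlines():
        toks = raw.split(";", 1)[0].split()          # ';' starts a comment
        kw = toks[0].upper() if toks else ""         # keywords are case-insensitive
        if kw == "TELNETPARMS":
            blocks.append(blk := {"port": None, "secure": False, "keyring": None, "ciphers": []})
        elif blk is None:
            continue                                 # outside any block
        elif kw == "ENDTELNETPARMS":
            blk = None
        elif kw in ("PORT", "SECUREPORT"):
            blk["port"], blk["secure"] = int(toks[1]), kw == "SECUREPORT"
        elif kw == "KEYRING":
            blk["keyring"] = " ".join(toks[1:])     # ring names are case-sensitive
        elif kw in ("ENCRYPTION", "ENDENCRYPTION"):
            in_enc = kw == "ENCRYPTION"
        elif in_enc:
            blk["ciphers"].extend(toks)              # one cipher name per line, as above
    return blocks

def lint(profile):
    # Findings to clear before TSO logons are cut over to the secure port.
    out = []
    for b in parse_telnetparms(profile):
        if not b["secure"]:
            out.append(f"port {b['port']}: plaintext TN3270, TSO logon credentials cross the network in clear")
        elif not b["keyring"]:
            out.append(f"port {b['port']}: SECUREPORT without KEYRING, no server certificate to present")
        else:
            out += [f"port {b['port']}: weak cipher {c} in ENCRYPTION list" for c in b["ciphers"] if WEAK.search(c)]
    return out
```

Run `lint(PROFILE)` against the real PROFILE.TCPIP text; an empty list means every TELNETPARMS block is a SECUREPORT with a ring and no flagged ciphers, which is the state to reach after the 23 <-> 9923 swap.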

SSL with CPSM

Documentation says:

"Ensure that the CICS region has access to the z/OS™ system SSL library SGSKLOAD by means of the STEPLIB or JOBLIB statements, or by using the system link library, as appropriate."

This library no longer exists, so don't worry about that step.

Create the RACF definitions.

Define the new FACILITY class profiles as appropriate:

  • RDEFINE FACILITY IRR.DIGTCERT.ADD UACC(NONE)
  • RDEFINE FACILITY IRR.DIGTCERT.ADDRING UACC(NONE)
  • RDEFINE FACILITY IRR.DIGTCERT.CONNECT UACC(NONE)
  • RDEFINE FACILITY IRR.DIGTCERT.DELETE UACC(NONE)
  • RDEFINE FACILITY IRR.DIGTCERT.GENCERT UACC(NONE)
  • RDEFINE FACILITY IRR.DIGTCERT.GENREQ UACC(NONE)
  • RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
  • RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
  • RDEFINE FACILITY IRR.DIGTCERT.REMOVE UACC(NONE)
  • SETR RACLIST(FACILITY) REFRESH

Give access to the new FACILITY class profiles:

  • PERMIT IRR.DIGTCERT.* CLASS(FACILITY) ID(CICSUSER) ACC(READ)
  • PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(CICSUSER) ACC(CONTROL)
  • PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(CICSUSER) ACC(CONTROL)
  • PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(CICSUSER) ACC(CONTROL)
  • SETR RACLIST(FACILITY) REFRESH
  • SETR RACLIST(DIGTCERT DIGTRING) REFRESH

Execute DFH£RING:

  EX 'SYS1.CICSTS31.SETA.SDFHSAMP(DFH£RING)' +
     'CICS GUI wuiservername FORUSER(CICSUSER)'

Create the self-signed certificate:

  RACDCERT ID(CICSUSER) -
    GENCERT SUBJECTSDN(CN('CICSWEB.Acme.CO.UK')) -
    SIZE(1024) -
    WITHLABEL('CICSWEB SERVER SELF SIGNED CERT')
  RACDCERT ID(CICSUSER) -
    ADDRING(CICSWEB.SELFSIGNED.CERTIFICATE)
  RACDCERT ID(CICSUSER) -
    CONNECT(LABEL('CICSWEB SERVER SELF SIGNED CERT') -
    RING(CICSWEB.SELFSIGNED.CERTIFICATE) -
    DEFAULT)

Minimum SIT parm change: add KEYRING=Cics.Gui (note: case sensitive), then set

  • TCPIPHOSTNAME(10.194.101.71)
  • TCPIPPORT(1951)
  • TCPIPSSL(YES)
  • TCPIPSSLCERT(GUI-WEB-SERVER) <-- MUST be uppercase apparently

Remember to use https://.... when attempting to access the WUI.

VIPA notes

In the sysplex each z/OS image has an IP address for each OSA and a static VIPA address for the image.

A dynamic VIPA address will route users to either side of the plex.

To get to either image, use the dynamic VIPA address; a failure on either side routes the user to the other side, although they may need to log on again.

To get to a specific side, use its static VIPA; if an OSA fails, traffic routes via the other OSA.

To get to a specific OSA use its IP address explicitly.

OSPF via OMPROUTE should broadcast the addresses throughout the network out to the switches.

EIGRP handles the addressing on the other side of the switch.