RE: Secure Tn3270



This certainly is the basic gist of it; also, the redbook is your friend.
Search TCPIP and Security on the redbook page and you should find it.

There is also good advice over on RACF-L.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@xxxxxxxxxxxx]
Sent: Tuesday, May 29, 2007 2:18 PM
To: IBM-MAIN@xxxxxxxxxxx
Subject: Re: Secure Tn3270

Ray Prevott wrote:
Just getting started on this. Any advice out there? I am on z/OS 1.7 and
PCOM 5.8. Hope to use RACF to manage certificates, but I don't have a clue
as to what kind I might need. Any help appreciated.

You need certificates.
You can BUY them from Verisign/Thawte/whatever, or simply become your
own CA (Cert. Authority). I assume you chose the latter option.
So, go to RACF commands and do in sequence:
a) CA cert (root).
b) Server cert, signed by your CA
c) Keyring
Then export the CA certificate to a dataset and then transmit it to a PC
file.
Then run IKEYMAN application. It is a part of PCOMM. Alternatively you
can use Windows certificate repository.

In parallel you have to change TCPIP profile parameters - specify the
keyring in SSL parms.


Other options/alternatives: self-signed certificates, client
certificate, ICSF support for certificates.


The above is not detailed, but I think it is good as a starting point.
HTH

--
Radoslaw Skorupka
Lodz, Poland



----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to listserv@xxxxxxxxxxx with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
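
The sequence outlined in the reply above (CA certificate, server certificate signed by that CA, key ring, export of the CA certificate), written out as RACF RACDCERT commands driven from a REXX exec. This is an added example, not part of the original messages; the server user ID, labels, distinguished names, ring name, dataset name and port are assumptions to replace with site values.

```rexx
/* REXX - added example, not from the thread.                        */
/* Steps a) CA cert, b) server cert, c) key ring, then CA export.    */
/* All names below are assumptions; substitute your site's values.   */
srvid    = 'TCPIP'             /* user ID the TN3270 server runs under */
calabel  = 'TN3270 Local CA'   /* labels are case sensitive            */
srvlabel = 'TN3270 Server'
ring     = 'TNRING'

/* a) self-signed root CA certificate, usable only for signing */
cmd.1 = "RACDCERT CERTAUTH GENCERT",
        "SUBJECTSDN(CN('Example Local CA') O('Example') C('PL'))",
        "WITHLABEL('"calabel"') KEYUSAGE(CERTSIGN)"
/* b) server certificate owned by the server ID, signed by the CA */
cmd.2 = "RACDCERT ID("srvid") GENCERT",
        "SUBJECTSDN(CN('mvs1.example.com') O('Example') C('PL'))",
        "WITHLABEL('"srvlabel"')",
        "SIGNWITH(CERTAUTH LABEL('"calabel"'))"
/* c) key ring holding the CA cert and the server cert as default */
cmd.3 = "RACDCERT ID("srvid") ADDRING("ring")"
cmd.4 = "RACDCERT ID("srvid") CONNECT(CERTAUTH LABEL('"calabel"')",
        "RING("ring") USAGE(CERTAUTH))"
cmd.5 = "RACDCERT ID("srvid") CONNECT(ID("srvid") LABEL('"srvlabel"')",
        "RING("ring") DEFAULT USAGE(PERSONAL))"
/* export only the CA certificate (no private key) for the PC side */
cmd.6 = "RACDCERT CERTAUTH EXPORT(LABEL('"calabel"'))",
        "DSN('"userid()".TNCA.CRT') FORMAT(CERTB64)"
/* show what ended up on the ring */
cmd.7 = "RACDCERT ID("srvid") LISTRING("ring")"
cmd.0 = 7

do i = 1 to cmd.0
  say cmd.i
  address tso cmd.i
  if rc <> 0 then do           /* stop at the first failing step */
    say 'Step' i 'failed, RC='rc'; stopping.'
    exit rc
  end
end

/* TCPIP profile side (port number is an assumption):                */
/*   TELNETPARMS                                                     */
/*     SECUREPORT 992                                                */
/*     KEYRING SAF TNRING                                            */
/*   ENDTELNETPARMS                                                  */
exit 0
```

The exported dataset is Base64 text, so it is transferred to the PC as text and then added as a trusted signer in IKEYMAN or the Windows certificate store.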
