Re: Who is using SYSTEM SSL -- Update --

Thu, 29 Jan 2015 09:06:07 -0800 

Thanks to all that responded both on and off list. Although I have not 
completed a through process that could be used by any system I have concluded 
with reasonable assurances that SSL is not being used by my system. The best 
way in my opinion for those interested, is to utilize the SMF 119 records.

Understand that there are various sub types of this record. Since we run the 
MXG product (and with the help of their excellent support) I quickly ensured 
that TCPIP was requesting that the 119 records be generated and that we were 
only seeing sub types 2,10,20 & 21 being produced. As mention other systems may 
have additional sub types being generated based on TCPIP settings and system 
usage.

But for our system the 02 subtype provided via MXG field TTTTLSSP shows the 
protocol that was used for the TCP connection (SSLV2, SSLV3, TLSV1.0, TLSV1.1 
or TLSV1.2). In our case this field was x'4040' indicating no SSL usage. Also 
the 21 subtype provides via the MXG field NTSSL indicates if an SSL session 
exist. In our case this field was 0 indicating NO SSL SESSION.

Sub type 10 and 20 provided no additional information on SSL usage.

Again thanks to all.


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of R.S.
Sent: Friday, January 23, 2015 4:15 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Who is using SYSTEM SSL

I dare to disagree.
CSFSERV is iCSF SERVcices.
Yes, ICSF services (liek encrypt, decrypt) are protected using CSFSERV
class, but it's not System SSL. Obviously the components are related.

Dennis: I would bet the only candidates using System SSL are TN3270 for
secure emulator connections, FTP (FTPS or FTP/SSL )and possibly HTTPs.
Nothing more. Of course each application should use some port and ports
in use should be know to network folks...

--
Radoslaw Skorupka
Lodz, Poland






W dniu 2015-01-23 o 00:04, Charles Mills pisze:
> At least some System SSL functions are protected by RACF classes --
>
> "In order for System SSL to use cryptographic support provided through ICSF,
> the
> ICSF started task must be running and the application user ID must be
> authorized
> for the appropriate resources in the RACFR CSFSERV class (when the class is
> active), either explicitly or through a generic resource profile."
>
> Secure Sockets Layer is designed to be used over TCP (or similar) but System
> SSL is not an "add-on to TCP." It could more correctly be described as "a
> software front-end to z/OS Crypto Services."
>
> The use of SSL does not imply the use of any particular ports or similar, so
> it is largely transparent to TCP administrators.
>
> Charles
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of R.S.
> Sent: Thursday, January 22, 2015 2:22 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Who is using SYSTEM SSL
>
> Charles: there is no such class and IMHO no such reason.
>
> Dennis: System SSL is add-on to TCPIP and it is used by TCPIP and its
> protocols like TN3270 or ftp.
> IMHO it's up to TCPIP administrators to know what ports, protocols, services
> are in use.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



--
Tre tej wiadomoci moe zawiera informacje prawnie chronione Banku 
przeznaczone wycznie do uytku subowego adresata. Odbiorc moe by jedynie 
jej adresat z wyczeniem dostpu osób trzecich. Jeeli nie jeste adresatem 
niniejszej wiadomoci lub pracownikiem upowanionym do jej przekazania 
adresatowi, informujemy, e jej rozpowszechnianie, kopiowanie, rozprowadzanie 
lub inne dziaanie o podobnym charakterze jest prawnie zabronione i moe by 
karalne. Jeeli otrzymae t wiadomo omykowo, prosimy niezwocznie 
zawiadomi nadawc wysyajc odpowied oraz trwale usun t wiadomo 
wczajc w to wszelkie jej kopie wydrukowane lub zapisane na dysku.

This e-mail may contain legally privileged information of the Bank and is 
intended solely for business use of the addressee. This e-mail may only be 
received by the addressee and may not be disclosed to any third parties. If you 
are not the intended addressee of this e-mail or the employee authorized to 
forward it to the addressee, be advised that any dissemination, copying, 
distribution or any other similar activity is legally prohibited and may be 
punishable. If you received this e-mail by mistake please advise the sender 
immediately by using the reply facility in your e-mail software and delete 
permanently this e-mail including any copies of it either printed or saved to 
hard drive.

mBank S.A. z siedzib w Warszawie, ul. Senatorska 18, 00-950 Warszawa, 
www.mBank.pl, e-mail: kont...@mbank.pl
Sd Rejonowy dla m. st. Warszawy XII Wydzia Gospodarczy Krajowego Rejestru 
Sdowego, nr rejestru przedsibiorców KRS 0000025237, NIP: 526-021-50-88. 
Wedug stanu na dzie 01.01.2015 r. kapita zakadowy mBanku S.A. (w caoci 
wpacony) wynosi 168.840.228 zotych.


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
CNA SURETY voted the #1 Carrier for Surety Bonds by PROPERTYCASUALTY360 Survey


NOTICE:  This e-mail message, including any attachments and appended messages, 
is for the sole use of the intended recipients and may contain confidential and 
legally privileged information.
If you are not the intended recipient, any review, dissemination, distribution, 
copying, storage or other use of all or any portion of this message is strictly 
prohibited.
If you received this message in error, please immediately notify the sender by 
reply e-mail and delete this message in its entirety.


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Reply via email to