Scott, I was looking at this document a little while ago: IBM z/OS V1R13 CS TCP/IP Implementation: Volume 4 Security and Policy-Based Networking
In Chapter 16, 'Telnet Security', it has some good information on this. Page 680 has a Table 16-1 that details the order of the ciphers. I think you can influence the order of this in the TCPIP parameters used. I believe this command would detail the ciphers in effect for the profile and port:

D TCPIP,TN3270D,T,PROF,PORT=992,DET,MAX=*
EZZ6080I TN3270D PROFILE DISPLAY 631
PERSIS FUNCTION DIA SECURITY TIMERS MISC
(LMTGCAK)(OPATSKTQSSHRT)(DRF)(PCKLECXN2)(IPKPSTS)(SMLT)
------- ------------- --- --------- ------- ----
******* ***TSBTQ***RT EC* BB**D**** *P**STS *DD* *DEFAULT
------- ------------T --- --------- ------- ---- *TGLOBAL
-M----- ----S-------- --F SSS-E*--- *---ST- S--- *TPARMS
*M***** ***TSBTQ***RT ECF SSS*E**** *P**STS SDD* CURR
SECURITY
SECUREPORT 992 1
CONNTYPE SECURE 2
KEYRING SAF TCPIP/SharedRing1 3
CRLLDAPSERVER NONE/TTLS/**N/A**
ENCRYPTION DS,3S 4
CLIENTAUTH NONE 5
NOEXPRESSLOGON
NONACUSERID
NOSSLV2
TIMERS
INACTIVE 0 (OFF)
PROFILEINACTIVE 1800
KEEPINACTIVE 0 (OFF)
PRTINACTIVE 0 (OFF)
SCANINTERVAL 120
TIMEMARK 600
SSLTIMEOUT 5
KEYRING SAF TCPIP/SharedRing1 6
----------------------------------------------------------------------------------------------------

In this example, the numbers correspond to the following information:
1. Port 992 is used.
2. The port is for secure connection.
3. The name of the key ring in use.
4. The list of ciphers being used (DS for SSL_DES_SHA and 3S for SSL_3DES_SHA). See Table 16-1 on page 680 for the complete list of supported ciphers.
5. The client authentication is not used.
6. The key ring used is SharedRing1, which is managed by an SAF product (RACF, in our case).

Hope this helps out.

Lynn Gilson
ANTM,Inc.
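The display above is keyword/value text that is easy to check by script once it has been captured from the console. The following is an added example written for this page, not code from the thread or from IBM: it parses the SECURITY block of an EZZ6080I profile display, maps the two cipher codes the reply names (DS = SSL_DES_SHA, 3S = SSL_3DES_SHA) to their names, and reports review findings. The sample display text is constructed to mirror the lines quoted in the reply; the classification of single DES and 3DES as weak ciphers is the editor's assessment, not something the thread states, and any code outside the two named ones is reported as unknown rather than guessed at.

```python
"""Parse an EZZ6080I TN3270D profile display and review its SECURITY block.

Added example (not from the mailing-list thread or from IBM). The cipher
code names below are the two given in the thread; everything else that
a real display could contain is treated as unknown.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Cipher codes named in the thread (ENCRYPTION DS,3S).
CIPHER_NAMES = {
    "DS": "SSL_DES_SHA",
    "3S": "SSL_3DES_SHA",
}

# Editor's assessment: single DES (56-bit key) and 3DES (64-bit block)
# are both considered weak today, so a profile offering only these
# deserves a review of the cipher list in the TCPIP profile.
WEAK_CIPHER_CODES = {"DS", "3S"}

# Constructed sample mirroring the display quoted in the reply
# (without the Redbook's numeric callouts, which are not part of
# the real console output).
SAMPLE_DISPLAY = """\
EZZ6080I TN3270D PROFILE DISPLAY 631
PERSIS FUNCTION DIA SECURITY TIMERS MISC
*M***** ***TSBTQ***RT ECF SSS*E**** *P**STS SDD* CURR
SECURITY
SECUREPORT 992
CONNTYPE SECURE
KEYRING SAF TCPIP/SharedRing1
CRLLDAPSERVER NONE/TTLS/**N/A**
ENCRYPTION DS,3S
CLIENTAUTH NONE
NOEXPRESSLOGON
NONACUSERID
NOSSLV2
TIMERS
INACTIVE 0 (OFF)
SSLTIMEOUT 5
"""


@dataclass
class TelnetSecurityProfile:
    secureport: Optional[str] = None
    conntype: Optional[str] = None
    keyring: Optional[str] = None
    encryption: List[str] = field(default_factory=list)
    clientauth: Optional[str] = None
    sslv2_disabled: bool = False


def parse_profile_display(text: str) -> TelnetSecurityProfile:
    """Extract the SECURITY block (one keyword/value per line) of the display.

    Lines before the SECURITY header are skipped; the block ends at TIMERS.
    """
    profile = TelnetSecurityProfile()
    in_security = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "SECURITY":
            in_security = True
            continue
        if line == "TIMERS":
            break
        if not in_security:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if key == "SECUREPORT":
            profile.secureport = value
        elif key == "CONNTYPE":
            profile.conntype = value
        elif key == "KEYRING":
            profile.keyring = value
        elif key == "ENCRYPTION":
            profile.encryption = [c.strip() for c in value.split(",") if c.strip()]
        elif key == "CLIENTAUTH":
            profile.clientauth = value
        elif key == "NOSSLV2":
            profile.sslv2_disabled = True
    return profile


def assess_ciphers(codes: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (code, name, is_weak) per cipher; unknown codes are named UNKNOWN."""
    return [(c, CIPHER_NAMES.get(c, "UNKNOWN"), c in WEAK_CIPHER_CODES) for c in codes]


def profile_findings(profile: TelnetSecurityProfile) -> List[str]:
    """Findings a reviewer would raise for this profile's SECURITY settings."""
    findings = []
    if profile.conntype != "SECURE":
        findings.append("CONNTYPE is %s, not SECURE" % profile.conntype)
    if not profile.sslv2_disabled:
        findings.append("SSLv2 is not disabled (NOSSLV2 absent)")
    weak = [code for code, _, is_weak in assess_ciphers(profile.encryption) if is_weak]
    if weak and len(weak) == len(profile.encryption):
        findings.append("every offered cipher is weak: " + ",".join(weak))
    elif weak:
        findings.append("weak ciphers offered: " + ",".join(weak))
    if profile.clientauth == "NONE":
        findings.append("CLIENTAUTH NONE: clients are not authenticated by certificate")
    return findings


if __name__ == "__main__":
    parsed = parse_profile_display(SAMPLE_DISPLAY)
    for code, name, is_weak in assess_ciphers(parsed.encryption):
        print("%-3s %-14s %s" % (code, name, "WEAK" if is_weak else "ok"))
    for finding in profile_findings(parsed):
        print("finding:", finding)
```

Run against a captured display (for example, output saved from the D TCPIP command above) instead of SAMPLE_DISPLAY to get the same report for a live profile; the cipher table would then be extended from Table 16-1 of the Redbook, which this example does not reproduce.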
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Scott Ford
Sent: Wednesday, May 13, 2015 15:20
To: [email protected]
Subject: AT-TLS question , issue

All,

We are running z/OS 1.13 and I have AT-TLS configured with PAGENT and SYSLOGD. We are testing a Java client inbound to a COBOL STC running CICS Sockets (ezasoket). In our testing we are seeing an EZD1287I TTLS Error RC: 402 Initial Handshake. The server is showing a socket-read errno=54 - Econnreset. Does this imply the cipher is wrong? The Java client is sending a self-signed certificate which we generated. We know it's ok locally in the same physical office with another server. What I am not sure about is what ciphers, if this is the issue, are supported on AT-TLS. Can someone be kind enough to help me out?

Regards,
Scott

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
