Curious question. Is this something a developer could do in order to test this out, or does it require System level access?
Frank

________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Denis <000001664d8ede6c-dmarc-requ...@listserv.ua.edu>
Sent: Saturday, June 17, 2017 12:29 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: changing batch job to use SSL

Hi Andrew,

have a look at the following sample, where just the jobname and the outbound port specify the need to use TLS.

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.cfzu100/step6b.htm
Example: Configuring AT-TLS for secure communication
This topic shows the exemplary setup of the Policy Agent to secure communication for the CIM server.

Scroll down to the sample policy that says outbound. Maybe that's all you need to do, but I have not tested it.

Denis.

-----Original Message-----
From: Andrew Rowley <and...@blackhillsoftware.com>
To: IBM-MAIN <IBM-MAIN@LISTSERV.UA.EDU>
Sent: Sat, Jun 17, 2017 07:45 AM
Subject: Re: changing batch job to use SSL

On 17/06/2017 03:05 AM, Tony Harminc wrote:
> It's validated the same way(s) any TLS client app (such as your desktop
> browser) validates a server certificate. I'm not sure why you seem to think
> this can't be done without client application program involvement.

There are 2 things that need to be validated with the certificate:

- That it is valid, i.e. has been signed by a trusted CA etc.
AND
- That it belongs to the entity that the client is trying to connect to.

The description of AT-TLS says it takes control when the connection is opened, but at this point name resolution has already occurred, hasn't it? So how does AT-TLS know who the client is trying to connect to so it can check the name in the certificate? I guess it would have to intercept name resolution and assume that later connections to a resolved IP address must match the name.
Or, maybe it is not intended for this type of general SSL connection. I have been reading the documentation, but haven't been able to find anything about how (or whether) the name in the certificate is validated.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
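
The second of the two checks listed in the thread (that the certificate belongs to the intended peer) can be shown on its own. The following Python is an added example, not code from any poster and not a description of how AT-TLS behaves; the certificate contents, host names and address are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the names are illustrative and do not come from the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "ftp.example.com"),),),
    "subjectAltName": (("DNS", "ftp.example.com"),
                       ("DNS", "*.batch.example.com")),
}

def _dns_match(pattern, host):
    """RFC 6125 style match: a wildcard may only be the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Wildcard covers exactly one label and needs at least two fixed labels.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def identity_matches(cert, reference):
    """Does the certificate belong to `reference`?

    `reference` is whatever the validating layer knows about the peer:
    the host name the application asked for, or only the resolved IP address.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        # Only an address is known: it can match an IP SAN, never a DNS name.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, reference)
               for kind, value in sans)

if __name__ == "__main__":
    for ref in ("ftp.example.com", "job1.batch.example.com",
                "other.example.com", "192.0.2.10"):
        print(ref, identity_matches(SAMPLE_CERT, ref))
```

A certificate can chain to a trusted CA and still fail this check, which is why a layer that sees only the resolved address needs the expected name supplied some other way, or an IP entry in the certificate.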