The initial implementation and configuring of Policy Agent is not simple, requiring work with RACF (or other SAF security), TCPIP and TN3270 servers and the agent itself.
But once in place, it looks to be well worth the effort.

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> On Behalf Of Denis
> Sent: Monday, June 19, 2017 11:42 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: changing batch job to use SSL
>
> Hi Frank,
>
> since policy agent belongs to Communication Server and used to have some
> requirements to be started before TCPIP, I would guess that in most shops a
> developer cannot do that.
> Except maybe for play LPARs and zPDT.
>
> Denis.
>
> -----Original Message-----
> From: Frank Swarbrick <frank.swarbr...@outlook.com>
> To: IBM-MAIN <IBM-MAIN@LISTSERV.UA.EDU>
> Sent: Mon, Jun 19, 2017 8:30 pm
> Subject: Re: changing batch job to use SSL
>
> Curious question. Is this something a developer could do in order to test
> this out, or does it require System level access?
>
> Frank
> ________________________________
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on
> behalf of Denis <000001664d8ede6c-dmarc-requ...@listserv.ua.edu>
> Sent: Saturday, June 17, 2017 12:29 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: changing batch job to use SSL
>
> Hi Andrew,
>
> have a look at the following sample, where just the jobname and the
> outbound port specify the need to use tls.
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ibm.com_support_knowledgecenter_en_SSLTBW-5F2.1.0_com.ibm.zos.v2r1.cfzu100_step6b.htm&d=DwICaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb-Je7sw&r=u9g8rUevBoyCPAdo5sWE9w&m=gh6FgP3V357QxzOEXUhmT7moTJWgSm0uq0SfZovGNEQ&s=fgTqcS8a8iRRVlBRO1zFVGheUUHbS3smGu2FKfxcF8k&e=
> www.ibm.com
> Example: Configuring AT-TLS for secure communication
> This topic shows the exemplary setup of the Policy Agent to secure
> communication for the CIM server.
>
> Scroll down to the sample policy that says outbound.
> Maybe that's all you need to do, but I have not tested it.
>
> Denis.
>
> -----Original Message-----
> From: Andrew Rowley <and...@blackhillsoftware.com>
> To: IBM-MAIN <IBM-MAIN@LISTSERV.UA.EDU>
> Sent: Sat, Jun 17, 2017 07:45 AM
> Subject: Re: changing batch job to use SSL
>
> On 17/06/2017 03:05 AM, Tony Harminc wrote:
> > It's validated the same way(s) any TLS client app (such as your desktop
> > browser) validates a server certificate. I'm not sure why you seem to think
> > this can't be done without client application program involvement.
>
> There are 2 things that need to be validated with the certificate:
> - That it is valid, i.e. has been signed by a trusted CA etc. AND
> - That it belongs to the entity that the client is trying to connect to.
>
> The description of AT-TLS says it takes control when the connection is
> opened, but at this point name resolution has already occurred, hasn't it?
>
> So how does AT-TLS know who the client is trying to connect to so it can
> check the name in the certificate? I guess it would have to intercept
> name resolution and assume that later connections to a resolved IP
> address must match the name.
>
> Or, maybe it is not intended for this type of general SSL connection.
>
> I have been reading the documentation, but haven't been able to find
> anything about how (or whether) the name in the certificate is validated.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
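
The second check listed in the quoted thread (that the certificate belongs to the entity the client meant to reach) depends on which identity the verifying layer has in hand. The following is an added example, not part of the thread and not a description of how AT-TLS behaves: a name check over a constructed certificate dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns, with placeholder host names, showing that a layer holding only the resolved IP address cannot match a certificate that carries only DNS names.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the host names are placeholders, not values from the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "reports.example.com"),),),
    "subjectAltName": (("DNS", "reports.example.com"),
                       ("DNS", "*.batch.example.com")),
}


def _dns_match(pattern, host):
    """Compare one dNSName SAN with a host name.

    '*' may stand only for the whole left-most label, never for several
    labels and never for an empty one.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def name_matches(cert, reference):
    """True if the certificate's SAN entries cover the reference identity.

    `reference` is whatever the verifying layer knows: the host name the
    application asked for, or only the IP address the socket connected to.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        # With only an address, only iPAddress SANs can match;
        # dNSName entries say nothing about it.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, reference)
               for kind, value in sans)
```

Chain validation (the first check in the list) is independent of this function: a certificate can chain to a trusted CA and still fail the name check, or the reverse.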