Networking on z/OS


TN3270 security


The TN3270 environment is unique and complex enough to warrant some special attention. As mentioned, the TN3270 server supports TLS. In addition, the TN3270 server makes full use of SAF-based authentication. And, if desired, TLS and SAF can be used together to force a TN3270 client to send a certificate that is associated with a SAF-controlled user ID, which allows a security product such as RACF to exercise further control over the connection.

A sample excerpt of some related TN3270 server statements is shown in Figure 1.

Figure 1. TN3270 server security-related statements
 LUMAP TSOLU001 9.29.168.30 DEFAPPL TSO DEFONLY
 MAXREQSESS 40           ;allow max of 40 binds in 10 seconds.
 MAXRECEIVE 65535        ;no more than 65KB at a time.
 ENCRYPTION
  SSL_DES_SHA            ;for testing, keep these cipher
  SSL_RC2_MD5_EX         ;cipher statements
  SSL_RC4_MD5_EX         ;in this order
  SSL_3DES_SHA           ;export restricted?
 ENDENCRYPTION
 CONNTYPE SECURE         ; TLS required
 CLIENTAUTH NONE
 KEYRING TN3270ring
Take a closer look at these statements as they apply to security:
LU choice
TN3270 configuration statements can control the LU that a given network or IP address can access. In this case, IP address 9.29.168.30 will be assigned a VTAM LU called TSOLU001.
Application selection
The application selection can be limited based upon a network or IP address. In Figure 1, the LUMAP statement allows a connection to TSO only.
TN3270 client behavior
If a workstation TN3270 client requests too many sessions within a short interval (MAXREQSESS; in Figure 1, no more than 40 binds in 10 seconds), or sends too much data at a single time (MAXRECEIVE; in Figure 1, no more than 65535 bytes), the connection may be dropped.
TLS
The TLS configuration statements are effectively the same as those for the FTP application.
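As an added example (not part of the IBM documentation), the following Python audits a profile excerpt like Figure 1 for the settings discussed above: a port that does not require TLS, CLIENTAUTH NONE (no client certificate tied to a SAF user ID), missing MAXREQSESS/MAXRECEIVE limits, and the single-DES, RC2/RC4 and export-grade ciphers that the figure itself marks as "for testing". The cipher-weakness markers and the finding texts are this example's own assumptions, not TN3270 server semantics.

```python
# Constructed copy of the Figure 1 excerpt (';' starts a comment, as in the figure).
SAMPLE_PROFILE = """
 LUMAP TSOLU001 9.29.168.30 DEFAPPL TSO DEFONLY
 MAXREQSESS 40           ;allow max of 40 binds in 10 seconds.
 MAXRECEIVE 65535        ;no more than 65KB at a time.
 ENCRYPTION
  SSL_DES_SHA            ;for testing, keep these cipher
  SSL_RC2_MD5_EX         ;cipher statements
  SSL_RC4_MD5_EX         ;in this order
  SSL_3DES_SHA           ;export restricted?
 ENDENCRYPTION
 CONNTYPE SECURE         ; TLS required
 CLIENTAUTH NONE
 KEYRING TN3270ring
"""

# Assumed weakness markers: single DES, RC2/RC4, export-grade (_EX) and MD5-based suites.
WEAK_CIPHER_MARKERS = ("_DES_", "RC2", "RC4", "_EX", "MD5")


def parse_statements(text):
    """Return ({STATEMENT: [args]}, [ciphers listed in the ENCRYPTION block])."""
    statements, ciphers, in_block = {}, [], False
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()  # drop the comment, then tokenize
        if not tokens:
            continue
        key = tokens[0].upper()
        if key == "ENCRYPTION":
            in_block = True
        elif key == "ENDENCRYPTION":
            in_block = False
        elif in_block:
            ciphers.append(key)  # one cipher name per line inside the block
        else:
            statements[key] = tokens[1:]
    return statements, ciphers


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    stmts, ciphers = parse_statements(text)
    findings = []
    if (stmts.get("CONNTYPE") or [""])[0].upper() != "SECURE":
        findings.append("CONNTYPE is not SECURE: TLS is not required")
    if (stmts.get("CLIENTAUTH") or ["NONE"])[0].upper() == "NONE":
        findings.append("CLIENTAUTH NONE: no client certificate tied to a SAF user ID")
    if "MAXREQSESS" not in stmts or "MAXRECEIVE" not in stmts:
        findings.append("MAXREQSESS/MAXRECEIVE missing: no limits on client load")
    findings += [f"weak cipher enabled: {c}" for c in ciphers
                 if any(m in c for m in WEAK_CIPHER_MARKERS)]
    return findings
```

Running `audit(SAMPLE_PROFILE)` on the Figure 1 excerpt reports the CLIENTAUTH NONE setting and the three export-grade ciphers, and leaves the SECURE port and the load limits unflagged.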




Copyright IBM Corporation 1990, 2010