Technical Blog Post
Abstract
How To Test TLS Encryption Without Disrupting Your SNA Connection
Body
You are working on migrating your STS nodes to SSL/TLS and digital certificates. You discover that you cannot test the connection over TCP/IP, which is required for the SSL/TLS encryption protocols, without disrupting your production work with your SNA trading partner.
You can set this up so that you can test SSL/TLS over a TCP/IP connection and maintain your SNA connection until you are ready to migrate this definition to TCP/IP fully.
For this discussion we will assume the following information:
1. Local node name is CD.LOCAL with VTAM APPL of APPLOCAL and IP address of 192.168.10.10. DTF listening port is 1364 and API listening port is 1363.
2. Remote node name is CD.REMOTE with VTAM APPL of APPREMTE and IP address of 192.169.20.20. DTF listening port is 1364 and API listening port is 1363. The ADJACENT.NODE definition for CD.REMOTE should look similar to this in the CD.LOCAL NETMAP:
ADJACENT.NODE=((CD.REMOTET,1364,192.169.20.20,TCP,INT,BOTH) -
ENVIRONMENT=ZOS -
SESS.SNODE.MAX=(4) -
PARSESS=(4,1))
3. The pseudo/alias name will be CD.REMOTET.
What you have to do is create an alias of the node CD.REMOTE in the Secure+ PARMFILE to be able to have the SNA and TCP/IP definition both during testing and cutover. Any node defined in your Secure+ PARMFILE must also exist in your NETMAP. The first thing to do is to create a pseudo or alias ADJACENT.NODE in your NETMAP for the TCP/IP definition of CD.REMOTE.
1. Build a NETMAP dynamic update member in some PDS. You can name this ADJACENT.NODE anything you want because this is an alias of the real node. We will use CD.REMOTET for the alias name.
$$INSERT
ADJACENT.NODE=((CD.REMOTET,1364,192.169.20.20,TCP,INT,BOTH) -
ENVIRONMENT=ZOS -
SESS.SNODE.MAX=(4) -
PARSESS=(4,1))
2. Log onto your IUI, go to ADMIN.UNM.
3. Enter the name of the PDS that you built the above member in, in the ENTER NETMAP INPUT FILE NAME: field, and the member name of the member
you built in Step 1 in the ENTER MEMBER NAME: field. Press enter. Ensure that this new node has been added to your NETMAP by going to the NM panels to display CD.REMOTET.
When you have completed the above then from the ADMIN menu enter SA:
1. Open your PARMFILE.
2. Place a U next to CD.REMOTE and press enter.
3. Place the cursor on Node Identification and press enter.
4. Enter CD.REMOTET in the Alias Names field.
5. Place the cursor on OK and press enter.
6. Place a U next to CD.REMOTET to display the definition. Make the necessary changes to this definition to use the SSL/TLS encryption protocol.
7. Place the cursor on OK and press enter.
8. Place the cursor on FILE and press enter to get the drop down menu.
Enter 6 - Save Active and press enter.
9. Submit the JCL that is built to update your PARMFILE.
Once you have the NETMAP and PARMFILE updated with the alias node name you can submit a process with SNODE=CD.REMOTET to communicate with CD.REMOTE.
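The following Connect:Direct process is an added example, not from the original post, showing a test submission that uses the alias as SNODE so the session is routed through the TCP/IP ADJACENT.NODE and the Secure+ alias entry (SSL/TLS), while production processes with SNODE=CD.REMOTE keep using the SNA path. The data set names and the file layout are assumptions.

```text
/* TESTTLS: added example, not part of the original post.         */
/* SNODE=CD.REMOTET selects the TCP/IP alias definition, so this  */
/* session negotiates SSL/TLS; SNODE=CD.REMOTE would still use    */
/* the SNA definition. Data set names below are assumptions.      */
TESTTLS  PROCESS SNODE=CD.REMOTET -
                 CLASS=1 -
                 PRTY=10
/* Send a small test file from the local node to the partner.     */
STEP01   COPY FROM (PNODE DSN=HLQ.TLSTEST.OUT DISP=SHR) -
              TO   (SNODE DSN=HLQ.TLSTEST.IN -
                    DISP=(NEW,CATLG,DELETE) -
                    DCB=(DSORG=PS,RECFM=FB,LRECL=80,BLKSIZE=8000) -
                    SPACE=(TRK,(5,1),RLSE))
/* Stop here if the send failed: a handshake or certificate       */
/* problem surfaces in this step before any data is moved.        */
         IF (STEP01 NE 0) THEN
           EXIT
         EIF
/* Pull the same file back so both transfer directions are        */
/* exercised over the TLS session.                                */
STEP02   COPY FROM (SNODE DSN=HLQ.TLSTEST.IN DISP=SHR) -
              TO   (PNODE DSN=HLQ.TLSTEST.BACK -
                    DISP=(NEW,CATLG,DELETE) -
                    DCB=(DSORG=PS,RECFM=FB,LRECL=80,BLKSIZE=8000) -
                    SPACE=(TRK,(5,1),RLSE))
```

After the process completes, review its statistics records to confirm that the session with CD.REMOTE was established through the CD.REMOTET (TCP/IP, Secure+) definition and not the SNA one.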
There does not have to be a DTF with a local name of CD.REMOTET. Unless your remote trading partner will be initiating processes to you, there is nothing that they will have to change in their definitions for you.
You do need these definitions in your NETMAP and PARMFILE. When your local node initiates a session with CD.REMOTET the local node name of the trading partner that will be returned is CD.REMOTE. This is needed to be able to authenticate the trading partner.
Now if your remote trading partner will be initiating sessions to you they will need to follow the same procedure to build an alias in their DTF.
UID
ibm11123755