Author Topic: ARSSOCKD and TLS v1.2 - proof of concept  (Read 2515 times)

Ed_Arnold

  • Hero Member
  • *****
  • Posts: 1199
    • View Profile
ARSSOCKD and TLS v1.2 - proof of concept
« on: May 17, 2018, 07:02:16 AM »
How to set up ARSSOCKD so that it's only accessible via TLS v1.2?

1. Get SSL up and running as per this thread:

http://www.odusergroup.org/forums/index.php?topic=1938.0

2. Disable the non-SSL connections:

SSL_CLNT_USE_SSL=1

3. Add the following ENVAR to ARSSOCKD:

XXARSSOC95 EXEC PGM=ARSSOCKD,REGION=0M,TIME=NOLIMIT,
XX  PARM='ENVAR(GSK_PROTOCOL_TLSV1_2=ON,GSK_PROTOCOL_TLSV1=0)
XX              /-S -I ARCH950 -v'                           


4. At this point you should be able to logon with the Windows client and load from Windows as well.  You can verify that the connection is TLS v1.2 via your favorite TCP/IP utility.

5. For batch on the same LPAR verification you need to add the ENVAR to each batch job, for example to run the validate utility:

//STEP1     EXEC PGM=ARSMAINT,REGION=0M,                         
// PARM='ENVAR(GSK_PROTOCOL_TLSV1_2=ON,GSK_PROTOCOL_TLSV1=0)     
//              /-I ARCH950 -o   -v'                             
//STEPLIB    DD DISP=SHR,DSN=ARS.ARSV950.SARSLOAD               
//ARSBIN     DD PATH='/usr/lpp/ars/V9R5M0/bin'                   
//SYSPRINT   DD SYSOUT=*,DCB=(RECFM=FBA,LRECL=134,BLKSIZE=134)   


6. For security, the certificate is checked.  In the batch job's JOB card I had to add the USER= parm as per this thread:

www.odusergroup.org/forums/index.php?topic=2296

Ed



#zOS #ODF

Ed_Arnold

  • Hero Member
  • *****
  • Posts: 1199
    • View Profile
Re: ARSSOCKD and TLS v1.2 - proof of concept
« Reply #1 on: June 20, 2019, 11:43:28 AM »
I had a question about running ARSEXOAM via TLS 1.2 as on the EXEC line it has no parms.

We accomplished this via an inline CEEOPTS parameter.                           
                                                               
Specifically                                                   
                                                               
//CEEOPTS DD *                                                 
RPTOPTS(ON)                                                   
ENVAR(GSK_PROTOCOL_TLSV1_2=ON,GSK_PROTOCOL_TLSV1=0)           
/*   
                                                         
                                                               
You'll see what CEEOPT parameters are in effect if you have a 
//SYSOUT  DD *                                                 
in the JCL.   

Ed                                               
#zOS #ODF

Ed_Arnold

  • Hero Member
  • *****
  • Posts: 1199
    • View Profile
Re: ARSSOCKD and TLS v1.2 - proof of concept
« Reply #2 on: January 06, 2022, 07:33:41 PM »
I was informed today that TLS V1.2 is the default starting at CMOD V10.1.

Ed
#zOS #ODF