BSTTPRXY SSL Proxy Server
The BSTTPRXY SSL proxy server allows non-SSL server applications running in z/VSE to accept connections from SSL based client applications. Or, BSTTPRXY will allow non-SSL client applications to connect to SSL based server applications.The BSTTPRXY SSL proxy server will also proxy IPv4 connections to an IPv6 destination or IPv6 connections to an IPv4 destination.
Proxy Types
Source | Destination |
Accept clear text connection | Proxy to clear text connection |
Accept SSL connection | Proxy to SSL connection |
Accept clear text connection | Proxy to SSL connection |
Accept SSL connection | Proxy to clear text connection |
Accept IPv4 or IPv6 connection | Proxy to IPv4 or IPv6 connection |
Proxy Examples
Accept a clear text connection from BSTTMTPC on port 25 and proxy the connection to an SMTP server listening on SSL port 465. This type of connection is commonly called smtps.Accept an SSL connection on port 443 and proxy the connection to CICS TS Web Services on clear text port 80. This type of connections commonly called https.
Accept an SSL connection on port 992 and proxy the connection to the BSTTVNET TN3270E server on clear text port 23. This type of connection is commonly called telnets.
Accept a clear text connection from BSTTFTPC on port 21 and proxy the connection to an FTP server listening on SSL port 990. This type of connection is commonly called ftps.
Accept an SSL connection on port 990 and proxy the connection to the BSTTFTPS FTP server on clear text port 21. This type of connection is commonly called ftps.
BSTTPRXY Examples
BSTTVNET TN3270E Server
x3270x3270 is an IBM 3270 terminal emulator for the X Window System and Windows. It runs on most Unix-like operating systems -- e.g., Linux, Mac OS X, Solaris and Cygwin. It also runs natively on Windows.
X3270 is distributed as source code, and can be used for free. See http://x3270.bgp.nu
x3270 runs over
a TELNET connection, emulating either an IBM 3279 (color) or 3278
(monochrome). It supports:
- The full TN3270E protocol
- SSL/TLS (via the OpenSSL library) for encrypted sessions
- APL2 characters
- Non-English character sets, including Hebrew and DBCS Chinese and Japanese
- IND$FILE file transfer
- NVT mode (emulating a color xterm)
- A pop-up keypad for 3270-specific keys
- A scrollbar
- Printer session integration
- Extensive debugging and scripting facilities
Command
format:
X3270
[prefix:]...[LUname@]hostname[:port]
E.g.,
x3270
L:192.168.1.238:992 |
//
OPTION SYSPARM='66'
//
SETPARM IPTRACE='NNNNNNN'
//
LIBDEF *,SEARCH=(ssllib.slib,bsilib.slib)
//
EXEC BSTTPRXY,SIZE=BSTTPRXY
ID
66
KEYRING PRD2.CONFIG
DNAME
BSICERT
SECTYPE TLSV1 OPTION SERVER
PROXY
TCP V4 992 SSL * TO V4 23 TXT * LOCALHOST
/*
|
The above example executes the BSTTPRXY SSL proxy server in SERVER mode, accepting SSL connections on port 992 (implicit telnets) and proxies the connection in clear text to port 23. Port 23 is being used by BSTTVNET to accept connections to the TN3270E server.
The KEYRING parameter indicates the RSA key and certificate to be used by the BSTTPRXY server is located in PRD2.CONFIG and the DNAME parameter indicates BSICERT.PEM is the member name.
BSTTMTPC Mail Transport Client
The following sample JCL shows BSTTMTPC connecting to the BSTTPRXY server on port 25 (SMTP) and sending an email.
//
EXEC BSTTMTPC,SIZE=BSTTMTPC
ID
00
OPEN
127.0.0.1 25
*
EHLO
gmail.com
AUTH
LOGIN jeffrey.webmail ????????
MAIL
From:
RCPT
To:
SUBJ
Subject: Test Email
ORGA
Organization: Barnard Software, Inc.
*
DATA
*
QUIT
/*
This
is a test email text.
See
http://www.bsiopti.com
Jeff
/*
|
The following sample BSTTPRXY JCL shows the proxy server accepting connections on port 25 (SMTP) and proxying the connection to smtp.gmail.com port 465. This configuration uses SMTPS or SMTP through an SSL tunnel. Note: The KEYFILE parameter must specify an RSA key/certificate member with a valid RSA key and certificate. However, the certificate is not used.
//
EXEC BSTTPRXY,SIZE=BSTTPRXY,PARM='TRAP(OFF)/'
ID
00
*
KEYRING
PRD2.CONFIG
KEYFILE
ZVSE51
SECTYPE
TLSV1
*
OPTION
CLIENT
*
74.125.157.108 IS SMTP.GMAIL.COM
PROXY
TCP V4 25 TXT * TO V4 465 SSL * 74.125.157.108
/*
|
CICS TS Web Interface
The following sample BSTTPRXY JCL shows the proxy server accepting connections on port 443 (HTTPS) and proxying the connection to the CICS TS Web Server on port 8080.
//
EXEC BSTTPRXY,SIZE=BSTTPRXY,PARM='TRAP(OFF)/'
ID
00
*
KEYRING
PRD2.CONFIG
KEYFILE
CICSTS
SECTYPE
TLSV1
*
OPTION SERVER
*
PROXY
TCP V4 443 SSL * TO V4 8080 TXT * 127.0.0.1
/*
|
BSTTFTPC Batch FTP Client
The following sample JCL shows BSTTFTPC connecting to the BSTTPRXY server on port 2121 (FTP) and sending commands to a remote host FTP server on port 990(FTPS). BSTTPRXY supports Implicit-FTPS where the command connection is automatically encrypted using TLS.
//
EXEC BSTTFTPC,SIZE=BSTTFTPC,OS390,TASKS=ANY
ID
00
OPEN
127.0.0.1 2121
PBSZ
0
PROT
P
USER
jcb
PASS
bsi
PWD
STAT
QUIT
/*
|
The BSTTFTPC JCL/commands looks pretty typical but notice the PBSZ 0 and PROT P commands that immediately follow the OPEN command. These two commands, exactly as shown, must immediately follow the OPEN command. When using an Implicit-FTPS connection the command connection is automatically encrypted. The PBSZ 0 and PROT P commands tell the remote host FTP server that any data transfer done should also be encrypted. If these two commands are missing any data transfer will be done in clear text mode.
The following sample BSTTPRXY JCL shows the proxy server accepting connections on port 2121 (FTP) and proxying the connection to 192.168.1.60 port 990. This configuration uses FTPS or FTP through an implicit SSL tunnel. Note: The KEYFILE parameter must specify an RSA key/certificate member with a valid RSA key and certificate. Port mapping, for the FTP data connection, is handled automatically by BSTTPRXY.
//
EXEC BSTTPRXY,SIZE=BSTTPRXY,PARM='TRAP(OFF)/'
ID
00
*
KEYRING
PRD2.CONFIG
KEYFILE
BSICERT
SECTYPE
TLSV1
*
OPTION FTP OPTION CLIENT *
PROXY
TCP V4 2121 TXT * TO V4 990 SSL * 192.168.1.60
/*
|
BSTTFTPS FTP Server
The following sample BSTTPRXY JCL shows the proxy server accepting connections on port 990 (Implicit-FTPS) and proxying the connection to 192.168.1.60 port 21 (FTP). This configuration uses FTPS or FTP through an implicit SSL tunnel. Note: The KEYFILE parameter must specify an RSA key/certificate member with a valid RSA key and certificate. Port mapping, for the FTP data connection, is handled automatically by BSTTPRXY.
//
EXEC BSTTPRXY,SIZE=BSTTPRXY,PARM='TRAP(OFF)/'
ID
00
*
KEYRING
PRD2.CONFIG
KEYFILE
BSICERT
SECTYPE
TLSV1
*
OPTION SERVER *
PROXY
TCP V4 990 SSL * TO V4 21 TXT * 127.0.0.1
/*
|
This example assumes you also are running the BSTTFTPS FTP server listening on port 21.
To test this function of BSTTPRXY we used the Linux LFTP FTP client. The LFTP client connected to BSTTPRXY using the 'lftp -d -u userid,password -p 990 ftps://192.168.1.238' command. The LFTP client connected to the BSTTPRXY server using an SSL connection on port 990. BSTTPRXY then proxied the connection to the BSTTFTPS FTP server on port 21.
The IPv6/VSE SSL proxy server is simple and easy to use. In addition to the examples shown in this post, many other types of connections can be proxied including MQSeries, DB2 UDB connections, etc.
No comments:
Post a Comment