Tuesday, June 12, 2012

IPv6/VSE Automatic SSL/TLS Sockets


SSL without SSL/TLS Programming

We often hear customers asking to be able to use SSL/TLS sockets without having to change their applications. Since converting their applications is a lot of work and requires at least a basic understanding of SSL/TLS programming, the conversion of plain text applications to SSL/TLS applications can be daunting to say the least.

IPv6/VSE provides an answer to this problem.

ATLS Automatic Transport Layer Security

Automatic Transport Layer Security is a facility that is similar to the z/OS AT-TLS (Application Transparent - Transport Layer Security) facility. When a socket is established, the BSTTATLS application automatically determines if SSL/TLS is needed (based on your configuration) and converts the socket to SSL/TLS transparently to the application.

For example, the BSTTFTPS FTP server is running and listening for connections on port 21. A clear text FTP client that wishes to connect uses port 21. The BSTTATLS application is also listening on port 990 (the FTP over SSL port), and when an SSL/TLS connection arrives on port 990 it is automatically converted to clear text and passed to the BSTTFTPS FTP server on port 21. This effectively means that the BSTTFTPS FTP server supports both clear text and implicit-ftps connections.

At the same time, when the BSTTMTPC batch Email client attempts to connect to SMTP.GMAIL.COM on port 25 (SMTP), the BSTTATLS application automatically converts the outbound socket to a connection to SMTP.GMAIL.COM on SSL/TLS port 465 (Implicit-SMTPS).

In both examples, no changes were made to the BSTTFTPS or BSTTMTPC applications or the JCL used to run these applications.

BSTTATLS works for both client and server applications and its operation is completely transparent to the application. The BSTTATLS application supports both batch and CICS applications written in any supported API, including applications using the ASM SOCKET macro, EZASMI, EZASOKET and LE/C APIs.

Using BSTTATLS is very useful if you want to use SSL/TLS to securely transfer data but do not want to re-code or change your batch or CICS applications. Your batch or CICS socket applications continue to run unchanged even though they are now transferring data using SSL/TLS to remote hosts.

Design

The IPv6/VSE TCP/IP stacks run in separate partitions. The IPv4 stack (BSTTINET) runs in one partition and the IPv6 stack (BSTT6NET) runs in another. The TCP/IP stacks are then coupled together, acting as a single stack. The BSTTATLS application is associated with a specific stack (BSTTINET or BSTT6NET). When running a typical dual stack configuration there will be two BSTTATLS application partitions, one for each TCP/IP stack.

The reasons for this design are performance, reliability and robustness. Since the BSTTATLS application is performing SSL/TLS functionality, the overhead of this functionality is offloaded from both the TCP/IP stack and the applications BSTTATLS is servicing.


Operation

The BSTTATLS application must be started before any of the applications it is servicing, and the applications BSTTATLS is servicing should be shut down/terminated before terminating the BSTTATLS application. If the BSTTATLS application is terminated using the TERMINATE console command, all active sockets will be abnormally closed before BSTTATLS goes to EOJ.

To allow jobs to wait for the BSTTATLS application to start up, use the BSTTWTLS application.


// LIBDEF PHASE,SEARCH=(bsilib.slib)
// OPTION SYSPARM='00'
// EXEC BSTTWTLS,SIZE=BSTTWTLS
/*



The BSTTWTLS application will attempt to verify the BSTTATLS application is available every 30 seconds. BSTTWTLS will go to EOJ when the BSTTATLS application is detected. The BSTTWTLS application can be terminated early by issuing a MSG BSTTWTLS command on the console. No data needs to be entered with the MSG command.


ATLS Types

Type      Source                                       Destination
Server    Accept SSL connection                        Convert to clear text for local server application
Client    Accept clear text local client connection    Convert to SSL/TLS connection for destination

Source         Destination
IPv4 socket    To IPv4 socket
IPv6 socket    To IPv6 socket



ATLS Examples

Accept a clear text connection from BSTTMTPC and convert the connection to SSL/TLS on port 465. This type of connection is commonly called smtps.
Accept an SSL connection on port 443 and convert the connection to CICS TS Web Services on clear text port 80. This type of connection is commonly called https.
Accept an SSL connection on port 992 and convert the connection to clear text on port 23. This type of connection is commonly called telnets.
Accept a clear text connection from BSTTFTPC and convert the connection to SSL/TLS on port 990. This type of connection is commonly called ftps.
Accept an SSL connection on port 990 and convert the connection to clear text on port 21. This type of connection is commonly called ftps.


Sample ATTLS Commands

Command                                    Description
OPTION CLIENT                              Intercept outbound CLIENT connections made to
ATTLS 25 TO SMTP.GOOGLE.COM AS 465 SSL     SMTP.GMAIL.COM on port 25, convert them to SSL
                                           connections on port 465 (Implicit-SMTPS).

OPTION CLIENT                              Intercept outbound FTP CLIENT connections made to
OPTION FTP                                 FTPS.BSIOPTI.COM on port 21, convert them to SSL
ATTLS 21 TO FTPS.BSIOPTI.COM AS 990 SSL    connections on port 990 (Implicit-FTPS).

OPTION SERVER                              Intercept inbound SERVER connections made on SSL
ATTLS 23 AS 992 SSL                        port 992 (Implicit-TELNETS), convert them to clear
                                           text connections on port 23.

OPTION SERVER                              Intercept inbound SERVER connections made on SSL
ATTLS 80 AS 443 SSL                        port 443 (Implicit-HTTPS), convert them to clear
                                           text connections on port 80.

OPTION SERVER                              Intercept inbound SERVER connections made on SSL
OPTION FTP                                 port 990 (Implicit-FTPS), convert them to clear
ATTLS 21 AS 990 SSL                        text connections on port 21.





BSTTATLS JCL

The following shows sample JCL for using the BSTTATLS proxy server.

// OPTION SYSPARM='66'
// SETPARM IPTRACE='NNNNNNN'
// SETPARM LRGBUF=YES
// LIBDEF *,SEARCH=(ssllib.slib,bsilib.slib)
// EXEC BSTTATLS,SIZE=BSTTATLS
ID 66
*
KEYRING PRD2.CONFIG
DNAME MYCERT
SECTYPE TLSV1
*
OPTION SERVER
ATTLS 23 AS 992 SSL
/*



Partition Size

The BSTTATLS server application requires a minimum 20M partition plus 72K for each possible socket to be handled by the BSTTATLS server.
For example, to support 600 TELNETS sessions, 4 FTPS sessions and 100 HTTPS sessions you will need a 20MB + 51MB = 71MB partition.

Partition Priority

The BSTTATLS server is very CPU intensive due to SSL encryption and decryption processing. The BSTTATLS partition priority should always be lower than the TCP/IP stack partition.


BSTTATLS Sample Configuration



// OPTION SYSPARM='00'
// SETPARM IPTRACE='NNNNNNN'
// SETPARM LRGBUF=YES
// LIBDEF *,SEARCH=(ssllib.slib,bsilib.slib)
// EXEC BSTTWAIT,SIZE=BSTTWAIT
/*
// EXEC BSTTATLS,SIZE=BSTTATLS
ID 00
*
KEYRING PRD2.CONFIG
DNAME MYCERT
SECTYPE TLSV1
*
* Convert outbound SMTP connections to Implicit-SMTPS
* but only connections to SMTP.GOOGLE.COM
OPTION CLIENT
ATTLS 25 TO SMTP.GOOGLE.COM AS 465 SSL
*
* Convert Implicit-TELNETS connections to TELNET
OPTION SERVER
ATTLS 23 AS 992 SSL
*
* Convert Implicit-HTTPS connections for CICS TS CWI
OPTION SERVER
ATTLS 80 AS 443 SSL
*
* Convert outbound FTP connections to Implicit-FTPS
OPTION CLIENT
OPTION FTP
ATTLS 21 TO FTPS.BSIOPTI.COM AS 990 SSL
*
* Convert inbound Implicit-FTPS connections to FTP
OPTION SERVER
OPTION FTP
ATTLS 21 AS 990 SSL
/*
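The OPTION/ATTLS statement syntax used in the command table and the sample configuration above, worked as an added Python example (not IPv6/VSE code): a parser that turns a BSTTATLS configuration into a rule list, and a resolver that reports which port BSTTATLS maps a given inbound or outbound connection to. It assumes that OPTION values apply only to the next ATTLS statement (the page does not say whether they persist), and the embedded configuration is a constructed cut-down of the page's sample.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class AtlsRule:
    mode: str            # SERVER (inbound SSL -> clear) or CLIENT (outbound clear -> SSL)
    ftp: bool            # OPTION FTP preceded this statement
    clear_port: int      # clear-text port used by the local application
    ssl_port: int        # SSL/TLS port (the AS value)
    host: "str | None"   # destination host of a CLIENT rule (the TO value)
def parse_atls_config(text):
    # Assumption (not on the page): OPTION values apply to the next ATTLS only, then reset.
    rules, mode, ftp = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):      # blank line or '*' comment card
            continue
        w = line.upper().split()
        if w[:1] == ["OPTION"] and w[1:] in (["SERVER"], ["CLIENT"]):
            mode = w[1]
        elif w == ["OPTION", "FTP"]:
            ftp = True
        elif w[:1] == ["ATTLS"] and mode is not None:
            # ATTLS clear AS ssl SSL   |   ATTLS clear TO host AS ssl SSL
            rest, host = w[2:], None
            if rest[:1] == ["TO"]:
                host, rest = rest[1], rest[2:]
            if len(rest) != 3 or rest[0] != "AS" or rest[2] != "SSL":
                raise ValueError(f"malformed ATTLS statement: {line}")
            rules.append(AtlsRule(mode, ftp, int(w[1]), int(rest[1]), host))
            mode, ftp = None, False                # reset for the next statement
        else:
            raise ValueError(f"unrecognised statement or ATTLS without OPTION: {line}")
    return rules
def resolve(rules, mode, port, host=""):
    # SERVER: port is the SSL port a connection arrived on; result is the clear-text port
    # it is handed to. CLIENT: outbound clear-text connect; result is the SSL port. None: untouched.
    for r in rules:
        if mode == "SERVER" == r.mode and r.ssl_port == port:
            return r.clear_port
        if mode == "CLIENT" == r.mode and r.clear_port == port and r.host in (None, host.upper()):
            return r.ssl_port
    return None
SAMPLE_CONFIG = """\
* Constructed sample, cut down from the page's BSTTATLS sample configuration
OPTION CLIENT
ATTLS 25 TO SMTP.GOOGLE.COM AS 465 SSL
OPTION SERVER
OPTION FTP
ATTLS 21 AS 990 SSL
"""
RULES = parse_atls_config(SAMPLE_CONFIG)
```

Running the resolver against a configuration before it goes live shows which clear-text ports are left unwrapped (a None result), which is the check an auditor most often wants from an ATTLS rule set.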
