SSL without SSL/TLS Programming
We often hear customers asking to be able to use SSL/TLS sockets without having to change their applications. Since converting their applications is a lot of work and requires at least a basic understanding of SSL/TLS programming, the conversion of plain text applications to SSL/TLS applications can be daunting to say the least.
IPv6/VSE provides an answer to this problem.
ATLS Automatic Transport Layer Security
Automatic Transport Layer Security is a facility similar to the z/OS AT-TLS (Application Transparent - Transport Layer Security) facility. When a socket is established, the BSTTATLS application automatically determines whether SSL/TLS is needed (based on your configuration) and converts the socket to SSL/TLS transparently to the application.
For example, the BSTTFTPS FTP server is running and listening for connections on port 21. A clear text FTP client connects on port 21. The BSTTATLS application is also listening on port 990 (the FTP over SSL port), and when an SSL/TLS connection arrives on port 990 it is automatically converted to clear text and passed to the BSTTFTPS FTP server on port 21. This effectively means that the BSTTFTPS FTP server supports both clear text and implicit-ftps connections.
At the same time, when the BSTTMTPC batch email client attempts to connect to SMTP.GMAIL.COM on port 25 (SMTP), the BSTTATLS application automatically converts the outbound socket to a connection to SMTP.GMAIL.COM on SSL/TLS port 465 (Implicit-SMTPS).
In both examples, no changes were made to the BSTTFTPS or BSTTMTPC applications or the JCL used to run these applications.
BSTTATLS works for both client and server applications and its operation is completely transparent to the application. The BSTTATLS application supports both batch and CICS applications written in any supported API, including applications using the ASM SOCKET macro, EZASMI, EZASOKET and LE/C APIs.
Using BSTTATLS is very useful if you want to use SSL/TLS to securely transfer data but do not want to re-code or change your batch or CICS applications. Your batch or CICS socket applications continue to run unchanged even though they are now transferring data using SSL/TLS to remote hosts.
Design
The IPv6/VSE TCP/IP stacks run in separate partitions: the IPv4 stack (BSTTINET) runs in one partition and the IPv6 stack (BSTT6NET) in another. The two stacks are coupled together and act as a single stack. Each BSTTATLS application is associated with one specific stack (BSTTINET or BSTT6NET), so a typical dual stack configuration has two BSTTATLS application partitions, one for each TCP/IP stack.
The reasons for this design are performance, reliability and robustness. Because the BSTTATLS application performs the SSL/TLS processing, that overhead is offloaded from both the TCP/IP stack and the applications BSTTATLS is servicing.
Operation
The BSTTATLS application must be started before any of the applications it services, and those applications should be shut down before the BSTTATLS application is terminated. If the BSTTATLS application is terminated with the TERMINATE console command, all active sockets are abnormally closed before BSTTATLS goes to EOJ.
To allow jobs to wait for the BSTTATLS application to start up, use the BSTTWTLS application:
// LIBDEF PHASE,SEARCH=(bsilib.slib)
// OPTION SYSPARM='00'
// EXEC BSTTWTLS,SIZE=BSTTWTLS
/*
The BSTTWTLS application checks every 30 seconds whether the BSTTATLS application is available, and goes to EOJ as soon as BSTTATLS is detected. BSTTWTLS can be terminated early by issuing a MSG BSTTWTLS command on the console; no data needs to be entered with the MSG command.
ATLS Types
          Source                                      Destination
Server    Accept SSL connection                       Convert to clear text for local server application
Client    Accept clear text local client connection   Convert to SSL/TLS connection for destination
          IPv4 socket                                 To IPv4 socket
          IPv6 socket                                 To IPv6 socket
ATLS Examples
Accept a clear text connection from BSTTMTPC and convert the connection to SSL/TLS on port 465. This type of connection is commonly called smtps.
Accept an SSL connection on port 443 and convert the connection to CICS TS Web Services on clear text port 80. This type of connection is commonly called https.
Accept an SSL connection on port 992 and convert the connection to clear text on port 23. This type of connection is commonly called telnets.
Accept a clear text connection from BSTTFTPC and convert the connection to SSL/TLS on port 990. This type of connection is commonly called ftps.
Accept an SSL connection on port 990 and convert the connection to clear text on port 21. This type of connection is commonly called ftps.
Sample ATTLS Commands
OPTION CLIENT
ATTLS 25 TO SMTP.GOOGLE.COM AS 465 SSL
    Intercept outbound CLIENT connections made to SMTP.GMAIL.COM on port 25 and convert them to SSL connections on port 465 (Implicit-SMTPS).

OPTION CLIENT
OPTION FTP
ATTLS 21 TO FTPS.BSIOPTI.COM AS 990 SSL
    Intercept outbound FTP CLIENT connections made to FTPS.BSIOPTI.COM on port 21 and convert them to SSL connections on port 990 (Implicit-FTPS).

OPTION SERVER
ATTLS 23 AS 992 SSL
    Intercept inbound SERVER connections made on SSL port 992 (Implicit-TELNETS) and convert them to clear text connections on port 23.

OPTION SERVER
ATTLS 80 AS 443 SSL
    Intercept inbound SERVER connections made on SSL port 443 (Implicit-HTTPS) and convert them to clear text connections on port 80.

OPTION SERVER
OPTION FTP
ATTLS 21 AS 990 SSL
    Intercept inbound SERVER connections made on SSL port 990 (Implicit-FTPS) and convert them to clear text connections on port 21.
BSTTATLS JCL
The following shows sample JCL for using the BSTTATLS proxy server.
// OPTION SYSPARM='66'
// SETPARM IPTRACE='NNNNNNN'
// SETPARM LRGBUF=YES
// LIBDEF *,SEARCH=(ssllib.slib,bsilib.slib)
// EXEC BSTTATLS,SIZE=BSTTATLS
ID 66
*
KEYRING PRD2.CONFIG
DNAME MYCERT
SECTYPE TLSV1
*
OPTION SERVER
ATTLS 23 AS 992 SSL
/*
Partition Size
The BSTTATLS server application requires a minimum 20M partition plus 72K for each socket the BSTTATLS server may have to handle. For example, to support 600 TELNETS sessions, 4 FTPS sessions and 100 HTTPS sessions (704 sockets) you will need a 20MB + 51MB = 71MB partition.
Partition Priority
The BSTTATLS server is very CPU intensive because of the SSL encryption and decryption processing. The BSTTATLS partition priority should always be lower than that of the TCP/IP stack partition.
BSTTATLS Sample Configuration
// OPTION SYSPARM='00'
// SETPARM IPTRACE='NNNNNNN'
// SETPARM LRGBUF=YES
// LIBDEF *,SEARCH=(ssllib.slib,bsilib.slib)
// EXEC BSTTWAIT,SIZE=BSTTWAIT
/*
// EXEC BSTTATLS,SIZE=BSTTATLS
ID 00
*
KEYRING PRD2.CONFIG
DNAME MYCERT
SECTYPE TLSV1
*
* Convert outbound SMTP connections to Implicit-SMTPS
* but only connections to SMTP.GOOGLE.COM
OPTION CLIENT
ATTLS 25 TO SMTP.GOOGLE.COM AS 465 SSL
*
* Convert Implicit-TELNETS connections to TELNET
OPTION SERVER
ATTLS 23 AS 992 SSL
*
* Convert Implicit-HTTPS connections for CICS TS CWI
OPTION SERVER
ATTLS 80 AS 443 SSL
*
* Convert outbound FTP connections to Implicit-FTPS
OPTION CLIENT
OPTION FTP
ATTLS 21 TO FTPS.BSIOPTI.COM AS 990 SSL
*
* Convert inbound Implicit-FTPS connections to FTP
OPTION SERVER
OPTION FTP
ATTLS 21 AS 990 SSL
/*
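As an added illustration (not IPv6/VSE code), the following Python parses the OPTION/ATTLS statements used in the commands table and the sample configuration above and models the routing decision they describe: CLIENT rules intercept only outbound connections to the named TO host, SERVER rules intercept only what arrives on the SSL port. Treating OPTION FTP as applying until the next OPTION CLIENT/SERVER, and the `route` function's interface, are assumptions of this example.

```python
from dataclasses import dataclass
# Constructed sample: the ATTLS statements from this page's sample configuration.
SAMPLE_CONFIG = """\
* Convert outbound SMTP connections to Implicit-SMTPS
OPTION CLIENT
ATTLS 25 TO SMTP.GOOGLE.COM AS 465 SSL
OPTION SERVER
ATTLS 23 AS 992 SSL
OPTION CLIENT
OPTION FTP
ATTLS 21 TO FTPS.BSIOPTI.COM AS 990 SSL
OPTION SERVER
OPTION FTP
ATTLS 21 AS 990 SSL
"""
@dataclass
class AttlsRule:
    mode: str        # CLIENT (outbound) or SERVER (inbound), from the OPTION line
    ftp: bool        # preceded by OPTION FTP: FTP-aware rule
    clear_port: int  # port the unchanged application uses
    ssl_port: int    # port on which BSTTATLS speaks SSL/TLS
    host: str        # CLIENT rules: the TO host the rule is limited to ("" if none)

def parse_attls(text: str) -> list[AttlsRule]:
    """Parse OPTION/ATTLS statements (assumption: OPTION FTP applies until the next OPTION CLIENT/SERVER)."""
    rules, mode, ftp = [], None, False
    for raw in text.splitlines():
        words = raw.strip().upper().split()
        if not words or words[0].startswith("*"):
            continue                                  # blank line or comment
        if words[0] == "OPTION" and words[1] in ("CLIENT", "SERVER"):
            mode, ftp = words[1], False               # start of a new rule group
        elif words[0] == "OPTION" and words[1] == "FTP":
            ftp = True
        elif words[0] == "ATTLS":
            if mode is None or "AS" not in words or "SSL" not in words:
                raise ValueError(f"bad ATTLS statement: {raw.strip()}")
            host = words[words.index("TO") + 1] if "TO" in words else ""
            rules.append(AttlsRule(mode, ftp, int(words[1]), int(words[words.index("AS") + 1]), host))
    return rules

def route(rules, direction, port, host=""):
    """(port, tls, peer) for one socket, or None if left alone; direction is "OUT" for connect(), "IN" for arriving."""
    for r in rules:
        if direction == "OUT" and r.mode == "CLIENT" and port == r.clear_port and host.upper() == r.host:
            return (r.ssl_port, True, r.host)         # clear text out -> SSL/TLS to the named host only
        if direction == "IN" and r.mode == "SERVER" and port == r.ssl_port:
            return (r.clear_port, False, "LOCAL")     # SSL/TLS in -> clear text to the local server
    return None
```

Note that an outbound port 25 connection to any host other than SMTP.GOOGLE.COM, and an inbound connection on the clear text port 21, are left untouched by these rules.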