ARSSOCKD and TLS v1.2 - proof of concept


Ed_Arnold

How to set up ARSSOCKD so that it's only accessible via TLS v1.2?

1. Get SSL up and running as per this thread:

http://ODUG.net/index.php?topic=1938.0

2. Disable the non-SSL connections:

SSL_CLNT_USE_SSL=1

3. Add the following ENVAR to ARSSOCKD:

XXARSSOC95 EXEC PGM=ARSSOCKD,REGION=0M,TIME=NOLIMIT,
XX  PARM='ENVAR(GSK_PROTOCOL_TLSV1_2=ON,GSK_PROTOCOL_TLSV1=0)
XX              /-S -I ARCH950 -v'


4. At this point you should be able to log on with the Windows client and load from Windows as well.  You can verify that the connection is TLS v1.2 via your favorite TCP/IP utility.

5. For batch verification on the same LPAR, you need to add the ENVAR to each batch job; for example, to run the validate utility:

//STEP1     EXEC PGM=ARSMAINT,REGION=0M,
// PARM='ENVAR(GSK_PROTOCOL_TLSV1_2=ON,GSK_PROTOCOL_TLSV1=0)
//              /-I ARCH950 -o   -v'
//STEPLIB    DD DISP=SHR,DSN=ARS.ARSV950.SARSLOAD
//ARSBIN     DD PATH='/usr/lpp/ars/V9R5M0/bin'
//SYSPRINT   DD SYSOUT=*,DCB=(RECFM=FBA,LRECL=134,BLKSIZE=134)


6. For security, the certificate is checked.  In the batch job's JOB card I had to add the USER= parm as per this thread:

ODUG.net/index.php?topic=2296

Ed

#zOS #ODF
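A way to do the step 4 verification from a workstation, added here as an example and not part of Ed's post or of the CMOD product: the script pins a client handshake to one TLS version at a time and reports which ones the server completes, so a correctly configured ARSSOCKD should accept TLS 1.2 and refuse TLS 1.0 and 1.1. The host name and port are assumptions; the page does not state them.

```python
import socket
import ssl

# Assumed values: the page names neither the host nor the port ARSSOCKD listens on.
ARSSOCKD_HOST = "zos.example.invalid"
ARSSOCKD_PORT = 1445

# The versions the ENVAR in step 3 turns on (TLSv1.2) and off (TLSv1).
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def probe(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`; True only if the
    server completed it (refused, dropped, or unreachable all give False)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # The question is protocol negotiation, not certificate trust, so the
    # probe does not validate the server certificate.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Recent OpenSSL refuses TLS 1.0/1.1 at its default security level;
        # lower it so the old versions are actually offered to the server.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # builds without SECLEVEL support keep their defaults
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe_all(host, port):
    """Map each version name to whether the server accepted it."""
    return {name: probe(host, port, ver) for name, ver in VERSIONS.items()}


def tls12_only(results):
    """True when the server behaves as step 3 intends: TLS 1.2 accepted,
    every older version refused."""
    return bool(results.get("TLSv1.2")) and not any(
        ok for name, ok in results.items() if name != "TLSv1.2")
```

Run `probe_all(ARSSOCKD_HOST, ARSSOCKD_PORT)` after step 3 and feed the result to `tls12_only`; a `True` for TLSv1 or TLSv1.1 means the ENVAR did not take effect for that address space.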

Ed_Arnold

I had a question about running ARSEXOAM via TLS 1.2 as on the EXEC line it has no parms.

We accomplished this via an inline CEEOPTS parameter.

Specifically:

//CEEOPTS DD *
RPTOPTS(ON)
ENVAR(GSK_PROTOCOL_TLSV1_2=ON,GSK_PROTOCOL_TLSV1=0)
/*

You'll see what CEEOPT parameters are in effect if you have a
//SYSOUT  DD *
in the JCL.

Ed
#zOS #ODF

Ed_Arnold

I was informed today that TLS V1.2 is the default starting at CMOD V10.1.

Ed
#zOS #ODF