Question & Answer
Question
Some of our Telnet server ports are defined as SECURE (TELNETPARMS contains either a SECUREPORT or TTLSPORT statement). We installed a new security certificate. How can we make our SECURE Telnet server ports learn about our new security certificate, without having to restart the Telnet server?
Answer
If you are using the native TLS that is built into the TN3270 server (TELNETPARMS contains a SECUREPORT statement) to secure your Telnet ports, you need to do the following:
1. Issue a VARY TCPIP,tn_procname,TELNET,STOp,POrt=Secure command to stop all SECURE Telnet server ports. Any connections currently using the SECURE ports will be dropped. You should see the following message issued for each SECURE port:
EZZ6010I tn_procname SERVER ENDED FOR PORT n
2. Issue a VARY TCPIP,tn_procname,OBEYFILE,DSN=file command, where the file value contains the entire TN3270E server profile. The ports are restarted and the new SECURE connections will begin using the new security certificate.
If, on the other hand, you are using AT-TLS (TELNETPARMS contains a TTLSPORT statement) via the Policy Agent (PAGENT) to secure your Telnet ports, you can use the first option described above, or you can instead issue the MODIFY pagent_procname,UPDATE command. This command triggers the Policy Agent to reread configuration files and causes the SECURE ports to use the new security certificate. You should then see the following message issued:
EZZ8771I PAGENT CONFIG POLICY PROCESSING COMPLETE FOR image : TTLS
For ports secured by AT-TLS via Policy Agent, the advantage of using the MODIFY pagent_procname,UPDATE command is that it is non-disruptive: it picks up the new certificate with no impact to existing connections.
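After either procedure, the confirmation messages quoted above can be checked against a captured console log so that no SECURE port is left on the old certificate unnoticed. The following is an added example, not part of the original answer or of any IBM tooling; it assumes the log is already available as text lines, and the procedure names, port numbers and image name in the sample are constructed.

```python
import re

# Message layouts exactly as quoted in the answer above.
STOPPED = re.compile(r"\bEZZ6010I\s+(\S+)\s+SERVER ENDED FOR PORT\s+(\d+)\b")
PAGENT_DONE = re.compile(
    r"\bEZZ8771I\s+PAGENT CONFIG POLICY PROCESSING COMPLETE FOR\s+(\S+)\s*:\s*TTLS\b"
)

def ports_not_stopped(log_lines, tn_procname, secure_ports):
    """Return the SECURE ports for which tn_procname issued no EZZ6010I."""
    stopped = set()
    for line in log_lines:
        m = STOPPED.search(line)
        # Ignore EZZ6010I from other Telnet server procedures.
        if m and m.group(1) == tn_procname:
            stopped.add(int(m.group(2)))
    return sorted(set(secure_ports) - stopped)

def pagent_ttls_refreshed(log_lines, image):
    """True if EZZ8771I reported TTLS policy processing complete for image."""
    for line in log_lines:
        m = PAGENT_DONE.search(line)
        if m and m.group(1) == image:
            return True
    return False

# Constructed sample console lines (names and ports are illustrative only).
SAMPLE_LOG = [
    "EZZ6010I TN3270A SERVER ENDED FOR PORT 992",
    "EZZ6010I TN3270A SERVER ENDED FOR PORT 1023",
    "EZZ6010I TN3270B SERVER ENDED FOR PORT 2992",
    "EZZ8771I PAGENT CONFIG POLICY PROCESSING COMPLETE FOR TCPIP1 : TTLS",
]

if __name__ == "__main__":
    # Port 2992 was stopped by a different procedure, so it is reported here.
    print("no EZZ6010I seen for:",
          ports_not_stopped(SAMPLE_LOG, "TN3270A", [992, 1023, 2992]))
    print("PAGENT TTLS refresh confirmed:",
          pagent_ttls_refreshed(SAMPLE_LOG, "TCPIP1"))
```
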
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date:
15 April 2015
UID
dwa1182865