IBM Support

How can we make our SECURE Telnet server ports learn about our new security certificate, without having to restart the Telnet server?

Question & Answer


Question

Some of our Telnet server ports are defined as SECURE (TELNETPARMS contains either a SECUREPORT or TTLSPORT statement). We installed a new security certificate. How can we make our SECURE Telnet server ports learn about our new security certificate, without having to restart the Telnet server?

Answer

If you are using the native TLS that is built into the TN3270 server (TELNETPARMS contains a SECUREPORT statement) to secure your Telnet ports, you need to do the following:

  1. Issue a VARY TCPIP,tn_procname,TELNET,STOp,POrt=Secure command to stop all SECURE Telnet server ports. Any connections currently using the SECURE ports will be dropped. You should see the following message issued for each SECURE port: EZZ6010I tn_procname SERVER ENDED FOR PORT n

  2. Issue a VARY TCPIP,tn_procname,OBEYFILE,DSN=file command, where the file value contains the entire TN3270E server profile. The ports are restarted and the new SECURE connections will begin using the new security certificate.

If, on the other hand, you are using AT-TLS via the Policy Agent (PAGENT) to secure your Telnet ports (TELNETPARMS contains a TTLSPORT statement), you can use the first option described above, or you can instead issue the MODIFY pagent_procname,UPDATE command. This command triggers the Policy Agent to reread configuration files and causes the SECURE ports to use the new security certificate. You should then see the following message issued:

EZZ8771I PAGENT CONFIG POLICY PROCESSING COMPLETE FOR image : TTLS

For ports secured by AT-TLS via Policy Agent, the advantage of using the MODIFY pagent_procname,UPDATE command is that it is non-disruptive: it picks up the new certificate with no impact to existing connections.
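When the certificate rollover is scripted, the two confirmation messages quoted above can be checked automatically. The following is an added example, not IBM code: it assumes the console log has been captured as plain text lines, and the procedure names (TN3270A, TN3270B), image name (SYS1), port numbers and timestamps are constructed for illustration.

```python
import re

# Message texts are the two quoted on the page; the log capture format,
# procedure name, image name and port numbers below are constructed.
PORT_ENDED = re.compile(r"\bEZZ6010I\s+(\S+)\s+SERVER ENDED FOR PORT\s+(\d+)")
POLICY_DONE = re.compile(
    r"\bEZZ8771I\s+PAGENT CONFIG POLICY PROCESSING COMPLETE FOR\s+(\S+)\s*:\s*TTLS\b"
)

SAMPLE_LOG = [  # constructed sample, not real console output
    "10:02:11 VARY TCPIP,TN3270A,TELNET,STOP,PORT=SECURE",
    "10:02:11 EZZ6010I TN3270A SERVER ENDED FOR PORT 992",
    "10:02:12 EZZ6010I TN3270B SERVER ENDED FOR PORT 1023",
    "10:07:40 MODIFY PAGENT,UPDATE",
    "10:07:41 EZZ8771I PAGENT CONFIG POLICY PROCESSING COMPLETE FOR SYS1 : TTLS",
]

def ports_not_ended(log_lines, tn_procname, secure_ports):
    """SECURE ports of tn_procname with no EZZ6010I in the log (step 1 check)."""
    ended = set()
    for line in log_lines:
        m = PORT_ENDED.search(line)
        # Match on the procedure name too, so another server's message
        # for the same port number is not counted.
        if m and m.group(1) == tn_procname:
            ended.add(int(m.group(2)))
    return sorted(set(secure_ports) - ended)

def ttls_policy_refreshed(log_lines, image):
    """True if EZZ8771I reported TTLS policy processing complete for image."""
    for line in log_lines:
        m = POLICY_DONE.search(line)
        if m and m.group(1) == image:
            return True
    return False

if __name__ == "__main__":
    missing = ports_not_ended(SAMPLE_LOG, "TN3270A", [992, 1023])
    print("SECURE ports still lacking EZZ6010I:", missing)
    print("TTLS policy refreshed on SYS1:", ttls_policy_refreshed(SAMPLE_LOG, "SYS1"))
```

A port returned by `ports_not_ended` has not been confirmed as stopped, so it should be checked before relying on the OBEYFILE step to bring it back with the new certificate.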


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
15 April 2015

UID

dwa1182865