IBM Support

Can a single TN3270E port support both secure and non-secure connections?

Question & Answer


Question

In z/OS Communications Server, can a single TN3270E port support both secure and non-secure connections?

Answer

The IP Configuration Guide points out that "A single port can be used to support a mix of secure and non-secure traffic. The port has the designation SECUREPORT or TTLSPORT. To support the configuration of various security policies for a single port, the SECUREPORT or TTLSPORT designation indicates that the port can use TLS/SSL, but the port does not have to use TLS/SSL.

"Telnet supports both negotiated and non-negotiated TLS/SSL.

"Negotiated TLS/SSL is an IETF-defined extension to the TN3270 protocol. With negotiated TLS/SSL, the decision to use TLS/SSL for a connection is based on the outcome of a negotiation between the Telnet client and server using TN3270 protocols. This negotiation is performed after the Telnet connection is established, and if TLS/SSL is negotiated, the TLS/SSL handshake is performed.

"With non-negotiated TLS/SSL, a TLS/SSL handshake is required immediately after the connection is established.

"A single port can concurrently use both negotiated and non-negotiated TLS/SSL connections."

Use the SECUREPORT parameter statement to define a port on which Telnet listens for secure connection requests and performs the TLS/SSL handshake itself, using Telnet's own System SSL support (key ring and cipher settings coded in the Telnet profile).

Use the TTLSPORT parameter statement to define a port on which Telnet listens for secure connection requests and hands the TLS/SSL handshake to the TCP/IP AT-TLS interface; in that case an AT-TLS policy covering the port must be active in Policy Agent, or secure connections to the port fail.

The IP Configuration Guide also points out that "You can use the CONNTYPE statement to modify connection types on a single port. Allowing a port to support both basic [non-secure] and secure connections assumes that either of the following is true:

• The installation allows the client to determine the connection type.

• A subset of the connections that should use a particular connection security type can be identified by Client Identifier.

"In the first case, specify CONNTYPE ANY. If the port was defined as a secure port but the client wants a basic connection, there is a slight delay before connection negotiation begins. This is because when CONNTYPE ANY is coded, Telnet first attempts a TLS handshake to ensure that the client is not requesting TLS support. It is only after the handshake times out and negotiated security is rejected that the basic connection negotiation begins.

"In the second case, the TELNETPARMS block should specify the default connection security type (see the CONNTYPE statement). For connections with different connection security requirements, do the following:

• Identify the clients by Client Identifier.

• Create a group using the PARMSGROUP statement with the alternate CONNTYPE definitions.

• Map the group created with the PARMSGROUP statement to the clients using the PARMSMAP statement."

The following Telnet profile statements define port 1023 to allow both basic and secure connections. The port is coded as TTLSPORT, so an AT-TLS policy for port 1023 must also be in place. Note that the only thing distinguishing the clear-text clients from the secure ones is their source IP address: the subnets in the IPGROUP are effectively trusted to send unencrypted 3270 traffic, so keep that group as small as possible and review it when the network changes.

  TELNETPARMS                 ; port that allows SECURE and BASIC connections
    TTLSPORT 1023             ; note: BEGINVTAM block has PARMSGROUP that may override CONNTYPE
    CONNTYPE SECURE           ; SECURE is the default for the port
  ENDTELNETPARMS
  BEGINVTAM
    PORT 1023
    ...                       ; mapping statements
    IPGROUP LocalIP
      255.255.255.0:10.1.1.0
      255.255.255.0:10.1.2.0
    ENDIPGROUP
    PARMSGROUP BasicPG        ; override the default CONNTYPE
      CONNTYPE BASIC          ; basic connections for clients mapped to this group
    ENDPARMSGROUP
    PARMSGROUP AdminPG
      CONNTYPE ANY            ; clients mapped to this group may use any connection type
    ENDPARMSGROUP
    PARMSMAP AdminPG 10.1.3.3 ; this IP address can use secure or basic connections
    PARMSMAP BasicPG LocalIP  ; hosts defined in IPGROUP LocalIP
                              ; use basic connections as defined in PARMSGROUP BasicPG
  ENDVTAM
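After activating a profile like the one above, it is worth checking from each client network what the port actually accepts, rather than trusting the mapping. The probe below is an added example and is not part of the IBM page or the product; it implements the two server behaviours the guide describes: a non-negotiated connection (TLS handshake immediately after connect) and negotiated TLS, in which the server sends the Telnet START-TLS option (option 46, IAC DO START_TLS) and falls back to basic negotiation (IAC DO TN3270E or DO TERMINAL-TYPE) if the client declines. The host, port and timeout are assumptions; the timeout must exceed the server's TLS handshake wait, otherwise a CONNTYPE ANY port looks silent to a clear-text client.

```python
"""Probe which connection types a TN3270E listener accepts (added example)."""
import socket
import ssl

# Telnet command bytes (RFC 854) and the options a TN3270 server negotiates.
IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254
OPT_TERMINAL_TYPE = 24
OPT_TN3270E = 40
OPT_START_TLS = 46      # Telnet START-TLS option used by negotiated TLS/SSL

# Constructed samples of a server's first bytes, used for the offline checks.
SAMPLE_NEGOTIATED = bytes([IAC, DO, OPT_START_TLS])
SAMPLE_BASIC = bytes([IAC, DO, OPT_TN3270E])


def parse_server_negotiation(data: bytes):
    """Return the (verb, option) pairs the server sent; subnegotiations
    (IAC SB ... IAC SE), escaped 0xFF data bytes and plain data are skipped."""
    cmds = []
    i = 0
    while i < len(data):
        if data[i] != IAC:
            i += 1
            continue
        if i + 1 >= len(data):
            break
        verb = data[i + 1]
        if verb in (WILL, WONT, DO, DONT) and i + 2 < len(data):
            cmds.append((verb, data[i + 2]))
            i += 3
        elif verb == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                      # IAC IAC (escaped data) or a bare command
            i += 2
    return cmds


def classify(cmds):
    """Map the server's DO requests to the connection type it is offering."""
    offered = {opt for verb, opt in cmds if verb == DO}
    if OPT_START_TLS in offered:
        return "negotiated-tls-offered"
    if offered & {OPT_TN3270E, OPT_TERMINAL_TYPE}:
        return "basic"
    return "no-negotiation"


def recv_some(sock, timeout):
    """Read until the server pauses; the first wait is the long one."""
    sock.settimeout(timeout)
    chunks = []
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
            sock.settimeout(1.0)   # drain briefly once data has started
    except socket.timeout:
        pass
    return b"".join(chunks)


def probe(host, port, timeout=10.0):
    """Try a non-negotiated TLS handshake first, then a clear-text connection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # probe only: never disable verification in a real client
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("secure (non-negotiated TLS accepted)", tls.version())
    except (ssl.SSLError, socket.timeout, ConnectionError):
        pass
    with socket.create_connection((host, port), timeout=timeout) as s:
        first = classify(parse_server_negotiation(recv_some(s, timeout)))
        if first != "negotiated-tls-offered":
            return (first, None)
        s.sendall(bytes([IAC, WONT, OPT_START_TLS]))   # decline negotiated TLS
        second = classify(parse_server_negotiation(recv_some(s, timeout)))
        if second == "basic":
            return ("any (negotiated TLS offered, basic accepted)", None)
        return ("negotiated TLS required", None)


if __name__ == "__main__":
    print(classify(parse_server_negotiation(SAMPLE_NEGOTIATED)))
    print(classify(parse_server_negotiation(SAMPLE_BASIC)))
    # probe("tn3270.example.com", 1023)   # assumed host; run from each client subnet
```

Run `probe()` once from a host inside the IPGROUP subnets and once from outside them: the inside run should report basic, the outside run should report that non-negotiated TLS was accepted and, if the plain connection is also tried, that a clear-text session is refused. A result that differs from the intended mapping usually means a PARMSMAP matched a wider client identifier than expected.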

Product: z/OS Communications Server (Systems w/TPS, Mainframe SW); Platform: z/OS

Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
31 August 2015

UID

dwa1210908