Associate Printer

Use this panel to enter a new printer name to associate with a terminal device name.

This function is unique to TN3270. A terminal client first connects to the TN3270 server. A printer client then connects and requests to be associated with the terminal LU name. The server understands this special request and knows to assign the printer client to the LU printer name that is associated with the terminal.

Before you begin, know the printer name you want to associate with a terminal device.

Steps

  1. Enter a printer name, following standard naming conventions.
  2. Click OK when you are done.

You have completed this panel after you have entered a new printer name.

Fields

Printer name

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Printer name

The name of the printer, 1-8 characters, following these rules:



Associate Printer Group

Use this panel to select from a list of printer group names.

This function is unique to TN3270. A terminal client first connects to the TN3270 server and is assigned an LU from a defined LU group. A printer client then connects and requests to be associated with the terminal LU name. The server understands this special request and knows to assign the printer client to the LU printer name that is associated with the terminal LU within the LU terminal group.

Before you begin, ensure that the printer group you want to associate with a terminal LU group contains the same number of LUs as the terminal LU group. This association links a terminal LU group with a printer LU group. The two LU groups MUST have the same number of LUs defined so the LUs can be paired.

For example, a payroll application can automatically send print data to a certain printer set up to print payroll data, based on the terminal LU processing the request. If the requested device name is already in use, the connection request is rejected.

Only printer groups that contain the same number of LUs as the number of LUs in the terminal device group appear in the pull-down list.

Steps

  1. Select a printer group name from the pull-down list.

  2. "No selection" is the default, and the only choice if:
  3. Click OK when you are done.

You have completed this panel after you selected from the list provided.

Fields

Printer group

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Printer group

This is a list of the printer groups that contain the same number of LUs as the Terminal LU group that you are editing. Select which printer group you want to associate with the Terminal group. If you do not want to associate a printer group, choose the No selection entry. If there are no printer groups defined that have the same number of LUs as this terminal group, then No selection is the only available and valid choice.



Encryption Choices

Use this panel to customize cryptographic algorithms. To provide port security, the TN3270 server uses the encryption services of SSL or TLS to protect data. Your z/OS system SSL/TLS provides a defined set of encryption and data authentication algorithms we refer to as ciphers. The encryption algorithm scrambles the data so that it cannot be interpreted. The data authentication algorithm ensures that the data is delivered completely without alteration.

Before you begin, make some decisions about security.

Steps

  1. Click the button that describes what you want to do (use the defaults, not use ciphers, or select which algorithms).
  2. If you select that you want to specify algorithms, specify if this system is subject to export regulations.
  3. Put a check in the box in front of the ciphers you want to enable. You can select more than one.

You have completed this panel after you have:

You can find more detailed help on the following elements of this window:

I want to use the defaults

I do not want to use ciphers

I want to select which algorithms to use

Is this system subject to export regulations?

Select ciphers to enable

Radio Buttons
Click I want to use the defaults to use defaults.
Click I do not want to use ciphers to indicate you will not use ciphers.
Click I want to select which algorithms to use to indicate you will be selecting particular algorithms to use.
Click Yes to indicate your system is subject to export regulations.
Click No to indicate your system is not subject to export regulations.

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



I want to use the defaults

Click here if you want to use the defaults of the TN3270 server, using the services of the system SSL and TLS programming interface. When using the defaults, the system SSL/TLS services determine the cipher algorithms that are installed and available on your system. These will be used to negotiate the level of cipher to use for each connection with the client. The system SSL/TLS services have a set priority order they use when negotiating with the client, which is:

  1. RC4 (128-bit) encryption, SHA authentication
  2. RC4 (128-bit) encryption, MD5 authentication
  3. AES (256-bit) encryption, SHA authentication
  4. AES (128-bit) encryption, SHA authentication
  5. Triple DES encryption, SHA authentication
  6. DES encryption, SHA authentication
  7. RC4 (40-bit) encryption, MD5 authentication
  8. RC2 (40-bit) encryption, MD5 authentication
  9. No encryption, SHA authentication
  10. No encryption, MD5 authentication



I do not want to use ciphers

Click here to indicate that you do not want any encryption or data authentication to be performed.



I want to select which algorithms to use

Click here if you want to specify which algorithms to use. If you select multiple algorithms, the TN3270 server must exchange information with the client to determine which of the algorithms to use. This is based on:

The TN3270 server uses the list of selected algorithms in the same preferred order in which they appear on the panel. This order is:

  1. RC4 (128-bit) encryption, SHA authentication
  2. RC4 (128-bit) encryption, MD5 authentication
  3. AES (256-bit) encryption, SHA authentication
  4. AES (128-bit) encryption, SHA authentication
  5. Triple DES encryption, SHA authentication
  6. DES encryption, SHA authentication
  7. RC4 (40-bit) encryption, MD5 authentication
  8. RC2 (40-bit) encryption, MD5 authentication
  9. No encryption, SHA authentication
  10. No encryption, MD5 authentication

This information is passed on to the z/OS SSL/TLS programming interface. The z/OS SSL/TLS programming interface determines what ciphers are installed at this z/OS installation, and negotiates with the client about what ciphers it supports.



Is this system subject to export regulations?

Select 'Yes' if it is. This disables the choices that are not available due to export restrictions. 'No' is the default. The ciphers that are not available for export are:



Select ciphers to enable

You may select the ciphers that system SSL/TLS will attempt to negotiate with the client. The TN3270 server will pass your selections to the system SSL/TLS programming services and will indicate the order of preference as:

  1. RC4 (128-bit) encryption, SHA authentication
  2. RC4 (128-bit) encryption, MD5 authentication
  3. AES (256-bit) encryption, SHA authentication
  4. AES (128-bit) encryption, SHA authentication
  5. Triple DES encryption, SHA authentication
  6. DES encryption, SHA authentication
  7. RC4 (40-bit) encryption, MD5 authentication
  8. RC2 (40-bit) encryption, MD5 authentication
  9. No encryption, SHA authentication
  10. No encryption, MD5 authentication
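
The preference order listed above, modelled as an added Python example (not part of the original help text or of the product) to show what a session negotiates under the defaults compared with an AES-only selection, and which choices a review would flag. It assumes all ten ciphers are installed, that the first enabled entry the client also supports is chosen, and that the weakness rules are this example's own review policy.

```python
from typing import Dict, Iterable, List, Optional

# The ten panel choices in the order the page lists them (first = most preferred).
PANEL_ORDER = [
    "RC4 (128-bit) encryption, SHA authentication",
    "RC4 (128-bit) encryption, MD5 authentication",
    "AES (256-bit) encryption, SHA authentication",
    "AES (128-bit) encryption, SHA authentication",
    "Triple DES encryption, SHA authentication",
    "DES encryption, SHA authentication",
    "RC4 (40-bit) encryption, MD5 authentication",
    "RC2 (40-bit) encryption, MD5 authentication",
    "No encryption, SHA authentication",
    "No encryption, MD5 authentication",
]

# An AES-only selection, as a reviewer might tick on the panel (assumption).
AES_ONLY = [c for c in PANEL_ORDER if c.startswith("AES")]


def findings(choice: str) -> List[str]:
    """Reasons a reviewer would flag one panel choice (example policy)."""
    reasons = []
    if choice.startswith("No encryption"):
        reasons.append("session data is sent unencrypted")
    if "(40-bit)" in choice:
        reasons.append("40-bit export-grade key")
    if choice.startswith("RC4"):
        reasons.append("RC4 is prohibited in TLS by RFC 7465")
    if choice.startswith("DES "):
        reasons.append("single DES, 56-bit key")
    if choice.startswith("Triple DES"):
        reasons.append("64-bit block cipher")
    if choice.endswith("MD5 authentication"):
        reasons.append("MD5-based data authentication")
    return reasons


def _check(choices: Iterable[str]) -> set:
    chosen = set(choices)
    unknown = chosen - set(PANEL_ORDER)
    if unknown:
        raise ValueError(f"not a panel choice: {sorted(unknown)}")
    return chosen


def review(enabled: Iterable[str]) -> Dict[str, List[str]]:
    """Flagged choices among the enabled ones, kept in preference order."""
    chosen = _check(enabled)
    return {c: findings(c) for c in PANEL_ORDER if c in chosen and findings(c)}


def negotiate(enabled: Iterable[str], client_supports: Iterable[str]) -> Optional[str]:
    """First enabled choice, in panel order, that the client also supports.
    Returns None when there is no overlap (the handshake would fail)."""
    chosen, offered = _check(enabled), _check(client_supports)
    for choice in PANEL_ORDER:
        if choice in chosen and choice in offered:
            return choice
    return None


if __name__ == "__main__":
    # Constructed clients: one supports everything, one only an unencrypted suite.
    full_client = PANEL_ORDER
    null_client = ["No encryption, SHA authentication"]
    for name, enabled in (("defaults", PANEL_ORDER), ("AES only", AES_ONLY)):
        print(name, "/ full client ->", negotiate(enabled, full_client))
        print(name, "/ null client ->", negotiate(enabled, null_client))
        for choice, reasons in review(enabled).items():
            print("   flag:", choice, "|", "; ".join(reasons))
```

With every choice enabled, a client that supports AES still negotiates RC4 because RC4 sits first in the order, and a client that offers only an unencrypted suite is accepted; with the AES-only selection the second client has no common cipher.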



Host Name Specification

Use this panel to signify you want the client identifier to be a particular host name or that the client's host name should match an entry in a particular group.

Before you begin, you should decide whether you want the client identifier to have a particular host name or you want the client's host name to match an entry in a particular group. Depending on that decision, do one of the following:

Steps

  1. Either click on "The client must have the following host name", and fill in the host name following standard naming conventions.
  2. Or click on "The client's host name must match an entry in this group". Fill in the Group name. This is required; at least one entry must be added. Optionally add, edit or remove other host names in this group.

You have completed this panel when you have selected either radio button, and filled either the host name field or the group name.

Fields

Host name

Group name

Host names in group

Radio Buttons
Click The client must have the following host name if you want the client to always connect using this host name.
Click The client's host name must match an entry in this group if the client's host name can be an entry in a group.

Push buttons
Click Add to add host names to the group.
Click Edit to edit host names in the group.
Click Remove to remove host names from the group.



Host name

1 - 66 characters, one or more character strings, separated by dots (periods).

For example:

mycomputer.city.company.com



Group name

The name of the group following these rules:



Host names in group

The list of host names in this group that you can add, edit, or remove.



Host Name

Use this panel to specify a host name.

Before you begin, know the host name you want to specify.

Steps

  1. Follow standard naming conventions to enter the hostname.
  2. Click OK when you are done.

You have completed this panel when you have entered a hostname meeting the requirements.

Fields

Host name

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Host name

1 - 66 characters, can be one or more character strings, separated by dots (periods).

An example is:

mycomputer.city.company.com



IP Address Specification

Use this panel to signify you want the client identifier to be a particular IP address or that the client's IP address should match an entry in a particular group.

Before you begin, decide whether you want the client to have a particular IP address or you want the client's IP address to match an entry in a particular group. Depending on that decision, do one of the following:

Steps

  1. Either click on "The client must have the following IP address", and fill in the IP address following standard naming conventions.
  2. Or click on "The client's IP address must match an entry in this group". Fill in the Group name. This is required; at least one entry must be added. Optionally add, edit or remove other IP addresses in this group.

You have completed this panel when you have selected either radio button, and filled either the IP address field or the Group name.

Fields

IP address

Group name

IP addresses in group

Radio buttons

Click The client must have the following IP address to indicate the client must use the IP address entered.

Click The client's IP address must match an entry in this group to indicate the client's IP address should be an entry in the specified group. You have the ability to add, edit and remove IP addresses in this group.

Push buttons
Click Add to add an IP address/subnet in this group.
Click Edit to modify an IP address/subnet in this group.
Click Remove to delete an IP address/subnet in this group.



IP address

The IP address must be specified in dotted decimal notation, in which a 32-bit IP address is represented as four decimal numbers, one for each 8 bits, separated by dots (periods). Each of the four decimal numbers is greater than or equal to 0 and less than or equal to 255. For example:

00001010  00000001  10110100  11111110    a 32-bit address
10        1         180       254         dotted decimal notation (10.1.180.254)



Group name

The name of the group following these rules:



IP addresses in group

The list of IP addresses that you can add, edit, or remove. The IP addresses in the list consist of either an IP address or a subnet value and subnet mask.



User ID Specification

Use this panel to signify you want the client identifier to be a particular user ID or that the client's user ID should match an entry in a particular group.

The User IDs for a client identifier are not the same thing as the user IDs entered at TN3270 clients when logging on to an application. Typically, when a client logs on to the application the end user will enter the application name, user ID, and password. However, the client's log on user ID is NOT what is used to match to the User IDs in client identifiers.

To understand what the User IDs of a client identifier represent, you must first understand that User ID client identifiers are only available for connections that use the client authentication function of SSL. Client authentication can be specified to use multiple levels of authentication.

  1. Level 1 authentication is performed by system SSL. The client passes an X.509 certificate to the server. To pass authentication, the Certificate Authority that signed the client certificate must be considered trusted by the server.

  2. Level 2 authentication provides level 1 authentication and additionally requires that the client certificate be registered with RACF (or other SAF compliant security product) and mapped to a user ID. The client certificate received during the SSL handshake is used to query the security product to verify that the certificate maps to a user ID known to the system prior to connection negotiation.

Level 2 authentication must be enabled to make use of the User ID client identifiers. It is the user ID returned from RACF during level 2 authentication that is used to find matches in these client identifiers. To enable this level of authentication you should select Use security server to verify client user ID on the Advanced SSL Settings panel.

Before you begin, you should decide whether you want the client to have a particular user ID or you want the client's user ID to match an entry in a particular group. Depending on that decision, do one of the following:

Steps

  1. Either click on "The client must have the following User ID", and fill in the User ID following standard naming conventions.
  2. Or click on "The client's user ID must match an entry in this group". Fill in the Group name. This is required; at least one entry must be added. Optionally add, edit or remove other User IDs in this group.

You have completed this panel when you have selected either radio button, and filled either the User ID field or the Group name.

Fields

User ID

Group name

User IDs in group

Radio Buttons
Click The client must have the following user ID if you want the client to always connect using this user ID.
Click The client's user ID must match an entry in this group if the client's user ID can be an entry in a group.

Push buttons
Click Add to add User IDs in this group.
Click Edit to modify User IDs in this group.
Click Remove to delete User IDs in this group.



User ID

The name of the user, following these rules:



Group name

The name of the group following these rules:



User IDs in group

The list of user IDs in the group that you can add, edit, or remove.



User ID

Use this panel to specify a user ID.

Before you begin, know the user ID you want to specify.

Steps

  1. Enter the user ID.
  2. Click OK when you are done.

You have completed this panel when you have entered a user ID meeting requirements.

Fields

User ID

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



User ID

The name of the user, following these rules:



Application Assignment Type

Use this panel to set the application access method for clients that match this client identifier.

When assigning applications, you must understand some characteristics of the connecting clients. The client may be a terminal or a printer. If the client is a terminal, then it is likely connecting in to an application that provides full screen TN3270 support. However, it may be connecting to a line mode application such as TSO. If the client is a printer, then it is likely that the application will initiate the session to the client and no additional application access needs to be defined. There are several ways of setting up application access based on the characteristics of the client and the application.

Before you begin, decide which of the 4 types of applications you want to assign (for printers, for terminal-full screen mode sessions, for a USS table, or line mode sessions).

Steps

  1. Click on the particular assignment you want to make.
  2. Enter the name in the field provided, ensuring the name follows standard naming conventions.
  3. Click OK to indicate you are done.

You have completed this panel when you have selected one of the 4 assignment options.

Fields

Application name

USS table name

Radio buttons

Click Assign application for printers to indicate you want to map an application for printer clients.

Click Assign application for terminal-full screen mode sessions to indicate you want to map an application for terminal-full screen mode clients.

Click Display a USSMSG10 panel to indicate you want a USS MSG10 sent to the terminal client.

Click Assign application for line mode sessions to indicate you want to map an application for line mode session clients.

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Application name

The name of the application, following these rules:

The application name may be network qualified. A network qualified application name consists of a 1-8 character network ID followed by an application name, with the names separated by a period.



USS table name

The name of the USS table, following these rules:



LU Group Definition

Use this panel to enter a group name, group type and group members.

Before you begin, know the group name, type and members you want to enter.

Steps

  1. If you are adding a new group:
    1. Enter the Group name.
    2. Select the group type by clicking on either Terminal or Printer.
    3. Click Add to add a group member.
      At least one entry is required.
    4. Click Edit to edit a group member.
    5. Click Remove to remove a group member.
  2. If you are editing a group:
    1. You may change the name of the group, but not the type.
    2. You may add, edit or remove a group member.
      At least one entry is required.
  3. If you are editing a group that has been assigned to the client id:
    1. You have the option of clicking associate printer if you want to relate this group name to a particular printer.
  4. Click OK when you are done.
  5. You may use the Move Up and Move Down buttons to reorder the entries in the list. The order of the list does not matter unless you are associating a terminal group with a printer group. See Associate Printer Group... for more information.

You have completed this panel when you have entered the group name, selected the type and added, edited or removed group member names.

Fields

Group name

Group type

Group members

Radio Buttons
Click Terminal to indicate the group type is a terminal group.
Click Printer to indicate the group type is a printer group.

Push buttons
Click Associate Printer Group... to associate this group name with a printer. This button is only available when editing an LU terminal group that has been assigned to the client identifier.
Click Add to add a group member. This button is only available when editing from the LU groups table.
Click Edit to edit a group member. This button is only available when editing from the LU groups table.
Click Remove to remove a group member. This button is only available when editing from the LU groups table.
Click Move Up to move a group member up in the list.
Click Move Down to move a group member down in the list.
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Associate printer group

This button is available only when editing a terminal LU group assigned to a client identifier.

Use this button to establish a TN3270 printer association, which allows a printer to specify an active LU terminal name during connection negotiation. The server understands this special request and knows to assign a printer LU name associated with the requested terminal LU name. The association is established by linking a terminal LU group with a printer LU group. The two LU groups MUST have the same number of LUs defined. For example, once the pools are linked, the server will assign the third printer LU to a printer connection that requests association with the third terminal LU.



Group name

The name of the group following these rules:



Group type

The group can be either for terminal clients or printer clients.



Group members

The list of group members that you can add, edit, or remove. At least one entry is required.



LU Assignment Type

Use this panel to select the type of object to be mapped to the client identifier.

Before you begin, decide which of the 4 types of objects (specific terminal, terminal LU group, specific printer, printer group) you want to associate with the client.

Steps

  1. Click on the type of object you want mapped to the client.
  2. Enter the name in the field provided, ensuring the name follows standard naming conventions.
  3. If you click on Terminal LU group, select the group name from the pull down menu or click on New group to specify a new group.
  4. If you click on Printer group, select the group name from the pull down menu or click on New group to specify a new group.
  5. Click OK to indicate you are done.

You have completed this panel when you have selected one of the 4 types of objects you can map to a client.

Fields

Terminal name

Group name

Printer name

Radio buttons

Click Specific terminal to indicate you want the client identifier mapped to a particular terminal, known by an LU name.

Click Terminal LU group to indicate you want the client identifier mapped to a particular terminal LU group, known by a group name.

Click Specific printer to indicate you want the client identifier mapped to a particular printer, known by a printer name.

Click Printer group to indicate you want the client identifier mapped to a particular printer group, known by a printer group name.

Push buttons
Click New group to specify a new group to associate with a terminal LU group or a printer group.
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Terminal LU name




Group name

A drop down list of all currently defined terminal or printer groups. Select from the list and click OK.



Printer name

The name of the printer, following these rules:



LU and Application Assignments

Client identifiers are used to match clients to VTAM LUs and to connect the clients to applications. Use this panel to indicate which LUs will be assigned to this client identifier and to specify how the clients get assigned to applications.

When a client connects to the TN3270 server, the server searches the client identifiers to find a match. For example, if this client identifier is an IP address group and a client connects to the server, the server looks to see if the client's IP address is one of the IP addresses in the IP address group. If a match is found, the server determines which LUs are assigned to the client identifier and in turn assigns the client's connection to one of these LUs. Likewise, the server determines the application access method that has been assigned to the client identifier and uses the assigned method to allow the client to access the correct application.

You assign LUs to the client identifier for clients that connect as terminals and separate ones for clients that connect as printers. You may not have clients that are printers and you are not required to assign LUs for clients that are printers. There are no LUs assigned by default. For both printers and terminals, you can assign either individual LUs or groups of LUs. This panel is also used to create and manage all LU groups.

When assigning applications to the client identifier, you must understand some characteristics of the connecting clients. If the client is a terminal, then it is likely connecting in to an application that provides full screen TN3270 support. However, it may be connecting to a line mode application such as TSO. There are several ways of setting up application access based on the characteristics of the client and the application.

It is recommended that you assign all desired application access and enough LUs for all clients that match this client identifier. However, such assignments are not required. It is possible that you define multiple client identifiers that match a specific client. One of the client identifiers may be assigned LUs, but no application access. The other client identifier may be assigned application access, but no LUs. In this case the TN3270 server will use an LU from one client identifier and the application access from the other client identifier to set up the client's session. You are required to assign at least one LU or application access to the client identifier, otherwise the client identifier does not provide any function. If you do not assign all necessary LUs or all application access to this client identifier, you must be careful to understand the interaction between multiple client identifiers.

Before you begin, decide whether you want to make application assignments and how you want to make LU assignments.

Steps

  1. You must assign at least one LU for either terminal clients or printer clients or at least one application/USS table. Use the Assign LUs... button to make your LU assignments. This will allow you to assign either individual LUs or LU groups for both terminal clients and printer clients.
  2. You may assign as many individual LUs or groups as needed using the Assign LUs... button.
  3. You may want to override the application access defaults. To do this, use the Assign application... button.
  4. If you want to edit or remove an LU or an application assignment in the left window, select it and click on the edit button or the remove button. If an individual terminal LU or terminal LU group is assigned, you may edit the assignment and associate a printer.
  5. If you want to add, edit or delete LU groups, click on Add and you can specify a new LU group name and group type. You can also edit and delete LU groups by selecting them and clicking on the action you want to perform.

You have completed this panel after you have assigned at least one LU.

Fields

LU and application assignments

LU groups currently defined

Push buttons for LU and application assignments
Click Assign LUs to assign terminal and printer LUs and LU groups to clients.
Click Assign application to set the applications for the clients.
Click Edit to edit an LU or application assignment.
Click Remove to remove an LU or application assignment.

Push buttons for LU groups currently defined
Click Add to add a terminal or printer LU group name.
Click Edit to edit a terminal or printer LU group name.
Click Remove to remove a group name.



LU and application assignments

These are the LU and application assignments already available. The client id tree shows the five types of assignments that may be made:

Use the tree structure to see what assignments have been made. If no assignment has been made for one of the types, the default setting is displayed.

Use the Assign LUs... and Assign application... buttons to make assignments. Once an assignment has been made, you can select it and use the Edit or Remove buttons. If the assignments are removed you will see the default assignment displayed. You cannot edit or remove the default assignments.



LU groups currently defined

These are the LU groups previously defined. You can add, edit, or delete them here. These groups define terminal clients or printer clients. When you add a new group, specify whether it is for terminals or printers. When you edit a group, you can change its name and also modify the entries in the group. However, you cannot change the group type that indicates whether the group is for terminals or printers.



Client Identifier Type

Use this panel to select which type of client identifier you want to define.

When clients connect, the TN3270 server searches the defined client identifiers looking for a match. A match tells the server how to assign the client to the correct VTAM LU and application. There are five basic types of client identifiers you can define.

It is possible that a client would match multiple client identifiers. For example, a client's host name may be in one client identifier and its IP address in another. If this is the case, TN3270 server uses the same priority order as the order the types appear in the list above and on the panel.

Before you begin, decide how you want the client to be identified.

Click on the identification you want to use. The Client user ID option is available and valid only for ports using security.

You have completed this panel after you have selected the identification you want to use.

Radio buttons

Click Client user ID to define a client identifier that matches clients' user ids.

Click Client host name to define a client identifier that matches clients' host names.

Click Client IP address to define a client identifier that matches clients' IP addresses.

Click Destination link IP address to define a client identifier for clients that connect in through specific links identified by the link IP address.

Click Destination link name to define a client identifier for clients that connect in through specific links identified by the link name.



Client Identifiers

This panel allows you to either define a new client identifier or modify an existing one. The TN3270 server uses Client identifiers to match clients as they connect. For example, a client identifier may be a client's IP address. When the client connects to the server, the server sees this client's IP address matches the one defined in the client identifier. The server then uses this client identifier to know which VTAM LU to assign to the client and to which application to connect the client.

Tasks

When you are defining a new client identifier, you perform several tasks.

  1. You will decide what type of client identifier you are defining. The possible types are:
  2. Once you decide on the type, you will next decide whether the client identifier should be a group or an individual. For example, you may select the type as a client's IP address. You can then either define the client identifier to be an individual IP address or a group of IP addresses. If it is an individual IP address, then a client with that exact IP address must connect for the TN3270 server to find a match. If you define an IP address group, you can populate the group with a collection of IP addresses and/or subnets. This allows for a large number of clients to connect that will match the client identifier.
  3. You will assign LUs to the client identifier. The server uses the client identifiers to match clients when they connect. Once a match is found, the server sees which LUs you have assigned to the client identifier and then uses one of these LUs for the client's connection.
  4. You may assign applications to the client identifier. Once the server has matched a client identifier, the server sees which application you have assigned to the client identifier and connects the client accordingly.

Client identifiers search order

When a client connects in, the server may find that the client matches multiple client identifiers. The server uses the following search order priority to determine the match:

  1. Individual client user ID
  2. Individual client hostname
  3. Individual client IP address
  4. Group of client user IDs
  5. Group of client host names
  6. Group of client IP addresses
  7. Individual link IP addresses
  8. Individual link name
  9. Group of link IP addresses
  10. Group of link names
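
The search order above decides which LU and application a client lands on when several client identifiers match. The following is an added example, not IBM code and not the configuration tool's own logic: it applies the ten-level priority to a constructed set of identifiers and reports which definitions are shadowed. The class names, the `value/mask` subnet spelling, the exact-string name matching and the tie-break by definition order are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Search order from the page, highest priority first: (kind, is_group).
SEARCH_ORDER = [
    ("user_id", False), ("hostname", False), ("ip", False),
    ("user_id", True), ("hostname", True), ("ip", True),
    ("link_ip", False), ("link_name", False),
    ("link_ip", True), ("link_name", True),
]


@dataclass
class ClientIdentifier:          # hypothetical structure for this example
    name: str                    # label used only in this example
    kind: str                    # user_id, hostname, ip, link_ip or link_name
    is_group: bool
    members: Tuple[str, ...]     # one entry for an individual, several for a group
    lu: str                      # LU (or LU group) assigned to the identifier


@dataclass
class Connection:                # what the server knows about a connecting client
    user_id: Optional[str] = None
    hostname: Optional[str] = None
    ip: Optional[str] = None
    link_ip: Optional[str] = None
    link_name: Optional[str] = None


def _ip_member_matches(member, addr):
    """Group members may be single addresses or subnets written value/mask."""
    if "/" in member:
        network = ipaddress.ip_network(member, strict=False)
        return ipaddress.ip_address(addr) in network
    return ipaddress.ip_address(member) == ipaddress.ip_address(addr)


def matches(identifier, conn):
    value = getattr(conn, identifier.kind)
    if value is None:
        return False
    if identifier.kind in ("ip", "link_ip"):
        return any(_ip_member_matches(m, value) for m in identifier.members)
    # Names are compared as exact strings here (assumption; wildcards not modelled).
    return value in identifier.members


def resolve(identifiers, conn):
    """Return (winner, shadowed): the identifier the search order selects and
    the other matching identifiers it overrides. (None, []) means no match,
    in which case the default LU pools apply."""
    hits = [ci for ci in identifiers if matches(ci, conn)]
    if not hits:
        return None, []
    # sorted() is stable, so equal-priority hits keep definition order (assumption).
    hits = sorted(hits, key=lambda ci: SEARCH_ORDER.index((ci.kind, ci.is_group)))
    return hits[0], hits[1:]


# Constructed sample definitions, not taken from any real configuration.
CONSTRUCTED_IDENTIFIERS = [
    ClientIdentifier("branch-subnet", "ip", True,
                     ("10.1.128.0/255.255.192.0",), "LUGRP1"),
    ClientIdentifier("dmz-link", "link_name", False, ("ETH1",), "DMZLU"),
    ClientIdentifier("ops-ip", "ip", False, ("10.1.129.7",), "OPSLU"),
    ClientIdentifier("payroll-host", "hostname", False,
                     ("pay01.example.com",), "PAYLU01"),
]

if __name__ == "__main__":
    conn = Connection(hostname="pay01.example.com", ip="10.1.129.7",
                      link_ip="10.1.1.1", link_name="ETH1")
    winner, shadowed = resolve(CONSTRUCTED_IDENTIFIERS, conn)
    print("assigned:", winner.name, winner.lu)
    print("shadowed:", [ci.name for ci in shadowed])
```

Running `resolve` over every expected client population before saving a configuration shows where a broad group or link rule is silently overridden by a narrower individual rule, or the reverse.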

Tree structure

This panel shows a tree of all the currently defined client identifiers. You can expand a client identifier in the tree and see the applications and LUs that are assigned. Each client id shows the five types of assignments that may be made:

Use the tree structure to see what assignments have been made. If no assignment has been made for one of the types, the default setting is displayed.

Steps

Before you begin, know whether you are defining a new client identifier or modifying an existing one.

  1. If you are defining a new client identifier, click New and you see the Object Type panel, where you will need to specify the type of object you are mapping to this client identifier.
  2. Select a client identifier in the tree and click Edit to change an existing definition.
  3. Select a client identifier in the tree and click Delete to delete an existing definition.

You have completed this panel after you have defined, edited or deleted client identifiers. You are not required to define any client identifiers. However, if no client identifiers are defined, you must use at least one of the default LU pools.

Push buttons
Click New to add a new client identifier.
Click Edit to edit a client identifier you've selected.
Click Delete to delete a client identifier you've selected.



Telnet 3270 Server Configuration: Application Routing

Use this panel to set the application access method when a client connects to a server.

When assigning applications, you must understand some characteristics of the clients connecting. If the client is a terminal, then it is likely connecting to an application that provides full screen TN3270 support. However, it may be connecting to a line mode application such as TSO. There are several ways of setting up application access based on the characteristics of the client and the application.

Before you begin, decide the application access method you want for a client connecting to the TN3270 server.

Steps

  1. Click Open an application, if you want to always use the same application. The TN3270 server will connect the client directly with the application.
  2. Click Display a USSMSG10 panel, if you have an existing USS (Unformatted System Services) table. Specify the USS table name.

    An assembled and linked USS table can be used directly by Telnet.

  3. Click Display the Telnet Solicitor panel if you want the default. The client will need to supply a user ID, password and application name.
  4. Enter an application name for line mode sessions if you want to override the default.

You have completed this panel if you have clicked a button to indicate a selection under either 3270 full screen mode sessions or line mode sessions.

Fields

Application name

USS table name

Radio buttons

Click Open an application to indicate you always want to connect to the same application

Click Display a USSMSG10 panel to indicate you want to connect to an existing USS table

Click Display the Telnet Solicitor panel to indicate you want the default



Application name

The name of the application, following these rules:

The application name may be network qualified. A network qualified application name consists of a 1-8 character network ID followed by an application name, with the names separated by a period.



USS table name

The name of the USS table, following these rules:



Telnet 3270 Server Configuration: LU Pool

Use this panel to establish a set of logical units (LUs) for the default pool. When clients connect to the TN3270 server, each client must be assigned to a VTAM LU. This LU will be activated and used for SNA connectivity to the SNA application.

The TN3270 server uses VTAM application LUs to represent clients. The TN3270 server activates one SNA application minor node LU to represent each Telnet IP client. These Telnet application LUs establish sessions with VTAM host applications (for example, CICS), simulating terminals (LU0 or LU2) or printers (LU1 or LU3).

You are required to add at least one LU. You may enter multiple individual LUs using the Add... button. You may also define an LU range using the Add... button.

Before you begin, have ready the list of terminal LUs you want to specify in the default pool.

Steps

  1. Click Add if you want to add a new LU or LU range to the default pool.
  2. The new LU name will appear in the list.
  3. Click Edit to change an existing LU or LU range.
  4. Click Remove to remove an existing LU or LU range.

You have completed this panel after you have added, edited, or removed an LU or LU range. At least one LU must be added.

Push buttons
Click Add to add a new LU or LU range to the default pool.
Click Edit to change an existing LU or LU range.
Click Remove to remove an existing LU or LU range.



Destination Link IP Address

Use this panel to signify you want the client identifier to match clients that connect to a particular link or that connect to any in a group of links. The links are identified by the link's IP address.

Before you begin, you should decide whether you want the client identifier to match clients connecting to a particular link IP address or to just any link within a group of links. Depending on that decision, do one of the following:

Steps

  1. Either click on "The client must connect to the following link", and fill in the IP address following standard naming conventions. You may click on the Show links... button to see a display of links currently defined and you may choose one. Optionally, you can type in the link address directly.
  2. Or click on "The client must connect to a link in this group". Fill in the Group name and optionally add, edit or remove links in this group by manipulating the IP addresses/subnets in this group. Note that entire subnets can be added to the group. At least one link must be added to the group.

You have completed this panel when you have selected either radio button, and filled in either the IP address field or the Group name and added at least one link to the group.

Fields

IP address

Group name

Links in group

Radio buttons

Click The client must connect to a specific link to indicate the client must connect to a specific link.

Click The client must connect to a link in a group to indicate the client must connect to one of the links in the link group. You have the ability to add, edit and remove IP addresses and subnets in this group.

Push buttons
Click Show Links... to display the available links from which to choose an IP address.
Click Add to add an IP address or subnet to this group.
Click Edit to modify an IP address in this group.
Click Remove to delete an IP address from this group.



Show links...

Click here to see a list of existing links from which to choose. This is optional. You may type in a link IP address directly and not use the Show links... button.



Links in group

The links established in this group that you can add, edit, or remove.



IP address

The IP address must be specified in dotted decimal notation, in which a 32-bit IP address is represented as four decimal numbers, one for each 8 bits, separated by dots (periods). Each of the four decimal numbers is greater than or equal to 0 and less than or equal to 255. For example:

00001010  00000001  10110100  11111110  a 32-bit address
10              1                180            254            dotted decimal notation (10.1.180.254)



Group name

The name of the group following these rules:




Destination Link Name

Use this panel to signify you want the client identifier to match clients that connect to a particular link or that connect to any in a group of links. The links are identified by the link name.

Before you begin, decide whether you want the client identifier to match clients connecting to a particular link or to just any link within a group of links. Depending on that decision, do one of the following:

Steps

  1. Either click on "The client must connect to the following link", and fill in the link name following standard naming conventions. You may click on the Show links... button to see a display of links currently defined and you may choose one. Optionally, you can type in the link name directly.
  2. Or click on "The client must connect to a link in this group". Fill in the Group name and optionally add, edit or remove links in this group by manipulating the link names in this group. Link names defined in groups can also be wildcarded. At least one link must be added to the group.

You have completed this panel when you have selected either radio button, and filled in either the IP address field or the Group name and added at least one link to the group.

Fields

Link name

Group name

Links in group

Radio buttons

Click The client must connect to a specific link to indicate the client must connect to a specific link.

Click The client must connect to a link in a group to indicate the client must connect to one of the links in the link group. You have the ability to add, edit and remove IP addresses and subnets in this group.

Push buttons
Click Show Links... to display the available links from which to choose a link.
Click Add to add a link name to this group.
Click Edit to modify a link name in this group.
Click Remove to delete a link name from this group.



Link name

The name of the link, following these requirements:




Show links...

Click here to see a list of existing links from which to choose. This is optional. You may type in a link name directly and not use the Show links... button.



Group name

The name of the group following these rules:




Links in group

The list of established links that you can add, edit, or remove.



Terminal LU Full Screen Application

Use this panel to edit the application name for clients that connect as full screen terminals.

Before you begin, know the application name you want to modify.

Steps

  1. Modify the application name.
  2. Click OK when you are done.

You have completed this panel when you have edited an application name.

Fields

Application name

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Application name

The name of the application, following these rules:

The application name may be network qualified. A network qualified application name consists of a 1-8 character network ID followed by an application name, with the names separated by a period.



Terminal LU Linemode Application

Use this panel to edit the application name for clients that connect as linemode terminals.

Before you begin, know the linemode application name you want to modify.

Steps

  1. Modify the application name.
  2. Click OK when you are done.

You have completed this panel when you have edited an application name.

Fields

Application name

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Application name

The name of the application, following these rules:

The application name may be network qualified. A network qualified application name consists of a 1-8 character network ID followed by an application name, with the names separated by a period.



Printer

Use this panel to edit the printer name that has been assigned to the client identifier.

Before you begin, know the printer name you want to modify.

Steps

  1. Modify the printer name.
  2. Click OK when you are done.

You have completed this panel when you have edited a printer name.

Fields

Printer name

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Printer name

The name of the printer, following these rules:



Printer LU Application

Use this panel to edit the application name for clients that connect as printers.

Before you begin, know the application name you want to modify.

Steps

  1. Modify the application name.
  2. Click OK when you are done.

You have completed this panel when you have edited an application name.

Fields

Application name

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Application name

The name of the application, following these rules:

The application name may be network qualified. A network qualified application name consists of a 1-8 character network ID followed by an application name, with the names separated by a period.



Terminal LU

Use this panel to edit the terminal LU name that has been assigned to the client identifier.

Before you begin, know the terminal LU name you want to modify.

Steps

  1. Modify the terminal LU name.
  2. To associate a printer with this terminal, select Associate printer.
  3. Click OK when you are done.

You have completed this panel when you have modified the terminal LU name.

Fields

LU name

Push buttons
Click Associate Printer... to associate a printer with this terminal LU.
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



LU name

The name of the terminal LU, following these rules:




Associate printer...

Use this button to set up a TN3270 printer association, which allows a printer to specify an active LU terminal name during connection negotiation. The server understands this special request and knows to assign the printer LU name associated with the requested terminal LU name.



Terminal LU USS Table

Use this panel to edit the USS table name that has been assigned to the client identifier.

Before you begin, know the USS table name you want to modify.

Steps

  1. Modify the USS table name.
  2. Click OK when you are done.

You have completed this panel when you have edited a USS table name.

Fields

USS table name

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



USS table name

The name of the USS table, following these rules:


Telnet 3270 Server Configuration: Finish

You have completed the z/OS Telnet 3270 server configuration. Click Finish to save your settings.

After clicking Finish:



Session Parameters

This panel allows you to obtain SMF information during initialization and termination, and/or specify the reuse of inactive sessions.

Before you begin, make decisions about SMF recording, and the reuse of inactive sessions. To complete this panel:

Steps

  1. For SMF -- If you want the server to write SMF records, select yes.
  2. For inactive session reuse -- Click yes if you want to reuse inactive sessions for clients that connect with predefined LU names.

You have completed this panel after you have clicked yes or no to answer the questions about SMF, and inactive session reuse.

You can find more detailed help on the following elements of this window:

Should the server write SMF records for initialization and termination?

Reuse of inactive sessions is allowed for clients that connect with predefined LU names. Do you want to enable this function?

Radio buttons

For SMF:

For reuse of inactive sessions:

Should the server write SMF records for initialization and termination?

If you select Yes, the server writes format 119 SMF records: a Session Initiation (or LOGON, subtype 20) record is generated when a client connects, and a Session Termination (or LOGOFF, subtype 21) record is generated when the client disconnects or is otherwise disconnected. If you click Yes, ensure SMF is up and running and will accept these SMF record types.



Reuse of inactive sessions is allowed for clients that connect with predefined LU names. Do you want to enable this function?

This function is applicable only for clients that connect using a specific LU name. When the client connects and the TN3270 server finds that the LU specified on the client's connection request is already active, the server initiates takeover processing. The server sends a TIMEMARK request to the original client that was using this LU. The server waits 5 seconds for a response from the client. If a response is not received within 5 seconds, the server terminates the old connection and the new client is connected.



IP Address

Use this panel to specify an IP address or subnet to assign to the group.

Before you begin, decide if you want to specify an individual IP address or an IP subnet.

Steps

  1. If you decide to enter an IP address, enter it in the field provided. For example, 9.67.97.103.
  2. If you decide to enter an IP subnet, enter it in 2 parts; the subnet value and the subnet mask.
  3. Click OK when you are done.

You have completed this panel when you have entered an IP address or IP subnet mask and value meeting the requirements.

Fields

Individual IP address

Subnet value

Subnet mask

Radio Buttons
Click Individual IP address to specify an individual IP address.
Click IP subnet to specify an IP address in the form of a subnet and mask.

Push buttons
Click Show Links... to see the defined links.
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Individual IP address

The IP address must be specified in dotted decimal notation, in which a 32-bit IP address is represented as four decimal numbers, one for each 8 bits, separated by dots (periods). Each of the four decimal numbers is greater than or equal to 0 and less than or equal to 255. For example:

00001010  00000001  10110100  11111110  a 32-bit address
10              1                180            254            dotted decimal notation (10.1.180.254)



Subnet value

The IP address, specified in dotted decimal notation, in which a 32-bit IP address is represented as four decimal numbers, one for each 8 bits, separated by dots (periods). Each of the four decimal numbers is greater than or equal to 0 and less than or equal to 255. For example:

00001010  00000001  10110100  11111110  a 32-bit address
10              1                180            254            dotted decimal notation (10.1.180.254)

This value will be logically ANDed with the subnet mask to determine the subnet.



Subnet mask

The 32-bit subnet mask must be one or more one-bits followed by one or more zero-bits. The subnet mask cannot have any one-bits to the right of any zero-bits. Therefore, a mask of 255.255.192.0 is valid because 255 is 11111111 and 192 is 11000000, but a mask of 255.255.208.0 is not valid because 208 is 11010000.

However, the special subnet mask 0.0.0.0 is valid. This subnet mask is a wildcard that accepts all subnets.

The subnet value will be logically ANDed with the subnet mask to determine the subnet.
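
The dotted-decimal rule, the subnet mask rule and the "value ANDed with mask" match described for this panel can be checked mechanically before a group is saved. The following is an added example, not IBM code: the function names, the finding labels and the sample group are constructed for illustration, and the mask check follows this page's wording exactly (so 255.255.255.255, which has no zero-bits, is rejected).

```python
def parse_dotted(addr):
    """Return the 32-bit integer for a dotted-decimal address, or raise ValueError."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"{addr!r}: expected four decimal numbers")
    value = 0
    for part in parts:
        if not (part.isascii() and part.isdigit()) or int(part) > 255:
            raise ValueError(f"{addr!r}: each number must be 0-255")
        value = (value << 8) | int(part)
    return value


def to_dotted(value):
    """Render a 32-bit integer back into dotted-decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_is_valid(mask):
    """One or more one-bits followed by one or more zero-bits, or 0.0.0.0."""
    m = parse_dotted(mask)
    if m == 0:
        return True               # special wildcard mask
    if m == 0xFFFFFFFF:
        return False              # no zero-bits at all
    inverted = ~m & 0xFFFFFFFF    # zero-bits become one-bits
    # Contiguous ones on the left means the inverted mask is 2**k - 1.
    return (inverted & (inverted + 1)) == 0


def subnet_of(value, mask):
    """The subnet the server derives: subnet value ANDed with subnet mask."""
    return to_dotted(parse_dotted(value) & parse_dotted(mask))


def client_matches(client_ip, value, mask):
    """True when the client address falls in the subnet defined by value/mask."""
    if not mask_is_valid(mask):
        raise ValueError(f"{mask!r} is not a valid subnet mask")
    m = parse_dotted(mask)
    return (parse_dotted(client_ip) & m) == (parse_dotted(value) & m)


def audit_group(entries):
    """entries: (value, mask) pairs; mask None marks an individual address.
    Returns (entry, finding) pairs for entries that deserve a second look."""
    findings = []
    for value, mask in entries:
        if mask is None:
            parse_dotted(value)   # raises if the individual address is malformed
            continue
        if not mask_is_valid(mask):
            findings.append(((value, mask), "invalid-mask"))
        elif parse_dotted(mask) == 0:
            # 0.0.0.0 accepts all subnets, so every client matches this group.
            findings.append(((value, mask), "wildcard-mask"))
        elif parse_dotted(value) & ~parse_dotted(mask) & 0xFFFFFFFF:
            # Bits outside the mask are discarded by the AND; show what is matched.
            findings.append(((value, mask), "host-bits-set"))
    return findings


# Constructed sample group, not taken from any real configuration.
CONSTRUCTED_GROUP = [
    ("9.67.97.103", None),
    ("10.1.180.254", "255.255.192.0"),
    ("10.1.0.0", "255.255.208.0"),
    ("0.0.0.0", "0.0.0.0"),
]

if __name__ == "__main__":
    for (value, mask), finding in audit_group(CONSTRUCTED_GROUP):
        print(f"{value} / {mask}: {finding}")
    print("10.1.180.254 with 255.255.192.0 selects subnet",
          subnet_of("10.1.180.254", "255.255.192.0"))
```

The wildcard finding matters most in review: a group containing a 0.0.0.0 mask matches every connecting client, so the LUs and application assigned to that client identifier are reachable from any address.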



Show links...

Clicking this button takes you to a panel that displays the currently defined set of links. If you have selected an Individual IP address you can select from the set of links and the value will be added back to this panel. If you have selected an IP subnet, the defined links can only be used for your reference. Use of the Show links... button is optional.



Link Name

Use the link name panel to specify link names to be added to the link group.

Before you begin, know the link name you want to specify.

Steps

  1. Enter the link name.
  2. Click OK when you are done.

You have completed this panel when you have entered a link name meeting the requirements.

Fields

Link name

Push buttons
Click Show Links... to display the available links from which to choose a link.
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Link name

The name of the link, following these requirements:




Show links...

Clicking this button takes you to a panel that displays currently defined links. You can select from the set of links and the value will be added back to this panel. Use of the Show links... button is optional.



Logmodes

Use this panel to alter logmode names used for Telnet device types. A logmode is the SNA logon mode entry used to select a set of session parameters such as screen size for the session being established. Telnet 3270 defines a set of device types that a client may specify when connecting. For each device type, you can modify the suggested logmode by clicking on that entry and typing in the new name.

The defaults are already available and predefined in VTAM and the TN3270 server can access these.

Before you begin, know what device types your clients are using and the logmodes you want to associate with those device types.

Steps

  1. Double click on a logmode to edit it.
  2. Type in your modifications.

You have completed this panel if you have made desired changes to logmodes.

Fields

Logmodes



Logmodes



LU Group Entry

Use this panel to add LUs to a group. Select either an Individual LU or an LU range using fixed base.

Before you begin, decide whether you want to add an Individual LU or an LU range.

If you decide on an Individual LU, click on Individual LU and:

  1. Enter an LU name. You can also enter a system symbolic (begin with an ampersand, include at least one character and end with a period, as in LU&MVS1.01).
  2. Click OK

If you decide on an LU range, click on LU range using fixed base, and keep in mind these rules as you enter numbers:

After understanding these rules, you can proceed to:

  1. Enter the fixed base number.
  2. Enter the lower range.
  3. Enter the upper range.
  4. Click OK to complete the specification.

You have completed this panel when you have selected either an Individual LU or an LU range using fixed base, and entered an LU name or the values required for the range.

Fields

LU name

Fixed base

Lower range extension

Upper range extension

Radio buttons
Click Individual LU to select a single terminal LU.
Click LU range using fixed base to select a range of LU terminals.

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



LU name



Fixed base

The base value of the range.

The length of the base value plus the length of the lower range cannot exceed 8 characters.



Lower range extension

The lowest number in this LU terminal range. This must be either all numeric or all alphabetic characters.

The length of the base value plus the length of the lower range cannot exceed 8 characters.

If this value is numeric, the upper range must be numeric and have the same number of digits.

If this value is alphabetic, the upper range must be alphabetic and have the same number of digits.

The upper range must be greater than the lower range.



Upper range extension

The highest number in this LU terminal range. This must be either all numeric or all alphabetic characters.

The length of the base value plus the length of the upper range cannot exceed 8 characters.

If this value is numeric, the lower range must be numeric and have the same number of digits.

If this value is alphabetic, the lower range must be alphabetic and have the same number of digits.

The upper range must be greater than the lower range.
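
The field rules for an LU range using fixed base (combined length of at most 8 characters, both extensions numeric or both alphabetic, equal length, upper greater than lower) can be checked before the range is entered. The following is an added example, not IBM code. The function names and sample values are constructed, the character rules for the base itself are not checked because this page does not list them, and enumerating alphabetic extensions as base-26 values A to Z is an assumption of the example.

```python
MAX_LU_NAME = 8  # base plus range extension may not exceed 8 characters


def _is_numeric(text):
    return text.isascii() and text.isdigit()


def _is_alpha(text):
    return text.isascii() and text.isalpha()


def _value(ext):
    """Numeric extensions compare as integers; alphabetic ones as base-26
    numbers with A=0 .. Z=25 (assumption made for this example)."""
    if _is_numeric(ext):
        return int(ext)
    total = 0
    for ch in ext.upper():
        total = total * 26 + (ord(ch) - ord("A"))
    return total


def _render(number, width, numeric):
    """Turn a counter back into a fixed-width extension of the same type."""
    if numeric:
        return f"{number:0{width}d}"
    letters = []
    for _ in range(width):
        number, digit = divmod(number, 26)
        letters.append(chr(ord("A") + digit))
    return "".join(reversed(letters))


def validate_lu_range(base, lower, upper):
    """Return a list of rule violations; an empty list means the range is valid."""
    errors = []
    for label, ext in (("lower", lower), ("upper", upper)):
        if not (_is_numeric(ext) or _is_alpha(ext)):
            errors.append(f"{label} range must be all numeric or all alphabetic")
        if len(base) + len(ext) > MAX_LU_NAME:
            errors.append(f"base plus {label} range exceeds 8 characters")
    if errors:
        return errors
    if _is_numeric(lower) != _is_numeric(upper):
        errors.append("lower and upper range must be the same type")
    elif len(lower) != len(upper):
        errors.append("lower and upper range must have the same number of characters")
    elif _value(upper) <= _value(lower):
        errors.append("upper range must be greater than lower range")
    return errors


def expand_lu_range(base, lower, upper):
    """List every LU name in the range, so the pool size can be reviewed."""
    errors = validate_lu_range(base, lower, upper)
    if errors:
        raise ValueError("; ".join(errors))
    numeric = _is_numeric(lower)
    width = len(lower)
    return [base + _render(n, width, numeric)
            for n in range(_value(lower), _value(upper) + 1)]


if __name__ == "__main__":
    # Constructed sample values.
    names = expand_lu_range("LUT", "001", "100")
    print(len(names), names[0], names[-1])
    print(validate_lu_range("TERMLU", "001", "999"))
```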



Copy a Port Definition

Use this panel to configure a new port when you want to base its configuration on an existing port. All settings for the new port will be identical to the old port except for the port number and link association.

Before you begin, verify the existing port from which you want to copy.

Steps

  1. Enter the new port number in the New port field.
  2. You may optionally choose to associate this port with a network link.
  3. Enter the link name in the field provided, ensuring that the link name adheres to standard naming conventions.
  4. Click OK when you are done.

You have completed this panel after you have entered a new port number.

Fields

New port

Link name

Push buttons
Click Show Links... to see a display of existing links, from which to choose.
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



New port

An integer from 1 - 65535.



Link name

You can enter either an IP address or a link name. If specifying a link name, it should follow these requirements:

If specifying a link's IP address, it must be in dotted decimal notation, in which a 32-bit IP address is represented as four decimal numbers, one for each 8 bits, separated by dots (periods). Each of the four decimal numbers is greater than or equal to 0 and less than or equal to 255. For example:

00001010  00000001  10110100  11111110  a 32-bit address
10              1                180            254            dotted decimal notation (10.1.180.254)



Show links...

Clicking this button takes you to a panel that displays the currently defined links. You can select from the set of links and the link name will be added back to this panel. Use of the Show links... button is optional.



Port Information

This panel allows you to specify a port number on which the TN3270 server will listen for client connections. Optionally, you can specify an associated link, which causes the TN3270 server to listen on the specified port, but only for connections that come in over the associated link.

You can indicate if the connections for the port should be secured using SSL or TLS technology. Typically, clients are within a secure intranet and additional security is not required. However, if your clients connect in from the internet outside of your firewall, you will likely want to protect your connections using SSL or TLS security. This includes encrypting and authenticating data delivery and possibly using client certificates to authenticate the clients.

Before you begin, know the port number, any desired link association, and whether security services are needed.

Steps

  1. Enter the port number.
  2. Indicate if security functions are desired.
  3. Optionally, specify a network link for this port. Specify the link in the form of a link name or an IP address. Clicking Show links will display all currently defined links.

You have completed this panel after you have entered a port number and selected a connection type.

Fields

Port number

Use SSL or TLS security

Link name

Push buttons
Click Security Settings... to specify more security information. This button is only available when editing a port definition.
Click Show Links... to see a display of existing links so you can select from the display.



Use SSL or TLS security

Check this box if you want this port to use TLS and SSL technology to secure connections and transactions. If this is the first defined port to use security functions, you are required to enter a key ring database name on the security settings panel. All other security settings have defaults.



Security settings...

This button is only available if you are editing a previously defined TN3270 port and if you have indicated the port should use security services. If the port is defined to use security, you are required to enter a key ring database. This is done by clicking on the Security settings... button.

You may also further customize your security settings by clicking on this button. You can customize functions such as client certificate authentication, express logon, and choosing specific cipher algorithms.



Show links...

Clicking this button takes you to a panel that displays the currently defined links. You can select from the set of links and the link name will be added back to this panel. Use of the Show links... button is optional.



Port number

Any number from 1 - 65535.


Link name

You can enter either an IP address or a link name. If specifying a link name, it should follow these requirements:

If specifying a link's IP address, it must be in dotted decimal notation, in which a 32-bit IP address is represented as four decimal numbers, one for each 8 bits, separated by dots (periods). Each of the four decimal numbers is greater than or equal to 0 and less than or equal to 255. For example:

00001010  00000001  10110100  11111110  a 32-bit address
10              1                180            254            dotted decimal notation (10.1.180.254)



Telnet 3270 Ports

The TN3270 server requires at least one port to listen for client connections. This panel allows you to manipulate existing ports as well as add new ports for the TN3270 server to use. The standard port reserved by the IETF for TN3270 server use is port number 23. This is the default when you define your first TN3270 port and it is the default for all TN3270 clients.

Before you begin, you need to know the port number of the port you want to define, edit or remove. Here are steps to complete everything available through this panel. Your steps will be limited by the tasks you chose to accomplish:

Steps

  1. Click Add to launch a wizard, which enables you to add a new port for TN3270 to listen on.
  2. Fill in the required fields on the wizard.
  3. Return to this panel.
  4. Click Edit to edit a port you've selected. (If you haven't selected a port in the list, the Edit button is disabled.)
  5. Click Copy to copy an existing port definition you've selected into a new one. (If you haven't selected a port in the list, the Copy button is disabled.)
  6. Click Remove to delete a port definition you've selected. (If you haven't selected a port in the list, the Remove button is disabled.)
  7. Click Report to display a snapshot of what the configuration file would look like if you save all your input at this point and ask the GUI to create the file.
  8. Once the first listening port is configured, you can select whether Telnet should be started as part of the TCP/IP stack, or started separately in its own address space.

You have completed this panel after you have added, edited, copied or removed defined ports, or viewed a report, and selected how Telnet should start.

Fields

Ports table

Indicate how the TN3270 server should get started

Push buttons
Click Add to launch a wizard, which enables you to add a new TN3270 port.
Click Edit to edit a port you've selected.
Click Copy to copy an existing port definition you've selected.
Click Remove to delete a port definition you've selected.
Click Report... to display a snapshot of what the configuration file would look like if you save all your input at this point and ask the configuration demo to create the file.
Click Close to return to the IBM TCP/IP Configuration Demo for z/OS main customization panel.



Indicate how the TN3270 server should get started

Telnet can be started as part of the TCP/IP stack, or, beginning with z/OS V1R6, it can run in its own address space separate from the stack. Typically, it will be started as part of the TCP/IP stack. However, you may consider running it in its own address space for one of the following reasons:

If you decide to start the Telnet server in its own address space, there are special considerations for operator command processing, CTRACE setup, Resolver search order, SNMP, and RACF (or other security product) setup. These are described in z/OS Communications Server IP Configuration Guide (SC31-8775) in the "Accessing remote hosts using Telnet" chapter.



Ports table

This table shows all the ports defined for TN3270 server use. Each entry indicates the port number, whether security services are to be used, and whether there is a link associated with the port. You can add new ports, edit an existing port definition, remove an existing port definition, or copy an existing port's settings to a new port.



Report...

Once the first port has been defined, you can use this button at any time to see a snapshot of the TN3270 profile configuration statements and keywords that the GUI would produce.



Printer Defaults

Use this panel to assign LUs to either default generic pools or default specific pools. When printer clients connect to the TN3270 server, each client must be assigned to a VTAM LU. This LU will be activated and used for SNA connectivity to the SNA application.

TN3270 server uses VTAM application LUs to represent clients. The TN3270 server activates one SNA application minor node LU to represent each Telnet IP client. These Telnet application LUs establish sessions with VTAM host applications (for example, CICS).

When a printer client connects, the TN3270 server searches for a client identifier that matches this client connection. If no match is found, then the server will use the default printer pools to assign an LU for the client's use.

The client's workstation can be configured to assign the TN3270 client to a specific LU when the connection is established. By default, clients are not defined to use a specific LU. Clients that do NOT specify assignment to a specific LU will be assigned an LU from the Default generic pool. Clients that DO specify assignment to a specific LU will be assigned that LU if it is defined in the Default specific pool.

You may also specify an application that printer clients should be connected to if the client is assigned one of the LUs from the default printer pools. Typically a printer client connects to the TN3270 server and then waits for the application to initiate the session to the client. However, you can specify the application and TN3270 server will connect the client directly to the application.

Before you begin, decide which printer pools you want to manipulate and which actions you want to perform on them.

Steps

  1. Click Add to add a new LU or range of LUs to a Default Generic Pool or to the Default Specific Pool.
  2. Click Edit to change an existing LU name or range of LUs within a Default Generic Pool or Default Specific Pool.
  3. Click Remove to remove an existing LU name or range of LUs from a Default Generic Pool or Default Specific Pool.
  4. If you want to specify a default application name, enter it in the field following standard naming rules.

You have completed this panel after you have added, edited or removed LUs to and from the default generic or default specific pools, and specified the application name for printer clients. You are not required to use the default printer pools at all.

Fields

Default generic pool

Default specific pool

Application name

Push buttons
Click Add to add an LU or a range of LUs to either a default generic pool or a default specific pool.
Click Edit to edit an LU or a range of LUs to either a default generic pool or a default specific pool.
Click Remove to delete an LU or range of LUs from either a default generic pool or a default specific pool.



Application name

The name of the application, following these rules:

The application name may be network qualified. A network qualified application name consists of a 1-8 character network ID followed by an application name, with the names separated by a period.



Default generic pool

The list of LUs and/or ranges of LUs defined for the default generic pool for printer clients. You can add, edit or remove LUs and LU ranges from this list.

The TN3270 client's workstation can be configured to assign a TN3270 client to a specific LU when the connection is established. By default, the clients are not defined to use a specific LU. Clients that do NOT specify assignment to a specific LU will be assigned an LU from the Default generic pool.



Default specific pool

The list of LUs and/or ranges of LUs defined for the default specific pool for printer clients. You can add, edit or remove LUs and LU ranges from this list.

TN3270 clients can be configured on the client's workstation to request assignment to a specific LU when the connection is established. By default, clients are not defined to use a specific LU. Clients that DO specify assignment to a specific LU will be assigned that LU if it is defined in the Default specific pool.



SSL Security Settings

Use this panel to specify the certificate location required for SSL/TLS security functions. The server certificate authentication process defined in the SSL protocol requires a certificate location. This location can be either:

Before you begin, decide:

Steps

  1. Specify the certificate ring location by entering the key ring name or file name.
  2. If desired, enable certificate authentication by clicking in the check box.
  3. Click on the Ciphers button to select ciphers.
  4. Click on the Advanced button to specify more security settings.
  5. Click OK to indicate you are done.

You have completed this panel when you have:

Fields

Certificate (key ring) location

Key ring name

Key database name

Radio Buttons
Click Key ring in security server to specify a key ring name within a security server.
Click Key database in HFS to specify an HFS file name.

Push buttons
Click Ciphers... to specify cryptographic algorithms.
Click Advanced... to specify additional security settings.



Key ring name



Key database name

Create this file using the z/OS shell-based program, gskkyman. When running gskkyman:

Enter the key database name and extension on the panel. The TN3270 server can locate the stash file since it has the same file name.

When you are done, ensure you have created 2 files:



Certificate (key ring) location

SSL requires server and optionally client authentication. Such authentication requires the server certificate location. Client authentication certificates reside in the same database.

System SSL supports the following two methods for managing PKI private keys and certificates.



Ciphers...

Use this button if you want to modify your choice of cipher algorithms.



Advanced...

Use this button if you want to modify additional security settings. These include:


Advanced SSL Settings

Use this panel to specify more security information.

Before you begin, decide:

Steps

  1. Select one of the 3 SSL protocol types.
  2. Select the level of client certificate authentication you desire.
  3. Activate express logon, if you desire.
  4. Click OK to indicate you are done.

You have completed this panel when you have selected one of the three SSL protocol types, optionally selected a level of client certificate authentication, and optionally activated SSL.

You can find more detailed help on the following elements of this window:

SSL / TLS protocol

Client certificate authentication

Enable client certificate authentication

Use security server to verify client user ID

Enable express logon

Radio buttons

Click Assume client is using SSL to indicate the server should use the standard SSL handshake.

Click Use TLS to initiate SSL to indicate the server should use TLS to initiate the SSL handshake.

Click Use TLS to allow client to decide if connection is secure to indicate the server should use TLS to determine if the client is willing to use SSL.

Push buttons

Click OK to complete the specification.

Click Cancel to negate any entries you have made on this page.

Click Help to understand more about this panel.



SSL / TLS protocol

The TN3270 server provides several choices for negotiating SSL usage with the client.

Assume client is using SSL indicates the SSL handshake will be used to start the SSL connection. If the client does not start the handshake within 5 seconds, then an attempt is made to do a negotiated SSL handshake using the IETF TLS-based Telnet Security specifications. If the client rejects SSL, the connection is closed.

Use TLS to initiate SSL indicates the client supports the IETF TLS-based Telnet Security Draft. A TN3270 negotiation with the client first determines if the client is willing to enter into a secure connection. If the client agrees, an SSL handshake is started and SSL protocols will be used for communication. If the client rejects SSL, the connection is closed.

Use TLS to allow client to decide if connection is secure indicates that the security protocol defined in the IETF TLS-based Telnet Security Draft is used to initiate the SSL connection. If the client agrees to enter into the secure connection, then SSL protocols will be used. If the client is NOT willing to enter into the secure connection, the connection is still allowed, but no SSL is used.



Client certificate authentication

Client authentication provides additional verification and access control by checking client certificates at the server. This prevents a client from obtaining a connection without an installation approved certificate.

The server authenticates the client by receiving the client's certificate during the SSL handshake and verifying the certificate is valid. System SSL at the server decrypts the signature using the public key of the client certificate issuer found in the server key database file. The server then creates a new message digest using the certificate's Distinguished Names and public key and compares the new message digest with the decrypted one. If they match, the server can be assured the client is authentic.

There are multiple levels of client authentication possible:

  1. Level 1 authentication is performed by system SSL. The client passes an X.509 certificate to the server. To pass authentication, the Certificate Authority that signed the client certificate must be considered trusted by the server. Selecting Enable client certificate authentication provides level 1 authentication.

  2. Level 2 authentication provides level 1 authentication and additionally requires that the client certificate be registered with RACF (or other SAF compliant security product) and mapped to a user ID. The client certificate received during the SSL handshake is used to query the security product to verify that the certificate maps to a user ID known to the system prior to connection negotiation. Selecting Use security server to verify client user ID provides level 2 authentication.

  3. Level 3 authentication provides level 1 and 2 authentication. In addition, it provides the capability to restrict access to the server based on the user ID returned from RACF. If the SERVAUTH class of RACF is active and the server profile is defined, a connection is accepted only if the requester's user ID associated with the client certificate is in the profile. Selecting Use security server to verify client user ID provides level 3 authentication if the SERVAUTH class of RACF is active.



Enable client certificate authentication

Check to indicate you want the server to authenticate client certificates during the SSL handshake. To pass authentication, the Certificate Authority (CA) that signed the client certificate must be considered trusted by the server. This means a certificate for the CA that issued the client certificate is listed as trusted in the server's keyring.



Use security server to verify client user ID

Check to indicate that, in addition to client certificate authentication, the server will verify the certificate has been registered with your SAF compliant security product, such as RACF, and has an associated user ID. Additionally, if the SERVAUTH RACF class is active and a RACF resource has been defined for the port, the connection is allowed only if the user ID associated with the client certificate has READ access to the RACF resource.
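The following added example (not IBM code and not part of the original help text) models how the two check boxes and the state of the SERVAUTH class combine into levels 1 to 3, so you can see which level a port really enforces. All names and certificate values are constructed; real signature validation is done by System SSL and is reduced here to an issuer lookup, and the certificate-to-user-ID mapping is a stand-in for the security product.

```python
"""Decision model for the three client authentication levels (added example)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass(frozen=True)
class ClientCert:
    subject: str  # distinguished name (constructed)
    issuer: str   # name of the signing CA (constructed)


@dataclass
class PortPolicy:
    enable_client_cert_auth: bool = False   # "Enable client certificate authentication"
    verify_user_id: bool = False            # "Use security server to verify client user ID"
    trusted_cas: frozenset = frozenset()    # CAs listed as trusted in the server key ring
    cert_user_map: dict = field(default_factory=dict)  # stand-in: registered cert -> user ID
    servauth_active: bool = False           # SERVAUTH active and a resource defined for the port
    servauth_read: frozenset = frozenset()  # user IDs with READ access to that resource


def effective_level(p: PortPolicy) -> int:
    """Level actually enforced. Level 3 needs no extra check box: it applies
    only when the user ID check is selected AND SERVAUTH is active."""
    if p.verify_user_id:
        return 3 if p.servauth_active else 2
    return 1 if p.enable_client_cert_auth else 0


def admit(p: PortPolicy, cert: Optional[ClientCert]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one connection attempt."""
    level = effective_level(p)
    if level == 0:
        return True, "no client certificate check configured"
    # Level 1: the signing CA must be trusted by the server.
    if cert is None:
        return False, "level 1: no client certificate presented"
    if cert.issuer not in p.trusted_cas:
        return False, "level 1: issuing CA is not trusted"
    if level == 1:
        return True, "level 1 passed"
    # Level 2: the certificate must be registered and map to a user ID.
    user = p.cert_user_map.get(cert.subject)
    if user is None:
        return False, "level 2: certificate not mapped to a user ID"
    if level == 2:
        return True, f"level 2 passed as {user}"
    # Level 3: the mapped user ID needs READ access to the port resource.
    if user not in p.servauth_read:
        return False, f"level 3: {user} lacks READ access"
    return True, f"level 3 passed as {user}"


if __name__ == "__main__":
    cert = ClientCert("CN=pay01", "CN=Example Corp CA")
    policy = PortPolicy(verify_user_id=True,
                        trusted_cas=frozenset({"CN=Example Corp CA"}),
                        cert_user_map={"CN=pay01": "PAYUSR1"})
    print(effective_level(policy), admit(policy, cert))
    policy.servauth_active = True
    print(effective_level(policy), admit(policy, cert))
```

With identical check box settings, the same certificate is admitted while SERVAUTH is inactive and rejected once it is active and the user ID is not permitted, so confirm the class state when you rely on level 3.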



Enable express logon

Users of TN3270 clients are generally required to know the user ID and password for the application they want to access. Users may forget their IDs and passwords, or they may write down their IDs and passwords, creating a security risk. A solution for this problem is the Express Logon Feature (ELF), which allows a TN3270 client with an X.509 certificate to log on to an SNA application without entering an ID or password. The client's certificate must be associated with a valid user ID in RACF. When the client connects, the TN3270 server uses RACF Secured Sign on services to obtain a user ID and PassTicket, which the server passes on to the SNA application to complete the logon.



Telnet 3270 Configuration

This is a snapshot of your configuration file containing your TN3270 server definitions. If you configured the TN3270 server to start automatically with the TCP/IP stack, then this file is pointed to by an INCLUDE statement in file PROFILE.TCPIP. Otherwise, the TN3270 server is configured to start in its own address space and this file is pointed to by the PROFILE DD statement in the TN3270 start procedure.

Push buttons
Click Save to save this configuration file to your local disk.
Click Print to print this configuration file.
Click Close to end this panel.
Click Help to understand more about this panel.



Configured links

Use this panel to see and select from a list of configured links. You may double click on an entry or select an entry and click OK. If this panel is shown when defining an IP subnet for a group, this panel can only be used for reference; no selection can be made.

Before you begin, know the link name or IP address you want to select.

Steps

  1. Highlight one of the link names or IP addresses in the list.
  2. Click OK when you are done.

You have completed this panel when you have selected a configured link or an IP address from the list displayed.

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Telnet 3270 Server Configuration: Welcome

Currently you do not have a TN3270 server configured. Use the TN3270 Wizard to initially set up your TN3270 server. After you have completed the TN3270 Wizard, use the Advanced Setup... button to edit your configuration settings and expand them to use more advanced settings as necessary.

Before you begin, you should know a few basics.

For more information on the differences between the TN3270 Wizard and the Advanced Setup, see the Push buttons below.

Push buttons
Click TN3270 Wizard... to start the TN3270 Wizard.
Click Advanced Setup... to use the advanced setup.
Click Close to return to the TCP/IP configuration console without configuring a TN3270 server.



TN3270 Wizard...

Click here if you want to establish your first and basic TN3270 server.

The TN3270 Wizard will configure the TN3270 server to listen on the well-known IETF port number 23, without SSL security protocols.

The wizard will help you:



Advanced Setup...

Click here if you want to configure a server that uses advanced features. These advanced features include:

Multiple TN3270 ports

IETF defines port 23 as the well-known TN3270 port. This is the default setting for TN3270 clients. You may want to use other ports. It is a common practice to use port 23 as a basic non-SSL port and define an additional port for clients connecting across the internet, who require SSL security protection.

SSL security

If you have clients that connect over the internet, you may need to use the SSL security. This provides encryption, data authentication and client certificate authentication functions.

TN3270 printer support

If you have TN3270 clients that are printers you can configure the server to support them.

Default specific pools

You can configure the server to allow TN3270 clients to be assigned to a specific LU, when they connect to the server. Clients must be configured to request assignment to a specific LU.

Client identifiers

The TN3270 server provides sophisticated and flexible settings to allow certain clients assignment to specific LUs and applications, while other groups of clients are assigned to other specific LUs and applications. You define a client identifier to match specific client characteristics and you assign the SNA LUs and application access to the client identifier. When a client connects, the server matches the client to a client identifier and applies the client identifier's LUs and application to the connecting client.
For example, you can define a client identifier as a group of client IP addresses. You then assign specific LUs and specific application access to this client identifier. When a client connects, the server understands the client's IP address and determines that it matches one of the addresses in the defined group of client IP addresses. The server then uses one of the LUs and the application access assigned to this client identifier when establishing the connection for the client.



Terminal Defaults

Use this panel to assign LUs to either default generic pools or default specific pools. When clients that are terminals connect to the TN3270 server, each client must be assigned to a VTAM LU. This LU will be activated and used for SNA connectivity to the SNA application.

TN3270 server uses VTAM application LUs to represent clients. The TN3270 server activates one SNA application minor node LU to represent each Telnet IP client. These Telnet application LUs establish sessions with VTAM host applications (for example, CICS).

When a terminal client connects, the TN3270 server searches for a client identifier that matches this client connection. If no match is found, then the server will use the default terminal pools to assign an LU for the client's use.

The client's workstation can be configured to assign the TN3270 client to a specific LU when the connection is established. By default, clients are not defined to use a specific LU. Clients that do NOT specify assignment to a specific LU will be assigned an LU from the Default generic pool. Clients that DO specify assignment to a specific LU will be assigned that LU if it is defined in the Default specific pool.

This panel is also used to set the application access method when a client is assigned to an LU from one of these default pools.

When assigning applications, you must understand some characteristics of the connecting clients. If the client is a terminal, then it is likely connecting to an application that provides full screen TN3270 support. However, it may be connecting to a line mode application such as TSO. There are several ways of setting up application access based on the characteristics of the client and the application.

Before you begin, decide which terminal pools you want to manipulate and which actions you want to perform on them.

Steps

  1. Click Add to add a new LU or range of LUs to a Default Generic Pool or to a Default Specific Pool.
  2. Click Edit to change an existing LU or range of LUs you've selected.
  3. Click Remove to remove an existing LU or range of LUs you've selected.
  4. Specify the default application for terminal sessions.

  5. If you have 3270 full screen mode sessions, choose among 3 options when a client connects to a server.
    1. Click Open an application if you always want to use the same application. The TN3270 server will connect the client directly with the application. Ensure the application name follows the standard naming conventions.
    2. Click Display a USSMSG10 panel if you have an existing USS table. Ensure the application name follows the standard naming conventions. An assembled and linked USS table can be used directly by Telnet. Unsupported statements are ignored and do not interfere with the processing of the command.
    3. Click Display the Telnet Solicitor panel if you want the default. The client will need to supply a user ID, password and application name.
    4. For linemode clients, enter an application name if you want to override the use of the default solicitor panel.

You have completed this panel after you have:

You are not required to use either of the default pools.

Fields

Default generic pool

Default specific pool

3270 full screen mode sessions

Application name

USS table name

Linemode sessions

Radio buttons
Click Open an application to specify an application name for 3270 full screen mode sessions.
Click Display a USSMSG10 panel to specify a USS table name for 3270 full screen mode sessions.
Click Display the Telnet solicitor panel to use the default.

Push buttons
Click Add to add an LU or range of LUs in either a default generic pool or a default specific pool.
Click Edit to edit an LU or range of LUs in either a default generic pool or a default specific pool.
Click Remove to delete an LU or range of LUs from either a default generic pool or a default specific pool.



Application name

The name of the application, following these rules:

The application name may be network qualified. A network qualified application name consists of a 1-8 character network ID followed by an application name, with the names separated by a period.



USS table name

The name of the USS table, following these rules:



3270 full screen mode sessions

When assigning applications, you must understand some characteristics of the connecting clients. If the client is a terminal, then it is likely connecting to an application that provides full screen TN3270 support. The default is to use the TN3270 server's solicitor panel, which is sent to the client to query which application to connect to, along with the logon id and password. You may override the default by assigning an application and the TN3270 server will connect the client directly to the application. Or you may also override the default by assigning a USS table, and the TN3270 server will send a USS MSG10 to the client.



Linemode sessions

When assigning applications, you must understand some characteristics of the connecting clients. If the client is a terminal, then it is likely connecting to an application that provides full screen TN3270 support. However, it may be connecting to a line mode application such as TSO. The default is to use the TN3270 server's solicitor panel, which is sent to the client in linemode to query which application to connect to, along with the logon id and password. You may override the default by assigning an application for linemode clients, and the TN3270 server will connect directly to the application.



Default generic pool

The list of LUs and/or ranges of LUs defined for the default generic pool for clients that are terminals. You can add, edit or remove LUs and LU ranges from this list.

The client's workstation can be configured to assign the TN3270 client to a specific LU when the connection is established. By default, clients are not defined to use a specific LU. Clients that do NOT specify assignment to a specific LU will be assigned an LU from the Default generic pool.



Default specific pool

The list of LUs and/or ranges of LUs defined for the default specific pool for clients that are terminals. You can add, edit or remove LUs and LU ranges from this list.

The client's workstation can be configured to assign the TN3270 client to a specific LU when the connection is established. By default, clients are not defined to use a specific LU. Clients that do NOT specify assignment to a specific LU will be assigned an LU from the Default generic pool. Clients that DO specify assignment to a specific LU will be assigned that LU if it is defined in the Default specific pool.



Inactivity Timers

Use this panel to specify when to disconnect idle clients. There are two methods used to handle idle clients. With both methods, you define a period of inactivity that is allowed before labeling the client as "idle".

Before you begin, understand the timing mark intervals you desire and whether you want to use the inactivity timer to disconnect clients.

Steps

  1. Enter the Timing mark interval in number of seconds.
  2. Enter the Timing mark scan interval.
  3. Decide if you want an inactivity timer. If you do, click Yes and specify the seconds the connection can be inactive before it is dropped.

You have completed this panel after you have filled in the 2 timing mark fields and made a decision about the inactivity timer.

Fields

Timing mark

Timing mark interval

Timing mark scan interval

Inactivity timer

Inactivity timeout interval

Radio buttons
Click Yes to indicate you want to use an inactivity timer.
Click No to indicate you do NOT want to use an inactivity timer.



Timing mark interval

An integer in the range 1-99 999 999 seconds.

If this value is less than the scan interval value, it will be set equal to the scan interval value.



Timing mark scan interval

An integer in the range 1-99 999 999 seconds.



Inactivity timeout interval

An integer in the range 1-99 999 999 seconds.



Timing mark

The Timing mark scan interval and the Timing mark interval are used together to determine if a connection has been lost. Whenever data is received from the client, the TN3270 server records the time. The server checks all connections at regular intervals defined by the scan interval value. Each connection is checked to see if any data has been received from the client in the past timing mark period of time. If no data has been received, the server sends a TN3270 TIMEMARK command to the client, which acts as an "are you there?" and the server remembers that it sent this TIMEMARK. During the next check at the scan interval, each connection is again checked to see if any data has been received from the client. If not, and a TIMEMARK had been sent on the previous scan interval check, then the connection is dropped.

For example, assume the values for scan interval and timing mark interval are 1800 and 10800, respectively. That means every 30 minutes, all connections are checked to see if any data has been received in the last 3 hours. If not, a TIMEMARK is sent to the client. Thirty minutes later, the server checks the connections again. If the client responded to the TIMEMARK or sent in actual data, the server leaves the connection active. If nothing has been received the server drops the connection.

Caution must be used in setting these timers.

For example, these timers should take into account extended breaks such as lunch. If the timing mark interval is smaller than the lunch break time, the network may be flooded with TIMEMARK commands around the lunch hour.
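The following added example (not IBM code and not part of the original help text) simulates the scan logic described above, so you can see how long an unreachable client keeps its connection and how many TIMEMARK commands a group of idle clients generates. The class and function names are hypothetical, the client timings are constructed, and treating "idle" as at least one full timing mark interval without data is an assumption.

```python
"""Model of the timing mark scan logic (added example, not IBM code)."""
from dataclasses import dataclass
from typing import Optional

ALWAYS_REACHABLE = float("inf")


@dataclass
class Connection:
    name: str
    last_rx: int                        # when the server last received client data (s)
    gone_at: float = ALWAYS_REACHABLE   # constructed: when the client silently vanishes
    timemark_pending: bool = False      # TIMEMARK sent on the previous scan, unanswered
    timemarks_sent: int = 0
    dropped_at: Optional[int] = None


def effective_timing_mark(timing_mark: int, scan_interval: int) -> int:
    """A timing mark interval below the scan interval is set equal to it."""
    return max(timing_mark, scan_interval)


def run_scans(conns, scan_interval, timing_mark, horizon):
    """Scan every scan_interval seconds up to horizon; update and return conns."""
    timing_mark = effective_timing_mark(timing_mark, scan_interval)
    for now in range(scan_interval, horizon + 1, scan_interval):
        for c in conns:
            if c.dropped_at is not None:
                continue
            if c.timemark_pending:
                # Nothing arrived since the TIMEMARK sent on the previous scan.
                c.dropped_at = now
                continue
            # Assumption: idle means at least timing_mark seconds without data.
            if now - c.last_rx >= timing_mark:
                c.timemarks_sent += 1
                if now < c.gone_at:
                    c.last_rx = now     # the reply counts as data received
                else:
                    c.timemark_pending = True
    return conns


def page_example():
    """Values from the text: scan interval 1800 s, timing mark interval 10800 s."""
    dead = Connection("dead-client", last_rx=100, gone_at=100)
    idle = Connection("idle-client", last_rx=100)
    run_scans([dead, idle], scan_interval=1800, timing_mark=10800, horizon=6 * 3600)
    return dead, idle


def timemarks_during_break(n_clients, break_seconds, scan_interval, timing_mark):
    """Total TIMEMARKs sent to n_clients that stay reachable but idle for a break."""
    conns = [Connection(f"c{i}", last_rx=0) for i in range(n_clients)]
    run_scans(conns, scan_interval, timing_mark, horizon=break_seconds)
    return sum(c.timemarks_sent for c in conns)


if __name__ == "__main__":
    dead, idle = page_example()
    print("dead client dropped at", dead.dropped_at, "s")
    print("idle client dropped at", idle.dropped_at, "after", idle.timemarks_sent, "TIMEMARK")
    print("TIMEMARKs, 500 clients, 1 h break:", timemarks_during_break(500, 3600, 300, 900))
```

With the values from the text, a client that disappears at 100 seconds is not dropped until the scan at 14400 seconds, so a lost connection can hold its LU for roughly the timing mark interval plus two scan intervals.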



Inactivity timer

Indicates how long a terminal connection can be idle with no SNA data traffic before the connection is dropped. The TN3270 server records the time at which data is received from VTAM or sent to VTAM per connection. The server periodically scans the connections and checks if the connection has had any data sent or received within the inactivity interval. If not, the connection is dropped.

Caution must be used in setting this timer. Setting it too low could cause excessive CPU usage.



Telnet 3270 Server Configuration: Welcome

A TN3270 server is an interface between IP and SNA networks. End users in an IP network connect to the server, which is also a VTAM application. The TN3270 Telnet server runs in the TCP/IP address space as part of TCP/IP, and is started as part of the TCP/IP startup procedure.

As you proceed through the TN3270 Wizard, you will use the Next, Back and Finish buttons to proceed through a few basic panels where you will configure:

This configuration will provide:




Telnet 3270 Start Procedure

Use this panel to see a display of the Telnet 3270 start procedure. This start procedure can be used to start the Telnet 3270 Server in its own address space.

Push buttons
Click Save to save this file to your local disk.
Click Print to print this file.
Click Close to end this panel.
Click Help to understand more about this panel.