Downloads |
Table Of Contents
TN3270 Server Connectivity Enhancements
Related Features and Technologies
Supported Standards, MIBs, and RFCs
Configuring a Listen-Point PU to Define DLUR PUs using Dynamic LU Naming
Configuring a Listen-Point PU to Define Direct PUs using Dynamic LU Naming
Configuring Inverse DNS Nailing
Nailing Clients to Pools by IP Address
Nailing Clients to Pools by Device Name
Nailing Clients to Pools by Device Name using a Domain ID
Nailing Clients to Pools by Domain Name
Nailing Clients to Pools by Domain Name Using a Domain ID
Configuring SSL Encryption Support
Obtaining Server Digital Certificate from Certificate Authority
Load Server Digital Certificate onto the flash of the TN3270 router
Configuring the Default Profile
Configuring a Listen Point for Security
Verifying TN3270 Server Connectivity Enhancements
Monitoring and Maintaining TN3270 Server Connectivity Enhancements
SSL Encryption Support Examples
show extended channel tn3270-server client-name
show extended channel tn3270-server nailed-domain
show extended channel tn3270-server nailed-name
show extended channel tn3270-server pu
show extended channel tn3270-server security
TN3270 Server Connectivity Enhancements
This feature module describes the TN3270 Server Connectivity Enhancements feature. It includes information on the overview and benefits of the new feature, configuration tasks, configuration examples, and new and modified commands.
This document contains the following sections:
•
Supported Standards, MIBs, and RFCs
Feature Overview
The TN3270 Server Connectivity Enhancements feature in Cisco IOS Release 12.1(5)T contains several TN3270 server configuration enhancements, which are described in this document:
Dynamic LU Naming
The Dynamic LU Naming enhancement allows the user to configure named logical units (LUs) from the TN3270 server side. This enhancement allows the TN3270 server to pass an LU name to the Virtual Telecommunications Access Method (VTAM) software running on the mainframe and have VTAM dynamically create an LU with that name. The LU name is then sent to the mainframe as part of subvector 86 in the Reply PSID NMVT power-on frame. The TN3270 client can connect to any of the available TN3270 servers and the selected server can request a specific LU name for the client. In addition, the LU naming conventions have been modified to allow for more flexibility when specifying lu-seed names.
Inverse DNS Nailing
The Inverse DNS Nailing enhancement enables the TN3270 server to nail a pool of LUs to client machine names or to an entire domain. This enhancement allows dynamic IP addressing on the TN3270 client machines. This addressing is used in network design scenarios, for example, a Dynamic Host Configuration Protocol (DHCP) environment and in individual network configuration scenarios, for example, a machine is moved and needs a new network address.
The Cisco IOS software inverse nailing support uses the Domain Name System (DNS) in routers to look up the symbolic name associated with a client IP address. The TN3270 server uses this symbolic name to assign a predefined LU pool for the user. This eliminates the need for nailed TN3270 clients to have statically defined IP addresses. If you configure inverse DNS nailing on the TN3270 server, you do not need to modify the DNS nailing statements in the router configuration.
SSL Encryption Support
The SSL Encryption Support enhancement allows TN3270 clients and servers to negotiate authentication and encryption schemes using the Secure Socket Layer (SSL) technology. The TN3270 server uses SSL version 3.0 to establish secure sessions.
Benefits
This section describes the benefits of the TN3270 server feature enhancements introduced in Cisco IOS Release 12.1(5)T.
Dynamic LU Naming
•
•
•
•
Inverse DNS Nailing
•
•
•
•
SSL Encryption Support
Note
•
•
•
•
Restrictions
Dynamic LU Naming
•
•
•
*Apr 17 12:40:53:%CIP2-3-MSG:slot2 :%TN3270S-3-NO_DYN_ACTLU_REQ_RCVDNo ACTLU REQ received on LU JJDL1.6Inverse DNS Nailing
•
•
SSL Encryption Support
•
Related Features and Technologies
The TN3270 Server Connectivity Enhancements feature is an enhancement to the existing TN3270 server feature that is documented in the "TN3270 Server" chapters of the Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.1 and the Cisco IOS Bridging and IBM Networking Command Reference, Volume II, Release 12.1.
Inverse DNS Nailing
•
SSL Encryption Support
•
Related Documents
•
•
Supported Platforms
Router Requirements
The TN3270 Server Connectivity features are supported on the following router platforms:
•
•
•
You must configure the TN3270 server features on the virtual interface of a CMCC adapter. For a CIP, the virtual interface is either 2. For the CPA adapters, ECPA and PCPA, the virtual interface is port 0.
Supported Standards, MIBs, and RFCs
Standards
•
MIBs
•
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB website on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
•
Prerequisites
This section describes the prerequisites of the TN3270 server feature enhancements introduced in Cisco IOS release 12.1(5)T. These are divided into router and mainframe prerequisites and then grouped by software (for example, microcode and VTAM) or feature (for example, SSL Encryption Support).
Router Prerequisites
Microcode prerequisites
The Cisco TN3270 server consists of a system image and a microcode image virtually bundled as one combined image. The following versions of hardware microcode are supported for the TN3270 Server Connectivity Enhancements feature on the CIP and CPA in Cisco IOS Release 12.1(5)T:
•
•
For additional information about what is supported in the various releases of the Cisco IOS software and the CIP microcode, see the information on Cisco Connection Online (CCO).
Inverse DNS Nailing
•
–
–
–
SSL Encryption Support
•
•
Mainframe prerequisites
VTAM prerequisites
Mainframe hosts using Systems Network Architecture (SNA) with the TN3270 server must be running VTAM V4R2 or later.
Note
Dynamic LU Naming
•
–
–
–
•
Configuration Tasks
The following sections describe configuration tasks for the TN3270 Server Connectivity Enhancements feature:
•
•
•
See the "Configuration Examples" section for sample configurations.
For a complete description of the new or modified TN3270 Server commands in this feature module, refer to the "Command Reference" section. For a complete description of the rest of the TN3270 Server commands in this feature module, refer to the "TN3270 Server Commands" chapter in the Cisco IOS Bridging and IBM Networking Command Reference, Volume II, Release 12.1.
Configuring Dynamic LU Naming
Perform the tasks in the following sections to configure dynamic LU naming according to the type of PU:
•
•
Mainframe Configuration Notes
•
•
•
Configuring a Listen-Point PU to Define DLUR PUs using Dynamic LU Naming
To configure a listen-point PU on the internal LAN interface on the CMCC adapter, and to define DLUR PUs using dynamic LU naming, use the following commands beginning in TN3270 configuration mode.
When you use the pu command, you enter listen-point PU configuration mode and can use all other commands in this task list. Values that you enter for siftdown commands (such as the lu deletion command) in listen-point PU configuration mode will override values that you previously entered in listen-point or TN3270 server configuration mode. For more information about configuring siftdown commands, see the "Configuring TN3270 Siftdown Commands" section in the "Configuring TN3270 Server" chapter in the Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.1.
Note
Configuring a Listen-Point PU to Define Direct PUs using Dynamic LU Naming
To configure a listen-point PU on the internal LAN interface on the CMCC adapter and configure direct PUs using dynamic LU naming, use the following commands beginning in listen-point configuration mode.
When you use the pu command, you enter listen-point PU configuration mode and can use all other commands in this task list. Values that you enter for siftdown commands (such as the lu deletion command) in listen-point PU configuration mode will override values that you previously entered in listen-point or TN3270 server configuration mode. For more information about configuring siftdown commands, see the "Configuring TN3270 Siftdown Commands" section in the "Configuring TN3270 Server" chapter in the Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.1.
Note
Configuring Inverse DNS Nailing
Perform the tasks in the following section to configure the different methods of Inverse DNS Nailing feature:
•
•
•
•
•
Note
Note
Note
Nailing Clients to Pools by IP Address
To nail a client to a pool of LUs by IP address, use the following commands beginning in TN3270 configuration mode.
Nailing Clients to Pools by Device Name
To nail a client to a pool of LUs by device name, use the following commands beginning in TN3270 configuration mode.
Nailing Clients to Pools by Device Name using a Domain ID
To nail a client to a pool of LUs by device name using a domain id, use the following commands beginning in TN3270 configuration mode.
Nailing Clients to Pools by Domain Name
To nail a client to a pool of LUs by domain name, use the following commands beginning in TN3270 configuration mode.
Nailing Clients to Pools by Domain Name Using a Domain ID
To nail a client to a pool of LUs by domain name using a domain id, use the following commands beginning in TN3270 configuration mode.
Configuring SSL Encryption Support
Perform the tasks in the following sections to configure the SSL Encryption feature:
•
•
•
•
•
•
Obtaining Server Digital Certificate from Certificate Authority
In order to obtain a sever digital certificate, first create a Certificate Signing Request Pointer to Readme.csr file.
The certificate must be in PEM or Base64 format.
Once you obtain the server digital certificate from a CA such as Verisign, append the private key file onto the end of the digital certificate.
Load Server Digital Certificate onto the flash of the TN3270 router
Digital Certificate must be copied to the flash card on the TN3270 router
e.g. copytftp:servercert.pem slot0:
Configuring Security
To configure security on the TN3270 server, use the following command beginning in TN3270 server configuration mode:
Router(cfg-tn3270)# security
Enables security on the TN3270 server and enters TN3270 security configuration mode.
Enabling and Disabling Security
To enable and disable security on the TN3270 server, use the following commands beginning in TN3270 security configuration mode:
Router(tn3270-security)# enable
(Optional) Enables security in the TN3270 server.
Router(tn3270-security)# disable
(Optional) Disables the security feature in the TN3270 server.
Configuring the Profile
To configure a security profile on the TN3270 server, use the following command beginning in TN3270 security configuration mode:
Router(tn3270-security)# profile profilename {ssl | none}
Specifies a name and a security protocol for a security profile.
Configuring the Profile Options
To configure the security profile options, use the following commands beginning in TN3270 profile configuration mode:
Configuring the Default Profile
To configure the default security profile name to be applied to the listen-points, use the following command beginning in TN3270 security configuration mode:
Note
Router(tn3270-security)# default-profile profilename
Specifies the name of the profile to be applied to the listen-points by default.
Configuring a Listen Point for Security
To configure a listen-point for security, use the following command beginning in TN3270 listen-point configuration mode:
Note
Note
Router(tn3270-lpoint)# sec-profile profilename
Specifies the security profile to be associated with a listen-point.
Verifying TN3270 Server Connectivity Enhancements
Verifying Dynamic LU Naming on the TN3270 server
Complete the following steps to verify the Dynamic LU Naming enhancement:
Step 1
Router# show extended channel 3/2 tn3270-server<current stats> < connection stats > <response time(ms)>server-ip:tcp lu in-use connect disconn fail host tcp172.28.1.106:23 510 1 12 11 0 54 40172.28.1.107:23 511 0 0 0 0 0 0172.28.1.108:23 255 0 0 0 0 0 0total 1276 1configured max_lu 20000idle-time 0 keepalive 1800 unbind-action disconnecttcp-port 23 generic-pool permit no timing-marklu-termination unbind lu-deletion named
Step 2
Router# show extended channel 6/2 tn3270-server pu pu1name(index) ip:tcp xid state link destination r-lsapPU1(1) 172.18.4.18:23 91903315 ACTIVE dlur NETA.SHPU1idle-time 0 keepalive 1800 unbind-act discon generic-poolpermip-preced-screen 0 ip-preced-printer 0 ip-tos-screen 0 ip-tos-printer 0Verifying Inverse DNS Nailing on the TN3270 server
Complete the following steps to verify the Inverse DNS Nailing enhancement:
Step 1
Router# show extended channel 1/2 tn3270-server nailed-domain .cisco.comCISCO.COM listen-point 172.18.4.18 pool PCPOOLStep 2
Router# show extended channel 1/2 tn3270-server nailed-name myclient.cisco.comMYCLIENT.CISCO.COM listen-point 172.18.4.18 pool PCPOOLHISCLIENT.CISCO.COM listen-point 172.18.4.18 pool UNIXPOOLHERCLIENT.CISCO.COM listen-point 172.18.4.19 pool GENERALPOOLVerifying SSL Encryption Support on the TN3270 server
Complete the following steps to verify the SSL Encryption Support enhancement:
Step 1
Router# show extended channel 3/2 tn3270-server security sec-profile cert40Step 2
Router# show extended channel 3/2 tn3270-server security listen-point 172.18.5.188
Troubleshooting Tips
Dynamic LU Naming
•
•
•
*Apr 17 12:40:53:%CIP2-3-MSG:slot2 :%TN3270S-3-NO_DYN_ACTLU_REQ_RCVDNo ACTLU REQ received on LU JJDL1.6•
Inverse DNS Nailing
•
A connection attempt from client <ip address> was refused because its DNS name could not be obtained.This action removes any potential security risk but presents potential disadvantages—the client could be denied a valid LU, and the generic-pool permit and deny settings may be ignored. For these reasons, it is strongly recommended that users configure the Inverse DNS Nailing enhancement on a PU that does not support LUs that have been assigned froma generic pool, or a PU that has the generic-pool command configured with the deny keyword specified.
•
Monitoring and Maintaining TN3270 Server Connectivity Enhancements
Dynamic LU Naming
To monitor the status of the Dynamic LU Naming enhancement, use the following commands in EXEC mode:
Inverse DNS Nailing
To monitor the status of the Inverse DNS Nailing enhancement, use the following commands in EXEC mode:
Configuration Examples
This section provides the following configuration examples:
•
Dynamic LU Naming Example
Router configuration
The following router configuration is an example of the TN3270 server configured with LU pooling. A listen-point PU is configured to define DLUR PUs using dynamic LU naming. Note the following lines in the configuration:
•
•
The LUs ABC01PQR through ABC32PQR and PQR100 through PQR199 are allocated to the pool SIMPLE. The LUs ABC64PQR through ABC96PQR and PQR010 through PQR035 are allocated to the pool PCPOOL. The remaining LUs are in the generic pool.
tn3270-serverpool simple cluster layout 1spool pcpool cluster layout 4s1pMainframe configuration
The following mainframe configuration is an example of the VTAM configuration that can be used if the TN3270 server is configured with the Dynamic LU Naming enhancement.
Note
Note
SWN72022 VBUILD TYPE=SWNETPU1 PU ADDR=01, XPUTYPE=2, XIDBLK=919, XIDNUM=03315, XINCLUD0E=YES, XLUGROUP=MYLUS*PU2 PU ADDR=01, XPUTYPE=2, XIDBLK=919, XIDNUM=13315, XINCLUD0E=YES, XLUGROUP=MYLUSInverse DNS Nailing Examples
Nailing Clients to Pools by Device Name, Domain Name, and Domain ID using a Domain ID
The following router configuration shows an example of commands used to define the TN3270 server with LU pools using inverse DNS nailing:
tn3270-serverdomain-id 2 .cisco.comdomain-id 20 .yahoo.compool GENERAL cluster layout 4s1ppool TEST cluster layout 4s1plisten-point 172.18.5.168pu T240CA 91922363 token-adapter 31 12 rmac 4000.4000.0001allocate lu 1 pool GENERAL clusters 1client name lucy49.cisco.com pool GENERALclient name george 20 pool TESTclient name arthur 20 pool TESTclient name tyson 20 pool TESTclient name daisy 20 pool TESTlisten-point 172.18.5.169pu T240CB 91922364 token-adapter 31 12 rmac 4000.4000.0002allocate lu 1 pool TEST clusters 50client domain-name cisco.com pool GENERALclient domain-id 20 pool TESTNailing Clients to Pools by IP Address
The following router configuration shows an example of commands used to define the TN3270 server with LU pools using inverse DNS nailing. In this example, the client pool command is configured with the ip keyword. The command nails the client at IP address 10.1.2.3 with an IP mask of 255.255.255.0 to the pool named OMAHA:
tn3270-serverpool OMAHA cluster layout 10s1plisten-point 172.18.4.18Nailing Clients to Pools by Device Name
The following router configuration shows an example of commands used to define the TN3270 server with LU pools using inverse DNS nailing. In this example the client pool command is configured with the name keyword. The command nails the client at device name george-isdn29.cisco.com to the pool named GENERAL:
tn3270-serverpool GENERAL cluster layout 4s1plisten-point 172.18.5.168pu T240CA 91922363 token-adapter 31 12 rmac 4000.4000.0001allocate lu 1 pool GENERAL clusters 1Nailing Clients to Pools by Device Name using a Domain ID
The following router configuration shows an example of commands used to define the TN3270 server with LU pools using inverse DNS nailing. In this example the client pool command is configured with the name keyword and the optional DNS-domain-identifier argument. The command nails the client at device name lucy-isdn49.cisco.com to the pool named GENERAL:
tn3270-serverNailing Clients to Pools by Domain Name
The following router configuration shows an example of commands used to define the TN3270 server with LU pools using inverse DNS nailing. In this example the client pool command is configured with the domain-name keyword. The command nails any client at domain name .cisco.com to the pool named GENERAL:
tn3270-serverpool GENERAL cluster layout 4s1plisten-point 172.18.5.168pu T240CA 91922363 token-adapter 31 12 rmac 4000.4000.0001allocate lu 1 pool GENERAL clusters 1Nailing Clients to Pools by Domain Name Using a Domain ID
The following router configuration shows an example of commands used to define the TN3270 server with LU pools using inverse DNS nailing. In this example the client pool command is configured with the domain-id keyword . The command nails any client at domain name .cisco.com to the pool named GENERAL:
tn3270-serverSSL Encryption Support Examples
Mainframe configuration
The following mainframe configuration is an example of the VTAM configuration that can be used if the SSL Encryption Support enhancement is configured:
example PU definition:*BMPU4 PU ADDR=01,PUTYPE=2,LOGAPPL=NETTMVSD,LUGROUP=BMCL13,LUSEED=BMPU4###,PACING=8,VPACING=8,IDBLK=919,IDNUM=36821*BMPU5 PU ADDR=01,PUTYPE=2,LOGAPPL=NETTMVSD,LUGROUP=BMCL13,LUSEED=BMPU5###,PACING=8,VPACING=8,IDBLK=919,IDNUM=46821**BMPU6 PU ADDR=01,PUTYPE=2,LOGAPPL=NETTMVSD,USSTAB=USSTCPMF,DLOGMOD=D4C32782,PACING=8,VPACING=8,IDBLK=919,IDNUM=56821*BMPU6001 LU LOCADDR=01BMPU6002 LU LOCADDR=02BMPU6003 LU LOCADDR=03BMPU6004 LU LOCADDR=04BMPU6005 LU LOCADDR=05BMPU6006 LU LOCADDR=06BMPU6007 LU LOCADDR=07BMPU6008 LU LOCADDR=08BMPU6009 LU LOCADDR=09BMPU6010 LU LOCADDR=10..BMPU6255 LU LOCADDR=255*Simple SSL Encryption Support Example
The following router configuration shows an example of commands used to define a simple configuration of the SSL Encryption Support enhancement. In this configuration, listen-point 172.18.5.187 is a secured listen-point using security profile cert40. Note that the security profile is using all of the default parameters.
interface Channel3/2ip address 172.18.5.185 255.255.255.248no keepalivelan TokenRing 15source-bridge 15 1 500adapter 15 4000.b0ca.0015lan TokenRing 16source-bridge 16 1 500adapter 16 4000.b0ca.0016tn3270-serversecurityprofile CERT40 SSLservercert slot0:verisign187.pemlisten-point 172.18.5.187sec-profile CERT40pu BMPU5 91946821 token-adapter 15 08 rmac 4000.b0ca.0016Complex SSL Encryption Support Example
The following router configuration shows an example of commands used to define a more complex configuration of the SSL Encryption Support enhancement:
•
•
•
interface Channel3/2ip address 172.18.5.185 255.255.255.248no keepalivelan TokenRing 15source-bridge 15 1 500adapter 15 4000.b0ca.0015lan TokenRing 16source-bridge 16 1 500adapter 16 4000.b0ca.0016tn3270-serversecurityprofile CERT128 SSLservercert slot0:verisign128.pemencryptorder RC4 RC2 DESkeylen 128profile CERT40 SSLservercert slot0:coach188.pemlisten-point 172.18.5.186pu BMPU4 91946821 token-adapter 15 04 rmac 4000.b0ca.0016listen-point 172.18.5.187sec-profile CERT128pu BMPU5 91956821 token-adapter 15 08 rmac 4000.b0ca.0016listen-point 172.18.5.188sec-profile CERT40pu BMPU6 91966821 token-adapter 15 0C rmac 4000.b0ca.0016Command Reference
This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.1 command reference publications.
•
•
•
•
•
certificate reload
To load the X.509 digital certificate from the file specified in the servercert command, use the certificate reload profile command.
certificate reload
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Profile configuration
Command History
Usage Guidelines
There is not a no form for this command.
The TN3270 server must be configured for security.
Examples
The following example configures the TN3270 server with SSL Encryption Support to read the profile security certificate from the file specified in the servercert command:
certificate reloadRelated Commands
servercert
Specifies the location of the TN3270 server's X.509 digital certificate in the flash memory.
client pool
To nail clients to pools, use the client pool listen-point configuration command. Use the no form of this command to remove clients from pools.
client {[ip ip-address [ip-mask]] | [name DNS-name [DNS-domain-identifier]] | [domain-name DNS-domain] | [domain-id DNS-domain-identifier]} pool poolname
no client {[ip ip-address [ip-mask]] | [name DNS-name [DNS-domain-identifier]] | [domain-name DNS-domain] | [domain-id DNS-domain-identifier]} pool poolname
Syntax Description
Defaults
No default behavior or values.
Command Modes
Listen-point configuration
Command History
Usage Guidelines
If the pool is configured while LUs are in use, existing clients are allowed to complete their sessions. A pool name can be identical to an LU name. When assigning an LU, the TN3270 server searches the LU name space first for specific requests, such as connections that specify a device name on CONNECT or LU name in the terminal type negotiation. The request is assumed to be directed to the specific LU rather than to the pool. Make sure the LU names do not conflict.
Examples
Nailing Clients to Pools by IP Address
The following is an example of the client pool command with the ip keyword configured. The command nails the client at IP address 10.1.2.3 with an IP mask of 255.255.255.0 to the pool named OMAHA:
tn3270-serverpool OMAHA cluster layout 10s1plisten-point 172.18.4.18Nailing Clients to Pools by Device Name
The following is an example of the client pool command with the name keyword configured. The command nails the client at device name george-isdn29.cisco.com to the pool named GENERAL:
tn3270-serverpool GENERAL cluster layout 4s1plisten-point 172.18.5.168pu T240CA 91922363 token-adapter 31 12 rmac 4000.4000.0001allocate lu 1 pool GENERAL clusters 1Nailing Clients to Pools by Device Name using a Domain ID
The following is an example of the client pool command with the name keyword and the optional DNS-domain-identifier argument configured. The command nails the client at device name lucy-isdn49.cisco.com to the pool named GENERAL:
tn3270-serverNailing Clients to Pools by Domain Name
The following is an example of the client pool command with the domain-name keyword configured. The command nails any client at domain name .cisco.com to the pool named GENERAL:
tn3270-serverpool GENERAL cluster layout 4s1plisten-point 172.18.5.168pu T240CA 91922363 token-adapter 31 12 rmac 4000.4000.0001allocate lu 1 pool GENERAL clusters 1Nailing Clients to Pools by Domain Name Using a Domain ID
The following is an example of the client pool command with the domain-id keyword configured. The command nails any client at domain name cisco.com to the pool named GENERAL:
tn3270-serverRelated Commands
default-profile
To specify the name of the profile to be applied as a default to all the listening points, use the default-profile security command. To disable the default profile specification, use the no form of this command.
default-profile profilename
no default-profile profilename
Syntax Description
Defaults
No default profile.
Command Modes
Security configuration
Command History
Usage Guidelines
If this command is configured, this profile name and all of its attributes will be associated with all listen-points that do not specify an individual profile with the sec-profile command.
Profile names cannot be duplicated.
Entering the no form of this command removes the default specification and any listen-points that do not have the sec-profile command specified will revert to a non-secure mode.
This command has no retroactive effect. If a listen-point is specified using the listen-point command, and the sec-profile command was already configured for that listen-point then all client connections to that listen-point will be secure.
If a listen-point is specified using the listen-point command, and the default-profile command is not configured, then all client connections to that listen-point will not be secure. However, if the default-profile command is later configured, then all now connections to that listen-point will be secure using the specified default-profile. This will not affect the non-secure connections.
The following example specifies DOMESTIC as the default profile name for all clients connecting to listen-point 10.10.10.1 until the default-profile FOO command is configured. Once the default-profile FOO command is configured. Once the default-profile FOO command is configured, all new client connections will use FOO as the default profile.
tn3270securityprofile NOSECURITY nonedefault-profile DOMESTICpu DIRECT 012ABCDE tok 0 04default-profile FOOlisten-point 10.10.10.1Related Commands
sec-profile
Specifies the security profile to be associated with a listen-point.
profile
Specifies a name and a security protocol for a security profile.
disable (TN3270)
Todisable the security feature in the TN3270 server, use the disable (TN3270) security configuration command.
disable
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Security configuration
Command History
Usage Guidelines
Configuring the disable (TN3270) command does not terminate any active secure or non-secure connections. This command specifies that all new connections established with the TN3270 server will be non-secure. If a client initiates a change cipher specification for an existing secure connection then the TN3270 server will process the request.
There is not a no form for this command. The enable command is equivalent to the no form of this command.
Examples
The following example turns off the security feature in the TN3270 server so that all new connections established with the TN3270 server will be non-secure:
disableRelated Commands
domain-id
To specify a domain name suffix that the TN3270 server appends to a configured machine name to form a fully-qualified name when configuring inverse DNS nailing, use the domain-id TN3270 server configuration command. To disable this specification, use the no form of this command.
domain-id DNS-domain-identifier DNS-domain
no domain-id DNS-domain-identifier DNS-domain
Syntax Description
Defaults
No default behavior or values.
Command Modes
TN3270 server configuration
Command History
Usage Guidelines
The user can configure up to 255 domain names, one per statement.
This command must be configured you configure the client pool command with either the domain-id keyword or the name keyword and the optional DNS-domain-identifier argument.
Examples
In the following example, the domain-id command specifies 23 as the DNS-domain-identifier for the .cisco.com domain name. All clients nailed to the pool GENERAL will use .cisco.com as the domain name suffix. For example, the client name ally-isdn1 will become ally-isdn1.cisco.com.
tn3270-serverRelated Commands
enable (TN3270)
To turn on security in the TN3270 server, use the enable (TN3270) security configuration mode command.
enable
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Security configuration
Command History
Usage Guidelines
There is not a no form for this command.
If the security command has been disabled, then issuing this command does not affect existing connections.
This command is not displayed in the show running configuration command output because the security functionality is enabled by default.
Examples
The following example turns on security in the TN3270 server:
enableRelated Commands
security
Enables security on the TN3270 server.
disable (TN3270)
Turns off the security feature in the TN3270 server.
encryptorder
To specify thesecurity encryption algorithm for the SSL Encryption Support, use the encryptorder profile configuration command.
encryptorder [DES] [3DES] [RC4] [RC2] [RC5]
Syntax Description
Defaults
The default encryption order is RC4, RC2, RC5, DES, 3DES for domestic software. The default encryption order is RC4, RC2, DES for exportable software.
Command Modes
Profile configuration
Command History
Usage Guidelines
There is not a no form for this command.
These algorithms may be entered in any order, but can be specified only once per encryptorder command.
Exportable versions of software cannot accept the 3DES or RC5 encryption algorithms.
Examples
The following example specifies RC4, DES, and RC2 as the encryption algorithms:
tn3270securityprofile DOMESTIC SSLencryptorder RC4 DES RC2keylen
To specify themaximum bit length for the session encryption key for the TN3270 server with security, use the keylen 128 secureity mode command. To disable this specification and thereby set the key length to the default of 40 bits, use the no form of this command or keylen 40.
keylen {40 | 128}
no keylen {40 | 128}The length is optional on the no form of this command
Syntax Description
40
Specifies the bit length for the encryption keys to 40.
128
Specifies the bit length for the encryption keys to 128.
Defaults
The default encryption key length is 40 bits.
Command Modes
Profile configuration.
Command History
Usage Guidelines
Exportable software versions cannot accept encryption key lengths greater than 40 bits.
Entering the no form of this command resets the length to the default value of 40 bits.
If the key length is changed, all new connections will use the new value. If an active session renegotiates its security specifications, it will use the new key length value.
Examples
The following example specifies the maximum encryption key length value to 128 bits:
tn3270-serversecurityprofile DOMESTIC SSLencryptorder RC4 DES RC2keylen 128lu deletion
To specify whether the TN3270 server sends a REPLY-PSID poweroff request to VTAM to delete the corresponding LU when a client disconnects, use the lu deletion TN3270 server configuration command. Use the no form of this command to remove LU deletion from the current configuration scope.
lu deletion {always | normal | non-generic | never | named}
no lu deletion
Syntax Description
Defaults
The default keyword is never.
Command Modes
TN3270 server configuration—The lu deletion command at this level applies to all PUs supported by the TN3270 server.
Listen-point configuration—The lu deletion command at this level applies to all PUs defined at the listen point.
Listen-point PU configuration—The lu deletion command at this level applies only to the specified PU.
DLUR PU configuration—The lu deletion command at this level applies to all PUs defined under DLUR configuration mode.
PU configuration—The lu deletion command at this level applies only to the specified PU.
Note
Command History
11.2(18)BC
This command was introduced.
12.0(5)T
This command was integrated in to Cisco IOS Release 12.0 T.
12.1(5)T
This command was modified to add the named keyword.
Usage Guidelines
Use the always keyword of the lu deletion command when you have only screen LUs, and they are all different sizes. This prevents screen LUs from attaching to a previously used LU with an incompatible screen size.
Use the normal keyword of the lu deletion command when you have both screen and printer LUs. This is important because printers are acquired by the host application, and not logged on manually. If VTAM deletes the LU, then there is nothing for a host application (such as CICS) to acquire.
You can use the non-generic mode of LU deletion if VTAM can support deletion of specifically-named LUs. (The support of this mode is not currently available in VTAM, as of VTAM version 4.4.1.)
Use the never mode of LU deletion when you have only screen LUs and they all use the same screen size.
Use the named keyword of the lu deletion command when you have configured dynamic LU names from the TN3270 server side.
Examples
Following is an example of the lu deletion command specifying that the TN3270 server send a REPLY-PSID poweroff request to delete only screen LUs upon session disconnect for any PUs supported by the TN3270 server:
tn3270-serverlu deletion normalFollowing is an example of the lu deletion command configuring a listen-point PU to define DLUR PUs using dynamic LU naming:
tn3270-serverlisten-point 172.18.4.18pu pu1 05D9901 dlurlu deletion namedRelated Commands
profile
This command creates or modifies a security profile. To create a profile, specify the name of the new profile along with the security type. To modify a security profile, specify the nameof the profile without the security type. The security type is only required when creating a profile. Using the security type when modifying a profile will result in an error.
To specify a name and a security protocol for a security profile, use the profile configuration command. To remove this name and protocol specification, use the no form of this command.
Create a new profile:
profile profilename {ssl | none}
Modify an existing profile:
profile profilename
Delete a profile:
no profile profilename {ssl | none}
Syntax Description
Defaults
No default behavior or values.
Command Modes
Security configuration
Command History
Usage Guidelines
Profile names cannot be duplicated.
Entering the no form of this command deletes the profile definition and all of its subcommand definitions (encryptorder, servercert, keylen, certificate reload commands). Entering the no form of this command deletes the sec-profile command specifications on all listen-points where it is currently defined.
Entering the profile command moves the user into the profile configuration mode. Entering the no form of the command moves the user into the security configuration mode.
This command has no retroactive effect.
Examples
The following example specifies FOO as the profile name and ssl as the security protocol. When the no profile FOO command is configured, all new client connections will be non-secure.
tn3270-serversecurityprofile FOO sslkeylen 40/128servercert slot0:foocertificate reloadlisten-point 10.10.10.1sec-profile FOOpu DIRECT 012ABCDE tok 0 04no profile FOORelated Commands
pu dlur (listen-point)
To create a PU entity that has no direct link to a host or to enter listen-point PU configuration mode, use the pu dlur listen-point configuration command. Use the no form of this command to remove the PU entity.
pu pu-name idblk-idnum dlur [lu-seed lu-name-stem]
no pu pu-name idblk-idnum dlur [lu-seed lu-name-stem]
Syntax Description
Defaults
No PU is defined.
Command Modes
Listen-point configuration
Command History
Usage Guidelines
If the PU is already created, the pu dlur command without any arguments starts listen-point PU configuration mode. In this mode you can modify an existing listen-point DLUR PU entity.
You should define the DLUR before you configure the listen-point DLUR PU.
A typical usage for the IP address is to reserve an IP address for each application. For example, clients wanting to connect to TSO specify an IP address that is defined with PUs that have LOGAPPL=TSO.
If the lu-seed option is not configured, the PU name is used as the implicit lu-seed to generate the LU name. If the lu-seed option is configured, then there is an explicit LU name.
If the explicit LU names conflict, the TN3270 server will reject the PU configuration. If the implicit LU names (i.e., the PU names) conflict, the TN3270 server will accept the PU definitions, but the LU names will consist of a modified, truncated version of the PU name and the LOCADDR.
Table 1 LU Seed Name Examples
NC##RAL
NC#RAL
USA##NC
#GEORGE
#####
Examples
The following example defines three PUs in the listen point with an IP address of 172.18.4.18:
tn3270-serverlisten-point 172.18.4.18pu p0 05D99001 dlurpu p1 05D99002 dlurpu p2 05D99003 dlurThe following is an example of the TN3270 server configured with LU pooling. A listen-point PU is configured to define DLUR PUs using the dynamic LU naming. Note that the lu deletion command must be configured with the named option. The PU pu1 is defined with lu-seed abc##pqr. Using hexadecimal numbers for ##, the LU names for this PU are ABC01PQR, ABC02PQR, ABC0APQR.... up to ABCFFPQR. Similarly, the PU pu2 is defined with lu-seed pqr###. Using decimal numbers for ###, the LU names for this PU are PQR001, PQR002... up to PQR255.
The LUs ABC01PQR through ABC32PQR and PQR100 through PQR199 are allocated to the pool SIMPLE. The LUs ABC64PQR through ABC96PQR and PQR010 through PQR035 are allocated to the pool PCPOOL. The remaining LUs are in the generic pool.:
tn3270-serverpool simple cluster layout 1spool pcpool cluster layout 4s1pRelated Commands
dlur
Enables the SNA session switch function on the CMCC adapter, or enters DLUR configuration mode.
listen-point
Defines an IP address for the TN3270 server.
sec-profile
To specify a security profile to be associated with a listen-point, use the sec-profile listen-point configuration command. To remove this specification, use the no form of this command.
sec-profile profilename
no sec-profile profilename
Syntax Description
Defaults
No default behavior or values.
Command Modes
TN3270 listen-point configuration
Command History
Usage Guidelines
If this command is not entered or if the no form of the command is entered, the security profile reverts to the profile configured in the default-profile command. If no default-profile is specified, then the listen-point will accept only non-secure connections
This command has no retroactive effect.
Examples
The following example specifies FOO as the security profile name for all new clients connecting to listen-point 10.10.10.1 until the sec-profile FOO1 command is configured. Once the sec-profile FOO1 command is configured, all new client connections to 10.10.10.1 will use FOO1 as the profile name.
tn3270-serversecurityprofile FOO sslkeylen 40/128servercert slot0:foocertificate reloadprofile FOO1 sslkeylen 40servercert slot0:foo1certificate reloadlisten-point 10.10.10.1sec-profile FOOpu DIRECT 012ABCDE tok 0 04Sec-profile F001Related Commands
profile
Specifies a name and a security protocol for a security profile.
default-profile
Specifies the name of the profile to be applied to the listening-points by default.
security (TN3270)
To enable or modify security and enter the TN3270 security configuration mode, use the security command. To disable security on the TN3270 server, use the no form of this command.
security
no security
Syntax Description
This command has no arguments or keywords.
Defaults
The default is enabled.
Command Modes
TN3270 server configuration
Command History
Usage Guidelines
If the no form of this command is configured, any listen-points that contain a security profile definition will be re-configured, and thus no longer secure. Sessions already established on the listen-point will continue to run in the same mode (secure or non-secure) as originally configured. If sessions are active on a listen-point, a message will be sent to the IOS console stating that the listen-point has sessions running with an outdated security specification. A shutdown/restart sequence must be performed on the listen-point if the user wants the sessions on the listen-point to use the new specification.
Entering this command moves the user into the security configuration mode. Entering the no form of this command moves the user to a TN3270 server configuration mode.
This command has no retroactive effect.
Examples
In the following example, security is enabled on the TN3270 server:
tn3270-serversecurityRelated Commands
servercert
To specify the location of the TN3270 server's security certificate in the router's flash memory, use the servercert profile configuration command.
servercert location
Syntax Description
location
Hexadecimal string can contain up to63 characters whicht specify the location of the server's certificate in the flash memory.
Defaults
No default behavior or values.
Command Modes
Profile configuration
Command History
Usage Guidelines
The certificate must be created offline. It cannot be created using using the Cisco IOS software. Third party software may be used, or a Windows-based utility that can be downloaded from http://www.___________. The certificate should be in PEM or Base64 format. The output from the certificate generation contains two parts: The certificate and the private key. These two files shouldbe concatenated together to create a single certificate file containing the certificate and the private key in PEM or Base64 format.
The resultant file containing the certificate and the private key should be stored on the flash via TFIP, and the location entered here. This certificate is in X.509 format, signed by a Certificate Authority (CA). If the file does not exist in the flash memory when the command is entered, the command is not rejected. An error message is displayed indicating that the file does not exist. The first time this command is configured the certificate is automatically loaded from the specified location. Subsequent changes to the location file will not cause the certificate to be read automatically into system's memory. The certificate reload command must be issued to read the certificate into memory. If the user exits from the profile configuration mode without configuring the servecert command, a warning message is displayed.The warning message specifies that it is mandatory to configure a servercent.
The following example specifies that slot0:foo is the location of the security certificate:
tn3270-serversecurityprofile FOO sslkeylen 512servercert slot0:foocertificate reloadRelated Commands
show extended channel tn3270-server client-name
To display information about all connected clients with a specific machine name, use the show extended channel tn3270-server client-name EXEC command.
show extended channel slot/virtual channel tn3270-server client-name name
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Command History
Usage Guidelines
There is not a no form for this command.
Examples
The following is sample output from the show extended channel tn3270-server client-name command:
Router# show extended channel 4/2 tn3270-server client-name dhcp-rtp-34-40.cisco.comNote: if state is ACT/NA then the client is disconnectedlu name client-name nail state model frames in out idle for6 dhcp-rtp-34-40.cisco. N P-ACTLU 3278S2E 1 0 0:1:59pu is T240CA, lu is DYNAMIC unbound, negotiated TN3270Ebytes 101 in, 0 out; RuSize 256 in, 256 out; NegRsp 0 in, 0 outpacing window 0 in, 0 out; credits 0 in, queue-size 0 in, 0 outresponse time buckets 0 0 0 0 0average total response time 0 average IP response time 0number of transactions 0Note: if state is ACT/NA then the client is disconnectedlu name client-name nail state model frames in out idle for7 T240DA07 dhcp-rtp-34-40.cisco. N P-BIND 3278S2E 4 3 0:1:32pu is T240CA, lu is DYNAMIC unbound, negotiated TN3270Ebytes 199 in, 407 out; RuSize 256 in, 256 out; NegRsp 0 in, 0 outpacing window 0 in, 0 out; credits 0 in, queue-size 0 in, 0 outresponse time buckets 0 0 0 0 0average total response time 0 average IP response time 0number of transactions 0Total 2 clients found using dhcp-rtp-34-40.cisco.comTable 2 describes significant fields in the display.
show extended channel tn3270-server nailed-domain
To list all nailing statements with a specific nailed-domain name, use the show extended channel tn3270-server nailed-domain EXEC command.
show extended channel slot/virtual channel tn3270-server nailed-domain name
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Command History
Usage Guidelines
There is not a no form for this command.
Examples
The following is sample output from the show extended channel tn3270-server nailed-domain command:
Router# show extended channel 1/2 tn3270-server nailed-domain .cisco.comCISCO.COM listen-point 172.18.4.18 pool PCPOOLTable 3 describes significant fields in the display.
show extended channel tn3270-server nailed-name
To list all nailing statements with a specific nailed machine name, use the show extended channel tn3270-server nailed-name EXEC command.
show extended channel slot/virtual channel tn3270-server nailed-name name
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Command History
Usage Guidelines
There is not a no form for this command.
Examples
The following is sample output from the show extended channel tn3270-server nailed-name command:
Router# show extended channel 1/2 tn3270-server nailed-name myclient.cisco.comMYCLIENT.CISCO.COM listen-point 172.18.4.18 pool PCPOOLHISCLIENT.CISCO.COM listen-point 172.18.4.18 pool UNIXPOOLHERCLIENT.CISCO.COM listen-point 172.18.4.19 pool GENERALPOOLTable 4 describes significant fields in the display.
show extended channel tn3270-server pu
To display configuration parameters for a PU and all the LUs currently attached to the PU, including the LU cluster layout and pool name, use the show extended channel tn3270-server pu EXEC command.
show extended channel slot/virtual channel tn3270-server pu pu-name [cluster | client-name]
Syntax Description
Defaults
No default behavior or values.
Command Modes
EXEC
Command History
Usage Guidelines
The show extended channel tn3270-server pu command is valid only on the virtual channel interface. The display shown depends on whether the PU is a direct PU or a SNA session switch PU.
The output for the show extended channel tn3270-server pu command varies based on using the optional cluster keyword. Without the cluster keyword, the output column headings for the LU information appear as "model," "frames in out," and "idle for."
When you use the cluster keyword, the output column headings for the LU information appear as "cluster," "pool," and "count." The cluster heading lists the specific cluster within the pool to which the LU belongs along with the specific cluster layout after the slash.
The pool heading identifies the corresponding pool name, and the count heading identifies the cluster number out of the total number of clusters in the pool.
There is not a no form for this command.
Examples
This example shows a sample router configuration and the corresponding output using the show extended channel tn3270-server pu command:
interface Channel6/1no ip addressno keepalivecsna E160 40!interface Channel6/2ip address 172.18.4.17 255.255.255.248no keepalivelan TokenRing 15source-bridge 15 1 500adapter 15 4000.b0ca.0015lan TokenRing 16source-bridge 16 1 500adapter 16 4000.b0ca.0016tn3270-serverpool PCPOOL cluster layout 4s1ppool SIMPLE cluster layout 1apool UNIXPOOL cluster layout 49s1pdlur NETA.SHEK NETA.MVSDlsap token-adapter 15 04link SHE1 rmac 4000.b0ca.0016listen-point 172.18.4.18 tcp-port 23pu PU1 91903315 dlurallocate lu 1 pool PCPOOL clusters 10allocate lu 51 pool UNIXPOOL clusters 2allocate lu 200 pool SIMPLE clusters 50listen-point 172.18.4.19 tcp-port 2023pu PU2 91913315 token-adapter 16 08allocate lu 1 pool UNIXPOOL clusters 2allocate lu 101 pool SIMPLE clusters 100allocate lu 201 pool PCPOOL clusters 10Following is an example of the output from the show extended channel tn3270-server pu command without the cluster keyword for a PU named PU1:
Router# show extended channel 6/2 tn3270-server pu pu1name(index) ip:tcp xid state link destination r-lsapPU1(1) 172.18.4.18:23 91903315 ACTIVE dlur NETA.SHPU1idle-time 0 keepalive 1800 unbind-act discon generic-poolpermip-preced-screen 0 ip-preced-printer 0 ip-tos-screen 0 ip-tos-printer 0lu-termination unbind lu-deletion neverbytes 27019 in, 73751 out; frames 1144 in, 869 out; NegRsp 0 in, 0 outactlus 5, dactlus 0, binds 5Note: if state is ACT/NA then the client is disconnectedlu name client-ip:tcp nail state model frames in out idle for1 SHED1001 161.44.100.162:1538 N ACT/SESS 3278S2E 228 172 0:0:251 SHED1051 161.44.100.162:1539 N ACT/SESS 3278S2E 240 181 0:0:2151 SHED1151 161.44.100.162:1536 N ACT/SESS 327802E 212 160 0:0:5152 SHED1152 161.44.100.162:1537 N ACT/SESS 3278S2E 220 166 0:0:4200 SHED1200 161.44.100.162:1557 N ACT/SESS 3278S2E 244 184 0:0:2Following is an example of the output from the show extended channel tn3270-server pu command with the cluster keyword for a PU named PU1. In the example below, 1/1a identifies cluster 1 with a layout of 1a, which contains 1 LU of any type.
Router# show extended channel 6/2 tn3270-server pu pu1 clustername(index) ip:tcp xid state link destination r-lsapPU1(1) 172.18.4.18:23 91903315 ACTIVE dlur NETA.SHPU1idle-time 0 keepalive 1800 unbind-act discon generic-poolpermip-preced-screen 0 ip-preced-printer 0 ip-tos-screen 0 ip-tos-printer 0lu-termination unbind lu-deletion neverbytes 27489 in, 74761 out; frames 1164 in, 884 out; NegRsp 0 in, 0 outactlus 5, dactlus 0, binds 5Note: if state is ACT/NA then the client is disconnectedlu name client-ip:tcp nail state cluster pool count1 SHED1001 161.44.100.162:1538 N ACT/SESS 1/4s1p PCPOOL 1/551 SHED1051 161.44.100.162:1539 N ACT/SESS 1/49s1p UNIXPOOL 1/50151 SHED1151 161.44.100.162:1536 N ACT/SESS 1/1a :GENERIC 1/1152 SHED1152 161.44.100.162:1537 N ACT/SESS 1/1a :GENERIC 1/1200 SHED1200 161.44.100.162:1557 N ACT/SESS 1/1a SIMPLE 1/1
Note
Following is an example of the output from the show extended channel tn3270-server pu command with the client-name keyword for a PU named JADOEPU:
Router# show extended channel 1/2 tn3270-server pu jadoepu client-namename(index) ip:tcp xid state link destination r-lsapJADOEPU(1) 172.18.5.168:23 91922362 ACTIVE tok 31 4000.4000.0001 04 10idle-time 0 keepalive 30 unbind-act discon generic-pool permip-preced-screen 0 ip-preced-printer 0 ip-tos-screen 0 ip-tos-printer 0lu-termination unbind lu-deletion neverbytes 824 in, 2619 out; frames 36 in, 39 out; NegRsp 0 in, 0 outactlus 4, dactlus 0, binds 3Note: if state is ACT/NA then the client is disconnectedlu name client-name nail state model frames in out idle for1 VINCDP01 never connected Y ACT/NA 1 1 2:31:432 VINCDP02 never connected Y ACT/NA 1 1 2:31:435 VINDG005 HERCLIENT.CISCO.COM Y ACT/SESS 327904E 22 21 0:0:66 VINDG006 HISCLIENT.CISCO.COM Y ACT/NA 327904E 12 12 1:44:47client-ip mask nail-type lu-first lu-last10.20.30.40 screen 1 220.30.40.50 screen 9 10client-name nail-type lu-first lu-lastMYCLIENT.CISCO.COM screen 5 10.CISCO.COM screen 11 15Table 5 describes significant fields in the display.
Related Commands
show extended channel tn3270-server security
To display information about the TN3270 security enhancement, use the show extended channel tn3270-server security EXEC command.
show extended channel slot/virtual channel tn3270-server security [[sec-profile profilename] [listen-point ipaddress [tcp-port number]]]
Syntax Description
Defaults
The default tcp-port value is 23.
Command Modes
EXEC
Command History
Usage Guidelines
There is not a no form for this command.
Examples
The following is sample output from the show extended channel tn3270-server security command with the optional Sec-profile keyword configured:
Router# show extended channel 3/2 tn3270-server security sec-profile cert40status:ENABLE Default Profile: (Not Configured)Name Active LUs keylen encryptorder MechanismCERT40 0 40 RC4 RC2 RC5 DES 3DES SSLServercert:slot0:coach188.pemCertificate Loaded:YES Default-Profile:NOThe following is sample output from the show extended channel tn3270-server security command with the optional listen-point keyword configured:Router# show extended channel 3/2 tn3270-server security listen-point 172.18.5.188status:ENABLE Default Profile: (Not Configured)IPaddress tcp-port Security-Profile active-sessions Type State172.18.5.188 23 CERT40 0 Secure ACTIVEActive Sessions using Deleted Profile:0Table 6 describes significant fields in the display.
Related Commands
sec-profile
Specifies the security profile to be associated with a listen-point.
listen-point
Defines an IP address for the TN3270 server.
Glossary
DHCP—Dynamic Host Configuration Protocol (RFC 2131). DHCP clients obtain thier IP address assignments and other configuration information from DHCP servers.
DNS—Domain Name System. System used for translating names of network nodes into addresses.
SSL—Secure Sockets Layer. Encryption technology for the web, used to provide secure transactions.
DES—Data Encryption Standard. Standard cryptographic algorithm developed by the U.S. National Bureau of Standards.
RC2—A proprietary encryption algorithm provided by RSA Security. RC2 is a block encryption algorithm which supports keys that are from 1 to 128 bytes in length.
RC4—A proprietary encryption algorithm provided by RSA Security. RC4 provides 40 and 128 bit encryption.
TLS—Transport Layer Security (RFC 2246). An open standard version of SSL.
DDDLU—Dynamic Definition of Dependent LU. A feature of VTAM that allows LUs to be created as needed and not be predefined under a switched PU. The CIP TN3270 server supports DDDLU.
Direct PU—A PU 2 that has its own LLC2 link to the owning VTAM. Several direct PUs can share a local SAP, but each must have a unique local/remote MAC/SAP quadruple.
DLUR—Dependent LU Requester. A feature of APPN that allows traditional 3270 traffic to be routed over the APPN network. The DLUR feature in the CIP creates an LU 6.2 session (pipe) with DLUS (Dependent LU Server) in VTAM (VTAM version 4R2 or higher). DLUR is defined as a separate switched PU to VTAM. All 3270 session control traffic (SSCP-to-PU and SSCP-to-LU) flows over this DLUR-DLUS pipe. Session data traffic, however, can be routed directly from LU to LU using APPN routing. The CIP DLUR is implemented as an APPN end node (EN).
DLUR PU—A PU 2 that uses the DLUR-DLUS pipe to send and receive all session control traffic. It does not use its own source SAP because it uses the DLUR SAP. Similarly, it does not have its own LLC session to the mainframe gateway because it rides on top of the DLUR LLC link.
LU deletion—A feature of the TN3270 server in Cisco IOS release 12.0(5)T that allows you to specify whether the TN3270 server sends a REPLY-PSID poweroff request to VTAM to delete an LU when a client disconnects.
LU nailing—A method by which you can associate a client's connection request with a specific LU. In Cisco IOS release 12.0(5)T, LU nailing is extended to support association of LU pools with a particular client IP address.
LU pool—A group of LUs that can contain logical clusters to establish relationships between screen and printer LUs.
LU termination—A feature of the TN3270 server in Cisco IOS release 12.0(5)T that supports SNA's TERMSELF RU, which allows the TN3270 server to order termination of all sessions and session requests associated with an LU when users turn off their device or disconnect from the server.
NMVT—Network Management Vector Transport. An SNA message consisting of a series of vectors conveying network management information.
REPLY-PSID—Request sent to VTAM for a particular product-set identification (PSID). The PSID is used in SNA to identify the hardware and software products that implement a network component.
Siftdown command—Command with values that are applied down through several levels of configuration and are optionally altered at each configuration level.
TERMSELF RU—An SNA request/response unit that forces termination of all sessions and session requests associated with an LU.
TFTP—Trivial File Transfer Program (RFC 1350). TFTP clients obtain files from TFTP servers without the use of client authentication (username and password).
VTAM—Virtual Telecommunications Access Method. Set of programs that control communications between SNA logical units. VTAM controls data transmission between mainframes and attached devices and performs SNA routing functions. VTAM is now a component of communications server for OS/390 (CS/390).
