
Cisco IOS Software Releases 12.1 T

TN3270 Server Connectivity Enhancements

Table Of Contents

TN3270 Server Connectivity Enhancements

Feature Overview

Dynamic LU Naming

Inverse DNS Nailing

SSL Encryption Support

Benefits

Restrictions

Related Features and Technologies

Related Documents

Supported Platforms

Supported Standards, MIBs, and RFCs

Prerequisites

Router Prerequisites

Mainframe prerequisites

Configuration Tasks

Configuring Dynamic LU Naming

Configuring a Listen-Point PU to Define DLUR PUs using Dynamic LU Naming

Configuring a Listen-Point PU to Define Direct PUs using Dynamic LU Naming

Configuring Inverse DNS Nailing

Nailing Clients to Pools by IP Address

Nailing Clients to Pools by Device Name

Nailing Clients to Pools by Device Name using a Domain ID

Nailing Clients to Pools by Domain Name

Nailing Clients to Pools by Domain Name Using a Domain ID

Configuring SSL Encryption Support

Obtaining Server Digital Certificate from Certificate Authority

Load Server Digital Certificate onto the flash of the TN3270 router

Configuring Security

Configuring the Profile

Configuring the Default Profile

Configuring a Listen Point for Security

Verifying TN3270 Server Connectivity Enhancements

Troubleshooting Tips

Monitoring and Maintaining TN3270 Server Connectivity Enhancements

Configuration Examples

Dynamic LU Naming Example

Inverse DNS Nailing Examples

SSL Encryption Support Examples

Command Reference

certificate reload

client pool

default-profile

disable (TN3270)

domain-id

enable (TN3270)

encryptorder

keylen

lu deletion

profile

pu dlur (listen-point)

sec-profile

security (TN3270)

servercert

show extended channel tn3270-server client-name

show extended channel tn3270-server nailed-domain

show extended channel tn3270-server nailed-name

show extended channel tn3270-server pu

show extended channel tn3270-server security

Glossary


TN3270 Server Connectivity Enhancements


This feature module describes the TN3270 Server Connectivity Enhancements feature. It includes information on the overview and benefits of the new feature, configuration tasks, configuration examples, and new and modified commands.

This document contains the following sections:

Feature Overview

Supported Platforms

Supported Standards, MIBs, and RFCs

Prerequisites

Configuration Tasks

Configuration Examples

Command Reference

Glossary

Feature Overview

The TN3270 Server Connectivity Enhancements feature in Cisco IOS Release 12.1(5)T contains several TN3270 server configuration enhancements, which are described in this document:

Dynamic LU Naming

Inverse DNS Nailing

SSL Encryption Support

Dynamic LU Naming

The Dynamic LU Naming enhancement allows the user to configure named logical units (LUs) from the TN3270 server side. This enhancement allows the TN3270 server to pass an LU name to the Virtual Telecommunications Access Method (VTAM) software running on the mainframe and have VTAM dynamically create an LU with that name. The LU name is then sent to the mainframe as part of subvector 86 in the Reply PSID NMVT power-on frame. The TN3270 client can connect to any of the available TN3270 servers and the selected server can request a specific LU name for the client. In addition, the LU naming conventions have been modified to allow for more flexibility when specifying lu-seed names.

Inverse DNS Nailing

The Inverse DNS Nailing enhancement enables the TN3270 server to nail a pool of LUs to client machine names or to an entire domain. This enhancement allows dynamic IP addressing on the TN3270 client machines. Dynamic addressing is used both in network designs such as a Dynamic Host Configuration Protocol (DHCP) environment and in individual situations, for example when a machine is moved and needs a new network address.

The Cisco IOS software inverse nailing support uses the Domain Name System (DNS) in routers to look up the symbolic name associated with a client IP address. The TN3270 server uses this symbolic name to assign a predefined LU pool for the user. This eliminates the need for nailed TN3270 clients to have statically defined IP addresses. If you configure inverse DNS nailing on the TN3270 server, you do not need to modify the DNS nailing statements in the router configuration.

SSL Encryption Support

The SSL Encryption Support enhancement allows TN3270 clients and servers to negotiate authentication and encryption schemes using the Secure Socket Layer (SSL) technology. The TN3270 server uses SSL version 3.0 to establish secure sessions.

Benefits

This section describes the benefits of the TN3270 server feature enhancements introduced in Cisco IOS Release 12.1(5)T.

Dynamic LU Naming

Gives user more control over LU naming from the server side

Avoids duplicate LU names without requiring manual configuration on the mainframe and router

Minimizes VTAM configuration

Offers more flexibility due to modified LU naming convention

Inverse DNS Nailing

Eliminates the need for nailed TN3270 clients to have statically defined IP addresses

Enables the TN3270 server to connect with client machine names instead of IP addresses only

Allows the TN3270 server to work in a DHCP environment

Enables client nailing by machine name and/or by client domain.

SSL Encryption Support


Note Only SSL 3.0 is supported


Provides confidential connections. Session partners can securely send messages.

Authenticates the message. The partner receiving a message can determine the message's origin.

Ensures integrity of messages in the data stream.

Ensures non-repudiation. A message sender cannot falsely deny sending the message.

Restrictions

Dynamic LU Naming

You must replace the default exit ISTEXCSD with the VTAM User Exit for TN3270 Name Pushing, which you can download from the IBM website: http://www.ibm.com. This exit causes VTAM to ignore the LUSEED parameter on the PU statement, and instead use the SLU name sent by the router in the subvector 86 when a client connects in. If you do not configure this exit, VTAM ignores the subvector 86 and the specified LU name.

If you specify the LUSEED operand for the PU definition in VTAM and the subvector 86 specifies an LU name, the VTAM User Exit for TN3270 Name Pushing ignores the LUSEED operand.

If you do not specify the LUSEED operand for the PU definition in VTAM, and the subvector 86 is not present, then the VTAM User Exit for TN3270 Name Pushing cannot generate an LU name. VTAM does not log this failure, and the TN3270 server does not receive the ACTLU request. The TN3270 server displays the following message:

*Apr 17 12:40:53:%CIP2-3-MSG:slot2 :
%TN3270S-3-NO_DYN_ACTLU_REQ_RCVD
  No ACTLU REQ received on LU JJDL1.6

Inverse DNS Nailing

If there are legacy and inverse DNS nailing statements, the inverse DNS nailing statements take precedence. The TN3270 server attempts an inverse DNS lookup before it checks for any legacy nailing configuration.

Cisco Systems, Inc. strongly recommends that users configure inverse DNS nailing on a PU that does not support generic LUs or a PU that has the generic-pool command configured with the deny keyword specified.

SSL Encryption Support

You must be running an IOS image with IPSec support. The strength of the SSL encryption support on the TN3270 server is determined by the strength of the IPSec image.

Related Features and Technologies

The TN3270 Server Connectivity Enhancements feature is an enhancement to the existing TN3270 server feature that is documented in the "TN3270 Server" chapters of the Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.1 and the Cisco IOS Bridging and IBM Networking Command Reference, Volume II, Release 12.1.

Inverse DNS Nailing

Domain Name System (DNS) technology

SSL Encryption Support

Secure Socket Layer (SSL) technology

Related Documents

Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.1

Cisco IOS Bridging and IBM Networking Command Reference, Volume II, Release 12.1

Supported Platforms

Router Requirements

The TN3270 Server Connectivity features are supported on the following router platforms:

Cisco 7500 series—Supports CIP adapters

Cisco 7200 series—Supports the ECPA and PCPA adapters

Cisco 7000 series with RSP7000—Supports CIP adapters

You must configure the TN3270 server features on the virtual interface of a CMCC adapter. For a CIP, the virtual interface is port 2. For the CPA adapters, ECPA and PCPA, the virtual interface is port 0.

Supported Standards, MIBs, and RFCs

Standards

No new or modified standards are supported by this feature.

MIBs

No new or modified MIBs are supported by this feature.

For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB website on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.

RFCs

No new or modified RFCs are supported by this feature.

Prerequisites

This section describes the prerequisites of the TN3270 server feature enhancements introduced in Cisco IOS Release 12.1(5)T. These are divided into router and mainframe prerequisites and then grouped by software (for example, microcode and VTAM) or feature (for example, SSL Encryption Support).

Router Prerequisites

Microcode prerequisites

The Cisco TN3270 server consists of a system image and a microcode image virtually bundled as one combined image. The following versions of hardware microcode are supported for the TN3270 Server Connectivity Enhancements feature on the CIP and CPA in Cisco IOS Release 12.1(5)T:

CIP hardware microcode—CIP28-1 and later.

CPA hardware microcode—XCPA28-1 and later.

For additional information about what is supported in the various releases of the Cisco IOS software and the CIP microcode, see the information on Cisco Connection Online (CCO).

Inverse DNS Nailing

To use inverse DNS Nailing on the TN3270 server, you must specify which DNS servers are required to resolve the TN3270 server client IP addresses. To specify the DNS servers, use the following commands:

ip domain-lookup

ip domain-name

ip name-server

SSL Encryption Support

You must be running an IOS image with IPSec support. The strength of the SSL encryption support on the TN3270 server is determined by the strength of the IPSec image.

A server digital certificate loaded on the TN3270 router is required to support the TN3270 Server Security Enhancement.

Mainframe prerequisites

VTAM prerequisites

Mainframe hosts using Systems Network Architecture (SNA) with the TN3270 server must be running VTAM V4R2 or later.


Note You can use VTAM V3R4, but DLUR operation is not supported in V3R4 and proper DDDLU operation may require program temporary fixes (PTFs) to be applied to VTAM.


Dynamic LU Naming

The TN3270 server creates and deletes LUs dynamically on VTAM by sending Reply PSID poweron and Reply PSID poweroff messages when the named LU is connected and disconnected. In order to properly delete the dynamically created LUs, the following APARs should be applied to VTAM:

OW41274

OW41686

OW40315

You must replace the default exit ISTEXCSD with the VTAM User Exit for TN3270 Name Pushing, which you can download from the IBM website: http://www.ibm.com. This exit causes VTAM to ignore the LUSEED parameter on the PU statement, and instead use the SLU name sent by the router in the subvector 86 when a client connects in. If you do not configure this exit, VTAM ignores the subvector 86 and the specified LU name.

Configuration Tasks

The following sections describe configuration tasks for the TN3270 Server Connectivity Enhancements feature:

Configuring Dynamic LU Naming

Configuring Inverse DNS Nailing

Configuring SSL Encryption Support

See the "Configuration Examples" section for sample configurations.

For a complete description of the new or modified TN3270 Server commands in this feature module, refer to the "Command Reference" section. For a complete description of the rest of the TN3270 Server commands in this feature module, refer to the "TN3270 Server Commands" chapter in the Cisco IOS Bridging and IBM Networking Command Reference, Volume II, Release 12.1.

Configuring Dynamic LU Naming

Perform the tasks in the following sections to configure dynamic LU naming according to the type of PU:

Configuring a Listen-Point PU to Define DLUR PUs using Dynamic LU Naming

Configuring a Listen-Point PU to Define Direct PUs using Dynamic LU Naming

Mainframe Configuration Notes

You must replace the default exit ISTEXCSD with the VTAM User Exit for TN3270 Name Pushing, which you can download from the IBM website: http://www.ibm.com. This exit causes VTAM to ignore the LUSEED parameter on the PU statement, and instead use the SLU name sent by the router in the subvector 86 when a client connects in. If you do not configure this exit, VTAM ignores the subvector 86 and the specified LU name.

If you specify the LUSEED operand for the PU definition in VTAM and the subvector 86 specifies an LU name, the VTAM User Exit for TN3270 Name Pushing ignores the LUSEED operand.

If you do not specify the LUSEED operand on the mainframe, and the subvector 86 is not present, then the VTAM User Exit for TN3270 Name Pushing cannot generate an LU name. VTAM does not log this failure, and the TN3270 server does not receive the ACTLU request.

Configuring a Listen-Point PU to Define DLUR PUs using Dynamic LU Naming

To configure a listen-point PU on the internal LAN interface on the CMCC adapter, and to define DLUR PUs using dynamic LU naming, use the following commands beginning in TN3270 configuration mode.

 
Command
Purpose

Step 1 

Router(cfg-tn3270)# listen-point ip-address [tcp-port [number]]

Specifies the IP address and TCP port number to create a listen point. The default TCP port number is 23. This command changes the configuration mode from TN3270 to listen-point.

Step 2 

Router(tn3270-lpoint)# pu pu-name idblk-idnum dlur [lu-seed lu-name-stem]

Creates a DLUR PU and enters listen-point PU configuration mode.

The lu-seed optional keyword specifies the LU name that the client uses when a specific LU name request is needed.

Step 3 

Router(tn3270-lpoint-pu)# lu deletion {always | normal | non-generic | never | named}

Specifies whether the TN3270 server sends a REPLY-PSID poweroff request to VTAM to delete the corresponding LU when a client disconnects.

Note You must specify the named option when configuring dynamic LU naming on the PU.

When you use the pu command, you enter listen-point PU configuration mode and can use all other commands in this task list. Values that you enter for siftdown commands (such as the lu deletion command) in listen-point PU configuration mode will override values that you previously entered in listen-point or TN3270 server configuration mode. For more information about configuring siftdown commands, see the "Configuring TN3270 Siftdown Commands" section in the "Configuring TN3270 Server" chapter in the Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.1.


Note This task table focuses on configuring the Dynamic LU Naming enhancement only. For more complete TN3270 server configuration task information, see the "Configuring TN3270 Server" chapter in the Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.1.


Configuring a Listen-Point PU to Define Direct PUs using Dynamic LU Naming

To configure a listen-point PU on the internal LAN interface on the CMCC adapter and configure direct PUs using dynamic LU naming, use the following commands beginning in listen-point configuration mode.

 
Command
Purpose

Step 1 

Router(cfg-tn3270)# listen-point ip-address [tcp-port [number]]

Specifies the IP address and TCP port number to create a listen point. The default TCP port number is 23. This command changes the configuration mode from TN3270 to listen-point.

Step 2 

Router(tn3270-lpoint)# pu pu-name idblk-idnum type adapter-number lsap [rmac rmac] [rsap rsap] [lu-seed lu-name-stem]

Creates a direct PU and enters listen-point PU configuration mode.

The lu-seed optional keyword specifies the LU name that the client uses when a specific LU name request is needed.

Step 3 

Router(tn3270-lpoint-pu)# lu deletion {always | normal | non-generic | never | named}

Specifies whether the TN3270 server sends a REPLY-PSID poweroff request to VTAM to delete the corresponding LU when a client disconnects.

Note You must specify the named option when configuring dynamic LU naming on the PU.

When you use the pu command, you enter listen-point PU configuration mode and can use all other commands in this task list. Values that you enter for siftdown commands (such as the lu deletion command) in listen-point PU configuration mode will override values that you previously entered in listen-point or TN3270 server configuration mode. For more information about configuring siftdown commands, see the "Configuring TN3270 Siftdown Commands" section in the "Configuring TN3270 Server" chapter in the Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.1.


Note This task table focuses on configuring the Dynamic LU Naming enhancement only. For more complete TN3270 server configuration task information, see the "Configuring TN3270 Server" chapter in the Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.1.


Configuring Inverse DNS Nailing

Perform the tasks in the following sections to configure the different methods of the Inverse DNS Nailing feature:

Nailing Clients to Pools by IP Address

Nailing Clients to Pools by Device Name

Nailing Clients to Pools by Device Name using a Domain ID

Nailing Clients to Pools by Domain Name

Nailing Clients to Pools by Domain Name Using a Domain ID


Note You can configure Inverse DNS Nailing five different ways by using the same commands. This task table section presents the five different configuration methods as separate task tables.



Note These task tables focus on configuring the Inverse DNS Nailing enhancement. For more complete TN3270 server configuration task information, see the "Configuring TN3270 Server" chapter in the Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.1.



Note Use the domain-id command only when you are going to configure the client pool command with the name keyword and DNS-domain-identifier option specified or with the domain-id keyword specified.


Nailing Clients to Pools by IP Address

To nail a client to a pool of LUs by IP address, use the following commands beginning in TN3270 configuration mode.

 
Command
Purpose

Step 1 

Router(cfg-tn3270)# listen-point ip-address [tcp-port [number]]

Specifies the IP address and TCP port number to create a listen point. The default TCP port number is 23. This command changes the configuration mode from TN3270 to listen-point.

Step 2 

Router(tn3270-lpoint)# client ip ip-address [ip-mask] pool poolname

Nails a client located at the IP address to a pool.

Nailing Clients to Pools by Device Name

To nail a client to a pool of LUs by device name, use the following commands beginning in TN3270 configuration mode.

 
Command
Purpose

Step 1 

Router(cfg-tn3270)# listen-point ip-address [tcp-port [number]]

Specifies the IP address and TCP port number to create a listen point. The default TCP port number is 23. This command changes the configuration mode from TN3270 to listen-point.

Step 2 

Router(tn3270-lpoint)# client name DNS-name pool poolname

Nails a client located at the DNS device name to a pool.

Nailing Clients to Pools by Device Name using a Domain ID

To nail a client to a pool of LUs by device name using a domain id, use the following commands beginning in TN3270 configuration mode.

 
Command
Purpose

Step 1 

Router(cfg-tn3270)# domain-id DNS-domain-identifier DNS-domain

(Optional) Specifies a domain name suffix to be appended to the configured machine names to form a fully qualified name.

Step 2 

Router(cfg-tn3270)# listen-point ip-address [tcp-port [number]]

Specifies the IP address and TCP port number to create a listen point. The default TCP port number is 23. This command changes the configuration mode from TN3270 to listen-point.

Step 3 

Router(tn3270-lpoint)# client name DNS-name DNS-domain-identifier pool poolname

Nails a client located at the DNS device name, qualified with the domain suffix of the specified domain identifier, to a pool.

Nailing Clients to Pools by Domain Name

To nail a client to a pool of LUs by domain name, use the following commands beginning in TN3270 configuration mode.

 
Command
Purpose

Step 1 

Router(cfg-tn3270)# listen-point ip-address [tcp-port [number]]

Specifies the IP address and TCP port number to create a listen point. The default TCP port number is 23. This command changes the configuration mode from TN3270 to listen-point.

Step 2 

Router(tn3270-lpoint)# client domain-name DNS-domain pool poolname

Nails a client located at the domain-name to a pool.

Nailing Clients to Pools by Domain Name Using a Domain ID

To nail a client to a pool of LUs by domain name using a domain id, use the following commands beginning in TN3270 configuration mode.

 
Command
Purpose

Step 1 

Router(cfg-tn3270)# domain-id DNS-domain-identifier DNS-domain

(Optional) Specifies a domain name suffix to be appended to the configured machine names to form a fully qualified name.

Step 2 

Router(cfg-tn3270)# listen-point ip-address [tcp-port [number]]

Specifies the IP address and TCP port number to create a listen point. The default TCP port number is 23. This command changes the configuration mode from TN3270 to listen-point.

Step 3 

Router(tn3270-lpoint)# client domain-id DNS-domain-identifier pool poolname

Nails a client located at the domain-id to a pool.

Configuring SSL Encryption Support

Perform the tasks in the following sections to configure the SSL Encryption feature:

Obtaining Server Digital Certificate from Certificate Authority

Load Server Digital Certificate onto the flash of the TN3270 router

Configuring Security (Required)

Configuring the Profile (Required)

Configuring the Default Profile (Optional)

Configuring a Listen Point for Security (Optional)

Obtaining Server Digital Certificate from Certificate Authority

In order to obtain a server digital certificate, first create a Certificate Signing Request (see the Readme.csr file).

The certificate must be in PEM or Base64 format.

Once you obtain the server digital certificate from a CA such as Verisign, append the private key file onto the end of the digital certificate.

Load Server Digital Certificate onto the flash of the TN3270 router

The digital certificate must be copied to the flash card on the TN3270 router, for example:

copy tftp:servercert.pem slot0:
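The certificate file the servercert command reads must be PEM (Base64) with the private key file appended after the certificate. The following added check (not Cisco's code) verifies that layout before the file is copied to flash; the sample file contents are constructed placeholders, not real certificate or key material.

```python
"""Structural check of a servercert PEM file before it is copied to flash.

Added example, not Cisco's code. The feature module requires the server
certificate in PEM (Base64) form with the private key file appended after it;
this function checks that layout and that each block decodes as Base64. The
sample file contents below are constructed placeholders, not a real
certificate or key.
"""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def check_servercert(text: str) -> list:
    """Return problems found in the file text; an empty list means the layout is as required."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM blocks found: the certificate must be in PEM/Base64 format, not DER"]
    problems = []
    labels = [label for label, _ in blocks]
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                      # binascii.Error is a ValueError
            problems.append(f"{label} block body is not valid Base64")
    if labels[0] != "CERTIFICATE":
        problems.append(f"first block is {labels[0]}, expected CERTIFICATE")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no PRIVATE KEY block: append the private key file after the certificate")
    elif not labels[-1].endswith("PRIVATE KEY"):
        problems.append("the PRIVATE KEY block must be the last block, after the certificate")
    return problems


def _pem(label: str, payload: bytes) -> str:
    """Wrap constructed placeholder bytes in a PEM block."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"


# Constructed sample contents (placeholders, not DER-encoded X.509 or key material).
CERT_BLOCK = _pem("CERTIFICATE", b"constructed certificate placeholder")
KEY_BLOCK = _pem("RSA PRIVATE KEY", b"constructed private key placeholder")
GOOD_FILE = CERT_BLOCK + KEY_BLOCK          # certificate first, key appended: as required
CERT_ONLY = CERT_BLOCK                      # the private key was never appended
KEY_FIRST = KEY_BLOCK + CERT_BLOCK          # appended in the wrong order

if __name__ == "__main__":
    for name, content in (("GOOD_FILE", GOOD_FILE), ("CERT_ONLY", CERT_ONLY), ("KEY_FIRST", KEY_FIRST)):
        print(name, "->", check_servercert(content) or "OK")
```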

Configuring Security

To configure security on the TN3270 server, use the following command beginning in TN3270 server configuration mode:

Command
Purpose

Router(cfg-tn3270)# security

Enables security on the TN3270 server and enters TN3270 security configuration mode.


Enabling and Disabling Security

To enable and disable security on the TN3270 server, use the following commands beginning in TN3270 security configuration mode:

Command
Purpose

Router(tn3270-security)# enable

(Optional) Enables security in the TN3270 server.

Router(tn3270-security)# disable

(Optional) Disables the security feature in the TN3270 server.


Configuring the Profile

To configure a security profile on the TN3270 server, use the following command beginning in TN3270 security configuration mode:

Command
Purpose

Router(tn3270-security)# profile profilename {ssl | none}

Specifies a name and a security protocol for a security profile.


Configuring the Profile Options

To configure the security profile options, use the following commands beginning in TN3270 profile configuration mode:

Command
Purpose

Router(tn3270-sec-profile)# keylen {40 | 128}

Specifies the maximum bit length for the session encryption key for the TN3270 server.

Router(tn3270-sec-profile)# encryptorder [DES] [3DES] [RC4] [RC2] [RC5]

Specifies the encryption algorithm for the TN3270 SSL Encryption Support.

Router(tn3270-sec-profile)# servercert location

Specifies the location of the TN3270 server's security certificate in the flash memory. This command reads the security certificate from the specified location.

Router(tn3270-sec-profile)# certificate reload

(Optional) Reads the profile security certificate from the file specified in the servercert command.


Configuring the Default Profile

To configure the default security profile name to be applied to the listen-points, use the following command beginning in TN3270 security configuration mode:


Note The profile command must be specified before configuring a default-profile.


Command
Purpose

Router(tn3270-security)# default-profile profilename

Specifies the name of the profile to be applied to the listen-points by default.


Configuring a Listen Point for Security

To configure a listen-point for security, use the following command beginning in TN3270 listen-point configuration mode:


Note This task table focuses on configuring a listen-point in the SSL Encryption Support enhancement. For more complete TN3270 server configuration task information, see the "Configuring TN3270 Server" chapter in the Cisco IOS Bridging and IBM Networking Configuration Guide, Release 12.1.



Note The sec-profile command is optional if the default-profile command has been configured.


Command
Purpose

Router(tn3270-lpoint)# sec-profile profilename

Specifies the security profile to be associated with a listen-point.


Verifying TN3270 Server Connectivity Enhancements

Verifying Dynamic LU Naming on the TN3270 server

Complete the following steps to verify the Dynamic LU Naming enhancement:


Step 1 Issue the show extended channel tn3270-server command. Confirm that lu-deletion is set to named.

Router# show extended channel 3/2 tn3270-server

<current stats> < connection stats >  <response time(ms)>
server-ip:tcp        lu in-use   connect disconn fail   host     tcp
172.28.1.106:23     510     1       12       11     0     54     40
172.28.1.107:23     511     0        0        0     0      0      0
172.28.1.108:23     255     0        0        0     0      0      0
total              1276     1
configured max_lu 20000
idle-time    0           keepalive 1800      unbind-action disconnect  
tcp-port   23            generic-pool permit no timing-mark
lu-termination unbind lu-deletion named

Step 2 To verify that dynamic LU naming is configured on the TN3270 server, issue the show extended channel tn3270-server pu command. Confirm that lu-deletion is set to named.

Router# show extended channel 6/2 tn3270-server pu pu1

name(index)    ip:tcp               xid   state     link   destination r-lsap
PU1(1)       172.18.4.18:23      91903315 ACTIVE    dlur   NETA.SHPU1

idle-time    0      keepalive 1800      unbind-act discon   generic-poolperm
ip-preced-screen 0 ip-preced-printer 0 ip-tos-screen  0 ip-tos-printer 0
lu-termination unbind lu-deletion named

Verifying Inverse DNS Nailing on the TN3270 server

Complete the following steps to verify the Inverse DNS Nailing enhancement:


Step 1 To list all nailing statements with a specific nailed-domain name, issue the show extended channel tn3270-server nailed-domain command.

Router# show extended channel 1/2 tn3270-server nailed-domain .cisco.com
CISCO.COM listen-point 172.18.4.18  pool PCPOOL

Step 2 To list all nailing statements with a specific nailed machine name, issue the show extended channel tn3270-server nailed-name command.

Router# show extended channel 1/2 tn3270-server nailed-name myclient.cisco.com
MYCLIENT.CISCO.COM     listen-point 172.18.4.18  pool PCPOOL
HISCLIENT.CISCO.COM    listen-point 172.18.4.18  pool UNIXPOOL
HERCLIENT.CISCO.COM    listen-point 172.18.4.19  pool GENERALPOOL


Verifying SSL Encryption Support on the TN3270 server

Complete the following steps to verify the SSL Encryption Support enhancement:


Step 1 To verify the security profile on the TN3270 server, issue the show extended channel tn3270-server security command using the sec-profile option. Confirm that the status is enabled (status: ENABLE), and that the security certificate is loaded (Certificate Loaded: YES).

Router# show extended channel 3/2 tn3270-server security sec-profile cert40
status:ENABLE Default Profile: (Not Configured)
Name               Active LUs  keylen encryptorder            Mechanism
CERT40                    0     40    RC4 RC2 RC5 DES 3DES    SSL
Servercert:slot0:coach188.pem
Certificate Loaded:YES				 Default-Profile:NO

Step 2 To verify the security profile on the TN3270 server listen-point, issue the show extended channel tn3270-server security command using the listen-point option. Confirm that the status is enabled (status: ENABLE) and that the state is active (State ACTIVE).

Router# show extended channel 3/2 tn3270-server security listen-point 172.18.5.188
status:ENABLE Default Profile: (Not Configured)
IPaddress      tcp-port   Security-Profile   active-sessions  Type    State
172.18.5.188    23        CERT40               0              Secure  ACTIVE
Active Sessions using Deleted Profile:0

Troubleshooting Tips

Dynamic LU Naming

You must replace the default exit ISTEXCSD with the VTAM User Exit for TN3270 Name Pushing, which you can download from the IBM website: http://www.ibm.com. This exit causes VTAM to ignore the LUSEED parameter on the PU statement, and instead use the SLU name sent by the router in the subvector 86 when a client connects in. If you do not configure this exit, VTAM ignores the subvector 86 and the specified LU name.

If the LUSEED operand is specified on the mainframe, but the subvector 86 specifies an LU name, the VTAM User Exit for TN3270 Name Pushing ignores the LUSEED operand.

If the LUSEED operand is not specified on the mainframe, and the subvector 86 is not present, then the VTAM User Exit for TN3270 Name Pushing cannot generate an LU name. VTAM does not log this failure, and the TN3270 server does not receive the ACTLU request. The TN3270 server displays the following message:

*Apr 17 12:40:53:%CIP2-3-MSG:slot2 :
%TN3270S-3-NO_DYN_ACTLU_REQ_RCVD
  No ACTLU REQ received on LU JJDL1.6

Specify the INCLUD0E=YES parameter on VTAM so that the TN3270 server will always receive the LU name generated by the VTAM exit.

Inverse DNS Nailing

If an inverse DNS lookup fails, it could be because the DNS server is unavailable (either because it was not configured, or because it is down). In this case, you cannot tell if the client is nailed because it does not have a name. To complicate the scenario, assume there was no legacy nailing match, but the PU supports LUs that have been assigned from a generic pool. In this situation, the client will disconnect and the router will display the following console message:

A connection attempt from client <ip address> was refused because its DNS name could not be obtained.

This action removes any potential security risk but presents potential disadvantages—the client could be denied a valid LU, and the generic-pool permit and deny settings may be ignored. For these reasons, it is strongly recommended that users configure the Inverse DNS Nailing enhancement on a PU that does not support LUs that have been assigned from a generic pool, or a PU that has the generic-pool command configured with the deny keyword specified.

If an inverse DNS lookup succeeds, but the name is not nailed or the client has no machine name, then the client is not nailed and the TN3270 server reverts to the legacy LU nailing process.
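The decision sequence described in this section and in the Restrictions (inverse DNS nailing statements first, legacy IP nailing second, and a refused connection when the lookup fails on a PU with generic-pool permit) is modelled in the following added example. It is not Cisco's code; the reverse-DNS table, client addresses, names and pool names are constructed.

```python
"""Simulated client-to-pool decision for TN3270 inverse DNS nailing.

Added example, not Cisco's code. It models the precedence the feature module
describes (inverse DNS nailing statements first, legacy IP nailing second)
and the behaviour when the DNS lookup fails on a PU that permits generic-pool
LUs. The reverse-DNS table, addresses, names and pools are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-in for the ip name-server lookups the router would perform.
REVERSE_DNS = {
    "10.1.1.5": "myclient.cisco.com",
    "10.1.1.6": "box7.unix.cisco.com",
    "10.1.2.9": "laptop.other.example",
}


@dataclass
class ListenPoint:
    """client ... pool statements under one listen-point, plus the PU's generic-pool setting."""
    domain_ids: dict = field(default_factory=dict)     # domain-id <identifier> <DNS-domain>
    client_name: dict = field(default_factory=dict)    # FQDN -> pool            (client name ...)
    client_domain: dict = field(default_factory=dict)  # ".suffix" -> pool       (client domain-name / domain-id ...)
    client_ip: list = field(default_factory=list)      # [(network, pool)]       (legacy client ip ...)
    generic_pool_permit: bool = True                   # generic-pool permit | deny


def nail_client_name(lp: ListenPoint, name: str, pool: str, domain_id: Optional[str] = None) -> None:
    """client name DNS-name [DNS-domain-identifier] pool poolname"""
    fqdn = name if domain_id is None else f"{name}.{lp.domain_ids[domain_id]}"
    lp.client_name[fqdn.upper()] = pool.upper()


def nail_client_domain(lp: ListenPoint, pool: str, domain: Optional[str] = None,
                       domain_id: Optional[str] = None) -> None:
    """client domain-name DNS-domain pool poolname  |  client domain-id identifier pool poolname"""
    suffix = domain if domain is not None else lp.domain_ids[domain_id]
    lp.client_domain["." + suffix.upper().lstrip(".")] = pool.upper()


def reverse_lookup(ip: str, dns_up: bool) -> Optional[str]:
    """Inverse DNS lookup model; None when no name can be obtained."""
    return REVERSE_DNS.get(ip) if dns_up else None


def assign_pool(lp: ListenPoint, client_ip: str, dns_up: bool = True) -> str:
    """Return the pool the client is nailed to, "GENERIC", or a "REFUSED: ..." reason."""
    name = reverse_lookup(client_ip, dns_up)
    if name is not None:
        fqdn = name.upper()
        if fqdn in lp.client_name:                 # exact machine name is checked first
            return lp.client_name[fqdn]
        for suffix, pool in lp.client_domain.items():
            if fqdn.endswith(suffix):              # whole-domain nailing
                return pool
    # No name, or name not nailed: revert to the legacy IP nailing process.
    addr = ip_address(client_ip)
    for net, pool in lp.client_ip:
        if addr in ip_network(net):
            return pool
    if name is None and not dns_up and lp.generic_pool_permit:
        # The lookup failed, so the server cannot tell whether this client is nailed;
        # rather than hand out a generic LU it disconnects the client.
        return (f"REFUSED: A connection attempt from client {client_ip} was refused "
                "because its DNS name could not be obtained.")
    if lp.generic_pool_permit:
        return "GENERIC"
    return "REFUSED: no nailing match and generic-pool deny"


def build_example_listen_point(generic_pool_permit: bool = True) -> ListenPoint:
    """Constructed configuration for one listen-point, mirroring the page's client statements."""
    lp = ListenPoint(domain_ids={"cisco": "cisco.com"}, generic_pool_permit=generic_pool_permit)
    nail_client_name(lp, "myclient", "pcpool", domain_id="cisco")  # client name myclient cisco pool pcpool
    nail_client_domain(lp, "unixpool", domain_id="cisco")          # client domain-id cisco pool unixpool
    lp.client_ip.append(("10.1.2.0/24", "LEGACYPOOL"))             # client ip 10.1.2.0 255.255.255.0 pool legacypool
    return lp


if __name__ == "__main__":
    lp = build_example_listen_point()
    for ip in ("10.1.1.5", "10.1.1.6", "10.1.2.9", "10.9.9.9"):
        print(ip, "->", assign_pool(lp, ip))
    print("10.1.1.5 with DNS down ->", assign_pool(lp, "10.1.1.5", dns_up=False))
```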

Monitoring and Maintaining TN3270 Server Connectivity Enhancements

Dynamic LU Naming

To monitor the status of the Dynamic LU Naming enhancement, use the following commands in EXEC mode:

Command
Purpose

Router# show extended channel tn3270-server

Displays current server configuration parameters and the status of the PUs defined for the TN3270 server.

Router# show extended channel tn3270-server pu client-name

Displays configuration parameters for a PU and all the LUs currently attached to the PU, with the client machine name substituted for the client IP address.


Inverse DNS Nailing

To monitor the status of the Inverse DNS Nailing enhancement, use the following commands in EXEC mode:

Command
Purpose

Router# show extended channel tn3270-server client-name

Displays information about all connected clients with a specific machine name.

Router# show extended channel tn3270-server nailed-domain

Lists all nailing statements with a specific nailed-domain name.

Router# show extended channel tn3270-server nailed-name

Lists all nailing statements with a specific nailed machine name.

Router# show extended channel tn3270-server pu client-name

Displays configuration parameters for a PU and all the LUs currently attached to the PU, with the client machine name substituted for the client IP address.


Configuration Examples

This section provides the following configuration examples:

Dynamic LU Naming Example

Inverse DNS Nailing Examples

SSL Encryption Support Examples

Dynamic LU Naming Example

Router configuration

The following router configuration is an example of the TN3270 server configured with LU pooling. The listen-point defines one direct PU (pu1) and one DLUR PU (pu2), both using dynamic LU naming. Note the following points in the configuration:

The lu deletion command must be configured with the named option.

The PU pu1 is defined with lu-seed abc##pqr. The ## is replaced by the LOCADDR in hexadecimal, so the LU names for this PU are ABC01PQR, ABC02PQR, ABC03PQR, and so on up to ABCFFPQR. Similarly, the PU pu2 is defined with lu-seed pqr###. The ### is replaced by the LOCADDR in decimal, so the LU names for this PU are PQR001, PQR002, and so on up to PQR255.

The pool simple has a cluster layout of 1s (one LU per cluster) and the pool pcpool has a cluster layout of 4s1p (four screens and one printer, five LUs per cluster). The LUs ABC01PQR through ABC32PQR (50 clusters of one LU, LOCADDRs 1 through 50) and PQR100 through PQR199 (100 clusters of one LU) are allocated to the pool simple. The LUs ABC64PQR through ABC95PQR (10 clusters of five LUs, LOCADDRs 100 through 149) and PQR010 through PQR034 (5 clusters of five LUs, LOCADDRs 10 through 34) are allocated to the pool pcpool. The remaining LUs are in the generic pool.

tn3270-server
 pool simple cluster layout 1s
 pool pcpool cluster layout 4s1p
 lu deletion named
 dlur neta.shek neta.mvsd
  lsap tok 15 04
    link she1 rmac 4000.b0ca.0016
 listen-point 172.18.4.18
 pu pu1 91903315 tok 16 08 lu-seed abc##pqr
!
!The following statement allocates LUs ABC01PQR through ABC32PQR to the pool named 
!simple.
!
  allocate lu 1 pool simple clusters 50
!
!The following statement allocates LUs ABC64PQR through ABC95PQR (LOCADDRs 100 through 
!149, 10 clusters of five LUs) to the pool named pcpool.
!
  allocate lu 100 pool pcpool clusters 10
 pu pu2 91913315 dlur lu-seed pqr###
!
!The following statement allocates LUs PQR010 through PQR034 (5 clusters of five LUs) to the pool named pcpool.
!
  allocate lu 10 pool pcpool clusters 5
!
!The following statement allocates LUs PQR100 through PQR199 to the pool named simple.
!
  allocate lu 100 pool simple clusters 100
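The LU names and pool ranges described above can be checked mechanically rather than by hand. The following Python script is an added example, not Cisco IOS code and not part of the original document: it expands an lu-seed the way the text describes (## in hexadecimal, ### in decimal, name in upper case) and walks the allocate lu statements of the configuration to show which names land in which pool and which remain in the generic pool. It assumes, because the page does not state it, that a cluster layout such as 4s1p contributes one LU per screen and per printer and that consecutive clusters take consecutive LOCADDRs; the function names lu_name, cluster_size and pool_membership are chosen here.

```python
"""Expand an lu-seed and work out which LUs each 'allocate lu' statement claims.

Added example, not Cisco IOS code. Naming rule from the page: a two-character
## is replaced by the LOCADDR in hexadecimal, a three-character ### by the
LOCADDR in decimal, and the result is upper case. Assumed (not stated on the
page): a layout such as 4s1p contributes one LU per screen (s) and per printer
(p), and the LUs of consecutive clusters occupy consecutive LOCADDRs.
"""
import re


def lu_name(seed: str, locaddr: int) -> str:
    """Expand an lu-seed such as 'abc##pqr' or 'pqr###' for one LOCADDR."""
    if not 1 <= locaddr <= 255:
        raise ValueError("LOCADDR must be in the range 1..255")
    run = re.search(r"#+", seed)
    if run is None:
        raise ValueError("lu-seed must contain ## or ###")
    width = len(run.group())
    if width == 2:
        digits = f"{locaddr:02X}"   # hexadecimal: 50 -> 32, 255 -> FF
    elif width == 3:
        digits = f"{locaddr:03d}"   # decimal: 50 -> 050
    else:
        raise ValueError("lu-seed must contain exactly ## or ###")
    return (seed[:run.start()] + digits + seed[run.end():]).upper()


def cluster_size(layout: str) -> int:
    """LUs per cluster for a layout such as '1s' or '4s1p' (assumed: s and p count one LU each)."""
    return sum(int(n) for n, _ in re.findall(r"(\d+)([sp])", layout))


def pool_membership(seed: str, layouts: dict, allocations: list) -> dict:
    """Return {pool: [LU names]}; LUs that no statement claims fall into 'generic'.

    layouts maps a pool name to its cluster layout; allocations is a list of
    (start_locaddr, pool, clusters) taken from the 'allocate lu' statements.
    """
    owner = {}
    for start, pool, clusters in allocations:
        count = clusters * cluster_size(layouts[pool])
        for la in range(start, start + count):
            if la > 255:
                raise ValueError(f"allocation starting at {start} runs past LOCADDR 255")
            if la in owner:
                raise ValueError(f"LOCADDR {la} is claimed by both {owner[la]} and {pool}")
            owner[la] = pool
    result = {pool: [] for pool in list(layouts) + ["generic"]}
    for la in range(1, 256):
        result[owner.get(la, "generic")].append(lu_name(seed, la))
    return result


if __name__ == "__main__":
    # The two PUs of the router configuration above.
    layouts = {"simple": "1s", "pcpool": "4s1p"}
    for seed, allocs in (("abc##pqr", [(1, "simple", 50), (100, "pcpool", 10)]),
                         ("pqr###", [(10, "pcpool", 5), (100, "simple", 100)])):
        for pool, names in pool_membership(seed, layouts, allocs).items():
            if names:
                print(f"{seed:9} {pool:8} {len(names):3} LUs  {names[0]} .. {names[-1]}")
```

The overlap check in pool_membership is the part worth keeping in a real configuration review: two allocate lu statements whose ranges collide, or one that runs past LOCADDR 255, are easy to write and hard to spot by reading the hexadecimal names.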

Mainframe configuration

The following mainframe configuration is an example of the VTAM configuration that can be used if the TN3270 server is configured with the Dynamic LU Naming enhancement.

Note PUs are defined with the LUGROUP operand. It is not necessary to specify LUSEED; if the LUSEED operand is specified, it is ignored.



Note You must specify the INCLUD0E=YES parameter on VTAM so that the TN3270 server receives the LU name generated by the VTAM exit.


SWN72022 VBUILD TYPE=SWNET
PU1      PU     ADDR=01,                                            X
                PUTYPE=2,                                           X
                IDBLK=919,                                          X
                IDNUM=03315,                                        X
                INCLUD0E=YES,                                       X
                LUGROUP=MYLUS
*
PU2      PU     ADDR=01,                                            X
                PUTYPE=2,                                           X
                IDBLK=919,                                          X
                IDNUM=13315,                                        X
                INCLUD0E=YES,                                       X
                LUGROUP=MYLUS

Inverse DNS Nailing Examples

Nailing Clients to Pools by Device Name, Domain Name, and Domain ID

The following router configuration combines several forms of the client pool command: a fully qualified device name, a device name with a domain ID, a domain name, and a domain ID. Listen-point 172.18.5.168 nails lucy49.cisco.com and the hosts george, arthur, tyson, and daisy in .yahoo.com (domain ID 20) by name; listen-point 172.18.5.169 nails every client in .cisco.com and every client in .yahoo.com by domain:

tn3270-server
  domain-id 2 .cisco.com
  domain-id 20 .yahoo.com
  pool GENERAL  cluster layout 4s1p
  pool TEST  cluster layout 4s1p
  listen-point 172.18.5.168
   pu T240CA   91922363 token-adapter 31 12 rmac 4000.4000.0001
    allocate lu 1 pool GENERAL  clusters 1
   client name lucy49.cisco.com pool GENERAL
   client name george 20 pool TEST
   client name arthur 20 pool TEST
   client name tyson 20 pool TEST
   client name daisy 20 pool TEST
  listen-point 172.18.5.169
   pu T240CB   91922364 token-adapter 31 12 rmac 4000.4000.0002
    allocate lu 1 pool TEST     clusters 50
   client domain-name cisco.com pool GENERAL
   client domain-id 20 pool TEST 
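The decision the TN3270 server makes for each connecting client, including the failure mode described under Troubleshooting Tips, can be followed with a small simulation. The following Python script is an added example, not Cisco IOS code and not part of the original document. It resolves the client address with an inverse (PTR) lookup against a constructed table, matches the name against the client name, client domain-name and client domain-id statements of the configuration above (with one legacy client ip statement added), and refuses the client when the lookup fails on a PU that still has generic-pool LUs. The precedence it applies (an exact name match before a domain match, longest matching suffix first, case-insensitive) is an assumption, because the page does not spell it out; the names ListenPoint, parse_server and decide are chosen here.

```python
"""Simulate the inverse DNS nailing decision for a connecting client.

Added example, not Cisco IOS code. It models the Troubleshooting Tips
(failed inverse lookup) and the combined nailing example: the client's
address is resolved with an inverse (PTR) lookup and the name is matched
against 'client name' (with or without a domain-id), 'client domain-name'
and 'client domain-id'; 'client ip' is the legacy process. Assumed, not
stated on the page: an exact name match beats a domain match, the longest
matching suffix wins, and matching is case-insensitive.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed PTR table standing in for the DNS server; a missing address behaves
# like a failed lookup (DNS server down or not configured).
PTR_TABLE = {
    "10.1.1.49": "lucy49.cisco.com",
    "10.2.2.7": "george.yahoo.com",
    "10.3.3.3": "printer3.example.net",
}

# Nailing statements of the combined example plus one legacy 'client ip' rule.
CONFIG = """
tn3270-server
  domain-id 2 .cisco.com
  domain-id 20 .yahoo.com
  listen-point 172.18.5.168
   client name lucy49.cisco.com pool GENERAL
   client name george 20 pool TEST
  listen-point 172.18.5.169
   client domain-name cisco.com pool GENERAL
   client domain-id 20 pool TEST
   client ip 10.3.3.0 255.255.255.0 pool OMAHA
"""

def _suffix(domain: str) -> str:
    """Normalise 'cisco.com' and '.cisco.com' to the same suffix form."""
    return "." + domain.lower().lstrip(".")

@dataclass
class ListenPoint:
    domain_ids: dict                 # domain-id number -> suffix (server-wide)
    generic_pool_lus: bool = True    # the PU has LUs in the generic pool
    generic_pool_deny: bool = False  # 'generic-pool deny' is configured
    by_name: dict = field(default_factory=dict)    # fqdn -> pool
    by_domain: dict = field(default_factory=dict)  # suffix -> pool
    by_ip: list = field(default_factory=list)      # (network, pool)

    def add(self, t: list) -> None:
        """Record one tokenised 'client ... pool <name>' statement."""
        pool = t[-1]
        if t[1] == "name":   # 'client name HOST ID' appends the domain-id suffix
            fqdn = t[2] if len(t) == 5 else t[2] + self.domain_ids[int(t[3])]
            self.by_name[fqdn.lower()] = pool
        elif t[1] == "domain-name":
            self.by_domain[_suffix(t[2])] = pool
        elif t[1] == "domain-id":
            self.by_domain[self.domain_ids[int(t[2])]] = pool
        elif t[1] == "ip":   # legacy nailing by address and mask
            self.by_ip.append((ip_network(f"{t[2]}/{t[3]}", strict=False), pool))

def parse_server(config: str, **pu_flags) -> dict:
    """Return the listen-points of a tn3270-server block, keyed by address."""
    domain_ids, points, current = {}, {}, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "domain-id":
            domain_ids[int(t[1])] = _suffix(t[2])
        elif t[0] == "listen-point":
            current = points[t[1]] = ListenPoint(domain_ids, **pu_flags)
        elif t[0] == "client" and current is not None:
            current.add(t)
    return points

def decide(lp: ListenPoint, ip: str) -> tuple:
    """Return (how, pool, console message) for one connecting client."""
    name = PTR_TABLE.get(ip)          # None: the inverse lookup failed
    if name is not None:
        name = name.lower()
        if name in lp.by_name:
            return "nailed-name", lp.by_name[name], ""
        for suffix in sorted(lp.by_domain, key=len, reverse=True):
            if name.endswith(suffix):
                return "nailed-domain", lp.by_domain[suffix], ""
    # No name, or a name that is not nailed: legacy nailing by IP address.
    addr = ip_address(ip)
    for net, pool in lp.by_ip:
        if addr in net:
            return "nailed-ip", pool, ""
    if name is None and lp.generic_pool_lus and not lp.generic_pool_deny:
        # The server cannot tell whether the client is nailed, so it refuses
        # rather than hand out a generic-pool LU; the client is disconnected.
        return "refused", None, (f"A connection attempt from client {ip} was "
                                 "refused because its DNS name could not be obtained.")
    return "not-nailed", None, ""     # legacy LU selection continues

if __name__ == "__main__":
    for addr, lp in parse_server(CONFIG).items():
        for ip in list(PTR_TABLE) + ["10.9.9.9"]:
            print(addr, ip, decide(lp, ip))
```

Running it with generic_pool_deny=True for the listen-point shows the configuration the text recommends: a client whose name cannot be resolved is simply not nailed, instead of being refused with the console message, because there is no generic-pool LU it could be handed by mistake.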

Nailing Clients to Pools by IP Address

The following router configuration shows an example of commands used to define the TN3270 server with LU pools using inverse DNS nailing. In this example, the client pool command is configured with the ip keyword. The command nails the client at IP address 10.1.2.3 with an IP mask of 255.255.255.0 to the pool named OMAHA:

tn3270-server
 pool OMAHA cluster layout 10s1p
 listen-point 172.18.4.18
 client ip 10.1.2.3 255.255.255.0 pool OMAHA

Nailing Clients to Pools by Device Name

The following router configuration shows an example of commands used to define the TN3270 server with LU pools using inverse DNS nailing. In this example the client pool command is configured with the name keyword. The command nails the client with the device name george-isdn29.cisco.com to the pool named GENERAL:

tn3270-server
  pool GENERAL  cluster layout 4s1p
  listen-point 172.18.5.168
   pu T240CA   91922363 token-adapter 31 12 rmac 4000.4000.0001
    allocate lu 1 pool GENERAL  clusters 1
  client name george-isdn29.cisco.com pool GENERAL

Nailing Clients to Pools by Device Name using a Domain ID

The following router configuration shows an example of commands used to define the TN3270 server with LU pools using inverse DNS nailing. In this example the client pool command is configured with the name keyword and the optional DNS-domain-identifier argument; domain ID 23 stands for .cisco.com. The command nails the client with the device name lucy-isdn49.cisco.com to the pool named GENERAL:

tn3270-server
 domain-id 23 .cisco.com
  pool GENERAL  cluster layout 4s1p
  listen-point 172.18.5.168
   pu T240CA   91922363 token-adapter 31 12 rmac 4000.4000.0001
    allocate lu 1 pool GENERAL  clusters 1
 client name lucy-isdn49 23 pool GENERAL

Nailing Clients to Pools by Domain Name

The following router configuration shows an example of commands used to define the TN3270 server with LU pools using inverse DNS nailing. In this example the client pool command is configured with the domain-name keyword. The command nails any client in the domain .cisco.com to the pool named GENERAL:

tn3270-server
  pool GENERAL  cluster layout 4s1p
  listen-point 172.18.5.168
   pu T240CA   91922363 token-adapter 31 12 rmac 4000.4000.0001
    allocate lu 1 pool GENERAL  clusters 1
 client domain-name .cisco.com pool GENERAL

Nailing Clients to Pools by Domain Name Using a Domain ID

The following router configuration shows an example of commands used to define the TN3270 server with LU pools using inverse DNS nailing. In this example the client pool command is configured with the domain-id keyword, and domain ID 23 stands for .cisco.com. The command nails any client in the domain .cisco.com to the pool named GENERAL:

tn3270-server
 domain-id 23 .cisco.com
  pool GENERAL  cluster layout 4s1p
  listen-point 172.18.5.168
   pu T240CA   91922363 token-adapter 31 12 rmac 4000.4000.0001
    allocate lu 1 pool GENERAL  clusters 1
 client domain-id 23 pool GENERAL

SSL Encryption Support Examples

Mainframe configuration

The following mainframe configuration is an example of the VTAM configuration that can be used if the SSL Encryption Support enhancement is configured:

Example PU definitions:
*
BMPU4   PU     ADDR=01,   
               PUTYPE=2,
               LOGAPPL=NETTMVSD,
               LUGROUP=BMCL13,LUSEED=BMPU4###,
               PACING=8,VPACING=8,
               IDBLK=919,
               IDNUM=36821
*
BMPU5   PU     ADDR=01,                                                
               PUTYPE=2,                                               
               LOGAPPL=NETTMVSD,                                       
               LUGROUP=BMCL13,LUSEED=BMPU5###,                         
               PACING=8,VPACING=8,                                     
               IDBLK=919,                                              
               IDNUM=46821
*
*
BMPU6   PU     ADDR=01,                                                
               PUTYPE=2,                                                
               LOGAPPL=NETTMVSD,                                       
               USSTAB=USSTCPMF,                                         
               DLOGMOD=D4C32782,
               PACING=8,VPACING=8,                                     
               IDBLK=919,                                              
               IDNUM=56821
*
BMPU6001 LU    LOCADDR=01
BMPU6002 LU    LOCADDR=02
BMPU6003 LU    LOCADDR=03
BMPU6004 LU    LOCADDR=04
BMPU6005 LU    LOCADDR=05
BMPU6006 LU    LOCADDR=06
BMPU6007 LU    LOCADDR=07
BMPU6008 LU    LOCADDR=08
BMPU6009 LU    LOCADDR=09
BMPU6010 LU    LOCADDR=10
.
.
BMPU6255 LU    LOCADDR=255
*

Simple SSL Encryption Support Example

The following router configuration shows an example of commands used to define a simple configuration of the SSL Encryption Support enhancement. In this configuration, listen-point 172.18.5.187 is a secured listen-point using security profile CERT40. Note that the security profile specifies only the server certificate and takes all of the other parameters at their defaults.

interface Channel3/2
 ip address 172.18.5.185 255.255.255.248
 no keepalive
 lan TokenRing 15
  source-bridge 15 1 500
  adapter 15 4000.b0ca.0015
 lan TokenRing 16
  source-bridge 16 1 500
  adapter 16 4000.b0ca.0016
 tn3270-server
  security
   profile CERT40 SSL
    servercert slot0:verisign187.pem
  listen-point 172.18.5.187
   sec-profile CERT40
   pu BMPU5    91946821 token-adapter 15 08 rmac 4000.b0ca.0016

Complex SSL Encryption Support Example

The following router configuration shows an example of commands used to define a more complex configuration of the SSL Encryption Support enhancement:

Listen-point 172.18.5.186 is a non-secured listen point.

Listen-point 172.18.5.187 is a secured listen-point using security profile CERT128, which specifies the encryption order explicitly and a keylen of 128, that is, strong (domestic) encryption.

Listen-point 172.18.5.188 is a secured listen-point using security profile CERT40 with the default security profile parameters.

interface Channel3/2
 ip address 172.18.5.185 255.255.255.248
 no keepalive
 lan TokenRing 15
  source-bridge 15 1 500
  adapter 15 4000.b0ca.0015
 lan TokenRing 16
  source-bridge 16 1 500
  adapter 16 4000.b0ca.0016
 tn3270-server
  security
   profile CERT128 SSL
    servercert slot0:verisign128.pem
    encryptorder RC4 RC2 DES
    keylen 128
   profile CERT40 SSL
    servercert slot0:coach188.pem
  listen-point 172.18.5.186
   pu BMPU4    91936821 token-adapter 15 04 rmac 4000.b0ca.0016
  listen-point 172.18.5.187
   sec-profile CERT128
   pu BMPU5    91946821 token-adapter 15 08 rmac 4000.b0ca.0016
  listen-point 172.18.5.188
   sec-profile CERT40
   pu BMPU6    91956821 token-adapter 15 0C rmac 4000.b0ca.0016
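A configuration like the one above mixes cleartext and encrypted listen-points, so the first thing a reviewer wants is an inventory of which listen-points encrypt and with what. The following Python script is an added example, not Cisco IOS code and not part of the original document. It parses a tn3270-server block written in the form of the complex example (its CONFIG is modelled on that example, with the PU XIDs matched to the VTAM definitions above), pairs each listen-point with its sec-profile, and reports cleartext listen-points, undefined or certificate-less profiles, and the key length and cipher order of the rest. It assumes that a profile with no explicit keylen negotiates 40-bit keys, as the CERT40 profile name suggests; confirm the default in the keylen command reference. Note also that "strong" in this script means the strongest option this release offers: RC4, RC2 and DES are all considered broken by current standards.

```python
"""Audit which TN3270 listen-points encrypt, and how.

Added example, not Cisco IOS code. Assumption: a profile with no explicit
'keylen' uses 40-bit keys (the CERT40 profile name suggests this default).
"""
from dataclasses import dataclass, field

# Modelled on the complex SSL example of this page.
CONFIG = """
 tn3270-server
  security
   profile CERT128 SSL
    servercert slot0:verisign128.pem
    encryptorder RC4 RC2 DES
    keylen 128
   profile CERT40 SSL
    servercert slot0:coach188.pem
  listen-point 172.18.5.186
   pu BMPU4    91936821 token-adapter 15 04 rmac 4000.b0ca.0016
  listen-point 172.18.5.187
   sec-profile CERT128
   pu BMPU5    91946821 token-adapter 15 08 rmac 4000.b0ca.0016
  listen-point 172.18.5.188
   sec-profile CERT40
   pu BMPU6    91956821 token-adapter 15 0C rmac 4000.b0ca.0016
"""


@dataclass
class Profile:
    name: str
    kind: str                      # 'SSL' is the only kind on this page
    servercert: str = ""
    keylen: int = 40               # assumed default, see module docstring
    encryptorder: list = field(default_factory=list)


def parse_tn3270(config: str):
    """Return ({profile name: Profile}, {listen-point address: profile name or None})."""
    profiles, listen_points = {}, {}
    profile = lp = None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "profile" and len(t) >= 3:
            profile = profiles[t[1]] = Profile(t[1], t[2])
        elif t[0] == "servercert" and profile:
            profile.servercert = t[1]
        elif t[0] == "keylen" and profile:
            profile.keylen = int(t[1])
        elif t[0] == "encryptorder" and profile:
            profile.encryptorder = t[1:]
        elif t[0] == "listen-point":
            lp = t[1]
            listen_points[lp] = None          # cleartext until a sec-profile appears
        elif t[0] == "sec-profile" and lp:
            listen_points[lp] = t[1]
    return profiles, listen_points


def audit(config: str) -> list:
    """One (address, verdict, detail) tuple per listen-point."""
    profiles, listen_points = parse_tn3270(config)
    findings = []
    for addr, pname in listen_points.items():
        if pname is None:
            findings.append((addr, "cleartext", "no sec-profile; TN3270 sessions are unencrypted"))
        elif pname not in profiles:
            findings.append((addr, "error", f"sec-profile {pname} is not defined"))
        elif not profiles[pname].servercert:
            findings.append((addr, "error", f"profile {pname} has no servercert"))
        elif profiles[pname].keylen < 128:
            findings.append((addr, "weak", f"{profiles[pname].keylen}-bit keys via {pname}"))
        else:
            p = profiles[pname]
            order = " ".join(p.encryptorder) or "default"
            findings.append((addr, "strong", f"{p.keylen}-bit keys via {pname}, cipher order {order}"))
    return findings


if __name__ == "__main__":
    for addr, verdict, detail in audit(CONFIG):
        print(f"{addr:15} {verdict:9} {detail}")
```

The "error" verdicts cover the two mistakes that silently leave a listen-point unprotected in practice: a sec-profile that names a profile which was never defined, and a profile whose servercert points at nothing, so the SSL handshake cannot complete.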

Command Reference

This section documents new or modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.1 command reference publications.

certificate reload

client pool

default-profile

disable (TN3270)

domain-id

enable (TN3270)

encryptorder

keylen

lu deletion

profile

pu dlur (listen-point)

sec-profile

security (TN3270)

servercert

show extended channel tn3270-server client-name

show extended channel tn3270-server nailed-domain