Using Telnet (TN3270) on z/OS

This article gives some of the lessons I learned from using TN3270. My mission had been to connect x3270 to TN3270 (telnet) using TLS. Some things are obvious once you know, but frustrating all the same.

The x3270 command

When everything was configured I used the following command to access the system

x3270 -model 5 -cafile /home/zPDT/certDocCA.pem L:


  • -cafile… was the CA sent down from the server on z/OS
  • L: says this is TLS
  • is the IP address of my z/OS
  • 3023 is the port configured in AT-TLS (PAGENT) for the TLS configuration

Creating the configuration

You start TN3270 with the name of the configuration file it should use. For me this was USER.Z24C.TCPPARMS(TN3270).

My file looks like


 include adcd.z24c.tcpparms(port0023)  ; General Applications 
 include user.z24c.tcpparms(tnpt2023)  ; TLS Support AT-TLS 
 include user.z24c.tcpparms(tnpt3023)  ; TLS Support AT-TLS 

Each include file contains self-contained information about one port. My member name tnpo2023 is for TelNet, POrt 2023.

Restricting access

You can restrict which IP addresses can use which profile (port). See Transport Layer Security-Telnet profile example. The example below has a few minor tweaks from me.

TelnetParms         ; ATTLS defined secure port 
 TTLSPort 3023      ; 
 ConnType None      ; Default is no access

 Port 1023
 ...                    ; Mapping statements
 IPGROUP LocalIP        ; Subnets for buildings A and B
 PARMSMAP BasicPG localIP  ; hosts defined in IPGROUP localIP 
 PARMSGROUP BasicPG     ; override default ConnType
   CONNTYPE NONE        ; support basic connections if mapped to this group
; this defines who has access 
 PARMSMAP AdminPG ; this ip address can use secure connections
 PARMSGROUP AdminPG     ; override default ConnType
   CONNTYPE SECURE      ; allow any type of connections if mapped to this group

This says

  • The default connection type is NONE (from TelnetParms)
  • IP addresses, and have PARMSMAP BASICPG which have CONNTYPE NONE.
  • IP address has PARMSMAP AdminPG which has CONNTYPE SECURE.

Changing the configuration

You can update the TN3270 configuration while it is active. You use a command like

v tcpip,tn3270,obeyfile,USER.Z24C.TCPPARMS(TN3270)

Where USER.Z24C.TCPPARMS(TN3270) is the configuration file used at start up. If you have the configuration spread across several files, you cannot use OBEYFILE on one file – you need to use a complete configuration file. It appears to replace the current configuration with the specified one.

Displaying information

You can use TSO netstat telnet to display the ports in use by Telnet. For proper display, you need to use the d tcpip,tn3270,…. command.

This is a bit restrictive as it only displays the information on the syslog. You can use Extended consoles, and so REXX can capture the output – but it still writes many records to SYSLOG and the operator console.

Display connection information

You can use the d tcpip,tn3270,conn,detail command, for example

EZZ6064I TN3270 CONN DISPLAY         FRAME LAST   F      E   SYS=S0W1
         ENCR                                           TSP          
-------- ---- ---------------------- -------- --------  --- --------       
00000048        TCP00001 A06TSO02  TAE SNX32703       
----- PORT:    23  ACTIVE           PROF: CURR CONNS:      1               
00000043 C02F        TLS00001           TPE                
00000046 C02F        TLS00002 A06TSO03  TAE SNX32703       
----- PORT:  2023  ACTIVE           PROF: CURR CONNS:      2               

Shows message EZZ6064I

  • there are two sessions with PORT 2023. Both using cipher suite C02F. The cipher spec value is described here.
  • The LUNAME of TCP… this comes from the BEGINVTAM .. part of the TN3270 definitions.
  • Two terminals are connected to TSO (A06TSO02), with the given logmode. The A in TSP means Active

EZZ… messages are here.

I could not see a way of displaying which z/OS certificate is being used.
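The display above can be checked mechanically for sessions that have no cipher in the ENCR column. The following is an added example, not part of the original article: it assumes, as in the sample, that each PORT line follows the connections it summarises and that the ENCR value is a 4-character hex code directly after the connection ID.

```python
import re

# Constructed sample: the EZZ6064I output shown above (the client ID column
# is blank on the page, so it is blank here too).
SAMPLE = """\
EZZ6064I TN3270 CONN DISPLAY         FRAME LAST   F      E   SYS=S0W1
         ENCR                                           TSP
-------- ---- ---------------------- -------- --------  --- --------
00000048        TCP00001 A06TSO02  TAE SNX32703
----- PORT:    23  ACTIVE           PROF: CURR CONNS:      1
00000043 C02F        TLS00001           TPE
00000046 C02F        TLS00002 A06TSO03  TAE SNX32703
----- PORT:  2023  ACTIVE           PROF: CURR CONNS:      2
"""

CONN = re.compile(r"^([0-9A-F]{8})\s+(.*)$")      # connection ID, then the rest
PORT = re.compile(r"^-+\s+PORT:\s*(\d+)\s+(\S+).*CONNS:\s*(\d+)")
CIPHER = re.compile(r"^[0-9A-F]{4}$")             # assumption: ENCR is 4 hex chars


def parse_conn_display(text):
    """Return {port: {"state", "reported", "conns": [{"conn", "cipher"}]}}."""
    ports, pending = {}, []
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            fields = m.group(2).split()
            cipher = fields[0] if fields and CIPHER.match(fields[0]) else None
            pending.append({"conn": m.group(1), "cipher": cipher})
            continue
        m = PORT.match(line)
        if m:  # the PORT line closes the block of connections listed above it
            ports[int(m.group(1))] = {"state": m.group(2),
                                      "reported": int(m.group(3)),
                                      "conns": pending}
            pending = []
    return ports


def cleartext_sessions(ports):
    """List (port, connection ID) for every session with no cipher shown."""
    return [(port, c["conn"]) for port, p in sorted(ports.items())
            for c in p["conns"] if c["cipher"] is None]


if __name__ == "__main__":
    for port, conn in cleartext_sessions(parse_conn_display(SAMPLE)):
        print(f"port {port}: connection {conn} has no cipher (not TLS)")
```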

Display profile information

d tcpip,tn3270,profile


  -------  --------------  ---  ----------  -------  ----        
  L******  ***TSBTQ***RT*  TT*  BB********  IP**ST*  SMD*        
----- PORT:    23  ACTIVE           PROF: CURR CONNS:      0     
  L******  ***TSBTQ***RT*  TJ*  TSTTTT**TT  IP**STT  SMD*        
----- PORT:  2023  ACTIVE           PROF: CURR CONNS:      0     
  L******  ***TSBTQ***RT*  TJ*  TSTTTT**TT  IP**STT  SMD*        
----- PORT:  3023  ACTIVE           PROF: CURR CONNS:      1     
   FORMAT            LONG                                        
   TCPIPJOBNAME      TCPIP                                       
   TNSACONFIG        DISABLED                                    
   DEBUG TASK        EXCEPTION  CONSOLE                          
   DEBUG CONFIG      EXCEPTION  CONSOLE                          
   DEBUG CONFIG      TRACEOFF                                    
21 OF 21 RECORDS DISPLAYED                                       

If you issue d tcpip,tn3270,profile,detail you get a lot of output – it will display only the first nnn lines. You can change this value by d tcpip,tn3270,profile,detail,MAX=200.

You may find it easier to specify a port, for example d tcpip,tn3270,profile,port=23,detail, to get less output.

To display the TN3270 configuration options you can specify profile=…

d tcpip,tn3270,profile,port=3023,profile=xxxx,detail

Where profile=xxxx can be PROFile=CURRent|prfid|ACTive|ALL|Basic|Pending|Secure

Current, Active, ALL and basic seem to display the same information. I do not know the difference between them.

Displaying “VTAM” information

You can display some of the configuration, but not all of it. For example

D TCPIP,TN3270,object,PORT=3023,type=parmsgrp


OBJECT      CONNS  CLIENT ID CLIENT ID        ITEM                    
NAME        USING  TYPE      NAME             SPECIFIC   OPTIONS      
----------  ------ --------- ---------------- ---------- --------     
 BASICPG         0 IPGRP     LOCALIP   
 ADMINPG         1 IPADDR                                 

But you cannot display what LOCALIP is.

Where does the parameter come from?

d tcpip,tn3270,profile,port=3023,detail

This command gives

EZZ6080I TN3270 PROFILE DISPLAY 771                                          
  PERSIS   FUNCTION        DIA  SECURITY    TIMERS   MISC                    
  -------  --------------  ---  ----------  -------  ----                    
  *******  ***TSBTQ***RT*  EC*  BB********  *P**STS  *DD* *DEFAULT           
  L------  ------------T   TT-  ----------  I---ST-  SM-- *TGLOBAL           
  -------  -------------   TJ-  TSTTTT--TT  ------T  ---- *TPARMS            
  L******  ***TSBTQ***RT*  TJ*  TSTTTT**TT  IP**STT  SMD* CURR               

The field column headings are described here.

  • * means the option was turned off
  • - means the option was not set.

In the first column (LMTGCAK)

  • The default is *
  • From the T(elnet)GLOBAL the value is L
  • From T(elnet)PARMS nothing is specified
  • So the Current definition is L
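The same layering can be applied to every flag position, not just the first column. The following is an added example, not part of the original article: it overlays *DEFAULT, *TGLOBAL and *TPARMS in that order, treating "-" (and a blank at the end of a group) as "not set at this level", and records which level supplied each flag in CURR.

```python
# Constructed sample: the four rows of the EZZ6080I display shown above.
SAMPLE = """\
  *******  ***TSBTQ***RT*  EC*  BB********  *P**STS  *DD* *DEFAULT
  L------  ------------T   TT-  ----------  I---ST-  SM-- *TGLOBAL
  -------  -------------   TJ-  TSTTTT--TT  ------T  ---- *TPARMS
  L******  ***TSBTQ***RT*  TJ*  TSTTTT**TT  IP**STT  SMD* CURR
"""
COLUMNS = ["PERSIS", "FUNCTION", "DIA", "SECURITY", "TIMERS", "MISC"]
LAYERS = ["*DEFAULT", "*TGLOBAL", "*TPARMS"]  # lowest to highest precedence


def parse_rows(text):
    """Map each row label (last token) to its six flag groups."""
    rows = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) == len(COLUMNS) + 1:
            rows[tokens[-1]] = tokens[:-1]
    return rows


def resolve(rows):
    """Overlay the layers; return (merged groups, origin of every flag)."""
    merged, origin = [], {}
    for col, name in enumerate(COLUMNS):
        width = len(rows["*DEFAULT"][col])
        chars = []
        for pos in range(width):
            for layer in LAYERS:
                # A short group has blank trailing positions: treat as unset.
                flag = rows[layer][col].ljust(width, "-")[pos]
                if flag != "-" or layer == "*DEFAULT":
                    value, source = flag, layer
            chars.append(value)
            origin[(name, pos)] = source
        merged.append("".join(chars))
    return merged, origin


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    merged, origin = resolve(rows)
    print("matches CURR:", merged == rows["CURR"])
    for pos, flag in enumerate(merged[COLUMNS.index("SECURITY")]):
        print(f"SECURITY[{pos}] = {flag} from {origin[('SECURITY', pos)]}")
```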

Quiescing and resuming ports

Quiescing a port stops new connections from using it. Resume allows it to be used.

v tcpip,tn3270,quiesce,port=3023
v tcpip,tn3270,resume,port=3023

Stopping a port may be bad for you

You can use a command

v tcpip,tn3270,stop,port=3023

Which cancels existing sessions using the port, and stops new connections from using it.

I cannot find how to start the port.

If you use

v tcpip,tn3270,obeyfile,USER.Z24C.TCPPARMS(TN3270)

to refresh the whole configuration all ports are restarted, so you can start all – but not just one port.
