This article gives some of the lessons I learned from using TN3270. My mission had been to connect x3270 to TN3270 (telnet) using TLS. Some things are obvious once you know, but frustrating all the same.
The x3270 command
When everything was configured I used the following command to access the system
x3270 -model 5 -cafile /home/zPDT/certDocCA.pem L:10.1.1.2:3023
Where
- -cafile… was the CA sent down from the server on z/OS
- L: says this is TLS
- 10.1.1.2 is the IP address of my z/OS
- 3023 is the port configured in AT-TLS (PAGENT) for the TLS configuration
Creating the configuration
You start TN3270 with the name of the configuration file it should use. For me this was USER.Z24C.TCPPARMS(TN3270).
My file looks like
    TelnetGlobals
    ....
    EndTelnetGlobals
    include adcd.z24c.tcpparms(port0023) ; General Applications
    include user.z24c.tcpparms(tnpt2023) ; TLS Support AT-TLS
    include user.z24c.tcpparms(tnpt3023) ; TLS Support AT-TLS
Each include file contains self-contained information about one port. My member name tnpo2023 is for TelNet, POrt 2023.
Restricting access
You can restrict which IP addresses can use which profile (port). See Transport Layer Security-Telnet profile example. The example below has a few minor tweaks from me.
    TelnetParms ; ATTLS defined secure port
      TTLSPort 3023
      ; DEBUG CONN DETAIL JOBLOG
      DEBUG CONN trace CTRACE
      ConnType None ; Default is no access
    EndTelnetParms
    BEGINVTAM
      Port 1023
      ...
      ; Mapping statements
      IPGROUP LocalIP ; Subnets for buildings A and B
        255.255.255.0:10.1.1.0
        255.255.255.0:10.1.2.0
      ENDIPGROUP
      PARMSMAP BasicPG localIP ; hosts defined in IPGROUP localIP
      PARMSGROUP BasicPG ; override default ConnType
        CONNTYPE NONE ; support basic connections if mapped to this group
      ENDPARMSGROUP
      ; this defines who has access
      PARMSMAP AdminPG 10.1.0.2 ; this ip address can use secure connections
      PARMSGROUP AdminPG ; override default ConnType
        CONNTYPE SECURE ; allow any type of connections if mapped to this group
      ENDPARMSGROUP
    ENDVTAM
This says
- The default connection type is NONE (from TelnetParms)
- The subnets 10.1.1.0 and 10.1.2.0 (IPGROUP LocalIP) have PARMSMAP BasicPG, which has CONNTYPE NONE.
- IP address 10.1.0.2 has PARMSMAP AdminPG which has CONNTYPE SECURE.
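To check which clients end up with which connection type, the mapping can be resolved off-host. The following is an added example, not part of the original post or of any IBM tooling: the function names parse and conntype_for are hypothetical, only IP address and IPGROUP client IDs are handled, and it assumes an exact IP address mapping takes precedence over an IPGROUP mapping.

```python
import ipaddress
# Statements from the profile above, comments dropped (sample input for this sketch).
PROFILE = """
TelnetParms
  ConnType None
EndTelnetParms
BEGINVTAM
  IPGROUP LocalIP
    255.255.255.0:10.1.1.0
    255.255.255.0:10.1.2.0
  ENDIPGROUP
  PARMSMAP BasicPG localIP
  PARMSGROUP BasicPG
    CONNTYPE NONE
  ENDPARMSGROUP
  PARMSMAP AdminPG 10.1.0.2
  PARMSGROUP AdminPG
    CONNTYPE SECURE
  ENDPARMSGROUP
ENDVTAM
"""

def parse(text):
    """Parse statements (';' comments stripped, case folded) into lookup tables."""
    conntype, ipgroups, maps, kind, name = {}, {}, [], None, None
    lines = (l.split(";")[0].upper().split() for l in text.splitlines())
    for tok in filter(None, lines):
        if tok[0] in ("TELNETPARMS", "IPGROUP", "PARMSGROUP"):
            kind, name = tok[0], tok[-1]      # TelnetParms is keyed by its own name
        elif tok[0].startswith("END"):
            kind = None
        elif tok[0] == "PARMSMAP":
            maps.append((tok[1], tok[2]))
        elif tok[0] == "CONNTYPE" and kind:
            conntype[name] = tok[1]
        elif kind == "IPGROUP":
            mask, net = tok[0].split(":")
            ipgroups.setdefault(name, []).append(ipaddress.ip_network(f"{net}/{mask}"))
    return conntype, ipgroups, maps

def conntype_for(client, text=PROFILE):
    """Return (parms group or None, effective ConnType) for a client IP."""
    conntype, ipgroups, maps = parse(text)
    ip = ipaddress.ip_address(client)
    # Assumption: an exact IP address mapping wins over an IPGROUP mapping.
    hits = [pg for pg, cid in maps if cid == client] + \
           [pg for pg, cid in maps if any(ip in n for n in ipgroups.get(cid, []))]
    group = hits[0] if hits else None
    return group, conntype.get(group, conntype.get("TELNETPARMS"))
```

A client that matches no PARMSMAP falls back to the ConnType in TelnetParms, which is why the default there matters.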
Changing the configuration
You can update the TN3270 configuration while it is active. You use a command like
v tcpip,tn3270,obeyfile,USER.Z24C.TCPPARMS(TN3270)
Where USER.Z24C.TCPPARMS(TN3270) is the configuration file used at start up. If you have the configuration spread across several files, you cannot use OBEYFILE on one file – you need to use a complete configuration file. It appears to replace the current configuration with the specified one.
Displaying information.
You can use TSO netstat telnet to display the ports in use by Telnet. For proper display, you need to use the d tcpip,tn3270,…. command.
This is a bit restrictive as it only displays the information on the syslog. You can use Extended consoles, and so REXX can capture the output – but it still writes many records to SYSLOG and the operator console.
Display connection information
You can use the d tcpip,tn3270,conn,detail command, for example
    EZZ6064I TN3270 CONN DISPLAY FRAME LAST F E SYS=S0W1
             ENCR                                          TSP
    CONN     TYPE IPADDR..PORT           LUNAME   APPLID   PTR LOGMODE
    -------- ---- ---------------------- -------- -------- --- --------
    00000048      10.1.0.2..51928        TCP00001 A06TSO02 TAE SNX32703
    ----- PORT: 23 ACTIVE PROF: CURR CONNS: 1
    ------------------------------------------------------------
    00000043 C02F 10.1.0.2..48126        TLS00001          TPE
    00000046 C02F 10.1.0.2..40978        TLS00002 A06TSO03 TAE SNX32703
    ----- PORT: 2023 ACTIVE PROF: CURR CONNS: 2
    ------------------------------------------------------------
This output (message EZZ6064I) shows:
- There are two sessions on port 2023, both using cipher suite C02F. The cipher spec value is described here.
- The LUNAME of TCP… comes from the BEGINVTAM … part of the TN3270 definitions.
- Two terminals are connected to TSO (A06TSO02), with the given logmode. The A in TSP means Active.
EZZ… messages are here.
I could not see a way of displaying which z/OS certificate is being used.
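The connection display can be post-processed to list sessions that report no cipher. This is an added example, not from the original post: the sample text is the display above with its column spacing reconstructed, the function names are hypothetical, and it assumes an empty ENCR TYPE column means the session is not encrypted.

```python
import re

# Sample input: the conn,detail display from above, column spacing reconstructed.
DISPLAY = """\
CONN     TYPE IPADDR..PORT           LUNAME   APPLID   PTR LOGMODE
-------- ---- ---------------------- -------- -------- --- --------
00000048      10.1.0.2..51928        TCP00001 A06TSO02 TAE SNX32703
----- PORT: 23 ACTIVE PROF: CURR CONNS: 1
------------------------------------------------------------
00000043 C02F 10.1.0.2..48126        TLS00001          TPE
00000046 C02F 10.1.0.2..40978        TLS00002 A06TSO03 TAE SNX32703
----- PORT: 2023 ACTIVE PROF: CURR CONNS: 2
------------------------------------------------------------
"""

# C02F is the IANA cipher suite value below; only the code seen above is listed.
CIPHERS = {"C02F": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}

CONN = re.compile(r"^(?P<id>[0-9A-F]{8})\s+(?:(?P<encr>[0-9A-F]{4})\s+)?"
                  r"(?P<ip>\S+?)\.\.(?P<cport>\d+)\s+(?P<lu>\S+)")
PORT = re.compile(r"^----- PORT:\s*(\d+)")

def parse_conns(text):
    """Return one dict per connection; the PORT footer line closes each group."""
    done, pending = [], []
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            pending.append(m.groupdict())     # encr is None when the column is empty
        elif (p := PORT.match(line)):
            for d in pending:
                d["port"] = int(p.group(1))
            done += pending
            pending = []
    return done

def unencrypted(text):
    """Connections with an empty ENCR TYPE column, as (port, client IP, LU name)."""
    return [(c["port"], c["ip"], c["lu"]) for c in parse_conns(text) if not c["encr"]]

def ciphers_by_port(text):
    """Map server port -> set of cipher names (raw code if not in CIPHERS)."""
    out = {}
    for c in parse_conns(text):
        if c["encr"]:
            out.setdefault(c["port"], set()).add(CIPHERS.get(c["encr"], c["encr"]))
    return out
```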
Display profile information
d tcpip,tn3270,profile
gives
     PERSIS   FUNCTION        DIA  SECURITY    TIMERS   MISC
    (LMTGCAK)(OPATSKTQSSHRTL)(DRF)(PCKLECXN23)(IPKPSTS)(SMLT)
     -------  --------------  ---  ----------  -------  ----
     L******  ***TSBTQ***RT*  TT*  BB********  IP**ST*  SMD*
    ----- PORT: 23 ACTIVE PROF: CURR CONNS: 0
    ------------------------------------------------------------
     L******  ***TSBTQ***RT*  TJ*  TSTTTT**TT  IP**STT  SMD*
    ----- PORT: 2023 ACTIVE PROF: CURR CONNS: 0
    ------------------------------------------------------------
     L******  ***TSBTQ***RT*  TJ*  TSTTTT**TT  IP**STT  SMD*
    ----- PORT: 3023 ACTIVE PROF: CURR CONNS: 1
    ------------------------------------------------------------
    FORMAT LONG
    NOSMFPROFILE
    TCPIPJOBNAME TCPIP
    TNSACONFIG DISABLED
    DEBUG TASK EXCEPTION CONSOLE
    DEBUG CONFIG EXCEPTION CONSOLE
    DEBUG CONFIG TRACEOFF
    21 OF 21 RECORDS DISPLAYED
If you issue d tcpip,tn3270,profile,detail you get a lot of output – it will display only the first nnn lines. You can change this value by d tcpip,tn3270,profile,detail,MAX=200.
You may find it easier to specify a port, for example d tcpip,tn3270,profile,port=23,detail, to get less output.
To display the TN3270 configuration options you can specify profile=…
d tcpip,tn3270,profile,port=3023,profile=xxxx,detail
Where profile=xxxx can be PROFile=CURRent|prfid|ACTive|ALL|Basic|Pending|Secure
Current, Active, ALL and basic seem to display the same information. I do not know the difference between them.
Displaying “VTAM” information
You can display some of the configuration, but not all of it. For example
D TCPIP,TN3270,object,PORT=3023,type=parmsgrp
gives
    OBJECT     CONNS  CLIENT ID CLIENT ID        ITEM
    NAME       USING  TYPE      NAME             SPECIFIC   OPTIONS
    ---------- ------ --------- ---------------- ---------- --------
    PARMSGRP
     BASICPG        0 IPGRP     LOCALIP
     ADMINPG        1 IPADDR    10.1.0.2
But you cannot display what LOCALIP is.
Where does the parameter come from?
d tcpip,tn3270,profile,port=3023,detail
This command gives
    EZZ6080I TN3270 PROFILE DISPLAY 771
     PERSIS   FUNCTION        DIA  SECURITY    TIMERS   MISC
    (LMTGCAK)(OPATSKTQSSHRTL)(DRF)(PCKLECXN23)(IPKPSTS)(SMLT)
     -------  --------------  ---  ----------  -------  ----
     *******  ***TSBTQ***RT*  EC*  BB********  *P**STS  *DD*  *DEFAULT
     L------  ------------T   TT-  ----------  I---ST-  SM--  *TGLOBAL
     -------  -------------   TJ-  TSTTTT--TT  ------T  ----  *TPARMS
     L******  ***TSBTQ***RT*  TJ*  TSTTTT**TT  IP**STT  SMD*  CURR
The field column headings are described here.
- * means the option was turned off
- - means the option was not set.
In the first column (LMTGCAK)
- The default is *
- From the T(elnet)GLOBAL the value is L
- From T(elnet)PARMS nothing is specified
- So the Current definition is L
Quiescing and resuming ports
Quiescing a port stops new connections from using it. Resume allows it to be used.
v tcpip,tn3270,quiesce,port=3023
v tcpip,tn3270,resume,port=3023
Stopping a port may be bad for you
You can use a command
v tcpip,tn3270,stop,port=3023
Which cancels existing sessions using the port, and stops new connections from using it.
I cannot find how to start the port.
If you use
v tcpip,tn3270,obeyfile,USER.Z24C.TCPPARMS(TN3270)
to refresh the whole configuration, all ports are restarted, so you can start all of them – but not just one port.