1. Forum
  2. Usenet
  3. COMP.SYS.UNISYS

  • COMS/Telnet/CCF

    From Val@21:1/5 to All on Mon Aug 31 20:12:09 2020
    I am looking for feedback, and or suggestions on how to identify TCPIP connections that are using Telnet or CCF to connect to the mainframe. I am working to eliminate all non-secure port connections 23 and 3001 to go SSL with 992 and 3013.

    There are other non-secure port connections using application which i plan to address in a phased approach for migration.

    Thank you
    Val

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From mperew@gmail.com@21:1/5 to All on Tue Sep 1 09:06:30 2020
    For CCF, you can query the TCPIPPCM to tell you which ports are or are not secured.

    NA <CCF DSS Name> TCPIPPCM SHOW PORT <port name>

    Secured ports will include these attributes:
    SSLKeyContainer = <certificate name>
    SSLSecuereMode = True

    For Telnet, the command NA TELNET STATUS ALL will show which stations are secured. They will include the tag "SSL" and show they are on Port 992.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul Kimpel@21:1/5 to Val on Tue Sep 1 08:32:44 2020
    On 8/31/2020 8:12 PM, Val wrote:
    I am looking for feedback, and or suggestions on how to identify TCPIP connections that are using Telnet or CCF to connect to the mainframe. I am working to eliminate all non-secure port connections 23 and 3001 to go SSL with 992 and 3013.

    There are other non-secure port connections using application which i plan to address in a phased approach for migration.

    Thank you
    Val


    You can view the status of all connections for a given port number with
    this command:

    NW TCPIP CONN MYNAME=<port number>

    You can also filter using IPADDRESS, STATE and and a few other
    attributes. See the documentation in the Networking Commands and
    Inquiries Help file. For example:

    NW TCPIP CONN MYNAME=23 TCPSTATE=ESTABLISHED

    This command may generate a long list, so you might want to run it from
    an Action line in MARC and use the STORE command to save the results to
    a file.

    Paul

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Graham Gold@21:1/5 to Paul Kimpel on Tue Sep 1 10:39:30 2020
    I’m not currently working on mainframe just now but when I was I developed some Windows Powershell script to translate the output from NW TCPIP CONN to a CSV file and also perform an NSLOOKUP (dns lookup on windows machines) - happy for you to use it
    if Powershell is useful to you.

    Put the below into a file on a pc with a .ps1 file extension and run (change the file paths accordingly to where the output from the MCP is (I used STore as Paul suggested then grabbed the file off an nxservices share):

    <# NW TCPIP CONN OUTPUT Parser - turns below into CSV output
    TCP CONNECTION ID = 10
    FILENAME = FILE_1
    MY NAME = 1234
    YOUR NAME = 45321
    STATE = ESTABLISHED
    YOUR IP ADDRESS 1.2.3.3
    PROTOCOL STACK = LEGACY,

    TCP CONNECTION ID = 11
    FILENAME = MY_PORT
    MY NAME = 9999
    YOUR NAME = 54231
    STATE = ESTABLISHED
    YOUR IP ADDRESS 9.8.7.6
    PROTOCOL STACK = LEGACY,


    $srcData = (gc C:\TCP_CONNS.TXT|select -Skip 8) -join ',' `
    -replace ' ','' `
    -replace ',,',"`r`n" `
    -replace ',TCPCONNECTIONID=','' `
    -replace 'TCPCONNECTIONID=',''`
    -replace 'FILENAME=','' `
    -replace 'MYNAME=','' `
    -replace 'YOURNAME=','' `
    -replace 'STATE=','' `
    -replace 'YOURIPADDRESS','' `
    -replace 'PROTOCOLSTACK=',''
    $outfile = @()
    $srcdata -split "`r`n"|where-object {$_ -notlike ''}|foreach {
    $obj = New-Object System.Object
    $inparr = $_.Split(",")
    $obj|Add-Member -MemberType NoteProperty -Name Connection_ID -Value $inparr[0]
    $obj|Add-Member -MemberType NoteProperty -Name Filename -Value $inparr[1]
    $obj|Add-Member -MemberType NoteProperty -Name MCP_Port -Value $inparr[2]
    $obj|Add-Member -MemberType NoteProperty -Name Client_Port -Value $inparr[3]
    $obj|Add-Member -MemberType NoteProperty -Name Port_State -Value $inparr[4]
    $obj|Add-Member -MemberType NoteProperty -Name Client_IP -Value $inparr[5]
    $ErrorActionPreference = "Stop"
    $Client_DNS_V = If ($obj.Port_State -ne "LISTEN") {Try { (NSLOOKUP $inparr[5] |Select-String Name).Line.ToString().Replace(" ","").Split(":")[1]} Catch {}} else {""}
    $ErrorActionPreference = "SilentlyContinue"
    $obj|Add-Member -MemberType NoteProperty -Name Client_DNS -Value $Client_DNS_V
    $obj|Add-Member -MemberType NoteProperty -Name Protocol_Stack -Value $inparr[6]
    $outfile += $obj
    rv Client_DNS_V
    }

    $outfile|Export-Csv -Path C:\TCP_CONNS.CSV -NoTypeInformation

    On Tuesday, September 1, 2020 at 4:32:47 PM UTC+1, Paul Kimpel wrote:
    On 8/31/2020 8:12 PM, Val wrote:
    I am looking for feedback, and or suggestions on how to identify TCPIP connections that are using Telnet or CCF to connect to the mainframe. I am working to eliminate all non-secure port connections 23 and 3001 to go SSL with 992 and 3013.

    There are other non-secure port connections using application which i plan to address in a phased approach for migration.

    Thank you
    Val

    You can view the status of all connections for a given port number with
    this command:

    NW TCPIP CONN MYNAME=<port number>

    You can also filter using IPADDRESS, STATE and and a few other
    attributes. See the documentation in the Networking Commands and
    Inquiries Help file. For example:

    NW TCPIP CONN MYNAME=23 TCPSTATE=ESTABLISHED

    This command may generate a long list, so you might want to run it from
    an Action line in MARC and use the STORE command to save the results to
    a file.

    Paul

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Val@21:1/5 to Graham Gold on Tue Sep 1 18:26:10 2020
    On Tuesday, September 1, 2020 at 1:39:31 PM UTC-4, Graham Gold wrote:
    I’m not currently working on mainframe just now but when I was I developed some Windows Powershell script to translate the output from NW TCPIP CONN to a CSV file and also perform an NSLOOKUP (dns lookup on windows machines) - happy for you to use it
    if Powershell is useful to you.

    Put the below into a file on a pc with a .ps1 file extension and run (change the file paths accordingly to where the output from the MCP is (I used STore as Paul suggested then grabbed the file off an nxservices share):

    <# NW TCPIP CONN OUTPUT Parser - turns below into CSV output
    TCP CONNECTION ID = 10
    FILENAME = FILE_1
    MY NAME = 1234
    YOUR NAME = 45321
    STATE = ESTABLISHED
    YOUR IP ADDRESS 1.2.3.3
    PROTOCOL STACK = LEGACY,

    TCP CONNECTION ID = 11
    FILENAME = MY_PORT
    MY NAME = 9999
    YOUR NAME = 54231
    STATE = ESTABLISHED
    YOUR IP ADDRESS 9.8.7.6
    PROTOCOL STACK = LEGACY,


    $srcData = (gc C:\TCP_CONNS.TXT|select -Skip 8) -join ',' `
    -replace ' ','' `
    -replace ',,',"`r`n" `
    -replace ',TCPCONNECTIONID=','' `
    -replace 'TCPCONNECTIONID=',''`
    -replace 'FILENAME=','' `
    -replace 'MYNAME=','' `
    -replace 'YOURNAME=','' `
    -replace 'STATE=','' `
    -replace 'YOURIPADDRESS','' `
    -replace 'PROTOCOLSTACK=',''
    $outfile = @()
    $srcdata -split "`r`n"|where-object {$_ -notlike ''}|foreach {
    $obj = New-Object System.Object
    $inparr = $_.Split(",")
    $obj|Add-Member -MemberType NoteProperty -Name Connection_ID -Value $inparr[0]
    $obj|Add-Member -MemberType NoteProperty -Name Filename -Value $inparr[1] $obj|Add-Member -MemberType NoteProperty -Name MCP_Port -Value $inparr[2] $obj|Add-Member -MemberType NoteProperty -Name Client_Port -Value $inparr[3] $obj|Add-Member -MemberType NoteProperty -Name Port_State -Value $inparr[4] $obj|Add-Member -MemberType NoteProperty -Name Client_IP -Value $inparr[5] $ErrorActionPreference = "Stop"
    $Client_DNS_V = If ($obj.Port_State -ne "LISTEN") {Try { (NSLOOKUP $inparr[5] |Select-String Name).Line.ToString().Replace(" ","").Split(":")[1]} Catch {}} else {""}
    $ErrorActionPreference = "SilentlyContinue"
    $obj|Add-Member -MemberType NoteProperty -Name Client_DNS -Value $Client_DNS_V
    $obj|Add-Member -MemberType NoteProperty -Name Protocol_Stack -Value $inparr[6]
    $outfile += $obj
    rv Client_DNS_V
    }

    $outfile|Export-Csv -Path C:\TCP_CONNS.CSV -NoTypeInformation
    On Tuesday, September 1, 2020 at 4:32:47 PM UTC+1, Paul Kimpel wrote:
    On 8/31/2020 8:12 PM, Val wrote:
    I am looking for feedback, and or suggestions on how to identify TCPIP connections that are using Telnet or CCF to connect to the mainframe. I am working to eliminate all non-secure port connections 23 and 3001 to go SSL with 992 and 3013.

    There are other non-secure port connections using application which i plan to address in a phased approach for migration.

    Thank you
    Val

    You can view the status of all connections for a given port number with this command:

    NW TCPIP CONN MYNAME=<port number>

    You can also filter using IPADDRESS, STATE and and a few other
    attributes. See the documentation in the Networking Commands and
    Inquiries Help file. For example:

    NW TCPIP CONN MYNAME=23 TCPSTATE=ESTABLISHED

    This command may generate a long list, so you might want to run it from
    an Action line in MARC and use the STORE command to save the results to
    a file.

    Paul

    Thanks for providing this value information.

    The NW TCPIP CONN reporting is only for the connections that are active at a given time (point in time). There are many of our users/connections that may not connect everyday or may not stay up all the time. So, Would you suggest to get accurate counts
    using lognalyzer over a monthly period as an option to generate that reporting?

    what options if any, should be specified in the LOG search criteria? we dont have Gregory's LOGEXTRACT utility

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Graham Gold@21:1/5 to Val on Wed Sep 2 10:40:37 2020
    I don’t have access to an MCP system right now but probably LOG TCPIP or LOG TCPIP IP. Would mean a change to the Powershell code to parse that as the output format is a little different.

    https://public.support.unisys.com/aseries/docs/ClearPath-MCP-19.0/86000460-525/86000460-525/section-000023081.html

    I may also have log parsing Powershell code but again it’ll be specific to the output I was parsing.

    Regards,
    Graham


    On Wednesday, September 2, 2020 at 2:26:11 AM UTC+1, Val wrote:
    On Tuesday, September 1, 2020 at 1:39:31 PM UTC-4, Graham Gold wrote:
    I’m not currently working on mainframe just now but when I was I developed some Windows Powershell script to translate the output from NW TCPIP CONN to a CSV file and also perform an NSLOOKUP (dns lookup on windows machines) - happy for you to use
    it if Powershell is useful to you.

    Put the below into a file on a pc with a .ps1 file extension and run (change the file paths accordingly to where the output from the MCP is (I used STore as Paul suggested then grabbed the file off an nxservices share):

    <# NW TCPIP CONN OUTPUT Parser - turns below into CSV output
    TCP CONNECTION ID = 10
    FILENAME = FILE_1
    MY NAME = 1234
    YOUR NAME = 45321
    STATE = ESTABLISHED
    YOUR IP ADDRESS 1.2.3.3
    PROTOCOL STACK = LEGACY,

    TCP CONNECTION ID = 11
    FILENAME = MY_PORT
    MY NAME = 9999
    YOUR NAME = 54231
    STATE = ESTABLISHED
    YOUR IP ADDRESS 9.8.7.6
    PROTOCOL STACK = LEGACY,


    $srcData = (gc C:\TCP_CONNS.TXT|select -Skip 8) -join ',' `
    -replace ' ','' `
    -replace ',,',"`r`n" `
    -replace ',TCPCONNECTIONID=','' `
    -replace 'TCPCONNECTIONID=',''`
    -replace 'FILENAME=','' `
    -replace 'MYNAME=','' `
    -replace 'YOURNAME=','' `
    -replace 'STATE=','' `
    -replace 'YOURIPADDRESS','' `
    -replace 'PROTOCOLSTACK=',''
    $outfile = @()
    $srcdata -split "`r`n"|where-object {$_ -notlike ''}|foreach {
    $obj = New-Object System.Object
    $inparr = $_.Split(",")
    $obj|Add-Member -MemberType NoteProperty -Name Connection_ID -Value $inparr[0]
    $obj|Add-Member -MemberType NoteProperty -Name Filename -Value $inparr[1] $obj|Add-Member -MemberType NoteProperty -Name MCP_Port -Value $inparr[2] $obj|Add-Member -MemberType NoteProperty -Name Client_Port -Value $inparr[3]
    $obj|Add-Member -MemberType NoteProperty -Name Port_State -Value $inparr[4]
    $obj|Add-Member -MemberType NoteProperty -Name Client_IP -Value $inparr[5] $ErrorActionPreference = "Stop"
    $Client_DNS_V = If ($obj.Port_State -ne "LISTEN") {Try { (NSLOOKUP $inparr[5] |Select-String Name).Line.ToString().Replace(" ","").Split(":")[1]} Catch {}} else {""}
    $ErrorActionPreference = "SilentlyContinue"
    $obj|Add-Member -MemberType NoteProperty -Name Client_DNS -Value $Client_DNS_V
    $obj|Add-Member -MemberType NoteProperty -Name Protocol_Stack -Value $inparr[6]
    $outfile += $obj
    rv Client_DNS_V
    }

    $outfile|Export-Csv -Path C:\TCP_CONNS.CSV -NoTypeInformation
    On Tuesday, September 1, 2020 at 4:32:47 PM UTC+1, Paul Kimpel wrote:
    On 8/31/2020 8:12 PM, Val wrote:
    I am looking for feedback, and or suggestions on how to identify TCPIP connections that are using Telnet or CCF to connect to the mainframe. I am working to eliminate all non-secure port connections 23 and 3001 to go SSL with 992 and 3013.

    There are other non-secure port connections using application which i plan to address in a phased approach for migration.

    Thank you
    Val

    You can view the status of all connections for a given port number with this command:

    NW TCPIP CONN MYNAME=<port number>

    You can also filter using IPADDRESS, STATE and and a few other attributes. See the documentation in the Networking Commands and Inquiries Help file. For example:

    NW TCPIP CONN MYNAME=23 TCPSTATE=ESTABLISHED

    This command may generate a long list, so you might want to run it from an Action line in MARC and use the STORE command to save the results to a file.

    Paul
    Thanks for providing this value information.

    The NW TCPIP CONN reporting is only for the connections that are active at a given time (point in time). There are many of our users/connections that may not connect everyday or may not stay up all the time. So, Would you suggest to get accurate counts
    using lognalyzer over a monthly period as an option to generate that reporting?

    what options if any, should be specified in the LOG search criteria? we dont have Gregory's LOGEXTRACT utility

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul Kimpel@21:1/5 to Val on Wed Sep 2 18:34:56 2020
    On 9/1/2020 6:26 PM, Val wrote:
    On Tuesday, September 1, 2020 at 1:39:31 PM UTC-4, Graham Gold wrote:
    I’m not currently working on mainframe just now but when I was I developed some Windows Powershell script to translate the output from NW TCPIP CONN to a CSV file and also perform an NSLOOKUP (dns lookup on windows machines) - happy for you to use
    it if Powershell is useful to you.

    <snip>

    On Tuesday, September 1, 2020 at 4:32:47 PM UTC+1, Paul Kimpel wrote:
    On 8/31/2020 8:12 PM, Val wrote:
    I am looking for feedback, and or suggestions on how to identify TCPIP connections that are using Telnet or CCF to connect to the mainframe. I am working to eliminate all non-secure port connections 23 and 3001 to go SSL with 992 and 3013.

    There are other non-secure port connections using application which i plan to address in a phased approach for migration.

    Thank you
    Val

    You can view the status of all connections for a given port number with
    this command:

    NW TCPIP CONN MYNAME=<port number>

    You can also filter using IPADDRESS, STATE and and a few other
    attributes. See the documentation in the Networking Commands and
    Inquiries Help file. For example:

    NW TCPIP CONN MYNAME=23 TCPSTATE=ESTABLISHED

    This command may generate a long list, so you might want to run it from
    an Action line in MARC and use the STORE command to save the results to
    a file.

    Paul

    Thanks for providing this value information.

    The NW TCPIP CONN reporting is only for the connections that are active at a given time (point in time). There are many of our users/connections that may not connect everyday or may not stay up all the time. So, Would you suggest to get accurate counts
    using lognalyzer over a monthly period as an option to generate that reporting?

    what options if any, should be specified in the LOG search criteria? we dont have Gregory's LOGEXTRACT utility


    The LOG TCPIP commands for SYSTEM/LOGANALYZER don't seem to give you any information for normal connections. The closest thing I've been able to
    gen up for finding connections is this:

    LOG UC. FILE FIND "MYNAME: 23" OR "MYNAME: 3001"

    This definitely works for port 23 Telnet. I don't have anything coming
    in through CCF at present, so am unable to test that.

    That's still going to give you a lot of verbose output, but as you
    whittle down the clients using unsecured ports, the amount of output
    should diminish. At some point, it would probably be best to just close
    off the unsecured ports and see who complains.

    Paul

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Tom Schaefer@21:1/5 to Val on Tue Oct 6 20:16:44 2020
    Sorry to answer an older post...

    To move all connections to secure ports, you are going to have to add TelnetS support (uses Telnet and Crypto). You also need to ensure whatever emulator you use supports this as well (I do not know enough of your environment to steer you in exactly the
    right direction).

    As far as finding ports, you could use an external approach too. A basic port scanner (NMAP on Windows or Linux) run from a system on the same subnet would tell you what is listening on the system too. If you have a security infrastructure (such as a
    security scanner like Tenable/Nessus), that would identify non-secure ports too.

    Tom Schaefer

    On Monday, August 31, 2020 at 11:12:10 PM UTC-4, Val wrote:
    I am looking for feedback, and or suggestions on how to identify TCPIP connections that are using Telnet or CCF to connect to the mainframe. I am working to eliminate all non-secure port connections 23 and 3001 to go SSL with 992 and 3013.

    There are other non-secure port connections using application which i plan to address in a phased approach for migration.

    Thank you
    Val

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Peggy Quan@21:1/5 to All on Wed Oct 7 08:22:05 2020
    I have a program that will give you a 'best effort' try. what it does is look for an un-secure connection, then reports on the next MCS LOGON record in the sumlog. It isnt 100% accurate, but will narrow it down considerably. I also have a program that
    will read the sumlog and count up the connections by type, so you can see how far you are getting along if needed.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)