How connect to HOD SERPRO (hod.serpro.gov.br)? Or collect CONFIGs needed from HOD Java folders? #93
Comments
I can see from the screenshot that the port used in HOD is different from what is in your code. Trying myself using that port in the screenshot, I got this:
Sometimes I attempted a little more debugging using
I'm not a TLS expert, but I believe this may be an indication that the server is using a protocol that has been deprecated: https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLSv1. If this is the case, you will not be able to connect with tnz/zti until the server is updated to use a more modern/secure protocol.
Thank you for the answer, @najohnsn!
I'm using port 443 because I analyzed my connection with Wireshark while using HOD to access the same host, and it traced back to port 443 during the whole communication. I suppose that the host uses the settings quoted in this IBM Docs documentation:
I'm not a TLS expert either, but following your logic about the source of the trouble, I decided to isolate the error from the rest of the library and started testing using only the Python SSL lib and the OpenSSL toolkit, with support from Google, Stack Overflow and the OpenSSL Cookbook, especially Chapter 2, Testing TLS with OpenSSL. As I said in my first message, I'm trying to discover how HOD connects to the IBM server on this specific host, in order to reproduce this behavior in Python emulators like TNZ/ZTI. Because of that, I discarded port 23 in my SSL/TLS tests. According to IBM Docs, the host is probably using a HOD environment with WebSphere to reroute the client in the context of the browser (Portal Server).

I began with a very simple Python script to access/analyze ("logging") requests (HTTPS) to host:443 using the Requests lib and Python socket/SSL for TLS, but I always got the following response, with SSLError [SSL: CERTIFICATE_VERIFY_FAILED]. Of course, I hadn't sent a certificate for verification in my requests/calls.

Based on the behavior of the host when using HOD to access the terminal, I suspected that it configures HOD to use these two approaches to the SSL/TLS connection: Web Start client, Transport Layer Security (TLS) AND Appendix C. P12 Keyring utility.

Then I went looking for the CustomizedCAs.p12 file in the HOD folders on my computer and ended up finding it. With support from some IBM Redpapers found by googling, I discovered how to convert p12 files to PEM files to use in my tests. I adapted my previous scripts to send the CustomizedCAs.PEM file in their requests/calls and finally 🎉 SUCCESS 🎉 (the previous error apparently disappeared!).

I obtained this log with the Requests lib: test_reqSSL_HostSERPRO_Port443_hodCAs_2024y02m18d13h17m.log. And with Python socket/SSL, using this Pythonic script, I obtained this: TLSv1.2

Now, how can I pass the CustomizedCAs.PEM file to TNZ/ZTI to open a TLS connection with the IBM Telnet server and load the terminal emulator with the same screen shown by HOD (top)?
I appreciate the thorough investigation. My reaction to CERTIFICATE_VERIFY_FAILED is that it is your machine that failed verification of the server certificate. But, by default, tnz does not verify the server certificate. So, I expect that you either won't see this with tnz/zti or CERTIFICATE_VERIFY_FAILED is for the server failing to verify the client certificate. It's not "normal" but servers can authenticate clients with a client certificate. If this requirement is causing CERTIFICATE_VERIFY_FAILED for you, then tnz needs at least one enhancement - provide the ability to specify a client certificate. If you would be willing to try out such an enhancement, I can create a PR with such support.
Neil, sorry for the late reply! I really appreciate your interest in helping me with my specific use case! I would be willing to try out such an enhancement and contribute anyway, but I'll only have time available after May 5, because I'm committed to another project now. After this date I will be able to resume my attempts to make TNZ work as an alternative to HOD in my use case and propose a PR for you to analyze! If you also have availability, of course! See you later and thank you for taking the time to help me!
With the enhancement from #138, I am able to use zti to see what looks like your initial screenshot. What I did in Windows:

```
set SESSION_SECLEVEL=1
set SESSION_LU_NAME=LU1
set SESSION_SSL_MINIMUM_TLS=1.1
zti hod.serpro.gov.br:23000
```

I really don't know what the correct value for
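The thread above turns on telling apart a local server-certificate verification failure, a server demanding a client certificate, a TLS version or security-level mismatch, and a port that is not speaking TLS at all. The following added example (standard-library Python, not code from tnz or from any commenter) separates those cases; `build_context`, `classify` and `probe` are hypothetical names, the `cafile` path is assumed to be a PEM converted from `CustomizedCAs.p12`, and the `min_tls` and `seclevel` arguments are stand-ins for the session settings shown above, not a description of how tnz applies them.

```python
import socket
import ssl

def build_context(cafile=None, verify=True,
                  min_tls=ssl.TLSVersion.TLSv1_2, seclevel=None):
    """TLS client context; each relaxation is an explicit argument."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies chain + hostname
    if not verify:
        ctx.check_hostname = False                 # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif cafile:
        ctx.load_verify_locations(cafile=cafile)   # assumed: PEM from CustomizedCAs.p12
    else:
        ctx.load_default_certs()
    ctx.minimum_version = min_tls
    if seclevel is not None:
        ctx.set_ciphers(f"DEFAULT:@SECLEVEL={seclevel}")
    return ctx

def classify(exc):
    """Map a handshake exception to the side and layer that rejected it."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "client rejected server certificate"
    text = str(exc).upper()
    if "WRONG_VERSION_NUMBER" in text:
        return "port is not speaking TLS"
    if "UNSUPPORTED_PROTOCOL" in text or "ALERT_PROTOCOL_VERSION" in text:
        return "no common TLS version"
    if "TOO_SMALL" in text or "TOO_WEAK" in text:
        return "key or digest below local security level"
    if any(a in text for a in ("ALERT_CERTIFICATE_REQUIRED",
                               "ALERT_UNKNOWN_CA", "ALERT_BAD_CERTIFICATE")):
        return "server rejected or demanded a client certificate"
    return "other error"

def probe(host, port, ctx, timeout=10):
    """Attempt one handshake; return negotiated parameters or a classification."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(),
                        "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "why": classify(exc)}
```

Running `probe` first with the strict default context and then with the CA bundle shows whether the bundle alone resolves the failure before `verify`, `min_tls` or `seclevel` are relaxed.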
Hi,
Is it possible to use the TNZ library to connect to the SERPRO host (hod.serpro.gov.br), which recommends Host On Demand (HOD) for clients to access mainframe applications on its network (w/ Web Browser Session Time Expire)?
I tried to connect with the simple ZTI script above, but I haven't had any success in getting any information to load on screen:
```python
from tnz.py3270 import Emulator

em = Emulator(visible=True, args=["-trace", "-tracefile", "ati.log"])
em.connect('hod.serpro.gov.br', port=23)
em.wait_for_field()
print(em)
em.terminate()
```
The LOG file follows! (attachment)
When I use HOD without logging on to the SERPRO network (web session), it must show at least the "initial screen" (attachment) with a notice about browser session expiration (no longer session invalid)..... but with ZTI, not even that!
What configuration is necessary? Is the problem the missing browser session?
On workstations with HOD installed and set up, is it possible to collect the needed configuration from the HOD default files (jnlp/hodcivws) and folders?
Thanks for any support/help/contribution!
ati.log