Thursday, February 14, 2008

Overview of FTPS set-up on z/OS

A data set under your high-level qualifier (userid.FTP.DATA) has to be defined by the z/OS systems programmers; this file is required for secure FTP. The RACF administrator also has to modify your user ID to permit secure FTP (digicert).

Normally an FTP initiated on MVS uses SYS1.FTP.DATA to obtain the information and instructions about the FTP controls to be used.
This "default" data set does not provide for secure (SSL and/or TLS) FTP.
Three additional pieces of information/control are required. They go in userid.FTP.DATA, and FTP will search for that data set automatically (assuming you run the FTP under the RACF ID userid).

While those additional pieces of information/control are necessary, they are not sufficient on their own. FTP will therefore still find and use SYS1.FTP.DATA (in addition to your file) to obtain a complete set of information/controls.

Data contained in userid.ftp.data

FWF FALSE                   ; TRUE = Fire Wall Friendly, meaning data
                            ; connections will be set up from the FTP
                            ; client to the FTP server
SECURE_MECHANISM TLS        ; Client parm - we want an SSL connection
SECURE_CTRLCONN PRIVATE     ; in case the server doesn't require?
SECURE_DATACONN PRIVATE     ; in case the server doesn't require?
                            ; The secure server doesn't appear to use a
                            ; secure connection unless our client asks
                            ; for it?

CIPHERSUITE SSL_NULL_MD5    ; 01  NULL cipher: integrity only, no encryption
CIPHERSUITE SSL_NULL_SHA    ; 02  NULL cipher: integrity only, no encryption
CIPHERSUITE SSL_RC4_MD5_EX  ; 03  40-bit export-grade suite
CIPHERSUITE SSL_RC4_MD5     ; 04
CIPHERSUITE SSL_RC4_SHA     ; 05
CIPHERSUITE SSL_RC2_MD5_EX  ; 06  40-bit export-grade suite
CIPHERSUITE SSL_DES_SHA     ; 09  single DES (56-bit)
CIPHERSUITE SSL_3DES_SHA    ; 0A
                            ; CIPHERSUITE order is the client's preference
                            ; order; the NULL and _EX suites above give the
                            ; server the option of negotiating little or no
                            ; encryption, so keep only the suites you accept

KEYRING TCPRING             ; Name of the keyring for TLS. It can be the
                            ; name of an HFS file (name starts with /) or
                            ; a resource name in the security product
                            ; (e.g., RACF)
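As an added example (not from the original post), the following Python checks a userid.FTP.DATA fragment like the one above the way a reviewer would before it goes live: it parses the statement/comment format and flags anything that would let the transfer run unprotected or under a weak suite. The sample file content is constructed here, and the weak-suite classification follows the algorithms the z/OS suite names denote.

```python
# Constructed sample modelled on the userid.FTP.DATA statements in this post
SAMPLE_FTP_DATA = """\
FWF FALSE                   ; True = Fire Wall Friendly
SECURE_MECHANISM TLS        ; Client parm - we want a secure connection
SECURE_CTRLCONN PRIVATE
SECURE_DATACONN PRIVATE
CIPHERSUITE SSL_NULL_MD5    ; 01
CIPHERSUITE SSL_NULL_SHA    ; 02
CIPHERSUITE SSL_RC4_MD5_EX  ; 03
CIPHERSUITE SSL_3DES_SHA    ; 0A
KEYRING TCPRING             ; name of the keyring for TLS
"""

def parse_ftp_data(text):
    """One 'KEYWORD value ; comment' per line -> (settings, CIPHERSUITE list in preference order)."""
    settings, suites = {}, []
    for raw in text.splitlines():
        stmt = raw.split(";", 1)[0].strip()      # drop the ';' comment
        if not stmt:
            continue
        parts = stmt.split(None, 1)
        key = parts[0].upper()
        value = parts[1].strip().upper() if len(parts) > 1 else ""
        if key == "CIPHERSUITE":
            suites.append(value)
        else:
            settings[key] = value
    return settings, suites

def audit_ftp_data(text):
    """Findings a reviewer would raise before this client configuration is used."""
    settings, suites = parse_ftp_data(text)
    findings = []
    if settings.get("SECURE_MECHANISM") != "TLS":
        findings.append("SECURE_MECHANISM is not TLS: session is not protected")
    for stmt in ("SECURE_CTRLCONN", "SECURE_DATACONN"):
        if settings.get(stmt) != "PRIVATE":
            findings.append(f"{stmt} is not PRIVATE: that channel may run in clear")
    for suite in suites:
        if "_NULL_" in suite:
            findings.append(f"{suite}: NULL cipher, integrity only, no encryption")
        elif suite.endswith("_EX"):
            findings.append(f"{suite}: 40-bit export-grade cipher")
        elif "_RC4_" in suite or suite == "SSL_DES_SHA":
            findings.append(f"{suite}: RC4 / single DES, weak by modern standards")
    if not settings.get("KEYRING"):
        findings.append("KEYRING missing: no trust store to validate the server certificate")
    return findings
```

Run `audit_ftp_data(open("ftp.data").read())` against your own file; an empty list means every statement this post relies on is present and no NULL, export or RC4/DES suite is offered.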

A certificate in DER format is required from the target server. IBM supplies these certificates; find the one that is appropriate and change its status to 'TRUST' (the default is 'NOTRUST').

In order to use secure FTP to transmit data to an external entity, the data channel ports will have to be opened on the server-side firewall. Ensure that your JCL points to the correct LPAR (e.g. LPAR1 or LPAR2), use WHILE LPAR07 etc.

Also, change your USERID.FTP.DATA file to include the FWF (Fire-wall friendly) statement, set to FALSE.

To invoke an FTP from JCL, use the following:

//STEP01   EXEC PGM=FTP,PARM='-r tls ipaddress port# (EXIT',
//         REGION=4096K
//* -r tls selects the TLS security mechanism; (EXIT ends the client
//* with a return code when a command fails instead of running on.
//* The INPUT stream carries the password in clear: protect this JCL.
//SYSPRINT DD SYSOUT=*
//OUTPUT   DD SYSOUT=*
//INPUT    DD *
userid
psw
ascii
cd /desired directory
quit
/*
