The manuals are confusing as they seem to be focused on WebSphere and
assume that is what you want to do. So far, I have achieved a secure
transfer, or at least so say the messages. I created the CA cert on one
system, then exported/imported it to another. Both systems are z/OS 1.4
but do not share RACF. Changing the FTPSDATA requires a recycle of FTP
(P FTPD1, S FTPD). 

I am still baffled by the certificate process. I posed a plea for help
on the RACF list, and received two replies that I have not yet studied.
One suggested: 
http://www-306.ibm.com/software/network/commserver/zos/library/  

Another from Wai Choi - RACF Development. I will post that separately.  

NOTE: THE FOLLOWING IS FROM MY TESTING NOTES. TEST RESULTS ARE
ENCOURAGING, BUT I HAVE NO IDEA IF/HOW THIS WOULD APPLY TO ANYONE ELSE.
I STILL DON'T KNOW IF THIS IS THE CORRECT PROCESS. YMMV.  

IF YOU OR ANY OF YOUR STAFF ARE CAUGHT OR KILLED, THE SECRETARY WILL
DISAVOW... oops, sorry, wrong disclaimer. 

ICSF is not required, but highly recommended.

The invocation (last steps below) still needs polishing. The DEBUG
statements may not be appropriate for prime time. My notes:   

1. Build CA CERT

  RACDCERT CERTAUTH GENCERT -                      
    SUBJECTSDN( -  
         .............                                
               
2. Build personal certs
   a.   FTPD

  RACDCERT ID(FTPD) GENCERT -                         
    SUBJECTSDN( -     
          ....                                
       SIGNWITH(CERTAUTH -                            
          LABEL('from above'))                           

   b.   User

  RACDCERT ID(myid) GENCERT -           
    SUBJECTSDN( -                          
         ......
       SIGNWITH(CERTAUTH -                 
          LABEL('from above'))                


3. Activate and RACLIST classes DIGTCERT DIGTRING
4. Add FACILITY IRR.DIGTCERT.LISTRING and permit.
5. Build key rings.
   a.   FTPD
   b.   User
6. Connect both CA and personal certs to keyrings.
7. Add to server SYS1.TCPPARMS(FTPSDATA):

 DEBUG SEC                    ; Helpful

 ACCESSERRORMSGS              ; Send detailed login failure replies   
 KEYRING thekeyringname       ; Cert keyring for the server FTPDx

 EXTENSIONS AUTH_TLS          ; Activate SSL support                  

8. Add to client //SYSFTPD DD DISP=SHR,DSN=my.parmlib(FTPSSL1) which
contains:

  DEBUG SOC(2)                                          
  CLIENTERRCODES TRUE                                   
  KEYRING mykeyring                                         
  SECURE_DATACONN PRIVATE                               
  SECURE_MECHANISM  TLS                                   

9. Invoke FTP:

//S001 EXEC PGM=FTP,PARM='-v -d -e -r TLS'            
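
Steps 3 through 6 above written out as RACF commands in a batch TSO job, as an added example that is not part of the original post. The job card, the two personal certificate labels, and the assumption that the IRR.DIGTCERT.LISTRING profile does not exist yet are placeholders or assumptions; the user IDs and ring names follow the post's samples.

```jcl
//RACFRING JOB (ACCT),'FTP TLS KEYRINGS',CLASS=A,MSGCLASS=X
//* Added example, not from the original post. Submit under a user
//* ID authorized to issue SETROPTS and RACDCERT for other users.
//*
//* Order of the commands in SYSTSIN:
//*  Step 3: activate and RACLIST DIGTCERT and DIGTRING
//*  Step 4: define FACILITY IRR.DIGTCERT.LISTRING, permit READ so
//*          each ID can read its own key ring, refresh FACILITY
//*  Step 5: build one key ring per ID (FTPD server, client user)
//*  Step 6: connect the CA cert and the personal cert to each ring
//*  Last:   list both rings to confirm, refresh the RACLISTed classes
//*
//* 'from above' is the CA label placeholder used in the post.
//* 'FTPD CERT LABEL' and 'USER CERT LABEL' are placeholders for the
//* labels of the personal certs generated in step 2.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(DIGTCERT DIGTRING) RACLIST(DIGTCERT DIGTRING)
  RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(FTPD) ACCESS(READ)
  PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(myid) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
  RACDCERT ID(FTPD) ADDRING(thekeyringname)
  RACDCERT ID(myid) ADDRING(mykeyring)
  RACDCERT ID(FTPD) CONNECT(CERTAUTH LABEL('from above') -
    RING(thekeyringname) USAGE(CERTAUTH))
  RACDCERT ID(FTPD) CONNECT(ID(FTPD) LABEL('FTPD CERT LABEL') -
    RING(thekeyringname) DEFAULT USAGE(PERSONAL))
  RACDCERT ID(myid) CONNECT(CERTAUTH LABEL('from above') -
    RING(mykeyring) USAGE(CERTAUTH))
  RACDCERT ID(myid) CONNECT(ID(myid) LABEL('USER CERT LABEL') -
    RING(mykeyring) DEFAULT USAGE(PERSONAL))
  RACDCERT ID(FTPD) LISTRING(thekeyringname)
  RACDCERT ID(myid) LISTRING(mykeyring)
  SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
/*
```

The LISTRING output should show two entries per ring, the CA certificate with usage CERTAUTH and the personal certificate marked as default, before FTPD is recycled to pick up the KEYRING statement.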
