OK.

I am going to *guess* that if it all works unless the client supports only TLS 
1.1 then it is the server that is refusing anything less than 1.2. I guess you 
have no control over that.

By the way TLSRFCLEVEL CCCNONOTIFY is a slight security exposure that some may 
balk at.

No, there is no way "around certificates." Certificates are utterly fundamental 
to TLS.

What about the password? Are you going to put that into INPUT in clear text?

Charles


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Wendell Lovewell
Sent: Friday, September 11, 2020 9:05 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Passing STDENV DD to FTP via SYSIN

Hey Charles, 

No nuclear secrets here.  I've been pulled kicking & screaming into adding this 
level of security anyway.

I'm shooting for the absolute easiest way to give any z/OS and z/VSE customer 
the ability to upload a file to a server that requires a secured connection.  I 
don't see a way around the certificates, but at least I have been able to set 
up a single job a RACF admin could run to set up a keyring they can use.  But I 
couldn't find a combination of parameters that would get SSL or TLS 1.1 working 
with this particular server (that I don't control).  

I used the info from that URL because one of the last things I want to do is 
require customers to set up a TLS policy just to upload a file.  By forcing TLS 
1.2 and these other SYSFTPD parameters, I think I can at least keep away from 
having to get into any (other than RACF) system-type files: 

//FTPXFER  EXEC PGM=FTP,REGION=4292K,
//    PARM=('POSIX(ON) ALL31(ON)',
//       'ENVAR("GSK_PROTOCOL_TLSV1_2=ON")/(EXIT')
//SYSFTPD  DD *
CLIENTERRCODES    EXTENDED
EPSV4             TRUE
EXTENSIONS        AUTH_TLS
FWFRIENDLY        TRUE
KEYRING           TCPIP/MACK.FTP.KEYRING
PASSIVEIGNOREADDR TRUE
SECUREIMPLICITZOS FALSE
SECURE_FTP        REQUIRED
SECURE_MECHANISM  TLS
SECURE_DATACONN   PRIVATE
SECURE_CTRLCONN   PRIVATE
SECURE_HOSTNAME   REQUIRED
TLSMECHANISM      FTP
TLSRFCLEVEL       CCCNONOTIFY
//*
//INPUT DD *

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
