Generally speaking (I don't know about IBM support) you can get the FTP client to connect via TLS 1.2 without using AT-TLS if you specify the right settings. But you'll still need the certificates added to a RACF keyring.
//*-------------------------------------------------------------------
//FTPS EXEC PGM=FTP,REGION=4M,
// PARM=('ENVAR("_CEE_ENVFILE_S=DD:STDENV")/ftp.whatever.com 21 -e')
//STDENV DD *
GSK_PROTOCOL_TLSV1_2=ON
//* GSK_TRACE=0xFFFF
//* GSK_TRACE_FILE=/tmp/gsk.trc
//* The 2 stmts above can be temporarily uncommented for debugging
//SYSFTPD DD *,SYMBOLS=(JCLONLY)
CLIENTERRCODES EXTENDED
EPSV4 TRUE
EXTENSIONS AUTH_TLS
FWFRIENDLY TRUE
KEYRING &KEYOWNR/&KEYRING
PASSIVEIGNOREADDR TRUE
SECUREIMPLICITZOS FALSE
SECURE_FTP REQUIRED
SECURE_MECHANISM TLS
SECURE_DATACONN PRIVATE
SECURE_CTRLCONN PRIVATE
SECURE_HOSTNAME REQUIRED
TLSMECHANISM FTP
TLSRFCLEVEL RFC4217
//* DEBUG SEC
//* TRACE
//* The 2 stmts above can be temporarily uncommented for debugging
//*

This worked on z/OS 2.4 and 2.5. Maybe earlier.

If you capture the trace, you'll need to use the gsktrace command to decipher it:

  gsktrace /tmp/gsk.trc > /tmp/gsk.out

"DEBUG" and "TRACE" are just routed to SYSOUT, so they're easier. But there is a lot of information on the key exchange in the gsk trace.

Wendell
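
A checker for the settings in the post above, added here as an example; it is not part of the original message and not IBM tooling. It extracts the STDENV and SYSFTPD in-stream data from a job step and reports each security statement that differs from the values shown in the post. The function names and the sample deck (including the key ring name USERA/FTPRING) are constructed for illustration.

```python
import re

# Values taken from the SYSFTPD deck in the post above.
BASELINE = {"SECURE_FTP": "REQUIRED", "SECURE_MECHANISM": "TLS",
            "SECURE_CTRLCONN": "PRIVATE", "SECURE_DATACONN": "PRIVATE",
            "SECURE_HOSTNAME": "REQUIRED", "TLSMECHANISM": "FTP",
            "TLSRFCLEVEL": "RFC4217"}

def instream(jcl, ddname):
    """In-stream data of one DD; any // or /* card (comments included) ends it."""
    out, active = [], False
    for line in jcl.splitlines():
        if line.startswith(("//", "/*")):
            active = re.match(rf"//{ddname}\s+DD\s+\*", line) is not None
        elif active and line.strip():
            out.append(line.strip())
    return out

def audit(jcl):
    """Return deviations from the post's TLS 1.2 client settings."""
    stmts = {}
    for line in instream(jcl, "SYSFTPD"):
        parts = line.split(";")[0].split()  # ';' starts an FTP.DATA comment
        if len(parts) >= 2:
            stmts[parts[0].upper()] = parts[1].upper()
    findings = [f"{k}: expected {v}, found {stmts.get(k, 'nothing')}"
                for k, v in BASELINE.items() if stmts.get(k) != v]
    if "KEYRING" not in stmts:
        findings.append("KEYRING: no key ring named")
    env = [l.replace(" ", "").upper() for l in instream(jcl, "STDENV")]
    if "GSK_PROTOCOL_TLSV1_2=ON" not in env:
        findings.append("STDENV: GSK_PROTOCOL_TLSV1_2=ON not in effect")
    return findings

# Constructed deck (not from the post) with several settings weakened.
SAMPLE = """\
//STDENV DD *
//* GSK_PROTOCOL_TLSV1_2=ON
//SYSFTPD DD *
SECURE_FTP ALLOWED
SECURE_MECHANISM TLS
SECURE_CTRLCONN PRIVATE
SECURE_DATACONN CLEAR   ; data connection unencrypted
TLSMECHANISM FTP
TLSRFCLEVEL RFC4217
KEYRING USERA/FTPRING
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The sample trips four findings: TLS is only optional, the data connection is in clear, no SECURE_HOSTNAME statement is present, and the GSK_PROTOCOL_TLSV1_2 line sits behind `//*`, so it is a JCL comment rather than STDENV data.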