Generally speaking (I don't know about IBM support) you can get the FTP client 
to connect via TLS 1.2 without using AT-TLS if you specify the right settings.  
But you'll still need the certificates added to a RACF keyring. 

//*-------------------------------------------------------------------
//FTPS     EXEC PGM=FTP,REGION=4M,
// PARM=('ENVAR("_CEE_ENVFILE_S=DD:STDENV")/ftp.whatever.com 21 -e')
//STDENV   DD *
GSK_PROTOCOL_TLSV1_2=ON
//* GSK_TRACE=0xFFFF
//* GSK_TRACE_FILE=/tmp/gsk.trc
//* The 2 stmts above can be temporarily uncommented for debugging
//SYSFTPD  DD *,SYMBOLS=(JCLONLY)
CLIENTERRCODES    EXTENDED
EPSV4             TRUE
EXTENSIONS        AUTH_TLS
FWFRIENDLY        TRUE
KEYRING           &KEYOWNR/&KEYRING
PASSIVEIGNOREADDR TRUE
SECUREIMPLICITZOS FALSE
SECURE_FTP        REQUIRED
SECURE_MECHANISM  TLS
SECURE_DATACONN   PRIVATE
SECURE_CTRLCONN   PRIVATE
SECURE_HOSTNAME   REQUIRED
TLSMECHANISM      FTP
TLSRFCLEVEL       RFC4217
//* DEBUG SEC
//* TRACE
//* The 2 stmts above can be temporarily uncommented for debugging
//*

This worked on z/OS 2.4 and 2.5.  Maybe earlier. 

If you capture the trace, you'll need to use the gsktrace command to decipher 
it: 

    gsktrace /tmp/gsk.trc > /tmp/gsk.out

"DEBUG" and "TRACE" are just routed to SYSOUT, so they're easier.  But there is 
a lot of information on the key exchange in the gsk trace. 

Wendell
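
An added example, not part of the post above and not an IBM-supplied tool: a small Python check that compares an FTP.DATA file against the TLS statements posted in the job and reports any that are missing or set differently. The function names and the sample file are constructed for illustration, and the parser assumes `;` starts an FTP.DATA comment.

```python
# Added example: audit FTP.DATA text against the TLS statements from the post.
# EXPECTED holds the posted values; SAMPLE is a constructed file with drift.
EXPECTED = {
    "SECURE_FTP": "REQUIRED",
    "SECURE_MECHANISM": "TLS",
    "SECURE_CTRLCONN": "PRIVATE",
    "SECURE_DATACONN": "PRIVATE",
    "SECURE_HOSTNAME": "REQUIRED",
    "TLSMECHANISM": "FTP",
    "TLSRFCLEVEL": "RFC4217",
}

def parse_ftp_data(text):
    """Return {STATEMENT: [first value token, ...]}, folded to upper case."""
    stmts = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts an FTP.DATA comment
        if not line or line.startswith("//"):    # skip blanks and JCL cards
            continue
        tokens = line.split()
        value = tokens[1] if len(tokens) > 1 else ""
        stmts.setdefault(tokens[0].upper(), []).append(value.upper())
    return stmts

def audit(text):
    """Return a list of (statement, problem) for each deviation from the post."""
    stmts = parse_ftp_data(text)
    findings = []
    for key, want in EXPECTED.items():
        values = stmts.get(key, [])
        if not values:
            findings.append((key, "not coded"))
        findings += [(key, f"{v} instead of {want}") for v in values if v != want]
    if "AUTH_TLS" not in stmts.get("EXTENSIONS", []):   # EXTENSIONS may repeat
        findings.append(("EXTENSIONS", "AUTH_TLS not enabled"))
    if not any(stmts.get("KEYRING", [])):
        findings.append(("KEYRING", "not coded"))
    return findings

SAMPLE = """\
; constructed sample, not taken from the post
EXTENSIONS        AUTH_TLS
KEYRING           OWNER1/FTPRING
SECURE_FTP        ALLOWED
SECURE_MECHANISM  TLS
SECURE_CTRLCONN   PRIVATE
SECURE_DATACONN   CLEAR     ; control connection private, data connection not
TLSMECHANISM      FTP
TLSRFCLEVEL       RFC4217
"""
```

Calling `audit(SAMPLE)` reports the `SECURE_FTP` and `SECURE_DATACONN` values and the missing `SECURE_HOSTNAME`; the SYSFTPD statements exactly as posted produce no findings.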
