Re: Secure FTP (Was: z/OS every two years)

2012-04-14 Thread John McKown
On Sat, 2012-04-14 at 00:54 +, Gibney, Dave wrote:
  -Original Message-
snip
 
 And, I've always found FTPS (granted no client identification certs yet) 
 easier.
 None of that USS, sometimes called OMVS, perhaps properly called z/OS Unix 
 System Services, involved :)

 Actually, I recently finished a sporadic effort to automount /u using ZFS. 
 Now I can manage user's data in the zUnix arena.
 I may get back to trying ssh/sftp someday.

If you implement the freely available SSH enhancements from Dovetailed
Technologies, their sftp server can access the same z/OS legacy datasets
and SPOOL (get to read a job's output, put to submit a job) as FTP.

http://dovetail.com .

Not only is the basic code free, you don't even need to register with
them to download it. Literally no questions asked! Just download and
implement. And it's fairly simple. If you want support, you can get that
with a support contract.

 
 Dave Gibney
 Information Technology Services
 Washington State University
 

-- 
John McKown
Maranatha! 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN


Re: Secure FTP (Was: z/OS every two years)

2012-04-14 Thread Gibney, Dave
 -Original Message-
 From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On
 Behalf Of John McKown
 Sent: Saturday, April 14, 2012 1:16 PM
 To: IBM-MAIN@bama.ua.edu
 Subject: Re: Secure FTP (Was: z/OS every two years)
 
 On Sat, 2012-04-14 at 00:54 +, Gibney, Dave wrote:
   -Original Message-
 snip
 
  And, I've always found FTPS (granted no client identification certs yet)
 easier.
  None of that USS, sometimes called OMVS, perhaps properly called z/OS
  Unix System Services, involved :)
 
  Actually, I recently finished a sporadic effort to automount /u using ZFS.
 Now I can manage user's data in the zUnix arena.
  I may get back to trying ssh/sftp someday.
 
 If you implement the freely available SSH enhancements from Dovetailed
 Technologies, their sftp server can access the same z/OS legacy datasets and
 SPOOL (get to read a job's output, put to submit a job) as FTP.
 
 http://dovetail.com .
 
 Not only is the basic code free, you don't even need to register with them
 to download it. Literally no questions asked! Just download and
 implement. And it's fairly simple. If you want support, you can get that with
 a support contract.

I looked at that more than once. I honestly don't remember what, if any, 
impediment stopped me for that route. Maybe merely time. Probably incomplete 
configuring of Ported Tools. :) I'll look again if I get a chance, but I think 
I'm even more of a one man show than you are. Currently I have to deal with our 
disk array going EOSL end of June by surprise. It's possible that the vendor 
did notify the guy who left abruptly, but I don't know.

 
 
  Dave Gibney
  Information Technology Services
  Washington State University
 
 
 --
 John McKown
 Maranatha! 
 


Re: Secure FTP (Was: z/OS every two years)

2012-04-13 Thread Gibney, Dave
 -Original Message-
 From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On
 Behalf Of Edward Jaffe
 Sent: Friday, April 13, 2012 5:23 PM
 To: IBM-MAIN@bama.ua.edu
 Subject: Secure FTP (Was: z/OS every two years)
 
 On 4/13/2012 5:04 PM, Art Gutowski wrote:
  I see.  Anyone else share in Mary Anne's sentiment?  In other words, is
 FTPS (or SFTP?) as much a requirement/priority notwithstanding the
 impending ShopzSeries / RECEIVE ORDER requirement?  If so, and you can
 respond, please drop me a line off-list.  Nothing detailed... just curious.
 
 We have customers that insist on 'secure' FTP for sending dumps, downloading
 files, etc. We set up an SFTP server on our public Internet site and that seems
 to have satisfied all requirements thus far. We don't currently support FTPS
 with x.509 certificates. Hopefully, we'll never be asked to do so. It's a PITA.

And, I've always found FTPS (granted no client identification certs yet) easier.
None of that USS, sometimes called OMVS, perhaps properly called z/OS Unix 
System Services, involved :)

Actually, I recently finished a sporadic effort to automount /u using ZFS. Now 
I can manage user's data in the zUnix arena.
I may get back to trying ssh/sftp someday.

Dave Gibney
Information Technology Services
Washington State University

 
 --
 Edward E Jaffe
 Phoenix Software International, Inc
 831 Parkview Drive North
 El Segundo, CA 90245
 310-338-0400 x318
 edja...@phoenixsoftware.com
 http://www.phoenixsoftware.com/
 


Re: Secure FTP Server software vendors

2009-02-23 Thread Ulrich Boche

Hal Merritt wrote:

We are trying to set up a TLS FTP with a customer with us as client.  The 
customer's software vendor seems to be baffled.

Any Windows based TLS/SSL FTP server software that works for you for exchanges 
with z/os? For example, one of our customers is using a product from Momentum 
that seems to be working just fine.

Ipswitch has WS_FTP Professional which has both client and server 
products. I have been using the WS_FTP Professional client for a long time. It 
is working quite well with z/OS FTP servers (better than many other 
clients I have tried). I have no experience with their server products; 
I can just extrapolate from my good experience with the client product.


The only disadvantage of the WS_FTP client is that it does not support 
the MSCAPI and the Windows certificate store; you need to import all 
certificates into WS_FTP's own certificate store. Don't know if the server 
has the same shortcoming.

--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: Secure FTP Server software vendors

2009-02-20 Thread Timothy Sipples
Dumb question, but what sort of information would you be FTPing?

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Based in Tokyo, Serving IBM Japan / Asia-Pacific
E-Mail: timothy.sipp...@us.ibm.com



Re: Secure FTP Server software vendors

2009-02-19 Thread Rugen, Len
I use the Filezilla client, http://filezilla-project.org.  Their web
page says they have a server but I've never used it.


Len Rugen
  



Re: Secure FTP Server software vendors

2009-02-19 Thread Jim Wangler
We also demo'd www.sslftp.com.  It has a server that worked, but we only use
the client piece. 


Jim Wangler 
214-502-6445

We are trying to set up a TLS FTP with a customer with us as client.  The
customer's software vendor seems to be baffled.

Any Windows based TLS/SSL FTP server software that works for you for
exchanges with z/os? For example, one of our customers is using a product
from Momentum that seems to be working just fine.

Thanks!!



Re: Secure FTP Server software vendors

2009-02-19 Thread Jim Wangler
The latest version of Windows has an SSL Server... That's what we are using.



Jim Wangler 
214-502-6445
-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf
Of Hal Merritt
Sent: Thursday, February 19, 2009 8:42 AM
To: IBM-MAIN@bama.ua.edu
Subject: Secure FTP Server software vendors

We are trying to set up a TLS FTP with a customer with us as client.  The
customer's software vendor seems to be baffled.

Any Windows based TLS/SSL FTP server software that works for you for
exchanges with z/os? For example, one of our customers is using a product
from Momentum that seems to be working just fine.

Thanks!!



Re: Secure FTP Server software vendors

2009-02-19 Thread Kirk Wolf
FTPS (FTP/TLS) can be tricky wrt implementation incompatibilities.

There are a couple of other options:

1) Tunnel regular FTP in an SSH connection.   This would require that the
Windows server also run SSHD, but OpenSSH for Windows is free and very easy
to setup.   We have a free / open source Java SSH/FTP tunneling tool that
you can run on z/OS or another host in your local network.  See our website
for details, or send me a note offline.

2) Use a Linux box as a file transfer gateway for z/OS.   This can be setup
with all free software in such a way so that everything is controlled from a
z/OS batch job. MVS datasets can be transferred to any host without any
data-at-rest on the Linux appliance.   The Linux curl command is a swiss
army knife for all kinds of file transfer protocols (FTP/S, HTTP, SFTP, etc)
and you can even script in file transformations such as compression, pgp,
etc.   For details, refer to an article that we wrote in the zJournal
August/September 2008 issue, or send me an email offline and I'll forward
you a copy.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Thu, Feb 19, 2009 at 8:41 AM, Hal Merritt hmerr...@jackhenry.com wrote:

 We are trying to set up a TLS FTP with a customer with us as client.  The
 customer's software vendor seems to be baffled.

 Any Windows based TLS/SSL FTP server software that works for you for
 exchanges with z/os? For example, one of our customers is using a product
 from Momentum that seems to be working just fine.

 Thanks!!



Re: Secure FTP Server software vendors

2009-02-19 Thread Gibney, Dave
  The latest versions of the Filezilla client fail with TLS. Filezilla
plugged an RFC hole. Last I pursued with IBM the answer was implement
AT-TLS which I haven't had time to pursue. 
  The last I tested Filezilla server worked fine, but it has been some
years. As far as I know, Ipswitch's, Bluezone's, and a couple of others'
servers would work well with z/OS SSL clients. It's been about 4 or 5
years since I downloaded every one I could find and tested them. I may
still have the write-up if I didn't lose it in the PC hard disk failure
I had a couple years ago.

  Anyway, most of our departments use Ipswitch's.

Dave Gibney
Information Technology Services
Washington State University


 -Original Message-
 From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
 Behalf Of Rugen, Len
 Sent: Thursday, February 19, 2009 6:48 AM
 To: IBM-MAIN@bama.ua.edu
 Subject: Re: Secure FTP Server software vendors
 
 I use the Filezilla client, http://filezilla-project.org.  Their web
 page says they have a server but I've never used it.
 
 
 Len Rugen
 
 


Re: secure ftp on the mainframe

2008-08-04 Thread Ulrich Boche

Rafael Fernandez L. wrote:

Nobody mentioned ftp with GSSAPI (kerberos) ?

Ignacio Landín Villegas
 

Probably because there is rarely anyone using it.

Furthermore, it was all but unusable for a long time: although the 
Kerberos ticket provided the cross-reference with the RACF userid, 
support for SECURE_PASSWORD OPTIONAL was not available until, IIRC, 
z/OS V1R7 or V1R8. Nobody wants to go through the installation of 
Kerberos with FTP on z/OS if you don't even get single sign-on.


Also, if you use Kerberos with z/OS and Windows, the only common 
encryption algorithm is DES with 56-bit keys. Windows doesn't support 
Triple DES and z/OS doesn't support RC4. AES support (128- or 256-bit 
keys) requires z/OS V1R9 and Windows Vista and/or Windows Server 2008.


(Sorry, sent my posting just to the newsgroup in my first attempt).
--
Ulrich Boche
SVA GmbH, Germany
IBM Business Partner




Re: secure ftp on the mainframe

2008-07-31 Thread Rafael Fernandez L.
Nobody mentioned ftp with GSSAPI (kerberos) ?

Ignacio Landín Villegas
 

-Original Message-
From: IBM Mainframe Discussion List 
[mailto:[EMAIL PROTECTED] On Behalf Of Hal Merritt
Sent: Tuesday, July 29, 2008 10:39 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

Oh. 

I thought you were switching contexts. Now I see. And thanks 
to Kirk for the additional enlightenment.

A file transfer protocol that isn't FTP is more than a little 
confusing.


Let's see, we have:

FTP
FTP under TLS
SSH packet file mover
FTP under SSH 

But SSH also can be used for other things, like telnet, web 
service, etc, right? 

My head hurts :-)

  

-Original Message-
From: IBM Mainframe Discussion List 
[mailto:[EMAIL PROTECTED] On Behalf Of Walt Farrell
Sent: Tuesday, July 29, 2008 2:13 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

On Tue, 29 Jul 2008 11:22:16 -0500, Hal Merritt 
[EMAIL PROTECTED]
wrote:

I was referring to the sftp that Walt mentioned. My take was that it
was
neither TLS nor SSH.

SFTP is not FTP at all.  It is a secure, FTP-like communication 
protocol.

Perhaps you didn't see the next sentence of that message?  
SFTP here, is a function provided by the ssh protocols.

--   
  Walt




Re: secure ftp on the mainframe

2008-07-29 Thread Hal Merritt
Do you have any links to SFTP sources? Google search results were
confusing and ambiguous.   

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Walt Farrell
Sent: Thursday, July 24, 2008 11:04 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

On Thu, 24 Jul 2008 08:00:55 -0700, Kurt Eastwood [EMAIL PROTECTED]
wrote:
Is SFTP really a 'secure ftp'? 

SFTP is not FTP at all.  It is a secure, FTP-like communication
protocol. 
(SFTP here, is a function provided by the ssh protocols.)  I'm not sure
anyone has really stated that in this thread, so I thought I'd mention
it. 
Others have discussed additional details that I don't need to repeat.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design




Re: secure ftp on the mainframe

2008-07-29 Thread McKown, John
 -Original Message-
 From: IBM Mainframe Discussion List 
 [mailto:[EMAIL PROTECTED] On Behalf Of Hal Merritt
 Sent: Tuesday, July 29, 2008 10:27 AM
 To: IBM-MAIN@BAMA.UA.EDU
 Subject: Re: secure ftp on the mainframe
 
 Do you have any links to SFTP sources? Google search results were
 confusing and ambiguous.   

sftp (not SFTP) is a part of SSH.

Try: http://www.openssh.org/manual.html

in particular
http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1

Or maybe I'm not understanding your question. sftp is a part of SSH. One
thing that might be confusing is that there is not an sftp daemon. The
sftp client talks to the ssh daemon, just like the ssh command does. Or
the scp program, for that matter.

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology




Re: secure ftp on the mainframe

2008-07-29 Thread Dooley, Robert
http://www-03.ibm.com/servers/eserver/zseries/zos/unix/pdf/docs/fotza105.pdf

from page 14:

OpenSSH's sftp and IBM Communications Server's FTP with System SSL
differ from each other. OpenSSH's sftp is an Open Source implementation
of the IETF Secure Shell (SECSH) SSH File Transfer Protocol  Internet
Draft. OpenSSH uses a statically linked OpenSSL archive library to
perform its cryptographic functions. OpenSSH does not provide key
management facilities, nor is integrated with those provided by IBM.
Password authentication is the only form of authentication where OpenSSH
queries the security product. Public key authentication is currently
overseen by the daemon.

The Communications Server FTP server and client support Transport Layer
Security (TLS). The FTP client and server negotiate the use of TLS based
on a subset of the FTP security negotiation functions documented in RFC
2228. FTP uses z/OS System SSL, and therefore can use the cryptographic
hardware. FTP can also use SAF facilities for key management.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Hal Merritt
Sent: Tuesday, July 29, 2008 10:27 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

Do you have any links to SFTP sources? Google search results were
confusing and ambiguous.   

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Walt Farrell
Sent: Thursday, July 24, 2008 11:04 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

On Thu, 24 Jul 2008 08:00:55 -0700, Kurt Eastwood [EMAIL PROTECTED]
wrote:
Is SFTP really a 'secure ftp'? 

SFTP is not FTP at all.  It is a secure, FTP-like communication
protocol. 
(SFTP here, is a function provided by the ssh protocols.)  I'm not sure
anyone has really stated that in this thread, so I thought I'd mention
it. 
Others have discussed additional details that I don't need to repeat.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design




Re: secure ftp on the mainframe

2008-07-29 Thread Kirk Wolf
sftp usually refers to the file transfer protocol that works as an
ssh subsystem (although some use the term to refer to FTP/TLS).
In the OpenSSH implementation, sftp and sftp-server are separate
binaries that are shipped as part of OpenSSH.

The sources for sftp and sftp-server are available from:
http://www.openssh.com/
It is  possible to port these to z/OS and use them with IBM's port of
ssh and sshd.   It is very easy to configure sshd to use a different
sftp-server.

The later versions of OpenSSH rely on a newer version of the GNU
autoconf tool chain, which is not available for z/OS, so that
complicates things.
And of course, adding in the z/OS specific patches, especially to
support datasets, PDSs, etc, is a big job.

Kirk Wolf
Dovetailed Technologies

On Tue, Jul 29, 2008 at 10:27 AM, Hal Merritt [EMAIL PROTECTED] wrote:
 Do you have any links to SFTP sources? Google search results were
 confusing and ambiguous.
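
The point made in this thread that sftp has no daemon of its own and runs as an SSH subsystem, shown as an added example (not code from any poster or from OpenSSH): it builds and parses the channel messages a client sends to start sftp, using the message numbers from RFC 4254 and the SFTP draft. The channel numbers, window sizes and function names are constructed for illustration, and in a real session these payloads travel inside the encrypted SSH transport.

```python
import struct

# Message numbers from RFC 4254 (SSH connection protocol).
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_DATA = 94
SSH_MSG_CHANNEL_REQUEST = 98
# Packet type from draft-ietf-secsh-filexfer (the sftp protocol).
SSH_FXP_INIT = 1


def ssh_string(data):
    """SSH 'string': uint32 length followed by that many bytes."""
    return struct.pack(">I", len(data)) + data


def channel_open_session(sender_channel, window=2 ** 21, max_packet=32768):
    """Step 1: ask sshd for an ordinary 'session' channel."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(b"session")
            + struct.pack(">III", sender_channel, window, max_packet))


def subsystem_request(recipient_channel, name, want_reply=True):
    """Step 2: ask sshd to attach the named subsystem to that channel."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST])
            + struct.pack(">I", recipient_channel)
            + ssh_string(b"subsystem")
            + bytes([1 if want_reply else 0])
            + ssh_string(name.encode("ascii")))


def sftp_init(version=3):
    """First sftp packet: uint32 length, type byte, uint32 version."""
    body = bytes([SSH_FXP_INIT]) + struct.pack(">I", version)
    return struct.pack(">I", len(body)) + body


def channel_data(recipient_channel, data):
    """Step 3: sftp packets ride as opaque data on the channel."""
    return (bytes([SSH_MSG_CHANNEL_DATA])
            + struct.pack(">I", recipient_channel) + ssh_string(data))


class Reader:
    """Bounds-checked cursor over a message payload."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated message")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def string(self):
        return self.take(self.u32())


def parse_sftp_packet(data):
    r = Reader(data)
    body = Reader(r.take(r.u32()))
    ptype = body.u8()
    if ptype != SSH_FXP_INIT:
        return {"sftp_type": ptype}
    return {"sftp_type": "SSH_FXP_INIT", "version": body.u32()}


def describe(payload):
    """Decode the three message kinds used in this example."""
    r = Reader(payload)
    msg = r.u8()
    if msg == SSH_MSG_CHANNEL_OPEN:
        return {"msg": "CHANNEL_OPEN", "channel_type": r.string().decode(),
                "sender_channel": r.u32()}
    if msg == SSH_MSG_CHANNEL_REQUEST:
        out = {"msg": "CHANNEL_REQUEST", "recipient_channel": r.u32(),
               "request": r.string().decode(), "want_reply": bool(r.u8())}
        if out["request"] == "subsystem":
            out["subsystem"] = r.string().decode()
        return out
    if msg == SSH_MSG_CHANNEL_DATA:
        channel = r.u32()
        return {"msg": "CHANNEL_DATA", "recipient_channel": channel,
                "sftp": parse_sftp_packet(r.string())}
    raise ValueError("message type %d not handled in this example" % msg)


def client_flow():
    """Constructed client side of starting sftp (both channel ids are 0)."""
    return [channel_open_session(0), subsystem_request(0, "sftp"),
            channel_data(0, sftp_init())]


if __name__ == "__main__":
    for payload in client_flow():
        print(describe(payload))
```

No FTP command, login exchange or second TCP connection appears anywhere in the flow: authentication and encryption have already been done by SSH before the first of these messages is sent.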






Re: secure ftp on the mainframe

2008-07-29 Thread Hal Merritt
I was referring to the sftp that Walt mentioned. My take was that it was
neither TLS nor SSH.   

SFTP is not FTP at all.  It is a secure, FTP-like communication
protocol.



-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Dooley, Robert
Sent: Tuesday, July 29, 2008 10:34 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

http://www-03.ibm.com/servers/eserver/zseries/zos/unix/pdf/docs/fotza105.pdf

 
..snip 




Re: secure ftp on the mainframe

2008-07-29 Thread Walt Farrell
On Tue, 29 Jul 2008 11:22:16 -0500, Hal Merritt [EMAIL PROTECTED] wrote:

I was referring to the sftp that Walt mentioned. My take was that it was
neither TLS nor SSH.

SFTP is not FTP at all.  It is a secure, FTP-like communication
protocol.

Perhaps you didn't see the next sentence of that message?  SFTP here, is a
function provided by the ssh protocols.

--   
  Walt




Re: secure ftp on the mainframe

2008-07-29 Thread Kirk Wolf
It's all a little confusing...

SSH is a tool/protocol for providing a secure connection over IP networks.
Once you have a connection, you can have multiple channels routed over
it.   Channels could be interactive terminal sessions (to replace telnet),
port-forwarding channels, command redirection channels, and subsystem
channels (which are a special case of command channels).

Here's the main RFC for SSH:  http://www.ietf.org/rfc/rfc4251.txt

A *separate* tool distributed with most SSH implementations is sftp, which
runs as an SSH subsystem.  The sftp protocol is a packet protocol for file
transfer that *assumes* that you already have a secure connection, and by
default the sftp command line tool simply invokes the command line tool to
setup its secure channel.  sftp doesn't have connection setup,
authentication, encryption, compression, etc - it relies on SSH to do that.

Here's the main RFC for SFTP:
http://tools.ietf.org/wg/secsh/draft-ietf-secsh-filexfer/

Another spin on this is that you can also use SSH to setup a secure channel
and a SOCKS proxy and then use an *FTP* client over the secure SSH channel
via the proxy.  This is an alternative to FTP/TLS, which can be a nightmare
for firewalls and NAT routers due to its use of multiple sockets which, when
encrypted, can't be snooped to setup the data port connection.

FWIW, we use SSH subsystem channels in our (free) Co:Z product to setup a
secure connection from a batch job to a remote Unix/Windows process.
Additional channels are setup via port forwarding if the remote process
wants to access z/OS datasets from the launching job.

Anyway, the SSH protocol is very cool, and the OpenSSH project is some of
the most useful free software available.   If you really want to be in the
club, support them by buying one of their cool tee shirts (
http://www.openssh.org/tshirts.html)

Kirk Wolf
Dovetailed Technologies
http://dovetail.com
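
The firewall/NAT problem with FTP/TLS described above, as an added example (not part of the original post): a simplified model of the control-channel inspection a firewall helper performs, run over two constructed sessions. The sample replies, the addresses and the hash bytes standing in for TLS ciphertext are all made up for the demonstration.

```python
import hashlib
import re

# Data-connection announcements a firewall/NAT helper looks for on port 21.
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)


def _endpoint(groups):
    """Turn h1,h2,h3,h4,p1,p2 into (ip, port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def inspect_control_stream(chunks):
    """Model of a helper watching the FTP control connection.

    chunks is a list of (direction, bytes) with direction "C" or "S".
    Returns the data endpoints it could learn and how many bytes it
    could not read once the session switched to TLS.
    """
    result = {"tls": False, "data_endpoints": [], "opaque_bytes": 0}
    auth_sent = False
    for direction, data in chunks:
        if result["tls"]:
            # Everything after the 234 reply is TLS records.
            result["opaque_bytes"] += len(data)
            continue
        for line in data.decode("ascii", errors="replace").splitlines():
            if direction == "C":
                if line.upper().startswith(("AUTH TLS", "AUTH SSL")):
                    auth_sent = True
                m = PORT_RE.match(line)
                if m:
                    result["data_endpoints"].append(_endpoint(m.groups()))
            else:
                if auth_sent and line.startswith("234"):
                    result["tls"] = True
                    break
                if line.startswith("227"):
                    m = PASV_RE.search(line)
                    if m:
                        result["data_endpoints"].append(_endpoint(m.groups()))
    return result


def tls_record(content_type, payload):
    """Minimal TLS record framing: type, version, length, payload."""
    return bytes([content_type, 3, 3]) + len(payload).to_bytes(2, "big") + payload


def stand_in(label):
    """Constructed 32 bytes standing in for ciphertext (not real TLS)."""
    return hashlib.sha256(label).digest()


# Constructed plain FTP session: the 227 reply is readable on the wire.
PLAIN_FTP = [
    ("S", b"220 constructed FTP server ready\r\n"),
    ("C", b"PASV\r\n"),
    ("S", b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"),
    ("C", b"RETR report.txt\r\n"),
]

# Constructed FTP/TLS session: the same PASV/227 exchange happens, but
# inside application-data records the helper cannot read.
FTP_TLS = [
    ("S", b"220 constructed FTP server ready\r\n"),
    ("C", b"AUTH TLS\r\n"),
    ("S", b"234 Proceed with negotiation\r\n"),
    ("C", tls_record(0x16, stand_in(b"client handshake"))),
    ("S", tls_record(0x16, stand_in(b"server handshake"))),
    ("C", tls_record(0x17, stand_in(b"PASV"))),
    ("S", tls_record(0x17, stand_in(b"227 reply"))),
]

if __name__ == "__main__":
    print("plain  :", inspect_control_stream(PLAIN_FTP))
    print("FTP/TLS:", inspect_control_stream(FTP_TLS))
```

With the plain session the helper learns 192.0.2.10:50000 and can open or translate that data port; with FTP/TLS it learns nothing after the 234 reply, which is why a single-connection protocol such as sftp or FTP tunnelled over SSH is easier to pass through firewalls.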




Re: secure ftp on the mainframe

2008-07-29 Thread Hal Merritt
Oh. 

I thought you were switching contexts. Now I see. And thanks to Kirk for
the additional enlightenment.

A file transfer protocol that isn't FTP is more than a little confusing.


Let's see, we have:

FTP
FTP under TLS
SSH packet file mover 
FTP under SSH 

But SSH also can be used for other things, like telnet, web service,
etc, right? 

My head hurts :-)

  

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Walt Farrell
Sent: Tuesday, July 29, 2008 2:13 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

On Tue, 29 Jul 2008 11:22:16 -0500, Hal Merritt [EMAIL PROTECTED]
wrote:

I was referring to the sftp that Walt mentioned. My take was that it
was
neither TLS nor SSH.

SFTP is not FTP at all.  It is a secure, FTP-like communication
protocol.

Perhaps you didn't see the next sentence of that message?  SFTP here,
is a
function provided by the ssh protocols.

--   
  Walt




Re: secure ftp on the mainframe

2008-07-24 Thread R.S.

Kurt Eastwood wrote:

Hello,
 
First off let me say I am not an FTP expert.
 
We currently use FTP on the mainframe to send files to various sites. We also use SFTP on the UNIX boxes to send files to various sites. I am looking for any information or help on using SFTP, which I understand to be 'secure ftp' on the mainframe to send files with sensitive information in them.
 
Is SFTP really a 'secure ftp'? 


There are several flavours of secure ftp.
It can be FTP over SSL/TLS, it's sometimes called FTPS - this is what 
you surely have.
It can be sftp - AFAIK ftp over SSH. It is available on z/OS as a free and 
unsupported tool. AFAIK it supports HFS files only (I mean any Unix 
file, regardless of filesystem type: ZFS, HFS, etc.)
I vaguely remember some other type of secure ftp, but I can't remember 
any details.


HTH

--
Radoslaw Skorupka
Lodz, Poland





Re: secure ftp on the mainframe

2008-07-24 Thread Wissink, Brad [ITSYS]
We run FTP with SSL and FTP with SSH.  FTP/SSL is part of TCPIP, while sftp 
(FTP/SSH) is part of IBM Ported Tools (free for the download).  We run both 
from batch procedure.  We have RACF control the certificates and keyrings for 
FTP/SSL.  Then you use the SYSFTPD DD statement to tell FTP if SSL is to be 
used, what ciphers to use and where to find the keyring.   FTP/SSL works with 
MVS data sets, while sftp does not.  Sftp only works with HFS files.  So our 
batch procedure transfers the MVS data set to a HFS file before it invokes 
sftp.  You will also need a .ssh directory under the home directory for the 
userid of the job.  Inside that directory you will need a known.hosts file that 
must contain the keys from the outside clients.  You need the keys because 
batch sftp does not allow you to use a userid/password.  

Good Luck.

Brad Wissink
Information Technology Services
Iowa State University
515-294-3088

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Kurt 
Eastwood
Sent: Thursday, July 24, 2008 10:01 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: secure ftp on the mainframe

Hello,
 
First off let me say I am not an FTP expert.
 
We currently use FTP on the mainframe to send files to various sites. We also 
use SFTP on the UNIX boxes to send files to various sites. I am looking for any 
information or help on using SFTP, which I understand to be 'secure ftp' on the 
mainframe to send files with sensitive information in them.
 
Is SFTP really a 'secure ftp'? 
 
Can SFTP be used on the mainframe and if so can anyone give some guidance on 
how they use it and what is needed to begin using it?
 
Is SFTP for the mainframe an additional program that you have to purchase?
 
I find FTP in TCPIP.SEZALOAD but cannot find any reference to SFTP on the 
mainframe.

Thank you in advance for your help.
Kurt
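
The reply above notes that a batch sftp job needs the remote keys in the known-hosts file under `.ssh`, because no one is at a terminal to answer a prompt. The following is an added example, not code from the thread or from IBM: a Python check that a known_hosts file (OpenSSH format, including hashed and `[host]:port` entries) already holds a usable key for each partner host. All host names, the key blob and the salt are constructed sample values.

```python
"""Pre-flight check: does known_hosts cover the hosts a batch sftp job contacts?"""
import base64
import hashlib
import hmac
import re


def lookup_name(host, port=22):
    """OpenSSH records non-default ports as [host]:port."""
    host = host.lower()
    return host if port == 22 else "[%s]:%d" % (host, port)


def _glob_match(pattern, name):
    """known_hosts patterns allow only the '*' and '?' wildcards."""
    regex = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, name) is not None


def hosts_field_matches(field, name):
    """True if one host field (plain, wildcard or hashed) covers name."""
    if field.startswith("|1|"):
        # Hashed form: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=name))
        try:
            _, _, salt_b64, mac_b64 = field.split("|")
            salt = base64.b64decode(salt_b64)
            expected = base64.b64decode(mac_b64)
        except ValueError:
            return False  # malformed hashed entry
        actual = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    matched = False
    for pattern in field.split(","):
        if pattern.startswith("!"):
            if _glob_match(pattern[1:], name):
                return False  # an explicit negation wins
        elif _glob_match(pattern, name):
            matched = True
    return matched


def matching_keys(known_hosts_text, host, port=22):
    """Return (marker, keytype) for every line whose host field covers host."""
    name = lookup_name(host, port)
    found = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = ""
        if fields[0].startswith("@"):  # @revoked or @cert-authority
            marker, fields = fields[0], fields[1:]
        if len(fields) >= 3 and hosts_field_matches(fields[0], name):
            found.append((marker, fields[1]))
    return found


def batch_ready(known_hosts_text, host, port=22):
    """True only if an ordinary (unmarked) host key is on file.

    Lines marked @revoked or @cert-authority are deliberately not counted:
    this check does not validate host certificates.
    """
    return any(marker == "" for marker, _ in matching_keys(known_hosts_text, host, port))


def _b64(data):
    return base64.b64encode(data).decode()


# Constructed sample data: the key blob is not a real key.
_KEY = _b64(b"constructed-not-a-real-key")
_SALT = b"constructed-salt-20b"
_HASHED = "|1|%s|%s" % (
    _b64(_SALT),
    _b64(hmac.new(_SALT, b"archive.example.org", hashlib.sha1).digest()),
)
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "partner.example.com,192.0.2.10 ssh-rsa " + _KEY,
    "[sftp.example.net]:2222 ssh-ed25519 " + _KEY,
    _HASHED + " ssh-ed25519 " + _KEY,
    "@revoked old.example.com ssh-rsa " + _KEY,
    "*.lab.example.com,!bad.lab.example.com ssh-rsa " + _KEY,
])

if __name__ == "__main__":
    for target in [("partner.example.com", 22), ("sftp.example.net", 22),
                   ("sftp.example.net", 2222), ("old.example.com", 22)]:
        print(target, "ready" if batch_ready(SAMPLE_KNOWN_HOSTS, *target) else "MISSING")
```

Running a check like this before the transfer step lets the job fail with a clear message instead of hanging or aborting on an unanswered host-key prompt.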


  




Re: secure ftp on the mainframe

2008-07-24 Thread Chase, John
 -Original Message-
 From: IBM Mainframe Discussion List On Behalf Of Kurt Eastwood
 
 Hello,
  
 First off let me say I am not an FTP expert.
  
 We currently use FTP on the mainframe to send files to 
 various sites. We also use SFTP on the UNIX boxes to send 
 files to various sites. I am looking for any information or 
 help on using SFTP, which I understand to be 'secure ftp' on 
 the mainframe to send files with sensitive information in them.
  
 Is SFTP really a 'secure ftp'? 

Yes, if you accept encrypted transfers as secure.

 Can SFTP be used on the mainframe and if so can anyone give 
 some guidance on how they use it and what is needed to begin using it?

Yes.  Many posts on the subject in the IBM-MAIN archives.

 Is SFTP for the mainframe an additional program that you have 
 to purchase?

Yes.  The price is $ZERO.

 I find FTP in TCPIP.SEZALOAD but cannot find any reference to 
 SFTP on the mainframe.

It's included in the z/OS Unix Ported Tools product, which is available at no 
charge via ShopzSeries.

-jc-




Re: secure ftp on the mainframe

2008-07-24 Thread Hal Merritt
As another posted, 'sftp' is not a unique enough name. There is a 'speedy' FTP 
that uses a proprietary protocol, for example. 

The short answer to your question is that there are several 'flavors' of data 
encryption offered on z/os. The two main types are TLS (transport layer 
security, formerly known as 'secure sockets layer' or SSL) and SSH (secure 
shell).

SSH is very popular in tinkertoyland, but is currently a huge PITA to implement 
on z/os. SSH uses only the *nix side of the house and data has to be copied to 
and from z/fs. Hopefully someday regular z/os datasets will be directly 
supported. 

TLS is certificate based (a very widely used strategy) and fits right into your 
regular z/os batch solutions.

Getting the infrastructure up and running for encrypted FTP and TN3270 under 
TLS is almost trivial. A few entries in TCPPARMS and you are there. Certificate 
management, on the other hand, is likely the second most confusing thing 
you'll ever run in to. (Women are first on that list :-D ) 

Just to confuse things even more, the definition of 'secure' may be changing. 
Heretofore, 'secure' meant only that data (to include login passwords) not flow 
in the open over a network. A recent audit 'issue' is that we implement both 
client as well as server authentication over and beyond logon credentials (the 
familiar ID and password). The root issue is to protect against a 'man in the 
middle' attack. 

But wait! There's more! Keep in mind that, no matter what you choose, the other 
host has to be doing the same thing and you may have little or no control over 
that host. 

HTH and good luck.   












Re: secure ftp on the mainframe

2008-07-24 Thread McKown, John
 -Original Message-
 From: IBM Mainframe Discussion List 
 [mailto:[EMAIL PROTECTED] On Behalf Of Hal Merritt
 Sent: Thursday, July 24, 2008 10:47 AM
 To: IBM-MAIN@BAMA.UA.EDU
 Subject: Re: secure ftp on the mainframe
 
[snip]
 
 SSH is very popular in tinkertoyland, but is currently a huge 
 PITA to implement on z/os. SSH uses only the *nix side of the 
 house and data has to be copied to and from z/fs. Hopefully 
 someday regular z/os datasets will be directly supported. 

I agree. I wish that IBM had supplied their patches to OpenSSH so that
others could look at extending sftp to legacy datasets. I will also
mention that Dovetailed Technologies Co:Z can do file transfers over
OpenSSH which will access (read/write) legacy datasets. It is not sftp,
but it is over an SSH encrypted channel.

 
[snip]
 
 HTH and good luck.   


--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology




Re: secure ftp on the mainframe

2008-07-24 Thread Itschak Mugzach
And you may consider file transfer over MQ, of course.

ITschak  


| Itschak Mugzach | Director | SecuriTeam Software |
| Email: [EMAIL PROTECTED] | Mob: +972 522 986404 | Skype: Itschak
Mugzach | Web: www.Securiteam.co.il  | 




Re: secure ftp on the mainframe

2008-07-24 Thread Walt Farrell
On Thu, 24 Jul 2008 17:05:40 +0200, R.S. [EMAIL PROTECTED] wrote:
It can be sftp - AFAIK ftp over SSH. It is available on z/OS as a free and
unsupported tool. AFAIK it supports HFS files only (I mean any Unix
file, regardless of filesystem type: ZFS, HFS, etc.)
I vaguely remember some other type of secure ftp, but I can't remember
any details.

The IBM Ported Tools for z/OS provides a free, and as far as I know
supported, implementation of OpenSSH for z/OS.  That will give sftp support,
and other ssh functionality.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design




Re: secure ftp on the mainframe

2008-07-24 Thread Walt Farrell
On Thu, 24 Jul 2008 08:00:55 -0700, Kurt Eastwood [EMAIL PROTECTED] wrote:
Is SFTP really a 'secure ftp'? 

SFTP is not FTP at all.  It is a secure, FTP-like communication protocol. 
(SFTP here, is a function provided by the ssh protocols.)  I'm not sure
anyone has really stated that in this thread, so I thought I'd mention it. 
Others have discussed additional details that I don't need to repeat.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design




Re: Secure FTP

2008-03-08 Thread Walt Farrell
On Fri, 7 Mar 2008 16:21:25 -0600, Miller, Pat [EMAIL PROTECTED]
wrote:

I need to exchange files with an agency that uses sftp and SSH-2.  From
looking at the archives and the TCP/IP Implementation red book (vol 2, std
apps), I am unclear whether I can use ftps and AT-TLS or am stuck with sftp.

sftp is not at all related to ftp.  It is an entirely different protocol,
part of SSH or OpenSSH processing.

Their agency might also support ftps, but you'd have to ask them. 
Alternatively you can install the IBM Ported Tools for z/OS as Richard
mentioned, which will give you an OpenSSH implementation on z/OS, and that
will give you the ability to use sftp.

http://www-03.ibm.com/servers/eserver/zseries/zos/unix/port_tools.html

For discussion of OpenSSH on z/OS I suggest using the MVS-OE mailing list
rather than IBM-MAIN.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design



Re: Secure FTP

2008-03-07 Thread Richard Peurifoy

Miller, Pat wrote:

I need to exchange files with an agency that uses sftp and SSH-2.  From looking 
at the archives and the TCP/IP Implementation red book (vol 2, std apps), I am 
unclear whether I can use ftps and AT-TLS or am stuck with sftp.

I'm not sure what platform they operate from, other than it's not z/OS.  


Go ahead.  Educate me.  Please.



sftp with ssh will not interoperate with ftps using TLS.
So far we have been able to use TLS with most of the people
we exchange data with. In a few cases we PGP encrypt the data
and use regular FTP.

There is an ssh port at

http://www-03.ibm.com/servers/eserver/zseries/zos/unix/port_tools.html

It may be incorporated in later releases (we are still 1.7).

I have not tried this yet.

--
Richard



Re: Secure FTP Config: CIPHERSUITE statements?

2007-10-18 Thread Mark Jacobs

Chase, John wrote:

Hi, All,

Is it better to order the CIPHERSUITE statements from weaker to
stronger, or from stronger to weaker?

Why?

TIA,

-jc-



  
Logically I would go from stronger to weaker since you want the 
strongest encryption that both sides can understand.


--
Mark Jacobs
Time Customer Service
Tampa, FL 
--


A desire not to butt into other people's business is at 
least eighty percent of all human wisdom...and the other

twenty percent isn't very important.

Jubal Harshaw (Stranger in a Strange Land)
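
The ordering question in this exchange can be checked mechanically. The following is an added example, not part of the original posts and not IBM code: a Python linter that reads the CIPHERSUITE statements from an FTP.DATA fragment in order and reports weaker-before-stronger ordering and null or export suites. The strength ranking, the sample fragments and the simplified "first mutually supported suite in the governing list wins" selection model are assumptions of the example.

```python
"""Lint the CIPHERSUITE order in an FTP.DATA fragment (added example)."""

# Relative strength ranking: an assumption of this example, not an IBM table.
# 0 = no encryption or export-grade; a higher number means stronger.
STRENGTH = {
    "SSL_NULL_MD5": 0, "SSL_NULL_SHA": 0,
    "SSL_RC4_MD5_EX": 0, "SSL_RC2_MD5_EX": 0,
    "SSL_DES_SHA": 1, "SSL_RC4_MD5": 1, "SSL_RC4_SHA": 1,
    "SSL_3DES_SHA": 3,
    "SSL_AES_128_SHA": 4,
    "SSL_AES_256_SHA": 5,
}


def parse_ciphersuites(ftp_data):
    """Return the CIPHERSUITE names in the order they appear."""
    suites = []
    for raw in ftp_data.splitlines():
        words = raw.split(";", 1)[0].split()  # ';' starts a comment in FTP.DATA
        if len(words) >= 2 and words[0].upper() == "CIPHERSUITE":
            suites.append(words[1].upper())
    return suites


def lint(ftp_data):
    """Return a list of (finding, suite) tuples; an empty list means no findings."""
    suites = parse_ciphersuites(ftp_data)
    findings = []
    for i, name in enumerate(suites):
        rank = STRENGTH.get(name)
        if rank is None:
            findings.append(("unknown-suite", name))
            continue
        if rank == 0:
            findings.append(("null-or-export", name))
        later = [STRENGTH[s] for s in suites[i + 1:] if s in STRENGTH]
        if later and max(later) > rank:
            findings.append(("weaker-before-stronger", name))
    return findings


def negotiate(preference_order, peer_supported):
    """Simplified model: the first suite in the governing list that the peer supports."""
    for name in preference_order:
        if name in peer_supported:
            return name
    return None


# Constructed FTP.DATA fragments for the example.
WEAK_FIRST = """\
; constructed fragment, weakest suite listed first
SECURE_FTP      REQUIRED
CIPHERSUITE     SSL_DES_SHA
CIPHERSUITE     SSL_3DES_SHA
CIPHERSUITE     SSL_AES_256_SHA
"""

STRONG_FIRST = """\
; constructed fragment, strongest suite listed first
SECURE_FTP      REQUIRED
CIPHERSUITE     SSL_AES_256_SHA
CIPHERSUITE     SSL_3DES_SHA
CIPHERSUITE     SSL_DES_SHA
"""

# Constructed peer that supports both a weak and a strong suite.
PEER = {"SSL_DES_SHA", "SSL_AES_256_SHA"}

if __name__ == "__main__":
    for label, text in (("weak first", WEAK_FIRST), ("strong first", STRONG_FIRST)):
        print(label, "->", negotiate(parse_ciphersuites(text), PEER), lint(text))
```

With the same peer, the weakest-first list settles on SSL_DES_SHA even though both sides could have used SSL_AES_256_SHA, which is the outcome the stronger-to-weaker ordering avoids.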



Re: Secure FTP

2006-03-15 Thread Ed Rabara
I got this via private e-mail. I'm posting it here for completeness.

Ed R.

From: [EMAIL PROTECTED]
Sent: Tuesday, March 14, 2006 12:52 PM
Subject: Re: Secure FTP

There's a few things you need to configure ...

* ICSF -- if you're going to use hardware encryption
  SA22-7520 ICSF System Programmers Guide
  SA22-7521 ICSF Administration

* System SSL -- I think it comes properly configured out of the box for
z/OS ...
  don't remember doing anything with it.  needed the manual to learn how
to turn on the trace facility ...
  SC24-5901 System SSL programming

* RACF -- to set up keyrings and certificates, basically the RACDCERT
command ...
  SA22-7683 RACF Security Administrators Guide
  SA22-7681 RACF System Programmers Guide

* Comm Server -- for ftp it's just a matter of editing the FTP.DATA
configuration file.
  for tn3270E it's a matter of editing the PROFILE.TCPIP file.



Re: Secure FTP

2006-03-14 Thread Ulrich Boche

Ed Rabara wrote:

John S. Giltner, Jr. wrote:


We originally tried SFTP (SSH FTP) but ended up using FTPS (FTP TLS/SSL)
instead.

SSH FTP can only access files in a HFS/ZFS, no real mvs files, FTP
TLS/SSL can access all files no matter where they live.  As 99.9% of
all the files we process are mvs files we found it made our life
easier.


I'm interested in enabling the secure part of secure FTP, secure TN3270
Server, etc. Am I to understand that to get those secure parts working
you have to have TLS/SSL working on your system first? Can you point me to
the most complete and useful manual to enable TLS/SSL on z/OS, please?



Try SG24-7170-00, Communications Server for z/OS V1R7
TCP/IP Implementation, Volume 2 Standard Applications
--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner



Re: Secure FTP

2006-03-14 Thread Weidt, James
How about secure FTP on OS/390 2.9?

Is there any hope? 


Thanks,
Jim Weidt
Senior Systems Engineer
Jostens Inc.
The Ponds
Office: 952-838-7555
Cell: 612-419-3738
[EMAIL PROTECTED]
** GBA **
 



Re: Secure FTP

2006-03-14 Thread John S. Giltner, Jr.

Don't think so.

TLS/SSL FTP (FTPS) was introduced in z/OS 1.2.  SSH FTP (SFTP) was in 
1.4 I think, as an optional free package officially supported by IBM.


Weidt, James wrote:

How about secure FTP on OS/390 2.9?

Is there any hope? 



Thanks,
Jim Weidt
Senior Systems Engineer
Jostens Inc.
The Ponds
Office: 952-838-7555
Cell: 612-419-3738
[EMAIL PROTECTED]
** GBA **
 





Re: Secure FTP

2006-03-13 Thread Clark, Kevin D, HRC-Alexandria/EDS
Cletus, 

Your Industry may dictate a solution. 

For Example 

Financial   - Connect:Direct
International - HARBOR/FT
Commercial -  FTP SSH



Contact the site where you must transfer to and from and gather a consensus
of product standards from them. 

Kevin 


-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
Of McGee, Cletus
Sent: Monday, March 13, 2006 10:39 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Secure FTP


We are exploring our options to meet a requirement to do a secure FTP from
the Mainframe. I was wondering what others have done in this area. Any
product suggestions or methodologies to accomplish this? 

 

Thanks

 

***

Cletus McGee

Technical Services

(334) 394-3320

 

Have a grand day

   

 

 






Re: Secure FTP

2006-03-13 Thread Steve Flynn
On 13/03/06, McGee, Cletus [EMAIL PROTECTED] wrote:
 We are exploring our options to meet a requirement to do a secure FTP
 from the Mainframe. I was wondering what others have done in this area.
 Any product suggestions or methodologies to accomplish this?

We have used a SSH tunnel carrying FTP. The target box was a windows
PC running copSSH.

--
Steve
Despair - It's always darkest just before it goes pitch black...



Re: Secure FTP

2006-03-13 Thread Jack Kelly
we're just in the throes of it now. looks like ibm's free 5655-m23 does 
the job

Jack Kelly
LA Systems @ US Courts
x 202-502-2390



Re: Secure FTP

2006-03-13 Thread John S. Giltner, Jr.
We originally tried SFTP (SSH FTP) but ended up using FTPS (FTP TLS/SSL) 
instead.

SSH FTP can only access files in a HFS/ZFS, no real mvs files, FTP 
TLS/SSL can access all files no matter where they live.  As 99.9% of 
all the files we process are mvs files we found it made our life 
easier.  We also found it easier to automate, as we already were using 
the FTP SMF exit to issue WTO for NetView to see when transmissions ended.



McGee, Cletus wrote:

We are exploring our options to meet a requirement to do a secure FTP
from the Mainframe. I was wondering what others have done in this area.
Any product suggestions or methodologies to accomplish this? 

 


Thanks

 


***

Cletus McGee

Technical Services

(334) 394-3320

 


Have a grand day




Re: Secure FTP

2006-03-13 Thread Ed Rabara
John S. Giltner, Jr. wrote:

We originally tried SFTP (SSH FTP) but ended up using FTPS (FTP TLS/SSL)
instead.

SSH FTP can only access files in a HFS/ZFS, no real mvs files, FTP
TLS/SSL can access all files no matter where they live.  As 99.9% of
all the files we process are mvs files we found it made our life
easier.

I'm interested in enabling the secure part of secure FTP, secure TN3270
Server, etc. Am I to understand that to get those secure parts working
you have to have TLS/SSL working on your system first? Can you point me to
the most complete and useful manual to enable TLS/SSL on z/OS, please?

TIA, Ed R.



Re: Secure FTP

2006-03-13 Thread Gibney, Dave
   It's a Comm. Server (TCPIP) redbook. I don't remember the number, but
I'd expect you to find it if you searched redbooks for SSL FTP TN3270 



Re: Secure FTP on z/OS

2005-07-21 Thread Hal Merritt
Test results very positive on 1.4. I did find the 1.6 manuals somewhat
easier to understand.

For testing, I used one LPAR to talk to another. I seem to recall that
the server had to be correctly configured for the client to work
properly on a given host.  

One gotcha: don't use a human ID to own certificates. If that ID is ever
deleted, so are the certificates. Or so I understand.  

There is lots of discussion on the RACF list. 

HTH and good luck.   



Re: Secure FTP on z/OS

2005-07-19 Thread John S. Giltner, Jr.

Neal Eckhardt wrote:

I have seen it documented that SSL/TLS is supported in the FTP server
from z/OS 1.2 and later. Does the FTP client also support SSL/TLS?  I
can't find anything in the z/OS 1.4 configuration manual referencing
SSL/TLS in the CLIENT.

Thanks,
Neal


Not sure about the 1.4 manuals, but it is in the 1.6 manuals.

You may want to check the IP User's Guide and Commands.  Look at the 
section on FTCDATA and the parameter SECURE_FTP.




Re: secure ftp port 21 990 application layer firewall

2005-07-12 Thread Jay Maynard
On Tue, Jul 12, 2005 at 08:15:05AM -0500, Joel Ivey wrote:
 Peter, thanks for the response.  Our firewall is by Symantec.   According to
 the firewall folks, they cannot set up a separate set of rules to allow ftps
 traffic through 21/20 from certain ip addresses.  It's either all or
 nothing.   If they allow ftps traffic through, they won't be able to do deep
 inspection on those ports enterprise-wide.  I find that remarkable.

Tell 'em to get another firewall. Even open-source firewalls have this
capability, and Checkpoint Software's Firewall-1 has had it for nearly a
decade.



Re: secure ftp port 21 990 application layer firewall

2005-07-11 Thread Peter Vander Woude
Joel,

  I would suspect that the issue you're running into is that your firewall is 
doing stateful inspection.  The problem is not that the firewall doesn't 
recognize AUTH TLS, but that it's having a problem during the TLS negotiation.  
It is something that we ran into when first starting with FTP-TLS transfers.  

  BTW, is your firewall CheckPoint FW-1?  If you're running FW-1 NG, or higher, 
it is relatively easy for them to set up a separate service definition and 
turn off the stateful inspection.

  You have to do it for both the control port and the data ports.  If you don't 
get your firewall folks to turn the stateful inspection off, the transfers 
won't work.  You can see the failure by turning on DEBUG SEC. 

  We do not use port 990.  Due to its use being deprecated by IETF and not in 
the proposed standard, I try to steer away from it.  All connections we do are 
port 21.  Now, if you're running your own FTP Server, you can choose to use a 
different port for the control connection, as one of the companies we transmit to 
(via ftp client on our side) does.  But for 99% of the cases we have, the 
servers are using port 21.





Peter I. Vander Woude
Sr. Mainframe Engineer



Re: Secure FTP on the Mainframe

2005-05-31 Thread Mark Vitale
I believe the software looks for the key database password
in the stash file.  When I ran into this recently, I was using
gskkyman to manage my key file, and there's an option in gskkyman
10 - Store database password to create the stash file.  

Once I did that, the TLS handshake moved on to the next error 8-( ...

-Mark Vitale 
Senior Software Engineer
Telephone 610.865.0300 (ext. 126) 

ISM - The power behind great IT decisions
Visit us at www.perfman.com 



Re: Secure FTP on the Mainframe

2005-05-31 Thread Hal Merritt
I don't agree. The OMVS setup looked to be more complicated and would
result in a less secure environment. 

Do stay away from the ISPF panels and do the cert generation in batch.  

My $0.02 

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Richard Pinion
Sent: Thursday, May 26, 2005 11:42 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Secure FTP on the Mainframe

Nothing wrong with using RACF for the CERT stuff but you can generate
CERTS from OMVS using gskkyman.  Maybe it is better to learn to crawl
first rather than trying to run.



Re: Secure FTP on the Mainframe

2005-05-30 Thread Ulrich Boche

Howard Rifkind wrote:

Ulrich,
 
Can sFTP and FTP reside within the same z/OS partition and be used at the same time?
 
For instance, one person is FTP'ing a secure document using sFTP and another is using just plain old FTP for something else




You could use three different kinds of file transfer on the same LPAR at 
the same time:


The FTP server can be used for unencrypted FTP (ftp: or plain old 
FTP) and for encrypted file transfer, ftps:. You can use the same 
ftpd server, typically with two different ports for ftp: and ftps:.


To use sftp:, you need to install the IBM Ported Tools for z/OS UNIX. 
This is an official and supported IBM port of OpenSSH. It is independent 
of the ftpd server and can coexist with it (different port numbers are 
used).

--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner



Re: Secure FTP on the Mainframe

2005-05-29 Thread Craig Kittendorf
Hi,

I followed Share Session 3925 to set up my ftp server on one z/OS v1.4 LPAR
(CDCU).  I then exported the certificate to another LPAR (CDCT) and imported
the certificate into its key data base.

When trying ftp from the second lpar to the first I get the following:

EZA1450I IBM FTP CS V1R4
EZA1772I FTP: EXIT has been set.
EZYFT18I Using catalog '/usr/lib/nls/msg/C/ftpdmsg.cat' for FTP messages.
EZA1554I Connecting to: CDCU 205.145.225.134 port: 21.
220-FTPD1 IBM FTP CS V1R4 at CDCU, 10:03:13 on 2005-05-29.
220 Connection will close if idle for more than 5 minutes.
 FC0159 ftpAuth: security values: mech=TLS, sFTP=A, sCC=C, sDC=P 
FC0182 ftpAuth:  cipherspecs = 03040506090A 
FC0215 ftpAuth: keyring  =/u/jsysxxx/SSL/cdcu_self_signed.crt 
FC0216 ftpAuth: stashFile=/u/jsysxxx/SSL/cdcu_self_signed.sth
FC0223 ftpAuth: environment_open() 
FC0341 ftpAuth: environment_init() 
FC0345 ftpAuth: TLS init failed with rc = 201 (No key database password
supplied
FC0786 endSecureEnv: entered
EZA2897I Authentication negotiation failed 
EZA1701I  USER jxx 
534 Server requires authentication before USER command 
EZA1735I FTP Return Code = 26534, Error Code = 2

Where would the key database password be supplied?

Thanks,
Craig 

-Original Message-
 
Subject: Re: Secure FTP on the Mainframe

 We would like to install Secure FTP in our mainframe's TCP/IP configuration
and I have no idea how to do this.
 
 Would someone be kind enough to point me in the right direction where to
start and what manuals to check out, and what to be aware of.
 
 I'm not really prime time with TCP/IP. Thanks.
 



Re: Secure FTP on the Mainframe

2005-05-27 Thread Steve Bireley
Howard Rifkind [EMAIL PROTECTED] wrote:
We would like to install Secure FTP in our mainframe's TCP/IP configuration
and I have no idea how to do this.

Would someone be kind enough to point me in the right direction where
to start and what manuals to check out, and what to be aware of.

I'm not really prime time with TCP/IP. Thanks.


Howard,

Something to be aware of when using SSL/TLS with FTP is how these
sessions will make it through a firewall.  If your users will be coming
through the Internet to your mainframe FTP server, you may have some
difficulty unless you plan for it up front.  The FTP protocol requires
two connections, a Control connection and a Data connection.  Normally,
a firewall scans the data on the control port looking for the PASV
response from the server that tells the client how to connect the data
port.  Since the data stream is encrypted, the firewall cannot get this
information.  This issue is further compounded when you add Network
Address Translation in the firewall.

To handle the first case, your FTP server must be able to define a
narrow range of ports that it will assign as data ports for the data
connection.  This can be one or more ports. These ports must then be
open on the firewall.  The PASV response from the host will contain the
IP address and port to which the client will connect the data
port.  The firewall will have an open range of ports to accommodate the
data connection.

If NAT is enabled in the firewall, then the FTP server will send back
its true IP address and port, in the PASV response, rather than the
public IP address and port.  Since the firewall cannot see the PASV
response, it cannot fix it on the way as it does with clear text FTP.  To
get around this, some FTP clients and servers support EPSV rather than
PASV. In this case, the FTP server only returns the port number and the
client assumes the IP address to be the same as the control port. In
other cases, the FTP client can be configured to always connect the data
connection to the same IP as the control connection.

Both of these situations can be handled using a Secure FTP Proxy server
that sits in front of a non-secure FTP server.  

Good Luck!

Steve Bireley
Vice-President
Product Development
Seagull Software
www.seagullsoftware.com

Seagull Free FTP
BlueZone Secure FTP
BlueZone Terminal Emulation
Seagull Security Server
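
The PASV/EPSV behaviour described in the message above, as an added example that is not part of the original post: Python that parses both reply forms and shows which address a client dials when the firewall cannot rewrite an encrypted PASV reply. The addresses, port range and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample replies; 10.1.2.3 is the server's internal address and
# 203.0.113.10 stands for the public address the client dialled.
PASV_REPLY = "227 Entering Passive Mode (10,1,2,3,195,149)"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50069|)"

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"\((.)\1\1(\d{1,5})\1\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; port is p1*256 + p2."""
    match = PASV_RE.search(reply) if reply.startswith("227") else None
    if match is None:
        raise ValueError("not a PASV reply: %r" % reply)
    octets = [int(g) for g in match.groups()]
    if max(octets) > 255:
        raise ValueError("field out of range in %r" % reply)
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


def parse_epsv(reply):
    """Return the port from a 229 reply; EPSV carries no address."""
    match = EPSV_RE.search(reply) if reply.startswith("229") else None
    if match is None or not 0 < int(match.group(2)) < 65536:
        raise ValueError("not an EPSV reply: %r" % reply)
    return int(match.group(2))


def data_endpoint(reply, control_ip, open_ports, use_control_ip=True):
    """Work out where the client will open the data connection.

    control_ip     -- address the control connection was opened to
    open_ports     -- (low, high) passive range opened on the firewall
    use_control_ip -- client setting: ignore the address in a PASV reply
    """
    if reply.startswith("229"):
        advertised, port = None, parse_epsv(reply)
    else:
        advertised, port = parse_pasv(reply)
    ip = control_ip if (advertised is None or use_control_ip) else advertised
    return {
        "ip": ip,
        "port": port,
        # The server advertised an address the firewall could not rewrite.
        "nat_mismatch": advertised is not None and advertised != control_ip,
        "advertised_private": advertised is not None
        and ipaddress.ip_address(advertised).is_private,
        "port_open": open_ports[0] <= port <= open_ports[1],
    }
```

With `use_control_ip=False` the PASV case returns the internal 10.1.2.3 address, which is the failure the message attributes to NAT; the EPSV reply never carries an address, so it cannot go wrong that way.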



Re: Secure FTP on the Mainframe

2005-05-27 Thread Howard Rifkind
Ulrich,
 
Can sFTP and FTP reside within the same z/OS partition and be used at the same 
time?
 
For instance, one person is FTP'ing a secure document using sFTP and another is 
using just plain old FTP for something else

Ulrich Boche [EMAIL PROTECTED] wrote:
Howard Rifkind wrote:

 We would like to install Secure FTP in our mainframe's TCP/IP configuration and 
 I have no idea how to do this.
 
 Would someone be kind enough to point me in the right direction where to 
 start and what manuals to check out, and what to be aware of.
 
 I'm not really prime time with TCP/IP. Thanks.
 

Which kind of secure FTP are you looking for? There are two:

1. FTP (the ftpd daemon) with SSL/TLS support, commonly called ftps:

2. SFTP, a secure file transfer protocol implemented by OpenSSH.

The protocols are incompatible but both are available on z/OS. The UNIX 
people usually prefer SFTP.
-- 
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner



Re: Secure FTP on the Mainframe

2005-05-26 Thread Richard Pinion
Would you be interested in using FTP with SSL/TLS support?  If so, it is 
already installed.   You need some parms and commands which I or other users of 
ibm-main can provide. 

 [EMAIL PROTECTED] 05/26/05 10:21AM 
We would like to install Secure FTP in our mainframe's TCP/IP configuration and I 
have no idea how to do this.
 
Would someone be kind enough to point me in the right direction where to start 
and what manuals to check out, and what to be aware of.
 
I'm not really prime time with TCP/IP.  Thanks.




Re: Secure FTP on the Mainframe

2005-05-26 Thread Hal Merritt
The manuals are confusing as they seem to be focused on Websphere and
assume that is what you want to do. So far, I have achieved a secure
transfer, or at least so say the messages. I created the CA cert on one
system, then exported/imported it to another. Both systems are z/os 1.4
but do not share RACF. Changing the FTPSDATA requires a recycle of FTP
(P FTPD1, S FTPD). 

I am still baffled by the certificate process. I posed a plea for help
on the RACF list, and received two replies that I have not yet studied.
One suggested: 
http://www-306.ibm.com/software/network/commserver/zos/library/  

Another from Wai Choi - RACF Development. I will post that separately.  

NOTE: THE FOLLOWING IS FROM MY TESTING NOTES. TEST RESULTS ARE
ENCOURAGING, BUT I HAVE NO IDEA IF/HOW THIS WOULD APPLY TO ANYONE ELSE.
I STILL DON'T KNOW IF THIS IS THE CORRECT PROCESS. YMMV.  

IF YOU OR ANY OF YOUR STAFF ARE CAUGHT OR KILLED, THE SECRETARY WILL
DISAVOW... oops, sorry, wrong disclaimer. 

ICSF is not required, but highly recommended.

The invocation (last steps below) still needs polishing. The DEBUG
statements may not be appropriate for prime time. My notes:   

1. Build CA CERT

  RACDCERT CERTAUTH GENCERT -  
SUBJECTSDN( -  
 .
   
2. Build personal certs
   a.   FTPD

  RACDCERT ID(FTPD) GENCERT - 
SUBJECTSDN( - 
  
   SIGNWITH(CERTAUTH -
  LABEL('from above'))   

   b.   User

  RACDCERT ID(myid) GENCERT -   
SUBJECTSDN( -  
 ..
   SIGNWITH(CERTAUTH - 
  LABEL('from above'))


3. Activate and RACLIST classes DIGTCERT DIGTRING
4. Add FACILITY IRR.DIGTCERT.LISTRING and permit.
5. Build key rings.
   a. FTPD
   b.   User
6. Connect both CA and personal certs to keyrings.
7. Add to server SYS1.TCPPARMS(FTPSDATA):

DEBUG SEC ; Helpful

 ACCESSERRORMSGS  ; Send detailed login failure replies   
 KEYRING thekeyringname   ; Cert keyring for the server FTPDx

 EXTENSIONS AUTH_TLS  ; Activate SSL support  

8. Add to client //SYSFTPD DD DISP=SHR,DSN=my.parmlib(FTPSSL1) which
contains:

  DEBUG SOC(2)  
  CLIENTERRCODES TRUE   
  KEYRING mykeyring 
  SECURE_DATACONN PRIVATE   
  SECURE_MECHANISM  TLS   

9.  Invoke FTP:

//S001 EXEC PGM=FTP,PARM='-v -d -e -r TLS'



Re: Secure FTP on the Mainframe

2005-05-26 Thread Hal Merritt
And here is the cross posting from the RACF list as promised:

QUOTE:
This is a foil that I presented in SHARE and Vanguard. People think this
helps them to clear things out.  Would it help you?

Given:
- CA1 is the CA cert which signed the server cert S
- CA2 is the CA cert which signed the client cert C
- Ring X is the server's key ring, ring Y is the client's key ring

Question:
What cert(s) needed in ring X? in ring Y?
- For Server authentication
    Ring X: CA1, S          Ring Y: CA1
- For Client authentication (implies server authentication too)
    Ring X: CA1, S, CA2     Ring Y: CA2, C, CA1

Further thinking:
Would it be simpler (for which case?) if both the server and client
certs were signed by the same CA cert, say CA1? How do the rings look
like?

Regards,
Wai 


Wai Choi - RACF Development
Tie-line:295-7623
External: (845)435-7623
Internet: [EMAIL PROTECTED]

END QUOTE.
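
The ring contents in the quoted foil, worked through as an added example that is not part of the original message: a small Python model that derives the minimum contents of ring X and ring Y from who signed what, and lists what a given pair of rings is missing. It assumes, as the foil's answers do, that each side keeps its own signing chain in its ring; the dictionaries and function names are constructed for illustration.

```python
# Constructed model of the foil: certificate label -> label of its signer.
# A root CA signs itself. Labels follow the foil (CA1, CA2, S, C).
TWO_CAS = {"CA1": "CA1", "CA2": "CA2", "S": "CA1", "C": "CA2"}
ONE_CA = {"CA1": "CA1", "S": "CA1", "C": "CA1"}


def chain(cert, issuer):
    """Labels from cert up to its self-signed root, in order."""
    path = [cert]
    while issuer[path[-1]] != path[-1]:
        if issuer[path[-1]] in path:
            raise ValueError("signing loop at %s" % path[-1])
        path.append(issuer[path[-1]])
    return path


def minimal_rings(issuer, client_auth, server="S", client="C"):
    """Smallest (ring_x, ring_y) for a handshake under this model."""
    ring_x = set(chain(server, issuer))        # server presents S with its chain
    ring_y = {chain(server, issuer)[-1]}       # client must trust S's root
    if client_auth:
        ring_y |= set(chain(client, issuer))   # client presents C with its chain
        ring_x.add(chain(client, issuer)[-1])  # server must trust C's root
    return ring_x, ring_y


def handshake_problems(issuer, ring_x, ring_y, client_auth, server="S", client="C"):
    """List what is missing from each ring; an empty list means success."""
    need_x, need_y = minimal_rings(issuer, client_auth, server, client)
    problems = ["ring X lacks %s" % c for c in sorted(need_x - set(ring_x))]
    problems += ["ring Y lacks %s" % c for c in sorted(need_y - set(ring_y))]
    return problems
```

For the single-CA case raised under "Further thinking", `minimal_rings(ONE_CA, True)` gives ring X = CA1, S and ring Y = CA1, C.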



Re: Secure FTP on the Mainframe

2005-05-26 Thread Dave Gibney

   I've just recently done both secure FTP and TN3270 in z/OS 1.4
I used the redbook volume 7. I found gskkyman just as confusing as RACF, so 
I used RACF :)
   I also need to thank Sam for pointing out Filezilla, which is a good 
FTP client and supports TLS
   One recommendation I would make is to set up your RACDCERT command in 
batch TSO JCL.

It's a lot easier to see the errors.

At 12:41 PM 5/26/2005 -0400, you wrote:
Nothing wrong with using RACF for the CERT stuff but you can generate 
CERTS from OMVS using gskkyman.  Maybe it is better to learn to crawl 
first rather than trying to run.


 [EMAIL PROTECTED] 05/26/05 12:32PM 
And here is the cross posting from the RACF list as promised:



Dave Gibney                [EMAIL PROTECTED]
System Programmer          (509) 335-7359
Information Technology
Washington State University
Pullman, WA 99164-1222



Re: Secure FTP on the Mainframe

2005-05-26 Thread Richard Pinion
I can't remember what I had to do to activate gskkyman.  Oh yes, I had to add 
GSK.SGSKLOAD
to PROG00 for APF and LNKLIST.  Run gskkyman from TSO/OMVS.  Once I had done 
the z/OS setup
as below I had to work with the network guys to punch a hole thru our firewall 
to allow FTP SSL.

Here are the parms that I have in SYSFTPD

//SYSFTPD  DD *
; -
;
; 7. Security options
;
; -

 SECURE_MECHANISM  TLS       ; Name of the security mechanism
                             ; that the client uses when it
                             ; sends an AUTH command to the
                             ; server.
                             ; GSSAPI = Kerberos support
                             ; TLS    = TLS

 SECURE_FTP        REQUIRED  ; Authentication indicator
                             ; ALLOWED        (D)
                             ; REQUIRED

 SECURE_CTRLCONN   private   ; Minimum level of security for
                             ; the control connection
                             ; CLEAR          (D)
                             ; SAFE
                             ; PRIVATE

 SECURE_DATACONN   private   ; Minimum level of security for
                             ; the data connection
                             ; NEVER
                             ; CLEAR          (D)
                             ; SAFE
                             ; PRIVATE

;SECURE_PBSZ       16384     ; Kerberos maximum size of the
                             ; encoded data blocks
                             ; Default value is 16384
                             ; Valid range is 512 through 32768

; Name of a ciphersuite that can be passed to the partner during
; the TLS handshake. None, some, or all of the following may be
; specified. The number to the far right is the cipherspec id
; that corresponds to the ciphersuite's name.
 CIPHERSUITE       SSL_DES_SHA       ; 09
 CIPHERSUITE       SSL_3DES_SHA      ; 0A
 CIPHERSUITE       SSL_NULL_MD5      ; 01
 CIPHERSUITE       SSL_NULL_SHA      ; 02
 CIPHERSUITE       SSL_RC4_MD5_EX    ; 03
 CIPHERSUITE       SSL_RC4_MD5       ; 04
 CIPHERSUITE       SSL_RC4_SHA       ; 05
 CIPHERSUITE       SSL_RC2_MD5_EX    ; 06

 KEYRING           /ftp/ssl/mykeyring  ; Name of the keyring for TLS
                             ; It can be the name of an HFS
                             ; file (name starts with /) or
                             ; a resource name in the security
                             ; product (e.g., RACF)

 TLSTIMEOUT        060       ; Maximum time limit between full
                             ; TLS handshakes to protect data
                             ; connections
                             ; Default value is 100 seconds.
                             ; Valid range is 0 through 86400
                             ;
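
A review aid for the SYSFTPD statements quoted above, as an added example that is not part of the original message: Python that parses FTP.DATA-style statements and reports settings left at their (D) defaults and cipher suites whose names show no, export-grade, single-DES or RC4 encryption. The sample member and function names are constructed; only statements that appear in the message are interpreted.

```python
# Constructed sample modelled on the SYSFTPD statements quoted above.
SAMPLE = """\
//SYSFTPD  DD *
 SECURE_MECHANISM  TLS               ; security mechanism
 SECURE_FTP        REQUIRED          ; ALLOWED (D) / REQUIRED
 SECURE_CTRLCONN   private
 SECURE_DATACONN   private
;SECURE_PBSZ       16384             ; commented out, so ignored
 CIPHERSUITE       SSL_DES_SHA       ; 09
 CIPHERSUITE       SSL_3DES_SHA      ; 0A
 CIPHERSUITE       SSL_NULL_MD5      ; 01
 CIPHERSUITE       SSL_RC4_MD5_EX    ; 03
 KEYRING           /ftp/ssl/mykeyring
"""

# Defaults are the values marked (D) in the quoted comments.
DEFAULTS = {"SECURE_FTP": "ALLOWED", "SECURE_CTRLCONN": "CLEAR",
            "SECURE_DATACONN": "CLEAR"}


def parse_ftpdata(text):
    """Return (settings, ciphersuites); ';' starts a comment."""
    settings, suites = dict(DEFAULTS), []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2 or line.startswith("//"):
            continue  # blank, comment-only, bare keyword or JCL card
        keyword, value = parts[0].upper(), parts[1].strip()
        if keyword == "CIPHERSUITE":
            suites.append(value.upper())
        else:
            settings[keyword] = value.upper() if keyword in DEFAULTS else value
    return settings, suites


def suite_weakness(name):
    """Reason a suite is weak, judged from its name alone, else None."""
    if "_NULL_" in name:
        return "no encryption, integrity check only"
    if name.endswith("_EX"):
        return "export-grade 40-bit key"
    if "_DES_" in name:  # matches SSL_DES_SHA, not SSL_3DES_SHA
        return "single DES, 56-bit key"
    if "_RC4_" in name:
        return "RC4 stream cipher"
    return None


def lint(text):
    """Return a list of findings for one FTP.DATA-style member."""
    settings, suites = parse_ftpdata(text)
    findings = []
    if settings["SECURE_FTP"] != "REQUIRED":
        findings.append("SECURE_FTP %s: TLS is optional" % settings["SECURE_FTP"])
    for stmt in ("SECURE_CTRLCONN", "SECURE_DATACONN"):
        if settings[stmt] != "PRIVATE":
            findings.append("%s %s: below PRIVATE" % (stmt, settings[stmt]))
    for name in suites:
        reason = suite_weakness(name)
        if reason:
            findings.append("CIPHERSUITE %s: %s" % (name, reason))
    return findings
```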

Re: Secure FTP on the Mainframe

2005-05-26 Thread Ulrich Boche

[EMAIL PROTECTED] wrote:

There must be something in the air or water, or maybe you have a spy here.
I was just asked the same thing.

I tried to get a 3270 emulator to support SSL/TLS but was told by our
manager that SSL had nothing to do with encryption so forget it.

Anyway, I'm in the process of trying to install the ICSF and have also found
some keywords in the IP Configuration manual for secure FTP.

Craig



Sorry to say but your manager is absolutely, positively clueless. SSL or 
TLS definitely has to do with encryption. From a security standpoint, it 
is one of the best implementations of encryption methods available today.


The TN3270E server on z/OS supports SSL and TLS for encrypted sessions, 
optionally even to the point of authenticating users with digital 
certificates.

--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner



Re: Secure FTP on the Mainframe

2005-05-26 Thread Ulrich Boche

Howard Rifkind wrote:


We would like to install Secure FTP in our mainframe's TCP/IP configuration and I 
have no idea how to do this.
 
Would someone be kind enough to point me in the right direction where to start and what manuals to check out, and what to be aware of.
 
I'm not really prime time with TCP/IP.  Thanks.




Which kind of secure FTP are you looking for? There are two:

1. FTP (the ftpd daemon) with SSL/TLS support, commonly called ftps:

2. SFTP, a secure file transfer protocol implemented by OpenSSH.

The protocols are incompatible but both are available on z/OS. The UNIX 
people usually prefer SFTP.

--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner



Re: Secure FTP on the Mainframe

2005-05-26 Thread Vik
I think this would really help you to get going with what you want --
 
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/F1A1B340/2.3.10?SHELF=F1A1BK50&DT=20040609153838
 
Please have a look into the following REDBOOK (lists the key ring set up):
 
SG24-6840-00 Communications Server for z/OS V1R2 TCP/IP Implementation 
Guide Volume 7: Security   Chapters 9 & 10 mostly I think! 
 
Link -- http://www.redbooks.ibm.com/redbooks/pdfs/sg246840.pdf
 
-Vik


Howard Rifkind [EMAIL PROTECTED] wrote:
We would like to install Secure FTP in our mainframe's TCP/IP configuration and
I have no idea how to do this.

Would someone be kind enough to point me in the right direction where to start 
and what manuals to check out, and what to be aware of.

I'm not really prime time with TCP/IP. Thanks.


