Re: Secure FTP (Was: z/OS every two years)
On Sat, 2012-04-14 at 00:54 +, Gibney, Dave wrote:

-Original Message-
snip

And, I've always found FTPS (granted no client identification certs yet) easier. None of that USS, sometimes called OMVS, perhaps properly called z/OS Unix System Services, involved :) Actually, I recently finished a sporadic effort to automount /u using ZFS. Now I can manage user's data in the zUnix arena. I may get back to trying ssh/sftp someday.

If you implement the freely available SSH enhancements from Dovetailed Technologies, their sftp server can access the same z/OS legacy datasets and SPOOL (get to read a job's output, put to submit a job) as FTP. http://dovetail.com . Not only is the basic code free, you don't even need to register with them to download it. Literally no questions asked! Just download and implement. And it's fairly simple. If you want support, you can get that with a support contract.

Dave Gibney
Information Technology Services
Washington State University

--
John McKown
Maranatha!

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
Re: Secure FTP (Was: z/OS every two years)
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of John McKown
Sent: Saturday, April 14, 2012 1:16 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Secure FTP (Was: z/OS every two years)

On Sat, 2012-04-14 at 00:54 +, Gibney, Dave wrote:

-Original Message-
snip

And, I've always found FTPS (granted no client identification certs yet) easier. None of that USS, sometimes called OMVS, perhaps properly called z/OS Unix System Services, involved :) Actually, I recently finished a sporadic effort to automount /u using ZFS. Now I can manage user's data in the zUnix arena. I may get back to trying ssh/sftp someday.

If you implement the freely available SSH enhancements from Dovetailed Technologies, their sftp server can access the same z/OS legacy datasets and SPOOL (get to read a job's output, put to submit a job) as FTP. http://dovetail.com . Not only is the basic code free, you don't even need to register with them to download it. Literally no questions asked! Just download and implement. And it's fairly simple. If you want support, you can get that with a support contract.

I looked at that more than once. I honestly don't remember what, if any, impediment stopped me for that route. Maybe merely time. Probably incomplete configuring of Ported Tools. :) I'll look again if I get a chance, but I think I'm even more of a one man show than you are. Currently I have to deal with our disk array going EOSL end of June by surprise. It's possible that the vendor did notify the guy who left abruptly, but I don't know.

Dave Gibney
Information Technology Services
Washington State University

--
John McKown
Maranatha!
Re: Secure FTP (Was: z/OS every two years)
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Edward Jaffe
Sent: Friday, April 13, 2012 5:23 PM
To: IBM-MAIN@bama.ua.edu
Subject: Secure FTP (Was: z/OS every two years)

On 4/13/2012 5:04 PM, Art Gutowski wrote:

I see. Anyone else share in Mary Anne's sentiment? In other words, is FTPS (or SFTP?) as much a requirement/priority notwithstanding the impending ShopzSeries / RECEIVE ORDER requirement? If so, and you can respond, please drop me a line off-list. Nothing detailed... just curious.

We have customers that insist on 'secure' FTP for sending dumps, downloading files, etc. We set up an SFTP server on our public Internet site and that seems to have satisfied all requirements thus far. We don't currently support FTPS with x.509 certificates. Hopefully, we'll never be asked to do so. It's a PITA.

And, I've always found FTPS (granted no client identification certs yet) easier. None of that USS, sometimes called OMVS, perhaps properly called z/OS Unix System Services, involved :) Actually, I recently finished a sporadic effort to automount /u using ZFS. Now I can manage user's data in the zUnix arena. I may get back to trying ssh/sftp someday.

Dave Gibney
Information Technology Services
Washington State University

--
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
310-338-0400 x318
edja...@phoenixsoftware.com
http://www.phoenixsoftware.com/
Re: Secure FTP Server software vendors
Hal Merritt wrote:

We are trying to set up a TLS FTP with a customer with us as client. The customer's software vendor seems to be baffled. Any Windows based TLS/SSL FTP server software that works for you for exchanges with z/os? For example, one of our customers is using a product from Momentum that seems to be working just fine.

Ipswitch has WS_FTP Professional which has both client and server products. I'm using the WS_FTP Professional client since a long time. It is working quite well with z/OS FTP servers (better than many other clients I have tried). I have no experience with their server products, I can just extrapolate my good experience with the client product.

The only disadvantage of the WS_FTP client is that it does not support the MSCAPI and the Windows certificate store, you need to import all certificates in WS_FTP's own certificate store. Don't know if the server has the same shortcoming.

--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Secure FTP Server software vendors
Dumb question, but what sort of information would you be FTPing?

- - - - -
Timothy Sipples
IBM Consulting Enterprise Software Architect
Based in Tokyo, Serving IBM Japan / Asia-Pacific
E-Mail: timothy.sipp...@us.ibm.com
Re: Secure FTP Server software vendors
I use the Filezilla client, http://filezilla-project.org. Their web page says they have a server but I've never used it.

Len Rugen
Re: Secure FTP Server software vendors
We also demo'd www.sslftp.com. It has a server that worked, but we only use the client piece.

Jim Wangler
214-502-6445

We are trying to set up a TLS FTP with a customer with us as client. The customer's software vendor seems to be baffled. Any Windows based TLS/SSL FTP server software that works for you for exchanges with z/os? For example, one of our customers is using a product from Momentum that seems to be working just fine.

Thanks!!
Re: Secure FTP Server software vendors
The latest version of Windows has an SSL Server... That's what we are using.

Jim Wangler
214-502-6445

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Hal Merritt
Sent: Thursday, February 19, 2009 8:42 AM
To: IBM-MAIN@bama.ua.edu
Subject: Secure FTP Server software vendors

We are trying to set up a TLS FTP with a customer with us as client. The customer's software vendor seems to be baffled. Any Windows based TLS/SSL FTP server software that works for you for exchanges with z/os? For example, one of our customers is using a product from Momentum that seems to be working just fine.

Thanks!!
Re: Secure FTP Server software vendors
FTPS (FTP/TLS) can be tricky wrt implementation incompatibilities. There are a couple of other options:

1) Tunnel regular FTP in an SSH connection. This would require that the Windows server also run SSHD, but OpenSSH for Windows is free and very easy to setup. We have a free / open source Java SSH/FTP tunneling tool that you can run on z/OS or another host in your local network. See our website for details, or send me a note offline.

2) Use a Linux box as a file transfer gateway for z/OS. This can be setup with all free software in such a way so that everything is controlled from a z/OS batch job. MVS datasets can be transferred to any host without any data-at-rest on the Linux appliance. The Linux curl command is a swiss army knife for all kinds of file transfer protocols (FTP/S, HTTP, SFTP, etc) and you can even script in file transformations such as compression, pgp, etc. For details, refer to an article that we wrote in the zJournal August/September 2008 issue, or send me an email offline and I'll forward you a copy.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Thu, Feb 19, 2009 at 8:41 AM, Hal Merritt hmerr...@jackhenry.com wrote:

We are trying to set up a TLS FTP with a customer with us as client. The customer's software vendor seems to be baffled. Any Windows based TLS/SSL FTP server software that works for you for exchanges with z/os? For example, one of our customers is using a product from Momentum that seems to be working just fine.

Thanks!!
Re: Secure FTP Server software vendors
The latest versions of the Filezilla client fail with TLS. Filezilla plugged a RFC hole. Last I pursued with IBM the answer was implement AT-TLS which I haven't had time to pursue. The last I tested Filezilla server worked fine, but it has been some years.

As far as I know, Ipswitch's, Bluezone's, and couple other's servers would work well with Z/OS SSL clients. It's been about 4 or 5 years since I downloaded everyone I could find and tested them. I may still have the write-up if I didn't lose it in the PC hard disk failure I had a couple years ago. Anyway, most of our departments use Ipswitch's.

Dave Gibney
Information Technology Services
Washington State University

-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of Rugen, Len
Sent: Thursday, February 19, 2009 6:48 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Secure FTP Server software vendors

I use the Filezilla client, http://filezilla-project.org. Their web page says they have a server but I've never used it.

Len Rugen
Re: secure ftp on the mainframe
Rafael Fernandez L. wrote:

Nobody mentioned ftp with GSSAPI (kerberos) ?

Ignacio Landín Villegas

Probably because there is rarely anyone using it. Furthermore, it was all but unusable for a long time: although the Kerberos ticket provided the cross-reference with the RACF userid, support for SECURE_PASSWORD OPTIONAL was not available until, IIRC, z/OS V1R7 or V1R8. Nobody wants to go through the installation of Kerberos with FTP on z/OS if you don't even get single sign-on.

Also, if you use Kerberos with z/OS and Windows, the only common encryption algorithm is DES with 56-bit keys. Windows doesn't support Triple DES and z/OS doesn't support RC4. AES support (128- or 256-bit keys) requires z/OS V1R9 and Windows Vista and/or Windows Server 2008.

(Sorry, sent my posting just to the newsgroup in my first attempt).

--
Ulrich Boche
SVA GmbH, Germany
IBM Business Partner
Re: secure ftp on the mainframe
Nobody mentioned ftp with GSSAPI (kerberos) ?

Ignacio Landín Villegas

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Hal Merritt
Sent: Tuesday, July 29, 2008 10:39 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

Oh. I thought you were switching contexts. Now I see. And thanks to Kirk for the additional enlightenment.

A file transfer protocol that isn't FTP is more than a little confusing. Let's see, we have:

FTP
FTP under TLS
SSH packet file mover
FTP under SSH

But SSH also can be used for other things, like telnet, web service, etc, right?

My head hurts :-)

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Walt Farrell
Sent: Tuesday, July 29, 2008 2:13 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

On Tue, 29 Jul 2008 11:22:16 -0500, Hal Merritt [EMAIL PROTECTED] wrote:

I was referring to the sftp that Walt mentioned. My take was that it was neither TLS nor SSH.

SFTP is not FTP at all. It is a secure, FTP-like communication protocol.

Perhaps you didn't see the next sentence of that message?

SFTP here, is a function provided by the ssh protocols.

--
Walt
Re: secure ftp on the mainframe
Do you have any links to SFTP sources? Google search results were confusing and ambiguous.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Walt Farrell
Sent: Thursday, July 24, 2008 11:04 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

On Thu, 24 Jul 2008 08:00:55 -0700, Kurt Eastwood [EMAIL PROTECTED] wrote:

Is SFTP really a 'secure ftp'?

SFTP is not FTP at all. It is a secure, FTP-like communication protocol. (SFTP here, is a function provided by the ssh protocols.)

I'm not sure anyone has really stated that in this thread, so I thought I'd mention it. Others have discussed additional details that I don't need to repeat.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design
Re: secure ftp on the mainframe
-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Hal Merritt
Sent: Tuesday, July 29, 2008 10:27 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

Do you have any links to SFTP sources? Google search results were confusing and ambiguous.

sftp (not SFTP) is a part of SSH. Try: http://www.openssh.org/manual.html in particular http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1

Or maybe I'm not understanding your question. sftp is a part of SSH. One thing that might be confusing is that there is not an sftp daemon. The sftp client talks to the ssh daemon, just like the ssh command does. Or the scp program, for that matter.

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology
Re: secure ftp on the mainframe
http://www-03.ibm.com/servers/eserver/zseries/zos/unix/pdf/docs/fotza105.pdf

from page 14:

OpenSSH's sftp and IBM Communications Server's FTP with System SSL differ from each other. OpenSSH's sftp is an Open Source implementation of the IETF Secure Shell (SECSH) SSH File Transfer Protocol Internet Draft. OpenSSH uses a statically linked OpenSSL archive library to perform its cryptographic functions. OpenSSH does not provide key management facilities, nor is integrated with those provided by IBM. Password authentication is the only form of authentication where OpenSSH queries the security product. Public key authentication is currently overseen by the daemon.

The Communications Server FTP server and client support Transport Layer Security (TLS). The FTP client and server negotiate the use of TLS based on a subset of the FTP security negotiation functions documented in RFC 2228. FTP uses z/OS System SSL, and therefore can use the cryptographic hardware. FTP can also use SAF facilities for key management.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Hal Merritt
Sent: Tuesday, July 29, 2008 10:27 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

Do you have any links to SFTP sources? Google search results were confusing and ambiguous.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Walt Farrell
Sent: Thursday, July 24, 2008 11:04 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

On Thu, 24 Jul 2008 08:00:55 -0700, Kurt Eastwood [EMAIL PROTECTED] wrote:

Is SFTP really a 'secure ftp'?

SFTP is not FTP at all. It is a secure, FTP-like communication protocol. (SFTP here, is a function provided by the ssh protocols.)

I'm not sure anyone has really stated that in this thread, so I thought I'd mention it. Others have discussed additional details that I don't need to repeat.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design
Re: secure ftp on the mainframe
sftp usually refers to the file transfer protocol that works as an ssh subsystem (although some use the term to refer to FTP/TLS).

In the OpenSSH implementation, sftp and sftp-server are separate binaries that are shipped as part of OpenSSH. The sources for sftp and sftp-server are available from: http://www.openssh.com/

It is possible to port these to z/OS and use them with IBM's port of ssh and sshd. It is very easy to configure sshd to use a different sftp-server. The later versions of OpenSSH rely on a newer version of the GNU autoconf tool chain, which is not available for z/OS, so that complicates things. And of course, adding in the z/OS specific patches, especially to support datasets, PDSs, etc, is a big job.

Kirk Wolf
Dovetailed Technologies

On Tue, Jul 29, 2008 at 10:27 AM, Hal Merritt [EMAIL PROTECTED] wrote:

Do you have any links to SFTP sources? Google search results were confusing and ambiguous.
Re: secure ftp on the mainframe
I was referring to the sftp that Walt mentioned. My take was that it was neither TLS nor SSH.

SFTP is not FTP at all. It is a secure, FTP-like communication protocol.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Dooley, Robert
Sent: Tuesday, July 29, 2008 10:34 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

http://www-03.ibm.com/servers/eserver/zseries/zos/unix/pdf/docs/fotza105.pdf

..snip
Re: secure ftp on the mainframe
On Tue, 29 Jul 2008 11:22:16 -0500, Hal Merritt [EMAIL PROTECTED] wrote:

I was referring to the sftp that Walt mentioned. My take was that it was neither TLS nor SSH.

SFTP is not FTP at all. It is a secure, FTP-like communication protocol.

Perhaps you didn't see the next sentence of that message?

SFTP here, is a function provided by the ssh protocols.

--
Walt
Re: secure ftp on the mainframe
It's all a little confusing...

SSH is a tool/protocol for providing a secure connection over IP networks. Once you have a connection, you can have multiple channels routed over it. Channels could be interactive terminal sessions (to replace telnet), port-forwarding channels, command redirection channels, and subsystem channels (which are a special case of command channels). Here's the main RFC for SSH: http://www.ietf.org/rfc/rfc4251.txt

A *separate* tool distributed with most SSH implementations is sftp, which runs as an SSH subsystem. The sftp protocol is a packet protocol for file transfer that *assumes* that you already have a secure connection, and by default the sftp command line tool simply invokes the command line tool to setup its secure channel. sftp doesn't have connection setup, authentication, encryption, compression, etc - it relies on SSH to do that. Here's the main RFC for SFTP: http://tools.ietf.org/wg/secsh/draft-ietf-secsh-filexfer/

Another spin on this is that you can also use SSH to setup a secure channel and a SOCKS proxy and then use an *FTP* client over the secure SSH channel via the proxy. This is an alternative to FTP/TLS, which can be a nightmare for firewalls and NAT routers due to its use of multiple sockets which, when encrypted, can't be snooped to setup the data port connection.

FWIW, we use SSH subsystem channels in our (free) Co:Z product to setup a secure connection from a batch job to a remote Unix/Windows process. Additional channels are setup via port forwarding if the remote process wants to access z/OS datasets from the launching job.

Anyway, the SSH protocol is very cool, and the OpenSSH project is some of the most useful free software available. If you really want to be in the club, support them by buying one of their cool tee shirts ( http://www.openssh.org/tshirts.html)

Kirk Wolf
Dovetailed Technologies
http://dovetail.com
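
The point made above, that sftp is a packet protocol with no connection setup, authentication or encryption of its own, can be seen in its wire format. This is an added example, not part of the original post or of any product mentioned in it: Python code that builds and parses two version 3 packets from the filexfer draft. The path, the request id and the `MAX_PACKET` limit are constructed for the illustration.

```python
import struct

# Packet type numbers from draft-ietf-secsh-filexfer-02 (SFTP protocol version 3).
SSH_FXP_INIT, SSH_FXP_VERSION, SSH_FXP_OPEN = 1, 2, 3
FXP_NAMES = {1: "SSH_FXP_INIT", 2: "SSH_FXP_VERSION", 3: "SSH_FXP_OPEN",
             4: "SSH_FXP_CLOSE", 5: "SSH_FXP_READ", 6: "SSH_FXP_WRITE",
             101: "SSH_FXP_STATUS", 102: "SSH_FXP_HANDLE", 103: "SSH_FXP_DATA"}
SSH_FXF_READ = 0x00000001
MAX_PACKET = 256 * 1024  # sanity limit chosen for this example


def ssh_string(data):
    """SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def frame(ptype, payload):
    """Every SFTP packet is: uint32 length, one type byte, type-specific payload."""
    body = bytes([ptype]) + payload
    return struct.pack(">I", len(body)) + body


def fxp_init(version=3):
    # The whole "handshake": a version number. No user, password, key or cipher.
    return frame(SSH_FXP_INIT, struct.pack(">I", version))


def fxp_open(request_id, path, pflags):
    attrs = struct.pack(">I", 0)  # ATTRS with no optional fields: flags word only
    payload = (struct.pack(">I", request_id) + ssh_string(path.encode("utf-8"))
               + struct.pack(">I", pflags) + attrs)
    return frame(SSH_FXP_OPEN, payload)


class Reader:
    """Bounds-checked cursor over one packet body."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("field runs past end of packet")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint32(self):
        return struct.unpack(">I", self.take(4))[0]

    def string(self):
        return self.take(self.uint32())


def decode(body):
    r = Reader(body)
    ptype = r.take(1)[0]
    name = FXP_NAMES.get(ptype, "type %d" % ptype)
    if ptype in (SSH_FXP_INIT, SSH_FXP_VERSION):
        return name, {"version": r.uint32()}
    fields = {"id": r.uint32()}  # all other packets start with a request id
    if ptype == SSH_FXP_OPEN:
        fields["path"] = r.string().decode("utf-8", "replace")
        fields["pflags"] = r.uint32()
    return name, fields


def parse_stream(buf):
    """Return (decoded packets, unconsumed bytes of an incomplete trailing packet)."""
    packets, pos = [], 0
    while len(buf) - pos >= 4:
        (length,) = struct.unpack_from(">I", buf, pos)
        if not 1 <= length <= MAX_PACKET:
            raise ValueError("implausible packet length %d" % length)
        if len(buf) - pos - 4 < length:
            break  # wait for more bytes from the channel
        packets.append(decode(buf[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return packets, buf[pos:]


if __name__ == "__main__":
    stream = fxp_init() + fxp_open(7, "/u/user/report.txt", SSH_FXF_READ)
    print(stream.hex())
    print(parse_stream(stream))
```

Everything these packets contain is readable as-is; confidentiality, integrity and login all come from the SSH transport and user-authentication layers that carry the subsystem channel.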
Re: secure ftp on the mainframe
Oh. I thought you were switching contexts. Now I see. And thanks to Kirk for the additional enlightenment.

A file transfer protocol that isn't FTP is more than a little confusing. Let's see, we have:

FTP
FTP under TLS
SSH packet file mover
FTP under SSH

But SSH also can be used for other things, like telnet, web service, etc, right?

My head hurts :-)

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Walt Farrell
Sent: Tuesday, July 29, 2008 2:13 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

On Tue, 29 Jul 2008 11:22:16 -0500, Hal Merritt [EMAIL PROTECTED] wrote:

I was referring to the sftp that Walt mentioned. My take was that it was neither TLS nor SSH.

SFTP is not FTP at all. It is a secure, FTP-like communication protocol.

Perhaps you didn't see the next sentence of that message?

SFTP here, is a function provided by the ssh protocols.

--
Walt
Re: secure ftp on the mainframe
Kurt Eastwood wrote:

Hello, First off let me say I am not an FTP expert. We currently use FTP on the mainframe to send files to various sites. We also use SFTP on the UNIX boxes to send files to various sites. I am looking for any information or help on using SFTP, which I understand to be 'secure ftp' on the mainframe to send files with sensitive information in them. Is SFTP really a 'secure ftp'?

There are several flavours of secure ftp. It can be FTP over SSL/TLS, it's sometimes called FTPS - this is what you surely have. It can be sftp - AFAIK ftp over SSH. It is available on z/OS as free and unsupported tool. AFAIK it supports HFS files only (I mean any Unix file, regardless of filesystem type: ZFS, HFS, etc.) I vaguely remember some other type of secure ftp, but I can't remember any details.

HTH

--
Radoslaw Skorupka
Lodz, Poland

--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl
Re: secure ftp on the mainframe
We run FTP with SSL and FTP with SSH. FTP/SSL is part of TCPIP, while sftp (FTP/SSH) is part of IBM Ported Tools (free for the download). We run both from batch procedure.

We have RACF control the certificates and keyrings for FTP/SSL. Then you use the SYSFTPD DD statement to tell FTP if SSL is to be used, what ciphers to use and where to find the keyring.

FTP/SSL works with MVS data sets, while sftp does not. Sftp only works with HFS files. So our batch procedure transfers the MVS data set to a HFS file before it invokes sftp. You will also need a .ssh directory under the home directory for the userid of the job. Inside that directory you will need a known.hosts file that must contain the keys from the outside clients. You need the keys because batch sftp does not allow you to use a userid/password.

Good Luck.

Brad Wissink
Information Technology Services
Iowa State University
515-294-3088

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Kurt Eastwood
Sent: Thursday, July 24, 2008 10:01 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: secure ftp on the mainframe

Hello, First off let me say I am not an FTP expert. We currently use FTP on the mainframe to send files to various sites. We also use SFTP on the UNIX boxes to send files to various sites. I am looking for any information or help on using SFTP, which I understand to be 'secure ftp' on the mainframe to send files with sensitive information in them.

Is SFTP really a 'secure ftp'? Can SFTP be used on the mainframe and if so can anyone give some guidance on how they use it and what is needed to begin using it? Is SFTP for the mainframe an additional program that you have to purchase? I find FTP in TCPIP.SEZALOAD but cannot find any reference to SFTP on the mainframe.

Thank you in advance for your help.

Kurt
Re: secure ftp on the mainframe
-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Kurt Eastwood

> Hello, First off let me say I am not an FTP expert. We currently use FTP on the mainframe to send files to various sites. We also use SFTP on the UNIX boxes to send files to various sites. I am looking for any information or help on using SFTP, which I understand to be 'secure ftp' on the mainframe to send files with sensitive information in them. Is SFTP really a 'secure ftp'?

Yes, if you accept encrypted transfers as secure.

> Can SFTP be used on the mainframe and if so can anyone give some guidance on how they use it and what is needed to begin using it?

Yes. Many posts on the subject in the IBM-MAIN archives.

> Is SFTP for the mainframe an additional program that you have to purchase?

Yes. The price is $ZERO.

> I find FTP in TCPIP.SEZALOAD but cannot find any reference to SFTP on the mainframe.

It's included in the z/OS Unix Ported Tools product, which is available at no charge via ShopzSeries.

-jc-
Re: secure ftp on the mainframe
As another posted, 'sftp' is not a unique enough name. There is a 'speedy' FTP that uses a proprietary protocol, for example.

The short answer to your question is that there are several 'flavors' of data encryption offered on z/os. The two main types are TLS (transport layer security, formerly known as 'secure sockets layer' or SSL) and SSH (secure shell).

SSH is very popular in tinkertoyland, but is currently a huge PITA to implement on z/os. SSH uses only the *nix side of the house and data has to be copied to and from z/fs. Hopefully someday regular z/os datasets will be directly supported.

TLS is certificate based (a very widely used strategy) and fits right into your regular z/os batch solutions. Getting the infrastructure up and running for encrypted FTP and TN3270 under TLS is almost trivial. A few entries in TCPPARMS and you are there. Certificate management, on the other hand, is likely the second most confusing thing you'll ever run into. (Women are first on that list :-D )

Just to confuse things even more, the definition of 'secure' may be changing. Heretofore, 'secure' meant only that data (to include login passwords) not flow in the open over a network. A recent audit 'issue' is that we implement both client as well as server authentication over and beyond logon credentials (the familiar ID and password). The root issue is to protect against a 'man in the middle' attack.

But wait! There's more! Keep in mind that, no matter what you choose, the other host has to be doing the same thing and you may have little or no control over that host.

HTH and good luck.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Kurt Eastwood
Sent: Thursday, July 24, 2008 10:01 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: secure ftp on the mainframe

Hello, First off let me say I am not an FTP expert. We currently use FTP on the mainframe to send files to various sites. We also use SFTP on the UNIX boxes to send files to various sites. I am looking for any information or help on using SFTP, which I understand to be 'secure ftp' on the mainframe to send files with sensitive information in them.

Is SFTP really a 'secure ftp'? Can SFTP be used on the mainframe and if so can anyone give some guidance on how they use it and what is needed to begin using it? Is SFTP for the mainframe an additional program that you have to purchase? I find FTP in TCPIP.SEZALOAD but cannot find any reference to SFTP on the mainframe.

Thank you in advance for your help.

Kurt
Re: secure ftp on the mainframe
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Hal Merritt
Sent: Thursday, July 24, 2008 10:47 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

[snip]

> SSH is very popular in tinkertoyland, but is currently a huge PITA to implement on z/os. SSH uses only the *nix side of the house and data has to be copied to and from z/fs. Hopefully someday regular z/os datasets will be directly supported.

I agree. I wish that IBM had supplied their patches to OpenSSH so that others could look at extending sftp to legacy datasets. I will also mention that Dovetailed Technologies Co:Z can do file transfers over OpenSSH which will access (read/write) legacy datasets. It is not sftp, but it is over an SSH encrypted channel.

[snip]

> HTH and good luck.

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology
Re: secure ftp on the mainframe
And you may consider file transfer over MQ, of course.

ITschak

| Itschak Mugzach | Director | SecuriTeam Software | | Email: [EMAIL PROTECTED] | Mob: +972 522 986404 | Skype: Itschak Mugzach | Web: www.Securiteam.co.il |

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of McKown, John
Sent: Thursday, July 24, 2008 5:49 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Hal Merritt
Sent: Thursday, July 24, 2008 10:47 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

[snip]

> SSH is very popular in tinkertoyland, but is currently a huge PITA to implement on z/os. SSH uses only the *nix side of the house and data has to be copied to and from z/fs. Hopefully someday regular z/os datasets will be directly supported.

I agree. I wish that IBM had supplied their patches to OpenSSH so that others could look at extending sftp to legacy datasets. I will also mention that Dovetailed Technologies Co:Z can do file transfers over OpenSSH which will access (read/write) legacy datasets. It is not sftp, but it is over an SSH encrypted channel.

[snip]

> HTH and good luck.

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology
Re: secure ftp on the mainframe
On Thu, 24 Jul 2008 17:05:40 +0200, R.S. [EMAIL PROTECTED] wrote:

> It can be sftp - AFAIK ftp over SSH. It is available on z/OS as free and unsupported tool. AFAIK it supports HFS files only (I mean any Unix file, regardless of filesystem type: ZFS, HFS, etc.) I vaguely remember some other type of secure ftp, but I can't remember any details.

The IBM Ported Tools for z/OS provides a free, and as far as I know supported, implementation of OpenSSH for z/OS. That will give sftp support, and other ssh functionality.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design
Re: secure ftp on the mainframe
On Thu, 24 Jul 2008 08:00:55 -0700, Kurt Eastwood [EMAIL PROTECTED] wrote:

> Is SFTP really a 'secure ftp'?

SFTP is not FTP at all. It is a secure, FTP-like communication protocol. (SFTP here, is a function provided by the ssh protocols.)

I'm not sure anyone has really stated that in this thread, so I thought I'd mention it. Others have discussed additional details that I don't need to repeat.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design
Re: Secure FTP
On Fri, 7 Mar 2008 16:21:25 -0600, Miller, Pat [EMAIL PROTECTED] wrote:

> I need to exchange files with an agency that uses sftp and SSH-2. From looking at the archives and the TCP/IP Implementation red book (vol 2, std apps), I am unclear whether I can use ftps and AT-TLS or am stuck with sftp.

sftp is not at all related to ftp. It is an entirely different protocol, part of SSH or OpenSSH processing.

Their agency might also support ftps, but you'd have to ask them. Alternatively you can install the IBM Ported Tools for z/OS as Richard mentioned, which will give you an OpenSSH implementation on z/OS, and that will give you the ability to use sftp.

http://www-03.ibm.com/servers/eserver/zseries/zos/unix/port_tools.html

For discussion of OpenSSH on z/OS I suggest using the MVS-OE mailing list rather than IBM-MAIN.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design
Re: Secure FTP
Miller, Pat wrote:

> I need to exchange files with an agency that uses sftp and SSH-2. From looking at the archives and the TCP/IP Implementation red book (vol 2, std apps), I am unclear whether I can use ftps and AT-TLS or am stuck with sftp. I'm not sure what platform they operate from, other than it's not z/OS. Go ahead. Educate me. Please.

sftp with ssh will not interoperate with ftps using TLS. So far we have been able to use TLS with most of the people we exchange data with. In a few cases we PGP encrypt the data and use regular FTP.

There is an ssh port at http://www-03.ibm.com/servers/eserver/zseries/zos/unix/port_tools.html

It may be incorporated in later releases (we are still 1.7). I have not tried this yet.

--
Richard
Re: Secure FTP Config: CIPHERSUITE statements?
Chase, John wrote:

> Hi, All, Is it better to order the CIPHERSUITE statements from weaker to stronger, or from stronger to weaker? Why? TIA, -jc-

Logically I would go from stronger to weaker since you want the strongest encryption that both sides can understand.

--
Mark Jacobs
Time Customer Service
Tampa, FL

A desire not to butt into other people's business is at least eighty percent of all human wisdom...and the other twenty percent isn't very important. Jubal Harshaw (Stranger in a Strange Land)
Re: Secure FTP
I got this via private e-mail. I'm posting it here for completeness.

Ed R.

From: [EMAIL PROTECTED]
Sent: Tuesday, March 14, 2006 12:52 PM
Subject: Re: Secure FTP

There's a few things you need to configure ...

* ICSF -- if you're going to use hardware encryption
    SA22-7520 ICSF System Programmers Guide
    SA22-7521 ICSF Administration
* System SSL -- I think it comes properly configured out of the box for z/OS ... don't remember doing anything with it. needed the manual to learn how to turn on the trace facility ...
    SC24-5901 System SSL programming
* RACF -- to set up keyrings and certificates, basically the RACDCERT command ...
    SA22-7683 RACF Security Administrators Guide
    SA22-7681 RACF System Programmers Guide
* Comm Server -- for ftp it's just a matter of editing the FTP.DATA configuration file. for tn3270E it's a matter of editing the PROFILE.TCPIP file.
Re: Secure FTP
Ed Rabara wrote:

> John S. Giltner, Jr. wrote:
>
> > We originally tried SFTP (SSH FTP) but ended up using FTPS (FTP TLS/SSL) instead. SSH FTP can only access files in a HFS/ZFS, no real mvs files, FTP TLS/SSL can access all files no matter where they live. As 99.9% of all the files we process are mvs files we found it made our life easier.
>
> I'm interested in enabling the secure part of secure FTP, secure TN3270 Server, etc. Am I to understand that to get those secure parts working you have to have TLS/SSL working on your system first? Can you point me to the most complete and useful manual to enable TLS/SSL on z/OS, please?

Try SG24-7170-00, Communications Server for z/OS V1R7 TCP/IP Implementation, Volume 2 Standard Applications

--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner
Re: Secure FTP
How about secure FTP on OS/390 2.9? Is there any hope?

Thanks,

Jim Weidt
Senior Systems Engineer
Jostens Inc. The Ponds
Office: 952-838-7555
Cell: 612-419-3738
[EMAIL PROTECTED]
** GBA **

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Ulrich Boche
Sent: Tuesday, March 14, 2006 8:09 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Secure FTP

Ed Rabara wrote:

> John S. Giltner, Jr. wrote:
>
> > We originally tried SFTP (SSH FTP) but ended up using FTPS (FTP TLS/SSL) instead. SSH FTP can only access files in a HFS/ZFS, no real mvs files, FTP TLS/SSL can access all files no matter where they live. As 99.9% of all the files we process are mvs files we found it made our life easier.
>
> I'm interested in enabling the secure part of secure FTP, secure TN3270 Server, etc. Am I to understand that to get those secure parts working you have to have TLS/SSL working on your system first? Can you point me to the most complete and useful manual to enable TLS/SSL on z/OS, please?

Try SG24-7170-00, Communications Server for z/OS V1R7 TCP/IP Implementation, Volume 2 Standard Applications

--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner
Re: Secure FTP
Don't think so. TLS/SSL FTP (FTPS) was introduced in z/OS 1.2. SSH FTP (SFTP) was in 1.4 I think, as an optional free package officially supported by IBM.

Weidt, James wrote:

> How about secure FTP on OS/390 2.9? Is there any hope?
>
> Thanks,
>
> Jim Weidt
> Senior Systems Engineer
> Jostens Inc. The Ponds
> Office: 952-838-7555
> Cell: 612-419-3738
> [EMAIL PROTECTED]
> ** GBA **
Re: Secure FTP
Cletus,

Your Industry may dictate a solution. For Example

Financial - Connect:Direct
International - HARBOR/FT
Commercial - FTP SSH

Contact the site where you must transfer to and from and gather a consensus of product standards from them.

Kevin

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of McGee, Cletus
Sent: Monday, March 13, 2006 10:39 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Secure FTP

We are exploring our options to meet a requirement to do a secure FTP from the Mainframe. I was wondering what others have done in this area. Any product suggestions or methodologies to accomplish this?

Thanks

***
Cletus McGee
Technical Services
(334) 394-3320
Have a grand day
Re: Secure FTP
On 13/03/06, McGee, Cletus [EMAIL PROTECTED] wrote:

> We are exploring our options to meet a requirement to do a secure FTP from the Mainframe. I was wondering what others have done in this area. Any product suggestions or methodologies to accomplish this?

We have used a SSH tunnel carrying FTP. The target box was a windows PC running copSSH.

--
Steve

Despair - It's always darkest just before it goes pitch black...
Re: Secure FTP
we're just in the throes of it now. looks like ibm's free 5655-m23 does the job

Jack Kelly
LA Systems @ US Courts
x 202-502-2390
Re: Secure FTP
We originally tried SFTP (SSH FTP) but ended up using FTPS (FTP TLS/SSL) instead. SSH FTP can only access files in a HFS/ZFS, no real mvs files, FTP TLS/SSL can access all files no matter where they live. As 99.9% of all the files we process are mvs files we found it made our life easier. We also found it easier to automate, as we already were using the FTP SMF exit to issue WTO for NetView to see when transmissions ended.

McGee, Cletus wrote:

> We are exploring our options to meet a requirement to do a secure FTP from the Mainframe. I was wondering what others have done in this area. Any product suggestions or methodologies to accomplish this?
>
> Thanks
>
> ***
> Cletus McGee
> Technical Services
> (334) 394-3320
> Have a grand day
Re: Secure FTP
John S. Giltner, Jr. wrote:

> We originally tried SFTP (SSH FTP) but ended up using FTPS (FTP TLS/SSL) instead. SSH FTP can only access files in a HFS/ZFS, no real mvs files, FTP TLS/SSL can access all files no matter where they live. As 99.9% of all the files we process are mvs files we found it made our life easier.

I'm interested in enabling the secure part of secure FTP, secure TN3270 Server, etc. Am I to understand that to get those secure parts working you have to have TLS/SSL working on your system first? Can you point me to the most complete and useful manual to enable TLS/SSL on z/OS, please?

TIA,
Ed R.
Re: Secure FTP
It's a Comm. Server (TCPIP) redbook. I don't remember the number, but I'd expect you to find it if you searched redbooks for SSL FTP TN3270

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Ed Rabara
Sent: Monday, March 13, 2006 8:44 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Secure FTP

John S. Giltner, Jr. wrote:

> We originally tried SFTP (SSH FTP) but ended up using FTPS (FTP TLS/SSL) instead. SSH FTP can only access files in a HFS/ZFS, no real mvs files, FTP TLS/SSL can access all files no matter where they live. As 99.9% of all the files we process are mvs files we found it made our life easier.

I'm interested in enabling the secure part of secure FTP, secure TN3270 Server, etc. Am I to understand that to get those secure parts working you have to have TLS/SSL working on your system first? Can you point me to the most complete and useful manual to enable TLS/SSL on z/OS, please?

TIA,
Ed R.
Re: Secure FTP on z/OS
Test results very positive on 1.4. I did find the 1.6 manuals somewhat easier to understand.

For testing, I used one LPAR to talk to another. I seem to recall that the server had to be correctly configured for the client to work properly on a given host.

One gotcha: don't use a human ID to own certificates. If that ID is ever deleted, so are the certificates. Or so I understand. There is lots of discussion on the RACF list.

HTH and good luck.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of John S. Giltner, Jr.
Sent: Tuesday, July 19, 2005 6:58 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Secure FTP on z/OS

Neal Eckhardt wrote:

> I have seen it documented that SSL/TLS is supported in the FTP server from z/OS 1.2 and later. Does the FTP client also support SSL/TLS? I can't find anything in the z/OS 1.4 configuration manual referencing SSL/TLS in the CLIENT.
>
> Thanks, Neal

Not sure about the 1.4 manuals, but it is in the 1.6 manuals. You may want to check the IP User's Guide and Commands. Look at the section on FTCDATA and the parameter SECURE_FTP.
Re: Secure FTP on z/OS
Neal Eckhardt wrote:

> I have seen it documented that SSL/TLS is supported in the FTP server from z/OS 1.2 and later. Does the FTP client also support SSL/TLS? I can't find anything in the z/OS 1.4 configuration manual referencing SSL/TLS in the CLIENT.
>
> Thanks, Neal

Not sure about the 1.4 manuals, but it is in the 1.6 manuals. You may want to check the IP User's Guide and Commands. Look at the section on FTCDATA and the parameter SECURE_FTP.
Re: secure ftp port 21 990 application layer firewall
On Tue, Jul 12, 2005 at 08:15:05AM -0500, Joel Ivey wrote:

> Peter, thanks for the response. Our firewall is by Symantec. According to the firewall folks, they cannot set up a separate set of rules to allow ftps traffic through 21/20 from certain ip addresses. It's either all or nothing. If they allow ftps traffic through, they won't be able to do deep inspection on those ports enterprise-wide.

I find that remarkable. Tell 'em to get another firewall. Even open-source firewalls have this capability, and Checkpoint Software's Firewall-1 has had it for nearly a decade.
Re: secure ftp port 21 990 application layer firewall
Joel,

I would suspect that the issue you're running into is that your firewall is doing stateful inspection. The problem is not that the firewall doesn't recognize AUTH TLS, but that it's having a problem during the TLS negotiation. It is something that we ran into when first starting with FTP-TLS transfers.

BTW, is your firewall CheckPoint FW-1? If you're running FW-1 NG, or higher, it is relatively easy for them to set up a separate service definition and turn off the stateful inspection. You have to do it for both the control port and the data ports. If you don't get your firewall folks to turn the stateful inspection off, the transfers won't work. You can see the failure by turning on DEBUG SEC.

We do not use port 990. Due to its use being deprecated by IETF and not in the proposed standard, I try to steer away from it. All connections we do are port 21. Now, if you're running your own FTP Server, you can choose to use a different port for the control connection, as one of the companies we transmit to (via ftp client on our side) does. But for 99% of the cases we have, the servers are using port 21.

Peter I. Vander Woude
Sr. Mainframe Engineer
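An added example, not from any poster in this thread: it shows the two distinctions the messages above keep returning to, using constructed control-channel captures. An SSH server (which carries sftp) announces itself with an `SSH-` identification string while an FTP server sends a `220` reply, and once an explicit-FTPS client's `AUTH TLS` is answered with `234`, a firewall on the path no longer sees the commands or the PASV reply that names the data port. The function names and sample sessions are assumptions of this example.

```python
import re

SSH_IDENT = re.compile(rb"^SSH-\d+\.\d+-\S+")   # RFC 4253 identification string
FTP_REPLY = re.compile(rb"^(\d{3})[ -]")        # RFC 959 reply code; "-" marks a multi-line reply
PASV_REPLY = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed captures: (direction, payload), "S" = server, "C" = client.
PLAIN_FTP = [
    ("S", b"220 example FTP server ready\r\n"),
    ("C", b"USER demo\r\n"),
    ("S", b"331 Send password please\r\n"),
    ("C", b"PASS not-a-real-password\r\n"),
    ("S", b"230 demo is logged on\r\n"),
    ("C", b"PASV\r\n"),
    ("S", b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"),
]
EXPLICIT_FTPS = [
    ("S", b"220 example FTP server ready\r\n"),
    ("C", b"AUTH TLS\r\n"),
    ("S", b"234 Security environment established\r\n"),
    ("C", b"\x16\x03\x01\x00\x05hello"),   # placeholder TLS handshake record
    ("S", b"\x16\x03\x01\x00\x05hello"),   # placeholder TLS handshake record
    ("C", b"\x17\x03\x01\x00\x04PASV"),    # placeholder for an encrypted record
]


def classify_greeting(first_bytes):
    """Classify a server by the first line it sends after the TCP connect."""
    line = first_bytes.split(b"\r\n", 1)[0]
    if SSH_IDENT.match(line):
        return "ssh"          # sftp runs as a subsystem inside this protocol
    m = FTP_REPLY.match(line)
    if m and m.group(1) == b"220":
        return "ftp"          # plain FTP, or FTPS once AUTH TLS succeeds
    return "unknown"          # e.g. implicit TLS, where the server waits for the client


def visible_to_middlebox(session):
    """Return what a device on the path can read from an FTP control channel."""
    commands, data_port, opaque = [], None, 0
    auth_requested = tls = False
    for direction, payload in session:
        if tls:                               # everything after 234 is TLS records
            opaque += 1
            continue
        line = payload.split(b"\r\n", 1)[0]
        if direction == "C":
            verb = line.split(b" ", 1)[0].upper()
            commands.append(verb.decode("ascii", "replace"))  # verb only, no arguments
            auth_requested = line.upper() in (b"AUTH TLS", b"AUTH SSL")
        else:
            if auth_requested and line.startswith(b"234"):
                tls = True
            m = PASV_REPLY.match(line)
            if m:                             # data port = p1 * 256 + p2
                data_port = int(m.group(5)) * 256 + int(m.group(6))
    return {"commands": commands, "data_port": data_port,
            "tls": tls, "opaque_messages": opaque}


if __name__ == "__main__":
    print(classify_greeting(b"SSH-2.0-ExampleSSH_1.0\r\n"))
    print(visible_to_middlebox(PLAIN_FTP))
    print(visible_to_middlebox(EXPLICIT_FTPS))
```

In the second capture the device learns no data port, which is why a rule that depends on following the control channel cannot open the data connection for FTPS.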
Re: Secure FTP on the Mainframe
I believe the software looks for the key database password in the stash file. When I ran into this recently, I was using gskkyman to manage my key file, and there's an option in gskkyman

10 - Store database password

to create the stash file. Once I did that, the TLS handshake moved on to the next error 8-( ...

-Mark Vitale
Senior Software Engineer
Telephone 610.865.0300 (ext. 126)
ISM - The power behind great IT decisions
Visit us at www.perfman.com
Re: Secure FTP on the Mainframe
I don't agree. The OMVS setup looked to be more complicated and would result in a less secure environment. Do stay away from the ISPF panels and do the cert generation in batch.

My $0.02

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Richard Pinion
Sent: Thursday, May 26, 2005 11:42 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Secure FTP on the Mainframe

Nothing wrong with using RACF for the CERT stuff but you can generate CERTS from OMVS using gskkyman. Maybe it is better to learn to crawl first rather than trying to run.
Re: Secure FTP on the Mainframe
Howard Rifkind wrote:

Ulrich, Can sFTP and FTP reside within the same z/OS partition and be used at the same time? For instance, one person is FTP'ing a secure document using sFTP and another is using just plain old FTP for something else

You could use three different kinds of file transfer on the same LPAR at the same time:

The FTP server can be used for unencrypted FTP (ftp: or plain old FTP) and for encrypted file transfer, ftps:. You can use the same ftpd server, typically with two different ports for ftp: and ftps:.

To use sftp:, you need to install the IBM Ported Tools for z/OS UNIX. This is an official and supported IBM port of OpenSSH. It is independent of the ftpd server and can coexist with it (different port numbers are used).

--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner
Re: Secure FTP on the Mainframe
Hi,

I followed Share Session 3925 to set up my ftp server on one z/OS v1.4 LPAR (CDCU). I then exported the certificate to another LPAR (CDCT) and imported the certificate into its key data base. When trying ftp from the second lpar to the first I get the following:

EZA1450I IBM FTP CS V1R4
EZA1772I FTP: EXIT has been set.
EZYFT18I Using catalog '/usr/lib/nls/msg/C/ftpdmsg.cat' for FTP messages.
EZA1554I Connecting to: CDCU 205.145.225.134 port: 21.
220-FTPD1 IBM FTP CS V1R4 at CDCU, 10:03:13 on 2005-05-29.
220 Connection will close if idle for more than 5 minutes.
FC0159 ftpAuth: security values: mech=TLS, sFTP=A, sCC=C, sDC=P
FC0182 ftpAuth: cipherspecs = 03040506090A
FC0215 ftpAuth: keyring =/u/jsysxxx/SSL/cdcu_self_signed.crt
FC0216 ftpAuth: stashFile=/u/jsysxxx/SSL/cdcu_self_signed.sth
FC0223 ftpAuth: environment_open()
FC0341 ftpAuth: environment_init()
FC0345 ftpAuth: TLS init failed with rc = 201 (No key database password supplied
FC0786 endSecureEnv: entered
EZA2897I Authentication negotiation failed
EZA1701I USER jxx
534 Server requires authentication before USER command
EZA1735I FTP Return Code = 26534, Error Code = 2

Where would the key database password be supplied?

Thanks,
Craig

-Original Message-
Subject: Re: Secure FTP on the Mainframe

We would like to install Secure FTP in our mainframe's TCP/IP configuration and I have no idea how to do this. Would someone be kind enough to point me in the right direction where to start and what manuals to check out, and what to be aware of. I'm not really prime time with TCP/IP. Thanks.
Re: Secure FTP on the Mainframe
Howard Rifkind [EMAIL PROTECTED] wrote:

We would like to install Secure FTP in our mainframe's TCP/IP configuration and I have no idea how to do this. Would someone be kind enough to point me in the right direction where to start and what manuals to check out, and what to be aware of. I'm not really prime time with TCP/IP. Thanks.

Howard,

Something to be aware of when using SSL/TLS with FTP is how these sessions will make it through a firewall. If your users will be coming through the Internet to your mainframe FTP server, you may have some difficulty unless you plan for it up front.

The FTP protocol requires two connections, a Control connection and a Data connection. Normally, a firewall scans the data on the control port looking for the PASV response from the server that tells the client how to connect the data port. Since the data stream is encrypted, the firewall cannot get this information. This issue is further compounded when you add Network Address Translation in the firewall.

To handle the first case, your FTP server must be able to define a narrow range of ports that it will assign as data ports for the data connection. This can be one or more ports. These ports must then be open on the firewall. The PASV response from the host will contain the IP address and port to which the client will connect the data port. The firewall will have an open range of ports to accommodate the data connection.

If NAT is enabled in the firewall, then the FTP server will send back its true IP address and port, in the PASV response, rather than the public IP address and port. Since the firewall cannot see the PASV response, it cannot fix it on the way as it does with clear text FTP. To get around this, some FTP clients and servers support EPSV rather than PASV. In this case, the FTP server only returns the port number and the client assumes the IP address to be the same as the control port.

In other cases, the FTP client can be configured to always connect the data connection to the same IP as the control connection. Both of these situations can be handled using a Secure FTP Proxy server that sits in front of a non secure FTP server.

Good Luck!

Steve Bireley
Vice-President Product Development
Seagull Software
www.seagullsoftware.com
Seagull Free FTP
BlueZone Secure FTP
BlueZone Terminal Emulation
Seagull Security Server
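The PASV and EPSV handling described in the message above, as an added example that is not part of the original post or any vendor's code: it parses a 227 or 229 reply the way a client must once the firewall can no longer rewrite it, falls back to the control connection's address when the server advertises a different one, and checks the port against the range opened on the firewall. The addresses, the port range and the function name `data_endpoint` are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428 reply: 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d+)\1\)")


def data_endpoint(reply, control_ip, firewall_ports):
    """Return (ip, port, notes) for the data connection after PASV/EPSV.

    control_ip     -- address the control connection was opened to
    firewall_ports -- data port range opened on the firewall (assumed known)
    """
    notes = []
    pasv = PASV_RE.match(reply)
    epsv = EPSV_RE.match(reply)
    if pasv:
        fields = [int(f) for f in pasv.groups()]
        if max(fields) > 255:
            raise ValueError("PASV field out of range: %r" % reply)
        ip = ".".join(str(f) for f in fields[:4])
        port = fields[4] * 256 + fields[5]
        if ip != control_ip:
            # With TLS on the control connection the firewall cannot rewrite
            # the reply, so a NATed server's internal address arrives as sent.
            kind = "private" if ipaddress.ip_address(ip).is_private else "other"
            notes.append("PASV gave %s address %s, using %s" % (kind, ip, control_ip))
            ip = control_ip
    elif epsv:
        # EPSV carries only a port; the address is that of the control peer.
        ip, port = control_ip, int(epsv.group(2))
    else:
        raise ValueError("not a 227/229 reply: %r" % reply)
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    if port not in firewall_ports:
        notes.append("port %d is outside the range opened on the firewall" % port)
    return ip, port, notes


if __name__ == "__main__":
    # Constructed replies: server behind NAT at 10.1.2.3, reached at 203.0.113.10.
    opened = range(50000, 50011)
    for line in ("227 Entering Passive Mode (10,1,2,3,195,80)",
                 "229 Entering Extended Passive Mode (|||50005|)",
                 "229 Entering Extended Passive Mode (|||60000|)"):
        print(line, "->", data_endpoint(line, "203.0.113.10", opened))
```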
Re: Secure FTP on the Mainframe
Ulrich, Can sFTP and FTP reside within the same z/OS partition and be used at the same time? For instance, one person is FTP'ing a secure document using sFTP and another is using just plain old FTP for something else

Ulrich Boche [EMAIL PROTECTED] wrote:

Howard Rifkind wrote:

We would like to install Secure FTP in our mainframe's TCP/IP configuration and I have no idea how to do this. Would someone be kind enough to point me in the right direction where to start and what manuals to check out, and what to be aware of. I'm not really prime time with TCP/IP. Thanks.

Which kind of secure FTP are you looking for? There are two:

1. FTP (the ftpd daemon) with SSL/TLS support, commonly called ftps:
2. SFTP, a secure file transfer protocol implemented by OpenSSH.

The protocols are incompatible but both are available on z/OS. The UNIX people usually prefer SFTP.

--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner
Re: Secure FTP on the Mainframe
Would you be interested in using FTP with SSL/TLS support? If so, it is already installed. You need some parms and commands which I or other users of ibm-main can provide.

[EMAIL PROTECTED] 05/26/05 10:21AM

We would like to install Secure FTP in our mainframe's TCP/IP configuration and I have no idea how to do this. Would someone be kind enough to point me in the right direction where to start and what manuals to check out, and what to be aware of. I'm not really prime time with TCP/IP. Thanks.
Re: Secure FTP on the Mainframe
The manuals are confusing as they seem to be focused on Websphere and assume that is what you want to do. So far, I have achieved a secure transfer, or at least so say the messages. I created the CA cert on one system, then exported/imported it to another. Both systems are z/os 1.4 but do not share RACF. Changing the FTPSDATA requires a recycle of FTP (P FTPD1, S FTPD).

I am still baffled by the certificate process. I posed a plea for help on the RACF list, and received two replies that I have not yet studied. One suggested: http://www-306.ibm.com/software/network/commserver/zos/library/ Another from Wai Choi - RACF Development. I will post that separately.

NOTE: THE FOLLOWING IS FROM MY TESTING NOTES. TEST RESULTS ARE ENCOURAGING, BUT I HAVE NO IDEA IF/HOW THIS WOULD APPLY TO ANYONE ELSE. I STILL DON'T KNOW IF THIS IS THE CORRECT PROCESS. YMMV. IF YOU OR ANY OF YOUR STAFF ARE CAUGHT OR KILLED, THE SECRETARY WILL DISAVOW... oops, sorry, wrong disclaimer.

ICSF is not required, but highly recommended. The invocation (last steps below) still needs polishing. The DEBUG statements may not be appropriate for prime time.

My notes:

1. Build CA CERT
   RACDCERT CERTAUTH GENCERT -
     SUBJECTSDN( -
     .
2. Build personal certs
   a. FTPD
      RACDCERT ID(FTPD) GENCERT -
        SUBJECTSDN( -
        SIGNWITH(CERTAUTH -
        LABEL('from above'))
   b. User
      RACDCERT ID(myid) GENCERT -
        SUBJECTSDN( -
        ..
        SIGNWITH(CERTAUTH -
        LABEL('from above'))
3. Activate and RACLIST classes DIGTCERT DIGTRING
4. Add FACILITY IRR.DIGTCERT.LISTRING and permit.
5. Build key rings.
   a. FTPD
   b. User
6. Connect both CA and personal certs to keyrings.
7. Add to server SYS1.TCPPARMS(FTPSDATA):
   DEBUG SEC                 ; Helpful
   ACCESSERRORMSGS           ; Send detailed login failure replies
   KEYRING thekeyringname    ; Cert keyring for the server FTPDx
   EXTENSIONS AUTH_TLS       ; Activate SSL support
8. Add to client //SYSFTPD DD DISP=SHR,DSN=my.parmlib(FTPSSL1) which contains:
   DEBUG SOC(2)
   CLIENTERRCODES TRUE
   KEYRING mykeyring
   SECURE_DATACONN PRIVATE
   SECURE_MECHANISM TLS
9. Invoke FTP:
   //S001 EXEC PGM=FTP,PARM='-v -d -e -r TLS'
Re: Secure FTP on the Mainframe
And here is the cross posting from the RACF list as promised:

QUOTE:

This is a foil that I presented in SHARE and Vanguard. People think this helps them to clear things out. Would it help you?

Given:
- CA1 is the CA cert which signed the server cert S
- CA2 is the CA cert which signed the client cert C
- Ring X is the server's key ring, ring Y is the client's key ring

Question: What cert(s) needed in ring X? in ring Y?

- For Server authentication
  Ring X: CA1, S
  Ring Y: CA1
- For Client authentication (implies server authentication too)
  Ring X: CA1, S, CA2
  Ring Y: CA2, C, CA1

Further thinking: Would it be simpler (for which case?) if both the server and client certs were signed by the same CA cert, say CA1? How do the rings look like?

Regards,
Wai
Wai Choi - RACF Development
Tie-line:295-7623
External: (845)435-7623
Internet: [EMAIL PROTECTED]

END QUOTE.
Re: Secure FTP on the Mainframe
I've just recently done both secure FTP and TN3270 in z/OS 1.4. I used the redbook volume 7. I found gskkyman just as confusing as RACF, so I used RACF :) I also need to thank Sam for pointing out Filezilla, which is a good FTP client and supports TLS.

One recommendation I would make is to set up your RACDCERT command in batch TSO JCL. It's a lot easier to see the errors.

At 12:41 PM 5/26/2005 -0400, you wrote:

Nothing wrong with using RACF for the CERT stuff but you can generate CERTS from OMVS using gskkyman. Maybe it is better to learn to crawl first rather than trying to run.

[EMAIL PROTECTED] 05/26/05 12:32PM

And here is the cross posting from the RACF list as promised:

Dave Gibney [EMAIL PROTECTED]
System Programmer (509) 335-7359
Information Technology
Washington State University
Pullman, WA 99164-1222
Re: Secure FTP on the Mainframe
I can't remember what I had to do to activate gskkyman. Oh yes, I had to add GSK.SGSKLOAD to PROG00 for APF and LNKLIST. Run gskkyman from TSO/OMVS. Once I had done the z/OS setup as below I had to work with the network guys to punch a hole thru our firewall to allow FTP SSL.

Here are the parms that I have in SYSFTPD

//SYSFTPD DD *
; -
;
; 7. Security options
;
; -
SECURE_MECHANISM TLS          ; Name of the security mechanism
                              ; that the client uses when it
                              ; sends an AUTH command to the
                              ; server.
                              ; GSSAPI = Kerberos support
                              ; TLS    = TLS
SECURE_FTP REQUIRED           ; Authentication indicator
                              ; ALLOWED (D)
                              ; REQUIRED
SECURE_CTRLCONN private       ; Minimum level of security for
                              ; the control connection
                              ; CLEAR (D)
                              ; SAFE
                              ; PRIVATE
SECURE_DATACONN private       ; Minimum level of security for
                              ; the data connection
                              ; NEVER
                              ; CLEAR (D)
                              ; SAFE
                              ; PRIVATE
;SECURE_PBSZ 16384            ; Kerberos maximum size of the
                              ; encoded data blocks
                              ; Default value is 16384
                              ; Valid range is 512 through 32768
; Name of a ciphersuite that can be passed to the partner during
; the TLS handshake. None, some, or all of the following may be
; specified. The number to the far right is the cipherspec id
; that corresponds to the ciphersuite's name.
CIPHERSUITE SSL_DES_SHA       ; 09
CIPHERSUITE SSL_3DES_SHA      ; 0A
CIPHERSUITE SSL_NULL_MD5      ; 01
CIPHERSUITE SSL_NULL_SHA      ; 02
CIPHERSUITE SSL_RC4_MD5_EX    ; 03
CIPHERSUITE SSL_RC4_MD5       ; 04
CIPHERSUITE SSL_RC4_SHA       ; 05
CIPHERSUITE SSL_RC2_MD5_EX    ; 06
KEYRING /ftp/ssl/mykeyring    ; Name of the keyring for TLS
                              ; It can be the name of an HFS
                              ; file (name starts with /) or
                              ; a resource name in the security
                              ; product (e.g., RACF)
TLSTIMEOUT 060                ; Maximum time limit between full
                              ; TLS handshakes to protect data
                              ; connections
                              ; Default value is 100 seconds.
                              ; Valid range is 0 through 86400
;
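A check over the security statements quoted above, as an added example that is not IBM's or the poster's code: it parses FTP.DATA-style statements, applies the defaults marked (D) in the quoted comments, and reports settings that permit clear-text sessions and CIPHERSUITE entries with no or weak encryption. The sample input is constructed, and the weakness labels and function names are this example's own assessment.

```python
# Defaults taken from the "(D)" markers in the quoted SYSFTPD comments.
DEFAULTS = {"SECURE_FTP": "ALLOWED", "SECURE_CTRLCONN": "CLEAR",
            "SECURE_DATACONN": "CLEAR"}
# Values needed so that every session is authenticated and encrypted.
WANTED = {"SECURE_FTP": "REQUIRED", "SECURE_CTRLCONN": "PRIVATE",
          "SECURE_DATACONN": "PRIVATE"}
# Assessment made for this example, not taken from IBM documentation.
# SSL_3DES_SHA is left out only because it is the strongest suite in the post.
WEAK = {
    "SSL_NULL_MD5": "no encryption, integrity only",
    "SSL_NULL_SHA": "no encryption, integrity only",
    "SSL_RC4_MD5_EX": "40-bit export cipher",
    "SSL_RC2_MD5_EX": "40-bit export cipher",
    "SSL_DES_SHA": "56-bit single DES",
    "SSL_RC4_MD5": "RC4 stream cipher with MD5",
    "SSL_RC4_SHA": "RC4 stream cipher",
}

# Constructed sample, not the poster's file.
SAMPLE = """\
SECURE_MECHANISM TLS          ; security mechanism
;SECURE_FTP      REQUIRED     ; commented out, so the default applies
SECURE_CTRLCONN  private
SECURE_DATACONN  clear
CIPHERSUITE SSL_DES_SHA       ; 09
CIPHERSUITE SSL_3DES_SHA      ; 0A
CIPHERSUITE SSL_NULL_MD5      ; 01
CIPHERSUITE SSL_RC4_MD5_EX    ; 03
KEYRING /ftp/ssl/mykeyring
"""


def parse_statements(text):
    """Return [(KEYWORD, value)] in file order; ';' starts a comment."""
    statements = []
    for raw in text.splitlines():
        words = raw.split(";", 1)[0].split()
        if len(words) >= 2:
            statements.append((words[0].upper(), words[1]))
    return statements


def audit(text):
    """Return [(statement, value, reason)] for settings that weaken TLS."""
    statements = parse_statements(text)
    effective = dict(DEFAULTS)
    for keyword, value in statements:
        if keyword in effective:
            effective[keyword] = value.upper()   # last statement wins
    findings = [(k, effective[k], "expected " + want)
                for k, want in WANTED.items() if effective[k] != want]
    for keyword, value in statements:
        suite = value.upper()
        if keyword == "CIPHERSUITE" and suite in WEAK:
            findings.append((keyword, suite, WEAK[suite]))
    return findings


if __name__ == "__main__":
    for statement, value, reason in audit(SAMPLE):
        print("%-16s %-16s %s" % (statement, value, reason))
```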
Re: Secure FTP on the Mainframe
[EMAIL PROTECTED] wrote:

There must be something in the air or water, or maybe you have a spy here. I was just asked the same thing. I tried to get a 3270 emulator to support SSL/TLS but was told by our manager that SSL had nothing to do with encryption so forget it. Anyway, I'm in the process of trying to install the ICSF and have also found some keywords in the IP Configuration manual for secure FTP.

Craig

Sorry to say but your manager is absolutely, positively clueless. SSL or TLS definitely has to do with encryption. From a security standpoint, it is one of the best implementations of encryption methods available today.

The TN3270E server on z/OS supports SSL and TLS for encrypted sessions, optionally even to the point of authenticating users with digital certificates.

--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner
Re: Secure FTP on the Mainframe
Howard Rifkind wrote:

We would like to install Secure FTP in our mainframe's TCP/IP configuration and I have no idea how to do this. Would someone be kind enough to point me in the right direction where to start and what manuals to check out, and what to be aware of. I'm not really prime time with TCP/IP. Thanks.

Which kind of secure FTP are you looking for? There are two:

1. FTP (the ftpd daemon) with SSL/TLS support, commonly called ftps:
2. SFTP, a secure file transfer protocol implemented by OpenSSH.

The protocols are incompatible but both are available on z/OS. The UNIX people usually prefer SFTP.

--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner
Re: Secure FTP on the Mainframe
I think this would really help you to get going with what you want -- http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/F1A1B340/2.3.10?SHELF=F1A1BK50DT=20040609153838

Please have a look into the following REDBOOK (lists the key ring set up):

SG24-6840-00 Communications Server for z/OS V1R2 TCP/IP Implementation Guide Volume 7: Security

Chapters 9 & 10 mostly I think!

Link -- http://www.redbooks.ibm.com/redbooks/pdfs/sg246840.pdf

-Vik

Howard Rifkind [EMAIL PROTECTED] wrote:

We would like to install Secure FTP in our mainframe's TCP/IP configuration and I have no idea how to do this. Would someone be kind enough to point me in the right direction where to start and what manuals to check out, and what to be aware of. I'm not really prime time with TCP/IP. Thanks.