Re: secure ftp on the mainframe

2008-08-04 Thread Ulrich Boche

Rafael Fernandez L. wrote:

Nobody mentioned ftp with GSSAPI (kerberos) ?

Ignacio Landín Villegas
 

Probably because there is rarely anyone using it.

Furthermore, it was all but unusable for a long time: although the 
Kerberos ticket provided the cross-reference with the RACF userid, 
support for SECURE_PASSWORD OPTIONAL was not available until, IIRC, 
z/OS V1R7 or V1R8. Nobody wants to go through the installation of 
Kerberos with FTP on z/OS if you don't even get single sign-on.


Also, if you use Kerberos with z/OS and Windows, the only common 
encryption algorithm is DES with 56-bit keys. Windows doesn't support 
Triple DES and z/OS doesn't support RC4. AES support (128- or 256-bit 
keys) requires z/OS V1R9 and Windows Vista and/or Windows Server 2008.


(Sorry, sent my posting just to the newsgroup in my first attempt).
--
Ulrich Boche
SVA GmbH, Germany
IBM Business Partner

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html



Re: secure ftp on the mainframe

2008-07-31 Thread Rafael Fernandez L.
Nobody mentioned ftp with GSSAPI (kerberos) ?

Ignacio Landín Villegas
 

-Original Message-
From: IBM Mainframe Discussion List 
[mailto:[EMAIL PROTECTED] On Behalf Of Hal Merritt
Sent: Tuesday, July 29, 2008 10:39 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

Oh. 

I thought you were switching contexts. Now I see. And thanks 
to Kirk for the additional enlightenment.

A file transfer protocol that isn't FTP is more than a little 
confusing.


Let's see, we have:

FTP
FTP under TLS
SSH packet file mover
FTP under SSH 

But SSH also can be used for other things, like telnet, web 
service, etc, right? 

My head hurts :-)

  

-Original Message-
From: IBM Mainframe Discussion List 
[mailto:[EMAIL PROTECTED] On Behalf Of Walt Farrell
Sent: Tuesday, July 29, 2008 2:13 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

On Tue, 29 Jul 2008 11:22:16 -0500, Hal Merritt 
[EMAIL PROTECTED]
wrote:

I was referring to the sftp that Walt mentioned. My take was that it
was
neither TLS nor SSH.

SFTP is not FTP at all.  It is a secure, FTP-like communication 
protocol.

Perhaps you didn't see the next sentence of that message?  
SFTP here, is a function provided by the ssh protocols.

--   
  Walt




Re: secure ftp on the mainframe

2008-07-29 Thread Hal Merritt
Do you have any links to SFTP sources? Google search results were
confusing and ambiguous.   

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Walt Farrell
Sent: Thursday, July 24, 2008 11:04 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

On Thu, 24 Jul 2008 08:00:55 -0700, Kurt Eastwood [EMAIL PROTECTED]
wrote:
Is SFTP really a 'secure ftp'? 

SFTP is not FTP at all.  It is a secure, FTP-like communication
protocol. 
(SFTP here, is a function provided by the ssh protocols.)  I'm not sure
anyone has really stated that in this thread, so I thought I'd mention
it. 
Others have discussed additional details that I don't need to repeat.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design




Re: secure ftp on the mainframe

2008-07-29 Thread McKown, John
 -Original Message-
 From: IBM Mainframe Discussion List 
 [mailto:[EMAIL PROTECTED] On Behalf Of Hal Merritt
 Sent: Tuesday, July 29, 2008 10:27 AM
 To: IBM-MAIN@BAMA.UA.EDU
 Subject: Re: secure ftp on the mainframe
 
 Do you have any links to SFTP sources? Google search results were
 confusing and ambiguous.   

sftp (not SFTP) is a part of SSH.

Try: http://www.openssh.org/manual.html

in particular
http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1

Or maybe I'm not understanding your question. sftp is a part of SSH. One
thing that might be confusing is that there is not an sftp daemon. The
sftp client talks to the ssh daemon, just like the ssh command does. Or
the scp program, for that matter.

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology




Re: secure ftp on the mainframe

2008-07-29 Thread Dooley, Robert
http://www-03.ibm.com/servers/eserver/zseries/zos/unix/pdf/docs/fotza105.pdf

from page 14:

OpenSSH's sftp and IBM Communications Server's FTP with System SSL
differ from each other. OpenSSH's sftp is an Open Source implementation
of the IETF Secure Shell (SECSH) SSH File Transfer Protocol  Internet
Draft. OpenSSH uses a statically linked OpenSSL archive library to
perform its cryptographic functions. OpenSSH does not provide key
management facilities, nor is integrated with those provided by IBM.
Password authentication is the only form of authentication where OpenSSH
queries the security product. Public key authentication is currently
overseen by the daemon.

The Communications Server FTP server and client support Transport Layer
Security (TLS). The FTP client and server negotiate the use of TLS based
on a subset of the FTP security negotiation functions documented in RFC
2228. FTP uses z/OS System SSL, and therefore can use the cryptographic
hardware. FTP can also use SAF facilities for key management.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Hal Merritt
Sent: Tuesday, July 29, 2008 10:27 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

Do you have any links to SFTP sources? Google search results were
confusing and ambiguous.   

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Walt Farrell
Sent: Thursday, July 24, 2008 11:04 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

On Thu, 24 Jul 2008 08:00:55 -0700, Kurt Eastwood [EMAIL PROTECTED]
wrote:
Is SFTP really a 'secure ftp'? 

SFTP is not FTP at all.  It is a secure, FTP-like communication
protocol. 
(SFTP here, is a function provided by the ssh protocols.)  I'm not sure
anyone has really stated that in this thread, so I thought I'd mention
it. 
Others have discussed additional details that I don't need to repeat.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design




Re: secure ftp on the mainframe

2008-07-29 Thread Kirk Wolf
sftp usually refers to the file transfer protocol that works as an
ssh subsystem (although some use the term to refer to FTP/TLS).
In the OpenSSH implementation, sftp and sftp-server are separate
binaries that are shipped as part of OpenSSH.

The sources for sftp and sftp-server are available from:
http://www.openssh.com/
It is  possible to port these to z/OS and use them with IBM's port of
ssh and sshd.   It is very easy to configure sshd to use a different
sftp-server.

The later versions of OpenSSH rely on a newer version of the GNU
autoconf tool chain, which is not available for z/OS, so that
complicates things.
And of course, adding in the z/OS specific patches, especially to
support datasets, PDSs, etc, is a big job.

Kirk Wolf
Dovetailed Technologies

On Tue, Jul 29, 2008 at 10:27 AM, Hal Merritt [EMAIL PROTECTED] wrote:
 Do you have any links to SFTP sources? Google search results were
 confusing and ambiguous.






Re: secure ftp on the mainframe

2008-07-29 Thread Hal Merritt
I was referring to the sftp that Walt mentioned. My take was that it was
neither TLS nor SSH.   

SFTP is not FTP at all.  It is a secure, FTP-like communication
protocol.



-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Dooley, Robert
Sent: Tuesday, July 29, 2008 10:34 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

http://www-03.ibm.com/servers/eserver/zseries/zos/unix/pdf/docs/fotza105.pdf

 
..snip 




Re: secure ftp on the mainframe

2008-07-29 Thread Walt Farrell
On Tue, 29 Jul 2008 11:22:16 -0500, Hal Merritt [EMAIL PROTECTED] wrote:

I was referring to the sftp that Walt mentioned. My take was that it was
neither TLS nor SSH.

SFTP is not FTP at all.  It is a secure, FTP-like communication
protocol.

Perhaps you didn't see the next sentence of that message?  SFTP here, is a
function provided by the ssh protocols.

--   
  Walt




Re: secure ftp on the mainframe

2008-07-29 Thread Kirk Wolf
It's all a little confusing...

SSH is a tool/protocol for providing a secure connection over IP networks.
Once you have a connection, you can have multiple channels routed over
it.   Channels could be interactive terminal sessions (to replace telnet),
port-forwarding channels, command redirection channels, and subsystem
channels (which are a special case of command channels).

Here's the main RFC for SSH:  http://www.ietf.org/rfc/rfc4251.txt

A *separate* tool distributed with most SSH implementations is sftp, which
runs as an SSH subsystem.  The sftp protocol is a packet protocol for file
transfer that *assumes* that you already have a secure connection, and by
default the sftp command line tool simply invokes the command line tool to
set up its secure channel.  sftp doesn't have connection setup,
authentication, encryption, compression, etc - it relies on SSH to do that.

Here's the main RFC for SFTP:
http://tools.ietf.org/wg/secsh/draft-ietf-secsh-filexfer/

Another spin on this is that you can also use SSH to setup a secure channel
and a SOCKS proxy and then use an *FTP* client over the secure SSH channel
via the proxy.  This is an alternative to FTP/TLS, which can be a nightmare
for firewalls and NAT routers due to its use of multiple sockets which, when
encrypted, can't be snooped to setup the data port connection.

FWIW, we use SSH subsystem channels in our (free) Co:Z product to setup a
secure connection from a batch job to a remote Unix/Windows process.
Additional channels are setup via port forwarding if the remote process
wants to access z/OS datasets from the launching job.

Anyway, the SSH protocol is very cool, and the OpenSSH project is some of
the most useful free software available.   If you really want to be in the
club, support them by buying one of their cool tee shirts (
http://www.openssh.org/tshirts.html)

Kirk Wolf
Dovetailed Technologies
http://dovetail.com
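
The packet framing described in the message above, as an added example that is not part of the original post and is not OpenSSH code. Packet type numbers follow the draft-ietf-secsh-filexfer document linked in the post (protocol version 3); the `MAX_PACKET` cap, the helper names and the sample path are assumptions made for this illustration.

```python
import struct

# Packet types from draft-ietf-secsh-filexfer-02 (sftp protocol version 3).
FXP = {1: "INIT", 2: "VERSION", 3: "OPEN", 4: "CLOSE", 5: "READ",
       6: "WRITE", 101: "STATUS", 102: "HANDLE", 103: "DATA"}
MAX_PACKET = 256 * 1024  # assumption: sanity cap chosen for this example


class FramingError(ValueError):
    """Raised when a length field in the stream cannot be trusted."""


def u32(buf, off):
    """Read a big-endian uint32 with a bounds check; return (value, next offset)."""
    if off + 4 > len(buf):
        raise FramingError("uint32 overruns packet")
    return struct.unpack_from(">I", buf, off)[0], off + 4


def string(buf, off):
    """Read a length-prefixed string with a bounds check."""
    n, off = u32(buf, off)
    if off + n > len(buf):
        raise FramingError("string overruns packet")
    return buf[off:off + n], off + n


def pstr(s):
    """Encode a length-prefixed string."""
    return struct.pack(">I", len(s)) + s


def frame(ptype, body):
    """uint32 length (covers type byte + body), one type byte, then the body."""
    return struct.pack(">IB", len(body) + 1, ptype) + body


def split_frames(buf):
    """Split a byte stream into (type, body) frames; return (frames, leftover)."""
    frames, off = [], 0
    while len(buf) - off >= 4:
        length, _ = u32(buf, off)
        if not 1 <= length <= MAX_PACKET:
            raise FramingError(f"bad packet length {length}")
        if len(buf) - off - 4 < length:
            break  # partial frame: wait for more bytes from the channel
        frames.append((buf[off + 4], buf[off + 5:off + 4 + length]))
        off += 4 + length
    return frames, buf[off:]


def decode(ptype, body):
    """Decode the fields of the packet types used in the sample below."""
    out = {"type": FXP.get(ptype, f"UNKNOWN({ptype})")}
    first, off = u32(body, 0)
    if ptype in (1, 2):          # INIT / VERSION carry only a version number
        out["version"] = first
        return out
    out["id"] = first            # every other packet starts with a request id
    if ptype == 3:               # OPEN: filename, pflags, attrs
        path, off = string(body, off)
        out["path"] = path.decode("utf-8", "replace")
        out["pflags"], off = u32(body, off)
    elif ptype == 101:           # STATUS: code, message, language tag
        out["code"], off = u32(body, off)
        msg, off = string(body, off)
        out["message"] = msg.decode("utf-8", "replace")
    return out


# Constructed sample: client INIT and OPEN, then a server STATUS reply,
# concatenated into one buffer for brevity. The path is made up.
SAMPLE = (
    frame(1, struct.pack(">I", 3))
    + frame(3, struct.pack(">I", 1) + pstr(b"/u/batch/outbound/payroll.txt")
            + struct.pack(">II", 0x01, 0))      # pflags=READ, empty attrs
    + frame(101, struct.pack(">II", 1, 3)       # id=1, code 3 = permission denied
            + pstr(b"Permission denied") + pstr(b"en"))
)

if __name__ == "__main__":
    frames, rest = split_frames(SAMPLE)
    for ptype, body in frames:
        print(decode(ptype, body))
    print("leftover bytes:", len(rest))
```

None of the decoded packets has a field for a user name, password, key or cipher: the stream is only meaningful inside a channel that SSH has already authenticated and encrypted.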




Re: secure ftp on the mainframe

2008-07-29 Thread Hal Merritt
Oh. 

I thought you were switching contexts. Now I see. And thanks to Kirk for
the additional enlightenment.

A file transfer protocol that isn't FTP is more than a little confusing.


Let's see, we have:

FTP
FTP under TLS
SSH packet file mover 
FTP under SSH 

But SSH also can be used for other things, like telnet, web service,
etc, right? 

My head hurts :-)

  

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Walt Farrell
Sent: Tuesday, July 29, 2008 2:13 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

On Tue, 29 Jul 2008 11:22:16 -0500, Hal Merritt [EMAIL PROTECTED]
wrote:

I was referring to the sftp that Walt mentioned. My take was that it
was
neither TLS nor SSH.

SFTP is not FTP at all.  It is a secure, FTP-like communication
protocol.

Perhaps you didn't see the next sentence of that message?  SFTP here,
is a
function provided by the ssh protocols.

--   
  Walt




Re: secure ftp on the mainframe

2008-07-24 Thread R.S.

Kurt Eastwood wrote:

Hello,
 
First off let me say I am not an FTP expert.
 
We currently use FTP on the mainframe to send files to various sites. We also use SFTP on the UNIX boxes to send files to various sites. I am looking for any information or help on using SFTP, which I understand to be 'secure ftp' on the mainframe to send files with sensitive information in them.
 
Is SFTP really a 'secure ftp'? 


There are several flavours of secure ftp.
It can be FTP over SSL/TLS, it's sometimes called FTPS - this is what 
you surely have.
It can be sftp - AFAIK ftp over SSH. It is available on z/OS as free and 
unsupported tool. AFAIK it supports HFS files only (I mean any Unix 
file, regardless of filesystem type: ZFS, HFS, etc.)
I vaguely remember some other type of secure ftp, but I can't remember 
any details.


HTH

--
Radoslaw Skorupka
Lodz, Poland





Re: secure ftp on the mainframe

2008-07-24 Thread Wissink, Brad [ITSYS]
We run FTP with SSL and FTP with SSH.  FTP/SSL is part of TCPIP, while sftp 
(FTP/SSH) is part of IBM Ported Tools (free for the download).  We run both 
from batch procedure.  We have RACF control the certificates and keyrings for 
FTP/SSL.  Then you use the SYSFTPD DD statement to tell FTP if SSL is to be 
used, what ciphers to use and where to find the keyring.   FTP/SSL works with 
MVS data sets, while sftp does not.  Sftp only works with HFS files.  So our 
batch procedure transfers the MVS data set to a HFS file before it invokes 
sftp.  You will also need a .ssh directory under the home directory for the 
userid of the job.  Inside that directory you will need a known.hosts file that 
must contain the keys from the outside clients.  You need the keys because 
batch sftp does not allow you to use a userid/password.  

Good Luck.

Brad Wissink
Information Technology Services
Iowa State University
515-294-3088

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Kurt 
Eastwood
Sent: Thursday, July 24, 2008 10:01 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: secure ftp on the mainframe

Hello,
 
First off let me say I am not an FTP expert.
 
We currently use FTP on the mainframe to send files to various sites. We also 
use SFTP on the UNIX boxes to send files to various sites. I am looking for any 
information or help on using SFTP, which I understand to be 'secure ftp' on the 
mainframe to send files with sensitive information in them.
 
Is SFTP really a 'secure ftp'? 
 
Can SFTP be used on the mainframe and if so can anyone give some guidance on 
how they use it and what is needed to begin using it?
 
Is SFTP for the mainframe an additional program that you have to purchase?
 
I find FTP in TCPIP.SEZALOAD but cannot find any reference to SFTP on the 
mainframe.

Thank you in advance for your help.
Kurt


  




Re: secure ftp on the mainframe

2008-07-24 Thread Chase, John
 -Original Message-
 From: IBM Mainframe Discussion List On Behalf Of Kurt Eastwood
 
 Hello,
  
 First off let me say I am not an FTP expert.
  
 We currently use FTP on the mainframe to send files to 
 various sites. We also use SFTP on the UNIX boxes to send 
 files to various sites. I am looking for any information or 
 help on using SFTP, which I understand to be 'secure ftp' on 
 the mainframe to send files with sensitive information in them.
  
 Is SFTP really a 'secure ftp'? 

Yes, if you accept encrypted transfers as secure.

 Can SFTP be used on the mainframe and if so can anyone give 
 some guidance on how they use it and what is needed to begin using it?

Yes.  Many posts on the subject in the IBM-MAIN archives.

 Is SFTP for the mainframe an additional program that you have 
 to purchase?

Yes.  The price is $ZERO.

 I find FTP in TCPIP.SEZALOAD but cannot find any reference to 
 SFTP on the mainframe.

It's included in the z/OS Unix Ported Tools product, which is available at no 
charge via ShopzSeries.

-jc-




Re: secure ftp on the mainframe

2008-07-24 Thread Hal Merritt
As another posted, 'sftp' is not a unique enough name. There is a 'speedy' FTP 
that uses a proprietary protocol, for example. 

The short answer to your question is that there are several 'flavors' of data 
encryption offered on z/os. The two main types are TLS (transport layer 
security, formerly known as 'secure sockets layer' or SSL) and SSH (secure 
shell).

SSH is very popular in tinkertoyland, but is currently a huge PITA to implement 
on z/os. SSH uses only the *nix side of the house and data has to be copied to 
and from z/fs. Hopefully someday regular z/os datasets will be directly 
supported. 

TLS is certificate based (a very widely used strategy) and fits right into your 
regular z/os batch solutions.

Getting the infrastructure up and running for encrypted FTP and TN3270 under 
TLS is almost trivial. A few entries in TCPPARMS and you are there. Certificate 
management, on the other hand, is likely the second most confusing thing 
you'll ever run into. (Women are first on that list :-D ) 

Just to confuse things even more, the definition of 'secure' may be changing. 
Heretofore, 'secure' meant only that data (to include login passwords) not flow 
in the open over a network. A recent audit 'issue' is that we implement both 
client as well as server authentication over and beyond logon credentials (the 
familiar ID and password). The root issue is to protect against a 'man in the 
middle' attack. 

But wait! There's more! Keep in mind that, no matter what you choose, the other 
host has to be doing the same thing and you may have little or no control over 
that host. 

HTH and good luck.   









-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Kurt 
Eastwood
Sent: Thursday, July 24, 2008 10:01 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: secure ftp on the mainframe

Hello,
 
First off let me say I am not an FTP expert.
 
We currently use FTP on the mainframe to send files to various sites. We also 
use SFTP on the UNIX boxes to send files to various sites. I am looking for any 
information or help on using SFTP, which I understand to be 'secure ftp' on the 
mainframe to send files with sensitive information in them.
 
Is SFTP really a 'secure ftp'? 
 
Can SFTP be used on the mainframe and if so can anyone give some guidance on 
how they use it and what is needed to begin using it?
 
Is SFTP for the mainframe an additional program that you have to purchase?
 
I find FTP in TCPIP.SEZALOAD but cannot find any reference to SFTP on the 
mainframe.

Thank you in advance for your help.
Kurt


  




Re: secure ftp on the mainframe

2008-07-24 Thread McKown, John
 -Original Message-
 From: IBM Mainframe Discussion List 
 [mailto:[EMAIL PROTECTED] On Behalf Of Hal Merritt
 Sent: Thursday, July 24, 2008 10:47 AM
 To: IBM-MAIN@BAMA.UA.EDU
 Subject: Re: secure ftp on the mainframe
 
[snip]
 
 SSH is very popular in tinkertoyland, but is currently a huge 
 PITA to implement on z/os. SSH uses only the *nix side of the 
 house and data has to be copied to and from z/fs. Hopefully 
 someday regular z/os datasets will be directly supported. 

I agree. I wish that IBM had supplied their patches to OpenSSH so that
others could look at extending sftp to legacy datasets. I will also
mention that Dovetailed Technologies Co:Z can do file transfers over
OpenSSH which will access (read/write) legacy datasets. It is not sftp,
but it is over an SSH encrypted channel.

 
[snip]
 
 HTH and good luck.   


--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology




Re: secure ftp on the mainframe

2008-07-24 Thread Itschak Mugzach
And you may consider file transfer over MQ, of course.

ITschak  


| Itschak Mugzach | Director | SecuriTeam Software |
| Email: [EMAIL PROTECTED] | Mob: +972 522 986404 | Skype: Itschak
Mugzach | Web: www.Securiteam.co.il  | 

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
Of McKown, John
Sent: Thursday, July 24, 2008 5:49 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: secure ftp on the mainframe

 -Original Message-
 From: IBM Mainframe Discussion List
 [mailto:[EMAIL PROTECTED] On Behalf Of Hal Merritt
 Sent: Thursday, July 24, 2008 10:47 AM
 To: IBM-MAIN@BAMA.UA.EDU
 Subject: Re: secure ftp on the mainframe
 
[snip]
 
 SSH is very popular in tinkertoyland, but is currently a huge PITA to 
 implement on z/os. SSH uses only the *nix side of the house and data 
 has to be copied to and from z/fs. Hopefully someday regular z/os 
 datasets will be directly supported.

I agree. I wish that IBM had supplied their patches to OpenSSH so that
others could look at extending sftp to legacy datasets. I will also mention
that Dovetailed Technologies Co:Z can do file transfers over OpenSSH which
will access (read/write) legacy datasets. It is not sftp, but it is over an
SSH encrypted channel.

 
[snip]
 
 HTH and good luck.   


--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage Administrative Services Group
Information Technology




Re: secure ftp on the mainframe

2008-07-24 Thread Walt Farrell
On Thu, 24 Jul 2008 17:05:40 +0200, R.S. [EMAIL PROTECTED] wrote:
It can be sftp - AFAIK ftp over SSH. It is available on z/OS as free and
unsupported tool. AFAIK it supports HFS files only (I mean any Unix
file, regardless of filesystem type: ZFS, HFS, etc.)
I vaguely remember some other type of secure ftp, but I can't remember
any details.

The IBM Ported Tools for z/OS provides a free, and as far as I know
supported, implementation of OpenSSH for z/OS.  That will give sftp support,
and other ssh functionality.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design




Re: secure ftp on the mainframe

2008-07-24 Thread Walt Farrell
On Thu, 24 Jul 2008 08:00:55 -0700, Kurt Eastwood [EMAIL PROTECTED] wrote:
Is SFTP really a 'secure ftp'? 

SFTP is not FTP at all.  It is a secure, FTP-like communication protocol. 
(SFTP here, is a function provided by the ssh protocols.)  I'm not sure
anyone has really stated that in this thread, so I thought I'd mention it. 
Others have discussed additional details that I don't need to repeat.

-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design




Re: Secure FTP on the Mainframe

2005-05-31 Thread Mark Vitale
I believe the software looks for the key database password
in the stash file.  When I ran into this recently, I was using
gskkyman to manage my key file, and there's an option in gskkyman
10 - Store database password to create the stash file.  

Once I did that, the TLS handshake moved on to the next error 8-( ...

-Mark Vitale 
Senior Software Engineer
Telephone 610.865.0300 (ext. 126) 

ISM - The power behind great IT decisions
Visit us at www.perfman.com 



Re: Secure FTP on the Mainframe

2005-05-31 Thread Hal Merritt
I don't agree. The OMVS setup looked to be more complicated and would
result in a less secure environment. 

Do stay away from the ISPF panels and do the cert generation in batch.  

My $0.02 

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Richard Pinion
Sent: Thursday, May 26, 2005 11:42 AM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: Secure FTP on the Mainframe

Nothing wrong with using RACF for the CERT stuff but you can generate
CERTS from OMVS using gskkyman.  Maybe it is better to learn to crawl
first rather than trying to run.



Re: Secure FTP on the Mainframe

2005-05-30 Thread Ulrich Boche

Howard Rifkind wrote:

Ulrich,
 
Can sFTP and FTP reside within the same z/OS partition and be used at the same time?
 
For instance, one person is FTP'ing a secure document using sFTP and another is using just plain old FTP for something else




You could use three different kinds of file transfer on the same LPAR at 
the same time:


The FTP server can be used for unencrypted FTP (ftp: or plain old 
FTP) and for encrypted file transfer, ftps:. You can use the same 
ftpd server, typically with two different ports for ftp: and ftps:.


To use sftp:, you need to install the IBM Ported Tools for z/OS UNIX. 
This is an official and supported IBM port of OpenSSH. It is independent 
of the ftpd server and can coexist with it (different port numbers are 
used).

--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner



Re: Secure FTP on the Mainframe

2005-05-29 Thread Craig Kittendorf
Hi,

I followed Share Session 3925 to set up my ftp server on one z/OS v1.4 LPAR
(CDCU).  I then exported the certificate to another LPAR (CDCT) and imported
the certificate into its key data base.

When trying ftp from the second lpar to the first I get the following:

EZA1450I IBM FTP CS V1R4
EZA1772I FTP: EXIT has been set.
EZYFT18I Using catalog '/usr/lib/nls/msg/C/ftpdmsg.cat' for FTP messages.
EZA1554I Connecting to: CDCU 205.145.225.134 port: 21.
220-FTPD1 IBM FTP CS V1R4 at CDCU, 10:03:13 on 2005-05-29.
220 Connection will close if idle for more than 5 minutes.
 FC0159 ftpAuth: security values: mech=TLS, sFTP=A, sCC=C, sDC=P 
FC0182 ftpAuth:  cipherspecs = 03040506090A 
FC0215 ftpAuth: keyring  =/u/jsysxxx/SSL/cdcu_self_signed.crt 
FC0216 ftpAuth: stashFile=/u/jsysxxx/SSL/cdcu_self_signed.sth
FC0223 ftpAuth: environment_open() 
FC0341 ftpAuth: environment_init() 
FC0345 ftpAuth: TLS init failed with rc = 201 (No key database password
supplied
FC0786 endSecureEnv: entered
EZA2897I Authentication negotiation failed 
EZA1701I  USER jxx 
534 Server requires authentication before USER command 
EZA1735I FTP Return Code = 26534, Error Code = 2

Where would the key database password be supplied?

Thanks,
Craig 

-Original Message-
 
Subject: Re: Secure FTP on the Mainframe

 We would like to install Secure FTP in our mainframe's TCP/IP configuration
and I have no idea how to do this.
 
 Would someone be kind enough to point me in the right direction where to
start and what manuals to check out, and what to be aware of.
 
 I'm not really prime time with TCP/IP. Thanks.
 



Re: Secure FTP on the Mainframe

2005-05-27 Thread Steve Bireley
Howard Rifkind [EMAIL PROTECTED] wrote:
We would like to install Secure FTP in our mainframe's TCP/IP configuration
and I have no idea how to do this.

Would someone be kind enough to point me in the right direction where
to start and what manuals to check out, and what to be aware of.

I'm not really prime time with TCP/IP. Thanks.


Howard,

Something to be aware of when using SSL/TLS with FTP is how these
sessions will make it through a firewall.  If your users will be coming
through the Internet to your mainframe FTP server, you may have some
difficulty unless you plan for it up front.  The FTP protocol requires
two connections, a Control connection and a Data connection.  Normally,
a firewall scans the data on the control port looking for the PASV
response from the server that tells the client how to connect the data
port.  Since the data stream is encrypted, the firewall cannot get this
information.  This issue is further compounded when you add Network
Address Translation in the firewall.

To handle the first case, your FTP server must be able to define a
narrow range of ports that it will assign as data ports for the data
connection.  This can be one or more ports. These ports must then be
open on the firewall.  The PASV response from the host will contain the
IP address and port to which the client will connect the data
port.  The firewall will have an open range of ports to accommodate the
data connection.

If NAT is enabled in the firewall, then the FTP server will send back
its true IP address and port, in the PASV response, rather than the
public IP address and port.  Since the firewall cannot see the PASV
response, it cannot fix it on the way as it does with clear text FTP.  To
get around this, some FTP clients and servers support EPSV rather than
PASV. In this case, the FTP server only returns the port number and the
client assumes the IP address to be the same as the control port. In
other cases, the FTP client can be configured to always connect the data
connection to the same IP as the control connection.

Both of these situations can be handled using a Secure FTP Proxy server
that sits in front of a non secure FTP server.  

Good Luck!

Steve Bireley
Vice-President
Product Development
Seagull Software
www.seagullsoftware.com

Seagull Free FTP
BlueZone Secure FTP
BlueZone Terminal Emulation
Seagull Security Server
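
The PASV/EPSV handling described in the message above, as an added Python example that is not part of the original post or of any product's code: it parses both reply forms, always connects the data port to the control connection's address, and reports when the advertised address was not translated or the port falls outside the range opened on the firewall. The addresses, port range and finding names are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428 EPSV reply: 229 ... (|||port|), one delimiter character repeated
EPSV_RE = re.compile(r"\((.)\1\1(\d{1,5})\1\)")


def parse_pasv(reply):
    """Return (ip, port) advertised by the server in a 227 reply."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a PASV reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range in %r" % reply)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_epsv(reply):
    """Return the port from a 229 reply; EPSV carries no address at all."""
    m = EPSV_RE.search(reply)
    if not reply.startswith("229") or not m:
        raise ValueError("not an EPSV reply: %r" % reply)
    port = int(m.group(2))
    if not 0 < port < 65536:
        raise ValueError("port out of range in %r" % reply)
    return port


def data_endpoint(control_ip, reply, allowed_ports):
    """Decide where the client connects the data port, plus any findings."""
    findings = []
    if reply.startswith("229"):
        ip, port = control_ip, parse_epsv(reply)
    else:
        advertised, port = parse_pasv(reply)
        if advertised != control_ip:
            # The control channel is encrypted, so the NAT device could not
            # rewrite the address inside the reply on its way to the client.
            findings.append("nat-mismatch")
            if ipaddress.ip_address(advertised).is_private:
                findings.append("private-address-leaked")
        ip = control_ip  # always reuse the control connection's address
    if port not in allowed_ports:
        findings.append("port-outside-firewall-range")
    return ip, port, findings


# Constructed sample values (documentation address range, not from the thread).
CONTROL_IP = "203.0.113.10"            # public address the client connected to
FIREWALL_RANGE = range(50000, 50010)   # data ports opened on the firewall
REPLIES = [
    "227 Entering Passive Mode (10,1,2,3,195,84)",      # internal IP, port 50004
    "229 Entering Extended Passive Mode (|||50007|)",   # port only
    "227 Entering Passive Mode (203,0,113,10,234,96)",  # port 60000
]

if __name__ == "__main__":
    for r in REPLIES:
        print(r, "->", data_endpoint(CONTROL_IP, r, FIREWALL_RANGE))
```
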



Re: Secure FTP on the Mainframe

2005-05-27 Thread Howard Rifkind
Ulrich,
 
Can sFTP and FTP reside within the same z/OS partition and be used at the same 
time?
 
For instance, one person is FTP'ing a secure document using sFTP and another is 
using just plain old FTP for something else

Ulrich Boche [EMAIL PROTECTED] wrote:
Howard Rifkind wrote:

 We would like to install Secure FTP in our mainframe's TCP/IP configuration and 
 I have no idea how to do this.
 
 Would someone be kind enough to point me in the right direction where to 
 start and what manuals to check out, and what to be aware of.
 
 I'm not really prime time with TCP/IP. Thanks.
 

Which kind of secure FTP are you looking for? There are two:

1. FTP (the ftpd daemon) with SSL/TLS support, commonly called ftps:

2. SFTP, a secure file transfer protocol implemented by OpenSSH.

The protocols are incompatible but both are available on z/OS. The UNIX 
people usually prefer SFTP.
-- 
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner



Re: Secure FTP on the Mainframe

2005-05-26 Thread Richard Pinion
Would you be interested in using FTP with SSL/TLS support?  If so, it is 
already installed.   You need some parms and commands which I or other users of 
ibm-main can provide. 

 [EMAIL PROTECTED] 05/26/05 10:21AM 
We would like to install Secure FTP in our mainframe's TCP/IP configuration and I 
have no idea how to do this.
 
Would someone be kind enough to point me in the right direction where to start 
and what manuals to check out, and what to be aware of.
 
I'm not really prime time with TCP/IP.  Thanks.




Re: Secure FTP on the Mainframe

2005-05-26 Thread Hal Merritt
The manuals are confusing as they seem to be focused on Websphere and
assume that is what you want to do. So far, I have achieved a secure
transfer, or at least so say the messages. I created the CA cert on one
system, then exported/imported it to another. Both systems are z/os 1.4
but do not share RACF. Changing the FTPSDATA requires a recycle of FTP
(P FTPD1, S FTPD). 

I am still baffled by the certificate process. I posed a plea for help
on the RACF list, and received two replies that I have not yet studied.
One suggested: 
http://www-306.ibm.com/software/network/commserver/zos/library/  

Another from Wai Choi - RACF Development. I will post that separately.  

NOTE: THE FOLLOWING IS FROM MY TESTING NOTES. TEST RESULTS ARE
ENCOURAGING, BUT I HAVE NO IDEA IF/HOW THIS WOULD APPLY TO ANYONE ELSE.
I STILL DON'T KNOW IF THIS IS THE CORRECT PROCESS. YMMV.  

IF YOU OR ANY OF YOUR STAFF ARE CAUGHT OR KILLED, THE SECRETARY WILL
DISAVOW... oops, sorry, wrong disclaimer. 

ICSF is not required, but highly recommended.

The invocation (last steps below) still needs polishing. The DEBUG
statements may not be appropriate for prime time. My notes:   

1. Build CA CERT

  RACDCERT CERTAUTH GENCERT -  
SUBJECTSDN( -  
 .
   
2. Build personal certs
   a.   FTPD

  RACDCERT ID(FTPD) GENCERT - 
SUBJECTSDN( - 
  
   SIGNWITH(CERTAUTH -
  LABEL('from above'))   

   b.   User

  RACDCERT ID(myid) GENCERT -   
SUBJECTSDN( -  
 ..
   SIGNWITH(CERTAUTH - 
  LABEL('from above'))


3. Activate and RACLIST classes DIGTCERT DIGTRING
4. Add FACILITY IRR.DIGTCERT.LISTRING and permit.
5. Build key rings.
   a. FTPD
   b.   User
6. Connect both CA and personal certs to keyrings.
7. Add to server SYS1.TCPPARMS(FTPSDATA):

DEBUG SEC ; Helpful

 ACCESSERRORMSGS  ; Send detailed login failure replies   
 KEYRING thekeyringname   ; Cert keyring for the server FTPDx

 EXTENSIONS AUTH_TLS  ; Activate SSL support  

8. Add to client //SYSFTPD DD DISP=SHR,DSN=my.parmlib(FTPSSL1) which
contains:

  DEBUG SOC(2)  
  CLIENTERRCODES TRUE   
  KEYRING mykeyring 
  SECURE_DATACONN PRIVATE   
  SECURE_MECHANISM  TLS   

9.  Invoke FTP:

//S001 EXEC PGM=FTP,PARM='-v -d -e -r TLS'



Re: Secure FTP on the Mainframe

2005-05-26 Thread Hal Merritt
And here is the cross-posting from the RACF list as promised:

QUOTE:
This is a foil that I presented in SHARE and Vanguard. People think this
helps them to clear things out.  Would it help you?

Given: 
-   CA1 is the CA cert which signed the server cert S
-   CA2 is the CA cert which signed the client cert C
-   Ring X is the server's key ring, ring Y is the client's key ring

Question:
What cert(s) needed in ring X? in ring Y?
-   For Server authentication
    Ring X: CA1, S          Ring Y: CA1
-   For Client authentication (implies server authentication too)
    Ring X: CA1, S, CA2     Ring Y: CA2, C, CA1
Further thinking:
Would it be simpler (for which case?) if both the server and client
certs were signed by the same CA cert, say CA1? How do the rings look
like?

Regards,
Wai 


Wai Choi - RACF Development
Tie-line:295-7623
External: (845)435-7623
Internet: [EMAIL PROTECTED]

END QUOTE.



Re: Secure FTP on the Mainframe

2005-05-26 Thread Dave Gibney

   I've just recently done both secure FTP and TN3270 in z/OS 1.4
I used the redbook volume 7. I found gskkyman just as confusing as RACF, so 
I used RACF :)
   I also need to thank Sam for pointing out Filezilla, which is a good 
FTP client and supports TLS
   One recommendation I would make is to set up your RACDCERT command in 
batch TSO JCL.

It's a lot easier to see the errors.

At 12:41 PM 5/26/2005 -0400, you wrote:
Nothing wrong with using RACF for the CERT stuff but you can generate 
CERTS from OMVS using gskkyman.  Maybe it is better to learn to crawl 
first rather than trying to run.


 [EMAIL PROTECTED] 05/26/05 12:32PM 
And here is the cross-posting from the RACF list as promised:



Dave Gibney          [EMAIL PROTECTED]
System Programmer    (509) 335-7359
Information Technology
Washington State University
Pullman, WA 99164-1222



Re: Secure FTP on the Mainframe

2005-05-26 Thread Richard Pinion
I can't remember what I had to do to activate gskkyman.  Oh yes, I had to add 
GSK.SGSKLOAD
to PROG00 for APF and LNKLIST.  Run gskkyman from TSO/OMVS.  Once I had done 
the z/OS setup
as below I had to work with the network guys to punch a hole thru our firewall 
to allow FTP SSL.

Here are the parms that I have in SYSFTPD

//SYSFTPD  DD *
; -
;
; 7. Security options
;
; -

 SECURE_MECHANISM  TLS       ; Name of the security mechanism
                             ; that the client uses when it
                             ; sends an AUTH command to the
                             ; server.
                             ; GSSAPI = Kerberos support
                             ; TLS    = TLS

SECURE_FTP         REQUIRED  ; Authentication indicator
                             ; ALLOWED        (D)
                             ; REQUIRED

 SECURE_CTRLCONN   private   ; Minimum level of security for
                             ; the control connection
                             ; CLEAR          (D)
                             ; SAFE
                             ; PRIVATE

 SECURE_DATACONN   private   ; Minimum level of security for
                             ; the data connection
                             ; NEVER
                             ; CLEAR          (D)
                             ; SAFE
                             ; PRIVATE


;SECURE_PBSZ       16384     ; Kerberos maximum size of the
                             ; encoded data blocks
                             ; Default value is 16384
                             ; Valid range is 512 through 32768

; Name of a ciphersuite that can be passed to the partner during
; the TLS handshake. None, some, or all of the following may be
; specified. The number to the far right is the cipherspec id
; that corresponds to the ciphersuite's name.
 CIPHERSUITE   SSL_DES_SHA       ; 09
 CIPHERSUITE   SSL_3DES_SHA      ; 0A
CIPHERSUITE   SSL_NULL_MD5      ; 01
CIPHERSUITE   SSL_NULL_SHA      ; 02
CIPHERSUITE   SSL_RC4_MD5_EX    ; 03
CIPHERSUITE   SSL_RC4_MD5       ; 04
CIPHERSUITE   SSL_RC4_SHA       ; 05
CIPHERSUITE   SSL_RC2_MD5_EX    ; 06

KEYRING   /ftp/ssl/mykeyring    ; Name of the keyring for TLS
                                ; It can be the name of an HFS
                                ; file (name starts with /) or
                                ; a resource name in the security
                                ; product (e.g., RACF)

TLSTIMEOUT        060           ; Maximum time limit between full
                                ; TLS handshakes to protect data
                                ; connections
                                ; Default value is 100 seconds.
                                ; Valid range is 0 through 86400
 ;
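
A review check for statements like those in the SYSFTPD sample above, as an added Python example that is not part of the original post or IBM's code: it parses the FTP.DATA layout (statement, value, `;` comment), applies the defaults the sample marks with (D) when a statement is absent or commented out, and decodes a cipherspecs string such as the `03040506090A` printed in the ftpAuth trace earlier in the thread. The weakness labels and the sample configuration are this example's own assumptions.

```python
# Cipherspec ids and names as listed in the SYSFTPD sample on this page.
CIPHERSPECS = {
    "01": "SSL_NULL_MD5", "02": "SSL_NULL_SHA", "03": "SSL_RC4_MD5_EX",
    "04": "SSL_RC4_MD5", "05": "SSL_RC4_SHA", "06": "SSL_RC2_MD5_EX",
    "09": "SSL_DES_SHA", "0A": "SSL_3DES_SHA",
}
# Defaults marked (D) in that sample's comments.
DEFAULTS = {"SECURE_FTP": "ALLOWED", "SECURE_CTRLCONN": "CLEAR",
            "SECURE_DATACONN": "CLEAR"}


def weakness(suite):
    """Return why a suite is weak, or None (labels are this example's policy)."""
    if "_NULL_" in suite:
        return "no encryption"
    if suite.endswith("_EX"):
        return "export-grade 40-bit key"
    if "_DES_" in suite:          # does not match SSL_3DES_SHA
        return "56-bit DES"
    if "_RC4_" in suite:
        return "RC4, prohibited for TLS by RFC 7465"
    return None


def parse_ftpdata(text):
    """Return active (statement, value) pairs; ';' starts a comment."""
    stmts = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("//"):   # skip blanks and JCL cards
            continue
        parts = line.split(None, 1)
        stmts.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return stmts


def lint(text):
    """List findings for TLS enforcement levels and cipher suites."""
    settings, suites = dict(DEFAULTS), []
    for key, value in parse_ftpdata(text):
        if key == "CIPHERSUITE":
            suites.append(value.upper())
        elif key in DEFAULTS:
            settings[key] = value.upper()
    findings = []
    if settings["SECURE_FTP"] != "REQUIRED":
        findings.append("SECURE_FTP %s: TLS not enforced" % settings["SECURE_FTP"])
    for key in ("SECURE_CTRLCONN", "SECURE_DATACONN"):
        if settings[key] in ("CLEAR", "NEVER"):
            findings.append("%s %s: cleartext permitted" % (key, settings[key]))
    for suite in suites:
        reason = weakness(suite)
        if reason:
            findings.append("CIPHERSUITE %s: %s" % (suite, reason))
    return findings


def decode_cipherspecs(hexstr):
    """Split a trace value such as 03040506090A into (id, name, weakness)."""
    ids = [hexstr[i:i + 2].upper() for i in range(0, len(hexstr), 2)]
    return [(c, CIPHERSPECS.get(c, "unknown"), weakness(CIPHERSPECS.get(c, "")))
            for c in ids]


# Constructed sample in the page's FTP.DATA layout (not anyone's real config).
SAMPLE = """\
; constructed sample
 SECURE_MECHANISM  TLS
 SECURE_CTRLCONN   PRIVATE
;SECURE_DATACONN   PRIVATE        ; commented out, so the default applies
 CIPHERSUITE       SSL_3DES_SHA   ; 0A
 CIPHERSUITE       SSL_NULL_SHA   ; 02
 CIPHERSUITE       SSL_RC4_MD5_EX ; 03
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
    print(decode_cipherspecs("03040506090A"))
```
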

Re: Secure FTP on the Mainframe

2005-05-26 Thread Ulrich Boche

[EMAIL PROTECTED] wrote:

There must be something in the air or water, or maybe you have a spy here.
I was just asked the same thing.

I tried to get a 3270 emulator to support SSL/TLS but was told by our
manager that SSL had nothing to do with encryption so forget it.

Anyway, I'm in the process of trying to install the ICSF and have also found
some keywords in the IP Configuration manual for secure FTP.

Craig



Sorry to say but your manager is absolutely, positively clueless. SSL or 
TLS definitely has to do with encryption. From a security standpoint, it 
is one of the best implementations of encryption methods available today.


The TN3270E server on z/OS supports SSL and TLS for encrypted sessions, 
optionally even to the point of authenticating users with digital 
certificates.

--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner



Re: Secure FTP on the Mainframe

2005-05-26 Thread Ulrich Boche

Howard Rifkind wrote:


We would like to install Secure FTP in our mainframe's TCP/IP configuration and I 
have no idea how to do this.
 
Would someone be kind enough to point me in the right direction where to start and what manuals to check out, and what to be aware of.
 
I'm not really prime time with TCP/IP.  Thanks.




Which kind of secure FTP are you looking for? There are two:

1. FTP (the ftpd daemon) with SSL/TLS support, commonly called ftps:

2. SFTP, a secure file transfer protocol implemented by OpenSSH.

The protocols are incompatible but both are available on z/OS. The UNIX 
people usually prefer SFTP.

--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner



Re: Secure FTP on the Mainframe

2005-05-26 Thread Vik
I think this would really help you to get going with what you want --
 
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/F1A1B340/2.3.10?SHELF=F1A1BK50DT=20040609153838
 
Please have a look into the following REDBOOK (lists the key ring set up):
 
SG24-6840-00 Communications Server for z/OS V1R2 TCP/IP Implementation 
Guide Volume 7: Security   Chapters 9 & 10 mostly I think! 
 
Link -- http://www.redbooks.ibm.com/redbooks/pdfs/sg246840.pdf
 
-Vik


Howard Rifkind [EMAIL PROTECTED] wrote:
We would like to install Secure FTP in our mainframe's TCP/IP configuration
and I have no idea how to do this.

Would someone be kind enough to point me in the right direction where to start 
and what manuals to check out, and what to be aware of.

I'm not really prime time with TCP/IP. Thanks.


