Using secure FTP


The ThruPut Manager FTP server from Compuware (ftp.mvssol.com) supports explicit secure FTP (AUTH TLS) connections, using port 21 for the control channel and the passive port range 50000-50009 for secure data connections.

If an FTP client requests secure authentication when connecting to ftp.mvssol.com, the server responds with its certificate, which is signed by Thawte. If the FTP client already trusts the Thawte root CA, it proceeds with the login attempt to ftp.mvssol.com; otherwise the configuration changes described below are required.

With a PC-based FTP client, a dialog should prompt the user during the connection process, asking whether or not to accept the certificate as valid.

For mainframe host FTP, the Thawte Primary Root CA certificate must be saved as a sequential data set with DCB: RECFM=VB, LRECL=80, BLKSIZE=6160 and added to a KEYRING (RACF/ACF2/TOP SECRET).

The following JCL is used to add the Thawte Primary Root CA certificate to a RACF KEYRING.

Adjust indicated fields to suit the local RACF environment and change FTPUSER to the RACF userid that will be used by the FTP JCL:

//ADDCERT EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /* Here we add the Thawte CA certificate from the sequential data set */
 RACDCERT CERTAUTH ADD('YOUR.THAWTE.CERT.DSN') +
   TRUST WITHLABEL('THAWTE PRIMARY')
 /* Here we define a ring for the user FTPD */
 /* Use any ID that matches the KEYRING value in FTP.DATA */
 RACDCERT ADDRING(MVSSSSL) ID(FTPD)
 /* Here we connect the Thawte CA to the FTPD ring */
 RACDCERT ID(FTPD) CONNECT(CERTAUTH LABEL('THAWTE PRIMARY') +
   RING(MVSSSSL) USAGE(CERTAUTH) DEFAULT)
 /* Confirm our changes */
 RACDCERT CERTAUTH LIST(LABEL('THAWTE PRIMARY'))
 RACDCERT LISTRING(MVSSSSL) ID(FTPD)
 SETROPTS RACLIST(FACILITY, DIGTCERT, DIGTRING) REFRESH
 /* Give the user running the FTP client UPDATE access */
 /* The FTP job may get ICH408I ACCESS INTENT(UPDATE) */
 /* ACCESS ALLOWED(READ) if permissions are not correct */
 PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(FTPUSER) ACCESS(UPDATE)
 SETROPTS RACLIST(FACILITY) REFRESH
/*

Once the certificate is active in the RACF KEYRING, you can execute your FTP JCL. The Compuware ThruPut Manager team recommends appending the following to your FTP.DATA settings, which you can override in your FTP job using the SYSFTPD DD statement:

EXTENSIONS       AUTH_TLS      ; Enable RFC 2640 support.
TLSMECHANISM                   ; Use AT-TLS
SECURE_MECHANISM TLS           ; Name of the security mechanism
SECURE_FTP       REQUIRED      ; Authentication indicator
SECURE_CTRLCONN  PRIVATE       ; Minimum level of security for
SECURE_DATACONN  PRIVATE       ; SAFE and PRIVATE same for TLS
FWFRIENDLY       TRUE          ; (S) Use firewall friendly protocol
KEYRING          FTPD/MVSSSSL  ; User/keyring syntax seems to be required; each user needs UPDATE to IRR.DIGTCERT.LISTRING (FACILITY)
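A batch FTP client job that applies the settings above through the SYSFTPD DD statement, added here as an example and not taken from the Compuware page. The job card, the FTPUSER password, the data set names and the transferred file are placeholders, and the TLSMECHANISM line, whose value the page does not give, is left out.

```jcl
//FTPSSL   JOB (ACCT),'SECURE FTP',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example: batch FTP client with FTP.DATA overrides in SYSFTPD.
//* Placeholders: job card, password, YOUR.LOCAL.DSN, remote file name.
//* The '(EXIT' parameter makes the step end with a non-zero return
//* code if TLS negotiation, login or the transfer fails.
//FTPSTEP  EXEC PGM=FTP,PARM='ftp.mvssol.com (EXIT'
//SYSPRINT DD SYSOUT=*
//OUTPUT   DD SYSOUT=*
//* Client FTP.DATA overrides (same settings as listed above)
//SYSFTPD  DD *
EXTENSIONS       AUTH_TLS      ; Enable RFC 2640 support
SECURE_MECHANISM TLS           ; Name of the security mechanism
SECURE_FTP       REQUIRED      ; Do not fall back to a clear-text session
SECURE_CTRLCONN  PRIVATE       ; Control connection must be encrypted
SECURE_DATACONN  PRIVATE       ; Data connections must be encrypted
FWFRIENDLY       TRUE          ; Passive data connections (ports 50000-50009)
KEYRING          FTPD/MVSSSSL  ; Ring holding the Thawte Primary Root CA
/*
//* FTP subcommands: user ID, password, then the transfer
//INPUT    DD *
FTPUSER
PASSWORD-PLACEHOLDER
binary
get remote.file 'YOUR.LOCAL.DSN'
quit
/*
```

Supply the INPUT stream from a RACF-protected data set rather than leaving the password in the job stream, and check SYSPRINT for the ICH408I message noted in the RACDCERT job if the keyring cannot be read.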
