This is how we have TLS set up for FTP on z/OS 1.7.

;********************************************************************
; SECURITY OPTIONS
;********************************************************************
SECURE_MECHANISM TLS          ; prefer tls but handle ssl
SECURE_FTP ALLOWED            ; ALLOW TLS/SSL CONNECTIONS
SECURE_CTRLCONN PRIVATE       ; MINIMUM LEVEL FOR CONTROL CONN
SECURE_DATACONN PRIVATE       ; MINIMUM LEVEL FOR DATA CONN
CIPHERSUITE SSL_DES_SHA
CIPHERSUITE SSL_3DES_SHA
KEYRING FTPD/ftpkeyring       ; userid/keyring name
FWFRIENDLY TRUE               ; Be Firewall Friendly or passive

FTPD is the userid in RACF and must be uppercase. The keyring name 'ftpkeyring' is case sensitive and must match the keyring name in RACF. Attached to that keyring are all certificates for the various CA's being used.

Just as a note: FTPD is NOT the userid assigned to the job. By using the userid/keyringname we have a common ftp keyring for all uses.

Brad Wissink
Information Technology Services
Iowa State University
515-294-3088

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Chase, John
Sent: Wednesday, October 17, 2007 9:27 AM
To: [email protected]
Subject: Re: FTPS

> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Ron Wells
>
> Will try cross posting here too..
>
> ----- Forwarded by Ron Wells/AGFS/AGFin on 10/17/2007 09:07 AM -----
>
> Ron Wells/AGFS/AGFin
> 10/17/2007 09:05 AM
>
> To
> IBM TCP/IP List <[EMAIL PROTECTED]>
> cc
>
> Subject
> Re: FTPS
>
> Anyone out there run across following...
> Running z/OS1.7...
> setting up---trying to...FTPS
> Verisign Cert..TLS
>
> Getting following and not understanding...maybe RACF setup but??
>
> BPXF024I (STC1) Oct 17 09:00:26 AGFEI ftps 67109759 : FR2147 ftpAuth:
> 716
> TLS init failed with rc = 202 (Error detected while opening the key
> database)

How have you specified the KEYRING parm in FTP.DATA? It's case-sensitive......

If you've properly configured a keyring in RACF, it should have both the signing CA's cert as "certauth" and the server's "personal" cert as "default".

    -jc-

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
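
As an added example (not part of the thread and not IBM tooling), this Python check parses FTP.DATA security statements and flags the KEYRING case problems discussed above; it goes slightly beyond the thread by also flagging the single-DES suite and SECURE_FTP ALLOWED. The finding codes and the `racf_rings` parameter are assumptions of this example, and the sample input is constructed from the statements quoted in the thread.

```python
# Added example (not from the thread): lint the security statements of an FTP.DATA file.

# Constructed sample: the statements quoted in the message above.
SAMPLE = """\
; SECURITY OPTIONS
SECURE_MECHANISM TLS      ; prefer tls but handle ssl
SECURE_FTP ALLOWED        ; ALLOW TLS/SSL CONNECTIONS
SECURE_CTRLCONN PRIVATE   ; MINIMUM LEVEL FOR CONTROL CONN
SECURE_DATACONN PRIVATE   ; MINIMUM LEVEL FOR DATA CONN
CIPHERSUITE SSL_DES_SHA
CIPHERSUITE SSL_3DES_SHA
KEYRING FTPD/ftpkeyring   ; userid/keyring name
"""

def parse(text):
    """Return [(KEYWORD, value)] for each statement, ';' comments stripped."""
    stmts = []
    for line in text.splitlines():
        tokens = line.split(";", 1)[0].split()
        if len(tokens) >= 2:
            stmts.append((tokens[0].upper(), tokens[1]))
    return stmts

def lint(text, racf_rings=None):
    """Return [(code, detail)]. racf_rings is a hypothetical caller-supplied set of
    'USERID/ringname' strings copied exactly as RACF lists them."""
    findings = []
    for key, val in parse(text):
        if key == "KEYRING":
            owner, sep, _ring = val.partition("/")
            if sep and owner != owner.upper():
                findings.append(("KEYRING_OWNER_CASE", val))
            elif racf_rings is not None and val not in racf_rings:
                # Same name in a different case is the mismatch the thread warns about.
                close = [r for r in racf_rings if r.lower() == val.lower()]
                code = "KEYRING_CASE_MISMATCH" if close else "KEYRING_NOT_FOUND"
                findings.append((code, val))
        elif key == "CIPHERSUITE" and val.upper() == "SSL_DES_SHA":
            findings.append(("WEAK_CIPHER", val))       # single DES, 56-bit key
        elif key == "SECURE_FTP" and val.upper() == "ALLOWED":
            findings.append(("TLS_OPTIONAL", val))      # client may skip TLS entirely
    return findings

if __name__ == "__main__":
    for code, detail in lint(SAMPLE, racf_rings={"FTPD/FTPKEYRING"}):
        print(code, detail)
```

Pass `racf_rings` the owner/ring names exactly as they appear in your RACF keyring listing so the comparison is case-exact.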

