Anything SFTP on Open/SSH will never use AT-TLS

FTPS - is IBM's FTP program not using PORT 21 and running in secured mode, 
set up to force authentication and use AT/TLS for encryption.

MS
-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Tom 
Brennan
Sent: Tuesday, June 30, 2020 1:19 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

Do you know if either of those require AT-TLS?  When I installed and configured 
SSHD last (a couple of years ago) it did its own encryption. 
I never worked with anything called FTPS.

On 6/30/2020 10:12 AM, Marshall Stone wrote:
> There are 2 types of FTP in use today on most mainframes.
> 
> SFTP  - which uses Open/SSH (SSHAGNT as client and SSHD as a server) 
> and the encryption/authentication is generally provided by the use of 
> RSA/DSA public/private key pairs. The public keys are exchanged and 
> stored in known_hosts files (if acting as client) or authorized_keys 
> file (if acting as server) - Uses Server PORT 22 and ephemeral ports
> 
> FTPS - completely different mechanism; the AT/TLS functions are 
> provided by ICSF and policy agent (PAGENT) - You must configure an 
> FTPS TLS rule to allow the connection, and the partner side also will 
> require a similar rule. The encryption/authentication come from the 
> PAGENT rule and the use of X.509 certificates.  These are exchanged 
> between partners and loaded onto the RACF keyring. The PAGENT rule 
> points back to the keyring. - Uses Server PORT 990 by an old implicit 
> default; most sites use a different port and connect clients with 
> ephemeral port ranges. FTPS handles MVS datasets better; if possible, 
> use FTPS for MF to MF and use SFTP for MF to other 
> platforms (MS, UNIX, etc.)
> 
> MS
> 
> -----Original Message-----
> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On 
> Behalf Of Tom Brennan
> Sent: Tuesday, June 30, 2020 12:58 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
> 
> I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar 
> last week, but I'm still missing what I imagine are important background 
> points.  Maybe someone here can explain things, but don't worry too much 
> about it.
> 
> Client and server programs like SSH/SSHD call programs such as OpenSSL 
> to handle the encryption handshake and processing.  So when you set 
> those up, there is no AT-TLS needed for encryption.  Same with the
> TN3270 server and client, as long as you set that up with keys and parameters 
> on the host side, and settings on the client side.
> 
> I'm thinking because of the name "Application Transparent" that AT-TLS was 
> made for programs that DON'T have their own logic to call OpenSSL (or 
> whatever) to do their own encryption.  Let's use clear-text FTP as an 
> example.  So somehow, AT-TLS hooks into the processing and provides an 
> encrypted "tunnel", kind of like VPN does, but only for that one application. 
>  Does that sound correct?
> 
> If so, then the encryption is "transparent" to the FTP server code and FTP 
> does not need to be changed, which I think is the whole idea here.
> Yet we now have an encrypted session.  Does that sound correct?
> 
> Then if so, what happens on the FTP client side?  I certainly can't use the 
> Windows FTP command, for example, because it's not set up for any kind of 
> encryption.  That's kind of my big question here.
> 
> On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
>> Sweet - thank you
>>
>>
>> Lionel B. Dyck <sdg><
>> Website: https://www.lbdsoftware.com
>>
>> "Worry more about your character than your reputation.  Character is 
>> what you are, reputation merely what others think you are." - John 
>> Wooden
>>
>> -----Original Message-----
>> From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On 
>> Behalf Of kekronbekron
>> Sent: Tuesday, June 30, 2020 2:34 AM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: Re: AT-TLS ?
>>
>> Hi LBD!,
>>
>> Check these out-
>>
>>
>> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
>> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
>> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
>>
>> - KB
>>
>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>> On Monday, June 29, 2020 3:56 AM, Lionel B Dyck <lbd...@gmail.com> wrote:
>>
>>> Anyone have any pointers for configuring AT-TLS on z/OS?
>>>
>>> Lionel B. Dyck <sdg><
>>> Website: https://www.lbdsoftware.com
>>>
>>> "Worry more about your character than your reputation. Character is 
>>> what you are, reputation merely what others think you are." - John 
>>> Wooden
>>>
>>>
>>> ----------------------------------------------------------------------
>>>
>>> For IBM-MAIN subscribe / signoff / archive access instructions, send 
>>> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>
> 
> 
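
The paired Policy Agent rules described in the thread (an FTPS TLS rule on the server and a similar one on the partner, each pointing back to a keyring), sketched as an added example that is not from the thread or from any site's policy. The rule, action and keyring names and port 2121 are placeholders.

```conf
# Added example: AT-TLS policy statements for FTPS on both partners.
# All names, keyrings and the port number are placeholders.

# Server side: inbound connections to the FTP server's control port.
TTLSRule FTPS_Server_In
{
  LocalPortRange            2121
  Direction                 Inbound
  TTLSGroupActionRef        grp_FTPS
  TTLSEnvironmentActionRef  env_FTPS_Server
}

# Partner (client) side: outbound connections to that same port.
TTLSRule FTPS_Client_Out
{
  RemotePortRange           2121
  Direction                 Outbound
  TTLSGroupActionRef        grp_FTPS
  TTLSEnvironmentActionRef  env_FTPS_Client
}

TTLSGroupAction grp_FTPS
{
  TTLSEnabled               On
}

# HandshakeRole ServerWithClientAuth would also demand a client certificate.
# ApplicationControlled lets FTP start the handshake itself after AUTH;
# SecondaryMap applies the same policy to the FTP data connections.
TTLSEnvironmentAction env_FTPS_Server
{
  HandshakeRole             Server
  TTLSKeyringParms
  {
    Keyring                 FTPSRing
  }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled   On
    SecondaryMap            On
  }
}
# env_FTPS_Client has the same shape with HandshakeRole Client and a
# keyring that holds the CA certificate needed to trust the server.
```

With this in place, each side's FTP.DATA carries TLSMECHANISM ATTLS so that FTP leaves the TLS work to the policy above instead of doing it in its own code.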
