Hey Charles,

No nuclear secrets here. I've been pulled kicking & screaming into adding this
level of security anyway.

I'm shooting for the absolute easiest way to give any z/OS and z/VSE customer
the ability to upload a file to a server that requires a secured connection. I
don't see a way around the certificates, but at least I have been able to set
up a single job a RACF admin could run to set up a keyring they can use. But I
couldn't find a combination of parameters that would get SSL or TLS 1.1 working
with this particular server (that I don't control).

I used the info from that URL because one of the last things I want to do is
require customers to set up a TLS policy just to upload a file. By forcing TLS
1.2 and these other SYSFTPD parameters, I think I can at least keep away from
having to get into any (other than RACF) system-type files:

//FTPXFER EXEC PGM=FTP,REGION=4292K,
// PARM=('POSIX(ON) ALL31(ON)',
// 'ENVAR("GSK_PROTOCOL_TLSV1_2=ON")/(EXIT')
//SYSFTPD DD *
CLIENTERRCODES EXTENDED
EPSV4 TRUE
EXTENSIONS AUTH_TLS
FWFRIENDLY TRUE
KEYRING TCPIP/MACK.FTP.KEYRING
PASSIVEIGNOREADDR TRUE
SECUREIMPLICITZOS FALSE
SECURE_FTP REQUIRED
SECURE_MECHANISM TLS
SECURE_DATACONN PRIVATE
SECURE_CTRLCONN PRIVATE
SECURE_HOSTNAME REQUIRED
TLSMECHANISM FTP
TLSRFCLEVEL CCCNONOTIFY
//*
//INPUT DD *
(Normal, non-FTPS commands still go here)

(Bernd, you were spot-on. I answered my own question the same way about
midnight last night.)

I'm just glad it works!

Wendell
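
An added example, not part of Wendell's message and not IBM tooling: a Python check that pulls the SYSFTPD in-stream statements out of a job like the one above and reports any setting that departs from the values he posted, for instance one that would let the client carry on without TLS. The function names and the choice of baseline are assumptions of this example, and the sample job is constructed from the statements in the post.

```python
import re
# Baseline taken from the SYSFTPD statements in the post (assumption of this example).
REQUIRED = {
    "SECURE_FTP": "REQUIRED",       # no session without TLS
    "SECURE_MECHANISM": "TLS",
    "SECURE_CTRLCONN": "PRIVATE",   # control connection encrypted
    "SECURE_DATACONN": "PRIVATE",   # data connection encrypted
    "SECURE_HOSTNAME": "REQUIRED",  # host name checked against the certificate
}

def sysftpd_statements(jcl):
    """Return {KEYWORD: value} from the in-stream data of the SYSFTPD DD."""
    stmts, inside = {}, False
    for line in jcl.splitlines():
        if line.startswith(("//", "/*")):   # a JCL statement ends in-stream data
            inside = re.match(r"//SYSFTPD\s+DD\s+\*", line) is not None
            continue
        words = line.split(";", 1)[0].split()   # ';' starts an FTP.DATA comment
        if inside and words:
            stmts[words[0].upper()] = " ".join(words[1:])
    return stmts

def audit(jcl):
    """Return a list of findings; an empty list means the baseline is met."""
    stmts, findings = sysftpd_statements(jcl), []
    for key, want in REQUIRED.items():
        got = stmts.get(key, "").upper()
        if got != want:
            findings.append(f"{key}: expected {want}, found {got or 'no statement'}")
    if not stmts.get("KEYRING"):
        findings.append("KEYRING: no key ring named")
    if "GSK_PROTOCOL_TLSV1_2=ON" not in jcl.upper():
        findings.append("EXEC PARM: GSK_PROTOCOL_TLSV1_2=ON not set")
    return findings

# Constructed sample: the job from the post, shortened, and a weakened copy.
GOOD_JOB = """\
//FTPXFER EXEC PGM=FTP,
// PARM=('ENVAR("GSK_PROTOCOL_TLSV1_2=ON")/(EXIT')
//SYSFTPD DD *
KEYRING TCPIP/MACK.FTP.KEYRING
SECURE_FTP REQUIRED
SECURE_MECHANISM TLS
SECURE_DATACONN PRIVATE
SECURE_CTRLCONN PRIVATE
SECURE_HOSTNAME REQUIRED
//*
"""
WEAK_JOB = GOOD_JOB.replace("SECURE_FTP REQUIRED", "SECURE_FTP ALLOWED").replace("SECURE_DATACONN PRIVATE\n", "")
```

audit(GOOD_JOB) returns an empty list; audit(WEAK_JOB) returns one finding for SECURE_FTP and one for the missing SECURE_DATACONN statement.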