What I have may not be the best. This is my first attempt at this.
And, I'm no expert in this area. If you see things that I shouldn't
be using, please let me know. This is what I cobbled together
from the zOSMF Network thing, and Googling. So, please be
kind in your criticism.
TTLSRule FTPRule
{
LocalPortRange 0
Direction Both
TTLSGroupActionRef FTPGroup
TTLSEnvironmentActionRef FTPEnvironment
TTLSConnectionActionRef FTPConnectAct
}
TTLSGroupAction FTPGroup
{
TTLSEnabled On
Trace 254
}
TTLSEnvironmentAction FTPEnvironment
{
HandshakeRole ServerWithClientAuth
TTLSKeyRingParms
{
Keyring /usr/local/certificates/BCI.kdb
KeyringStashFile /usr/local/certificates/BCI.sth
}
}
TTLSConnectionAction FTPConnectAct
{
TTLSConnectionAdvancedParmsRef FTPAdvPrm
Trace 254
}
TTLSConnectionAdvancedParms FTPAdvPrm
{
SecondaryMap On
ApplicationControlled On
TLSv1 On
TLSv1.1 On
TLSv1.2 On
}
-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of
Marshall Stone
Sent: Wednesday, October 28, 2020 11:09 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] z/OS 2.4 and FTP server with FTP ATTLS verifying client
certificates
[External Email. Exercise caution when clicking links or opening attachments.]
Reply with your PAGENT rules for FTPS - you need a client and a server rule
-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of
PINION, RICHARD W.
Sent: Wednesday, October 28, 2020 10:43 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] z/OS 2.4 and FTP server with FTP ATTLS verifing client
certificates
I've been working with z/OS 2.4's FTP server using AT-TLS with certificates for
the last few days. PAGENT is setup, and it seems to be functioning correctly.
I've finally gotten to the point of the client sending in a certificate and
logging on without having to specify a password, which is what I wanted.
I'm using Core FTP LE as my ftp client.
I'm almost through the door, so to speak, but when I get to the point of
getting a directory listing on Core FTP, on the z/OS side I get this error.
protDataConnAttls: ioctl() failed on SIOCTTLSCTL - EDC8148I Protocol error.
(errno2=0x77B70291)
At this point the TLS negotiation fails, and the data connection is closed.
Below the EDC8148I message text are my FTP Server options. One more piece of
information, z/OS 2.4 is running under VM.
Looking up EDC8184I,
EDC8148I Protocol error.
Explanation
A protocol error occurred. This error is device-specific, but is usually not
caused by a hardware failure.
System action
The request fails. The application continues to run.
Programmer response
Proceed with cleanup of the application resources, and then close the socket.
When the socket has been freed, the application may begin the process again.
My z/OS FTP server options are,
TLSMECHANISM ATTLS
EXTENSIONS AUTH_TLS ; Enable TLS authentication
; Default is disabled.
SECURE_FTP ALLOWED ; Authentication indicator
; ALLOWED (D)
; REQUIRED
SECURE_LOGIN VERIFY_USER ; Authorization level indicator
; for TLS
; NO_CLIENT_AUTH (D)
; REQUIRED
; VERIFY_USER
SECURE_PASSWORD OPTIONAL ; REQUIRED (D) - User must enter
password
; OPTIONAL - User does not have to
; enter a password
; This setting has meaning only
; for TLS when implementing client
; certificate authentication
SECURE_CTRLCONN PRIVATE ; Minimum level of security for
; the control connection
; CLEAR (D)
; SAFE
; PRIVATE
SECURE_DATACONN PRIVATE ; Minimum level of security for
; the data connection
; NEVER
; CLEAR (D)
; SAFE
; PRIVATE
SECURE_PBSZ 16384 ; Kerberos maximum size of the
; encoded data blocks
; Default value is 16384
; Valid range is 512 through 32768
SECURE_SESSION_REUSE REQUIRED ; Specify whether session reuse is
; required when SSL/TLS is being
; used to protect the connections
; ALLOWED (D)
password
; OPTIONAL - User does not have to
; enter a password
; This setting has meaning only
; for TLS when implementing client
; certificate authentication
CIPHERSUITE SSL_NULL_MD5 ; 01
CIPHERSUITE SSL_NULL_SHA ; 02
CIPHERSUITE SSL_RC4_MD5_EX ; 03
CIPHERSUITE SSL_RC4_MD5 ; 04
CIPHERSUITE SSL_RC4_SHA ; 05
CIPHERSUITE SSL_RC2_MD5_EX ; 06
CIPHERSUITE SSL_DES_SHA ; 09
CIPHERSUITE SSL_3DES_SHA ; 0A
CIPHERSUITE SSL_AES_128_SHA ; 2F
CIPHERSUITE SSL_AES_256_SHA ; 35
KEYRING /usr/local/certificates/BCI.kdb ; Name of the keyring for TLS
; It can be the name of an HFS x
; file (name starts with /) or
; a resource name in the security
; product (e.g., RACF)
TLSTIMEOUT 100 ; Maximum time limit between full
; TLS handshakes to protect data
; connections
; Default value is 100 seconds.
; Valid range is 0 through 86400
TLSRFCLEVEL DRAFT ; Specify what level of RFC 4217,
; On Securing FTP with TLS, is
; supported.
; DRAFT (D) Internet Draft level
; RFC4217 RFC level
TLSCERTCROSSCHECK TRUE ; Specify TLS certificate
; cross-checking
; TRUE (D) - cross-checking is
; enabled
; FALSE - cross-checking is
; disabled
SECUREIMPLICITZOS TRUE ; Specify when the FTP server
; expects the security handshake
; to occur.
; TRUE (D) FTP server expects
; security handshake to occur after
; it sends the reply 220.
; FALSE FTP server expects
; the security handshake before
; it sends the reply 220.
Confidentiality notice:
This e-mail message, including any attachments, may contain legally privileged
and/or confidential information. If you are not the intended recipient(s), or
the employee or agent responsible for delivery of this message to the intended
recipient(s), you are hereby notified that any dissemination, distribution, or
copying of this e-mail message is strictly prohibited. If you have received
this message in error, please immediately notify the sender and delete this
e-mail message from your computer.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
This message (including any attachments) is intended only for the use of the
individual or entity to which it is addressed and may contain information that
is non-public, proprietary, privileged, confidential, and exempt from
disclosure under applicable law or may constitute as attorney work product. If
you are not the intended recipient, you are hereby notified that any use,
dissemination, distribution, or copying of this communication is strictly
prohibited. If you have received this communication in error, notify us
immediately by telephone and (i) destroy this message if a facsimile or (ii)
delete this message immediately if this is an electronic communication. Thank
you.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
