What I have may not be the best. This is my first attempt at this. And, I'm no expert in this area. If you see things that I shouldn't be using, please let me know. This is what I cobbled together from the zOSMF Network thing, and Googling. So, please be kind in your criticism.
TTLSRule FTPRule
{
  LocalPortRange 0
  Direction Both
  TTLSGroupActionRef FTPGroup
  TTLSEnvironmentActionRef FTPEnvironment
  TTLSConnectionActionRef FTPConnectAct
}
TTLSGroupAction FTPGroup
{
  TTLSEnabled On
  Trace 254
}
TTLSEnvironmentAction FTPEnvironment
{
  HandshakeRole ServerWithClientAuth
  TTLSKeyRingParms
  {
    Keyring /usr/local/certificates/BCI.kdb
    KeyringStashFile /usr/local/certificates/BCI.sth
  }
}
TTLSConnectionAction FTPConnectAct
{
  TTLSConnectionAdvancedParmsRef FTPAdvPrm
  Trace 254
}
TTLSConnectionAdvancedParms FTPAdvPrm
{
  SecondaryMap On
  ApplicationControlled On
  TLSv1 On
  TLSv1.1 On
  TLSv1.2 On
}

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Marshall Stone
Sent: Wednesday, October 28, 2020 11:09 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] z/OS 2.4 and FTP server with FTP ATTLS verifying client certificates

Reply with your PAGENT rules for FTPS - you need a client and a server rule

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of PINION, RICHARD W.
Sent: Wednesday, October 28, 2020 10:43 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] z/OS 2.4 and FTP server with FTP ATTLS verifying client certificates

I've been working with z/OS 2.4's FTP server using AT-TLS with certificates for the last few days. PAGENT is set up, and it seems to be functioning correctly. I've finally gotten to the point of the client sending in a certificate and logging on without having to specify a password, which is what I wanted. I'm using Core FTP LE as my FTP client. I'm almost through the door, so to speak, but when I get to the point of getting a directory listing on Core FTP, on the z/OS side I get this error:

protDataConnAttls: ioctl() failed on SIOCTTLSCTL - EDC8148I Protocol error. (errno2=0x77B70291)

At this point the TLS negotiation fails, and the data connection is closed.
Below the EDC8148I message text are my FTP server options. One more piece of information: z/OS 2.4 is running under VM.

Looking up EDC8148I:

EDC8148I Protocol error.
Explanation: A protocol error occurred. This error is device-specific, but is usually not caused by a hardware failure.
System action: The request fails. The application continues to run.
Programmer response: Proceed with cleanup of the application resources, and then close the socket. When the socket has been freed, the application may begin the process again.

My z/OS FTP server options are:

TLSMECHANISM ATTLS
EXTENSIONS AUTH_TLS            ; Enable TLS authentication
                               ; Default is disabled.
SECURE_FTP ALLOWED             ; Authentication indicator
                               ; ALLOWED (D)
                               ; REQUIRED
SECURE_LOGIN VERIFY_USER       ; Authorization level indicator
                               ; for TLS
                               ; NO_CLIENT_AUTH (D)
                               ; REQUIRED
                               ; VERIFY_USER
SECURE_PASSWORD OPTIONAL       ; REQUIRED (D) - User must enter password
                               ; OPTIONAL - User does not have to
                               ; enter a password
                               ; This setting has meaning only
                               ; for TLS when implementing client
                               ; certificate authentication
SECURE_CTRLCONN PRIVATE        ; Minimum level of security for
                               ; the control connection
                               ; CLEAR (D)
                               ; SAFE
                               ; PRIVATE
SECURE_DATACONN PRIVATE        ; Minimum level of security for
                               ; the data connection
                               ; NEVER
                               ; CLEAR (D)
                               ; SAFE
                               ; PRIVATE
SECURE_PBSZ 16384              ; Kerberos maximum size of the
                               ; encoded data blocks
                               ; Default value is 16384
                               ; Valid range is 512 through 32768
SECURE_SESSION_REUSE REQUIRED  ; Specify whether session reuse is
                               ; required when SSL/TLS is being
                               ; used to protect the connections
                               ; ALLOWED (D)
CIPHERSUITE SSL_NULL_MD5       ; 01
CIPHERSUITE SSL_NULL_SHA       ; 02
CIPHERSUITE SSL_RC4_MD5_EX     ; 03
CIPHERSUITE SSL_RC4_MD5        ; 04
CIPHERSUITE SSL_RC4_SHA        ; 05
CIPHERSUITE SSL_RC2_MD5_EX     ; 06
CIPHERSUITE SSL_DES_SHA        ; 09
CIPHERSUITE SSL_3DES_SHA       ; 0A
CIPHERSUITE SSL_AES_128_SHA    ; 2F
CIPHERSUITE SSL_AES_256_SHA    ; 35
KEYRING /usr/local/certificates/BCI.kdb
                               ; Name of the keyring for TLS
                               ; It can be the name of an HFS
                               ; file (name starts with /) or
                               ; a resource name in the security
                               ; product (e.g., RACF)
TLSTIMEOUT 100                 ; Maximum time limit between full
                               ; TLS handshakes to protect data
                               ; connections
                               ; Default value is 100 seconds.
                               ; Valid range is 0 through 86400
TLSRFCLEVEL DRAFT              ; Specify what level of RFC 4217,
                               ; On Securing FTP with TLS, is
                               ; supported.
                               ; DRAFT (D) Internet Draft level
                               ; RFC4217 RFC level
TLSCERTCROSSCHECK TRUE         ; Specify TLS certificate
                               ; cross-checking
                               ; TRUE (D) - cross-checking is
                               ; enabled
                               ; FALSE - cross-checking is
                               ; disabled
SECUREIMPLICITZOS TRUE         ; Specify when the FTP server
                               ; expects the security handshake
                               ; to occur.
                               ; TRUE (D) FTP server expects
                               ; security handshake to occur after
                               ; it sends the reply 220.
                               ; FALSE FTP server expects
                               ; the security handshake before
                               ; it sends the reply 220.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
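A small checker added here (not from the thread and not IBM code) that parses a PAGENT policy in the shape Richard posted, together with FTP.DATA CIPHERSUITE lines, and lists what a reviewer would flag in them: legacy TLS versions, null, RC, DES and export-grade suites, and a missing ServerWithClientAuth role or SecondaryMap. The sample inputs are constructed, trimmed copies of the posted settings; the keyring path is the one from the thread.

```python
import re

# Constructed samples (trimmed) in the shape of the AT-TLS policy and FTP.DATA posted in the thread.
POLICY = """\
TTLSRule FTPRule { LocalPortRange 0 Direction Both TTLSEnvironmentActionRef FTPEnvironment }
TTLSEnvironmentAction FTPEnvironment { HandshakeRole ServerWithClientAuth
  TTLSKeyRingParms { Keyring /usr/local/certificates/BCI.kdb } }
TTLSConnectionAdvancedParms FTPAdvPrm { SecondaryMap On ApplicationControlled On
  TLSv1 On TLSv1.1 On TLSv1.2 On }
"""
FTPDATA = "CIPHERSUITE SSL_NULL_MD5 ; 01\nCIPHERSUITE SSL_RC4_MD5_EX ; 03\nCIPHERSUITE SSL_AES_256_SHA ; 35\n"
WEAK_CIPHER = re.compile(r'NULL|RC2|RC4|DES|_EX$')   # null, RC, DES/3DES and export-grade suites

def parse_policy(text):  # PAGENT 'Type Name { key value ... }' -> {(type, name): {key: value or nested dict}}
    tokens, pos = re.findall(r'\{|\}|[^\s{}]+', text), 0
    def body():
        nonlocal pos
        attrs = {}
        while tokens[pos] != '}':
            key, pos = tokens[pos], pos + 1
            if tokens[pos] == '{':                       # nested parameter block, e.g. TTLSKeyRingParms
                pos += 1; attrs[key] = body(); pos += 1
            else:
                attrs[key], pos = tokens[pos], pos + 1
        return attrs
    stmts = {}
    while pos < len(tokens):
        stype, name, pos = tokens[pos], tokens[pos + 1], pos + 3   # skip type, name and '{'
        stmts[(stype, name)] = body()
        pos += 1                                                    # skip closing '}'
    return stmts

def parse_ftpdata(text):  # 'KEYWORD value' lines, ';' starts a comment; repeatable keywords collect into lists
    opts = {}
    for m in (re.match(r'\s*(\w+)\s+(\S+)', ln.split(';', 1)[0]) for ln in text.splitlines()):
        if m:
            opts.setdefault(m.group(1).upper(), []).append(m.group(2))
    return opts

def audit(policy, opts):  # findings that matter for FTPS with client-certificate logon
    envs = [a for (t, _), a in policy.items() if t == 'TTLSEnvironmentAction']
    findings = [] if any(e.get('HandshakeRole') == 'ServerWithClientAuth' for e in envs) \
        else ['no TTLSEnvironmentAction with HandshakeRole ServerWithClientAuth']
    for (t, name), a in policy.items():
        if t == 'TTLSConnectionAdvancedParms':
            if a.get('SecondaryMap') != 'On':
                findings.append(f'{name}: SecondaryMap is not On, FTP data connections will not map to this policy')
            findings += [f'{name}: legacy protocol {v} enabled' for v in ('TLSv1', 'TLSv1.1') if a.get(v) == 'On']
    findings += [f'FTP.DATA: weak cipher {s}' for s in opts.get('CIPHERSUITE', []) if WEAK_CIPHER.search(s)]
    return findings
```

Run `audit(parse_policy(POLICY), parse_ftpdata(FTPDATA))` to see the findings for the sample; feed it your own policy and FTP.DATA text to check a real configuration.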