Hi Billy.
I don't know what other companies "normally" do. The problem we have with
customers using SFTP to get to our FTP site is that it requires both a keyring
on z/OS, and changes to their policy agent configuration.)
There needs to be a keyring on the customer's system that contains the
certificate the server will use to set up the secure communication. And
normally (I think) they would need a rule in their pagent configuration.
I did come up with a way to invoke the FTP client on z/OS without requiring
changes to their policy agent. Here's some sample JCL:
//FTPS EXEC PGM=FTP,REGION=4M,COND=(0,LT),
// PARM=('ENVAR("_CEE_ENVFILE_S=DD:STDENV")/ftp.yourco.com 21 -e')
//STDENV DD *
GSK_PROTOCOL_TLSV1_2=ON
//* GSK_TRACE=0xFFFF
//* GSK_TRACE_FILE=/tmp/gskmack.trc
//* The 2 stmts above can be temporarily uncommented for debugging
//SYSFTPD DD *,SYMBOLS=(JCLONLY)
CLIENTERRCODES EXTENDED
EPSV4 TRUE
EXTENSIONS AUTH_TLS
FWFRIENDLY TRUE
KEYRING &KEYOWNR/&KEYRING
PASSIVEIGNOREADDR TRUE
SECUREIMPLICITZOS FALSE
SECURE_FTP REQUIRED
SECURE_MECHANISM TLS
SECURE_DATACONN PRIVATE
SECURE_CTRLCONN PRIVATE
SECURE_HOSTNAME REQUIRED
TLSMECHANISM FTP
TLSRFCLEVEL RFC4217
//* DEBUG SEC
//* TRACE
//* The 2 stmts above can be temporarily uncommented for debugging
//*
//XMIFILE DD DISP=SHR,DSN=*.TRANSMIT.XMIFILE
//OUTPUT DD SYSOUT=&OUTCLS
//INPUT DD *,SYMBOLS=(JCLONLY)
youruser
yourpwd
sendsite
(your normal cd/put/get/binary cmds here)
QUIT
//*
(Sorry I don't know how to post something using a fixed font.)
The keys to this are the PARMS values on the EXEC statement, the SYSFTPD
commands (so it doesn't depend on their own FTPDATA settings), and the KEYRING
being set up with the server's certificate and the CA chain.
Afaik this will only work with TLS v1.2--I think I read you won't be able to
set up TLS 1.3 this way.
Hth,
Wendell
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
