So one of our system programmers found an alternative to using AT-TLS to enable use of TLS v1.2 with the z/OS FTP client. All you have to do is set an LE environment variable GSK_PROTOCOL_TLSV1_2=1. Since the default (non ATTLS) SSL/TLS for FTP uses z/OS System SSL it is affected by (I assume) all of the "GSK environment variables" (see the "Environment variables" section of the "z/OS Cryptographic Services System SSL Programming manual".)
In order to set this variable in a JCL environment you simply do the following: //DOFTP EXEC PGM=FTP,PARM='your.ftps.server (EXIT' //CEEOPTS DD * ENVAR("GSK_PROTOCOL_TLSV1_2=1") /* Works like a charm! Wish it was more explicitly documented somewhere. Frank ________________________________ From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Frank Swarbrick <frank.swarbr...@outlook.com> Sent: Tuesday, April 11, 2017 9:24 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: FTP TLS options I'll pass that along to those in charge of such things. :-) Thanks. ________________________________ From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Tom Conley <pinnc...@rochester.rr.com> Sent: Monday, April 10, 2017 9:38 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: FTP TLS options On 4/10/2017 7:04 PM, Frank Swarbrick wrote: > I'm guessing there's a bit more to it than that, yes? Such as actually > configuring Policy Agent? > Frank, Sorry, thought you already configured PAGENT, but missed the PROFILE member, like I did the first time I tried it. If you run z/OSMF, you can config pagent.conf fairly easily with Configuration Assistant. If not, you can try the samples in (WTW): /usr/lpp/tcpip/samples/pagent_TTLS.conf Good luck, Tom Conley ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN