It is certainly possible with one TCP/IP stack... We do it!!!
However, we do use two separate FTP tasks, one is secure (FTPS) and one
is NOT (FTPD). You could then code an FTCHKIP exit for the non-secure FTP task
to only allow login from the hipersocket address range.
If the two FTP tasks run on the same LPAR, then they will need
different ports!!
Hth
Tony
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf
Of SUBSCRIBE IBM-MAIN Mary Vollmer
Sent: Monday, August 28, 2017 12:50 PM
To: [email protected]
Subject: How to require all secure FTP except to one subnet?
I am implementing TLS 1.2 via AT-TLS and have a requirement to secure all FTPs
using this protocol except for the exchanges occurring via the hipersocket.
I am manually coding the policy since I don't have z/OSMF configured. In my
policy I have a rule for my unsecure connections, coding both LocalAddr and
RemoteAddr with that of our hipersocket subnet. It has a priority of 100 and
is first in the policy. I also have a rule for secure connections with no
LocalAddr or RemoteAddr with a priority of 10.
In my FTPDATA:
When I specify SECURE_FTP REQUIRED, all unsecure attempts (inbound and
outbound) fail - including those via the hipersocket.
When I specify SECURE_FTP ALLOWED, all unsecure attempts (inbound and
outbound) are successful - even those NOT using the hipersocket.
I turned on tracing and see the rules selected are as I would have expected, but
it appears the SECURE_FTP parm in FTP.DATA rules, regardless of what's in the
policy.
Does anyone know if it's possible to do what I am trying to do with one TCPIP
stack?
Thanks,
Mary Vollmer
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to
[email protected] with the message: INFO IBM-MAIN
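The two-rule AT-TLS layout described in the question, written out as a constructed example (it is not taken from either post). The subnet 10.1.1.0/24, the keyring name FTPRING, the rule/action names and the FTPD* job name are placeholders; the Priority values and the absence of LocalAddr/RemoteAddr on the general rule are as the post describes them. The FTP.DATA lines at the end show where SECURE_FTP sits, which the post reports as the setting that actually decides whether unprotected logins are accepted.

```text
# ---- AT-TLS policy fragment (constructed example, placeholder addresses) ----
# Rule 1: traffic on the HiperSockets subnet, higher priority, TLS disabled.
TTLSRule                     FTP-Hipersocket-NoTLS
{
  LocalAddr                  10.1.1.0/24      # placeholder hipersocket subnet
  RemoteAddr                 10.1.1.0/24      # placeholder hipersocket subnet
  LocalPortRange             21
  Jobname                    FTPD*            # placeholder FTP server job name
  Direction                  Inbound
  Priority                   100
  TTLSGroupActionRef         grpNoTLS
}

# Rule 2: everything else on the FTP control port, lower priority, TLS on.
TTLSRule                     FTP-Server-TLS
{
  LocalPortRange             21
  Jobname                    FTPD*
  Direction                  Inbound
  Priority                   10
  TTLSGroupActionRef         grpTLS
  TTLSEnvironmentActionRef   envFTPServer
}

TTLSGroupAction              grpNoTLS
{
  TTLSEnabled                Off
}

TTLSGroupAction              grpTLS
{
  TTLSEnabled                On
}

TTLSEnvironmentAction        envFTPServer
{
  HandshakeRole              Server
  TTLSKeyringParms
  {
    Keyring                  FTPRING          # placeholder keyring name
  }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled    On               # FTP drives the handshake (AUTH TLS)
    SecondaryMap             On               # data connections map to this rule
    TLSv1.2                  On
  }
}

# ---- FTP.DATA lines for the server (constructed example) ----
TLSMECHANISM   ATTLS      ; use AT-TLS rather than FTP's native TLS
SECURE_FTP     ALLOWED    ; REQUIRED rejects every unprotected login, including
                          ; those the policy mapped to grpNoTLS
```

Because the FTP server checks SECURE_FTP itself after the policy has already mapped the connection, a single value of this keyword applies to every login the server sees; that is consistent with the tracing result in the post, where the rule selection looked right but the outcome followed FTP.DATA.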