Or don't transfer files and shift toward "in place" computing, APIs, microservices, database interfaces, MQ messages, and so forth -- "online" computing, broadly speaking. You might currently be using FTP, FTPS, SFTP, and/or NFS to lash together two or more information processing systems, but maybe that choice was never the best option for the mission.
If you don't like FTPS or SFTP, if you like (or at least genuinely need) FTP, and if you need to get that in-flight data encrypted, then you can use the IBM Encryption Facility for z/OS together with any OpenPGP-compliant communicating system. Indeed, in many ways the Encryption Facility for z/OS is a better, more secure option -- even if you have implemented/in conjunction with FTPS and/or SFTP -- because you can encrypt different files with different keys and keep them encrypted through the entire transport loop, even if it's multi-hop. You can even have a .zip (or comparable) archive file containing multiple files, each encrypted with Encryption Facility for z/OS, each encrypted with a separate key.

Another transport-level encryption option (only) is unencrypted FTP (or NFS) over an encrypted IPSec tunnel. IPSec works best if you have a permanent or semi-permanent, reasonably finite set of communicating systems. z/OS IPSec is a substantially zIIP-eligible workload.

Yet another option is TLS/SSL encrypted SMTP (e-mail) transmission. You can do that straight from CICS Transaction Server using IBM SupportPac CA1Y, available at no additional charge:

http://www.ibm.com/support/docview.wss?uid=swg24033197

SupportPac CA1Y is, at least in principle, bi-directional. That is, CICS Transaction Server can both send mail (SMTP) and retrieve mail (IMAP or POP3). The latter is not something IBM has tested in this particular environment, but there are no known issues. CA1Y is using JavaMail, a common codebase. Thus SupportPac CA1Y is a substantially zIIP-eligible workload.

z/OS CSSMTP is another option, and it can send mail unidirectionally outbound, from z/OS to an SMTP server. It too supports TLS/SSL encrypted connections, at least via z/OS AT-TLS.

There are LOTS of options to improve your security posture...and you should have made those improvements long ago, but better late than never.
--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM Z and LinuxONE, AP/GCG/MEA
E-Mail: [email protected]

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
