Thanks! 
I took a look at my keyring for SMPE and found that I don't have the 
GeoTrust Global CA but I do have the Equifax Secure CA and DigiCert Global 
Root CA attached. Using the SYSFTPD DD, I was able to use my existing SMPE 
keyring to successfully connect and secure FTP to 
testcase.boulder.ibm.com. Thanks for the tip to use those same certs. I 
really believe that should be documented at 
https://www-05.ibm.com/de/support/ecurep/send_ftp.html#ftp. 

Now to wait for a link to get a UID/token...

Andrew Arentsen
Senior Mainframe Systems Engineer




From:   "Jousma, David" <[email protected]>
To:     [email protected]
Date:   05/24/2018 09:37 AM
Subject:        Re: File transfer Red Alert
Sent by:        "IBM Mainframe Discussion List" <[email protected]>



I know your question wasn't about SMPE, but the setup to do TLS encrypted 
(or FTPs) file transfer is the same with regards to the FTP client setup 
portion. 

Here it is, they say download files, but the same is true for UPLOAD as 
well.

IBM's secure FTP server (FTPS)
SMP/E for z/OS User's Guide, SA23-2277-01

To download files from IBM's secure FTP server, it is necessary to enable 
SSL/TLS in the z/OS® Communications Server FTP client program. To enable 
the FTP client program for SSL/TLS, there are several statements in the 
FTP.DATA file that must be considered as follows:

SECURE_FTP        ALLOWED
SECURE_MECHANISM  TLS
TLSRFCLEVEL       CCCNONOTIFY
TLSMECHANISM      FTP
SECURE_DATACONN   PRIVATE
KEYRING           keyringname
EPSV4             TRUE

SECURE_FTP
This statement specifies whether a security mechanism is optional or 
required by the FTP client. ALLOWED indicates a security mechanism is 
optional and the FTP client will allow both secure traffic and non-secure 
traffic. PRIVATE indicates a security mechanism is required and the FTP 
client will allow only secure traffic. Either ALLOWED or PRIVATE must be 
specified.

SECURE_MECHANISM
This statement specifies which security mechanism to use when a session 
is established. The TLS parameter must be specified.

TLSRFCLEVEL
Use this statement to specify the level of RFC 4217 that FTP operations 
will support. CCCNONOTIFY indicates FTP will properly support the CCC 
(clear control connection) command and must be specified.

TLSMECHANISM
Use this statement to specify whether TLS is implemented by AT-TLS or by 
FTP. FTP indicates TLS processing is performed by FTP.

SECURE_DATACONN
This statement indicates the minimum level of security to be used for 
data connections by the FTP client. NEVER indicates data must never be 
enciphered during transfer. CLEAR indicates data may be transferred either 
with no security or may be enciphered, and is the default value. PRIVATE 
indicates data must be transferred enciphered. The IBM® secure FTP server 
requires that data be transferred enciphered. Therefore, you must specify 
PRIVATE for the SECURE_DATACONN statement.

KEYRING
This statement defines the key ring that contains the Certificate 
Authority certificate to be used during the TLS handshake. You can use the 
same key ring for both HTTPS and FTPS operations. Specify the name of the 
keyring defined in Creating key rings on the KEYRING statement. However, 
IBM's secure FTP server uses a server certificate signed by a different 
certificate authority. Therefore, you must add the GeoTrust Global CA 
certificate to your keyring.

1. Download to your workstation the GeoTrust Global CA root certificate 
   (Root 2 - GeoTrust Global CA) from the GeoTrust website at 
   https://www.geotrust.com/resources/root-certificates/index.html.

2. Upload the CA certificate to your z/OS system. There are many methods 
   to transfer files from your workstation to your z/OS system. For 
   example, you can upload the certificate file with Personal 
   Communications 3270 or use TCP/IP FTP. The important things to remember 
   are the certificate file must be uploaded to z/OS as text data, the 
   certificate file must be stored in a sequential data set, and the 
   sequential data set must have RECFM=VB and LRECL>=256.

3. After you have stored the certificate in a sequential data set, add it 
   to your RACF® database using the following RACF command:

   RACDCERT CERTAUTH ADD('ca-cert.dataset.name') +
     WITHLABEL('GeoTrust Global CA') TRUST

   where ca-cert.dataset.name is the name of the sequential data set used 
   to store the certificate received from the GeoTrust web site.

4. Connect the GeoTrust CA certificate to the key ring using the following 
   RACF command:

   RACDCERT ID(userid) CONNECT( CERTAUTH RING(keyringname) +
     LABEL('GeoTrust Global CA') USAGE(CERTAUTH) )

   where keyringname is the name for the key ring you choose to use for 
   secure FTP operations. This can be the same keyring you use for HTTPS 
   operations and defined in Creating key rings.

EPSV4
This statement directs the FTP client to use the EPSV and EPRT FTP 
commands during an FTP session. If you have trouble establishing a secure 
and encrypted data connection to the secure FTP server through a Network 
Address Translation (NAT) firewall, specifying TRUE for the EPSV4 
statement can help.

_________________________________________________________________
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
[email protected]
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H
p 616.653.8429
f 616.653.2717
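As an added example (not code from the thread or from IBM's documentation), a small Python checker that parses a SYSFTPD/FTP.DATA fragment and reports which of the statements listed above deviate from what the guide requires for IBM's FTPS server. The ';' comment syntax and both sample fragments are assumptions constructed here; a missing SECURE_DATACONN is treated as CLEAR, the default the guide names.

```python
"""Check an FTP.DATA fragment against the settings the SMP/E guide requires for FTPS."""

# Constructed sample: the SYSFTPD DD posted in the thread (expected to pass).
FTPDATA_OK = """\
SECURE_FTP        ALLOWED
SECURE_MECHANISM  TLS
TLSRFCLEVEL       CCCNONOTIFY
TLSMECHANISM      FTP
SECURE_DATACONN   PRIVATE
KEYRING           FtpSecur
EPSV4             TRUE
"""

# Constructed sample: a weak client config (no KEYRING, data connection may be clear).
FTPDATA_WEAK = """\
SECURE_FTP        ALLOWED   ; TLS optional on the control connection
SECURE_MECHANISM  TLS
TLSRFCLEVEL       RFC4217
SECURE_DATACONN   CLEAR
"""


def parse_ftpdata(text):
    """Return {KEYWORD: value}; ';' starts a comment (assumed syntax). Values keep case."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("//"):      # skip blanks and JCL DD lines
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].upper()] = parts[1].strip()
    return settings


def check_ftps(text):
    """Return a list of findings; an empty list means the fragment meets the guide."""
    s = {k: v.upper() for k, v in parse_ftpdata(text).items()}
    findings = []
    if s.get("SECURE_FTP") not in ("ALLOWED", "PRIVATE"):
        findings.append("SECURE_FTP must be ALLOWED or PRIVATE")
    if s.get("SECURE_MECHANISM") != "TLS":
        findings.append("SECURE_MECHANISM must be TLS")
    if s.get("TLSRFCLEVEL") != "CCCNONOTIFY":
        findings.append("TLSRFCLEVEL must be CCCNONOTIFY (CCC support required)")
    if s.get("TLSMECHANISM") != "FTP":
        findings.append("TLSMECHANISM must be FTP (TLS done by the FTP client, not AT-TLS)")
    if s.get("SECURE_DATACONN", "CLEAR") != "PRIVATE":   # CLEAR is the default when omitted
        findings.append("SECURE_DATACONN must be PRIVATE (server requires enciphered data)")
    if "KEYRING" not in s:
        findings.append("KEYRING missing: no key ring holding the CA certificate")
    if s.get("EPSV4") != "TRUE":
        findings.append("EPSV4 TRUE recommended when a NAT firewall is in the path")
    return findings
```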


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On 
Behalf Of Andrew Arentsen
Sent: Thursday, May 24, 2018 10:32 AM
To: [email protected]
Subject: Re: File transfer Red Alert

**CAUTION EXTERNAL EMAIL**

**DO NOT open attachments or click on links from unknown senders or 
unexpected emails**

My question was not about SMPE, rather it was for uploading data to 
testcase.boulder.ibm.com. I have SMPE setup for internet delivery and did 
in fact need to do a certificate exchange to get it to work. I had to go 
to ShopZseries and "order" a certificate which I imported into RACF and 
attached it to the keyring "FtpSecur" which you mention in your 
configuration.

Wouldn't I need to do a similar certificate exchange with IBM to enable 
FTPS to testcase.boulder.ibm.com?


Andrew Arentsen
Senior Mainframe Systems Engineer




From:   "Jousma, David" <[email protected]>
To:     [email protected]
Date:   05/24/2018 09:23 AM
Subject:        Re: File transfer Red Alert
Sent by:        "IBM Mainframe Discussion List" <[email protected]>



No keys need to be manually exchanged. The needed setup is buried in the 
SMPE Receive from network guide for the FTP client (your end) parm changes 
that are needed. Then there is the needed firewall rules on your end (if 
applicable) to setup.

Then on this page: https://www-05.ibm.com/de/support/ecurep/help_ftp.html 
a blurb about the required port ranges that your firewall people have to 
open up between your site IP and the IP of testcase.boulder.ibm.com (if 
you are in the US).

My FTP client is using passive FTP, but the session still hangs after the 
ls, dir, put or get commands.
Ask your firewall administrator to allow connections to the port range 
65024 - 65535 for our FTP server.

Or, alternatively, your company might use some sort of Proxy, to provide 
the access, but you still need the appropriate FTP client options.

//SYSFTPD  DD * 
SECURE_FTP        ALLOWED 
SECURE_MECHANISM  TLS 
TLSRFCLEVEL       CCCNONOTIFY 
TLSMECHANISM      FTP 
SECURE_DATACONN   PRIVATE 
KEYRING           FtpSecur 
EPSV4             TRUE 

_________________________________________________________________
Dave Jousma
Manager Mainframe Engineering, Assistant Vice President
[email protected]
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H
p 616.653.8429
f 616.653.2717


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On 
Behalf Of Andrew Arentsen
Sent: Thursday, May 24, 2018 10:14 AM
To: [email protected]
Subject: Re: File transfer Red Alert


While I still can't find a link on IBM's ECuRep to create an ID/token to 
upload files, I also cannot find any documentation on the implementation 
of FTPS. I'm assuming there needs to be some sort of key exchange so that 
I can setup my AT-TLS rules to secure the FTP to testcase.boulder.ibm.com. 


Does anyone know if such keys or documentation exists for this?


Andrew Arentsen
Senior Mainframe Systems Engineer

**********************************************************************
This e-mail is confidential. If you are not the intended recipient, you 
must not disclose or use the information contained in it. If you have 
received this e-mail in error, please tell us immediately by return e-mail 
and delete the document.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, 
send email to [email protected] with the message: INFO IBM-MAIN



This e-mail transmission contains information that is confidential and may 
be privileged. It is intended only for the addressee(s) named above. If 
you receive this e-mail in error, please do not read, copy or disseminate 
it in any manner. If you are not the intended recipient, any disclosure, 
copying, distribution or use of the contents of this information is 
prohibited. Please reply to the message immediately by informing the 
sender that the message was misdirected. After replying, please erase it 
from your computer system. Your assistance in correcting this error is 
appreciated.
