What I have may not be the best. This is my first attempt at this.
And, I'm no expert in this area. If you see things that I shouldn't
be using, please let me know. This is what I cobbled together
from the zOSMF Network thing, and Googling. So, please be
kind in your criticism.
TTLSRule FTPRule
{
  LocalPortRange 0
  Direction Both
  TTLSGroupActionRef FTPGroup
  TTLSEnvironmentActionRef FTPEnvironment
  TTLSConnectionActionRef FTPConnectAct
}
TTLSGroupAction FTPGroup
{
  TTLSEnabled On
  Trace 254
}
TTLSEnvironmentAction FTPEnvironment
{
  HandshakeRole ServerWithClientAuth
  TTLSKeyRingParms
  {
    Keyring /usr/local/certificates/BCI.kdb
    KeyringStashFile /usr/local/certificates/BCI.sth
  }
}
TTLSConnectionAction FTPConnectAct
{
  TTLSConnectionAdvancedParmsRef FTPAdvPrm
  Trace 254
}
TTLSConnectionAdvancedParms FTPAdvPrm
{
  SecondaryMap On
  ApplicationControlled On
  TLSv1 On
  TLSv1.1 On
  TLSv1.2 On
}
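As an added example that is not part of this thread: a small Python parser for the PAGENT AT-TLS policy format posted above, with an audit that reports which HandshakeRole each TTLSRule resolves to (the client-rule versus server-rule question raised in the thread) and flags protocol versions below TLS 1.2 that are left On. The sample policy and its keyring path are constructed placeholders, not the poster's configuration.

```python
# Constructed sample in the format of the posted AT-TLS policy; the keyring path is a placeholder.
SAMPLE_POLICY = """\
TTLSRule FTPRule
{
  TTLSEnvironmentActionRef FTPEnvironment
}
TTLSEnvironmentAction FTPEnvironment
{
  HandshakeRole ServerWithClientAuth
  TTLSKeyRingParms
  {
    Keyring /path/to/placeholder.kdb
  }
}
TTLSConnectionAdvancedParms FTPAdvPrm
{
  TLSv1 On
  TLSv1.1 On
}
"""
WEAK_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")  # pre-TLS 1.2 versions

def parse_policy(text, i=0, top=True):
    """Top level returns {(statement_type, name): body}; a nested block is {keyword: value}."""
    lines = text.splitlines() if isinstance(text, str) else text
    block = {}
    while i < len(lines):
        line = lines[i].strip(); i += 1
        if line == "}" and not top:
            return block, i
        if not line or line.startswith("#"): continue
        key, _, value = line.partition(" ")
        if i < len(lines) and lines[i].strip() == "{":   # a statement or parameter block follows
            block[(key, value.strip()) if top else key], i = parse_policy(lines, i + 1, top=False)
        else:
            block[key] = value.strip()
    if not top:
        raise ValueError("unterminated block")
    return block

def audit_policy(stmts):
    """List each rule's HandshakeRole (via its environment action) and weak versions left On."""
    out = []
    for (stype, name), body in stmts.items():
        if stype == "TTLSRule":
            env = stmts.get(("TTLSEnvironmentAction", body.get("TTLSEnvironmentActionRef")), {})
            out.append(f"rule {name}: HandshakeRole {env.get('HandshakeRole', '(not set)')}")
        elif stype.endswith("AdvancedParms"):
            out += [f"{name}: {v} On (weak)" for v in WEAK_VERSIONS if body.get(v, "").lower() == "on"]
    return out
```

Run `audit_policy(parse_policy(SAMPLE_POLICY))` against a policy with only a server-role rule and it lists a single ServerWithClientAuth rule plus the TLSv1 and TLSv1.1 findings.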
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Marshall Stone
Sent: Wednesday, October 28, 2020 11:09 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] z/OS 2.4 and FTP server with FTP ATTLS verifying client certificates
Reply with your PAGENT rules for FTPS - you need a client and a server rule
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of PINION, RICHARD W.
Sent: Wednesday, October 28, 2020 10:43 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] z/OS 2.4 and FTP server with FTP ATTLS verifying client certificates
I've been working with z/OS 2.4's FTP server using AT-TLS with certificates for
the last few days. PAGENT is set up, and it seems to be functioning correctly.
I've finally gotten to the point of the client sending in a certificate and
logging on without having to specify a password, which is what I wanted.
I'm using Core FTP LE as my ftp client.
I'm almost through the door, so to speak, but when I get to the point of
getting a directory listing on Core FTP, on the z/OS side I get this error.
protDataConnAttls: ioctl() failed on SIOCTTLSCTL - EDC8148I Protocol error. (errno2=0x77B70291)
At this point the TLS negotiation fails, and the data connection is closed.
Below the EDC8148I message text are my FTP Server options. One more piece of
information, z/OS 2.4 is running under VM.
Looking up EDC8148I:
EDC8148I Protocol error.
Explanation
A protocol error occurred. This error is device-specific, but is usually not
caused by a hardware failure.
System action
The request fails. The application continues to run.
Programmer response
Proceed with cleanup of the application resources, and then close the socket.
When the socket has been freed, the application may begin the process again.
My z/OS FTP server options are,
TLSMECHANISM     ATTLS
EXTENSIONS       AUTH_TLS      ; Enable TLS authentication
                               ; Default is disabled.
SECURE_FTP       ALLOWED       ; Authentication indicator
                               ; ALLOWED(D)
                               ; REQUIRED
SECURE_LOGIN     VERIFY_USER   ; Authorization level indicator
                               ; for TLS
                               ; NO_CLIENT_AUTH (D)
                               ; REQUIRED
                               ; VERIFY_USER
SECURE_PASSWORD  OPTIONAL      ; REQUIRED (D) - User must enter password
                               ; OPTIONAL - User does not have to
                               ; enter a password
                               ; This setting has meaning only
                               ; for TLS when implementing client
                               ; certificate authentication
SECURE_CTRLCONN  PRIVATE       ; Minimum level of security for
                               ; the control connection
                               ; CLEAR (D)
                               ; SAFE
                               ; PRIVATE
SECURE_DATACONN  PRIVATE       ; Minimum level of security for
                               ; the data connection
                               ; NEVER
                               ; CLEAR (D)
                               ; SAFE
                               ; PRIVATE
SECURE_PBSZ      16384         ; Kerberos maximum size of the