Anything SFTP on Open/SSH will never use AT-TLS. FTPS is IBM's FTP program, not using PORT 21 and running in secured mode, set up to force authentication and use AT-TLS for encryption.

MS

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Tom Brennan
Sent: Tuesday, June 30, 2020 1:19 PM
To: [email protected]
Subject: Re: [EXTERNAL] Re: AT-TLS ? Very Basic Questions

Do you know if either of those require AT-TLS? When I installed and configured SSHD last (a couple of years ago) it did its own encryption. I never worked with anything called FTPS.

On 6/30/2020 10:12 AM, Marshall Stone wrote:
> There are 2 types of FTP in use today on most mainframes.
>
> SFTP - which uses Open/SSH (SSHAGNT as client and SSHD as a server), and the encryption/authentication is generally provided by the use of RSA/DSA public/private key pairs. The public keys are exchanged and stored in known_hosts files (if acting as client) or the authorized_keys file (if acting as server). Uses Server PORT 22 and ephemeral ports.
>
> FTPS - completely different mechanism; the AT-TLS functions are provided by ICSF and policy agent (PAGENT). You must configure an FTPS TLS rule to allow the connection, and the partner side will also require a similar rule. The encryption/authentication come from the PAGENT rule and the use of x.509 certificates. These are exchanged between partners and loaded onto the RACF keyring. The PAGENT rule points back to the keyring. Uses Server PORT 990 by an old implicit default; most sites use a different port and connect clients with ephemeral port ranges. FTPS handles MVS datasets better; if possible use FTPS for MF to MF and use SFTP for MF to other platforms (MS, UNIX, etc.).
>
> MS
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Tom Brennan
> Sent: Tuesday, June 30, 2020 12:58 PM
> To: [email protected]
> Subject: [EXTERNAL] Re: AT-TLS ? Very Basic Questions
>
> I've tried to skim some of the AT-TLS doc, and even attended an IBM webinar last week, but I'm still missing what I imagine are important background points. Maybe someone here can explain things, but don't worry too much about it.
>
> Client and server programs like SSH/SSHD call programs such as OpenSSL to handle the encryption handshake and processing. So when you set those up, there is no AT-TLS needed for encryption. Same with the TN3270 server and client, as long as you set that up with keys and parameters on the host side, and settings on the client side.
>
> I'm thinking because of the name "Application Transparent" that AT-TLS was made for programs that DON'T have their own logic to call OpenSSL (or whatever) to do their own encryption. Let's use clear-text FTP as an example. So somehow, AT-TLS hooks into the processing and provides an encrypted "tunnel", kind of like VPN does, but only for that one application. Does that sound correct?
>
> If so, then the encryption is "transparent" to the FTP server code and FTP does not need to be changed, which I think is the whole idea here. Yet we now have an encrypted session. Does that sound correct?
>
> Then if so, what happens on the FTP client side? I certainly can't use the Windows FTP command, for example, because it's not set up for any kind of encryption. That's kind of my big question here.
>
> On 6/30/2020 1:44 AM, Lionel B Dyck wrote:
>> Sweet - thank you
>>
>> Lionel B. Dyck <sdg><
>> Website: https://www.lbdsoftware.com
>>
>> "Worry more about your character than your reputation. Character is what you are, reputation merely what others think you are." - John Wooden
>>
>> -----Original Message-----
>> From: IBM Mainframe Discussion List <[email protected]> On Behalf Of kekronbekron
>> Sent: Tuesday, June 30, 2020 2:34 AM
>> To: [email protected]
>> Subject: Re: AT-TLS ?
>>
>> Hi LBD!,
>>
>> Check these out-
>>
>> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5416
>> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5415
>> http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/PRS5414
>>
>> - KB
>>
>> ------- Original Message -------
>> On Monday, June 29, 2020 3:56 AM, Lionel B Dyck <[email protected]> wrote:
>>
>>> Anyone have any pointers for configuring AT-TLS on z/OS?
>>>
>>> Lionel B. Dyck <sdg><
>>> Website: https://www.lbdsoftware.com
>>>
>>> "Worry more about your character than your reputation. Character is what you are, reputation merely what others think you are." - John Wooden

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
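To make the pieces Marshall lists concrete (a PAGENT rule on each side, a RACF keyring the rule points at, and the port the rule matches), here is an added, worked AT-TLS policy fragment for a mainframe-to-mainframe FTPS transfer. It is not from the original thread, the IBM TechDocs linked above, or IBM's shipped samples; the job names (FTPD1, XFER*), the keyring name (FTPRING), the partner address (10.1.2.3) and the file paths are assumptions, and the keywords should be checked against the z/OS Communications Server IP Configuration Reference for your release. It shows the explicit-TLS model on port 21 (the FTP server issues AUTH TLS and then asks AT-TLS to start the handshake) rather than the port-990 implicit model, and a matching client rule for batch FTP jobs on the partner LPAR, since the partner side needs its own rule.

```text
# ---- /etc/pagent.conf: point PAGENT at the AT-TLS policy file (assumed path) --
# TTLSConfig /etc/pagent/ttls.policy

# ---- /etc/pagent/ttls.policy ---------------------------------------------------

# Server side: the z/OS FTP daemon (assumed jobname FTPD1) listening on port 21.
# Direction Inbound plus SecondaryMap On (below) lets the data connections,
# active or passive, inherit the TLS environment of the control connection.
TTLSRule                          FTPServer_Rule
{
  LocalPortRange                  21
  Direction                       Inbound
  Jobname                         FTPD1
  TTLSGroupActionRef              Grp_Enabled
  TTLSEnvironmentActionRef        Env_FTPServer
}

# Client side (the partner LPAR): outbound batch FTP jobs (assumed jobname
# prefix XFER*) connecting to the server at 10.1.2.3:21 (assumed address).
TTLSRule                          FTPClient_Rule
{
  RemoteAddr                      10.1.2.3
  RemotePortRange                 21
  Direction                       Outbound
  Jobname                         XFER*
  TTLSGroupActionRef              Grp_Enabled
  TTLSEnvironmentActionRef        Env_FTPClient
}

# Trace 1 logs handshake errors only; raise it while debugging a new partner.
TTLSGroupAction                   Grp_Enabled
{
  TTLSEnabled                     On
  Trace                           1
}

# HandshakeRole Server authenticates only the server to the client. For mutual
# certificate authentication use ServerWithClientAuth and add
# ClientAuthType Required in the advanced parms.
TTLSEnvironmentAction             Env_FTPServer
{
  HandshakeRole                   Server
  EnvironmentUserInstance         0
  TTLSKeyringParmsRef             Ring_FTP
  TTLSCipherParmsRef              Ciphers_Strong
  TTLSEnvironmentAdvancedParmsRef Adv_FTP
}

TTLSEnvironmentAction             Env_FTPClient
{
  HandshakeRole                   Client
  EnvironmentUserInstance         0
  TTLSKeyringParmsRef             Ring_FTP
  TTLSCipherParmsRef              Ciphers_Strong
  TTLSEnvironmentAdvancedParmsRef Adv_FTP
}

# The RACF keyring (assumed name) holding this side's certificate and private
# key plus the partner's CA certificate, owned by the FTP started-task user.
TTLSKeyringParms                  Ring_FTP
{
  Keyring                         FTPRING
}

TTLSCipherParms                   Ciphers_Strong
{
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  V3CipherSuites                  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}

# ApplicationControlled On is what makes this work with FTP's explicit AUTH TLS:
# the FTP code tells AT-TLS when to start the handshake instead of AT-TLS
# wrapping the socket from the first byte (the implicit, port-990 model).
TTLSEnvironmentAdvancedParms      Adv_FTP
{
  ApplicationControlled           On
  SecondaryMap                    On
  SSLv3                           Off
  TLSv1                           Off
  TLSv1.1                         Off
  TLSv1.2                         On
}

# ---- FTP.DATA on the server: matching statements (FTP config, not policy) ----
# TLSMECHANISM    ATTLS      ; hand the TLS work to AT-TLS/PAGENT
# EXTENSIONS      AUTH_TLS   ; accept the explicit AUTH TLS command on port 21
# SECURE_FTP      REQUIRED   ; refuse clear-text logins
# SECURE_CTRLCONN PRIVATE    ; control connection must be encrypted
# SECURE_DATACONN PRIVATE    ; data connections must be encrypted
```

After changing the policy, refresh the policy agent (F PAGENT,REFRESH) and confirm the rules loaded with pasearch -t. This also answers Tom's client-side question: AT-TLS is transparent to the server code, but the other end must still speak TLS itself. A z/OS client gets that from its own rule as above; a workstation client needs an FTPS-capable program such as curl with --ssl-reqd or FileZilla, and plain Windows ftp.exe will fail because the server now requires AUTH TLS before USER. From any machine with OpenSSL, openssl s_client -starttls ftp -connect host:21 drives the explicit handshake and shows which certificate from the keyring the server presented and which protocol and cipher were negotiated.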
