With permission of the author, David Boyes of Sine Nomine, I'm copying this, largely unedited. CHANGE ALL 'z/VM' 'z/OS' and it's mostly relevant.
Some feedback: Good news, your z/VM systems support secure FTP (RFC 4217). The FTPS functions don't work without some kind of certificate infrastructure, which isn't configured in the base. Ditto for tn3270. The System z boxes are the only systems we have that ship with unencrypted transports as the default implementation, which isn't a good thing politically or technically. Can I suggest that IBM ship the SSL server fully configured by default (with a self-signed certificate in place) at least one full release before the SSL FTP requirement kicks in for VM? The current SSL server is a royal PITA to understand, install and configure, and secure transport shouldn't be something that the user has to consciously think about -- it should "just happen". You could always replace the self-signed cert once VM is installed, and if the goal is to improve security and/or authentication, it should work in the default configuration. Getting that first implementation to work is the hard part, but if it came that way, I think that would be a Good Thing. > So here are a few things you need to be thinking about: > 1. You will need the SSL server up and running. You've been wanting to do > it, > but have been avoiding it. I know. > 2. Your corporate "deep inspection" firewalls will need to support RFC 4217. > 3. You will need to learn how to do secure FTP transfers and to use the CCC > subcommand. > 4. Don't believe anyone who tells you that we really mean "sftp". No, we > don't. We mean "ftps". Instead of asking customers to spend a lot of time, money and grief on certificates, isn't it about time we stop fighting the FTPS vs SFTP battle? SFTP clearly prevails, and it doesn't require special firewall processing or a complex and expensive to implement certificate infrastructure. Clearly sftp CAN be delivered for CMS and z/OS completely in user space (been there, done that), and having this much dependent infrastructure involved in something as conceptually simple as securing file transfer seems somewhat pointless. Teaching sftp/scp to preserve file structure shouldn't be too hard (worst case, can always unload structured files to NETDATA with DMSDDL before transmitting). ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
