Classification: Confidential
AT-TLS will also need a =key to perform the initial handshake
-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of
Wendell Lovewell
Sent: Thursday, November 14, 2024 9:17 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Help with FTP client using AT-TLS
[CAUTION: This Email is from outside the Organization. Unless you trust the
sender, Don’t click links or open attachments as it may be a Phishing email,
which can steal your Information and compromise your Computer.]
Hi Billy.
I don't know what other companies "normally" do. The problem we have with
customers using SFTP to get to our FTP site is that it requires both a keyring
on z/OS, and changes to their policy agent configuration.)
There needs to be a keyring on the customer's system that contains the
certificate the server will use to set up the secure communication. And
normally (I think) they would need a rule in their pagent configuration.
I did come up with a way to invoke the FTP client on z/OS without requiring
changes to their policy agent. Here's some sample JCL:
//FTPS EXEC PGM=FTP,REGION=4M,COND=(0,LT),
// PARM=('ENVAR("_CEE_ENVFILE_S=DD:STDENV")/ftp.yourco.com 21 -e')
//STDENV DD *
GSK_PROTOCOL_TLSV1_2=ON
//* GSK_TRACE=0xFFFF
//* GSK_TRACE_FILE=/tmp/gskmack.trc
//* The 2 stmts above can be temporarily uncommented for debugging //SYSFTPD
DD *,SYMBOLS=(JCLONLY)
CLIENTERRCODES EXTENDED
EPSV4 TRUE
EXTENSIONS AUTH_TLS
FWFRIENDLY TRUE
KEYRING &KEYOWNR/&KEYRING
PASSIVEIGNOREADDR TRUE
SECUREIMPLICITZOS FALSE
SECURE_FTP REQUIRED
SECURE_MECHANISM TLS
SECURE_DATACONN PRIVATE
SECURE_CTRLCONN PRIVATE
SECURE_HOSTNAME REQUIRED
TLSMECHANISM FTP
TLSRFCLEVEL RFC4217
//* DEBUG SEC
//* TRACE
//* The 2 stmts above can be temporarily uncommented for debugging
//*
//XMIFILE DD DISP=SHR,DSN=*.TRANSMIT.XMIFILE
//OUTPUT DD SYSOUT=&OUTCLS
//INPUT DD *,SYMBOLS=(JCLONLY)
youruser
yourpwd
sendsite
(your normal cd/put/get/binary cmds here) QUIT
//*
(Sorry I don't know how to post something using a fixed font.)
The keys to this are the PARMS values on the EXEC statement, the SYSFTPD
commands (so it doesn't depend on their own FTPDATA settings), and the KEYRING
being set up with the server's certificate and the CA chain.
Afaik this will only work with TLS v1.2--I think I read you won't be able to
set up TLS 1.3 this way.
Hth,
Wendell
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
::DISCLAIMER::
________________________________
The contents of this e-mail and any attachment(s) are confidential and intended
for the named recipient(s) only. E-mail transmission is not guaranteed to be
secure or error-free as information could be intercepted, corrupted, lost,
destroyed, arrive late or incomplete, or may contain viruses in transmission.
The e mail and its contents (with or without referred errors) shall therefore
not attach any liability on the originator or HCL or its affiliates. Views or
opinions, if any, presented in this email are solely those of the author and
may not necessarily reflect the views or opinions of HCL or its affiliates. Any
form of reproduction, dissemination, copying, disclosure, modification,
distribution and / or publication of this message without the prior written
consent of authorized representative of HCL is strictly prohibited. If you have
received this email in error please delete it and notify the sender
immediately. Before opening any email and/or attachments, please check them for
viruses and other defects.
________________________________
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
