First, I am going to be the one to tell you to go over to the IBM-TCPIP list: "For IBMTCP-L subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBMTCP-L"

That said: SECURE_FTP is as simple as it says. "ALLOWED" basically states that clients can log in using a security mechanism, but it is NOT REQUIRED. If you code "REQUIRED" then the client MUST log in using a security mechanism; if the client is another z/OS system then "SECURE_MECHANISM TLS" would be the option to look at; for other software, well, start digging.

I personally do not know if access via subnet can be controlled at the z/OS TCP/IP level, but that is mostly because we turned that kind of control over to our network personnel.

Al Nims
Systems Admin/Programmer 3
UFIT
University of Florida
(352) 273-1298

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of SUBSCRIBE IBM-MAIN Mary Vollmer
Sent: Monday, August 28, 2017 12:50 PM
To: [email protected]
Subject: How to require all secure FTP except to one subnet?

I am implementing TLS 1.2 via AT-TLS and have a requirement to secure all FTPs using this protocol except for the exchanges occurring via the hipersocket. I am manually coding the policy since I don't have zOSMF configured.

In my policy I have a rule for my unsecure connections, coding both LocalAddr and RemoteAddr with that of our hipersocket subnet. It has a priority of 100 and is first in the policy. I also have a rule for secure connections with no LocalAddr or RemoteAddr with a priority of 10.

In my FTPDATA:
When I specify SECURE_FTP REQUIRED, all unsecure attempts (inbound and outbound) fail - including those via the hipersocket.
When I specify SECURE_FTP ALLOWED, all unsecure attempts (inbound and outbound) are successful - even those NOT using the hipersocket.

I turned on tracing and see the rules selected are as I would have expected, but it appears the SECURE_FTP parm in FTP.DATA rules, regardless of what's in the policy.

Does anyone know if it's possible to do what I am trying to do with one TCPIP stack?

Thanks,
Mary Vollmer

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
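The two-rule AT-TLS layout Mary describes (a high-priority rule keyed on the HiperSocket subnet via LocalAddr/RemoteAddr, and a catch-all rule with no address filters), together with the FTP.DATA keyword Al discusses, written out as an added illustration. This is not configuration from either poster; the rule, action and keyring names and the 10.0.0.0/24 subnet are placeholders, and the port, keyring and advanced-parameter settings are assumptions about a typical FTP server setup.

```text
# Illustrative AT-TLS policy fragment (added example, not from the thread).
# Names and the 10.0.0.0/24 subnet are placeholders; replace with your own.

TTLSRule HiperSocketClear_Rule            # rule for the HiperSocket exchanges
{
  LocalAddr        10.0.0.0/24            # placeholder: local HiperSocket subnet
  RemoteAddr       10.0.0.0/24            # placeholder: remote HiperSocket subnet
  LocalPortRange   21                     # FTP control port (assumed)
  Direction        Both
  Priority         100                    # highest priority, evaluated first
  TTLSGroupActionRef NoTLS_Group
}

TTLSRule FTPSecure_Rule                   # catch-all: no LocalAddr / RemoteAddr
{
  LocalPortRange   21
  Direction        Both
  Priority         10
  TTLSGroupActionRef       TLS_Group
  TTLSEnvironmentActionRef FTPServer_Env
}

TTLSGroupAction NoTLS_Group
{
  TTLSEnabled Off                         # AT-TLS does nothing on this connection
}

TTLSGroupAction TLS_Group
{
  TTLSEnabled On
}

TTLSEnvironmentAction FTPServer_Env
{
  HandshakeRole Server
  TTLSKeyringParms
  {
    Keyring FTPD.KEYRING                  # placeholder keyring name
  }
  TTLSEnvironmentAdvancedParms
  {
    TLSv1.2               On              # the protocol level Mary is deploying
    ApplicationControlled On              # FTP starts the handshake itself (AUTH TLS)
    SecondaryMap          On              # apply the same policy to data connections
  }
}

; ---- FTP.DATA (server side): the two keywords discussed in the thread ----
TLSMECHANISM  ATTLS                       ; hand TLS processing to AT-TLS
SECURE_FTP    REQUIRED                    ; or ALLOWED; see note below
```

Read against the thread: with SECURE_FTP REQUIRED the FTP server insists on a security mechanism for every login, so the TTLSEnabled Off rule above does not by itself let HiperSocket logins through in the clear; with SECURE_FTP ALLOWED, unsecured logins succeed on every path, not only the exempted subnet. Whether a single stack can combine the two behaviours is exactly the question Mary leaves open.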
