IBM's secure FTP server (FTPS)

To download files from IBM's secure FTP server, you must enable SSL/TLS in the z/OS® Communications Server FTP client. The following statements in the client's FTP.DATA file control that, and each must be set as shown:
SECURE_FTP        ALLOWED 
SECURE_MECHANISM  TLS
TLSRFCLEVEL       CCCNONOTIFY
TLSMECHANISM      FTP
SECURE_DATACONN   PRIVATE
KEYRING           keyringname
EPSV4             TRUE
SECURE_FTP
This statement specifies whether a security mechanism is optional or required by the FTP client. ALLOWED indicates a security mechanism is optional: the FTP client attempts to negotiate one and allows both secure and non-secure traffic. REQUIRED indicates a security mechanism is mandatory and the FTP client allows only secure traffic. Either ALLOWED or REQUIRED must be specified. If the client is used only against secure servers, REQUIRED is the safer choice, because a session with ALLOWED can silently continue in the clear when negotiation fails.
SECURE_MECHANISM
This statement specifies which security mechanism to use when a session is established. The TLS parameter must be specified.
TLSRFCLEVEL
Use this statement to specify the level of RFC 4217 that FTP operations will support. CCCNONOTIFY indicates FTP will properly support the CCC (clear control connection) command, which returns the control connection to clear text after authentication so that firewalls and NAT devices can see the port negotiation; data connections remain protected according to SECURE_DATACONN. CCCNONOTIFY must be specified.
TLSMECHANISM
Use this statement to specify whether TLS is implemented by AT-TLS or by FTP. FTP indicates TLS processing is performed by FTP.
SECURE_DATACONN
This statement indicates the minimum level of security to be used for data connections by the FTP client. NEVER indicates data must never be enciphered during transfer. CLEAR indicates data may be transferred either with no security or enciphered, and is the default value, so omitting the statement leaves the data connection open to a clear-text transfer. PRIVATE indicates data must be transferred enciphered. The IBM® secure FTP server requires that data be transferred enciphered. Therefore, you must specify PRIVATE for the SECURE_DATACONN statement.
KEYRING
This statement defines the key ring that contains the Certificate Authority certificate to be used during the TLS handshake. You can use the same key ring for both HTTPS and FTPS operations. Specify on the KEYRING statement the name of the key ring defined in Creating key rings. However, IBM's secure FTP server uses a server certificate signed by a different certificate authority. Therefore, you must add the GeoTrust Global CA certificate to your key ring. Before you mark any CA certificate as trusted, verify its fingerprint against the value published by the CA, and confirm that the server's current certificate actually chains to that root; a root added with TRUST is accepted for every server that presents a chain to it.
  1. Download to your work station the GeoTrust Global CA root certificate (Root 2 - GeoTrust Global CA) from GeoTrust Root Certificates.
  2. Upload the CA certificate to your z/OS system. There are many methods to transfer files from your workstation to your z/OS system. For example, you can upload the certificate file with Personal Communications 3270 or use TCP/IP FTP. The important things to remember are the certificate file must be uploaded to z/OS as text data, the certificate file must be stored in a sequential data set, and the sequential data set must have RECFM=VB and LRECL>=256.
  3. After you have stored the certificate in a sequential data set, add it to your RACF® database using the following RACF command:
    RACDCERT CERTAUTH ADD('ca-cert.dataset.name') +
    WITHLABEL('GeoTrust Global CA') TRUST
    where ca-cert.dataset.name is the name of the sequential data set used to store the certificate received from the GeoTrust web site.
  4. Connect the GeoTrust CA certificate to the key ring using the following RACF command:
    RACDCERT ID(userid) CONNECT( CERTAUTH RING(keyringname) +
    LABEL('GeoTrust Global CA') USAGE(CERTAUTH) )
    where keyringname is the name for the key ring you choose to use for secure FTP operations. This can be the same keyring you use for HTTPS operations and defined in Creating key rings.
EPSV4
This statement directs the FTP client to use the EPSV and EPRT FTP commands instead of PASV and PORT during an FTP session. Because an EPSV reply carries only a port number and not an IP address, a Network Address Translation (NAT) firewall does not need to rewrite the (possibly encrypted) control connection. If you have trouble establishing a secure and encrypted data connection to the secure FTP server through a NAT firewall, specifying TRUE for the EPSV4 statement can help.
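The statements above are easy to get subtly wrong, and the weakest ones (SECURE_DATACONN defaulting to CLEAR, a stale TLSRFCLEVEL) fail only at transfer time. The following Python script is an added example, not part of this page or of the z/OS product: it parses an FTP.DATA fragment and reports every statement that does not match the values required for IBM's secure FTP server. It assumes FTP.DATA syntax of one `KEYWORD value` statement per line, case-insensitive keywords, `;` starting a comment, and the last occurrence of a keyword winning; the two sample configurations are constructed for the example.

```python
"""Lint a z/OS FTP.DATA fragment for the TLS settings IBM's secure FTP server needs.

Added example; the REQUIRED table is taken from the statement descriptions above.
"""

# Statement -> set of acceptable values. None means "must be present, any value"
# (KEYRING is a site-specific name). SECURE_FTP REQUIRED is stricter than ALLOWED
# and is accepted as well.
REQUIRED = {
    "SECURE_FTP":       frozenset({"ALLOWED", "REQUIRED"}),
    "SECURE_MECHANISM": frozenset({"TLS"}),
    "TLSRFCLEVEL":      frozenset({"CCCNONOTIFY"}),
    "TLSMECHANISM":     frozenset({"FTP"}),
    "SECURE_DATACONN":  frozenset({"PRIVATE"}),
    "KEYRING":          None,
    "EPSV4":            frozenset({"TRUE"}),
}

# Defaults the FTP client applies when a statement is absent, where that default
# is itself a finding (the page states CLEAR is the SECURE_DATACONN default).
DEFAULTS = {"SECURE_DATACONN": "CLEAR"}


def parse_ftp_data(text):
    """Return {KEYWORD: value} for the statements in an FTP.DATA fragment.

    Assumption: ';' starts a comment, the first token is the keyword
    (case-insensitive), the rest of the line is the value (case preserved,
    because key ring names are case-sensitive), last statement wins.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings[keyword] = value
    return settings


def lint_ftp_data(text):
    """Return a list of human-readable findings; an empty list means compliant."""
    settings = parse_ftp_data(text)
    findings = []
    for keyword, allowed in REQUIRED.items():
        value = settings.get(keyword)
        if value is None:
            if keyword in DEFAULTS:
                findings.append(f"{keyword} missing; client defaults to "
                                f"{DEFAULTS[keyword]}, which the secure server rejects")
            else:
                findings.append(f"{keyword} missing")
            continue
        if allowed is not None and value.upper() not in allowed:
            findings.append(f"{keyword} {value}: expected one of {sorted(allowed)}")
    return findings


# Constructed sample: the configuration recommended on this page.
RECOMMENDED_FTP_DATA = """
SECURE_FTP        ALLOWED
SECURE_MECHANISM  TLS
TLSRFCLEVEL       CCCNONOTIFY
TLSMECHANISM      FTP
SECURE_DATACONN   PRIVATE
KEYRING           FTPRING        ; site key ring name (constructed)
EPSV4             TRUE
"""

# Constructed sample: a client that will authenticate the server but can still
# move data in the clear and cannot issue CCC.
WEAK_FTP_DATA = """
secure_ftp        allowed
SECURE_MECHANISM  TLS
TLSRFCLEVEL       RFC4217        ; CCC not supported at this level
TLSMECHANISM      FTP
SECURE_DATACONN   CLEAR          ; data connection may be unencrypted
KEYRING           FTPRING
"""

if __name__ == "__main__":
    for name, cfg in (("recommended", RECOMMENDED_FTP_DATA), ("weak", WEAK_FTP_DATA)):
        print(f"== {name} ==")
        for finding in lint_ftp_data(cfg) or ["no findings"]:
            print(" ", finding)
```

Run it against a copy of your FTP.DATA member after transferring it to a workstation as text; a clean run means the client will insist on TLS for the data connection, support CCC, and use EPSV, which are the three conditions the secure FTP server and a NAT firewall between you and it both need.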