To download files from IBM's secure FTP server, you must enable SSL/TLS
in the z/OS® Communications Server FTP client program. Enabling the FTP
client for SSL/TLS involves the following statements in the FTP.DATA file,
each of which is explained below:
SECURE_FTP ALLOWED
SECURE_MECHANISM TLS
TLSRFCLEVEL CCCNONOTIFY
TLSMECHANISM FTP
SECURE_DATACONN PRIVATE
KEYRING keyringname
EPSV4 TRUE
- SECURE_FTP
- This statement specifies whether a security mechanism is optional
or required by the FTP client. ALLOWED indicates a security mechanism
is optional and the FTP client will allow both secure traffic and
non-secure traffic. PRIVATE indicates a security mechanism is required
and the FTP client will allow only secure traffic. Either ALLOWED
or PRIVATE must be specified.
- SECURE_MECHANISM
- This statement specifies which security mechanism to use when
a session is established. The TLS parameter must be specified.
- TLSRFCLEVEL
- Use this statement to specify the level of RFC 4217 that FTP operations
will support. CCCNONOTIFY indicates FTP will properly support the
CCC (clear control connection) command and must be specified.
- TLSMECHANISM
- Use this statement to specify whether TLS is implemented by AT-TLS
or by FTP. FTP indicates TLS processing is performed by FTP.
- SECURE_DATACONN
- This statement indicates the minimum level of security to be used
for data connections by the FTP client. NEVER indicates data must
never be enciphered during transfer. CLEAR indicates data may be transferred
either with no security or may be enciphered, and is the default value.
PRIVATE indicates data must be transferred enciphered. The IBM® secure FTP server requires that
data be transferred enciphered. Therefore, you must specify PRIVATE
for the SECURE_DATACONN statement.
- KEYRING
- This statement defines the key ring that contains
the Certificate Authority certificate to be used during the TLS handshake.
You can use the same key ring for both HTTPS and FTPS operations.
On the KEYRING statement, specify the name of the key ring defined in Creating key rings. However,
IBM's secure FTP server uses a server certificate signed by a different
certificate authority, so you must add the GeoTrust Global
CA certificate to your key ring as follows:
  - Download the GeoTrust Global CA root certificate
  (Root 2 - GeoTrust Global CA) to your workstation from the GeoTrust website at https://www.geotrust.com/resources/root-certificates/index.html.
  - Upload the CA certificate to your z/OS system.
  There are many ways to transfer files from your workstation to
  your z/OS system; for example, you can upload the certificate file with
  Personal Communications 3270 or with TCP/IP FTP. Three things are important:
  the certificate file must be uploaded to z/OS as text data, it must be stored in
  a sequential data set, and that sequential data set must have RECFM=VB
  and LRECL>=256.
  - After you have stored the certificate in a sequential data set,
  add it to your RACF® database
  using the following RACF command:
  RACDCERT CERTAUTH ADD('ca-cert.dataset.name') +
  WITHLABEL('GeoTrust Global CA') TRUST
  where ca-cert.dataset.name is
  the name of the sequential data set used to store the certificate
  received from the GeoTrust website.
  - Connect the GeoTrust CA certificate to the key ring using the
  following RACF command:
  RACDCERT ID(userid) CONNECT( CERTAUTH RING(keyringname) +
  LABEL('GeoTrust Global CA') USAGE(CERTAUTH) )
  where keyringname is
  the name of the key ring you choose to use for secure FTP operations.
  This can be the same key ring you use for HTTPS operations and defined
  in Creating key rings.
- EPSV4
- This statement directs the FTP client to use the EPSV and EPRT
FTP commands during an FTP session. If you have trouble establishing
a secure and encrypted data connection to the secure FTP server through
a Network Address Translation (NAT) firewall, specifying TRUE for
the EPSV4 statement can help.
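The statements above are easy to get subtly wrong (for example, leaving SECURE_DATACONN at its CLEAR default, which lets the data connection fall back to cleartext). The following added example, which is not IBM code and not part of this page, parses an FTP.DATA member that has been copied to text and reports every statement that does not match the values required here. It assumes that comment lines in FTP.DATA begin with a semicolon and that the last occurrence of a repeated statement is the one in effect; the sample FTP.DATA contents are constructed for illustration.

```python
"""Check a z/OS FTP.DATA client configuration against the SSL/TLS settings
required for IBM's secure FTP server.  Added example; not IBM's own code.
Assumption: comment lines start with ';' and a repeated statement's last
occurrence wins."""

from __future__ import annotations

# Statement -> values accepted by this page.  KEYRING is checked separately
# because its value is a site-specific ring name rather than a keyword.
REQUIRED: dict[str, set[str]] = {
    "SECURE_FTP": {"ALLOWED", "PRIVATE"},
    "SECURE_MECHANISM": {"TLS"},
    "TLSRFCLEVEL": {"CCCNONOTIFY"},
    "TLSMECHANISM": {"FTP"},
    "SECURE_DATACONN": {"PRIVATE"},
    "EPSV4": {"TRUE"},
}


def parse_ftp_data(text: str) -> dict[str, str]:
    """Return {STATEMENT: value} from FTP.DATA text.

    Keywords are uppercased for lookup; values are kept verbatim because a
    RACF key ring name is case-sensitive.  Lines whose first non-blank
    character is ';' are treated as comments (assumption) and skipped.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].upper()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings[keyword] = value  # last occurrence wins
    return settings


def check_secure_ftp(settings: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the configuration
    matches the statements this page requires."""
    findings: list[str] = []
    for stmt, allowed in REQUIRED.items():
        value = settings.get(stmt)
        if value is None:
            findings.append(f"{stmt} is missing; expected one of {sorted(allowed)}")
        elif value.upper() not in allowed:
            findings.append(f"{stmt} is {value}; expected one of {sorted(allowed)}")
    if not settings.get("KEYRING"):
        findings.append("KEYRING is missing; the TLS handshake needs the CA certificate")
    # ALLOWED is permitted by the page but still lets the client fall back
    # to a non-secure session, so surface it as an advisory finding.
    if settings.get("SECURE_FTP", "").upper() == "ALLOWED":
        findings.append("advisory: SECURE_FTP ALLOWED permits non-secure sessions; "
                        "PRIVATE requires TLS")
    return findings


# Constructed sample: a client that leaves SECURE_DATACONN at the CLEAR
# default, uses the wrong RFC level and omits EPSV4.
WEAK_FTP_DATA = """\
; constructed FTP.DATA sample (not from a real system)
SECURE_FTP        ALLOWED
SECURE_MECHANISM  TLS
TLSRFCLEVEL       RFC4217
TLSMECHANISM      FTP
SECURE_DATACONN   CLEAR
KEYRING           FTPRING
"""

# Constructed sample matching every statement on this page.
HARDENED_FTP_DATA = """\
; constructed FTP.DATA sample (not from a real system)
SECURE_FTP        PRIVATE
SECURE_MECHANISM  TLS
TLSRFCLEVEL       CCCNONOTIFY
TLSMECHANISM      FTP
SECURE_DATACONN   PRIVATE
KEYRING           FTPRING
EPSV4             TRUE
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_FTP_DATA), ("hardened", HARDENED_FTP_DATA)):
        print(f"--- {name} ---")
        for finding in check_secure_ftp(parse_ftp_data(text)) or ["OK"]:
            print(finding)
```

Run the script as-is to see the four findings for the weak sample and "OK" for the hardened one; to check a real member, read its contents into a string and pass it to `parse_ftp_data`. The check is deliberately strict about SECURE_DATACONN, since the page states that IBM's secure FTP server rejects unencrypted data connections.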