This guide describes the overall process for using the "Secure Sockets" z/OS FTP client to connect securely to a MOVEit DMZ FTP server.
Step 1 - Check firewall issues using MOVEit Freely. Download and install MOVEit Freely from the MOVEit Freely web site. Try connecting to a MOVEit DMZ host using this client. If you can connect successfully, then there should not be any firewall issues.
*There is a known problem with FTP over SSL and Checkpoint firewalls. For more information, please see Checkpoint support article sk9930.
Step 2 - Install Digital Certificates on the mainframe. There are two methods for installing digital certificates into z/OS. The first is RACF's RACDCERT command; a useful guide is http://publibz.boulder.ibm.com/epubs/pdf/ichza441.pdf.
The second way to work with certificates (and usually the more fruitful one) is the gskkyman utility, a shell-based program. A useful guide can be found in Chapter 10 of Secure Sockets Programming: http://publibfp.boulder.ibm.com/epubs/pdf/gska1a21.pdf
Step 3 - Change settings in "FTP Client Parms" file. You can find an example of the parm file below.
Step 4 - Use explicit mode (TCP port 21) and passive mode to connect and transfer. These should be the default settings when using the z/OS FTP client.
Step 5 - To get file transfers to work, you have to request passive mode transfers in the z/OS client. Add the following command before any transfers: "LOCSITE FWF" (FWF stands for "FireWallFriendly").
In more recent versions, two new options, "TLSPORT" and "SECUREIMPLICITZOS", appear to have been added to allow z/OS mainframes to perform implicit FTP over SSL transfers. Despite appearances to the contrary, the "SECUREIMPLICITZOS" parameter MUST be set to "FALSE" when connecting to a MOVEit DMZ FTP server. (It should only be set to "TRUE" if the remote FTP server is another z/OS system.)
TLSPORT 990
SECUREIMPLICITZOS FALSE
;***********************************************************************
;
; Name of File:  SEZAINST(FTCDATA)
;
; Descriptive Name: FTP.DATA (for FTP Client)
;
; SMP/E Distribution Name: EZAFTPAC
;
; Copyright: Licensed Materials - Property of IBM
;
; "Restricted Materials of IBM"
;
; 5694-A01
;
; (C) Copyright IBM Corp. 1977, 2002
;
; US Government Users Restricted Rights -
; Use, duplication or disclosure restricted by
; GSA ADP Schedule Contract with IBM Corp.
;
; Status: CSV1R4
;
;
; This FTP.DATA file is used to specify default file and disk
; parameters used by the FTP client.
;
; Note: For an example of an FTP.DATA file for the FTP server,
;       see the FTPSDATA example.
;
; Syntax Rules for the FTP.DATA Configuration File:
;
;  (a) All characters to the right of and including a ; will be
;      treated as a comment.
;
;  (b) Blanks and <end-of-line> are used to delimit tokens.
;
;  (c) The format for each statement is:
;
;      parameter value
;
;
; The FTP.DATA options are grouped into the following groups in
; this sample FTP client FTP.DATA configuration data set:
;
;  1. Basic configuration options (timers, conditional options, etc.)
;  2. Defaults for MVS data set creation
;  3. Code page conversion options
;  4. DB2 (SQL) interface options
;  5. Security options
;  6. Debug (trace) options
;
; For options that have a pre-selected set of values, a (D) indicates
; the default value for the option.
;
; Options that can be changed via LOCSITE subcommands are identified
; with an (S).
;
;***********************************************************************
; ---------------------------------------------------------------------
;
; 1. Basic FTP client configuration options -
;    Timeout values, conversion options,
;    and conditional processing options
;
; ---------------------------------------------------------------------
ASATRANS       FALSE       ; (S) Conversion of ASA print
                           ;     control characters
                           ;     TRUE  = Use C conversion
                           ;     FALSE = Do not convert (D)
AUTOMOUNT      TRUE        ; (S) Automatic mount of unmounted
                           ;     DASD volumes
                           ;     TRUE  = Mount volumes (D)
                           ;     FALSE = Do not mount volumes
AUTORECALL     TRUE        ; (S) Automatic recall of
                           ;     migrated data sets
                           ;     TRUE  = Recall them (D)
                           ;     FALSE = Do not recall them
AUTOTAPEMOUNT  TRUE        ; Automatic mount of unmounted
                           ; tape volumes
                           ; TRUE  = Mount volumes (D)
                           ; FALSE = Do not mount volumes
BUFNO          5           ; (S) Specify number of access
                           ;     method buffers
                           ;     Valid range is from 1 through
                           ;     35 - default value is 5
CCONNTIME      30          ; Timeout value for successful
                           ; close of control connection.
                           ; Default value is 30 seconds.
                           ; Valid range is 15 through 720.
CHKPTINT       0           ; (S) Specify the checkpoint interval
                           ;     in number of records.
                           ;     NB: checkpointing only works
                           ;     with datatype EBCDIC and block
                           ;     or compressed transfer mode.
                           ;     0 = no checkpoints (D)
CONDDISP       CATLG       ; (S) Disposition of a new data set
                           ;     when transfer ends prematurely
                           ;     CATLG  = Keep and catalog (D)
                           ;     DELETE = Delete data set
DATACTTIME     120         ; Timeout for send/receive data
                           ; operations.
                           ; Default value is 120 seconds.
                           ; Valid range is 15 through 720.
DCONNTIME      120         ; Timeout value for successful
                           ; close of data connection.
                           ; Default value is 120 seconds.
                           ; Valid range is 15 through 720.
DIRECTORYMODE  FALSE       ; (S) Specifies how to view the MVS
                           ;     data set structure:
                           ;     FALSE = All qualifiers below
                           ;     (D)     LCWD are treated as
                           ;             entries in the directory
                           ;     TRUE  = Qualifiers immediately
                           ;             below the LCWD are
                           ;             treated as entries in the
                           ;             directory
;EXTENSIONS    UTF8        ; Enable RFC 2640 support.
EXTENSIONS     AUTH_TLS    ; Default is disabled.
                           ; Control connection starts as
                           ; 7bit ASCII and switches to UTF-8
                           ; encoding when LANG command
                           ; processed successfully.
                           ; CCTRANS and CTRLCONN are ignored.
FILETYPE       SEQ         ; (S) Client mode of operation
                           ;     SEQ = transfer data sets or
                           ;           files (D)
                           ;     SQL = submit queries to DB2
INACTTIME      300         ; The time in seconds to wait for
                           ; an expected response from the
                           ; server.
                           ; Default value is 300 seconds.
                           ; Valid range is 15 through 720.
ISPFSTATS      FALSE       ; TRUE  = create/update PDS
                           ;         statistics
                           ; FALSE = does not create/update
                           ;         PDS statistics
MIGRATEVOL     MIGRAT      ; (S) Migration volume VOLSER to
                           ;     identify migrated data sets
                           ;     under control of non-HSM
                           ;     storage management products.
                           ;     Default value is MIGRAT.
MYOPENTIME     60          ; Connection timeout value in
                           ; seconds.
                           ; Default value is 60 seconds.
                           ; Valid range is 15 through 720.
QUOTESOVERRIDE TRUE        ; (S) How to treat quotes at the
                           ;     beginning or surrounding file
                           ;     names.
                           ;     TRUE  = Override current working
                           ;             directory (D)
                           ;     FALSE = Treat quotes as part of
                           ;             file name
RDW            FALSE       ; (S) Specify whether Record
                           ;     Descriptor Words (RDWs) are
                           ;     discarded or retained.
                           ;     TRUE  = Retain RDWs and transfer
                           ;             as part of data
                           ;     FALSE = Discard RDWs when
                           ;             transferring data (D)
;SOCKSCONFIGFILE /etc/socks.conf ; file path for SOCKS configuration
                           ; file. The SOCKS configuration
                           ; file specifies which FTP servers
                           ; should be accessed via SOCKS
TRAILINGBLANKS FALSE       ; (S) How to handle trailing blanks
                           ;     in fixed format data sets during
                           ;     text transfers.
                           ;     TRUE  = Retain trailing blanks
                           ;             (include in transfer)
                           ;     FALSE = Strip off trailing
                           ;             blanks (D)
UMASK          027         ; (S) Octal UMASK to restrict setting
                           ;     of permission bits when creating
                           ;     new HFS files
                           ;     Default value is 027.
WRAPRECORD     FALSE       ; (S) Specify what to do if no new-line
                           ;     is encountered before reaching
                           ;     the MVS data set record length
                           ;     limit as defined by LRECL when
                           ;     transferring data to MVS.
                           ;     TRUE  = Wrap data to new record
                           ;     FALSE = Truncate data (D)
; ---------------------------------------------------------------------
;
; 2. Default MVS data set creation attributes
;
; ---------------------------------------------------------------------
BLKSIZE        6233        ; (S) New data set allocation block size
;DATACLASS     SMSDATA     ; (S) SMS data class name
                           ;     There is no default
;MGMTCLASS     SMSMGNT     ; (S) SMS mgmtclass name
                           ;     There is no default
;STORCLASS     SMSSTOR     ; (S) SMS storclass name
                           ;     There is no default
;DCBDSN        MODEL.DCB   ; (S) New data set allocation
                           ;     model DCB name - must be a
                           ;     fully qualified data set name
                           ;     There is no default
DIRECTORY      27          ; (S) Number of directory blocks in
                           ;     new PDS/PDSE data sets.
                           ;     Default value is 27.
                           ;     Range is from 1 to 16777215.
LRECL          256         ; (S) New data set allocation LRECL.
                           ;     Default value is 256.
                           ;     Valid range 0 through 32760.
PRIMARY        1           ; (S) New data set allocation
                           ;     primary space units according
                           ;     to the value of SPACETYPE.
                           ;     Default value is 1.
                           ;     Valid range 1 through 16777215.
RECFM          VB          ; (S) New data set allocation
                           ;     record format.
                           ;     Default value is VB.
                           ;     Value may be specified as certain
                           ;     combinations of:
                           ;     A - ASA print control
                           ;     B - Blocked
                           ;     F - Fixed length records
                           ;     M - Machine print control
                           ;     S - Spanned (V) or Standard (F)
                           ;     U - Undefined record length
                           ;     V - Variable length records
RETPD                      ; (S) New data set retention
                           ;     period in days.
                           ;     Blank = no retention period (D)
                           ;     0     = expire today
                           ;     Valid range 0 through 9999.
                           ;     NB: Note the difference between
                           ;         a blank value and a value
                           ;         of zero.
SECONDARY      1           ; (S) New data set allocation
                           ;     secondary space units according
                           ;     to the value of SPACETYPE.
                           ;     Default value is 1.
                           ;     Valid range 1 through 16777215.
SPACETYPE      TRACK       ; (S) New data set allocation
                           ;     space type.
                           ;     TRACK (D)
                           ;     BLOCK
                           ;     CYLINDER
UCOUNT                     ; (S) Sets the unit count for an
                           ;     allocation.
                           ;     If this option is not specified
                           ;     or is specified with a value of
                           ;     blank, the unit count attribute
                           ;     is not used on an allocation (D)
                           ;     Valid range is 1 through 59 or
                           ;     the character P for parallel
                           ;     mount requests
;UNITNAME      SYSDA       ; (S) New data set allocation unit
                           ;     name.
                           ;     There is no default.
VCOUNT         59          ; (S) Volume count for an
                           ;     allocation.
                           ;     Valid range is 1 through 255.
                           ;     Default value is 59.
;VOLUME        WRKLB1,WRKLB2 ; (S) Volume serial number(s) to
                           ;     use for allocating a data set.
                           ;     Specify either a single VOLSER
                           ;     or a list of VOLSERs
                           ;     separated with commas
; ---------------------------------------------------------------------
;
; 3. Text code page conversion options
;
; ---------------------------------------------------------------------
;CCTRANS       dsn_qual    ; Control connection translate
                           ; table data set qualifier.
                           ; Used to search for
                           ;   a) userid.dsn_qual.TCPXLBIN
                           ;   b) hlq.dsn_qual.TCPXLBIN
                           ; If CTRLCONN is specified, that
                           ; value overrides CCTRANS.
;CTRLCONN      7BIT        ; (S) ASCII code page for
                           ;     control connection.
                           ;     7BIT is the default if CTRLCONN
                           ;     is not specified AND no TCPXLBIN
                           ;     translation table data set found.
                           ;     Can be specified as any iconv
                           ;     supported ASCII code page, such
                           ;     as IBM-850
;ENCODING      SBCS        ; (S) Specifies whether multi-byte or
                           ;     single-byte data conversion is
                           ;     to be performed on ASCII data
                           ;     transfers.
                           ;     MBCS = Use multi-byte
                           ;     SBCS = Use single-byte (D)
;
;MBDATACONN    (IBM-1388,IBM-5488) ; (S) Specifies the conversion table
                           ;     names for the data connection
                           ;     when ENCODING has a value of
                           ;     MBCS. The names are the file
                           ;     system code page name and the
                           ;     network transfer code page name.
;SBDATACONN    (IBM-1047,IBM-850) ; (S) file system/network transfer
                           ;     code pages for data connection.
                           ;     Either a fully-qualified MVS
                           ;     data set name or HFS file name
                           ;     built with the CONVXLAT utility -
                           ;       HLQ.MY.TRANS.DATASET
                           ;       /u/user1/my.trans.file
                           ;     Or a file system code page name
                           ;     followed by a network transfer
                           ;     code page name according to
                           ;     iconv supported code pages -
                           ;     for example
                           ;       (IBM-1047,IBM-850)
                           ;     If the SYSFTSX DD-name is present
                           ;     it will override SBDATACONN.
                           ;     If neither SYSFTSX nor
                           ;     SBDATACONN are present, std.
                           ;     search order for a default
                           ;     translation table data set will
                           ;     be used.
;SBSUB         FALSE       ; Specifies whether untranslatable
                           ; data bytes should be replaced
                           ; with SBSUBCHAR when detected
                           ; during SBCS data transfer.
                           ; TRUE  = Replace each
                           ;         untranslatable byte with
                           ;         SBSUBCHAR.
                           ; FALSE = Terminate transfer (D)
                           ;         when untranslatable bytes are
                           ;         detected
;SBSUBCHAR     nn          ; Specifies the substitution char
                           ; for SBCS data transfer when
                           ; SBSUB is TRUE.
                           ; nn = hexadecimal value from
                           ;      0x'00' to 0x'FF'.
                           ; SPACE = x'40' when target code
                           ;         set is EBCDIC, and
                           ;         x'20' when target code
                           ;         set is ASCII. (D)
;SBTRANS       dsn_qual    ; Data connection translate
                           ; table data set qualifier.
                           ; Used to search for
                           ;   a) userid.dsn_qual.TCPXLBIN
                           ;   b) hlq.dsn_qual.TCPXLBIN
                           ; If SBDATACONN is specified, that
                           ; value overrides SBTRANS
;UCSHOSTCS     code_set    ; (S) Specify the EBCDIC code set
                           ;     to be used for data conversion
                           ;     to or from Unicode.
                           ;     If UCSHOSTCS is not specified,
                           ;     the current EBCDIC code page
                           ;     for the data connection is used.
UCSSUB         FALSE       ; (S) Specify whether Unicode-to-EBCDIC
                           ;     conversion should use the EBCDIC
                           ;     substitution character or
                           ;     cause the data transfer to be
                           ;     terminated if a Unicode
                           ;     character cannot be converted to
                           ;     a character in the target
                           ;     EBCDIC code set
                           ;     TRUE  = Use substitution char
                           ;     FALSE = Terminate transfer (D)
UCSTRUNC       FALSE       ; (S) Specify whether the transfer
                           ;     of Unicode data should be
                           ;     aborted if truncation
                           ;     occurs at the MVS host
                           ;     TRUE  = Truncation allowed
                           ;     FALSE = Terminate transfer (D)
; ---------------------------------------------------------------------
;
; 4. DB2 (SQL) interface options
;
; ---------------------------------------------------------------------
DB2            DB2         ; (S) DB2 subsystem name
                           ;     The default name is DB2
DB2PLAN        EZAFTPMQ    ; DB2 plan name for FTP client
                           ; The default name is EZAFTPMQ
SPREAD         FALSE       ; (S) SQL spreadsheet output format
                           ;     TRUE  = Spreadsheet format
                           ;     FALSE = Not spreadsheet
                           ;             format (D)
SQLCOL         NAMES       ; (S) SQL output headings
                           ;     NAMES  = Use column names (D)
                           ;     LABELS = Use column labels
                           ;     ANY    = Use label if defined,
                           ;              else use name
; ---------------------------------------------------------------------
;
; 5. Security options
;
; ---------------------------------------------------------------------
SECURE_MECHANISM TLS       ; Name of the security mechanism
                           ; that the client uses when it
                           ; sends an AUTH command to the
                           ; server.
                           ; GSSAPI = Kerberos support
                           ; TLS    = TLS
SECURE_FTP     ALLOWED     ; Authentication indicator
SECURE_LOGIN   REQUIRED    ; ALLOWED  (D)
                           ; REQUIRED
SECURE_CTRLCONN PRIVATE    ; Minimum level of security for
                           ; the control connection
                           ; CLEAR   (D)
                           ; SAFE
                           ; PRIVATE
SECURE_DATACONN PRIVATE    ; Minimum level of security for
                           ; the data connection
                           ; NEVER
                           ; CLEAR   (D)
                           ; SAFE
                           ; PRIVATE
;SECURE_PBSZ   16384       ; Kerberos maximum size of the
                           ; encoded data blocks
                           ; Default value is 16384
                           ; Valid range is 512 through 32768
; Name of a ciphersuite that can be passed to the partner during
; the TLS handshake. None, some, or all of the following may be
; specified. The number to the far right is the cipherspec id
; that corresponds to the ciphersuite's name.
CIPHERSUITE    SSL_NULL_MD5   ; 01
CIPHERSUITE    SSL_NULL_SHA   ; 02
CIPHERSUITE    SSL_RC4_MD5_EX ; 03
CIPHERSUITE    SSL_RC4_MD5    ; 04
CIPHERSUITE    SSL_RC4_SHA    ; 05
CIPHERSUITE    SSL_RC2_MD5_EX ; 06
CIPHERSUITE    SSL_DES_SHA    ; 09
CIPHERSUITE    SSL_3DES_SHA   ; 0A
KEYRING        /SSLselfsigned/key.kdb ; It can be the name of an HFS
                           ; file (name starts with /) or
                           ; a resource name in the security
                           ; product (e.g., RACF)
;TLSTIMEOUT    100         ; Maximum time limit between full
                           ; TLS handshakes to protect data
                           ; connections
                           ; Default value is 100 seconds.
                           ; Valid range is 0 through 86400
; ---------------------------------------------------------------------
;
; 6. Debug (trace) options
;
; ---------------------------------------------------------------------
;DEBUG TIME      ; time stamp client trace entries
;DEBUG ALL       ; activate all traces
;DEBUG BAS       ; active basic traces (marked with *)
;DEBUG FLO       ; function flow
;DEBUG CMD       ; * command trace
;DEBUG PAR       ; parser details
;DEBUG INT       ; * program initialization and termination
;DEBUG ACC       ; access control (logging in)
;DEBUG SEC       ; security processing
;DEBUG UTL       ; utility functions
;DEBUG FSC(1)    ; * file services
;DEBUG SOC(1)    ; * socket services
;DEBUG SQL       ; special SQL processing
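As an added example (not part of this guide or of IBM's sample file), a small Python lint that parses an FTP.DATA file using the syntax rules stated in the file header and checks the settings Steps 3 to 5 and the SECUREIMPLICITZOS note call for. The set of ciphersuites it flags and the wording of its findings are this example's own choices.

```python
"""Added example (not from the guide or IBM): lint an FTP.DATA file for this guide's TLS settings."""
import sys

# From the sample's CIPHERSUITE list: SSL_NULL_* encrypt nothing, *_EX suites are
# 40-bit export grade, RC4 and single DES are broken. The list is this example's
# own choice; SSL_3DES_SHA is left alone as the only remaining suite in the sample.
WEAK_CIPHERSUITES = {"SSL_NULL_MD5", "SSL_NULL_SHA", "SSL_RC4_MD5_EX",
                     "SSL_RC2_MD5_EX", "SSL_RC4_MD5", "SSL_RC4_SHA", "SSL_DES_SHA"}

def parse_ftp_data(text):
    """Parse per the file header's syntax rules: everything from ';' on is a
    comment, blanks delimit tokens, each statement is 'PARAMETER VALUE'.
    Returns {PARAM: [VALUE, ...]} so repeated statements (CIPHERSUITE) accumulate."""
    settings = {}
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()   # drop the comment, then tokenise
        if not tokens:
            continue                            # blank, comment-only or ;PARAM line
        value = tokens[1].upper() if len(tokens) > 1 else ""
        settings.setdefault(tokens[0].upper(), []).append(value)
    return settings


def lint_ftp_data(text):
    """Return a list of findings; an empty list means the file matches the guide."""
    s = parse_ftp_data(text)
    findings = []

    def expect(param, wanted):
        if wanted not in s.get(param, []):
            findings.append(f"{param} should be {wanted}, found {s.get(param) or 'nothing'}")

    expect("EXTENSIONS", "AUTH_TLS")        # lets the client send AUTH TLS
    expect("SECURE_MECHANISM", "TLS")       # TLS rather than Kerberos (GSSAPI)
    expect("SECURE_CTRLCONN", "PRIVATE")    # encrypted control connection
    expect("SECURE_DATACONN", "PRIVATE")    # encrypted data connection (PROT P)
    if not s.get("KEYRING", [""])[0]:
        findings.append("KEYRING is missing: no key database to validate the server certificate")
    # Per the guide, SECUREIMPLICITZOS must be FALSE unless the peer is another z/OS.
    if s.get("SECUREIMPLICITZOS", ["FALSE"])[0] != "FALSE":
        findings.append("SECUREIMPLICITZOS must be FALSE for a MOVEit DMZ server")
    for suite in s.get("CIPHERSUITE", []):
        if suite in WEAK_CIPHERSUITES:
            findings.append(f"CIPHERSUITE {suite} gives no or weak encryption; remove it")
    return findings

if __name__ == "__main__":                  # usage: python ftpdata_lint.py FTP.DATA
    for problem in lint_ftp_data(open(sys.argv[1]).read()):
        print(problem)
```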