FTP - Specific Clients - z/OS

This guide describes the overall process to use the Secure Sockets z/OS FTP client to securely connect to a MOVEit DMZ FTP Server.

Procedure

Step 1 - Check for firewall issues using MOVEit Freely. Download and install MOVEit Freely from the MOVEit Freely web site and try connecting to a MOVEit DMZ host with it. If you can connect successfully, then there should not be any firewall issues.
*There is a known problem with FTP over SSL and Checkpoint firewalls. For more information, please see Checkpoint support article sk9930.

Step 2 - Install digital certificates on the mainframe. There are two methods for installing digital certificates into z/OS. The first is RACF's RACDCERT command; a useful guide is http://publibz.boulder.ibm.com/epubs/pdf/ichza441.pdf.

The second way to work with certificates (and usually the more fruitful one) is gskkyman, a shell-based key database utility. A useful guide can be found in Chapter 10 of Secure Sockets Programming: http://publibfp.boulder.ibm.com/epubs/pdf/gska1a21.pdf

  1. Install any root certificates (e.g. Thawte) on the mainframe.
  2. Install any intermediate certificates that might be used on the mainframe (this step may be optional).
  3. Install any server-certificates (e.g., mydmzhost.com) on the mainframe.

Step 3 - Change settings in FTP Client Parms file. You can find an example of the parm file below.

  1. Change the value of SECURE_CTRLCONN from CLEAR to PRIVATE.
  2. Change the value of SECURE_DATACONN from CLEAR to PRIVATE.

Step 4 - Use explicit mode (TCP port 21) and passive to connect and transfer. These should be the default settings when using the z/OS FTP client.

Step 5 - To get file transfers to work, you have to request passive mode transfers in the z/OS client by issuing the following command before any transfers: "LOCSITE FWF". FWF stands for "FireWallFriendly".

Implicit Mode

In more recent versions, it would appear that two new options, TLSPORT and SECUREIMPLICITZOS, have been added to allow z/OS mainframes to perform implicit FTP over SSL transfers. Despite appearances to the contrary, the SECUREIMPLICITZOS parameter MUST be set to FALSE when connecting to a MOVEit DMZ FTP server. (It should only be set to TRUE if the remote FTP server is another z/OS.)

TLSPORT 990
SECUREIMPLICITZOS FALSE
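The settings required by Steps 2 and 3 and by the Implicit Mode note can be checked directly against an FTP.DATA file. The following is an added example, not code from the original page, from IBM or from MOVEit; it assumes the FTP.DATA syntax rules quoted in the sample file (';' starts a comment, blanks delimit tokens, one "parameter value" statement per line) and only knows the ciphersuite names listed there.

```python
# Added example (not from the page, from IBM, or from MOVEit): lint a z/OS FTP
# client FTP.DATA file for the settings this guide calls for, using the syntax
# the sample file documents: ';' to end of line is a comment, blanks delimit
# tokens, one "parameter value" statement per line.

# Ciphersuites from the sample file that give no or weak confidentiality;
# SSL_3DES_SHA (0A) is the only suite in that list not flagged here.
WEAK_CIPHERSUITES = {
    "SSL_NULL_MD5": "no encryption",
    "SSL_NULL_SHA": "no encryption",
    "SSL_RC4_MD5_EX": "40-bit export RC4",
    "SSL_RC2_MD5_EX": "40-bit export RC2",
    "SSL_RC4_MD5": "RC4",
    "SSL_RC4_SHA": "RC4",
    "SSL_DES_SHA": "56-bit single DES",
}

# Constructed FTP.DATA excerpt: a fresh copy of the sample before Step 3 has
# been applied, with SECUREIMPLICITZOS set the wrong way for a MOVEit DMZ server.
SAMPLE_BEFORE = """\
EXTENSIONS         AUTH_TLS          ; negotiate TLS on the control connection
SECURE_MECHANISM   TLS               ; TLS, not GSSAPI
SECURE_FTP         ALLOWED           ; Authentication indicator
SECURE_CTRLCONN    CLEAR             ; still the (D) default
SECURE_DATACONN    CLEAR             ; still the (D) default
CIPHERSUITE        SSL_NULL_MD5      ; 01
CIPHERSUITE        SSL_3DES_SHA      ; 0A
KEYRING            /SSLselfsigned/key.kdb
TLSPORT            990
SECUREIMPLICITZOS  TRUE              ; wrong for MOVEit DMZ
"""


def parse_ftp_data(text):
    """Map each parameter to the list of its values (CIPHERSUITE repeats;
    a blank RETPD or UCOUNT is recorded as an empty string)."""
    params = {}
    for raw in text.splitlines():
        code = raw.split(";", 1)[0].strip()   # rule (a): ';' starts a comment
        if not code:
            continue
        tokens = code.split()                 # rule (b): blanks delimit tokens
        value = tokens[1] if len(tokens) > 1 else ""
        params.setdefault(tokens[0].upper(), []).append(value)
    return params


def check_moveit_settings(params):
    """Return findings; an empty list means the guide's settings are in place."""
    findings = []

    def last(name, default):
        return params.get(name, [default])[-1].upper()   # last statement wins

    # Step 3: both connections must be PRIVATE, not the CLEAR (D) default.
    for name in ("SECURE_CTRLCONN", "SECURE_DATACONN"):
        level = last(name, "CLEAR")
        if level != "PRIVATE":
            findings.append(f"{name} is {level}; Step 3 requires PRIVATE")
    # TLS must be negotiated at all, and the Step 2 certificates need a key ring.
    if last("SECURE_MECHANISM", "") != "TLS":
        findings.append("SECURE_MECHANISM is not TLS")
    if "AUTH_TLS" not in [v.upper() for v in params.get("EXTENSIONS", [])]:
        findings.append("EXTENSIONS AUTH_TLS is not enabled")
    if not last("KEYRING", ""):
        findings.append("KEYRING is not set; Step 2 certificates must be in the ring it names")
    # Implicit mode: SECUREIMPLICITZOS stays FALSE unless the server is another z/OS.
    if last("SECUREIMPLICITZOS", "FALSE") == "TRUE":
        findings.append("SECUREIMPLICITZOS is TRUE; set it to FALSE for a MOVEit DMZ server")
    # Each CIPHERSUITE statement is an offer made in the handshake; inspect every one.
    for suite in params.get("CIPHERSUITE", []):
        key = suite.upper()
        if key in WEAK_CIPHERSUITES:
            findings.append(f"CIPHERSUITE {key} offered ({WEAK_CIPHERSUITES[key]})")
    return findings


def apply_step3(text):
    """Step 3 as a text edit: set SECURE_CTRLCONN and SECURE_DATACONN to
    PRIVATE in place, keeping the rest of the line and its comment."""
    fixed = []
    for raw in text.splitlines():
        code, semi, comment = raw.partition(";")
        tokens = code.split()
        if tokens and tokens[0].upper() in ("SECURE_CTRLCONN", "SECURE_DATACONN"):
            if len(tokens) > 1:
                start = code.index(tokens[1], code.index(tokens[0]) + len(tokens[0]))
                code = code[:start] + "PRIVATE" + code[start + len(tokens[1]):]
            else:                                  # value left blank: append one
                code = code.rstrip() + " PRIVATE "
        fixed.append(code + semi + comment)
    return "\n".join(fixed) + "\n"
```

Running `check_moveit_settings(parse_ftp_data(SAMPLE_BEFORE))` reports the two CLEAR connections, the implicit-mode flag and the NULL ciphersuite; after `apply_step3` only the latter two remain.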

Sample z/OS FTP Client Parms File

;***********************************************************************
;                                                                      *
;  Name of File:            SEZAINST(FTCDATA)                          *
;                                                                      *
;  Descriptive Name:        FTP.DATA (for FTP Client)                  *
;                                                                      *
;  SMP/E Distribution Name: EZAFTPAC                                   *
;                                                                      *
;  Copyright:   Licensed Materials - Property of IBM                   *
;                                                                      *
;               "Restricted Materials of IBM"                          *
;                                                                      *
;               5694-A01                                               *
;                                                                      *
;               (C) Copyright IBM Corp. 1977, 2002                     *
;                                                                      *
;               US Government Users Restricted Rights -                *
;               Use, duplication or disclosure restricted by           *
;               GSA ADP Schedule Contract with IBM Corp.               *
;                                                                      *
;  Status:      CSV1R4                                                 *
;                                                                      *
;                                                                      *
;  This FTP.DATA file is used to specify default file and disk         *
;  parameters used by the FTP client.                                  *
;                                                                      *
;  Note: For an example of an FTP.DATA file for the FTP server,        *
;  see the FTPSDATA example.                                           *
;                                                                      *
;  Syntax Rules for the FTP.DATA Configuration File:                   *
;                                                                      *
;  (a) All characters to the right of and including a ; will be        *
;      treated as a comment.                                           *
;                                                                      *
;  (b) Blanks and <end-of-line> are used to delimit tokens.            *
;                                                                      *
;  (c) The format for each statement is:                               *
;                                                                      *
;      parameter value                                                 *
;                                                                      *
;                                                                      *
;  The FTP.DATA options are grouped into the following groups in       *
;  this sample FTP client FTP.DATA configuration data set:             *
;                                                                      *
;  1. Basic configuration options (timers, conditional options, etc.)  *
;  2. Defaults for MVS data set creation                               *
;  3. Code page conversion options                                     *
;  4. DB2 (SQL) interface options                                      *
;  5. Security options                                                 *
;  6. Debug (trace) options                                            *
;                                                                      *
;  For options that have a pre-selected set of values, a (D) indicates *
;  the default value for the option.                                   *
;                                                                      *
;  Options that can be changed via LOCSITE subcommands are identified  *
;  with an (S).                                                        *
;                                                                      *
;***********************************************************************

; --------------------------------------------------------------------- 
;                                                                      
; 1. Basic FTP client configuration options - 
; Timeout values, conversion options, 
; and conditional processing options 
; 
; --------------------------------------------------------------------- 

ASATRANS         FALSE           ; (S) Conversion of ASA print 
                                     ; control characters 
                                     ; TRUE = Use C conversion 
                                     ; FALSE = Do not convert (D) 

AUTOMOUNT        TRUE            ; (S) Automatic mount of unmounted 
                                     ; DASD volumes 
                                     ; TRUE = Mount volumes (D) 
                                     ; FALSE = Do not mount volumes 

AUTORECALL       TRUE            ; (S) Automatic recall of 
                                     ; migrated data sets 
                                     ; TRUE = Recall them (D) 
                                     ; FALSE = Do not recall them 

AUTOTAPEMOUNT    TRUE                ; Automatic mount of unmounted 
                                     ; tape volumes 
                                     ; TRUE = Mount volumes (D) 
                                     ; FALSE = Do not mount volumes 
 
BUFNO            5               ; (S) Specify number of access 
                                     ; method buffers 
                                     ; Valid range is from 1 through 
                                     ; 35 - default value is 5 

CCONNTIME        30                  ; Timeout value for successful 
                                     ; close of control connection. 
                                     ; Default value is 30 seconds. 
                                     ; Valid range is 15 through 720. 
  
CHKPTINT         0               ; (S) Specify the checkpoint interval 
                                     ; in number of records. 
                                     ; NB: checkpointing only works
                                     ; with datatype EBCDIC and block 
                                     ; or compressed transfer mode. 
                                     ; 0 = no checkpoints (D) 

CONDDISP         CATLG           ; (S) Disposition of a new data set 
                                     ; when transfer ends prematurely 
                                     ; CATLG = Keep and catalog (D) 
                                     ; DELETE = Delete data set 

DATACTTIME       120                 ; Timeout for send/receive data 
                                     ; operations. 
                                     ; Default value is 120 seconds. 
                                     ; Valid range is 15 through 720. 

DCONNTIME        120                 ; Timeout value for successful 
                                     ; close of data connection. 
                                     ; Default value is 120 seconds. 
                                     ; Valid range is 15 through 720. 

DIRECTORYMODE    FALSE           ; (S) Specifies how to view the MVS 
                                     ; data set structure: 
                                     ; FALSE = All qualifiers below 
                                     ;    (D)  LCWD are treated as 
                                     ;         entries in the directory 
                                     ; TRUE  = Qualifiers immediately 
                                     ;         below the LCWD are 
                                     ;         treated as entries in the 
                                     ;         directory 

;EXTENSIONS      UTF8                ; Enable RFC 2640 support. 
                                     ; Default is disabled. 
                                     ; Control connection starts as 
                                     ; 7bit ASCII and switches to UTF-8 
                                     ; encoding when LANG command 
                                     ; processed successfully. CCTRANS 
                                     ; and CTRLCONN are ignored. 
EXTENSIONS       AUTH_TLS            ; Enable TLS (AUTH TLS) security 
                                     ; for this client. Default is 
                                     ; disabled. 

FILETYPE         SEQ             ; (S) Client mode of operation 
                                     ; SEQ = transfer data sets or 
                                     ;       files (D) 
                                     ; SQL = submit queries to DB2 

INACTTIME        300                 ; The time in seconds to wait for 
                                     ; an expected response from the 
                                     ; server. 
                                     ; Default value is 300 seconds. 
                                     ; Valid range is 15 through 720. 

ISPFSTATS        FALSE               ; TRUE = create/update PDS 
                                     ;        statistics 
                                     ; FALSE =does not create/update 
                                     ; PDS statistics 

MIGRATEVOL       MIGRAT          ; (S) Migration volume VOLSER to 
                                     ; identify migrated data sets 
                                     ; under control of non-HSM 
                                     ; storage management products. 
                                     ; Default value is MIGRAT. 

MYOPENTIME       60                  ; Connection timeout value in 
                                     ; seconds. 
                                     ; Default value is 60 seconds. 
                                     ; Valid range is 15 through 720.

QUOTESOVERRIDE   TRUE            ; (S) How to treat quotes at the 
                                     ; beginning or surrounding file 
                                     ; names. 
                                     ; TRUE = Override current working 
                                     ;        directory (D) 
                                     ; FALSE = Treat quotes as part of 
                                     ; file name 

RDW              FALSE           ; (S) Specify whether Record 
                                     ; Descriptor Words (RDWs) are 
                                     ; discarded or retained. 
                                     ; TRUE = Retain RDWs and transfer 
                                     ;        as part of data 
                                     ; FALSE = Discard RDWs when 
                                     ;         transferring data (D)
;SOCKSCONFIGFILE /etc/socks.conf     ; file path for SOCKS configuration 
                                     ; file. The SOCKS configuration 
                                     ; file specifies which FTP servers 
                                     ; should be accessed via SOCKS
 
TRAILINGBLANKS   FALSE           ; (S) How to handle trailing blanks 
                                     ; in fixed format data sets during 
                                     ; text transfers. 
                                     ; TRUE = Retain trailing blanks 
                                     ;        (include in transfer) 
                                     ; FALSE = Strip off trailing 
                                     ;         blanks (D) 
 
UMASK            027             ; (S) Octal UMASK to restrict setting 
                                     ; of permission bits when creating 
                                     ; new HFS files 
                                     ; Default value is 027. 

WRAPRECORD       FALSE           ; (S) Specify what to do if no new-line 
                                     ; is encountered before reaching 
                                     ; the MVS data set record length 
                                     ; limit as defined by LRECL when 
                                     ; transferring data to MVS. 
                                     ; TRUE = Wrap data to new record 
                                     ; FALSE = Truncate data (D) 

; --------------------------------------------------------------------- 
; 2. Default MVS data set creation attributes 
; 
; --------------------------------------------------------------------- 

 BLKSIZE      6233               ; (S) New data set allocation block size
 
;DATACLASS    SMSDATA            ; (S) SMS data class name 
                                    ; There is no default 

;MGMTCLASS    SMSMGNT            ; (S) SMS mgmtclass name 
                                     ; There is no default 

;STORCLASS    SMSSTOR            ; (S) SMS storclass name 
                                     ; There is no default 

;DCBDSN       MODEL.DCB          ; (S) New data set allocation 
                                     ; model DCB name - must be a 
                                     ; fully qualified data set name 
                                     ; There is no default 

 DIRECTORY    27                 ; (S) Number of directory blocks in 
                                     ; new PDS/PDSE data sets. 
                                     ; Default value is 27. 
                                     ; Range is from 1 to 16777215. 

 LRECL        256                 ; (S) New data set allocation LRECL. 
                                     ; Default value is 256. 
                                     ; Valid range 0 through 32760. 

 PRIMARY      1                  ; (S) New data set allocation 
                                     ; primary space units according 
                                     ; to the value of SPACETYPE. 
                                     ; Default value is 1. 
                                     ; Valid range 1 through 16777215. 

 RECFM        VB                 ; (S) New data set allocation 
                                     ; record format. 
                                     ; Default value is VB. 
                                     ; Value may be specified as certain 
                                     ; combinations of: 
                                     ; A - ASA print control 
                                     ; B - Blocked 
                                     ; F - Fixed length records 
                                     ; M - Machine print control 
                                     ; S - Spanned (V) or Standard (F) 
                                     ; U - Undefined record length 
                                     ; V - Variable length records 

 RETPD                           ; (S) New data set retention 
                                     ; period in days. 
                                     ; Blank = no retention period (D) 
                                     ; 0 = expire today 
                                     ; Valid range 0 through 9999. 
                                     ; NB: Note the difference between 
                                     ;     a blank value and a value 
                                     ;     of zero. 

 SECONDARY     1                 ; (S) New data set allocation 
                                     ; secondary space units according 
                                     ; to the value of SPACETYPE. 
                                     ; Default value is 1. 
                                     ; Valid range 1 through 16777215. 

 SPACETYPE     TRACK             ; (S) New data set allocation 
                                     ; space type. 
                                     ; TRACK (D) 
                                     ; BLOCK 
                                     ; CYLINDER 

 UCOUNT                          ; (S) Sets the unit count for an 
                                     ; allocation. 
                                     ; If this option is not specified 
                                     ; or is specified with a value of 
                                     ; blank, the unit count attribute 
                                     ; is not used on an allocation (D) 
                                     ; Valid range is 1 through 59 or 
                                     ; the character P for parallel 
                                     ; mount requests 

;UNITNAME      SYSDA             ; (S) New data set allocation unit 
                                     ; name. 
                                     ; There is no default. 

VCOUNT         59                ; (S) Volume count for an 
                                     ; allocation. 
                                     ; Valid range is 1 through 255. 
                                     ; Default value is 59. 

;VOLUME        WRKLB1,WRKLB2     ; (S) Volume serial number(s) to 
                                     ; use for allocating a data set. 
                                     ; Specify either a single VOLSER 
                                     ; or a list of VOLSERs 
                                     ; separated with commas 

; --------------------------------------------------------------------- 
; 
; 3. Text code page conversion options 
; 
; --------------------------------------------------------------------- 
;CCTRANS       dsn_qual             ; Control connection translate 
                                    ; table data set qualifier. 
                                    ; Used to search for 
                                    ;   a) userid.dsn_qual.TCPXLBIN 
                                    ;   b) hlq.dsn_qual.TCPXLBIN 
                                    ; If CTRLCONN is specified, that 
                                    ; value overrides CCTRANS. 

;CTRLCONN      7BIT             ; (S) ASCII code page for 
                                    ; control connection. 
                                    ; 7BIT is the default if CTRLCONN 
                                    ; is not specified AND no TCPXLBIN 
                                    ; translation table data set found. 
                                    ; Can be specified as any iconv 
                                    ; supported ASCII code page, such 
                                    ; as IBM-850 

;ENCODING      SBCS             ; (S) Specifies whether multi-byte or  
                                    ; single-byte data conversion is 
                                    ; to be performed on ASCII data 
                                    ; transfers. 
                                    ; MBCS = Use multi-byte 
                                    ; SBCS = Use single-byte   (D) 
                                    ; 

;MBDATACONN (IBM-1388,IBM-5488) ; (S) Specifies the conversion table 
                                    ; names for the data connection 
                                    ; when ENCODING has a value of 
                                    ; MBCS. The names are the file 
                                    ; system code page name and the 
                                    ; network transfer code page name. 

;SBDATACONN (IBM-1047,IBM-850)  ; (S) file system/network transfer 
                                    ; code pages for data connection. 
                                    ; Either a fully-qualified MVS 
                                    ; data set name or HFS file name 
                                    ; built with the CONVXLAT utility - 
                                    ;     HLQ.MY.TRANS.DATASET 
                                    ;     /u/user1/my.trans.file 
                                    ; Or a file system code page name 
                                    ; followed by a network transfer 
                                    ; code page name according to 
                                    ; iconv supported code pages - 
                                    ; for example 
                                    ;     (IBM-1047,IBM-850) 
                                    ; If the SYSFTSX DD-name is present 
                                    ; it will override SBDATACONN. 
                                    ; If neither SYSFTSX nor 
                                    ; SBDATACONN are present, std. 
                                    ; search order for a default 
                                    ; translation table data set will 
                                    ; be used. 

;SBSUB        FALSE                 ; Specifies whether untranslatable 
                                    ; data bytes should be replaced 
                                    ; with SBSUBCHAR when detected 
                                    ; during SBCS data transfer. 
                                    ; TRUE = Replace each 
                                    ;  untranslatable byte with 
                                    ;  SBSUBCHAR. 
                                    ; FALSE = Terminate transfer (D) 
                                    ;  when untranslatable bytes are 
                                    ;  detected 

;SBSUBCHAR    nn                    ; Specifies the substitution char 
                                    ; for SBCS data transfer when 
                                    ; SBSUB is TRUE. 
                                    ; nn    = hexadecimal value from 
                                    ;         0x'00' to 0x'FF'. 
                                    ; SPACE = x'40' when target code 
                                    ;         set is EBCDIC, and 
                                    ;         x'20' when target code 
                                    ;         set is ASCII. (D) 

;SBTRANS      dsn_qual              ; Data connection translate 
                                    ; table data set qualifier. 
                                    ; Used to search for 
                                    ;   a) userid.dsn_qual.TCPXLBIN 
                                    ;   b) hlq.dsn_qual.TCPXLBIN 
                                    ; If SBDATACONN is specified, that 
                                    ; value overrides SBTRANS 

;UCSHOSTCS    code_set          ; (S) Specify the EBCDIC code set 
                                    ; to be used for data conversion 
                                    ; to or from Unicode. 
                                    ; If UCSHOSTCS is not specified, 
                                    ; the current EBCDIC code page 
                                    ; for the data connection is used.

UCSSUB        FALSE             ; (S) Specify whether Unicode-to-EBCDIC 
                                    ; conversion should use the EBCDIC 
                                    ; substitution character or 
                                    ; cause the data transfer to be 
                                    ; terminated if a Unicode 
                                    ; character cannot be converted to 
                                    ; a character in the target 
                                    ; EBCDIC code set 
                                    ; TRUE = Use substitution char 
                                    ; FALSE = Terminate transfer (D) 

UCSTRUNC      FALSE             ; (S) Specify whether the transfer 
                                    ; of Unicode data should be 
                                    ; aborted if truncation 
                                    ; occurs at the MVS host 
                                    ; TRUE = Truncation allowed 
                                    ; FALSE = Terminate transfer (D) 

; --------------------------------------------------------------------- 
; 
; 4. DB2 (SQL) interface options 
; 
; --------------------------------------------------------------------- 

DB2           DB2               ; (S) DB2 subsystem name 
                                    ; The default name is DB2 

DB2PLAN       EZAFTPMQ              ; DB2 plan name for FTP client 
                                    ; The default name is EZAFTPMQ 

SPREAD        FALSE             ; (S) SQL spreadsheet output format 
                                    ; TRUE = Spreadsheet format 
                                    ; FALSE = Not spreadsheet 
                                    ;         format (D) 

SQLCOL        NAMES             ; (S) SQL output headings 
                                    ; NAMES = Use column names (D) 
                                    ; LABELS = Use column labels 
                                    ; ANY = Use label if defined, 
                                    ;       else use name 

; --------------------------------------------------------------------- 
; 
; 5. Security options 
; 
; ---------------------------------------------------------------------

SECURE_MECHANISM   TLS              ; Name of the security mechanism 
                                    ; that the client uses when it 
                                    ; sends an AUTH command to the 
                                    ; server. 
                                    ; GSSAPI = Kerberos support 
                                    ; TLS = TLS 

SECURE_FTP         ALLOWED          ; Authentication indicator 
                                     ; ALLOWED        (D) 
                                     ; REQUIRED 
SECURE_LOGIN       REQUIRED          

SECURE_CTRLCONN    PRIVATE           ; Minimum level of security for 
                                     ; the control connection 
                                     ; CLEAR          (D) 
                                     ; SAFE 
                                     ; PRIVATE 

SECURE_DATACONN    PRIVATE           ; Minimum level of security for 
                                     ; the data connection 
                                     ; NEVER 
                                     ; CLEAR          (D) 
                                     ; SAFE 
                                     ; PRIVATE 

;SECURE_PBSZ       16384             ; Kerberos maximum size of the 
                                     ; encoded data blocks 
                                     ; Default value is 16384 
                                     ; Valid range is 512 through 32768 

; Name of a ciphersuite that can be passed to the partner during 
; the TLS handshake. None, some, or all of the following may be 
; specified. The number to the far right is the cipherspec id 
; that corresponds to the ciphersuite's name. 
CIPHERSUITE        SSL_NULL_MD5      ; 01 
CIPHERSUITE        SSL_NULL_SHA      ; 02 
CIPHERSUITE        SSL_RC4_MD5_EX    ; 03 
CIPHERSUITE        SSL_RC4_MD5       ; 04 
CIPHERSUITE        SSL_RC4_SHA       ; 05 
CIPHERSUITE        SSL_RC2_MD5_EX    ; 06 
CIPHERSUITE        SSL_DES_SHA       ; 09 
CIPHERSUITE        SSL_3DES_SHA      ; 0A 

KEYRING            /SSLselfsigned/key.kdb 
                                      ; It can be the name of an HFS 
                                      ; file (name starts with /) or 
                                      ; a resource name in the security 
                                      ; product (e.g., RACF) 

;TLSTIMEOUT         100               ; Maximum time limit between full 
                                      ; TLS handshakes to protect data 
                                      ; connections 
                                      ; Default value is 100 seconds. 
                                      ; Valid range is 0 through 86400 

; --------------------------------------------------------------------- 
; 
; 6. Debug (trace) options 
; 
; --------------------------------------------------------------------- 

;DEBUG             TIME    ;    time stamp client trace entries 
;DEBUG             ALL     ;    activate all traces 
;DEBUG             BAS     ;    active basic traces (marked with *) 
;DEBUG             FLO     ;    function flow 
;DEBUG             CMD     ; *  command trace 
;DEBUG             PAR     ;    parser details 
;DEBUG             INT     ; *  program initialization and termination
;DEBUG             ACC     ;    access control (logging in) 
;DEBUG             SEC     ;    security processing 
;DEBUG             UTL     ;    utility functions 
;DEBUG             FSC(1)  ; *  file services 
;DEBUG             SOC(1)  ; *  socket services 
;DEBUG             SQL     ;    special SQL processing