This guide describes the overall process to use the Secure Sockets z/OS FTP client to securely connect to a MOVEit DMZ FTP Server.
Step 1 - Check for firewall issues using MOVEit Freely. Download and install MOVEit Freely from the MOVEit Freely website. Try connecting to a MOVEit DMZ host using this client. If you can connect successfully, then there should not be any firewall issues.
*There is a known problem with FTP over SSL and Checkpoint firewalls. For more information, please see Checkpoint support article sk9930.
Step 2 - Install digital certificates on the mainframe. There are two methods for installing digital certificates into z/OS. The first uses RACF: you can use the RACDCERT command, and a useful guide is http://publibz.boulder.ibm.com/epubs/pdf/ichza441.pdf.
A second way to work with certificates (and usually a more fruitful one) is the shell-based utility gskkyman. A useful guide can be found in Chapter 10 of Secure Sockets Programming: http://publibfp.boulder.ibm.com/epubs/pdf/gska1a21.pdf
Step 3 - Change settings in the FTP client parms file (FTP.DATA). You can find an example of the parm file below.
Step 4 - Use explicit mode (TCP port 21) and passive mode to connect and transfer. These should be the default settings when using the z/OS FTP client.
Step 5 - To get file transfers to work, you have to request passive mode transfers in the z/OS client. Add the following command before any transfers: "LOCSITE FWF" (FWF stands for "FireWallFriendly").
In more recent versions, it would appear that two new options, TLSPORT and SECUREIMPLICITZOS, have been added to allow z/OS mainframes to perform implicit FTP over SSL transfers. Despite appearances to the contrary, the SECUREIMPLICITZOS parameter MUST be set to FALSE when connecting to a MOVEit DMZ FTP server. (It should only be set to TRUE if the remote FTP server is another z/OS.)
TLSPORT 990
SECUREIMPLICITZOS FALSE
;***********************************************************************
; *
; Name of File: SEZAINST(FTCDATA) *
; *
; Descriptive Name: FTP.DATA (for FTP Client) *
; *
; SMP/E Distribution Name: EZAFTPAC *
; *
; Copyright: Licensed Materials - Property of IBM *
; *
; "Restricted Materials of IBM" *
; *
; 5694-A01 *
; *
; (C) Copyright IBM Corp. 1977, 2002 *
; *
; US Government Users Restricted Rights - *
; Use, duplication or disclosure restricted by *
; GSA ADP Schedule Contract with IBM Corp. *
; *
; Status: CSV1R4 *
; *
; *
; This FTP.DATA file is used to specify default file and disk *
; parameters used by the FTP client. *
; *
; Note: For an example of an FTP.DATA file for the FTP server, *
; see the FTPSDATA example. *
; *
; Syntax Rules for the FTP.DATA Configuration File: *
; *
; (a) All characters to the right of and including a ; will be *
; treated as a comment. *
; *
; (b) Blanks and <end-of-line> are used to delimit tokens. *
; *
; (c) The format for each statement is: *
; *
; parameter value *
; *
; *
; The FTP.DATA options are grouped into the following groups in *
; this sample FTP client FTP.DATA configuration data set: *
; *
; 1. Basic configuration options (timers, conditional options, etc.) *
; 2. Defaults for MVS data set creation *
; 3. Code page conversion options *
; 4. DB2 (SQL) interface options *
; 5. Security options *
; 6. Debug (trace) options *
; *
; For options that have a pre-selected set of values, a (D) indicates *
; the default value for the option. *
; *
; Options that can be changed via LOCSITE subcommands are identified *
; with an (S). *
; *
;***********************************************************************
; ---------------------------------------------------------------------
;
; 1. Basic FTP client configuration options -
; Timeout values, conversion options,
; and conditional processing options
;
; ---------------------------------------------------------------------
ASATRANS FALSE ; (S) Conversion of ASA print
; control characters
; TRUE = Use C conversion
; FALSE = Do not convert (D)
AUTOMOUNT TRUE ; (S) Automatic mount of unmounted
; DASD volumes
; TRUE = Mount volumes (D)
; FALSE = Do not mount volumes
AUTORECALL TRUE ; (S) Automatic recall of
; migrated data sets
; TRUE = Recall them (D)
; FALSE = Do not recall them
AUTOTAPEMOUNT TRUE ; Automatic mount of unmounted
; tape volumes
; TRUE = Mount volumes (D)
; FALSE = Do not mount volumes
BUFNO 5 ; (S) Specify number of access
; method buffers
; Valid range is from 1 through
; 35 - default value is 5
CCONNTIME 30 ; Timeout value for successful
; close of control connection.
; Default value is 30 seconds.
; Valid range is 15 through 720.
CHKPTINT 0 ; (S) Specify the checkpoint interval
; in number of records.
; NB: checkpointing only works
; with datatype EBCDIC and block
; or compressed transfer mode.
; 0 = no checkpoints (D)
CONDDISP CATLG ; (S) Disposition of a new data set
; when transfer ends prematurely
; CATLG = Keep and catalog (D)
; DELETE = Delete data set
DATACTTIME 120 ; Timeout for send/receive data
; operations.
; Default value is 120 seconds.
; Valid range is 15 through 720.
DCONNTIME 120 ; Timeout value for successful
; close of data connection.
; Default value is 120 seconds.
; Valid range is 15 through 720.
DIRECTORYMODE FALSE ; (S) Specifies how to view the MVS
; data set structure:
; FALSE = All qualifiers below
; (D) LCWD are treated as
; entries in the directory
; TRUE = Qualifiers immediately
; below the LCWD are
; treated as entries in the
; directory
;EXTENSIONS UTF8 ; Enable RFC 2640 support.
; Default is disabled.
; Control connection starts as
; 7bit ASCII and switches to UTF-8
; encoding when LANG command
; processed successfully. CCTRANS
; and CTRLCONN are ignored.
EXTENSIONS AUTH_TLS ; Enable TLS (AUTH TLS) on the
; control connection - needed for
; FTP over SSL/TLS to MOVEit DMZ
FILETYPE SEQ ; (S) Client mode of operation
; SEQ = transfer data sets or
; files (D)
; SQL = submit queries to DB2
INACTTIME 300 ; The time in seconds to wait for
; an expected response from the
; server.
; Default value is 300 seconds.
; Valid range is 15 through 720.
ISPFSTATS FALSE ; TRUE = create/update PDS
; statistics
; FALSE =does not create/update
; PDS statistics
MIGRATEVOL MIGRAT ; (S) Migration volume VOLSER to
; identify migrated data sets
; under control of non-HSM
; storage management products.
; Default value is MIGRAT.
MYOPENTIME 60 ; Connection timeout value in
; seconds.
; Default value is 60 seconds.
; Valid range is 15 through 720.
QUOTESOVERRIDE TRUE ; (S) How to treat quotes at the
; beginning or surrounding file
; names.
; TRUE = Override current working
; directory (D)
; FALSE = Treat quotes as part of
; file name
RDW FALSE ; (S) Specify whether Record
; Descriptor Words (RDWs) are
; discarded or retained.
; TRUE = Retain RDWs and transfer
; as part of data
; FALSE = Discard RDWs when
; transferring data (D)
;SOCKSCONFIGFILE /etc/socks.conf ; file path for SOCKS configuration
; file. The SOCKS configuration
; file specifies which FTP servers
; should be accessed via SOCKS
TRAILINGBLANKS FALSE ; (S) How to handle trailing blanks
; in fixed format data sets during
; text transfers.
; TRUE = Retain trailing blanks
; (include in transfer)
; FALSE = Strip off trailing
; blanks (D)
UMASK 027 ; (S) Octal UMASK to restrict setting
; of permission bits when creating
; new HFS files
; Default value is 027.
WRAPRECORD FALSE ; (S) Specify what to do if no new-line
; is encountered before reaching
; the MVS data set record length
; limit as defined by LRECL when
; transferring data to MVS.
; TRUE = Wrap data to new record
; FALSE = Truncate data (D)
; ---------------------------------------------------------------------
;
; 2. Default MVS data set creation attributes
;
; ---------------------------------------------------------------------
BLKSIZE 6233 ; (S) New data set allocation block size
;DATACLASS SMSDATA ; (S) SMS data class name
; There is no default
;MGMTCLASS SMSMGNT ; (S) SMS mgmtclass name
; There is no default
;STORCLASS SMSSTOR ; (S) SMS storclass name
; There is no default
;DCBDSN MODEL.DCB ; (S) New data set allocation
; model DCB name - must be a
; fully qualified data set name
; There is no default
DIRECTORY 27 ; (S) Number of directory blocks in
; new PDS/PDSE data sets.
; Default value is 27.
; Range is from 1 to 16777215.
LRECL 256 ; (S) New data set allocation LRECL.
; Default value is 256.
; Valid range 0 through 32760.
PRIMARY 1 ; (S) New data set allocation
; primary space units according
; to the value of SPACETYPE.
; Default value is 1.
; Valid range 1 through 16777215.
RECFM VB ; (S) New data set allocation
; record format.
; Default value is VB.
; Value may be specified as certain
; combinations of:
; A - ASA print control
; B - Blocked
; F - Fixed length records
; M - Machine print control
; S - Spanned (V) or Standard (F)
; U - Undefined record length
; V - Variable length records
RETPD ; (S) New data set retention
; period in days.
; Blank = no retention period (D)
; 0 = expire today
; Valid range 0 through 9999.
; NB: Note the difference between
; a blank value and a value
; of zero.
SECONDARY 1 ; (S) New data set allocation
; secondary space units according
; to the value of SPACETYPE.
; Default value is 1.
; Valid range 1 through 16777215.
SPACETYPE TRACK ; (S) New data set allocation
; space type.
; TRACK (D)
; BLOCK
; CYLINDER
UCOUNT ; (S) Sets the unit count for an
; allocation.
; If this option is not specified
; or is specified with a value of
; blank, the unit count attribute
; is not used on an allocation (D)
; Valid range is 1 through 59 or
; the character P for parallel
; mount requests
;UNITNAME SYSDA ; (S) New data set allocation unit
; name.
; There is no default.
VCOUNT 59 ; (S) Volume count for an
; allocation.
; Valid range is 1 through 255.
; Default value is 59.
;VOLUME WRKLB1,WRKLB2 ; (S) Volume serial number(s) to
; use for allocating a data set.
; Specify either a single VOLSER
; or a list of VOLSERs
; separated with commas
; ---------------------------------------------------------------------
;
; 3. Text code page conversion options
;
; ---------------------------------------------------------------------
;CCTRANS dsn_qual ; Control connection translate
; table data set qualifier.
; Used to search for
; a) userid.dsn_qual.TCPXLBIN
; b) hlq.dsn_qual.TCPXLBIN
; If CTRLCONN is specified, that
; value overrides CCTRANS.
;CTRLCONN 7BIT ; (S) ASCII code page for
; control connection.
; 7BIT is the default if CTRLCONN
; is not specified AND no TCPXLBIN
; translation table data set found.
; Can be specified as any iconv
; supported ASCII code page, such
; as IBM-850
;ENCODING SBCS ; (S) Specifies whether multi-byte or
; single-byte data conversion is
; to be performed on ASCII data
; transfers.
; MBCS = Use multi-byte
; SBCS = Use single-byte (D)
;
;MBDATACONN (IBM-1388,IBM-5488) ; (S) Specifies the conversion table
; names for the data connection
; when ENCODING has a value of
; MBCS. The names are the file
; system code page name and the
; network transfer code page name.
;SBDATACONN (IBM-1047,IBM-850) ; (S) file system/network transfer
; code pages for data connection.
; Either a fully-qualified MVS
; data set name or HFS file name
; built with the CONVXLAT utility -
; HLQ.MY.TRANS.DATASET
; /u/user1/my.trans.file
; Or a file system code page name
; followed by a network transfer
; code page name according to
; iconv supported code pages -
; for example
; (IBM-1047,IBM-850)
; If the SYSFTSX DD-name is present
; it will override SBDATACONN.
; If neither SYSFTSX nor
; SBDATACONN are present, std.
; search order for a default
; translation table data set will
; be used.
;SBSUB FALSE ; Specifies whether untranslatable
; data bytes should be replaced
; with SBSUBCHAR when detected
; during SBCS data transfer.
; TRUE = Replace each
; untranslatable byte with
; SBSUBCHAR.
; FALSE = Terminate transfer (D)
; when untranslatable bytes are
; detected
;SBSUBCHAR nn ; Specifies the substitution char
; for SBCS data transfer when
; SBSUB is TRUE.
; nn = hexadecimal value from
; 0x'00' to 0x'FF'.
; SPACE = x'40' when target code
; set is EBCDIC, and
; x'20' when target code
; set is ASCII. (D)
;SBTRANS dsn_qual ; Data connection translate
; table data set qualifier.
; Used to search for
; a) userid.dsn_qual.TCPXLBIN
; b) hlq.dsn_qual.TCPXLBIN
; If SBDATACONN is specified, that
; value overrides SBTRANS
;UCSHOSTCS code_set ; (S) Specify the EBCDIC code set
; to be used for data conversion
; to or from Unicode.
; If UCSHOSTCS is not specified,
; the current EBCDIC code page
; for the data connection is used.
UCSSUB FALSE ; (S) Specify whether Unicode-to-EBCDIC
; conversion should use the EBCDIC
; substitution character or
; cause the data transfer to be
; terminated if a Unicode
; character cannot be converted to
; a character in the target
; EBCDIC code set
; TRUE = Use substitution char
; FALSE = Terminate transfer (D)
UCSTRUNC FALSE ; (S) Specify whether the transfer
; of Unicode data should be
; aborted if truncation
; occurs at the MVS host
; TRUE = Truncation allowed
; FALSE = Terminate transfer (D)
; ---------------------------------------------------------------------
;
; 4. DB2 (SQL) interface options
;
; ---------------------------------------------------------------------
DB2 DB2 ; (S) DB2 subsystem name
; The default name is DB2
DB2PLAN EZAFTPMQ ; DB2 plan name for FTP client
; The default name is EZAFTPMQ
SPREAD FALSE ; (S) SQL spreadsheet output format
; TRUE = Spreadsheet format
; FALSE = Not spreadsheet
; format (D)
SQLCOL NAMES ; (S) SQL output headings
; NAMES = Use column names (D)
; LABELS = Use column labels
; ANY = Use label if defined,
; else use name
; ---------------------------------------------------------------------
;
; 5. Security options
;
; ---------------------------------------------------------------------
SECURE_MECHANISM TLS ; Name of the security mechanism
; that the client uses when it
; sends an AUTH command to the
; server.
; GSSAPI = Kerberos support
; TLS = TLS
SECURE_FTP ALLOWED ; Authentication indicator
; ALLOWED (D)
; REQUIRED
SECURE_LOGIN REQUIRED
SECURE_CTRLCONN PRIVATE ; Minimum level of security for
; the control connection
; CLEAR (D)
; SAFE
; PRIVATE
SECURE_DATACONN PRIVATE ; Minimum level of security for
; the data connection
; NEVER
; CLEAR (D)
; SAFE
; PRIVATE
;SECURE_PBSZ 16384 ; Kerberos maximum size of the
; encoded data blocks
; Default value is 16384
; Valid range is 512 through 32768
; Name of a ciphersuite that can be passed to the partner during
; the TLS handshake. None, some, or all of the following may be
; specified. The number to the far right is the cipherspec id
; that corresponds to the ciphersuite's name.
CIPHERSUITE SSL_NULL_MD5 ; 01
CIPHERSUITE SSL_NULL_SHA ; 02
CIPHERSUITE SSL_RC4_MD5_EX ; 03
CIPHERSUITE SSL_RC4_MD5 ; 04
CIPHERSUITE SSL_RC4_SHA ; 05
CIPHERSUITE SSL_RC2_MD5_EX ; 06
CIPHERSUITE SSL_DES_SHA ; 09
CIPHERSUITE SSL_3DES_SHA ; 0A
KEYRING /SSLselfsigned/key.kdb
; It can be the name of an HFS
; file (name starts with /) or
; a resource name in the security
; product (e.g., RACF)
;TLSTIMEOUT 100 ; Maximum time limit between full
; TLS handshakes to protect data
; connections
; Default value is 100 seconds.
; Valid range is 0 through 86400
; ---------------------------------------------------------------------
;
; 6. Debug (trace) options
;
; ---------------------------------------------------------------------
;DEBUG TIME ; time stamp client trace entries
;DEBUG ALL ; activate all traces
;DEBUG BAS ; activate basic traces (marked with *)
;DEBUG FLO ; function flow
;DEBUG CMD ; * command trace
;DEBUG PAR ; parser details
;DEBUG INT ; * program initialization and termination
;DEBUG ACC ; access control (logging in)
;DEBUG SEC ; security processing
;DEBUG UTL ; utility functions
;DEBUG FSC(1) ; * file services
;DEBUG SOC(1) ; * socket services
;DEBUG SQL ; special SQL processing
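The sample file's header states the FTP.DATA syntax rules (a ";" starts a comment, blanks delimit tokens, each statement is "parameter value"), and Steps 3 and 5 above name the settings that matter for an explicit FTP-over-TLS session to MOVEit DMZ (SECUREIMPLICITZOS FALSE, TLS as the mechanism, AUTH TLS enabled, private control and data connections, a KEYRING). The following Python script is an added example, not part of this article or of IBM's sample file: it parses a constructed FTP.DATA excerpt with those rules and reports any statement that departs from what this guide calls for. The function and constant names are this example's own, and the check on SSL_NULL_* ciphersuites reflects only that those suites negotiate integrity without encryption.

```python
"""Parse a z/OS FTP.DATA client configuration and check the settings this
guide relies on for FTP over TLS to MOVEit DMZ.

Added example, not part of the original article or of IBM's sample file.
Parsing follows the syntax rules in the sample's header; the expected
values are the ones the guide calls for; the excerpt below is constructed.
"""
from __future__ import annotations

from typing import Dict, List

# Constructed FTP.DATA excerpt (values taken from the guide above).
SAMPLE_FTP_DATA = """\
;***********************************************************************
; Constructed FTP.DATA excerpt for this example
;***********************************************************************
TLSPORT 990
SECUREIMPLICITZOS FALSE     ; TRUE only when the remote end is z/OS
;EXTENSIONS UTF8            ; commented out: must not be picked up
EXTENSIONS AUTH_TLS         ; enable AUTH TLS on the control connection
SECURE_MECHANISM TLS        ; TLS = TLS, GSSAPI = Kerberos
SECURE_FTP ALLOWED          ; Authentication indicator
SECURE_CTRLCONN PRIVATE     ; Minimum level for the control connection
SECURE_DATACONN PRIVATE     ; Minimum level for the data connection
CIPHERSUITE SSL_NULL_MD5    ; 01
CIPHERSUITE SSL_3DES_SHA    ; 0A
KEYRING /SSLselfsigned/key.kdb
RETPD                       ; blank value = no retention period
"""

# Values the guide requires; SECURE_FTP is left as the guide sets it.
EXPECTED = {
    "SECUREIMPLICITZOS": "FALSE",
    "SECURE_MECHANISM": "TLS",
    "EXTENSIONS": "AUTH_TLS",
    "SECURE_CTRLCONN": "PRIVATE",
    "SECURE_DATACONN": "PRIVATE",
}


def parse_ftp_data(text: str) -> Dict[str, List[str]]:
    """Return {PARAMETER: [value, ...]}, keeping repeats such as CIPHERSUITE.

    A statement with no value (RETPD above) is recorded as an empty string,
    which the sample file documents as distinct from a value of zero.
    Values keep their case because HFS paths (KEYRING) are case-sensitive.
    """
    params: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        code = raw.split(";", 1)[0]   # rule (a): ';' to end of line is a comment
        tokens = code.split()         # rule (b): blanks delimit tokens
        if not tokens:
            continue                  # blank or comment-only line
        name = tokens[0].upper()      # rule (c): parameter value
        value = tokens[1] if len(tokens) > 1 else ""
        params.setdefault(name, []).append(value)
    return params


def check_moveit_settings(params: Dict[str, List[str]]) -> List[str]:
    """Return one finding per setting that departs from the guide."""
    findings: List[str] = []
    for name, want in EXPECTED.items():
        got = params.get(name, [])
        if not any(v.upper() == want for v in got):
            found = ", ".join(v or "<blank>" for v in got) or "nothing"
            findings.append(f"{name} should be {want} (found {found})")
    # KEYRING names the HFS key database (leading /) or a SAF keyring.
    keyring = params.get("KEYRING", [])
    if not keyring or not keyring[0]:
        findings.append("KEYRING is not set; the client has no certificate store")
    # SSL_NULL_* suites authenticate and integrity-protect but do not encrypt.
    for cs in params.get("CIPHERSUITE", []):
        if "_NULL_" in cs.upper():
            findings.append(f"CIPHERSUITE {cs} provides no confidentiality")
    return findings


def check_text(text: str) -> List[str]:
    """Parse raw FTP.DATA text and return the findings."""
    return check_moveit_settings(parse_ftp_data(text))


if __name__ == "__main__":
    for line in check_text(SAMPLE_FTP_DATA) or ["no findings"]:
        print(line)
```

Run against a real FTP.DATA member by reading its text into check_text; a commented-out statement such as ";EXTENSIONS UTF8" is ignored exactly as the z/OS client ignores it, so the parser will not be fooled by a setting that is present in the member but disabled.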