How to set up FTPS for clients sharing a keyring in ACF2

Article ID: 12441

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

How can FTPS be set up for clients sharing a keyring in ACF2?

Environment

Release:
Component: ACF2MS

Resolution

In this example a company wants to allow its employees to make FTP requests from z/OS to three FTP servers out on the Internet. The CA certificates for the three FTP servers were already obtained and reside in the following three data sets: 'FTPD.CACERT1', 'FTPD.CACERT2', and 'FTPD.CACERT3'.

Sample Keyring

KEYRING / SHAREID.RING LAST CHANGED BY USER002 ON 10/24/16-11:54  
                  DEFAULT() RINGNAME(RING01)

The following certificates are connected to this key ring:          

CERTDATA record    Label                                     Usage          
FTPD.CACERT1        CA for FTP Server 1               CERTAUTH      
FTPD.CACERT2        CA for FTP Server 2               CERTAUTH      
FTPD.CACERT3        CA for FTP Server 3               CERTAUTH

Authorize access to the shared key ring for the ring owner (SHAREID) and for the z/OS users (USER001 and USER002) who need to communicate with the external FTP servers. Do this by administering a profile in either the FACILITY class or the RDATALIB class.

Using the FACILITY class:

SET RESOURCE(FAC)
RECKEY IRR ADD( DIGTCERT.LISTRING UID(***USER001) SERVICE(UPDATE) ALLOW)
RECKEY IRR ADD( DIGTCERT.LISTRING UID(***USER002) SERVICE(UPDATE) ALLOW)

Using the RDATALIB class:

SET RESOURCE(RDA)
RECKEY SHAREID ADD( RING01.LST UID(***USER001) SERVICE(READ) ALLOW)
RECKEY SHAREID ADD( RING01.LST UID(***USER002) SERVICE(READ) ALLOW)

Configure the FTP client to use the shared key ring by specifying the ring's fully qualified name on the KEYRING directive. The syntax is KEYRING ringowner/ringname:

KEYRING SHAREID/RING01
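
The following check is an added example, not part of the original article or of ACF2. It ties the KEYRING directive to the RDATALIB rules shown above: it derives the resource name ringowner.ringname.LST from the directive, rejects a ring name that is not in ringowner/ringname form, and reports users who have no READ rule for that ring. The function names, the sample inputs, the `;` comment handling and the way UID masks are matched to logonids are assumptions made for the example.

```python
import re

# Constructed inputs modelled on the article's own statements.
FTP_DATA = "; client FTP.DATA (constructed sample)\nKEYRING SHAREID/RING01\n"
RULES = """\
SET RESOURCE(RDA)
RECKEY SHAREID ADD( RING01.LST UID(***USER001) SERVICE(READ) ALLOW)
RECKEY SHAREID ADD( RING01.LST UID(***USER002) SERVICE(READ) ALLOW)
"""

RULE_RE = re.compile(
    r"RECKEY\s+(\S+)\s+ADD\(\s*(\S+)\s+UID\(([^)]*)\)\s+"
    r"SERVICE\(([^)]*)\)\s+(ALLOW|PREVENT)\s*\)", re.I)

def keyring_resource(ftp_data):
    """Map 'KEYRING ringowner/ringname' to the RDATALIB name ringowner.ringname.LST."""
    for raw in ftp_data.splitlines():
        line = raw.split(";", 1)[0].strip()  # assumption: ';' starts a comment
        m = re.fullmatch(r"KEYRING\s+(\S+)", line, re.I)
        if not m:
            continue
        owner, sep, ring = m.group(1).partition("/")
        if not (sep and owner and ring):
            raise ValueError(f"KEYRING {m.group(1)!r} is not ringowner/ringname")
        return f"{owner}.{ring}.LST"
    raise ValueError("no KEYRING statement found")

def read_masks(rules, resource):
    """UID masks that a RECKEY ... ADD(...) line allows READ on `resource`."""
    masks = []
    for key, ext, uid, service, action in RULE_RE.findall(rules):
        services = {s.strip().upper() for s in service.split(",")}
        if f"{key}.{ext}" == resource and action.upper() == "ALLOW" and "READ" in services:
            masks.append(uid)
    return masks

def missing_users(ftp_data, rules, users):
    """Users with no READ rule for the ring the FTP client is configured to open."""
    masks = read_masks(rules, keyring_resource(ftp_data))
    # Assumption: as in the article's masks, the logonid follows leading '*' wildcards.
    covered = {m.lstrip("*") for m in masks}
    return [u for u in users if u not in covered]

if __name__ == "__main__":
    print(keyring_resource(FTP_DATA))
    print(missing_users(FTP_DATA, RULES, ["USER001", "USER002", "USER003"]))
```

The check covers the RDATALIB form only; a site that authorizes through the FACILITY class would compare against the DIGTCERT.LISTRING rules instead.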