Set Up FTP Server Authentication - Mainframe to PC With Top Secret

Article ID: 27746

Products

Top Secret

Issue/Introduction

What is needed to set up FTP SERVER AUTHENTICATION with TOP SECRET generated self-signed DIGITAL CERTIFICATES?

Resolution

The following example shows how to set up FTP SERVER AUTHENTICATION with TOP SECRET generated self-signed DIGITAL CERTIFICATES.

NOTE: The following are example commands and may vary depending on your naming conventions and environment. Please adjust them accordingly to your site standards and environment.

  1. Generate the FTP server's certificate with the TSS GENCERT command:
          TSS GENCERT(FTPS) DIGICERT(FTPSCERT) -
          SUBJECTN('o="COMPANYA" CN="FTPS certificate" -
          OU="SYSTEMS" C="US" ')
    • In this example, 'FTPS' is the FTP started task region acid.

    • FTPSCERT is the digital certificate name in TOP SECRET.

  2. Create the FTP server's KEYRING with the TSS ADD command:
          TSS ADD(FTPS) KEYRING(FTPSRING) LABLRING(FTPSRING)

    Note: The LABLRING value must not contain blank spaces.

  3. Add the FTP server's certificate to the FTP server's KEYRING with the TSS ADD command:
          TSS ADD(FTPS) KEYRING(FTPSRING) RINGDATA(FTPS,FTPSCERT) -
          DEFAULT USAGE(PERSONAL)

  4. Copy the FTP server's certificate to a dataset with the TSS EXPORT command:
          TSS EXPORT(FTPS) DIGICERT(FTPSCERT) -
          DCDSN('FTPS.SERVER.CERT')

    Note: Dataset doesn't have to be formatted. It is automatically created and cataloged.

  5. Copy the FTP server's certificate 'FTPS.SERVER.CERT' to the FTP client's Trusted Authorities database via FTP.

  6. Permit the FTP acid to the SSL KEYRING, certificates and mappings with the TSS PERMIT command:
          TSS PER(FTPS) IBMFAC(IRR.DIGTCERT.GENCERT) ACC(UPDATE)
          TSS PER(FTPS) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)
          TSS PER(FTPS) IBMFAC(IRR.DIGTCERT.LIST) ACC(UPDATE)
          TSS PER(USRA) IBMFAC(IRR.DIGTCERT.GENCERT) ACC(UPDATE)
          TSS PER(USRA) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)
          TSS PER(USRA) IBMFAC(IRR.DIGTCERT.LIST) ACC(UPDATE)

  7. Update IBM's FTP parameter 'KEYRING' to specify the FTP server's KEYRING label 'FTPSRING'. The parameter can be found in IBM's FTPS.DATA member.

  8. Update IBM's FTP parameter 'SECURE_LOGIN NO_CLIENT_AUTH'. The parameter can be found in IBM's FTPS.DATA member.

  9. IBM's FTP parameter 'SECURE_FTP REQUIRED' needs to be specified. The parameter can be found in IBM's FTPS.DATA member.

FTP Client Authentication -- Mainframe to PC

The following example shows how to set up FTP CLIENT AUTHENTICATION with TOP SECRET generated self-signed DIGITAL CERTIFICATES.

NOTE: The following are example commands and may vary depending on your naming conventions and environment. Please adjust them accordingly to your site standards and environment.

  1. FTP Client Authentication is optional and not required for FTP Server Authentication. However, FTP Client Authentication does require FTP Server Authentication. Before activating FTP Client Authentication, please test and verify that your FTP Server Authentication is working.

  2. Copy the FTP server's certificate to a dataset called 'FTPS.SERVER.CERT' with the TSS EXPORT command. If the certificate dataset was already created when setting up FTP SERVER AUTHENTICATION, this step can be skipped.
          TSS EXPORT(FTPS) DIGICERT(FTPSCERT) -
          DCDSN('FTPS.SERVER.CERT')

    Note: Dataset doesn't have to be formatted. It is automatically created and cataloged.

  3. Send the certificate dataset to the PC and bring it into the FTP client's Trusted Authorities database.

  4. Generate the FTP client certificate with the TSS GENCERT command:
          TSS GENCERT(USERA) DIGICERT(USRACERT) -
          SUBJECTN('o="COMPANYA" CN="USERA self-signed ftp cert" -
          OU="SYSTEMSDEPT" C="US"') LABLCERT('USERA CERT') TRUST

  5. Create the KEYRING for the FTP client acid with the TSS ADD command:
          TSS ADD(USERA) KEYRING(USRARING) LABLRING(USRARING)

  6. Add the FTP client's certificate to the FTP client's KEYRING with the TSS ADD command:
          TSS ADD(USERA) KEYRING(USRARING) -
          RINGDATA(USERA,USRACERT) DEFAULT USAGE(PERSONAL)

  7. Add the FTP client's certificate to the FTP server's KEYRING with CERTAUTH authority with the TSS ADD command:
          TSS ADD(FTPS) KEYRING(FTPSRING) RINGDATA(USERA,USRACERT) -
          USAGE(CERTAUTH)

  8. Export the FTP client's certificate to the dataset 'USERA.CERT' with the TSS EXPORT command:
          TSS EXPORT(USERA) DIGICERT(USRACERT) DCDSN(USERA.CERT)

    Note: Dataset doesn't have to be formatted. It is automatically created and cataloged by TOP SECRET.

  9. Export the FTP client certificate 'USERA.CERT' to the PC and bring it into the FTP client's Trusted Authorities database via FTP.

  10. Update IBM's FTP parameter 'SECURE_LOGIN VERIFY_USER'. The parameter can be found in IBM's FTPS.DATA member.
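
Added example, not part of the original article and not IBM or Broadcom code: a Python check that a copy of the FTPS.DATA member carries the statements set in steps 7-9 of the server setup and step 10 of the client setup. It assumes the member has been saved as text, that ';' begins a comment, and that statement names are case-insensitive; the function names and the sample member are constructed for illustration.

```python
# Added example: audit an FTPS.DATA member for the TLS statements in this article.

# Constructed sample: a keyring is configured but TLS is not enforced.
SAMPLE_FTPS_DATA = """\
; constructed sample FTPS.DATA member
KEYRING       FTPSRING          ; label from LABLRING(FTPSRING)
SECURE_LOGIN  NO_CLIENT_AUTH
SECURE_FTP    ALLOWED           ; does not match step 9
"""


def parse_ftp_data(text):
    """Return {STATEMENT: value}. Assumes ';' starts a comment and that
    statement names are case-insensitive; a later duplicate overrides."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split(";", 1)[0].split(None, 1)
        if parts:
            settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_ftps_data(text, keyring="FTPSRING", client_auth=False):
    """Return a list of findings; an empty list means the member matches
    server steps 7-9 (and client step 10 when client_auth is True)."""
    settings = parse_ftp_data(text)
    login = "VERIFY_USER" if client_auth else "NO_CLIENT_AUTH"
    expected = {"KEYRING": keyring, "SECURE_LOGIN": login, "SECURE_FTP": "REQUIRED"}
    findings = []
    for name, want in expected.items():
        got = settings.get(name)
        if got is None:
            findings.append(f"{name} is not specified (expected {want})")
            continue
        # Ring labels are compared exactly; keyword values ignore case.
        same = got == want if name == "KEYRING" else got.upper() == want.upper()
        if not same:
            findings.append(f"{name} is {got} (expected {want})")
    return findings


if __name__ == "__main__":
    for finding in audit_ftps_data(SAMPLE_FTPS_DATA):
        print("FINDING:", finding)
```

Pass client_auth=True after step 10 so that a member still set to NO_CLIENT_AUTH is reported.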