FTP Server Authentication - Mainframe to Mainframe in TSS

Article ID: 27863

Products

Top Secret

Issue/Introduction

 How do you set up FTP Server and Client Authentication with a TOP SECRET generated self-signed Digital Certificate?

Resolution

 FTP SERVER AUTHENTICATION with a TOP SECRET generated self-signed Digital Certificate.

NOTE: The following are example commands and may vary depending on your naming conventions and environment. Please adjust them accordingly to your site standards and environment.

  1. Generate the FTP server's certificate with the TSS GENCERT command:
          TSS GENCERT(FTPS) DIGICERT(FTPSCERT) -
          SUBJECTN('o="COMPANYA" CN="FTPS certificate" -
          OU="SYSTEMS" C="US"')
    • In this example 'FTPS' is the FTP started task region acid.

    • FTPSCERT is the digital certificate name in TOP SECRET.

  2. Create the FTP server's KEYRING with the TSS ADD command:
          TSS ADD(FTPS) KEYRING(FTPSRING) LABLRING(FTPSRING)

    Note: No blank spaces in the LABLRING.

  3. Add the FTP server's certificate to the FTP server's KEYRING with the TSS ADD command:
          TSS ADD(FTPS) KEYRING(FTPSRING) RINGDATA(FTPS,FTPSCERT) -
          DEFAULT USAGE(PERSONAL)
  4. Copy the FTP server's certificate to a dataset with the TSS EXPORT command:
          TSS EXPORT(FTPS) DIGICERT(FTPSCERT) -
          DCDSN('FTPS.SERVER.CERT')

    Note: Dataset should not be formatted. It is automatically created and cataloged.

  5. Copy the FTP server's certificate to the FTP client's KEYRING with the TSS ADD command:
          TSS ADD(USERA) KEYRING(USRARING) -
          RINGDATA(FTPS,FTPSCERT) DEFAULT USAGE(PERSONAL)
  6. Permit the FTP server's region acid and the FTP client acid to the SSL KEYRING, certificates and mappings with the TSS PERMIT command:
          TSS PER(FTPS) IBMFAC(IRR.DIGTCERT.GENCERT) ACC(UPDATE)
          TSS PER(FTPS) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)
          TSS PER(FTPS) IBMFAC(IRR.DIGTCERT.LIST) ACC(UPDATE)
          TSS PER(USERA) IBMFAC(IRR.DIGTCERT.GENCERT) ACC(UPDATE)
          TSS PER(USERA) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)
          TSS PER(USERA) IBMFAC(IRR.DIGTCERT.LIST) ACC(UPDATE)
  7. Update IBM's FTP parameter 'KEYRING'. It requires the FTP server's KEYRING label 'FTPSRING'. The parameter can be found in IBM's FTPS.DATA member.

  8. Update IBM's FTP parameter 'SECURE_LOGIN NO_CLIENT_AUTH'. The parameter can be found in IBM's FTPS.DATA member.

  9. Update IBM's FTP parameter 'SECURE_FTP REQUIRED'. The parameter can be found in IBM's FTPS.DATA member.

FTP Client Authentication - Mainframe to Mainframe

The following example shows how to set up FTP CLIENT AUTHENTICATION with a TOP SECRET generated self-signed Digital Certificate.

NOTE: The following are example commands and may vary depending on your naming conventions and environment. Please adjust them accordingly to your site standards and environment.

  1. FTP Client Authentication is optional and not required for FTP Server Authentication. However, FTP Client Authentication does require FTP Server Authentication. Before activating FTP Client Authentication, please test and verify that your FTP Server Authentication is working.

  2. Generate the FTP client's TOP SECRET self-signed certificate with the TSS GENCERT command:
          TSS GENCERT(USERA) DIGICERT(USRACERT) -
          SUBJECTN('o="COMPANYA" CN="USERA self-signed ftp cert" -
          OU="DEPTA" C="US"') LABLCERT('USERACERT') TRUST
    • In this example 'USERA' is the client's acid.

    • USRACERT is the digital certificate name in TOP SECRET, and 'USERACERT' is its label.

  3. Create the KEYRING for the FTP client acid with the TSS ADD command:
          TSS ADD(USERA) KEYRING(USRARING) LABLRING(USRARING)
  4. Add the FTP client's certificate to the FTP client's KEYRING with the TSS ADD command:
          TSS ADD(USERA) KEYRING(USRARING) -
          RINGDATA(USERA,USRACERT) DEFAULT USAGE(PERSONAL)
  5. Add the FTP client's certificate to the FTP server's KEYRING with CERTAUTH authority with the TSS ADD command:
          TSS ADD(FTPS) KEYRING(FTPSRING) RINGDATA(USERA,USRACERT) -
          DEFAULT USAGE(CERTAUTH)
  6. Copy the FTP server's certificate to the FTP client's KEYRING with the TSS ADD command:
          TSS ADD(USERA) KEYRING(USRARING) -
          RINGDATA(FTPS,FTPSCERT) USAGE(PERSONAL)
  7. Update IBM's FTP parameter 'SECURE_LOGIN VERIFY_USER'. The parameter can be found in IBM's FTPS.DATA member.
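
The FTPS.DATA statements set in the server and client authentication procedures above can be checked mechanically. The following Python script is an added example, not part of the original article or of any Broadcom or IBM tooling; it assumes the member has been copied to plain text, that ';' begins a comment, and that KEYRING may be written as owner/ring. The names parse, check and SAMPLE are hypothetical, and the sample member is constructed.

```python
# Added example: lint an FTP.DATA member for the statements set in this article.
# Assumptions: ';' begins a comment; KEYRING may be written as owner/ring.
WANT = {
    "server_auth": {"SECURE_FTP": "REQUIRED", "SECURE_LOGIN": "NO_CLIENT_AUTH"},
    "client_auth": {"SECURE_FTP": "REQUIRED", "SECURE_LOGIN": "VERIFY_USER"},
}

def parse(text):
    """Map each statement name to every value it is given in the member."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            value = parts[1].strip() if len(parts) > 1 else ""
            seen.setdefault(parts[0].upper(), []).append(value)
    return seen

def check(text, mode="server_auth", ring="FTPSRING"):
    """Return a list of findings; an empty list means the member matches."""
    seen, findings = parse(text), []
    expected = dict(WANT[mode], KEYRING=ring)
    for name, want in sorted(expected.items()):
        values = seen.get(name, [])
        if not values:
            findings.append(f"{name}: missing (expected {want})")
            continue
        if len(set(values)) > 1:
            findings.append(f"{name}: conflicting values {values}")
        for value in sorted(set(values)):
            # Ring labels are compared exactly; keyword values ignore case.
            got = value.rsplit("/", 1)[-1] if name == "KEYRING" else value.upper()
            if got != want:
                findings.append(f"{name}: found {value!r}, expected {want!r}")
    return findings

# Constructed sample: ring label typo and TLS left optional.
SAMPLE = """\
; FTP server TLS settings (constructed sample)
KEYRING       FTPRING
SECURE_FTP    ALLOWED      ; clients may still connect in clear text
SECURE_LOGIN  NO_CLIENT_AUTH
"""

if __name__ == "__main__":
    for finding in check(SAMPLE):
        print(finding)
```

Run check with mode="client_auth" after step 7 of the client procedure; a member still set to NO_CLIENT_AUTH is then reported.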