How do you setup CA ACF2 for FTPS as described in The "Connectivity_README_2.1_Secure" Document ?

Article ID: 38012

Products

CA ACF2 CA ACF2 - DB2 Option CA ACF2 for zVM CA ACF2 - z/OS CA ACF2 - MISC CA PanApt CA PanAudit

Issue/Introduction

Question:  

How do you setup CA ACF2 for FTPS as described in The "Connectivity_README_2.1_Secure" Document ?

Answer:  

IBM statements specify that as of October 19th, 2014, it will NO longer be possible to download IBM s/w and service using FTP. 
At that time, ONLY FTPS will be allowed.

Here is an ACF2 translation of the "Connectivity_README_2.1_Secure" document.

*** Top Of Data ***

Customized Offerings Connectivity Test

You may need to create a new root signing certificate in order to access the secure zone where the test file is located. The following instructions assume you are using CA ACF2. If you are using an equivalent security product, you should refer to that product's documentation to understand the equivalent actions.

You will need to allow access to the necessary resources in the FACILITY resource class and use the related ACF2 commands to define/add certificates and define the keyring.

Use of these TSO ACF commands requires appropriate permission to the IRR.DIGTCERT.function resource under the FACILITY resource class. In general, READ access is required to manipulate your own certificates and key rings, ACF2 SECURITY privilege is required to manipulate them for other users, and to manipulate CERTAUTH (certificate authority) certificates. Therefore, you can use the following sample TSO ACF RECKEY commands to define the necessary resources in the FACILITY resource class and to give you access to use the related TSO ACF commands to define/add certificates and define the keyring:

Here are the RACF commands:

RDEFINE FACILITY IRR.DIGTCERT.ADD UACC(NONE)  
RDEFINE FACILITY IRR.DIGTCERT.ADDRING UACC(NONE)  
RDEFINE FACILITY IRR.DIGTCERT.ALTER UACC(NONE)      
RDEFINE FACILITY IRR.DIGTCERT.CONNECT UACC(NONE)    
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)        
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE) 

There is no equivalent to the RACF RDEFINE command. In RACF, a resource is unprotected by default, so RDEFINE is used to define resources that should be protected. There is no counterpart to this in CA ACF2: CA ACF2 uses a default protection scheme, which assumes that every resource is protected unless a rule allows access.

Next set of RACF commands:

PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(userid) ACCESS(READ)            
PERMIT IRR.DIGTCERT.ADDRING CLASS(FACILITY) ID(userid) ACCESS(READ)        
PERMIT IRR.DIGTCERT.ALTER CLASS(FACILITY) ID(userid) ACCESS(READ)          
PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(userid) ACCESS(UPDATE)      
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(userid) ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(userid) ACCESS(READ)

Next set of ACF2 commands:

ACF
SET RESOURCE(FAC)
RECKEY IRR ADD(DIGTCERT.ADD UID(UID string for userid) -
 SERVICE(READ) ALLOW)
RECKEY IRR ADD(DIGTCERT.ADDRING UID(UID string for userid) -
 SERVICE(READ) ALLOW)
RECKEY IRR ADD(DIGTCERT.ALTER UID(UID string for userid) -
 SERVICE(READ) ALLOW)
RECKEY IRR ADD(DIGTCERT.CONNECT UID(UID string for userid) -
 SERVICE(READ,UPDATE) ALLOW)
RECKEY IRR ADD(DIGTCERT.LIST UID(UID string for userid) -
 SERVICE(READ) ALLOW)
RECKEY IRR ADD(DIGTCERT.LISTRING UID(UID string for userid) -
 SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)

Where USERID is your ACF2 TSO LOGONID or any LOGONID you want to use.

Notes:

  1. UPDATE access is required to the IRR.DIGTCERT.CONNECT profile in the FACILITY resource class in order to connect a certificate authority (CA) certificate to your key ring. The ACF2 rule for DIGTCERT.CONNECT above therefore grants SERVICE(READ,UPDATE).

  2. To use the SMP/E RECEIVE ORDER command, access is required only to the IRR.DIGTCERT.LIST and IRR.DIGTCERT.LISTRING profiles. Access to the other resources is required to create and manipulate key rings and digital certificates.

When your user ID has the proper authorization you will be able to create the digital certificate.

To create the certificate:

  1. Download the Root 2 - GeoTrust Global CA (Base-64 encoded x.509) certificate from:
     https://www.geotrust.com/resources/root-certificates/index.html

  2. Allocate a sequential (PS) dataset on your z/OS host to store the certificate. For example, tsouid.GEOTRUST.CERT:
     Organization . . . : PS
     Record format . . . : VB
     Record length . . . : 256
     Block size . . . . : 27998
     Allocated blocks . : 2
     Allocated extents . : 1

  3. Transfer, in ASCII mode, the GeoTrust Global CA certificate to your dataset tsouid.GEOTRUST.CERT.

  4. Add the GeoTrust Global CA certificate to your ACF2 database with TRUST status.

     Here is the RACF command:
       RACDCERT CERTAUTH ADD('tsouid.GEOTRUST.CERT') HIGHTRUST -
         WITHLABEL('GeoTrust Global CA')

     Here is the TSO ACF command:
       ACF
       SET PROFILE(USER) DIV(CERTDATA)
       INSERT certauth.geotrust DSN('tsouid.GEOTRUST.CERT') -
         LABEL(GeoTrust Global CA) TRUST

  5. Create a key ring in RACF to be used for secure FTP. For example, FtpSecur:

     Here is the RACF command:
       RACDCERT ID(tsouid) ADDRING(FtpSecur)

     Here is the TSO ACF command:
       ACF
       SET PROFILE(USER) DIV(KEYRING)
       PROFILE
       INSERT TSOUID.ring RINGNAME(FtpSecur)

     Where TSOUID is your ACF2 TSO LOGONID or any LOGONID you want to use.

  6. Connect the GeoTrust Global CA certificate to your keyring FtpSecur.

     Here is the RACF command:
       RACDCERT ID(tsouid) CONNECT(CERTAUTH LABEL('GeoTrust Global CA') -
         RING(FtpSecur) USAGE(CERTAUTH) DEFAULT)

     Here is the TSO ACF command:
       ACF
       SET PROFILE(USER) DIV(KEYRING)
       PROFILE
       CONNECT CERTDATA(certauth.geotrust) KEYRING(TSOUID.ring) DEFAULT -
         USAGE(CERTAUTH)

  7. Refresh the RACListed profiles.

     Here is the RACF command:
       SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH

     Here are the ACF2 commands:
       ACF
       F ACF2,REBUILD(USR),CLASS(P)
       F ACF2,OMVS

  8. Update your tsouid.FTP.DATA dataset to point to the new keyring:
       KEYRING FtpSecur

  9. You will need to have the SSL Security Level 3 FMID installed on your driving system in order to successfully complete the SSL handshake.

*** End Of Data ***

In addition to the above, you must check your IP ports: they must be enabled for FTPS to work correctly. For this topic, they are usually ports 989 and 990.
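Steps 2 and 3 above are where this procedure most often goes wrong: the certificate is transferred in binary mode, so the host dataset holds ASCII bytes that the ACF2 INSERT cannot read, or a line is longer than the VB record allows. The following Python script is an added example, not part of the article or of any CA or IBM tool. It simulates both transfer modes and validates what the host would see before the INSERT is attempted. The certificate content is a constructed placeholder (arbitrary bytes, not the GeoTrust Global CA), the EBCDIC code page 037 is an assumption, and the 256-byte VB record length is the one given in step 2.

```python
import base64
import hashlib

# Constructed stand-in for the downloaded Base-64 (PEM) root certificate.
# The DER body is arbitrary bytes so the example runs offline; the real file
# is the GeoTrust Global CA downloaded in step 1.
FAKE_DER = bytes(range(256)) * 3          # 768 bytes standing in for the DER certificate
_B64 = base64.b64encode(FAKE_DER).decode("ascii")
PEM_TEXT = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))  # 64-char PEM lines
    + "\n-----END CERTIFICATE-----\n"
)

LRECL = 256            # record length of tsouid.GEOTRUST.CERT (step 2)
RDW_LEN = 4            # a VB record carries a 4-byte record descriptor word
MAX_DATA = LRECL - RDW_LEN
HOST_CODEPAGE = "cp037"  # assumed EBCDIC code page of the z/OS host

def transfer(pem_text: str, ascii_mode: bool) -> bytes:
    """Simulate the FTP upload to the host dataset.
    ASCII mode translates the text to EBCDIC (what step 3 asks for);
    binary mode ships the original ASCII bytes unchanged."""
    if ascii_mode:
        return pem_text.encode(HOST_CODEPAGE)
    return pem_text.encode("ascii")

def check_host_copy(host_bytes: bytes) -> dict:
    """Validate the dataset contents as the host will read them:
    EBCDIC text with PEM markers, every line within the VB data limit,
    and a Base-64 body that decodes. Returns record count, DER length and
    the SHA-256 fingerprint of the DER so it can be compared with the
    fingerprint published by the CA."""
    text = host_bytes.decode(HOST_CODEPAGE)
    lines = [ln for ln in text.split("\n") if ln != ""]
    if (not lines
            or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        raise ValueError("PEM markers not readable on the host: "
                         "the file was probably not transferred in ASCII mode")
    too_long = [ln for ln in lines if len(ln) > MAX_DATA]
    if too_long:
        raise ValueError(f"{len(too_long)} line(s) exceed the {MAX_DATA}-byte VB data limit")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    return {
        "records": len(lines),
        "der_length": len(der),
        "sha256": hashlib.sha256(der).hexdigest(),
    }

if __name__ == "__main__":
    good = check_host_copy(transfer(PEM_TEXT, ascii_mode=True))
    print("ASCII-mode copy OK:", good)
    try:
        check_host_copy(transfer(PEM_TEXT, ascii_mode=False))
    except ValueError as err:
        print("binary-mode copy rejected:", err)
```

The binary-mode copy fails at the marker check because the ASCII bytes of "-----BEGIN CERTIFICATE-----" decode to control characters under code page 037, which is exactly the symptom seen when the INSERT in step 4 reports an unreadable dataset. On a real host the same check can be run against the downloaded file with the published fingerprint compared before the certificate is added with TRUST status.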

                  Environment

                  Release:
                  Component: ACF2MS