Use Passtickets With The FTP Application And Top Secret

Article ID: 54377

Updated On:

Products

Top Secret

Issue/Introduction

The standard way to secure an FTP connection is to use SSL and digital certificates.

Under specific circumstances, however, you may want to secure your FTP connection with an alternative to user/password and SSL.

Environment

Release:
Component: AWAGNT

Resolution

Before securing FTP with passtickets, we must understand how passtickets work.

What is a Passticket?

It's an alternative to the mainframe password that permits workstations and client machines to communicate with the host. It allows a user to gain access to the host system without sending the mainframe password across the network.

PassTickets are cryptographically-generated, single-use, short-lifespan password substitutes. They are inherently more secure than passwords.

The Passticket is valid for a period of plus or minus 10 minutes (as measured on the GMT clock of the "central" system). It cannot be reused. It is always an 8-character string (for example, 6MP534fG could be the value of a Passticket).

Passtickets in Top Secret can be used with FTP. The required steps are:

  1. Access to the FTP site must be done through an application that will request a passticket and pass it at connection time. A sample application is attached to this document.

  2. The application name and session key must be defined to the Top Secret NDT.

    Example: APPLICATION = OMVSAPPL, SESSION KEY = 123456789ABCDEF0

    tss add(ndt) pstkappl(omvsappl) sesskey(123456789ABCDEF0)

    To remove it:

    tss rem(ndt) pstkappl(omvsappl)

  3. By default, FTP passes its default application name to Top Secret at connection time in the 'APPL=' parameter of:

    RACROUTE REQUEST=VERIFY,ENVIR=CREATE

    It has the following format:

    FTPDx where 'x' can be '1' '2' etc...

    Modify the FTP STC so that FTP passes the application name you have chosen in the 'APPL=' parameter. See the following sample:

    //FTPD1    PROC PARMS='ENVAR("_BPX_JOBNAME=OMVSAPPL")'
    //FTPD     EXEC PGM=FTPD,REGION=0M,TIME=NOLIMIT,
    //         PARM='&PARMS/POSIX(ON) ALL31(ON)'

  4. An alternative to step 3 is to use the Top Secret Installation Exit TSSINSTX PRE-INIT entry to change the application name in the RACROUTE parameter list. Please see the following example:

    PREINIT  DS    0H
             ICM   R3,15,TXA#@RFP           @@PLIST
             BZ    EXIT0
             ICM   R3,15,0(R3)              @PLIST
             BZ    EXIT0
             ICM   R3,15,48(R3)             @APPL Get application address
             BZ    EXIT0
             CLC   0(4,R3),=C'FTPD'         Application starts with FTPD
             BNE   EXIT0
             MVC   0(8,R3),=C'OMVSAPPL'     Replace with chosen application name
             B     EXIT0
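
The following model shows why the application name FTP passes must match the one defined with the session key, and how the time window and single-use rule behave at validation. It is an added example, not the sample application attached to this article and not Broadcom code: it substitutes HMAC-SHA256 for the real PassTicket algorithm, and `make_ticket`, `Host`, the user ID `USER01`, the 60-second granularity and the timestamp are assumptions made for illustration.

```python
import hashlib
import hmac

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
WINDOW = 600  # +/- 10 minutes, as stated in the article
STEP = 60     # assumed clock granularity for this model

def make_ticket(key_hex, userid, appl, now):
    """Stand-in generator (HMAC-SHA256), NOT the real PassTicket algorithm."""
    msg = f"{userid.upper()}|{appl.upper()}|{int(now) // STEP}".encode()
    mac = hmac.new(bytes.fromhex(key_hex), msg, hashlib.sha256).digest()
    n = int.from_bytes(mac[:8], "big")
    out = ""
    for _ in range(8):  # always an 8-character string
        n, r = divmod(n, 36)
        out += ALPHABET[r]
    return out

class Host:
    """Models the host side: one session key per application, plus a replay cache."""
    def __init__(self, ndt):
        self.ndt = {a.upper(): k for a, k in ndt.items()}
        self.used = set()

    def verify(self, userid, appl, ticket, now):
        key = self.ndt.get(appl.upper())
        if key is None:
            return "no session key for application"
        seen = (userid.upper(), appl.upper(), ticket)
        if seen in self.used:
            return "replayed"
        # Try every time slot inside the +/- 10 minute window.
        for t in range(int(now) - WINDOW, int(now) + WINDOW + 1, STEP):
            if hmac.compare_digest(make_ticket(key, userid, appl, t), ticket):
                self.used.add(seen)
                return "ok"
        return "invalid or outside time window"

def demo():
    t0 = 1_700_000_000  # constructed timestamp
    host = Host({"OMVSAPPL": "123456789ABCDEF0"})  # key from the article's example
    ticket = make_ticket("123456789ABCDEF0", "USER01", "OMVSAPPL", t0)
    return [
        host.verify("USER01", "FTPD1", ticket, t0),           # FTP still passes its default APPL
        host.verify("USER01", "OMVSAPPL", ticket, t0 + 900),  # 15 minutes of clock skew
        host.verify("USER01", "OMVSAPPL", ticket, t0 + 300),  # inside the window
        host.verify("USER01", "OMVSAPPL", ticket, t0 + 301),  # same ticket presented again
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first result is the failure that steps 3 and 4 exist to prevent: the ticket was generated for OMVSAPPL, but the connection is checked under the default FTPDx name.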

Note 1:
All samples given have been ONLY tested in test environments.

Note 2:
All samples given are for informational purposes and CANNOT be considered as a Broadcom extended product feature. Creation, maintenance and troubleshooting are the sole responsibility of the user.

Please see the Top Secret documentation here for more details about Top Secret Installation Exit 'TSSINSTX'.

Attachments

1558535625922TEC481822.zip