To secure FTP connections, the standard approach is SSL with digital certificates.
But under specific circumstances, you may want to secure your FTP connection with alternatives to user/password and SSL.
Before securing FTP with passtickets, we must understand how passtickets work.
What is a Passticket?
It's an alternative to the mainframe password that permits workstations and client machines to communicate with the host. It allows a user to gain access to the host system without sending the mainframe password across the network.
PassTickets are cryptographically-generated, single-use, short-lifespan password substitutes. They are inherently more secure than passwords.
The Passticket is valid for a period of plus or minus 10 minutes (as measured on the GMT clock of the "central" system). It cannot be replayed. It is always an 8-character string (for example, 6MP534fG could be the value of a Passticket).
Passtickets in CA Top Secret can be used with FTP and here are the steps required:
- Access to the FTP site must be done through an application that will request a passticket and pass it at connection time. A sample application is attached to this document.
- The application name and session key must be defined to the CA Top Secret NDT.
Example: APPLICATION = OMVSAPPL, SESSION KEY = 123456789ABCDEF0
tss add(ndt) pstkappl(omvsappl) sesskey(123456789ABCDEF0)
To remove it:
tss rem(ndt) pstkappl(omvsappl)
- By default, the default application name is passed on parameter 'APPL=' of the:
by FTP to CA Top Secret at connection.
It has the following format:
FTPDx where 'x' can be '1' '2' etc...
Modify the FTP STC so that FTP passes the application name you have chosen on the 'APPL=' parameter. See the following sample:
//FTPD1 PROC PARMS='ENVAR("_BPX_JOBNAME=OMVSAPPL")'
//FTPD EXEC PGM=FTPD,REGION=0M,TIME=NOLIMIT,
// PARM='&PARMS/POSIX(ON) ALL31(ON)'
- An alternative to step 3 is to use the CA Top Secret Installation Exit TSSINSTX PRE-INIT entry to change the application name in the RACROUTE parameter list. Please see the following example:
PREINIT  DS    0H
         ICM   R3,15,TXA#@RFP          @@PLIST
         BZ    EXIT0
         ICM   R3,15,0(R3)             @PLIST
         BZ    EXIT0
         ICM   R3,15,48(R3)            @APPL Get application address
         BZ    EXIT0
         CLC   0(4,R3),=C'FTPD'        Application starts with FTPD
         BNE   EXIT0
         MVC   0(8,R3),=C'OMVSAPPL'
         B     EXIT0
All samples given have been ONLY tested in test environments.
All samples given are for information purposes and CANNOT be considered as a CA extended product feature. Creation, maintenance and troubleshooting are the sole responsibility of the user.
Please see the CA Top Secret User Guide for more details about CA Top Secret Installation Exit 'TSSINSTX'.
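The following Python model is an added illustration, not code from CA or from the sample application mentioned above. It shows why the application name FTP passes must match the one defined in the NDT, and how the plus or minus 10 minute window and single-use rule behave. Assumptions: HMAC-SHA-256 stands in for the real PassTicket algorithm (which this page does not describe), time is modelled in 1-minute steps, and USER01, `make_ticket`, `Validator` and `demo` are hypothetical names.

```python
import hashlib
import hmac

WINDOW_SECONDS = 600   # page: valid for plus or minus 10 minutes
STEP = 60              # assumption: the model quantises time to 1-minute steps
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

def make_ticket(session_key: bytes, userid: str, appl: str, now: int) -> str:
    """Derive an 8-character token from key, user, application name and time step."""
    msg = f"{userid.upper()}|{appl.upper()}|{now // STEP}".encode()
    digest = hmac.new(session_key, msg, hashlib.sha256).digest()  # stand-in algorithm
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:8])

class Validator:
    """Host-side model: key looked up by application name, clock window, single use."""
    def __init__(self, ndt: dict):
        self.ndt = ndt      # application name -> session key (models the NDT entry)
        self.used = set()   # tickets already accepted, to refuse replays

    def validate(self, userid: str, appl: str, ticket: str, now: int) -> str:
        userid, appl = userid.upper(), appl.upper()
        key = self.ndt.get(appl)
        if key is None:
            return "no session key for application"
        if (userid, appl, ticket) in self.used:
            return "replayed"
        for t in range(now - WINDOW_SECONDS, now + WINDOW_SECONDS + 1, STEP):
            if hmac.compare_digest(make_ticket(key, userid, appl, t), ticket):
                self.used.add((userid, appl, ticket))
                return "accepted"
        return "rejected"

def demo() -> list:
    key = bytes.fromhex("123456789ABCDEF0")   # sample session key from this page
    host = Validator({"OMVSAPPL": key})       # only OMVSAPPL is defined
    now = 1_700_000_000                       # constructed timestamp
    ticket = make_ticket(key, "USER01", "OMVSAPPL", now)
    late = make_ticket(key, "USER01", "OMVSAPPL", now + 60)
    return [
        host.validate("USER01", "FTPD1", ticket, now),           # default FTP name
        host.validate("USER01", "OMVSAPPL", ticket, now + 300),  # inside the window
        host.validate("USER01", "OMVSAPPL", ticket, now + 301),  # same ticket again
        host.validate("USER01", "OMVSAPPL", late, now + 1260),   # 20 minutes old
    ]
```
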