FTP Server Authentication - Mainframe to Mainframe

Document ID : KB000027863
Last Modified Date : 14/02/2018

Question:

How do you set up FTP SERVERAUTHENTICATION with CA TOP SECRET generated self-signed DIGITAL CERTIFICATES?

Answer:

The following example shows how to set up FTP SERVERAUTHENTICATION with eTrust CA-TOP SECRET generated self-signed DIGITAL CERTIFICATES.

NOTE: The following are example commands and may vary depending on your naming conventions and environment. Adjust them according to your site standards and environment.

  1. Generate the FTP server's certificate with the TSS GENCERT command:
          TSS GENCERT(FTPS) DIGICERT(FTPSCERT) -
            SUBJECTN('o="COMPANYA" CN="FTPS certificate" -
            OU="SYSTEMS" C="US" ')

    • In this example 'FTPS' is the FTP started task region acid.

    • FTPSCERT is the digital certificate name in eTrust CA-TOP SECRET.

  2. Create the FTP server's KEYRING with the TSS ADD command:
          TSS ADD(FTPS) KEYRING(FTPSRING) LABLRING(FTPSRING)

    Note: No blank spaces in the LABLRING.

  3. Add the FTP server's certificate to the FTP server's KEYRING with the TSS ADD command:
          TSS ADD(FTPS) KEYRING(FTPSRING) RINGDATA(FTPS,FTPSCERT) -
            DEFAULT USAGE(PERSONAL)

  4. Copy the FTP server's certificate to a dataset with the TSS EXPORT command:
          TSS EXPORT(FTPS) DIGICERT(FTPSCERT) -
            DCDSN('FTPS.SERVER.CERT')

    Note: Dataset doesn't have to be formatted. It is automatically created and cataloged.

  5. Copy the FTP server's certificate to the FTP client's KEYRING with the TSS ADD command:
          TSS ADD(USERA) KEYRING(USRARING) -
            RINGDATA(FTPS,FTPSCERT) DEFAULT USAGE(PERSONAL)

  6. Permit the FTP server's region acid and the FTP client acid to the SSL KEYRING, certificates and mappings with the TSS PERMIT command:
          TSS PER(FTPS) IBMFAC(IRR.DIGTCERT.GENCERT) ACC(UPDATE)
          TSS PER(FTPS) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)
          TSS PER(FTPS) IBMFAC(IRR.DIGTCERT.LIST) ACC(UPDATE)
          TSS PER(USERA) IBMFAC(IRR.DIGTCERT.GENCERT) ACC(UPDATE)
          TSS PER(USERA) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)
          TSS PER(USERA) IBMFAC(IRR.DIGTCERT.LIST) ACC(UPDATE)

  7. Update IBM's FTP parameter 'KEYRING'. It requires the FTPS server's KEYRING label, 'FTPSRING'. The parameter can be found in IBM's FTPS.DATA member.

  8. Update IBM's FTP parameter 'SECURE_LOGIN NO_CLIENT_AUTH'. The parameter can be found in IBM's FTPS.DATA member.

  9. Update IBM's FTP parameter 'SECURE_FTP REQUIRED'. The parameter can be found in IBM's FTPS.DATA member.

FTP Client Authentication - Mainframe to Mainframe

The following example shows how to set up FTP CLIENT AUTHENTICATION with eTrust CA-TOP SECRET generated self-signed DIGITAL CERTIFICATES.

NOTE: The following are example commands and may vary depending on your naming conventions and environment. Adjust them according to your site standards and environment.

  1. FTP Client Authentication is optional and not required for FTP Server Authentication. However, FTP Client Authentication does require FTP Server Authentication. Before activating FTP Client Authentication, please test and verify that your FTP Server Authentication is working.

  2. Generate the FTP client's eTrust CA-TOP SECRET self-signed certificate with the TSS GENCERT command:
          TSS GENCERT(USERA) DIGICERT(USRACERT) -
            SUBJECTN('o="COMPANYA" CN="USERA selfsigned ftp cert" -
            OU="DEPTA" C="US"') LABLCERT('USERACERT') TRUST

    • In this example 'USERA' is the client's acid.

    • 'USERACERT' is the digital certificate name in eTrust CA-TOP SECRET.

  3. Create the KEYRING for the FTP client acid with the TSS ADD command:
          TSS ADD(USERA) KEYRING(USRARING) LABLRING(USRARING)

  4. Add the FTP client's certificate to the FTP client's KEYRING with the TSS ADD command:
          TSS ADD(USERA) KEYRING(USRARING) -
            RINGDATA(USERA,USRACERT) DEFAULT USAGE(PERSONAL)

  5. Add the FTP client's certificate to the FTP server's KEYRING with CERTAUTH authority with the TSS ADD command:
          TSS ADD(FTPS) KEYRING(FTPSRING) RINGDATA(USERA,USRACERT) -
            DEFAULT USAGE(CERTAUTH)

  6. Copy the FTP server's certificate to the FTP client's KEYRING with the TSS ADD command:
          TSS ADD(USERA) KEYRING(USRARING) -
            RINGDATA(FTPS,FTPSCERT) USAGE(PERSONAL)

  7. Update IBM's FTP parameter 'SECURE_LOGIN VERIFY_USER'. The parameter can be found in IBM's FTPS.DATA member.
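
A pre-flight check for command sequences like the ones in both procedures above, added here as an example (it is not CA's or IBM's code): it parses TSS commands and reports certificates connected to a KEYRING without being generated, KEYRINGs used without being created, and an FTP.DATA KEYRING value that matches no created ring. The function names, the constructed sample input, and the rule that every RINGDATA connect states USAGE explicitly are assumptions of this example.

```python
import re

# Constructed sample: commands modelled on the steps above. The last one
# connects USERA's certificate, which this sample never generates.
SAMPLE = """\
TSS GENCERT(FTPS) DIGICERT(FTPSCERT) -
    SUBJECTN('o="COMPANYA" CN="FTPS certificate" OU="SYSTEMS" C="US"')
TSS ADD(FTPS) KEYRING(FTPSRING) LABLRING(FTPSRING)
TSS ADD(FTPS) KEYRING(FTPSRING) RINGDATA(FTPS, FTPSCERT) -
    DEFAULT USAGE(PERSONAL)
TSS ADD(USERA) KEYRING(USRARING) LABLRING(USRARING)
TSS ADD(USERA) KEYRING(USRARING) RINGDATA(FTPS,FTPSCERT) USAGE(PERSONAL)
TSS ADD(FTPS) KEYRING(FTPSRING) RINGDATA(USERA,USRACERT) USAGE(CERTAUTH)
"""

def join_continuations(text):
    """Merge lines ending in the continuation hyphen into single commands."""
    cmds, buf = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("-"):
            buf += line[:-1].rstrip() + " "
        elif line:
            cmds.append(buf + line)
            buf = ""
    return cmds

def kw(cmd, name):
    """Return the operand of KEYWORD(...) in a command, or None."""
    m = re.search(r"\b%s\(([^)]*)\)" % name, cmd)
    return m.group(1) if m else None

def lint(text, ftp_keyring=None):
    """List references to certificates or keyrings that no command creates."""
    cmds, certs, rings, findings = join_continuations(text), set(), set(), []
    for c in cmds:                      # pass 1: objects that get created
        if c.startswith("TSS GENCERT("):
            certs.add((kw(c, "GENCERT"), kw(c, "DIGICERT")))
        elif kw(c, "LABLRING"):
            rings.add((kw(c, "ADD"), kw(c, "KEYRING")))
    for c in cmds:                      # pass 2: objects that get referenced
        if kw(c, "RINGDATA") is None:
            continue
        cert = tuple(p.strip() for p in kw(c, "RINGDATA").split(","))
        ring = (kw(c, "ADD"), kw(c, "KEYRING"))
        if cert not in certs:
            findings.append("certificate %s connected but never generated" % "/".join(cert))
        if ring not in rings:
            findings.append("keyring %s/%s used but never created" % ring)
        if kw(c, "USAGE") is None:      # assumption: every connect states USAGE
            findings.append("no USAGE(...) parsed, check spelling: " + c)
    if ftp_keyring and ftp_keyring not in {name for _, name in rings}:
        findings.append("FTP.DATA KEYRING %s matches no created ring" % ftp_keyring)
    return findings
```

Pass the KEYRING value from the FTP.DATA member as `ftp_keyring` to catch a label that differs from the LABLRING the server's ring was created with.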