FTP Server Authentication - Mainframe to PC

Document ID : KB000026672
Last Modified Date : 14/02/2018

Summary:

The following example shows how to set up FTP SERVER AUTHENTICATION with self-signed DIGITAL CERTIFICATES generated by eTrust CA-TOP SECRET.

Instructions:

NOTE: The following are example commands and may vary depending on your naming conventions and environment. Please adjust them accordingly to your site standards and environment.

  1. Generate the FTP server's certificate with the TSS GENCERT command:

    TSS GENCERT(FTPS) DIGICERT(FTPSCERT) -
    SUBJECTN('o="COMPANYA" CN="FTPS certificate" -
    OU="SYSTEMS" C="US" ')

    1. In this example, 'FTPS' is the FTP started task region acid.

    2. FTPSCERT is the digital certificate name in eTrust CA-TOP SECRET.

  2. Create the FTP server's KEYRING with the TSS ADD command:

    TSS ADD(FTPS) KEYRING(FTPSRING) LABLRING(FTPSRING)

    Note: No blank spaces in the LABLRING.

  3. Add the FTP server's certificate to the FTP server's KEYRING with the TSS ADD command:
    TSS ADD(FTPS) KEYRING(FTPSRING) RINGDATA(FTPS,FTPSCERT) - 
    DEFAULT USAGE(PERSONAL)
  4. Copy the FTP server's certificate to a dataset with the TSS EXPORT command:

    TSS EXPORT(FTPS) DIGICERT(FTPSCERT) DCDSN('FTPS.SERVER.CERT')

    Note: Dataset doesn't have to be formatted. It is automatically created and cataloged.

  5. Copy the FTP server's certificate 'FTPS.SERVER.CERT' to the FTP client's Trusted Authorities database via FTP.

  6. Permit the FTP acid access to the SSL KEYRING, certificates and mappings with the TSS PERMIT command:

      TSS PER(FTPS) IBMFAC(IRR.DIGTCERT.GENCERT) ACC(UPDATE)
      TSS PER(FTPS) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)
      TSS PER(FTPS) IBMFAC(IRR.DIGTCERT.LIST) ACC(UPDATE)
      TSS PER(USRA) IBMFAC(IRR.DIGTCERT.GENCERT) ACC(UPDATE)
      TSS PER(USRA) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)
      TSS PER(USRA) IBMFAC(IRR.DIGTCERT.LIST) ACC(UPDATE)

    Note: If the acid CERTSITE is the owner of the certificate, ACC(CONTROL) must be specified instead of ACC(UPDATE).

  7. Open IBM's FTPS.DATA member for editing and add the following IBM FTP parameters:

    • KEYRING FTPSRING

    • SECURE_LOGIN NO_CLIENT_AUTH

    • SECURE_FTP REQUIRED

    • AUTH TLS

      With these parameters, the keyring name is established with FTP, client authentication is disabled, and FTP server authentication is activated.

Please refer to IBM documentation for further details about activating digital certificates with FTP.

FTP Client Authentication -- Mainframe to PC

The following example shows how to set up FTP CLIENT AUTHENTICATION with self-signed DIGITAL CERTIFICATES generated by eTrust CA-TOP SECRET.

NOTE: The following are example commands and may vary depending on your naming conventions and environment. Please adjust them accordingly to your site standards and environment.

  1. FTP Client Authentication is optional and not required for FTP Server Authentication. However, FTP Client Authentication does require FTP Server Authentication. Before activating FTP Client Authentication, please test and verify that your FTP Server Authentication is working.

  2. Copy the FTP server's certificate to a dataset called 'FTPS.SERVER.CERT' with the TSS EXPORT command. If the certificate dataset was already created when setting up FTP SERVER AUTHENTICATION, this step can be skipped.

    TSS EXPORT(FTPS) DIGICERT(FTPSCERT) -
    DCDSN('FTPS.SERVER.CERT')

    Note: Dataset doesn't have to be formatted. It is automatically created and cataloged.

  3. Send the certificate dataset to the PC and bring it into the FTP client's Trusted Authorities database.

  4. Generate the FTP client certificate with the TSS GENCERT command:

    TSS GENCERT(USERA) DIGICERT(USRACERT) -
    SUBJECTN('o="COMPANYA" CN="USERA selfsigned ftp cert" -
    OU="SYSTEMSDEPT" C="US"') LABLCERT('USERA CERT') TRUST

  5. Create the KEYRING for the FTP client acid with the TSS ADD command:

    TSS ADD(USERA) KEYRING(USRARING) LABLRING(USRARING)    
  6. Add the FTP client's certificate to the FTP client's KEYRING with the TSS ADD command:
    TSS ADD(USERA) KEYRING(USRARING) -
    RINGDATA(USERA,USRACERT) DEFAULT USAGE(PERSONAL)
  7. Add FTP client's certificate to FTP server's KEYRING with CERTAUTH authority via TSS ADD command:

    TSS ADD(FTPS) KEYRING(FTPSRING) RINGDATA(USERA,USRACERT) USAGE(CERTAUTH)
  8. Export FTP client's certificate to dataset 'USERA.CERT' via TSS EXPORT command.

    TSS EXPORT(USERA) DIGICERT(USRACERT) DCDSN(USERA.CERT)

    Note: Dataset doesn't have to be formatted. It is automatically created and cataloged by eTrust CA-TOP SECRET.

  9. Export the FTP client certificate 'USERA.CERT' to the PC and bring it into the FTP client's Trusted Authorities database via FTP.

  10. Update IBM's FTP parameter 'SECURE_LOGIN VERIFY_USER'. The parameter can be found in IBM's FTPS.DATA member.
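
A check for the FTPS.DATA settings from step 7 of the server procedure and step 10 of the client procedure, as an added example that is not part of the original document or of IBM's or CA's tooling: it parses a copy of the member and reports where KEYRING, SECURE_LOGIN and SECURE_FTP differ from the values given above. Treating text after ';' as a comment and comparing statement names and keyword values case-insensitively are assumptions, and the sample member is constructed.

```python
# Expected values per procedure, taken from the steps on this page.
EXPECTED = {
    "server": {"SECURE_LOGIN": "NO_CLIENT_AUTH", "SECURE_FTP": "REQUIRED"},
    "client": {"SECURE_LOGIN": "VERIFY_USER", "SECURE_FTP": "REQUIRED"},
}

def parse_ftp_data(text):
    """Return {STATEMENT: [values]}; text after ';' is dropped (assumed comment)."""
    found = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        found.setdefault(parts[0].upper(), []).append(value)
    return found

def audit(text, mode, keyring="FTPSRING"):
    """List deviations from this page's settings for mode 'server' or 'client'."""
    found = parse_ftp_data(text)
    wanted = dict(EXPECTED[mode], KEYRING=keyring)
    findings = []
    for name, want in wanted.items():
        values = found.get(name, [])
        if not values:
            findings.append(f"{name}: missing, expected {want}")
        elif len(values) > 1:
            # Which copy takes effect is not assumed here; report the duplicate.
            findings.append(f"{name}: coded {len(values)} times, keep one")
        else:
            # The keyring name is compared exactly; keyword values ignore case.
            got = values[0] if name == "KEYRING" else values[0].upper()
            if got != want:
                findings.append(f"{name}: found {values[0]}, expected {want}")
    return findings

# Constructed sample member, still at the server-authentication settings.
SAMPLE = """\
; FTPS.DATA (constructed sample)
KEYRING       FTPSRING
SECURE_LOGIN  NO_CLIENT_AUTH   ; server authentication only
secure_ftp    required
"""

if __name__ == "__main__":
    for mode in ("server", "client"):
        print(mode, audit(SAMPLE, mode) or "OK")
```

Run it against a downloaded copy of the member before and after step 10 of the client procedure; an empty list means the three statements match the mode being checked.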