How can I setup FTPS for clients sharing a keyring?

Document ID : KB000012441
Last Modified Date : 14/02/2018
Question:

How can I setup FTPS for clients sharing a keyring?

Answer:

In this example a company wants to allow its employees to make FTP requests from z/OS to three FTP servers out on the Internet. The CA certificates for the three FTP servers were already obtained and reside in the following three data sets: 'FTPD.CACERT1', 'FTPD.CACERT2', and 'FTPD.CACERT3'.

Sample Keyring

KEYRING / SHAREID.RING LAST CHANGED BY USER002 ON 10/24/16-11:54  
                  DEFAULT() RINGNAME(RING01)

The following certificates are connected to this key ring:          

CERTDATA record    Label                    Usage
FTPD.CACERT1       CA for FTP Server 1      CERTAUTH
FTPD.CACERT2       CA for FTP Server 2      CERTAUTH
FTPD.CACERT3       CA for FTP Server 3      CERTAUTH

Authorize access to the shared key ring for the ring owner (SHAREID) and for the z/OS users (USER001 and USER002) who need to communicate with the external FTP servers. Do this by administering a profile in either the FACILITY or the RDATALIB class.

Using the FACILITY class:

SET RESOURCE(FAC)
RECKEY IRR ADD( DIGTCERT.LISTRING UID(***USER001) SERVICE(UPDATE) ALLOW)
RECKEY IRR ADD( DIGTCERT.LISTRING UID(***USER002) SERVICE(UPDATE) ALLOW)

Using the RDATALIB class:

SET RESOURCE(RDA)
RECKEY SHAREID ADD( RING01.LST UID(***USER001) SERVICE(READ) ALLOW)
RECKEY SHAREID ADD( RING01.LST UID(***USER002) SERVICE(READ) ALLOW)

Configure the FTP client to use the shared key ring by specifying its fully qualified name on the KEYRING directive, whose syntax is KEYRING ringowner/ringname:

KEYRING SHAREID/RING01
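The KEYRING directive on its own does not force the client to negotiate TLS. The FTP.DATA client fragment below is an added example, not part of the original document, that places the directive beside the standard z/OS Communications Server FTP.DATA statements which require TLS and protect both connections; the weaker values are shown in comments next to the hardened ones. Because the shared ring holds only CERTAUTH entries and has no DEFAULT certificate, the client validates the server certificates but presents no client certificate of its own.

```text
; FTP.DATA (client) - example settings for FTPS with the shared key ring
; Lines beginning with ';' are comments.

SECURE_MECHANISM  TLS          ; negotiate TLS (the alternative, GSSAPI, is Kerberos)
TLSMECHANISM      FTP          ; FTP performs the TLS handshake itself (ATTLS would delegate it)

SECURE_FTP        REQUIRED     ; weak: ALLOWED  - lets the session fall back to clear-text FTP
SECURE_CTRLCONN   PRIVATE      ; weak: CLEAR    - commands and credentials would go unencrypted
SECURE_DATACONN   PRIVATE      ; weak: NEVER / CLEAR - file contents would go unencrypted

KEYRING           SHAREID/RING01   ; ringowner/ringname, the shared ring from this article

; Assumption: SECURE_HOSTNAME is a newer client statement; keep it only if your
; z/OS level supports it. It makes the client reject a server certificate whose
; name does not match the host it connected to.
SECURE_HOSTNAME   REQUIRED     ; weak: OPTIONAL
```

A quick check after the change is to run the client against one of the three servers and confirm in its output that the control connection is protected before the login prompt appears; if USER001 or USER002 cannot open the ring, the listing permission in FACILITY or RDATALIB is the first thing to revisit.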