Securing FTP server on z/OS

SSL/TLS (FTPS) implementation for server authentication

This article describes how you can secure FTP on z/OS® (FTPS) for server authentication using AT-TLS. The article also describes how to create AT-TLS policy using IBM Configuration Assistant for z/OS Communication Server and how to set up Policy Agent on z/OS.

Pabitra Mukhopadhyay (pabmukho@in.ibm.com), z/OS, Middleware System Programmer, IBM

Pabitra Mukhopadhyay is a z/OS and Middleware System Programmer at IBM India Software Labs System z Competency. He has coauthored several developerWorks articles, technical artifacts, and product demos involving messaging products and z/OS.



04 June 2014

z/OS is the most widely used IBM mainframe operating system. It is a 64-bit operating system that is derived from and is the successor to OS/390. It is designed to offer a stable, secure, continuously available, and scalable environment for applications running on the mainframe. z/OS is designed to take advantage of the IBM System z architecture, or z/Architecture.

The z/OS operating system is a share-everything runtime environment that provides resource sharing through virtualization technology. It uses special hardware and software to access and control the use of those resources, ensuring that there is very little underutilization of components.

File Transfer Protocol (FTP) is one of the most commonly used network protocols to transfer files from one host to another host over a TCP-based network. FTP, which is based on client-server architecture, uses separate control and data connections between the client and the server. FTP is not a secured protocol and is extremely vulnerable to sniffing and other forms of cyber-attacks, which can severely compromise data security.

In typical enterprise systems, digital certificates are used by Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to implement an authentication mechanism between a client and a server. This article describes how you can secure FTP on z/OS using SSL/TLS (FTPS) for server authentication. This authentication process can be provided natively by the application itself, or the process can be performed transparently to the application by implementing Application Transparent TLS (AT-TLS). In the example provided in this article, the AT-TLS method is used. The article also describes creating AT-TLS policy using IBM Configuration Assistant for z/OS Communication Server and setting up Policy Agent on z/OS.

Understanding SFTP and FTPS

People often use (and sometimes confuse) SFTP and FTPS interchangeably while referring to a secured mode of file transfer. Although both SFTP and FTPS are designed to serve a common purpose, they are quite different from each other in the way they work.

Back in the early days, FTP was a widely used unsecured protocol for transferring files across a network, whereas SSH, a secured network protocol, lacked FTP-like file transfer commands. When the need for a secured mode of transferring files was felt, two different solutions were proposed. The first solution was to add FTP capabilities to SSH, resulting in SFTP (SSH File Transfer Protocol). The second solution was to implement SSH security features in FTP, giving rise to FTPS (FTP over SSL or FTP Secured).

SFTP uses a single channel to transmit and receive all the pertinent data, whereas FTPS uses two channels (a command channel and a data channel) for file transfer. The data channel uses on-demand temporary ports that are chosen dynamically. FTPS therefore often has problems passing through a firewall: the firewall does not know which port is being used for the data transfer and so fails to allow traffic through that port. FTPS sends messages in a text format, allowing people to read logs and understand what happened during the session. This is not possible with SFTP, where the messages are in binary.
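The two-channel behaviour described above can be checked against a client log. The following is an added example, not code from the original article: it walks a constructed explicit-FTPS control-channel log, reports whether the login or any transfer happened without TLS protection, and extracts the dynamically chosen data port together with whether a firewall could have read it. The `>`/`<` log format and the names `audit_session` and `SAMPLE_SESSION` are assumptions made for the illustration.

```python
import re

# Constructed client-side log of one explicit FTPS session. ">" marks a command
# sent, "<" a reply received; host address and user name are placeholders.
SAMPLE_SESSION = """\
< 220 FTP server ready
> AUTH TLS
< 234 Security environment established - ready for negotiation
> USER EXAMPLE
< 331 Send password please
> PASS ********
< 230 EXAMPLE is logged on
> PBSZ 0
< 200 Protection buffer size accepted
> PROT P
< 200 Data connection protection set to private
> PASV
< 227 Entering Passive Mode (192,0,2,10,195,80)
> LIST
< 125 List started OK
< 250 List completed successfully
"""

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"\(\|\|\|(\d+)\|\)")
TRANSFER_VERBS = {"LIST", "NLST", "RETR", "STOR", "APPE"}


def audit_session(log):
    """Walk a control-channel log and report what was exposed in cleartext.

    data_ports holds (port, visible_on_wire) pairs: once AUTH TLS has been
    accepted, the PASV/EPSV reply is encrypted, so a firewall in the path
    cannot read the port it would need to open.
    """
    tls = False          # control channel protected (AUTH accepted with 234)
    prot = "C"           # RFC 4217: data channel stays Clear until PROT P
    verb, arg = "", ""
    report = {"cleartext_login": False, "data_ports": [], "clear_transfers": []}
    for line in log.splitlines():
        direction, _, rest = line.partition(" ")
        if direction == ">":
            verb, _, arg = rest.strip().partition(" ")
            verb, arg = verb.upper(), arg.strip().upper()
            if verb in ("USER", "PASS") and not tls:
                report["cleartext_login"] = True
            if verb in TRANSFER_VERBS and not (tls and prot == "P"):
                report["clear_transfers"].append(verb)
        elif direction == "<" and re.match(r"\d{3} ", rest):
            code = rest[:3]   # final reply line only; "230-" continuations are skipped
            if verb == "AUTH" and code == "234":
                tls = True
            elif verb == "PROT" and code == "200":
                prot = arg
            elif verb == "PASV" and code == "227":
                m = PASV_RE.search(rest)
                if m:  # port = p1 * 256 + p2
                    port = int(m.group(5)) * 256 + int(m.group(6))
                    report["data_ports"].append((port, not tls))
            elif verb == "EPSV" and code == "229":
                m = EPSV_RE.search(rest)
                if m:
                    report["data_ports"].append((int(m.group(1)), not tls))
    return report


if __name__ == "__main__":
    print(audit_session(SAMPLE_SESSION))
```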

Prerequisites

To benefit from this article, you should have basic knowledge of:

  • Public key infrastructure and how SSL and TLS work
  • FTP server and TCPIP stack on z/OS
  • z/OS Security Server—RACF administration
  • Job Control Language (JCL)
  • z/OS UNIX System Services (USS)

In addition to the prerequisites mentioned above, you need to install IBM Configuration Assistant for z/OS Communication Server. You can either install it on your workstation using a stand-alone installer or access it through z/OSMF (z/OS management facility) installed on your z/OS host, via the web interface. Note that as of z/OS V2R1, the Configuration Assistant tool is not provided as a separate download and is provided only as part of z/OSMF.


Setting up FTPS server on z/OS LPAR for server authentication

Follow the instructions given below (Step 1 to Step 4) to set up FTPS server on z/OS LPAR (in our example, the LPAR name is MVD3) for server authentication. It is assumed that FTP service is already configured on this LPAR and that it is active on default port 21. The mode of the FTPS setup is FTPS Explicit SSL.

FTPS server setup for server authentication involves four major tasks:

Step 1: Set up digital certificates in RACF.

Step 2: Update TCP/IP and FTP profile and configuration data to enable AT-TLS.

Step 3: Set up AT-TLS policy using IBM Configuration Assistant for z/OS Communication Server.

Step 4: Set up and configure Policy Agent on z/OS.

Step 1: Set up digital certificates in RACF

Sample JCL code has been provided with every step to execute RACF commands. Alternatively, you can use RACF panels to set up these digital certificates and key ring.

  1. Create a CA certificate (this is for testing purposes only).
    Listing 1. Creating a CA certificate
    //RACFCERT JOB CLASS=A,MSGCLASS=H,NOTIFY=&SYSUID,REGION=0M
    //CERT01 EXEC PGM=IKJEFT01
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN DD *
      RACDCERT CERTAUTH GENCERT +
      SUBJECTSDN( +
      CN('MVD3 FTPS CA CERT PABMUKH') +
      O('IBM') L('BLR') C('IN') ) +
      TRUST +
      SIZE(1024) +
      NOTBEFORE(DATE(2013-04-15)) +
      NOTAFTER(DATE(2023-04-15)) +
      WITHLABEL('MVD3 FTPS CA CERT') +
      KEYUSAGE(CERTSIGN)
    /*
  2. Create a personal certificate for the FTPS server, signed by the CA certificate created in Step 1a.
    Listing 2. Creating a personal certificate
    //RACFCERT JOB CLASS=A,MSGCLASS=H,NOTIFY=&SYSUID,REGION=0M
    //CERT01 EXEC PGM=IKJEFT01
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN DD *
      RACDCERT ID(SYSTASK) GENCERT +
      SUBJECTSDN( +
      CN('MVD3 FTPS SERV CERT PABMUKH') +
      O('IBM') L('BLR') C('IN') ) +
      SIZE(1024) +
      NOTBEFORE(DATE(2013-04-15)) +
      NOTAFTER(DATE(2023-04-15)) +
      WITHLABEL('MVD3 FTPS SERV CERT') +
      KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN) +
      SIGNWITH(CERTAUTH LABEL('MVD3 FTPS CA CERT'))
    /*
  3. Export the CA certificate to a dataset and FTP it to the site where the FTP client is running. (Remember to FTP this dataset in ASCII mode).
    Listing 3. Exporting CA certificate
    //RACFCERT JOB CLASS=A,MSGCLASS=H,NOTIFY=&SYSUID,REGION=0M
    //CERT01 EXEC PGM=IKJEFT01
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN DD *
      RACDCERT CERTAUTH +
      EXPORT(LABEL('MVD3 FTPS CA CERT')) +
      DSN('PABMUKH.MVD3.FTPS.CACERT.B64') +
      FORMAT(CERTB64)
    /*
  4. Create a new RACF key ring and connect the CA certificate to this key ring. The user ID of the FTPD started task on this LPAR should be the owner of this key ring. Also, connect the personal certificate as the default certificate to this key ring. Ensure that the certificates are in TRUSTed state. Finally, list the certificates connected to this key ring for verification.
    Listing 4. Creating RACF key ring and adding certificates
    //RACFCERT JOB CLASS=A,MSGCLASS=H,NOTIFY=&SYSUID,REGION=0M
    //CERT01 EXEC PGM=IKJEFT01
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN DD *,DLM=@@
    /******************************************************
    /* Add a keyring called MVD3FTPSRING                  *
    /******************************************************
      RACDCERT ID(SYSTASK) ADDRING(MVD3FTPSRING)
    /******************************************************
    /* Connect the CA certificate to MVD3FTPSRING keyring *
    /******************************************************
      RACDCERT ID(SYSTASK) +
      CONNECT(CERTAUTH LABEL('MVD3 FTPS CA CERT') +
      RING(MVD3FTPSRING) )
    /******************************************************
    /* Connect the FTP server certificate to MVD3FTPSRING *
    /* keyring                                            *
    /******************************************************
      RACDCERT ID(SYSTASK) +
      CONNECT(LABEL('MVD3 FTPS SERV CERT') +
      RING(MVD3FTPSRING) +
      DEFAULT)
    /******************************************************
    /* List the contents of MVD3FTPSRING keyring          *
    /******************************************************
      RACDCERT ID(SYSTASK) LISTRING(MVD3FTPSRING)
    @@

Step 2: Update the TCP/IP and FTP profile and configuration data to enable AT-TLS

  1. Update the TCPIP profile member in the TCPIP parameter dataset to include the configuration statement shown in Listing 5.
    Listing 5. Configuring TCPIP profile
    TCPCONFIG TTLS       ; TO ENABLE AT-TLS SUPPORT IN TCP LAYER OF TCPIP

    You can find the sample TCPIP profile member SAMPPROF in the TCPIP target library hlq.SEZAINST. To identify the active profile dataset member, look at the PROFILE DD statement of the TCPIP started task procedure.
  2. Update the FTP.DATA member to include the configuration statements shown in Listing 6.
    Listing 6. Configuring FTP.DATA dataset member
    EXTENSIONS AUTH_TLS         ; Enable TLS authentication
    TLSMECHANISM ATTLS          ; TLS provided by AT-TLS rather than by FTP itself
    SECURE_FTP ALLOWED          ; TLS optional (REQUIRED makes it mandatory)
    SECURE_LOGIN NO_CLIENT_AUTH ; No client certificate authentication
    SECURE_PASSWORD REQUIRED    ; Password requirement
    SECURE_CTRLCONN PRIVATE     ; Minimum level of security CTRL
    SECURE_DATACONN PRIVATE     ; Minimum level of security DATA
    TLSRFCLEVEL RFC4217         ; SSL/TLS RFC Level supported
    TLSTIMEOUT 500              ; TLS timeout value
    TLSPORT 0                   ; No implicit-TLS port (explicit AUTH TLS only)
    KEYRING MVD3FTPSRING        ; Name of key ring
    FTPKEEPALIVE 0
    DEBUG ALL                   ; ALL TRACE
    TRACE
    FTPLOGGING TRUE

    You can find the sample FTP.DATA member FTPSDATA in the TCPIP target library hlq.SEZAINST. To identify the active FTP.DATA dataset, look at the SYSFTPD DD statement in the FTP started task procedure (default name FTPD). If no FTP.DATA file is in use, FTP uses default values for these parameters. In such a case, you need to create the FTP.DATA dataset and provide the dataset name in the SYSFTPD DD statement of the FTP started task.
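Before restarting the server, the FTP.DATA statements from Listing 6 can be checked mechanically. The following is an added example, not code from the original article or from IBM: it parses FTP.DATA text and flags settings that leave TLS optional or below the PRIVATE level, plus diagnostic tracing left on. The function names, the severity labels and the embedded sample (constructed from Listing 6) are assumptions made for the illustration.

```python
# Constructed sample: the TLS-related statements of Listing 6.
LISTING_6 = """\
EXTENSIONS AUTH_TLS         ; Enable TLS authentication
TLSMECHANISM ATTLS          ; Server-specific or ATTLS
SECURE_FTP ALLOWED          ; Security required/optional
SECURE_LOGIN NO_CLIENT_AUTH ; Client authentication
SECURE_PASSWORD REQUIRED    ; Password requirement
SECURE_CTRLCONN PRIVATE     ; Minimum level of security CTRL
SECURE_DATACONN PRIVATE     ; Minimum level of security DATA
TLSRFCLEVEL RFC4217         ; SSL/TLS RFC Level supported
KEYRING MVD3FTPSRING        ; Name of key ring
DEBUG ALL                   ; ALL TRACE
TRACE
FTPLOGGING TRUE
"""


def parse_ftp_data(text):
    """Return {STATEMENT: [value, ...]}. ';' starts a comment; a statement
    may appear more than once (for example several EXTENSIONS lines)."""
    stmts = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        # Values keep their case: RACF key ring names are case-sensitive.
        stmts.setdefault(parts[0].upper(), []).append(" ".join(parts[1:]))
    return stmts


def audit(text):
    """Return a list of (severity, statement, message) findings."""
    s = parse_ftp_data(text)

    def first(name):
        return (s.get(name) or [""])[0].upper()

    findings = []
    if "AUTH_TLS" not in [v.upper() for v in s.get("EXTENSIONS", [])]:
        findings.append(("FAIL", "EXTENSIONS",
                         "AUTH_TLS is not enabled, so clients cannot request TLS"))
    if first("TLSMECHANISM") != "ATTLS":
        findings.append(("FAIL", "TLSMECHANISM",
                         "not ATTLS, so the AT-TLS policy is not the TLS provider"))
    if first("SECURE_FTP") != "REQUIRED":
        findings.append(("WARN", "SECURE_FTP",
                         "TLS is optional; clients can still log in without it"))
    for stmt in ("SECURE_CTRLCONN", "SECURE_DATACONN"):
        if first(stmt) != "PRIVATE":
            findings.append(("WARN", stmt,
                             "minimum protection level is below PRIVATE"))
    for stmt in ("DEBUG", "TRACE"):
        if stmt in s:
            findings.append(("INFO", stmt,
                             "diagnostic tracing is on; turn it off once setup is verified"))
    return findings


if __name__ == "__main__":
    for severity, statement, message in audit(LISTING_6):
        print(f"{severity:4} {statement:16} {message}")
```

Run against Listing 6 as published, the audit reports one warning: `SECURE_FTP ALLOWED` lets a client skip TLS altogether, so the settings that follow it only apply to clients that choose to secure the session.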

Step 3: Set up AT-TLS policy using IBM Configuration Assistant for z/OS Communication Server

  1. Launch IBM Configuration Assistant for z/OS Communication Server and right-click on z/OS Images and select Add new z/OS Image… as shown in Figure 1.
    Figure 1. Adding z/OS image
  2. Provide the z/OS image name and select the z/OS version from the drop-down menu. Click OK to add the new z/OS image as shown in Figure 2.
    Figure 2. Specify z/OS image name and version
  3. As shown in Figure 3, the z/OS image should appear in the left pane of the Main Perspective view of Configuration Assistant.
    Figure 3. z/OS image and version added to Configuration Assistant
  4. Select AT-TLS technology as shown in Figure 4. Then right-click on this line item and click Enable. The status should now change to Incomplete.
    Figure 4. Enabling AT-TLS
  5. Click Add New TCP/IP Stack… and provide the TCPIP stack name that is in use on the MVD3 system. Click OK.
    Figure 5. Adding TCPIP stack
  6. As shown in Figure 6, the TCP/IP stack entry should appear in the main perspective, under the image name.
    Figure 6. TCPIP stack added under z/OS image name
  7. Select AT-TLS technology and click Enable. The status should now change to Incomplete and the Configure button should be enabled.
    Figure 7. Enabling AT-TLS
  8. Click Configure. From the list that appears (shown in Figure 8), select the Default_FTP-Server rule. Now click Modify....
    Figure 8. Configuring AT-TLS
  9. Review all the options. If you are not using the default port number 21, change the port number accordingly.
    Figure 9. Modifying traffic rules
  10. Select the Key Ring tab. As shown in Figure 10, provide the key ring name, created in Step 1d. Click OK.
    Figure 10. Modifying key ring rules
  11. The key ring name should be updated in the AT-TLS perspective as shown in Figure 11. Now right-click on this entry and click Enable Rule.
    Figure 11. Enabling FTP rules
  12. The status of the Default_FTP-Server rule should now have been changed to Enabled. Click Apply Changes, followed by OK, as shown in Figure 12.
    Figure 12. Applying FTP rules
  13. Now navigate back to the Main Perspective and select the AT-TLS entry in the table. Click Install.
    Figure 13. Selecting AT-TLS policy for installation
  14. Review the details in the window shown in Figure 14. Make any necessary changes and click Install.
    Figure 14. Installing AT-TLS policy
  15. To upload this AT-TLS policy to the z/OS remote host via FTP, provide the install path, hostname, port number, user ID, and password. Click Go.
    Figure 15. Uploading AT-TLS policy rules

    This concludes AT-TLS policy installation on the z/OS image (MVD3), where the FTP server is running.

Step 4: Configure and set up Policy Agent on z/OS

  1. Create the pagent.mvd3.env environment file in the UNIX System Services /etc directory for the Policy Agent. The contents of this file are shown in Listing 7.
    Listing 7. Contents of pagent.mvd3.env file
    /MVD3/etc:>cat /etc/pagent.mvd3.env
    PAGENT_CONFIG_FILE=/etc/pagent.mvd3.conf
    PAGENT_LOG_FILE=/tmp/pagent.mvd3.log
    PAGENT_LOG_FILE_CONTROL=300,3
  2. Create the pagent.mvd3.conf configuration file in UNIX System Services /etc directory for the Policy Agent. The contents of this file are shown in Listing 8.
    Listing 8. Contents of pagent.mvd3.conf file
    /MVD3/etc:>cat /etc/pagent.mvd3.conf
    TcpImage TCPIP /etc/mvd3.tcpip_image.conf
  3. Create the mvd3.tcpip_image.conf TCPIP configuration file in the UNIX System Services /etc directory for the Policy Agent. The contents of this file are shown in Listing 9.
    Listing 9. Contents of mvd3.tcpip_image.conf file
    /MVD3/etc:>cat /etc/mvd3.tcpip_image.conf
    TTLSConfig /etc/cfgasst/v1r12/MVD3/TCPIP/tlsPol
  4. Copy the PAGENT started task procedure from the TCPIP target library hlq.SEZAINST to the system or user proclib dataset and update the EXEC statement as shown in Listing 10.
    Listing 10. PAGENT started task EXEC statement
    //PAGENT   EXEC PGM=PAGENT,REGION=0K,TIME=NOLIMIT,                 
    //     PARM='POSIX(ON) ALL31(ON) ENVAR("_CEE_ENVFILE=DD:STDENV")/'

    Also, update the STDENV statement to point to the PAGENT environment file created in Step 4a, as shown in Listing 11.
    Listing 11. PAGENT started task STDENV statement
    //STDENV   DD PATH='/etc/pagent.mvd3.env',PATHOPTS=(ORDONLY)
  5. Enable AUTOLOG (if not already enabled) in the profile member of the TCPIP started task procedure. Include PAGENT in the AUTOLOG statement.
  6. Create RACF profile definitions for the PAGENT started task as shown in Listing 12. Here SYSTASK is the user ID under which the FTPD address space is running.
    Listing 12. RACF commands to define resources for PAGENT started task
    RDEF STARTED PAGENT.* OWNER(owner_userID) STDATA(USER(SYSTASK))
    
    SETR RACLIST(STARTED) REFR
  7. Set up TTLS Stack Initialization access control as described below.

    If you are using Application Transparent Transport Layer Security (AT-TLS), z/OS will not allow any socket-based applications to start before PAGENT is up and running, to make sure that all the security policies are enforced. But some essential applications need to start before PAGENT. To allow this, you have to define a resource profile EZB.INITSTACK.sysname.tcpprocname in the SERVAUTH class. Sample RACF commands are shown in Listing 13.
    Listing 13. RACF commands to administer profiles in SERVAUTH class
    SETROPTS CLASSACT(SERVAUTH)
    
    SETROPTS RACLIST (SERVAUTH)
    
    SETROPTS GENERIC (SERVAUTH)
    
    RDEFINE SERVAUTH EZB.INITSTACK.MVD3.TCPIP UACC(NONE)
    
    PERMIT EZB.INITSTACK.MVD3.TCPIP CLASS(SERVAUTH) ID(*) ACCESS(READ) +
    WHEN(PROGRAM(PAGENT,EZAPAGEN))
    
    SETROPTS GENERIC(SERVAUTH) REFRESH
    
    SETROPTS RACLIST(SERVAUTH) REFRESH
    
    SETROPTS WHEN(PROGRAM) REFRESH
  8. Stop FTP and TCPIP address spaces from the z/OS console by issuing /STOP commands. Restart TCPIP address space (by logging on to z/OS Hardware Management Console or by issuing a /RO MVD3,START command from another LPAR in the same sysplex). With AT-TLS enabled, check the TCPIP stack SYSOUT dataset for details on which cryptographic algorithms are supported by your hardware.
    Listing 14. TCPIP started task SYSOUT contents
    System SSL: SHA-1 crypto assist is available          
    System SSL: SHA-224 crypto assist is available        
    System SSL: SHA-256 crypto assist is available        
    System SSL: SHA-384 crypto assist is not available    
    System SSL: SHA-512 crypto assist is not available    
    System SSL: DES crypto assist is not available        
    System SSL: DES3 crypto assist is not available       
    System SSL: AES 128-bit crypto assist is not available
    System SSL: AES 256-bit crypto assist is not available
    System SSL: ICSF services are not available

    Also, PAGENT address space should be started automatically after TCPIP address space comes up. Look for the messages shown in Listing 15 in the PAGENT joblog.

    Listing 15. PAGENT joblog messages
    EZZ8431I PAGENT STARTING                                          
    EZZ8432I PAGENT INITIALIZATION COMPLETE                           
    EZZ8771I PAGENT CONFIG POLICY PROCESSING COMPLETE FOR TCPIP : TTLS
    EZD1586I PAGENT HAS INSTALLED ALL LOCAL POLICIES FOR TCPIP
  9. Now start the FTP server started task by issuing the /START command from the z/OS console. Look for a message similar to that shown in Listing 16, to verify if the FTP server has started without error.
    Listing 16. FTP server started task message
    EZY2702I Server-FTP: Initialization completed at HH:MM:SS on MM/DD/YY.

    This step concludes the FTPS server setup on the z/OS host. The FTPS server is now up and running and ready to accept secure connections from clients.


Connecting to FTPS server on z/OS

This section shows how to connect to an FTPS server on z/OS from different FTP clients. Here, we consider two scenarios:

Scenario 1: Connecting to FTPS server on z/OS from an FTP client running on your workstation

Scenario 2: Connecting to FTPS server on z/OS from an FTP client on a different z/OS system

Scenario 1: Connecting to FTPS server on z/OS from an FTP client running on your workstation

Note: "Smart FTP" client software, running on a Microsoft® Windows® workstation, has been used as an example for this scenario. You can use any other FTP client software that supports secure connections on an appropriate operating system.

  1. Import the CA certificate (which you have FTP-ed earlier in Step 1c) as a trusted root CA, as shown in Figure 16.
    Figure 16. Importing CA certificate on client
  2. Create a new connection for the FTPS server by providing the hostname, username, and password.
    Figure 17. Creating FTPS connection from the client
  3. Click OK to create the connection and list the directories on the z/OS host (MVD3). A sample directory list can be seen in Figure 18. This confirms that the FTP client running on your workstation has successfully connected to the FTPS server on z/OS host.
    Figure 18. Directory listing in FTP client software

Scenario 2: Connecting to FTPS server on z/OS from an FTP client on a different z/OS system

In this example, we connect to the FTPS server on the MVD3 system from another z/OS system (system name MVC6) that acts as a client. A job (JCL) is submitted on MVC6 to execute the FTP client program, which connects to the FTPS server on MVD3. In order to set up the client system MVC6, follow these instructions:

  1. Transfer the CA certificate of the FTPS server (on MVD3) to the client system (MVC6). Note that this CA certificate was exported to a dataset in Step 1c when the FTPS server was being set up on the MVD3 system. Add this CA certificate in MVC6 RACF. Listing 17 provides sample JCL code. Alternatively, you can use RACF panels to add this CA certificate.
    Listing 17. Adding CA certificate in client system
    //RACFCERT JOB CLASS=A,MSGCLASS=H,NOTIFY=&SYSUID,REGION=0M
    //CERT01 EXEC PGM=IKJEFT01
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN DD *
      RACDCERT ADD('PABMUKH.MVD3.FTPS.CACERT.B64') +
      CERTAUTH TRUST + 
      WITHLABEL('MVD3 FTPS CA CERT') 
    /*
  2. Create a new RACF key ring on the client system (in this example, we are using PMFTPSCLNT). The key ring should be owned by the userID submitting the FTP job (in this example, we are using PABMUKH userID). Now, connect the server CA certificate to this key ring. Finally, list the contents of this key ring for verification. Sample JCL code has been provided to execute RACF commands in Listing 18. Alternatively, you can use RACF panels to set up the client key ring.
    Listing 18. Setting up client key ring
    //RACFCERT JOB CLASS=A,MSGCLASS=H,NOTIFY=&SYSUID,REGION=0M
    //CERT01 EXEC PGM=IKJEFT01
    //SYSTSPRT DD SYSOUT=*
    //SYSTSIN DD *
      RACDCERT ID(PABMUKH) ADDRING(PMFTPSCLNT)
      
      RACDCERT ID(PABMUKH) +
      CONNECT(CERTAUTH LABEL('MVD3 FTPS CA CERT') +
      RING(PMFTPSCLNT) )
      
      RACDCERT ID(PABMUKH) LISTRING(PMFTPSCLNT)
    /*
  3. Set up AT-TLS policy on the client system using z/OS Configuration Assistant by following the instructions for the server system configuration (Step 3). The only difference this time is that you need to select and enable the Default_FTP-Client rule instead of the Default_FTP-Server rule and specify the client's key ring name (PMFTPSCLNT) in the Key Ring tab while modifying the Key Ring rules. This is shown in Figure 19 and Figure 20.
    Figure 19. Configuring AT-TLS rule for client
    Figure 20. Modifying Key Ring Rules for client
    Install this AT-TLS policy on the client system (MVC6). The installation steps are exactly the same as the steps followed for the server side setup.
  4. Configure TCPIP profile to enable TTLS support (Step 2a) and set up the Policy Agent on the client system (MVC6) by following the instructions for the server system (Steps 4a to 4h). The client system is now ready to connect to the FTPS server.
  5. Submit the FTPSCLNT job (or an equivalent job) provided in Listing 19 on the client system. The FTPSCLNT job lists the UNIX System Services files in the user home directory on the MVD3 system. Note that the SYSTCPD DD statement in the JCL code points to the same dataset as the SYSTCPD DD statement in the TCPIP started task on the client system. The SYSFTPD DD statement points to a customized FTP.DATA file for the FTP client. The FTP client key ring name needs to be provided in this FTP.DATA file. The SYSFTPD file used in this JCL has been provided in the Downloads section for your reference.
    Listing 19. FTPS client JCL
    //FTPSCLNT JOB ,CLASS=A,REGION=0M,                
    //     MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID  
    //FTPSTEP   EXEC PGM=FTP,PARM='-a TLS'             
    //SYSTCPD  DD DSN=TCPIP.PARMS(TDATAC6),DISP=SHR   
    //SYSFTPD  DD DSN=PABMUKH.CNTL(PMFTPCLN),DISP=SHR 
    //SYSPRINT DD  SYSOUT=*                          
    //INPUT    DD  *                                 
    BLRMVSD3.IN.IBM.COM                              
    PABMUKH PASSWORD                                 
    cd /u/pabmukh                                    
    ls                                               
    QUIT                                             
    /*

    A sample joblog has also been provided for your reference in Downloads.

Downloads

Description                             Name                    Size
FTPCLNT JCL Joblog                      FTPCLNTJCLJoblog.pdf    10KB
FTP.DATA file for FTP Client on z/OS    PMFTPCLN.txt            10KB
