Securing FTP server on z/OS
SSL/TLS (FTPS) implementation for server authentication
z/OS is the most widely used IBM mainframe operating system. It is a 64-bit operating system that is derived from and is the successor to OS/390. It is designed to offer a stable, secure, continuously available, and scalable environment for applications running on the mainframe. z/OS is designed to take advantage of the IBM System z architecture, or z/Architecture.
The z/OS operating system is a share-everything runtime environment that provides resource sharing through virtualization technology. It uses special hardware and software to access and control the use of those resources, ensuring that there is very little underutilization of components.
File Transfer Protocol (FTP) is one of the most commonly used network protocols to transfer files from one host to another host over a TCP-based network. FTP, which is based on client-server architecture, uses separate control and data connections between the client and the server. FTP is not a secured protocol and is extremely vulnerable to sniffing and other forms of cyber-attacks, which can severely compromise data security.
In typical enterprise systems, digital certificates are used by Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to implement an authentication mechanism between a client and a server. This article describes how you can secure FTP on z/OS using SSL/TLS (FTPS) for server authentication. This authentication process can be provided natively by the application itself, or the process can be performed transparently to the application by implementing Application Transparent TLS (AT-TLS). In the example provided in this article, the AT-TLS method is used. The article also describes creating AT-TLS policy using IBM Configuration Assistant for z/OS Communication Server and setting up Policy Agent on z/OS.
Understanding SFTP and FTPS
People often use (and sometimes confuse) SFTP and FTPS interchangeably while referring to a secured mode of file transfer. Although both SFTP and FTPS are designed to serve a common purpose, they are quite different from each other in the way they work.
Back in the early days, FTP was a widely used unsecured protocol for transferring files across a network, whereas SSH, a secured network protocol, lacked FTP-like file transfer commands. When the need for a secured mode of transferring files was felt, two different solutions were proposed. The first solution was to add FTP capabilities to SSH, resulting in SFTP (SSH File Transfer Protocol). The second solution was to implement SSH security features in FTP, giving rise to FTPS (FTP over SSL or FTP Secured).
SFTP uses a single channel to transmit and receive all the pertinent data, whereas FTPS uses two channels (command channel and data channel) for file transfer. The data channel uses on-demand temporary ports that are dynamically decided. When it comes to passing through a firewall, FTPS often has problems, as it does not know the port that is being used for the data transfer and thereby fails to allow traffic through that port. FTPS sends messages in a text format, allowing people to read logs and understand what happened during the session. This is not possible with SFTP, where the messages are in binary.
To benefit from this article, you should have basic knowledge of:
- Public key infrastructure and how SSL and TLS works
- FTP server and TCPIP stack on z/OS
- z/OS Security Server—RACF administration
- Job Control Language (JCL)
- z/OS UNIX System Services (USS)
In addition to the prerequisites mentioned above, you need to install IBM Configuration Assistant for z/OS Communication Server. You can either install it on your workstation using a stand-alone installer or access it through z/OSMF (z/OS management facility) installed on your z/OS host, via the web interface. Note that as of z/OS V2R1, the Configuration Assistant tool is not provided as a separate download and is provided only as part of z/OSMF.
Setting up FTPS server on z/OS LPAR for server authentication
Follow the instructions given below (Step 1 to Step 4) to set up FTPS server on z/OS LPAR (in our example, the LPAR name is MVD3) for server authentication. It is assumed that FTP service is already configured on this LPAR and that it is active on default port 21. The mode of the FTPS setup is FTPS Explicit SSL.
FTPS server setup for server authentication involves four major tasks:
Step 1: Set up digital certificates in RACF
Sample JCL code has been provided with every step to execute RACF commands. Alternatively, you can use RACF panels to set up these digital certificates and key ring.
- Create a CA certificate (this is for testing purposes only).
Listing 1. Creating a CA certificate
//RACFCERT JOB CLASS=A,MSGCLASS=H,NOTIFY=&SYSUID,REGION=0M //CERT01 EXEC PGM=IKJEFT01 //SYSTSPRT DD SYSOUT=* //SYSTSIN DD * RACDCERT CERTAUTH GENCERT + SUBJECTSDN( + CN('MVD3 FTPS CA CERT PABMUKH') + O('IBM') L('BLR') C('IN') ) + TRUST + SIZE(1024) + NOTBEFORE(DATE(2013-04-15)) + NOTAFTER(DATE(2023-04-15)) + WITHLABEL('MVD3 FTPS CA CERT') + KEYUSAGE(CERTSIGN) /*
- Create a personal certificate for the FTPS server, signed by the CA
certificate created in Step 1a.
Listing 2. Creating a personal certificate
//RACFCERT JOB CLASS=A,MSGCLASS=H,NOTIFY=&SYSUID,REGION=0M //CERT01 EXEC PGM=IKJEFT01 //SYSTSPRT DD SYSOUT=* //SYSTSIN DD * RACDCERT ID(SYSTASK) GENCERT + SUBJECTSDN( + CN('MVD3 FTPS SERV CERT PABMUKH') + O('IBM') L('BLR') C('IN') ) + SIZE(1024) + NOTBEFORE(DATE(2013-04-15)) + NOTAFTER(DATE(2023-04-15)) + WITHLABEL('MVD3 FTPS SERV CERT') + KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN) + SIGNWITH(CERTAUTH LABEL('MVD3 FTPS CA CERT')) /*
- Export the CA certificate to a dataset and FTP it to the site where
the FTP client is running. (Remember to FTP this dataset in ASCII
Listing 3. Exporting CA certificate
//RACFCERT JOB CLASS=A,MSGCLASS=H,NOTIFY=&SYSUID,REGION=0M //CERT01 EXEC PGM=IKJEFT01 //SYSTSPRT DD SYSOUT=* //SYSTSIN DD * RACDCERT CERTAUTH + EXPORT(LABEL('MVD3 FTPS CA CERT')) + DSN('PABMUKH.MVD3.FTPS.CACERT.B64') + FORMAT(CERTB64) /*
- Create a new RACF key ring and connect the CA certificate to this key
ring. The user ID of the FTPD started task on this LPAR should be the
owner of this key ring. Also, connect the personal certificate as the
default certificate to this key ring. Ensure that the certificates are
in TRUSTed state. Finally, list the certificates connected to this key
ring for verification.
Listing 4. Creating RACF key ring and adding certificates
//RACFCERT JOB CLASS=A,MSGCLASS=H,NOTIFY=&SYSUID,REGION=0M //CERT01 EXEC PGM=IKJEFT01 //SYSTSPRT DD SYSOUT=* //SYSTSIN DD *,DLM=@@ /****************************************************** /* Add a keyring called MVD3FTPSRING * /****************************************************** RACDCERT ID(SYSTASK) ADDRING(MVD3FTPSRING) /****************************************************** /* Connect the CA certificate to MVD3FTPSRING keyring * /****************************************************** RACDCERT ID(SYSTASK) + CONNECT(CERTAUTH LABEL('MVD3 FTPS CA CERT') + RING(MVD3FTPSRING) ) /****************************************************** /* Connect the FTP server certificate to MVD3FTPSRING * /* keyring * /****************************************************** RACDCERT ID(SYSTASK) + CONNECT(LABEL('MVD3 FTPS SERV CERT') + RING(MVD3FTPSRING) + DEFAULT) /****************************************************** /* List the contents of MVD3FTPSRING keyring * /****************************************************** RACDCERT ID(SYSTASK) LISTRING(MVD3FTPSRING) @@
Step 2: Update the TCP/IP and FTP profile and configuration data to enable AT-TLS
- Update the TCPIP profile member in the TCPIP parameter dataset to
include the configuration statement shown in Listing 5.
Listing 5. Configuring TCPIP profile
TCPCONFIG TTLS ; TO ENABLE AT-TLS SUPPORT IN TCP LAYER OF TCPIP
You can find the sample TCPIP profile member SAMPPROF in the TCPIP target library hlq.SEZAINST. To identify the active profile dataset member, look at the PROFILE DD statement of the TCPIP started task procedure.
- Update the FTP.DATA member to include the configuration statements
shown in Listing 6.
Listing 6. Configuring FTP.DATA dataset member
EXTENSIONS AUTH_TLS ; Enable TLS authentication TLSMECHANISM ATTLS ; Server-specific or ATTLS SECURE_FTP ALLOWED ; Security required/optional SECURE_LOGIN NO_CLIENT_AUTH ; Client authentication SECURE_PASSWORD REQUIRED ; Password requirement SECURE_CTRLCONN PRIVATE ; Minimum level of security CTRL SECURE_DATACONN PRIVATE ; Minimum level of security DATA TLSRFCLEVEL RFC4217 ; SSL/TLS RFC Level supported TLSTIMEOUT 500 ; SSL/TLS RFC Level supported TLSPORT 0 ; SSL/TLS RFC Level supported KEYRING MVD3FTPSRING ; Name of key ring FTPKEEPALIVE 0 DEBUG ALL ; ALL TRACE TRACE FTPLOGGING TRUE
You can find the sample FTP.DATA member FTPSDATA in TCPIP target library hlq.SEAZINST. To identify the active FTP.DATA dataset, look at the SYSFTPD DD statement in the FTP started task procedure (default name FTPD). If no FTP.DATA file is in use, FTP uses default values for these parameters. In such a case, you need to create the FTP.DATA dataset and provide the dataset name in the SYSFTPD DD statement of the FTP started task.
Step 3: Set up AT-TLS policy using IBM Configuration Assistant for z/OS Communication Server
- Launch IBM Configuration Assistant for z/OS Communication Server and
right-click on z/OS Images and select Add new
z/OS Image… as shown in Figure 1.
Figure 1. Adding z/OS image
- Provide the z/OS image name and select the z/OS version from the
drop-down menu. Click OK to add the new z/OS image as
shown in Figure 2.
Figure 2. Specify z/OS image name and version
- As shown in Figure 3, the z/OS image should
appear in the left pane of the Main Perspective view of Configuration
Figure 3. z/OS image and version added to Configuration Assistant
- Select AT-TLS technology as shown in Figure 4. Then right-click on this line item and
click Enable. The status should now change to
Figure 4. Enabling AT-TLS
- Click Add New TCP/IP Stack… and provide the TCPIP
stack name that is in use on the MVD3 system. Click
Figure 5. Adding TCPIP stack
- As shown in Figure 6, the TCP/IP stack entry should appear in the main
perspective, under the image name.
Figure 6. TCPIP stack added under z/OS image name
- Select AT-TLS technology and click
Enable. The status should now change to
Incompleteand the Configure button should be enabled.
Figure 7. Enabling AT-TLS
- Click Configure. From the list that appears (shown
in Figure 8), select the
Default_FTP-Server rule. Now click
Figure 8. Configuring AT-TLS
- Review all the options. If you are not using the default port number
21, change the port number accordingly.
Figure 9. Modifying traffic rules
- Select the Key Ring tab. As shown in Figure 10, provide the key ring name, created in
Step 1d. Click OK.
Figure 10. Modifying key ring rules
- The key ring name should be updated in the AT-TLS perspective as shown
in Figure 11. Now right-click on this entry and
click Enable Rule.
Figure 11. Enabling FTP rules
- The status of the Default_FTP-Server rule should now
have been changed to
Enabled. Click Apply Changes, followed by OK, as shown in Figure 12.
Figure 12. Applying FTP rules
- Now navigate back to the Main Perspective and select the
AT-TLS entry in the table. Click
Figure 13. Selecting AT-TLS policy for installation
- Review the details in the window shown in Figure 14. Make any necessary changes and click
Figure 14. Installing AT-TLS policy
- To upload this AT-TLS policy to the z/OS remote host via FTP, provide
the install path, hostname, port number, user ID, and password. Click
Figure 15. Uploading AT-TLS policy rules
This concludes AT-TLS policy installation on the z/OS image (MVD3), where the FTP server is running.
Step 4: Configure and set up Policy Agent on z/OS
- Create the pagent.mvd3.env environment file in the UNIX System
Services /etc directory for the Policy Agent. The contents of this
file are shown in Listing 7.
Listing 7. Contents of pagent.mvd3.env file
/MVD3/etc:>cat /etc/pagent.mvd3.env PAGENT_CONFIG_FILE=/etc/pagent.mvd3.conf PAGENT_LOG_FILE=/tmp/pagent.mvd3.log PAGENT_LOG_FILE_CONTROL=300,3
- Create the pagent.mvd3.conf configuration file in UNIX System Services
/etc directory for the Policy Agent. The contents of this file are
shown in Listing 8.
Listing 8. Contents of pagent.mvd3.conf file
/MVD3/etc:>cat /etc/pagent.mvd3.conf TcpImage TCPIP /etc/mvd3.tcpip_image.conf
- Create the mvd3.tcpip_image.conf TCPIP configuration file in the UNIX
System Services /etc directory for the Policy Agent. The contents of
this file are shown in Listing 9.
Listing 9. Contents of mvd3.tcpip_image.conf file
/MVD3/etc:>cat /etc/mvd3.tcpip_image.conf TTLSConfig /etc/cfgasst/v1r12/MVD3/TCPIP/tlsPol
- Copy the PAGENT started task procedure from the TCPIP target library
hlq.SEZAINST to the system or user proclib dataset and
update the EXEC statement as shown in Listing 10.
Listing 10. PAGENT started task EXEC statement
//PAGENT EXEC PGM=PAGENT,REGION=0K,TIME=NOLIMIT, // PARM='POSIX(ON) ALL31(ON) ENVAR("_CEE_ENVFILE=DD:STDENV")/'
Also, update the STDENV statement to point to the PAGENT environment file created in Step 4a, as shown in Listing 11.
Listing 11. PAGENT started task STDENV statement
//STDENV DD PATH='/etc/pagent.mvd3.env',PATHOPTS=(ORDONLY)
- Enable AUTOLOG (if not already enabled) in the profile member of the TCPIP started task procedure. Include PAGENT in the AUTOLOG statement.
- Create RACF profile definitions for the PAGENT started task as shown
in Listing 12. Here SYSTASK is the user ID under
which the FTPD address space is running.
Listing 12. RACF commands to define resources for PAGENT started task
RDEF STARTED PAGENT.* OWNER(owner_userID) STDATA(USER(SYSTASK)) SETR RACLIST(STARTED) REFR
Set up TTLS Stack Initialization access control as described below.If you are using Application Transparent Transport Layer Security (AT-TLS), z/OS will not allow any socket-based applications to start before PAGENT is up and running, to make sure that all the security policies are enforced. But some essential applications need to start before PAGENT. To allow this, you have to define a resource profile EZB.INITSTACK.sysname.tcpprocname in the SERVAUTH class. Sample RACF commands are shown in Listing 13.
Listing 13. RACF commands to administer profiles in SERVAUTH class
SETROPTS CLASSACT(SERVAUTH) SETROPTS RACLIST (SERVAUTH) SETROPTS GENERIC (SERVAUTH) RDEFINE SERVAUTH EZB.INITSTACK.MVD3.TCPIP UACC(NONE) PERMIT EZB.INITSTACK.MVD3.TCPIP CLASS(SERVAUTH) ID(*) ACCESS(READ) + WHEN(PROGRAM(PAGENT,EZAPAGEN)) SETROPTS GENERIC(SERVAUTH) REFRESH SETROPTS RACLIST(SERVAUTH) REFRESH SETROPTS WHEN(PROGRAM) REFRESH
- Stop FTP and TCPIP address spaces from the z/OS console by issuing
/STOPcommands. Restart TCPIP address space (by logging on to z/OS Hardware Management Console or by issuing a
/RO MVD3,STARTcommand from another LPAR in the same sysplex). With AT-TLS enabled, check the TCPIP stack SYSOUT dataset for details on which cryptographic algorithms are supported by your hardware.
Listing 14. TCPIP started task SYSOUT contents
System SSL: SHA-1 crypto assist is available System SSL: SHA-224 crypto assist is available System SSL: SHA-256 crypto assist is available System SSL: SHA-384 crypto assist is not available System SSL: SHA-512 crypto assist is not available System SSL: DES crypto assist is not available System SSL: DES3 crypto assist is not available System SSL: AES 128-bit crypto assist is not available System SSL: AES 256-bit crypto assist is not available System SSL: ICSF services are not available
Also, PAGENT address space should be started automatically after TCPIP address space comes up. Look for the messages shown in Listing 15 in the PAGENT joblog.
Listing 15. PAGENT joblog messages
EZZ8431I PAGENT STARTING EZZ8432I PAGENT INITIALIZATION COMPLETE EZZ8771I PAGENT CONFIG POLICY PROCESSING COMPLETE FOR TCPIP : TTLS EZD1586I PAGENT HAS INSTALLED ALL LOCAL POLICIES FOR TCPIP
- Now start the FTP server started task by issuing the
/STARTcommand from the z/OS console. Look for a message similar to that shown in Listing 16, to verify if the FTP server has started without error.
Listing 16. FTP server started task message
EZY2702I Server-FTP: Initialization completed at HH:MM:SS on MM/DD/YY.
This step concludes the FTPS server setup on z/OS host. The FTPS server is now up and running and ready to accept secure connection from clients.
Connecting to FTPS server on z/OS
This section shows how to connect to an FTPS server on z/OS from different FTP clients. Here, we consider two scenarios:
Scenario 1: Connecting to FTPS server on z/OS from an FTP client running on your workstation
Note: "Smart FTP" client software, running on a Microsoft® Windows® workstation, has been used as an example for this scenario. You can use any other FTP client software that supports secure connections on an appropriate operating system.
- Import the CA certificate (which you have FTP-ed earlier in Step 1c)
as a trusted root CA, as shown in Figure 16.
Figure 16. Importing CA certificate on client
- Create a new connection for the FTPS server by providing the hostname,
username, and password.
Figure 17. Creating FTPS connection from the client
- Click OK to create the connection and list
the directories on the z/OS host (MVD3). A sample directory list can
be seen in Figure 18. This confirms that the FTP client running on your
workstation has successfully connected to the FTPS server on z/OS
Figure 18. Directory listing in FTP client software
Scenario 2: Connecting to FTPS server on z/OS from an FTP client on a different z/OS system
In this example, we connect to the FTPS server on the MVD3 system from another z/OS system (system name MVC6) that acts as a client. A job (JCL) is submitted on MVC6 to execute the FTP client program, which connects to the FTPS server on MVD3. In order to set up the client system MVC6, follow these instructions:
- Transfer the CA certificate of the FTPS server (on MVD3) to the client
system (MVC6). Note that this CA certificate was exported to a dataset
in Step 1c when the FTPS server was being set up on the MVD3 system.
Add this CA certificate in MVC6 RACF. Listing 17 provides sample JCL code. Alternatively, you
can use RACF panels to add this CA certificate.
Listing 17. Adding CA certificate in client system
//RACFCERT JOB CLASS=A,MSGCLASS=H,NOTIFY=&SYSUID,REGION=0M //CERT01 EXEC PGM=IKJEFT01 //SYSTSPRT DD SYSOUT=* //SYSTSIN DD * RACDCERT ADD('PABMUKH.MVD3.FTPS.CACERT.B64') + CERTAUTH TRUST + WITHLABEL('MVD3 FTPS CA CERT') /*
- Create a new RACF key ring on the client system (in this example, we
are using PMFTPSCLNT). The key ring should be owned by the userID
submitting the FTP job (in this example, we are using PABMUKH userID).
Now, connect the server CA certificate to this key ring. Finally, list
the contents of this key ring for verification. Sample JCL code has
been provided to execute RACF commands in Listing 18. Alternatively, you can use RACF panels to set up the
client key ring.
Listing 18. Setting up client key ring
//RACFCERT JOB CLASS=A,MSGCLASS=H,NOTIFY=&SYSUID,REGION=0M //CERT01 EXEC PGM=IKJEFT01 //SYSTSPRT DD SYSOUT=* //SYSTSIN DD * RACDCERT ID(PABMUKH) ADDRING(PMFTPSCLNT) RACDCERT ID(PABMUKH) + CONNECT(CERTAUTH LABEL('MVD3 FTPS CA CERT') + RING(PMFTPSCLNT) ) RACDCERT ID(PABMUKH) LISTRING(PMFTPSCLNT) /*
- Set up AT-TLS policy on the client system using z/OS Configuration
Assistant by following the instructions for the server system
configuration (Step 3). The only difference
this time is that you need to select and enable the
Default_FTP-Client rule instead of the
Default_FTP-Server rule and specify the client's
key ring name (PMFTPSCLNT) in the Key Ring tab while
modifying the Key Ring rules. This is shown in Figure 19 and Figure 20.
Figure 19. Configuring AT-TLS rule for client
Figure 20. Modifying Key Ring Rules for client
Install this AT-TLS policy on the client system (MVC6). The installation steps are exactly the same as the steps followed for the server side setup.
- Configure TCPIP profile to enable TTLS support (Step 2a) and set up the Policy Agent on the client system (MVC6) by following the instructions for the server system (Steps 4a to 4h). The client system is now ready to connect to the FTPS server.
- Submit the FTPSCLNT job (or an equivalent job) provided in Listing 19 on the client system. The FTPSCLNT job
lists the UNIX System Services files in the user home directory on
MVD3 system. Note that the SYSTCPD DD statement in the JCL code points
to the same dataset as the SYSTCPD DD statement in the TCPIP started task
on the client system. The SYSFTPD DD statement points to a customized
FTD.DATA file for the FTP client. The FTP client key ring name needs
to be provided in this FTP.DATA file. The SYSFTPD file used in this
JCL has been provided in the Downloadable resources
section for your reference.
Listing 19. FTPS client JCL
//FTPSCLNT JOB ,CLASS=A,REGION=0M, // MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID //FTPSTEP EXEC PGM=FTP,PARM='-a TLS' //SYSTCPD DD DSN=TCPIP.PARMS(TDATAC6),DISP=SHR //SYSFTPD DD DSN=PABMUKH.CNTL(PMFTPCLN),DISP=SHR //SYSPRINT DD SYSOUT=* //INPUT DD * BLRMVSD3.IN.IBM.COM PABMUKH PASSWORD cd /u/pabmukh ls QUIT /*
A sample joblog has also been provided for your reference in Downloadable resources.
- Find out more about the IBM z/OS operating system by visiting the IBM z/OS website.
- Administrators responsible for z/OS system data security can learn how to use RACF to increase system security from the Security Server RACF Security Administrator’s Guide.
- For help in configuring IP address spaces, servers, and applications for z/OS Communications Server, see the zOS Communication Server IP Configuration Guide.
- Visit the Security On developerWorks community to find more how-to-guides, articles, videos, and demos our community resource library.
- Visit the Security On developerWorks blog to learn about new security-related how-to guides, articles, and demo videos.
- Follow @dwsecurity to get updates from the developerWorks security zone in real time.