AT-TLS problems
The FTP server and client provide a level of security using the Application Transparent Transport Layer Security (AT-TLS) protocol. The FTP server and client use the services of System SSL as described in z/OS Cryptographic Services System SSL Programming. That document describes how System SSL works and also contains a topic about obtaining diagnostic information.
If you are experiencing problems with the AT-TLS support, gather AT-TLS trace information from FTP by activating the security processing trace. You can activate the trace before the FTP server starts by adding the DEBUG SEC statement to the server's FTP.DATA file, or after the server starts (and before the client connects) by using the MODIFY jobname,DEBUG=(SEC) operator command.
One of the common problems with the AT-TLS handshake is a mismatch in the ciphersuites supported by client and server. For a list of ciphersuites supported by z/OS® FTP, see z/OS Communications Server: IP Configuration Reference.
Ciphersuite names and their cipherspec codes:
SSL_NULL_MD5 ; 01
SSL_NULL_SHA ; 02
SSL_RC4_MD5_EX ; 03
SSL_RC4_MD5 ; 04
SSL_RC4_SHA ; 05
SSL_RC2_MD5_EX ; 06
SSL_DES_SHA ; 09
SSL_3DES_SHA ; 0A
Trace of a successful handshake:
auth: entered with mechname TLS
ftpAuth: keyring = /u/user33/keyring/key.kdb
ftpAuth: stash = /u/user33/keyring/key.sth
ftpAuth: environment_open()
ftpAuth: connect as a server
ftpAuth: environment_init()
ftpAuth: environment initialization complete
authClient: secure_socket_open()
authClient: cipherspecs = 0102
authClient: secure_socket_init()
tlsLevel: using TLSV1 with SSL_NULL_MD5 (01)
Trace of a failed handshake, ending with GSK_ERR_NO_CIPHERS:
auth: entered with mechname TLS
ftpAuth: keyring = /u/user33/keyring/key.kdb
ftpAuth: stash = /u/user33/keyring/key.sth
ftpAuth: environment_open()
ftpAuth: connect as a server
ftpAuth: environment_init()
ftpAuth: environment initialization complete
authClient: secure_socket_open()
authClient: cipherspecs = 0102
authClient: secure_socket_init()
authClient: init failed with rc = 402 (GSK_ERR_NO_CIPHERS)
endSecureConn: entered
EZYFT96I TLS handshake failed
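The following added example (not IBM code) shows one way to triage a security trace like the two above: it decodes the cipherspecs value using the code table on this page, reports a GSK_ERR_NO_CIPHERS failure with the locally configured suites, and flags a negotiated NULL suite, which authenticates but does not encrypt the session. The function names and the result dictionary layout are assumptions made for this example.

```python
import re

# Cipherspec codes and names as listed on this page (two hex digits per suite).
CIPHERS = {
    "01": "SSL_NULL_MD5", "02": "SSL_NULL_SHA", "03": "SSL_RC4_MD5_EX",
    "04": "SSL_RC4_MD5", "05": "SSL_RC4_SHA", "06": "SSL_RC2_MD5_EX",
    "09": "SSL_DES_SHA", "0A": "SSL_3DES_SHA",
}

def decode_cipherspecs(spec):
    """Split a cipherspecs value such as '0102' into (code, name) pairs."""
    spec = spec.strip().upper()
    if len(spec) % 2:
        raise ValueError("cipherspecs must be pairs of hex digits: %r" % spec)
    codes = [spec[i:i + 2] for i in range(0, len(spec), 2)]
    return [(c, CIPHERS.get(c, "unknown")) for c in codes]

def analyze_trace(text):
    """Summarize one handshake from FTP security (SEC) trace lines."""
    r = {"offered": [], "negotiated": None, "rc": None, "error": None, "findings": []}
    for line in text.splitlines():
        if m := re.search(r"cipherspecs = ([0-9A-Fa-f]+)", line):
            r["offered"] = decode_cipherspecs(m.group(1))
        elif m := re.search(r"using (\S+) with (\S+) \(([0-9A-Fa-f]{2})\)", line):
            r["negotiated"] = (m.group(1), m.group(2), m.group(3).upper())
        elif m := re.search(r"init failed with rc = (\d+) \((\w+)\)", line):
            r["rc"], r["error"] = int(m.group(1)), m.group(2)
    names = ", ".join(name for _, name in r["offered"]) or "none seen"
    if r["error"] == "GSK_ERR_NO_CIPHERS":
        r["findings"].append("no common ciphersuite; local cipherspecs: " + names)
    if r["negotiated"] and "_NULL_" in r["negotiated"][1]:
        r["findings"].append("negotiated suite does not encrypt the session")
    return r

# Excerpts of the two traces shown on this page.
SUCCESS_TRACE = """authClient: cipherspecs = 0102
authClient: secure_socket_init()
tlsLevel: using TLSV1 with SSL_NULL_MD5 (01)"""
FAILED_TRACE = """authClient: cipherspecs = 0102
authClient: secure_socket_init()
authClient: init failed with rc = 402 (GSK_ERR_NO_CIPHERS)"""

if __name__ == "__main__":
    for label, trace in (("success", SUCCESS_TRACE), ("failure", FAILED_TRACE)):
        print(label, analyze_trace(trace))
```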