z/OS Security Server RACF Security Administrator's Guide


Scenario 6a: Enabling secure outbound FTP using a shared virtual key ring

SA23-2289-00

A company wants to allow its employees to make FTP requests from z/OS® to three FTP servers out on the Internet. The clients (z/OS users) will authenticate to the FTP servers with preestablished user IDs and passwords. Therefore, FTP will be used without client authentication. For privacy protection, the company will use secure FTP to encrypt the information being transferred. To use the FTP client with SSL, a key ring containing the certificate authority certificates must be specified for the target FTP servers. Because a client certificate is not required, one key ring will suffice for all users. You can use a virtual key ring or a real key ring. This scenario uses a virtual key ring. (For instructions using a real key ring, see Scenario 6b.) In this scenario, the CA certificates for the three FTP servers were already obtained and reside in the following three data sets: 'FTPD.CACERT1', 'FTPD.CACERT2', and 'FTPD.CACERT3'.
  1. Add the three certificate authority certificates to RACF®:
    RACDCERT CERTAUTH ADD('FTPD.CACERT1') WITHLABEL('CA for FTP Server 1')
    RACDCERT CERTAUTH ADD('FTPD.CACERT2') WITHLABEL('CA for FTP Server 2')
    RACDCERT CERTAUTH ADD('FTPD.CACERT3') WITHLABEL('CA for FTP Server 3')
  2. Authorize access to the virtual key ring under CERTAUTH for the z/OS users (USER01, USER02) who need to communicate with the external FTP servers. Do this by administering a profile in either the FACILITY or the RDATALIB class. Using the FACILITY class provides global control of all rings, whereas using the RDATALIB class provides granular control of a specific ring.
    • When using the FACILITY class:
      RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE) 
      PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(USER01 USER02) ACCESS(UPDATE)
      • If the FACILITY class is not already active, activate and RACLIST it.
        SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
      • If the FACILITY class is already active and RACLISTed, refresh it.
        SETROPTS RACLIST(FACILITY) REFRESH
    • When using the RDATALIB class:
      RDEFINE RDATALIB CERTIFAUTH.IRR_VIRTUAL_KEYRING.LST UACC(NONE)
      PERMIT CERTIFAUTH.IRR_VIRTUAL_KEYRING.LST CLASS(RDATALIB) 
          ID(USER01 USER02) ACCESS(READ)
      • If the RDATALIB class is not already active, activate and RACLIST it.
        SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)
      • If the RDATALIB class is already active and RACLISTed, refresh it.
        SETROPTS RACLIST(RDATALIB) REFRESH
  3. Configure the FTP client to use the virtual key ring under CERTAUTH by specifying the following KEYRING directive:
    KEYRING *AUTH*/*
    Note: RACF is not involved with this step.
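The three steps above fix two things an administrator has to get right: the profile name (global IRR.DIGTCERT.LISTRING versus per-ring CERTIFAUTH.IRR_VIRTUAL_KEYRING.LST) and the access level (UPDATE in FACILITY because the CERTAUTH virtual ring is not the user's own ring, READ in RDATALIB). The following Python is an added planning helper, not code from the IBM documentation or from z/OS: it maps an FTP KEYRING value to the ring owner and name, derives the profile and access level under either class, and emits the command sequence. It also covers a user's own virtual ring (userid/*), where the FACILITY rule drops to READ; only the *AUTH* virtual ring mapping and the CERTIFAUTH prefix come from this page, the rest is assumed from RACF's documented ring-listing rules.

```python
# Added example (not from the IBM page): derive the RACF profile and access
# level a user needs to list a key ring, and emit the commands from the
# scenario. Assumes: *AUTH*/* is the CERTAUTH virtual ring named
# IRR_VIRTUAL_KEYRING (page), owner CERTAUTH is spelled CERTIFAUTH in
# RDATALIB profile names (page), FACILITY READ lists only one's own ring
# while UPDATE is needed for any other owner's ring (RACF rule). *SITE*
# rings are deliberately not handled here.

def parse_keyring(spec):
    """Map an FTP KEYRING value 'owner/ring' to (ring_owner, ring_name, is_virtual)."""
    owner, _, name = spec.partition("/")
    if not owner or not name:
        raise ValueError(f"KEYRING must be owner/ring, got {spec!r}")
    if owner == "*AUTH*":
        owner = "CERTAUTH"
    if name == "*":                       # virtual ring: all certs of that owner
        return owner, "IRR_VIRTUAL_KEYRING", True
    return owner, name, False

def required_permit(spec, user, use_class):
    """Return (class, profile, access) that lets `user` list the ring in `spec`."""
    owner, name, _ = parse_keyring(spec)
    if use_class == "FACILITY":
        # One global profile for every ring on the system. CERTAUTH is not
        # the user, so the scenario's virtual ring needs UPDATE.
        access = "READ" if owner == user else "UPDATE"
        return "FACILITY", "IRR.DIGTCERT.LISTRING", access
    if use_class == "RDATALIB":
        # One profile per ring; READ suffices to list certificates (the CA
        # ring carries no private keys, so higher levels are not needed).
        prefix = "CERTIFAUTH" if owner == "CERTAUTH" else owner
        return "RDATALIB", f"{prefix}.{name}.LST", "READ"
    raise ValueError("use_class must be FACILITY or RDATALIB")

def racf_commands(spec, users, use_class):
    """RDEFINE/PERMIT/SETROPTS sequence, grouping users by required access."""
    cls, profile, _ = required_permit(spec, users[0], use_class)
    cmds = [f"RDEFINE {cls} {profile} UACC(NONE)"]
    by_access = {}
    for u in users:
        by_access.setdefault(required_permit(spec, u, use_class)[2], []).append(u)
    for access, ids in by_access.items():
        cmds.append(f"PERMIT {profile} CLASS({cls}) ID({' '.join(ids)}) ACCESS({access})")
    # Assumes the class is already active and RACLISTed (else CLASSACT first).
    cmds.append(f"SETROPTS RACLIST({cls}) REFRESH")
    return cmds
```

Running `racf_commands("*AUTH*/*", ["USER01", "USER02"], "RDATALIB")` reproduces step 2's RDATALIB commands; switching to "FACILITY" shows why the same users need UPDATE there.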

Copyright IBM Corporation 1990, 2014