Steps for migrating the FTP server and client to use AT-TLS

Application Transparent Transport Layer Security (AT-TLS) is the best way to implement TLS security for the FTP server and client. AT-TLS provides additional functionality and performance for TLS-secured connections.

Procedure

Perform the following steps to migrate from an existing configuration using TLS security for the FTP server and client to a configuration using AT-TLS:

  1. Configure AT-TLS and Policy Agent.

    For details about AT-TLS setup, see Application Transparent Transport Layer Security data protection. For Policy Agent setup and AT-TLS policy statements, see z/OS Communications Server: IP Configuration Reference.

    Requirements:
    • The FTP server and client are controlling applications. For more information about controlling applications, see Advanced application considerations.

      Code a TTLSEnvironmentAdvancedParms statement with the ApplicationControlled and SecondaryMap parameters; both parameters should specify the value On. The ApplicationControlled parameter allows FTP to start and stop TLS security on a connection. The SecondaryMap parameter enables active or passive data connections to use the AT-TLS policy that is used for the control connection, so you do not need to code any additional TTLSRule statements for the data connections.

    • The FTP server requires the HandshakeRole parameter with the value Server or ServerWithClientAuth to be coded on the TTLSEnvironmentAction statement. If the SECURE_LOGIN statement is coded in FTP.DATA with the parameters REQUIRED or VERIFY_USER, the HandshakeRole parameter value must be ServerWithClientAuth.
    • The TTLSRule statement for the FTP server requires the Direction parameter with the value Inbound.
    • The FTP client requires the HandshakeRole parameter with the value Client to be coded on the TTLSEnvironmentAction statement.
    • The TTLSRule statement for the FTP client requires the Direction parameter with the value Outbound.
    Guideline: The FTP server and client do not support SSLv2 when using TLSMECHANISM TLS. By default, AT-TLS does not enable SSLv2. SSLv2 should not be enabled in AT-TLS unless explicitly required by a remote system. If SSLv2 is required by a remote system, use a specific TTLSRule statement for the remote system that points to a TTLSConnectionAction statement enabling SSLv2.
  2. Configure the FTP server and client to use AT-TLS by coding TLSMECHANISM ATTLS in FTP.DATA.
  3. Use Table 1 to migrate the existing FTP server and client configuration to AT-TLS.
    Remove the statements from FTP.DATA and code the AT-TLS equivalent statement.

    Table 1. Migrating existing FTP server and client configuration

    FTP.DATA statement   AT-TLS equivalent statement   AT-TLS policy statement
    ------------------   ---------------------------   ---------------------------------------------
    KEYRING              Keyring                       TTLSKeyRingParms -> TTLSEnvironmentAction
    CIPHERSUITE          V3CipherSuites                TTLSCipherParms -> TTLSEnvironmentAction
    TLSTIMEOUT           GSK_V3_SESSION_TIMEOUT        TTLSGskAdvancedParms -> TTLSEnvironmentAction
  4. Use Table 2 to migrate existing ciphers coded on CIPHERSUITE statements in FTP.DATA to AT-TLS TTLSCipherParms statements.

    Table 2. Migrating existing ciphers

    CIPHERSUITE cipher   V3CipherSuites cipher                 Hexadecimal value
    ------------------   -----------------------------------   -----------------
    SSL_DES_SHA          TLS_RSA_WITH_DES_CBC_SHA              09
    SSL_3DES_SHA         TLS_RSA_WITH_3DES_EDE_CBC_SHA         0A
    SSL_NULL_MD5         TLS_RSA_WITH_NULL_MD5                 01
    SSL_NULL_SHA         TLS_RSA_WITH_NULL_SHA                 02
    SSL_RC2_MD5_EX       TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5    06
    SSL_RC4_MD5          TLS_RSA_WITH_RC4_128_MD5              04
    SSL_RC4_MD5_EX       TLS_RSA_EXPORT_WITH_RC4_40_MD5        03
    SSL_AES_128_SHA      TLS_RSA_WITH_AES_128_CBC_SHA          2F
    SSL_AES_256_SHA      TLS_RSA_WITH_AES_256_CBC_SHA          35
    For example, for an FTP.DATA file that contains the following statements:

    CIPHERSUITE SSL_AES_256_SHA
    CIPHERSUITE SSL_3DES_SHA
    CIPHERSUITE SSL_NULL_SHA

    The equivalent TTLSCipherParms statement is:

    TTLSCipherParms
    {
       V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
       V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
       V3CipherSuites TLS_RSA_WITH_NULL_SHA
    }
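As an added example (not part of this IBM documentation and not an IBM-supplied tool), the following Python script applies Table 1 and Table 2 to the statements in an FTP.DATA file: it emits the matching TTLSKeyRingParms, TTLSGskAdvancedParms and TTLSCipherParms fragments, derives the HandshakeRole required by the SECURE_LOGIN rule in step 1, and flags suites that provide no confidentiality or are export-grade or legacy so they can be reviewed before the policy is installed. It assumes FTP.DATA comments begin with ';' and that the generated text is reviewed and placed into the policy file by hand.

```python
# Table 2 from this page: FTP.DATA CIPHERSUITE name -> V3CipherSuites name
CIPHER_MAP = {
    "SSL_DES_SHA": "TLS_RSA_WITH_DES_CBC_SHA",
    "SSL_3DES_SHA": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_NULL_MD5": "TLS_RSA_WITH_NULL_MD5",
    "SSL_NULL_SHA": "TLS_RSA_WITH_NULL_SHA",
    "SSL_RC2_MD5_EX": "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "SSL_RC4_MD5": "TLS_RSA_WITH_RC4_128_MD5",
    "SSL_RC4_MD5_EX": "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_AES_128_SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_AES_256_SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
}
# Substrings marking suites with no confidentiality or export/legacy strength; flagged, not dropped
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "RC2", "DES")

def parse_ftp_data(text):
    """Yield (statement, value) pairs from FTP.DATA text; ';' starts a comment, blanks are skipped."""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            yield parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")

def migrate(text):
    """Return (policy_text, handshake_role, warnings) for the FTP.DATA statements Table 1 covers."""
    ciphers, warnings, params, role = [], [], {}, "Server"
    for stmt, value in parse_ftp_data(text):
        if stmt == "CIPHERSUITE":
            v3 = CIPHER_MAP.get(value.upper())
            if v3 is None:
                warnings.append(f"{value}: no V3CipherSuites mapping in Table 2")
            else:
                if any(m in v3 for m in WEAK_MARKERS):
                    warnings.append(f"{value} -> {v3} is a weak suite; drop it unless a peer needs it")
                ciphers.append(v3)
        elif stmt == "KEYRING":
            params["TTLSKeyRingParms"] = f"Keyring {value}"
        elif stmt == "TLSTIMEOUT":
            params["TTLSGskAdvancedParms"] = f"GSK_V3_SESSION_TIMEOUT {value}"
        elif stmt == "SECURE_LOGIN" and value.upper() in ("REQUIRED", "VERIFY_USER"):
            role = "ServerWithClientAuth"  # step 1: these SECURE_LOGIN values need client auth
    if ciphers:
        params["TTLSCipherParms"] = "\n".join(f"V3CipherSuites {c}" for c in ciphers)
    blocks = [f"{name}\n{{\n" + "\n".join("   " + l for l in body.splitlines()) + "\n}"
              for name, body in params.items()]
    return "\n".join(blocks), role, warnings

if __name__ == "__main__":
    # Constructed sample input, not a real FTP.DATA; the keyring name is a placeholder
    sample = ("KEYRING FTPRING\nTLSTIMEOUT 600\nCIPHERSUITE SSL_AES_256_SHA\n"
              "CIPHERSUITE SSL_3DES_SHA ; legacy peer\nCIPHERSUITE SSL_NULL_SHA\nSECURE_LOGIN REQUIRED\n")
    policy, role, warns = migrate(sample)
    print(policy, f"HandshakeRole {role}", *warns, sep="\n")
```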