Safe And Secure Transfers With Z OS FTP - SHARE


Safe and Secure Transfers with z/OS FTP
Alfred B Christensen – alfredch@us.ibm.com
IBM Raleigh, NC, USA
Session: 8239
Thursday, March 3, 2011: 9:30 AM-10:30 AM

Safe and Secure Transfers with z/OS FTP
Session number: 8239
Date and time: Thursday, March 3, 2011: 9:30 AM-10:30 AM
Location: Room 212B (Anaheim Convention Center)
Program: Communications Infrastructure
Project: Communications Server
Track: Network Support and Management, Security Administration and Security and Privacy
Speaker: Alfred B Christensen, IBM
Abstract: FTP is a readily available, convenient, and inexpensive technology to transfer files and data sets between z/OS and a virtually unlimited number of other operating system platforms. FTP is not a bad technology, as some recent press might lead you to believe. FTP can be misused and cause problems if the FTP service isn't properly set up to prevent potential security exposures. This session will explore a wide range of aspects related to how FTP works on z/OS. The session will reveal 'hidden gems' of FTP on z/OS and will look at a set of usage scenarios, providing suggestions on how to best exploit selected features of the z/OS FTP technology. The session will especially focus on how you can secure both the FTP environment itself and the individual data transfers that z/OS FTP participates in, both as a client and as a server.
Page 2 2011 SHARE and IBM Corporation


Agenda
- FTP and Security – an oxymoron?
- SSL/TLS FTP: Keys and certificates overview
- z/OS FTP Server with server authentication only – client WS FTP Pro on Windows
- z/OS FTP Server with server authentication and client authentication – client WS FTP Pro on Windows
- z/OS FTP client connecting to a FileZilla Windows server with server authentication only
- Appendix A: z/OS FTP – local security
- Appendix B: Secure FTP – network traversal challenges and solutions

Disclaimer: All statements regarding IBM future direction or intent, including current product plans, are subject to change or withdrawal without notice and represent goals and objectives only. All information is provided for informational purposes only, on an "as is" basis, without warranty of any kind.

Safe and Secure Transfers with z/OS FTP
FTP and Security – an oxymoron?

Let's try and clear a little common confusion from the start

RFC959 FTP:
- Also referred to as RFC959 FTP or "normal" FTP
- The FTP protocol we all know and have used for years
- The FTP protocol has been extended numerous times since the original RFC959 was issued in 1985
  - Specific support for both Kerberos-based and SSL/TLS-based security has been added to the FTP protocol: RFC4217 "Securing FTP with TLS"
  - This is what the z/OS CS FTP client and server have supported through many years
- An RFC959 FTP client talks to an RFC959 FTP server, and not to an sftp server

Secure Shell sftp:
- Secure Shell file transfer protocol
- A sub-protocol of SSH (Secure Shell)
- Supported on z/OS by "IBM Ported Tools for z/OS" and at least two ISV products
- Has nothing to do with RFC959 FTP – incompatible protocols
- An sftp client talks to an sftp server and not to an RFC959 FTP server

RFC4217 FTPS:
- Also referred to as RFC4217 FTP, FTP AUTH-TLS, or FTP AUTH-SSL
- Secure RFC959 FTP using a standard security mechanism, such as Kerberos or SSL/TLS: RFC4217 "Securing FTP with TLS"
- The normal FTP protocol but extended with full network security (authentication, data integrity, and data privacy)
- Both control connection and data connection can be secured
- No user IDs or passwords flowing in the clear

A quick comparison of selected z/OS file transfer technologies from a security perspective

| | FTP (with no security, RFC959) | FTPS (FTP w. SSL/TLS, RFC4217) | FTP w. IPSec (any RFC level) | SFTP (as implemented by IBM Ported Tools) |
|---|---|---|---|---|
| User ID and password protection | No | Yes | Yes | Yes |
| Data protection (the file being transferred) | No | Yes | Yes | Yes |
| z/OS UNIX file support | Yes | Yes | Yes | Yes |
| z/OS MVS data set support | Yes | Yes | Yes | No (but add-on products do exist) |
| Use of System z hardware encryption technologies | n/a | Yes | Yes | Yes (for random number generation) |
| Partner authentication via locally stored copies of public keys | n/a | No | Yes (pre-shared key) | Yes |
| Partner authentication via X509 certificates | n/a | Yes | Yes | No |
| Use of SAF key rings and/or ICSF | n/a | Yes | Yes | Yes |
| FIPS 140-2 mode | n/a | Yes (z/OS V1R11) | No | No |
| Mutual authentication supported | n/a | Yes | Yes (at an IP address level) | Yes |

MVS data set support example: Dovetailed Technologies' Co:Z SFTP

FTP Server CPU usage with and without security

[Chart "FTP CPU Usage": microseconds of CPU (y axis, 0 to 250) against throughput in MB/sec (x axis, 0 to 300) for four configurations: Clear Text, AT-TLS, IPSec without zIIPs, and IPSec with zIIPs. Points are annotated at 32 and 128 connections; the IPSec-with-zIIPs curve is marked "zIIP processor pegged".]

All measurements done with z/OS V1R11:
- Outbound data (gets) to an MVS client
- 3DES encryption with SHA authentication
- From 1 to 128 parallel connections
- Highest throughput numbers obtained with 0 think time

Test configuration:
- Client: 1 z10 LPAR (3 dedicated CPs)
- Server: 1 z10 LPAR (4 dedicated CPs)
- Connectivity: OSA-E3 10 GbE
- Encryption/Authentication: 3DES/SHA
- Transaction: 1 byte / 2 MB
- Target data sets: MVS data sets on 3390 DASD
- Think time: 1500 ms
- Number of connections: 1 to 128
- Driver tool: AWM

All performance data contained in this publication was obtained in the specific operating environment and under the conditions described and is presented as an illustration. Performance obtained in other operating environments may vary and customers should conduct their own testing.

Safe and Secure Transfers with z/OS FTP
SSL/TLS FTP: Keys and certificates overview

Note: This will hurt your brain, but this is where you all run into problems when trying to set up SSL/TLS for the first time!

SSL/TLS application types

Port-determined SSL/TLS (Implicit):
[Figure: connect → SSL/TLS handshake → secure connection, on server port x; all connections to port x will be secure]
- As soon as a connection has been established with the server, the SSL/TLS handshake starts
- Examples are the HTTPS port (443), and FTP's secure port (990)
- AT-TLS considerations:
  - Can be done totally transparently to application code; this is referred to as an AT-TLS "Basic" application
  - Optionally the application may query SSL/TLS attributes, such as client user ID (if client authentication is used), cipher suite in use, etc.; this is referred to as an AT-TLS "Aware" application

Application-negotiated SSL/TLS (Explicit):
[Figure: connect → non-secure negotiation → SSL/TLS handshake → secure connection, on server port y; connect to port y, and then negotiate whether the connection should be secured or not]
- Application protocol includes verbs to negotiate security protocol and options
- Examples are FTP, which uses the AUTH FTP command to negotiate use of SSL/TLS or Kerberos, and in some cases a TN3270 server port (Conntype NegtSecure)
- AT-TLS considerations:
  - Application needs to "tell" AT-TLS when to start the SSL/TLS handshake; this is referred to as an AT-TLS "Controlling" application
  - Otherwise, use of AT-TLS is transparent to the application
  - Optionally the application may query SSL/TLS attributes, such as client user ID (if client authentication is used), cipher suite in use, etc.

Cryptographic basics
- Cryptography is the use of mathematical algorithms to transform data for the purposes of ensuring:
  - Partner authentication – proving the other end point of the secure communication is who it claims to be (certificates and asymmetric encryption)
  - Data privacy – hiding the data (encryption/decryption)
  - Data integrity – proving the data hasn't been modified since it was sent (message digests and secure message authentication codes)
  - Data origin authentication – proving the data's origin (message digests and secure message authentication codes)
- Cryptographic operations are compute intensive, hence the need for hardware assist technologies
- General rule: for a given algorithm, the longer the key, the stronger the security, and the more compute intensive the operation
  - For example, AES-128 vs. AES-256
  - Increases the amount of work an attacker needs to do to crack the code
[Figure: encryption strength, CPU cost and time to encrypt/decrypt all rise with key length]

Symmetric encryption
[Figure: cleartext "MVS is great!" → DES, 3DES, AES, ... → ciphertext *7 &hl;f9jjut8( → DES, 3DES, AES, ... → cleartext "MVS is great!"; the key used on both sides has the exact same value]
- Only one key value – a "shared secret" between both parties
  - Used for both encryption and decryption
  - Hence the symmetry; each side has the same key and uses the same algorithm
- Much faster than asymmetric cryptography
  - You typically use symmetric encryption for bulk encryption/decryption
- Also known as "secret key encryption"
- Securely sharing and exchanging the key between both parties is a major issue

Asymmetric encryption
[Figure: cleartext "MVS is great!" → RSA, DSA, ... under the private key → ciphertext *7 &hl;f9jjut8( → RSA, DSA, ... under the public key → cleartext "MVS is great!"; private key and public key are mathematically linked, but not the same value]
- Two different key values – no shared secrets!
  - Private key is known only to the owner and is kept under lock!
  - Public key is freely distributed to others
  - Data encrypted with the private key can only be decrypted with the public key, and vice versa
  - No way to derive one key value from the other
- Great for authentication and non-repudiation
  - "Digital signatures" – signing with the private key
- Very expensive computationally
  - Not so great for bulk encryption – usually used to encrypt small data objects like message digests or symmetric keys
- Also known as "public key cryptography"

RSA: Rivest, Shamir and Adleman
DSA: Digital Signature Algorithm

Digital signature
[Figure: the sender runs the cleartext "MVS is great!" through SHA-1, SHA-2, MD5, ... to get a digest, then encrypts the digest with RSA, DSA, ... under the private key to produce the signature. The receiver recalculates the digest from the cleartext, decrypts the signature with RSA, DSA, ... under the matching public key, and asks "Do these two match?". Private key and public key are mathematically linked, but not the same value.]
- A digital signature is a message digest that has been encrypted with the sender's private key
- If the receiver recalculates the message digest, decrypts the signature with the sender's public key, and compares the decrypted signature to the recalculated message digest, the two should match:
  - The message text cannot have been modified since the signature was calculated
  - The signature cannot have been tampered with
  - The signature could only have been created by the partner with the matching private key

SHA: Secure Hash Algorithm – MDn: Message Digest n

Trust relationships via Certificate Authorities – getting my public key distributed to those who need it

My corporation, ABC:
1. Generate a key-pair: a private key and a matching public key
2. Generate a certificate request document (name and address of my ABC corporation, my web URI, ..., ABC public key) and (e)mail it to a Certificate Authority
   - The ABC private key stays with ABC

Certificate Authority (holding the CA private key and CA public key):
1. Validate request and requestor
2. Generate the ABC certificate (name and address of my ABC corporation, my web URI, ..., ABC public key) – signed with the CA's private key
3. Send ABC's certificate back to ABC

User Alice (CA certificate installed as a trusted root, a CA):
1. Verify validity of ABC's certificate by decrypting the signature using the CA's public key and comparing it to the content of the certificate
   - If they match, the certificate was indeed issued by our trusted CA
2. Because ABC trusted the CA, and Alice trusts the CA, Alice can now trust ABC

SSL/TLS use of hardware crypto functions

| Crypto type | Algorithm | CPACF available only | CPACF plus Coprocessor / Accelerator available |
|---|---|---|---|
| Asymmetric encrypt / decrypt | RSA signature generation | In software | In coprocessor mode only, otherwise in software (Accelerator does not support this option) |
| Asymmetric encrypt / decrypt | RSA signature verification | In software | In coprocessor / accelerator |
| Asymmetric encrypt / decrypt | PKA encrypt / decrypt for handshake | In software | In coprocessor / accelerator |
| Symmetric encrypt / decrypt | DES encrypt / decrypt | CPACF (non-FIPS mode only; DES not allowed in FIPS mode) | CPACF (non-FIPS mode only; DES not allowed in FIPS mode) |
| Symmetric encrypt / decrypt | 3DES encrypt / decrypt | CPACF | CPACF |
| Symmetric encrypt / decrypt | AES-CBC-128 encrypt / decrypt | CPACF | CPACF |
| Symmetric encrypt / decrypt | AES-CBC-256 encrypt / decrypt | In software on z9, in CPACF on z10 | In software on z9, in CPACF on z10 |
| Symmetric authentication | SHA-1 digest generation | CPACF | CPACF |
| Symmetric authentication | SHA-224 digest generation | CPACF | CPACF |
| Symmetric authentication | SHA-256 digest generation | CPACF | CPACF |
| Symmetric authentication | SHA-384 digest generation | In software on z9, in CPACF on z10 | In software on z9, in CPACF on z10 |
| Symmetric authentication | SHA-512 digest generation | In software on z9, in CPACF on z10 | In software on z9, in CPACF on z10 |
| Symmetric authentication | MD5 | In software (non-FIPS mode only; MD5 not allowed in FIPS mode) | In software (non-FIPS mode only; MD5 not allowed in FIPS mode) |

Hardware support
- With AT-TLS enabled, check the TCP/IP stack SYSOUT file for details on which cryptographic algorithms are supported by your system:

  SSL: SHA-1 crypto assist is available
  SSL: SHA-224 crypto assist is available
  SSL: SHA-256 crypto assist is available
  SSL: SHA-384 crypto assist is available
  SSL: SHA-512 crypto assist is available
  SSL: DES crypto assist is available
  SSL: DES3 crypto assist is available
  SSL: AES 128-bit crypto assist is available
  SSL: AES 256-bit crypto assist is available
  SSL: ICSF services are not available

Safe and Secure Transfers with z/OS FTP
z/OS FTP Server with server authentication only – client WS FTP Pro on Windows

WS FTP Professional is a product from Ipswitch File Transfer Division: http://www.ipswitchft.com/products/ws ftp pro/index.aspx
This material does not in any way endorse or promote WS FTP Professional, but merely uses it as an example of a Windows FTP client that supports SSL/TLS FTP functions.

What is needed for z/OS server authentication only (which is sufficient for encrypted data exchange)

[Figure: the Windows FTP client's key-ring holds the CA certificate with the CA public key. The z/OS FTP server's key-ring (the key-ring of the server started task user ID) holds the CA certificate with the CA public key, the server certificate with the server public key (signed by the CA private key), and the server private key.]

Handshake between the Windows FTP client and the z/OS FTP server:
1. TCP connection setup
2. Client: Hello – I want to use SSL/TLS
3. Server: Hello – OK, me too!! And here is my server certificate (server certificate w. server public key)
4. Client:
   1. Verify server certificate has not expired
   2. Verify server certificate is valid using CA's public key
   3. Do optional checks on the server certificate
   4. Store server's public key for later use
   5. Generate symmetric key and encrypt under server's public key
5. Client: Here is our secret symmetric key, encrypted under your public key

- CA may be an external CA, such as Verisign, or it may be an in-house CA
- In both cases, the CA root certificate needs to be present at both the client and the server side
- The server certificate is signed by the CA and is stored on the server side
- On z/OS, this will typically be the default certificate in the server's started task user ID's key-ring in RACF
- During the SSL handshake, the server certificate (not the server private key) is sent to the client
- The client verifies the certificate's signature using the CA public key in its copy of the CA certificate

Create self-signed root certificate for test purposes

  RACDCERT CERTAUTH GENCERT
    SUBJECTSDN( CN('MVS098 Certificate Authority')
                OU('Z/OS CS V1R9', 'ENS', 'AIM', 'SWG')
                O('IBM') L('Raleigh') SP('NC') C('US') )
    SIZE(1024)
    NOTBEFORE(DATE(2010-02-01))
    NOTAFTER(DATE(2020-12-31))
    WITHLABEL('ABCTLS CA')
    KEYUSAGE(CERTSIGN)
    ALTNAME( DOMAIN('mvs098.tcp.raleigh.ibm.com') )

Create a self-signed root certificate and a private/public key-pair:
- CERTAUTH
- KEYUSAGE(CERTSIGN)
- Absence of a SIGNWITH option

It can become a nightmare when these things expire, so don't create certificates with too short a time span! (Your security czar will likely have an opinion on that.)

- In a production environment, you would not need a self-signed root certificate. To sign server and personal certificates, you would use your company root certificate or an external Certificate Authority.
- For testing, a self-signed root certificate is useful. It allows you to familiarize yourself with keys and certificates and allows you to thoroughly test your secure FTP setup on z/OS before deploying it in production.

Create z/OS FTP server certificate signed with your own root certificate

  RACDCERT ID(TCPCS) GENCERT
    SUBJECTSDN( CN('MVS098 Server Certificate')
                OU('Z/OS CS V1R11', 'ENS', 'AIM', 'SWG')
                O('IBM') L('Raleigh') SP('NC') C('US') )
    SIZE(1024)
    NOTBEFORE(DATE(2010-02-01))
    NOTAFTER(DATE(2020-12-31))
    WITHLABEL('ABCTLS TCPSERV')
    KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN)
    ALTNAME( DOMAIN('mvs098.tcp.raleigh.ibm.com') )
    SIGNWITH(CERTAUTH LABEL('ABCTLS CA'))

Create a server certificate signed with your own root certificate and a private/public key pair:
- ID(userID) – the started task user ID of your FTP server
- KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN)
- SIGNWITH(CERTAUTH LABEL('your root certificate'))

In a production environment, you would use an alternative procedure after having generated the server key pair and certificate:
- You would generate a certificate signing request and send it to your CA
- Your CA would process your request and create a certificate signed with the CA private key
- You would import the signed certificate into RACF

Alternative: use an external CA to sign your server certificate

  RACDCERT ID(TCPCS) GENCERT
    SUBJECTSDN( CN('MVS098 Server Certificate')
                OU('Z/OS CS V1R11', 'ENS', 'AIM', 'SWG')
                O('IBM') L('Raleigh') SP('NC') C('US') )
    SIZE(1024)
    NOTBEFORE(DATE(2010-02-01))
    NOTAFTER(DATE(2020-12-31))
    WITHLABEL('ABCTLS TCPSERV')
    KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN)
    ALTNAME( DOMAIN('mvs098.tcp.raleigh.ibm.com') )

  RACDCERT ID(TCPCS) GENREQ (LABEL('ABCTLS TCPSERV')) DSN('USER1.PKITEST.SERVERS.REQ')

  (**** delay here while CA processes your request ****)

  RACDCERT ID(TCPCS) ADD('USER1.PKITEST.SERVERS.CRT') TRUST WITHLABEL('ABCTLS TCPSERV')

- Create a server certificate and a private/public key pair:
  - ID(userID) – the started task user ID of your FTP server
  - KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN)
- Generate a request to have the certificate signed by an external CA
  - Send the request to the CA
  - Receive the response from the CA
- Add the signed certificate into RACF
- If not already there, you also need to add the CA's root certificate to RACF as a CERTAUTH certificate

Create your z/OS server started task user ID key-ring and connect required certificates to it

  RACDCERT CERTAUTH EXPORT(LABEL('ABCTLS CA')) DSN('USER1.ABCTLSCA.B64') FORMAT(CERTB64)

  RACDCERT ID(TCPCS) ADDRING(TLSRING)
  RACDCERT ID(TCPCS) CONNECT(CERTAUTH LABEL('ABCTLS CA') RING(TLSRING) )
  RACDCERT ID(TCPCS) CONNECT(LABEL('ABCTLS TCPSERV') RING(TLSRING) DEFAULT)

  RACDCERT ID(TCPCS) LISTRING(TLSRING)

- In order for the remote client to successfully authenticate server certificates that are signed with our self-signed root certificate, it needs a copy of that root certificate in its local key-ring
  - Download the exported certificate as a text file to your client workstation
- Create a key-ring for your started task server user ID
- Connect certificates to the key-ring:
  - Your root certificate
  - Your server certificate

LISTRING output:
  Digital ring information for user TCPCS:
    Ring: TLSRING
    Certificate Label Name   Usage      DEFAULT
    ----------------------   --------   -------
    ABCTLS CA                CERTAUTH   NO
    ABCTLS TCPSERV           PERSONAL   YES
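The "what if it doesn't work" advice later in this deck is to draw the certificates, labels and rings and cross-reference them; the following added example (not IBM code) automates that cross-check for the RACDCERT commands shown in the last three slides. It parses GENCERT, ADDRING and CONNECT statements, then flags a CONNECT to an unknown label or ring, a server certificate whose SIGNWITH CA is not connected to the same ring, a ring without exactly one DEFAULT, and certificates near expiry. The sample commands are constructed from the slides, with the CA deliberately left off the ring so the checks have something to find.

```python
"""Cross-check RACDCERT key-ring definitions before the first handshake test."""
import re
from datetime import date

LABEL_RE = r"LABEL\('([^']*)'\)"

# Constructed sample (from the slides): CA and server cert are generated, the ring
# is created, but only the server certificate is CONNECTed, not the CA.
SAMPLE = """
RACDCERT CERTAUTH GENCERT SUBJECTSDN( CN('MVS098 Certificate Authority') O('IBM') C('US') )
  SIZE(1024) NOTBEFORE(DATE(2010-02-01)) NOTAFTER(DATE(2020-12-31))
  WITHLABEL('ABCTLS CA') KEYUSAGE(CERTSIGN)
RACDCERT ID(TCPCS) GENCERT SUBJECTSDN( CN('MVS098 Server Certificate') O('IBM') C('US') )
  SIZE(1024) NOTBEFORE(DATE(2010-02-01)) NOTAFTER(DATE(2020-12-31))
  WITHLABEL('ABCTLS TCPSERV') KEYUSAGE(HANDSHAKE DATAENCRYPT DOCSIGN)
  SIGNWITH(CERTAUTH LABEL('ABCTLS CA'))
RACDCERT ID(TCPCS) ADDRING(TLSRING)
RACDCERT ID(TCPCS) CONNECT(LABEL('ABCTLS TCPSERV') RING(TLSRING) DEFAULT)
"""
# The CONNECT the slide shows for the CA; adding it makes the checks pass.
FIXED = SAMPLE + "RACDCERT ID(TCPCS) CONNECT(CERTAUTH LABEL('ABCTLS CA') RING(TLSRING) )\n"


def parse_racdcert(text):
    """Return the certificates, rings and ring connections defined in text."""
    defs = {"certs": {}, "rings": set(), "connects": []}
    for raw in re.split(r"(?m)^\s*RACDCERT\s+", text)[1:]:
        cmd = " ".join(raw.split())                      # fold continuation lines
        owner = "CERTAUTH" if cmd.startswith("CERTAUTH") else re.match(r"ID\((\w+)\)", cmd).group(1)
        if " GENCERT " in cmd:
            notafter = re.search(r"NOTAFTER\(DATE\((\d+)-(\d+)-(\d+)\)\)", cmd)
            signwith = re.search(r"SIGNWITH\(CERTAUTH " + LABEL_RE + r"\)", cmd)
            usage = re.search(r"KEYUSAGE\(([^)]*)\)", cmd)
            defs["certs"][re.search("WITH" + LABEL_RE, cmd).group(1)] = {
                "owner": owner,
                "notafter": date(*map(int, notafter.groups())) if notafter else None,
                "signwith": signwith.group(1) if signwith else None,   # None: self-signed
                "keyusage": usage.group(1).split() if usage else [],
            }
        elif " ADDRING(" in cmd:
            defs["rings"].add((owner, re.search(r"ADDRING\((\w+)\)", cmd).group(1)))
        elif " CONNECT(" in cmd:
            body = re.search(r"CONNECT\((.*)\)", cmd).group(1)
            defs["connects"].append({
                "owner": owner,
                "ring": re.search(r"RING\((\w+)\)", body).group(1),
                "label": re.search(LABEL_RE, body).group(1),
                "certauth": body.startswith("CERTAUTH"),
                "default": "DEFAULT" in body.split(),
            })
    return defs


def check_keyring(defs, today, warn_days=90):
    """Return a list of findings; an empty list means the definitions are consistent."""
    findings, certs = [], defs["certs"]
    for c in defs["connects"]:
        if (c["owner"], c["ring"]) not in defs["rings"]:
            findings.append(f"{c['label']}: CONNECT to ring {c['ring']} that was never created with ADDRING")
        if c["label"] not in certs:
            findings.append(f"{c['label']}: CONNECT references a label that was never generated or added")
        elif c["certauth"] != (certs[c["label"]]["owner"] == "CERTAUTH"):
            findings.append(f"{c['label']}: CERTAUTH on CONNECT does not match how the certificate was created")
    for owner, ring in sorted(defs["rings"]):
        in_ring = [c for c in defs["connects"] if (c["owner"], c["ring"]) == (owner, ring)]
        labels = {c["label"] for c in in_ring}
        defaults = [c["label"] for c in in_ring if c["default"]]
        if len(defaults) != 1:
            findings.append(f"ring {owner}/{ring}: {len(defaults)} DEFAULT certificates, the server needs exactly one")
        for label in labels & certs.keys():          # the signer must be on the same ring
            issuer = certs[label]["signwith"]
            if issuer and issuer not in labels:
                findings.append(f"ring {owner}/{ring}: {label} is signed by {issuer!r}, which is not connected to the ring")
    for label, cert in certs.items():                # the "nightmare when these expire" check
        if cert["notafter"] is None:
            continue
        left = (cert["notafter"] - today).days
        if left < 0:
            findings.append(f"{label}: expired on {cert['notafter']}")
        elif left < warn_days:
            findings.append(f"{label}: expires in {left} days ({cert['notafter']})")
    return findings


def findings_for(text, year, month, day, warn_days=90):
    """Parse and check the definitions as of the given date."""
    return check_keyring(parse_racdcert(text), date(year, month, day), warn_days)


if __name__ == "__main__":
    for line in findings_for(SAMPLE, 2011, 3, 3) or ["no findings"]:
        print(line)
```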

Configure your z/OS FTP server to use SSL/TLS – this example is based on AT-TLS
- Define an FTP server that supports SSL/TLS connections, but does not require it
  - It depends on whether the client sends an AUTH command or not
- SSL/TLS is done by AT-TLS

Server configuration statements (FTP.DATA):
  EXTENSIONS        AUTH_TLS        ; Enable TLS authentication
  TLSMECHANISM      ATTLS           ; Server-specific or ATTLS
  SECURE_FTP        ALLOWED         ; Security required/optional
  SECURE_LOGIN      NO_CLIENT_AUTH  ; Client authentication
  SECURE_PASSWORD   REQUIRED        ; Password requirement
  SECURE_CTRLCONN   PRIVATE         ; Minimum level of security CTRL
  SECURE_DATACONN   PRIVATE         ; Minimum level of security DATA
  TLSRFCLEVEL       RFC4217         ; SSL/TLS RFC level supported
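The configuration above deliberately leaves SSL/TLS optional, so a client that never sends AUTH still gets a cleartext session. As an added example (not IBM code), the checker below parses FTP.DATA-style "KEYWORD VALUE ; comment" lines, reports each statement that still permits an unprotected session, and compares the slide's test configuration with a tightened variant of this example's own choosing (SECURE_FTP REQUIRED, SECURE_LOGIN VERIFY_USER, the level-2 option described later in the deck).

```python
"""Flag FTP.DATA SSL/TLS statements that still allow cleartext FTP sessions."""

# The slide's test configuration (constructed to match the statements shown).
TEST_FTP_DATA = """\
EXTENSIONS        AUTH_TLS        ; Enable TLS authentication
TLSMECHANISM      ATTLS           ; Server-specific or ATTLS
SECURE_FTP        ALLOWED         ; Security required/optional
SECURE_LOGIN      NO_CLIENT_AUTH  ; Client authentication
SECURE_PASSWORD   REQUIRED        ; Password requirement
SECURE_CTRLCONN   PRIVATE         ; Minimum level of security CTRL
SECURE_DATACONN   PRIVATE         ; Minimum level of security DATA
TLSRFCLEVEL       RFC4217         ; SSL/TLS RFC level supported
"""

# This example's tightened variant: TLS is mandatory and clients present certificates.
PROD_FTP_DATA = """\
EXTENSIONS        AUTH_TLS        ; Enable TLS authentication
TLSMECHANISM      ATTLS           ; Server-specific or ATTLS
SECURE_FTP        REQUIRED        ; every session must negotiate TLS
SECURE_LOGIN      VERIFY_USER     ; client certificate must map to a RACF user ID
SECURE_PASSWORD   REQUIRED        ; Password requirement
SECURE_CTRLCONN   PRIVATE         ; Minimum level of security CTRL
SECURE_DATACONN   PRIVATE         ; Minimum level of security DATA
TLSRFCLEVEL       RFC4217         ; SSL/TLS RFC level supported
"""


def parse_ftp_data(text):
    """FTP.DATA syntax: one 'KEYWORD VALUE' statement per line; ';' starts a comment."""
    settings = {}
    for line in text.splitlines():
        stmt = line.split(";", 1)[0].strip()
        if stmt:
            key, _, value = stmt.partition(" ")
            settings[key.upper()] = value.strip().upper()
    return settings


# (statement, severity, test that is true for the weak value, what that value means)
RULES = [
    ("EXTENSIONS", "CLEARTEXT", lambda v: v != "AUTH_TLS",
     "AUTH TLS is not enabled, so clients cannot negotiate SSL/TLS at all"),
    ("SECURE_FTP", "CLEARTEXT", lambda v: v == "ALLOWED",
     "security is optional; a client that never sends AUTH gets a cleartext session"),
    ("SECURE_CTRLCONN", "CLEARTEXT", lambda v: v != "PRIVATE",
     "control connection need not be encrypted; user IDs and passwords could flow in the clear"),
    ("SECURE_DATACONN", "CLEARTEXT", lambda v: v != "PRIVATE",
     "data connection need not be encrypted; file contents could flow in the clear"),
    ("SECURE_LOGIN", "NOTE", lambda v: v == "NO_CLIENT_AUTH",
     "server authentication only; clients are identified by password, not by certificate"),
    ("TLSRFCLEVEL", "NOTE", lambda v: v != "RFC4217",
     "not negotiating at the RFC4217 level"),
]


def assess(settings):
    """Return 'SEVERITY KEYWORD VALUE: meaning' for each missing or weak statement."""
    findings = []
    for key, severity, is_weak, meaning in RULES:
        if key not in settings:
            findings.append(f"{severity} {key}: statement missing")
        elif is_weak(settings[key]):
            findings.append(f"{severity} {key} {settings[key]}: {meaning}")
    return findings


def cleartext_findings(text):
    """Only the findings that mean an unprotected session is possible."""
    return [f for f in assess(parse_ftp_data(text)) if f.startswith("CLEARTEXT")]


if __name__ == "__main__":
    for name, text in (("test", TEST_FTP_DATA), ("prod", PROD_FTP_DATA)):
        print(name, assess(parse_ftp_data(text)) or ["no findings"])
```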

AT-TLS setup: Server port and keyring definitions
[Screenshot of the AT-TLS policy definition for the server port and key ring; not transcribed]

AT-TLS setup: Data endpoints
[Screenshot of the AT-TLS data endpoint definition; not transcribed]

AT-TLS setup: Security level
- Type: AT-TLS
- Encryption: 0x35 – TLS_RSA_WITH_AES_256_CBC_SHA (first choice)
- Use TLS Version 1.0: Yes
- Use TLS Version 1.1: Yes
- Use SSL Version 3: Yes
- Use SSL Version 2: No
- Client authentication: None
- FIPS 140 Support: Off

Adding your root certificate to WS FTP Pro's trusted authorities
[Screenshot] Select Tools, then Options, and then Import.

Adding your root certificate to WS FTP Pro's trusted authorities
[Screenshot] Import lets you pick a file. Choose the one you just downloaded with your root certificate in base64 encoding.

And set up a WS FTP Pro site for your secure z/OS FTP server port
[Screenshot] Define a server site in WS FTP Pro pointing to your secure z/OS FTP server.

And connect securely to a z/OS FTP server port that supports SSL/TLS
[Screenshot] Here you see the AUTH command and the setup of the secure connection; the lock indicator shows that you have a secure FTP session.

What if it doesn't work?
- Make a visual drawing of where your certificates and private keys are located and what the names of the key rings and certificates are
  - Cross reference your definitions in ATTLS and the remote FTP client to those definitions
  - Make sure certificate authority certificates are stored in RACF as CERTAUTH certificates
- Check all MVS SYSLOG messages for error return codes and reason codes and dig into the documentation to try and get some info out of them
  - Remember, z/OS UNIX System Services Messages and Codes is a very good friend!!
- The ATTLS component logs error messages to the z/OS UNIX syslog daemon (syslogd)
  - A syslogd rule should have been set up to direct ATTLS messages to a z/OS UNIX log file:
      *.TCP*.daemon.*   /var/syslog/logs/ATTLS.log
  - If you are using the z/OS V1R11 syslogd ISPF browser application, search for messages in this file with a message tag of TTLS
    - Limit the search to the time window you're interested in
  - Refer to z/OS Communications Server IP Diagnosis Guide Chapter 30 for details on ATTLS error messages and codes
    - Some return codes are referred to the z/OS Cryptographic Services System Secure Sockets Layer Programming
- The FTP server also logs errors to the z/OS UNIX syslog daemon:
      *.FTP*.daemon.*   /var/syslog/logs/ftp.log

Example ATTLS error record in the syslogd log file:
  00000024 Jul 30 10:41:07 MVS098/TCPCS TCPCS TTLS[10]: 10:41:07 TCPCS EZD1286I TTLS Error GRPID: 00000001 ENVID: 00000001 CONNID: 0000007E LOCAL: ::0.1126 REMOTE: ::0.2252 JOBNAME: JESES002 USERID: TCPCS RULE: ABC NJE 2 RC: 503 Initial Handshake 00000000 7E60A378
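The EZD1286I record above is what you search the ATTLS log for. This added example (not an IBM tool) parses such records into their fields, restricts them to a time window as the slide suggests, and counts handshake failures per AT-TLS rule and return code and per remote endpoint, which tells you quickly whether one client or one rule is behind a burst of errors. The sample log is constructed: the first line is the one from the slide, the other two are made up in the same format.

```python
"""Parse and summarise EZD1286I TTLS Error records from the AT-TLS syslogd log."""
import re
from collections import Counter

KEYS = "GRPID ENVID CONNID LOCAL REMOTE JOBNAME USERID RULE RC".split()
ALT = "|".join(KEYS)
# A field value runs up to the next "KEY: " or the end of the record, so that
# values with blanks (RULE: ABC NJE 2, RC: 503 Initial Handshake ...) stay whole.
FIELD_RE = re.compile(rf"({ALT}): (.*?)(?= (?:{ALT}): |$)")
LINE_RE = re.compile(r"^\S+ (\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) .*?EZD1286I TTLS Error (.*)$")

# Constructed sample log (first record copied from the slide).
SAMPLE_LOG = """\
00000024 Jul 30 10:41:07 MVS098/TCPCS TCPCS TTLS[10]: 10:41:07 TCPCS EZD1286I TTLS Error GRPID: 00000001 ENVID: 00000001 CONNID: 0000007E LOCAL: ::0.1126 REMOTE: ::0.2252 JOBNAME: JESES002 USERID: TCPCS RULE: ABC NJE 2 RC: 503 Initial Handshake 00000000 7E60A378
00000025 Jul 30 10:41:09 MVS098/TCPCS TCPCS TTLS[10]: 10:41:09 TCPCS EZD1286I TTLS Error GRPID: 00000001 ENVID: 00000001 CONNID: 0000007F LOCAL: ::0.1126 REMOTE: ::0.2253 JOBNAME: JESES002 USERID: TCPCS RULE: ABC NJE 2 RC: 503 Initial Handshake 00000000 7E60A380
00000031 Jul 30 11:02:44 MVS098/TCPCS TCPCS TTLS[10]: 11:02:44 TCPCS EZD1286I TTLS Error GRPID: 00000001 ENVID: 00000002 CONNID: 00000081 LOCAL: ::0.21 REMOTE: ::0.2260 JOBNAME: FTPD1 USERID: TCPCS RULE: FTP SERVER RC: 402 Initial Handshake 00000000 7E60A402
"""


def parse_ttls_error(line):
    """Split one EZD1286I TTLS Error record into a dict; None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": m.group(1), "host": m.group(2)}
    rec.update(FIELD_RE.findall(m.group(3)))
    code, _, detail = rec["RC"].partition(" ")      # "503 Initial Handshake ..." -> 503, text
    rec["RC"], rec["detail"] = int(code), detail
    return rec


def in_window(rec, start, end):
    """True when the record's HH:MM:SS lies in [start, end]; fixed-width so string compare works."""
    return start <= rec["timestamp"].split()[-1] <= end


def summarize(log_text, start="00:00:00", end="23:59:59"):
    """Count TTLS errors per (rule, RC) and per remote endpoint inside the time window."""
    recs = [r for r in map(parse_ttls_error, log_text.splitlines())
            if r is not None and in_window(r, start, end)]
    return {
        "records": len(recs),
        "by_rule_rc": Counter((r["RULE"], r["RC"]) for r in recs),
        "by_remote": Counter(r["REMOTE"] for r in recs),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG, "10:40:00", "10:45:00")
    for (rule, rc), n in summary["by_rule_rc"].most_common():
        print(f"{n:3d}  rule={rule!r}  RC={rc}")
```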

Safe and Secure Transfers with z/OS FTP
z/OS FTP Server with server authentication and client authentication – client WS FTP Pro on Windows

What is needed for z/OS server and client authentication

[Figure: the client key-ring (key-ring of the client user ID) holds the CA certificate with the CA public key, the client certificate with the client public key (signed by the CA private key), and the client private key. The server key-ring (key-ring of the server started task user ID) holds the CA certificate with the CA public key, the server certificate with the server public key (signed by the CA private key), and the server private key.]

Handshake between the client and the z/OS server:
1. TCP connection setup
2. Client: Hello – I want to use SSL/TLS
3. Server: Hello – OK, me too!! And here is my server certificate (server certificate w. server public key). And I want to see your client certificate
4. Client:
   1. Verify server certificate has not expired
   2. Verify server certificate is valid using CA's public key
   3. Do optional checks on the server certificate
   4. Store server's public key for later use
   5. Generate symmetric key and encrypt under server's public key
5. Client: Here is our secret symmetric key, encrypted under your public key. And here is my client certificate (client certificate w. client public key)
6. Server:
   1. Verify client certificate has not expired
   2. Verify client certificate is valid using CA's public key
   3. Do optional checks on the client certificate
      - Does it map to a RACF user ID (authentication level 2)
      - Is the user permitted to use this service (authentication level 3)

z/OS FTP server options for authenticating an FTP client

| Authentication level | FTP server SECURE_LOGIN option | Description |
|---|---|---|
| Level 1 | REQUIRED | The authenticity and validity of the client certificate is verified against the trusted roots in the FTP server's key-ring. |
| Level 2 | VERIFY_USER | Same as level 1 PLUS a verification that the client certificate is registered by RACF and mapped to a known RACF user ID. |
| Level 3 | VERIFY_USER | Same as level 2 PLUS a verification that the user ID has permission to a SERVAUTH profile that represents this specific FTP server: EZB.FTP.sysname.ftpdaemonname.PORTnnnnn |

User private key and certificate
Start creating a private key and certificate for your z/O
