A fix is available
APAR status
Closed as new function.
Error description
The new function allows the FTP client to optionally bypass the password when it is using TLS and the server receives a certificate from the client that contains the client's user ID and password. The password check is done automatically once the FTP server has verified that the user ID the client typed matches the user ID in the certificate.
Local fix
Do not try to bypass the password. The client should manually enter the password.
Problem summary
****************************************************************
* USERS AFFECTED: All users of the IBM Communications Server   *
*                 for z/OS Version 1 Release 4 IP: FTP Server  *
****************************************************************
* PROBLEM DESCRIPTION: Support required for the FTP client to  *
*                      optionally bypass the password if they  *
*                      are using TLS and the server receives   *
*                      a certificate from the client that      *
*                      contains the client's user ID and       *
*                      password, needs to be added.            *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The FTP support for the FTP.DATA keyword SECURE_PASSWORD is being added to this release. This will allow the client to optionally bypass the password if they are using TLS.
+-------------------------------------------------------------+
+ Please check our Communications Server for OS/390 homepages +
+ for common networking tips and fixes. The URL for these     +
+ homepages can be found in Informational APAR II11334.       +
+-------------------------------------------------------------+
Problem conclusion
Temporary fix
Comments
The FTP server has been updated to support the SECURE_PASSWORD FTP.DATA parameter. The following documentation changes will be made.

===============================================================
IBM Communications Server: IP and SNA Codes SC31879102

Add the following 2 replies under FTPD Reply Codes.

530 USER command failed

Explanation: The client entered a USER command to log in to the server. While validating the USER name, a function issued by the server failed.
System Action: The login attempt to the user ID on the server system is rejected. Control is returned to the client for further command processing.
User Response: Contact the system programmer.
System Programmer Response: A previous 530- reply should contain additional information in the reason code field.

---------------------------------------------------------------
530- An error occurred in the security product

Explanation: The client entered the USER command to log in to the server. The server is using the client certificate that is passed to the server when a TLS protected session was established to authenticate the user. The client certificate is already defined for another process or the certificate does not meet the required format.
System Action: The login to the user ID is rejected.
User Response: Contact the system programmer.
System Programmer Response: Find the certificate in the security product and determine whether it is a valid certificate that is registered.

===============================================================
IBM Communications Server: IP Messages: Vol 3 (EZY) SC31878502

Add the following message.

EZYFS16I SECURE_PASSWORD reset to REQUIRED

Explanation: After processing the FTP.DATA statements, the server cross-checked the values of the SECURE_LOGIN and SECURE_PASSWORD statements and found them to be in a combination that is not valid. SECURE_PASSWORD is coded with a value of OPTIONAL and SECURE_LOGIN has the value NO_CLIENT_AUTH. NO_CLIENT_AUTH indicates that the server does not request a certificate from the client. A client certificate is required for a session protected by the TLS security mechanism if the OPTIONAL feature is requested for SECURE_PASSWORD.
System Action: The value set by SECURE_PASSWORD is changed to the value that would be set if REQUIRED were coded for SECURE_PASSWORD. As a result, a password will be required for authentication of a TLS secured login.
User or Operator Response: If the new value is acceptable, no action is required. Otherwise, contact the system programmer to have the values for the parameters changed.
System Programmer Response: Update the FTP.DATA file with corrected values for SECURE_LOGIN and SECURE_PASSWORD. Refer to z/OS Communications Server: IP Configuration Reference for information about the statements in the FTP.DATA file.
Source Data Set: EZAFTPEP
Procedure Name: read_ftpdata

Add a new reason code to message EZYFS57I.

21 Determine whether the certificate or ticket used to authenticate the user is associated in the security product with a different user.

===============================================================
IBM Communications Server: IP Configuration Guide SC31877502

Add the following in section "Steps for customizing the FTP server for TLS", under Step 5:

If you choose to use client authentication, you can also use the client certificate authentication process to eliminate the login password prompt so that a client supplies only the login user ID to establish the session. The certificate received from the client must be registered with the security product and must be associated with the login user ID. You can use the RACDCERT ADD command to register and associate the certificate. If the certificate is either not registered or not associated with the user ID, you will be prompted for a password.

If you do not want to use the client authentication process to eliminate the client password prompt, code the following statement in the server's FTP.DATA configuration file:

   SECURE_PASSWORD REQUIRED

This is the default.

If you want to use the client authentication process to eliminate the client password prompt, along with your client authentication statement (either SECURE_LOGIN REQUIRED or SECURE_LOGIN VERIFY_USER), code the following statement in the server's FTP.DATA configuration file:

   SECURE_PASSWORD OPTIONAL

================================================================
IBM Communications Server: IP Configuration Reference SC31877603

Add the following under FTP.DATA Statements.

SECURE_PASSWORD statement (FTP server)

Use the SECURE_PASSWORD statement to specify whether a password is required by the FTP server for a TLS protected session. The statement is ignored for sessions that are not protected by the TLS security mechanism.

Syntax

        _SECURE_PASSWORD REQUIRED______
   >>__|_______________________________|_________________________><
       |_SECURE_PASSWORD__ _REQUIRED_ _|
                          |_OPTIONAL_|

Parameters

REQUIRED
   Specifies that a password is required to log in a client whose session is protected by the TLS security mechanism.

OPTIONAL
   Specifies that the password is not required if the client provides a certificate that can be used to authenticate the user. See the following Usage notes. If the client certificate is used to authenticate the user and the authentication fails, the login attempt fails.

Rule: The handshake that occurs when the TLS protected session is set up must include the transfer of the client certificate to the server. If you code SECURE_PASSWORD OPTIONAL, you must code SECURE_LOGIN VERIFY_USER or SECURE_LOGIN REQUIRED to require the client certificate.

Result: If you code SECURE_PASSWORD OPTIONAL and SECURE_LOGIN NO_CLIENT_AUTH in the FTP.DATA file, the message EZYFS16I is logged to inform you that the combination is not allowed. The value set by the SECURE_PASSWORD statement is changed to REQUIRED.

Examples

To require the user to enter a password on a TLS protected session only when the USER name does not match the name associated with the certificate, code the following statements:

   SECURE_LOGIN REQUIRED
   SECURE_PASSWORD OPTIONAL

Usage notes

The certificate that is received from the client must be registered in the security product and must be associated with the user ID that is passed on the USER command to the FTP server. You can use the RACDCERT ADD command to register and associate the certificate.

When the certificate is registered in the security product and is associated with the user ID that is passed in on the USER command, the SECURE_PASSWORD statement value determines the action taken during the login procedure.

Table: SECURE_PASSWORD statement value options
---------------------------------------------------------------
SECURE_PASSWORD   SECURE_LOGIN     Action
---------------------------------------------------------------
REQUIRED          VERIFY_USER      Prompt for a password.
                  OR REQUIRED
---------------------------------------------------------------
OPTIONAL          VERIFY_USER      Authenticate with the certificate
                  OR REQUIRED      (do not prompt for a password if
                                   the authentication fails).
---------------------------------------------------------------

When the certificate is either not registered in the security product or not associated with the user ID that is passed in on the USER command, the SECURE_LOGIN statement value determines the action during the login procedure.

Table: SECURE_LOGIN statement value options
---------------------------------------------------------------
SECURE_PASSWORD   SECURE_LOGIN     Action
---------------------------------------------------------------
REQUIRED          VERIFY_USER      Fail the login.
OR OPTIONAL
---------------------------------------------------------------
REQUIRED          REQUIRED         Prompt for a password.
OR OPTIONAL
---------------------------------------------------------------
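The EZYFS16I cross-check and the two decision tables above are easier to reason about as one piece of logic. The following is an added example written for this page, not IBM code and not the z/OS FTP server's implementation: it parses the two statements from constructed FTP.DATA-style lines, applies the OPTIONAL plus NO_CLIENT_AUTH reset, and then returns the login action the tables specify for a given USER name and certificate. The SECURE_LOGIN default of NO_CLIENT_AUTH, the ";" comment marker, and the "prompt for a password" outcome under NO_CLIENT_AUTH are assumptions made for the model; the page states only that a password is then required.

```python
# Added illustration (not IBM code): a model of the FTP server login decision
# described in the SECURE_PASSWORD documentation, so the EZYFS16I cross-check
# and the two decision tables can be stepped through on constructed inputs.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VALID_SECURE_PASSWORD = {"REQUIRED", "OPTIONAL"}
VALID_SECURE_LOGIN = {"NO_CLIENT_AUTH", "REQUIRED", "VERIFY_USER"}

# Actions named in the two tables, plus the outcome of a failed certificate login.
PROMPT_PASSWORD = "PROMPT_PASSWORD"
AUTH_WITH_CERT = "AUTH_WITH_CERT"
FAIL_LOGIN = "FAIL_LOGIN"


def read_ftpdata(statements: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Parse the two statements from FTP.DATA-style lines and apply the
    cross-check the page attributes to read_ftpdata: OPTIONAL together with
    NO_CLIENT_AUTH is reset to REQUIRED and EZYFS16I is logged.
    Defaults: SECURE_PASSWORD REQUIRED (stated on the page); SECURE_LOGIN
    NO_CLIENT_AUTH is assumed here. The ';' comment marker is also an assumption."""
    cfg = {"SECURE_LOGIN": "NO_CLIENT_AUTH", "SECURE_PASSWORD": "REQUIRED"}
    messages: List[str] = []
    for raw in statements:
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.upper(), value.strip().upper()
        if key == "SECURE_PASSWORD" and value in VALID_SECURE_PASSWORD:
            cfg[key] = value
        elif key == "SECURE_LOGIN" and value in VALID_SECURE_LOGIN:
            cfg[key] = value
    if cfg["SECURE_PASSWORD"] == "OPTIONAL" and cfg["SECURE_LOGIN"] == "NO_CLIENT_AUTH":
        messages.append("EZYFS16I SECURE_PASSWORD reset to REQUIRED")
        cfg["SECURE_PASSWORD"] = "REQUIRED"
    return cfg, messages


@dataclass
class ClientCert:
    """What the security product knows about the certificate sent in the TLS handshake."""
    registered: bool                  # registered (e.g. with RACDCERT ADD)
    associated_user: Optional[str]    # user ID it is associated with, if any


def login_action(cfg: Dict[str, str], tls: bool, user: str,
                 cert: Optional[ClientCert]) -> str:
    """Decide what the server does on USER <user>, following the two tables."""
    if not tls:
        return PROMPT_PASSWORD   # statement ignored off TLS: ordinary password login
    secure_password, secure_login = cfg["SECURE_PASSWORD"], cfg["SECURE_LOGIN"]
    if secure_login == "NO_CLIENT_AUTH":
        # No certificate was requested in the handshake, so only a password
        # can authenticate the user (assumption consistent with the EZYFS16I text).
        return PROMPT_PASSWORD
    # Table "SECURE_PASSWORD statement value options": certificate registered and
    # associated with the USER name, so SECURE_PASSWORD decides.
    if cert is not None and cert.registered and cert.associated_user == user:
        return AUTH_WITH_CERT if secure_password == "OPTIONAL" else PROMPT_PASSWORD
    # Table "SECURE_LOGIN statement value options": certificate missing, not
    # registered, or associated with another user, so SECURE_LOGIN decides.
    return FAIL_LOGIN if secure_login == "VERIFY_USER" else PROMPT_PASSWORD


def complete_login(action: str, cert_auth_ok: bool) -> str:
    """Second step: a certificate login either succeeds or fails outright; per the
    OPTIONAL parameter text the server does not fall back to a password prompt."""
    if action == AUTH_WITH_CERT:
        return "LOGGED_IN" if cert_auth_ok else FAIL_LOGIN
    return action


if __name__ == "__main__":
    # Constructed FTP.DATA fragment with the combination the page says is not allowed.
    cfg, msgs = read_ftpdata(["SECURE_LOGIN NO_CLIENT_AUTH ; constructed sample",
                              "SECURE_PASSWORD OPTIONAL"])
    print(cfg, msgs)   # SECURE_PASSWORD is back to REQUIRED and EZYFS16I is logged
    cfg, _ = read_ftpdata(["SECURE_LOGIN REQUIRED", "SECURE_PASSWORD OPTIONAL"])
    bob = ClientCert(registered=True, associated_user="BOB")   # constructed
    print(login_action(cfg, True, "BOB", bob))      # AUTH_WITH_CERT
    print(login_action(cfg, True, "ALICE", bob))    # PROMPT_PASSWORD (SECURE_LOGIN REQUIRED)
```

The point the model makes visible is that OPTIONAL never weakens the check: a certificate that is unregistered or bound to a different user ID still ends in a password prompt (SECURE_LOGIN REQUIRED) or a rejected login (SECURE_LOGIN VERIFY_USER), and a certificate that is bound to the user but fails authentication rejects the login rather than falling back to a password.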
APAR Information
APAR number
PQ84185
Reported component name
TCP/IP V3 MVS
Reported component ID
5655HAL00
Reported release
140
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2004-02-04
Closed date
2004-03-24
Last modified date
2004-05-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UQ86593 UQ86594
Modules/Macros
EZAFTPAS EZAFTPBU EZAFTPCX EZAFTPDM EZAFTPEP EZAFTPFR EZAFTPLD EZAFTPLS EZAFTPRA EZAFTPSM EZAFTPSR
SC31877502 | SC31877603 | SC31878502 | SC31879102
Fix information
Fixed component name
TCP/IP V3 MVS
Fixed component ID
5655HAL00
Applicable component levels
Fix is available
Document Information
Modified date:
05 May 2004