IBM Support

PQ84185: NEW FUNCTION

A fix is available


APAR status

  • Closed as new function.

Error description

  • The new function will allow the FTP client to optionally
    bypass the password when TLS is in use and the server
    receives a certificate from the client that contains the
    client's user ID and password.  The password check will be done
    automatically once the FTP server has verified that the
    user ID typed in by the client matches the user ID in the certificate.
    

Local fix

  • Do not try to bypass the password.  The client should
    manually enter the password.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of the IBM Communications Server   *
    *                 for z/OS Version 1 Release 4 IP: FTP Server  *
    ****************************************************************
    * PROBLEM DESCRIPTION: Support required for the FTP client to  *
    *                      optionally bypass the password if they  *
    *                      are using TLS and the server receives   *
    *                      a certificate from the client that      *
    *                      contains the clients userid and         *
    *                      password, needs to be added.            *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The FTP support for the FTP.DATA keyword SECURE_PASSWORD is
    being added to this release.  This will allow the client to
    optionally bypass the password if they are using TLS.
    +-------------------------------------------------------------+
    + Please check our Communications Server for OS/390 homepages +
    + for common networking tips and fixes.  The URL for these    +
    + homepages can be found in Informational APAR II11334.       +
    +-------------------------------------------------------------+
    

Problem conclusion

Temporary fix

Comments

  • The FTP server has been updated to support the SECURE_PASSWORD
    FTP.DATA parameter.  The following documentation changes will
    be made.
    
    ===============================================================
    IBM Communications Server: IP and SNA Codes
    SC31879102
    
    Add the following 2 replies under FTPD Reply Codes.
    
    530 USER command failed
    
    Explanation: The client entered a USER command to
    log in to the server.  While validating the USER name,
    a function issued by the server failed.
    
    System Action: The login attempt to the user ID on
    the server system is rejected. Control is returned to
    the client for further command processing.
    
    User Response: Contact the system programmer.
    
    System Programmer Response: A previous 530- reply should
    contain additional information in the reason code field.
    ---------------------------------------------------------------
    530- An error occurred in the security product
    
    Explanation: The client entered the USER command to log
    in to the server.  The server is authenticating the user with
    the client certificate that was passed to the server when the
    TLS-protected session was established.  The client certificate
    is already defined for another process, or the certificate does
    not meet the required format.
    
    System Action: The login to the user ID is rejected.
    
    User Response: Contact the system programmer.
    
    System Programmer Response: Find the certificate in the
    security product and determine whether it is a valid
    certificate that is registered.
    
    ===============================================================
    IBM Communications Server: IP Messages: Vol 3 (EZY)
    SC31878502
    
    Add the following message.
    
    EZYFS16I SECURE_PASSWORD reset to REQUIRED
    
    Explanation: After processing the FTP.DATA statements, the
    server cross-checked the values of the SECURE_LOGIN and
    SECURE_PASSWORD statements and found them to be in a combination
    that is not valid.
    
    SECURE_PASSWORD is coded with a value of OPTIONAL and
    SECURE_LOGIN has value NO_CLIENT_AUTH. NO_CLIENT_AUTH indicates
    that the server does not request a certificate from the client.
    A client certificate is required for a session protected by
    the TLS security mechanism if the OPTIONAL feature is requested
    for SECURE_PASSWORD.
    
    System Action: The value set by SECURE_PASSWORD is changed
    to the value that would be set if REQUIRED were coded for
    SECURE_PASSWORD. As a result a password will be required for
    authentication of a TLS secured login.
    
    User or Operator Response: If the new value is acceptable, no
    action is required. Otherwise, contact the system programmer
    to have the values for the parameters changed.
    
    System Programmer Response: Update the FTP.DATA file with
    corrected values for SECURE_LOGIN and SECURE_PASSWORD.
    Refer to z/OS Communication Server: IP Configuration Reference
    for information about the statements in the FTP.DATA file.
    
    Source Data Set: EZAFTPEP
    
    Procedure Name: read_ftpdata
    
    Add a new reason code to message EZYFS57I.
    
    21
    Determine whether the certificate or ticket used to authenticate
    the user is associated in the security product with a
    different user.
    
    ===============================================================
    IBM Communications Server: IP Configuration Guide
    SC31877502
    
    Add the following in section -
    "Steps for customizing the FTP server for TLS", under Step 5:
    If you choose to use client authentication, you can also use
    the client certificate authentication process to eliminate the
    login password prompt so that a client supplies only the login
    user ID to establish the session. The certificate received from
    the client must be registered with the security product and must
    be associated with the login user ID. You can use the RACDCERT
    ADD command to register and associate the certificate. If either
    the certificate is not registered or is not associated with the
    user ID, you will be prompted for a password.
    
    If you do not want to use the client authentication process to
    eliminate the client password prompt, you can code the following
    statement in the server's FTP.DATA configuration file:
           SECURE_PASSWORD REQUIRED
         This is the default.
    
    If you want to use the client authentication process to
    eliminate the client password prompt, along with your client
    authentication statement (either SECURE_LOGIN REQUIRED or
    SECURE_LOGIN VERIFY_USER), code the following statement in the
    server's FTP.DATA configuration file:
           SECURE_PASSWORD OPTIONAL
    ================================================================
    IBM Communications Server: IP Configuration Reference
    SC31877603
    
    Add the following under FTP.DATA Statements.
    
    SECURE_PASSWORD statement (FTP server)
    Use the SECURE_PASSWORD statement to specify whether a password
    is required by the FTP server for a TLS protected session.
    The statement is ignored for sessions that are not protected
    by the TLS security mechanism.
    Syntax
          _SECURE_PASSWORD REQUIRED______
     >>__|_______________________________|_________________________
         |_SECURE_PASSWORD__ _REQUIRED_ _|
                            |_OPTIONAL_ _|
    Parameters
    
    REQUIRED
    Specifies that a password is required to log in a client
    whose session is protected by the TLS security mechanism.
    
    OPTIONAL
    Specifies that the password is not required if the client
    provides a certificate that can be used to authenticate the
    user. See the following Usage notes.  If the client
    certificate is used to authenticate the user and the
    authentication fails, the login attempt fails.
    
    Rule: The handshake that occurs when the TLS protected session
    is established must include the transfer of the client certificate
    to the server. If you code SECURE_PASSWORD OPTIONAL, you must code
    SECURE_LOGIN VERIFY_USER or SECURE_LOGIN REQUIRED to require
    the client certificate.
    Result: If you code SECURE_PASSWORD OPTIONAL and SECURE_LOGIN
    NO_CLIENT_AUTH in the FTP.DATA file, the message EZYFS16I is
    logged to inform you that the combination is not allowed.
    The value set by the SECURE_PASSWORD statement is changed to
    REQUIRED.
    
    Examples
    To require the user to enter a password on a TLS protected
    session only when the USER name does not match the name
    associated with the certificate, code the following statements:
       SECURE_LOGIN      REQUIRED
       SECURE_PASSWORD   OPTIONAL
    
    Usage notes
    The certificate that is received from the client must be
    registered in the security product and must be associated
    with the user ID that is passed on the USER command to the FTP
    server. You can use the RACDCERT ADD command to
    register and associate the certificate.
    When the certificate is registered in the security product
    and is associated with the user ID that is passed in on the
    USER command, the SECURE_PASSWORD statement value determines
    the action taken during the login procedure.
    
    Table:    SECURE_PASSWORD statement value options
    ---------------------------------------------------------------
    SECURE_PASSWORD   SECURE_LOGIN              Action
    ---------------------------------------------------------------
    REQUIRED          VERIFY_USER or REQUIRED   Prompt for a password.
    ---------------------------------------------------------------
    OPTIONAL          VERIFY_USER or REQUIRED   Authenticate with the
                                                certificate (do not
                                                prompt for a password
                                                if the authentication
                                                fails).
    ---------------------------------------------------------------
    When either the certificate is not registered in the security
    product or it is not associated with the user ID that is passed
    in on the USER command, the SECURE_LOGIN statement value
    determines the action during the login procedure.
    ---------------------------------------------------------------
    Table:    SECURE_LOGIN statement value options
    ---------------------------------------------------------------
    SECURE_PASSWORD           SECURE_LOGIN     Action
    ---------------------------------------------------------------
    REQUIRED or OPTIONAL      VERIFY_USER      Fail the login.
    ---------------------------------------------------------------
    REQUIRED or OPTIONAL      REQUIRED         Prompt for a password.
    ---------------------------------------------------------------
    

APAR Information

  • APAR number

    PQ84185

  • Reported component name

    TCP/IP V3 MVS

  • Reported component ID

    5655HAL00

  • Reported release

    140

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2004-02-04

  • Closed date

    2004-03-24

  • Last modified date

    2004-05-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UQ86593 UQ86594

Modules/Macros

  • EZAFTPAS EZAFTPBU EZAFTPCX EZAFTPDM EZAFTPEP
    EZAFTPFR EZAFTPLD EZAFTPLS EZAFTPRA EZAFTPSM EZAFTPSR
    

Publications Referenced
SC31877502 SC31877603 SC31878502 SC31879102

Fix information

  • Fixed component name

    TCP/IP V3 MVS

  • Fixed component ID

    5655HAL00

Applicable component levels

  • R140 PSY UQ86593

       UP04/04/22 P F404

  • R149 PSY UQ86594

       UP04/04/22 P F404

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
05 May 2004