Application Transparent Transport Layer Security (AT-TLS) is the best way to implement TLS security for the FTP server and client. AT-TLS provides additional functionality and performance for TLS secured connections.
Perform the following steps to migrate from an existing configuration using TLS security for the FTP server and client to a configuration using AT-TLS:
For details about AT-TLS setup, see Application Transparent Transport Layer Security data protection. For Policy Agent setup and AT-TLS policy statements, see z/OS Communications Server: IP Configuration Reference.
Code a TTLSEnvironmentAdvancedParms statement with the ApplicationControlled and SecondaryMap parameters; both parameters should specify the value On. The ApplicationControlled parameter allows FTP to start and stop TLS security on a connection. The SecondaryMap parameter enables active or passive data connections to use the AT-TLS policy that is used for the control connection, so you do not need to code any additional TTLSRule statements for the data connections.
FTP.DATA statement | AT-TLS equivalent statement | AT-TLS policy statement |
---|---|---|
KEYRING | Keyring | TTLSKeyRingParms -> TTLSEnvironmentAction |
CIPHERSUITE | V3CipherSuites | TTLSCipherParms -> TTLSEnvironmentAction |
TLSTIMEOUT | GSK_V3_SESSION_TIMEOUT | TTLSGskAdvancedParms -> TTLSEnvironmentAction |

CIPHERSUITE cipher | V3CipherSuites cipher | Hexadecimal value |
---|---|---|
SSL_DES_SHA | TLS_RSA_WITH_DES_CBC_SHA | 09 |
SSL_3DES_SHA | TLS_RSA_WITH_3DES_EDE_CBC_SHA | 0A |
SSL_NULL_MD5 | TLS_RSA_WITH_NULL_MD5 | 01 |
SSL_NULL_SHA | TLS_RSA_WITH_NULL_SHA | 02 |
SSL_RC2_MD5_EX | TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | 06 |
SSL_RC4_MD5 | TLS_RSA_WITH_RC4_128_MD5 | 04 |
SSL_RC4_MD5_EX | TLS_RSA_EXPORT_WITH_RC4_40_MD5 | 03 |
SSL_AES_128_SHA | TLS_RSA_WITH_AES_128_CBC_SHA | 2F |
SSL_AES_256_SHA | TLS_RSA_WITH_AES_256_CBC_SHA | 35 |

For example, the following CIPHERSUITE statements in FTP.DATA:

```
CIPHERSUITE SSL_AES_256_SHA
CIPHERSUITE SSL_3DES_SHA
CIPHERSUITE SSL_NULL_SHA
```

The equivalent TTLSCipherParms statement:

```
TTLSCipherParms
{
  V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_NULL_SHA
}
```
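The following AT-TLS policy fragment is an added example, not taken from this page or from the product documentation, that puts the pieces above together for an FTP server: a TTLSRule for the control connection, the TTLSEnvironmentAction it references, and the TTLSKeyRingParms, TTLSCipherParms, TTLSGskAdvancedParms and TTLSEnvironmentAdvancedParms statements that replace the FTP.DATA KEYRING, CIPHERSUITE and TLSTIMEOUT statements. Port 21 is the standard FTP control port; the object names (FTPServerRule, FTPGroup, FTPServerEnv, FTPKeyring, FTPCiphers, FTPGskAdv, FTPEnvAdv), the keyring name FTPD/FTPRING and the timeout value 100 are assumed placeholders, and the cipher list carries over only the AES suites from the mapping table.

```text
# Added example (not from the page): AT-TLS policy for an FTP server.
# Object names, the keyring name and the timeout value are assumed
# placeholders; replace them with the values from your FTP.DATA.

# Rule for the FTP control connection (port 21). Data connections need no
# rule of their own because SecondaryMap is On in FTPEnvAdv below.
TTLSRule FTPServerRule
{
  LocalPortRange                   21
  Direction                        Inbound
  TTLSGroupActionRef               FTPGroup
  TTLSEnvironmentActionRef         FTPServerEnv
}

TTLSGroupAction FTPGroup
{
  TTLSEnabled                      On
}

TTLSEnvironmentAction FTPServerEnv
{
  HandshakeRole                    Server
  TTLSKeyRingParmsRef              FTPKeyring
  TTLSCipherParmsRef               FTPCiphers
  TTLSGskAdvancedParmsRef          FTPGskAdv
  TTLSEnvironmentAdvancedParmsRef  FTPEnvAdv
}

# Replaces FTP.DATA: KEYRING FTPD/FTPRING   (assumed keyring name)
TTLSKeyRingParms FTPKeyring
{
  Keyring                          FTPD/FTPRING
}

# Replaces FTP.DATA: CIPHERSUITE SSL_AES_256_SHA and SSL_AES_128_SHA.
# The NULL, export, DES and RC4 entries in the mapping table give no or
# weak confidentiality and are deliberately not carried over.
TTLSCipherParms FTPCiphers
{
  V3CipherSuites                   TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites                   TLS_RSA_WITH_AES_128_CBC_SHA
}

# Replaces FTP.DATA: TLSTIMEOUT 100   (assumed value, in seconds)
TTLSGskAdvancedParms FTPGskAdv
{
  GSK_V3_SESSION_TIMEOUT           100
}

# ApplicationControlled lets FTP start and stop TLS security on the
# connection; SecondaryMap applies this policy to the data connections.
TTLSEnvironmentAdvancedParms FTPEnvAdv
{
  ApplicationControlled            On
  SecondaryMap                     On
}
```

After activating the policy through Policy Agent, verify the result on a live session rather than trusting the configuration alone: the FTP server should report a TLS-protected control connection, and the data connection for a directory listing or transfer should be protected by the same environment, which confirms that SecondaryMap took effect and that no separate TTLSRule is needed for the data ports.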