SECURE_LOGIN (FTP server) statement

Use the SECURE_LOGIN statement to indicate whether the FTP server requires client authentication.

The SECURE_LOGIN statement setting applies to TLS and Kerberos. Note that the term certificate is actually TLS terminology. In Kerberos, the equivalent of a certificate is a ticket, which contains credentials.

Rules:
  • This statement is valid only when you have coded EXTENSIONS TLS or EXTENSIONS AUTH in the FTP.DATA file of the server.
  • If you code VERIFYUSER TRUE in FTP.DATA, the server verifies the user's access to the FTP server port profile in the SERVAUTH class regardless of the SECURE_LOGIN value.

Syntax

   .-SECURE_LOGIN NO_CLIENT_AUTH------.   
>>-+----------------------------------+------------------------><
   '-SECURE_LOGIN--+-VERIFY_USER----+-'   
                   +-NO_CLIENT_AUTH-+     
                   '-REQUIRED-------'     

Parameters

VERIFY_USER
Indicates that in addition to client certificate authentication, the user's ID is further verified.
For Kerberos, the user ID in the client's ticket is verified to match the login user ID.
For TLS:
  • The server verifies that the certificate has been registered with your SAF-compliant security product, such as RACF®, and has an associated user ID matching the login user ID.
  • If the SERVAUTH class of RACF (or another security product) is active and a resource profile has been defined for the port, the connection is allowed only if the user ID associated with the client certificate has READ access to that profile.
    The resource name has the form:
    EZB.FTP.<systemname>.<ftpdaemonname>.PORTxxxx
    where xxxx is replaced by the port number of the FTP daemon. For example, if the procedure FTPD is used to start the daemon on system MVS164 and the daemon uses the default FTP port 21, then the resource name is:
    EZB.FTP.MVS164.FTPD1.PORT21

Tip: For sessions that are not secured with TLS, you can use the same resource profile to control which users can log into the FTP server when you code VERIFYUSER TRUE in the server's FTP.DATA file. However, if you do code VERIFYUSER TRUE in FTP.DATA, the server verifies the user's access to the resource profile regardless of the SECURE_LOGIN value.

REQUIRED
Indicates that the server should authenticate client certificates.

This does not affect Kerberos behavior; Kerberos always processes the client's ticket.

For TLS, client certificate authentication occurs during the SSL handshake. To pass authentication, the Certificate Authority (CA) that signed the client certificate must be considered trusted by the server. This means a certificate for the CA that issued the client certificate is listed as trusted in the server's key ring.

NO_CLIENT_AUTH
Specifies that the server should not request the client certificate for TLS.

This parameter has no effect for Kerberos.

Examples

SECURE_LOGIN REQUIRED
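The following fragment is an added illustration, not part of the original page, showing how the VERIFY_USER resource profile and the REQUIRED trust requirement described above fit together: an FTP.DATA fragment for the server, followed by the RACF commands that establish the trusted CA in the server key ring, register a client certificate to its user ID, and define the SERVAUTH port profile. The system name MVS164, daemon name FTPD1 and port 21 are the ones used on this page; the data set names, the key ring name FTPRing, the daemon user ID FTPD and the user ID USER01 are constructed assumptions. Lines beginning with `;` (in FTP.DATA) or `#` (in the RACF part) are annotations, not part of the commands.

```text
; ---- FTP.DATA (server), constructed fragment ----
; SECURE_LOGIN is only honoured when EXTENSIONS TLS or EXTENSIONS AUTH is coded
EXTENSIONS   TLS
; Require a client certificate, check it maps to the login user ID,
; and (when the SERVAUTH class is active) check READ access to the port profile
SECURE_LOGIN VERIFY_USER

# ---- RACF commands, constructed example (issued from TSO) ----
# 1. Trust the CA that issued the client certificates and connect it to the
#    server key ring; without this the handshake fails under REQUIRED/VERIFY_USER
RACDCERT CERTAUTH ADD('SYS1.CLIENTCA.CERT') WITHLABEL('ClientCA') TRUST
RACDCERT ID(FTPD) CONNECT(CERTAUTH LABEL('ClientCA') RING(FTPRing))

# 2. Register one client's certificate to its user ID; VERIFY_USER requires that
#    this user ID equals the user ID given at login
RACDCERT ID(USER01) ADD('SYS1.USER01.CERT') WITHLABEL('USER01 FTP') TRUST

# 3. Port profile EZB.FTP.<systemname>.<ftpdaemonname>.PORTxxxx with no default
#    access; only users explicitly permitted READ may log in
RDEFINE SERVAUTH EZB.FTP.MVS164.FTPD1.PORT21 UACC(NONE)
PERMIT   EZB.FTP.MVS164.FTPD1.PORT21 CLASS(SERVAUTH) ID(USER01) ACCESS(READ)
SETROPTS RACLIST(SERVAUTH) REFRESH
```

With UACC(NONE) on the port profile, a client whose certificate is valid and correctly registered but whose user ID has not been permitted READ access is still refused, which is the point of VERIFY_USER over REQUIRED. The same profile governs non-TLS sessions when VERIFYUSER TRUE is coded in FTP.DATA.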
