Use the SECURE_LOGIN statement to indicate whether the FTP server requires client authentication.
The SECURE_LOGIN statement setting applies to TLS and Kerberos. Note that the term certificate is actually TLS terminology. In Kerberos, the equivalent of a certificate is a ticket, which contains credentials.
   .-SECURE_LOGIN NO_CLIENT_AUTH------.
>>-+----------------------------------+------------------------><
   '-SECURE_LOGIN--+-VERIFY_USER----+-'
                   +-NO_CLIENT_AUTH-+
                   '-REQUIRED-------'
EZB.FTP.<systemname>.<ftpdaemonname>.PORTxxxx
where xxxx is replaced by the port number for the FTP daemon. For example, if the procedure FTPD is used to start the daemon on system MVS164 and the daemon uses the default FTP port 21, then the resource name is:
EZB.FTP.MVS164.FTPD1.PORT21
Tip: For sessions that are not secured with TLS, you can use the same resource profile to control which users can log into the FTP server when you code VERIFYUSER TRUE in the server's FTP.DATA file. However, if you do code VERIFYUSER TRUE in FTP.DATA, the server verifies the user's access to the resource profile regardless of the SECURE_LOGIN value.
This does not affect Kerberos behavior; Kerberos always processes the client's ticket.
For TLS, client certificate authentication occurs during the SSL handshake. To pass authentication, the Certificate Authority (CA) that signed the client certificate must be considered trusted by the server. This means a certificate for the CA that issued the client certificate is listed as trusted in the server's key ring.
This parameter has no effect for Kerberos.
SECURE_LOGIN REQUIRED
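
The following added example (not IBM code) audits FTP.DATA text: it resolves the effective SECURE_LOGIN value, derives the SERVAUTH resource name in the format given above, and reports whether the profile check applies. The function names and the sample fragment are constructed for illustration. It assumes that ';' starts a comment, that keywords are case-insensitive, and that VERIFY_USER means certificate authentication as for REQUIRED plus the SERVAUTH profile check.

```python
# Added example (not IBM code): audit the SECURE_LOGIN setting in FTP.DATA text.
VALID = {"NO_CLIENT_AUTH", "REQUIRED", "VERIFY_USER"}

# Constructed sample FTP.DATA fragment, not taken from a real system.
SAMPLE = """\
; FTP server security settings
EXTENSIONS AUTH_TLS
SECURE_LOGIN verify_user   ; check the SERVAUTH profile as well
"""

def parse_ftp_data(text):
    """Collect the values coded for SECURE_LOGIN and VERIFYUSER.
    Assumption: ';' starts a comment and keywords are case-insensitive."""
    found = {"SECURE_LOGIN": set(), "VERIFYUSER": set()}
    for raw in text.splitlines():
        parts = raw.split(";", 1)[0].split()
        if len(parts) >= 2 and parts[0].upper() in found:
            found[parts[0].upper()].add(parts[1].upper())
    return found

def servauth_resource(system, daemon, port):
    """Build EZB.FTP.<systemname>.<ftpdaemonname>.PORTxxxx."""
    return f"EZB.FTP.{system}.{daemon}.PORT{int(port)}"

def audit(text, system, daemon, port=21):
    found = parse_ftp_data(text)
    for keyword, values in found.items():
        if len(values) > 1:
            # Do not guess which conflicting statement the server honours.
            raise ValueError(f"{keyword} coded with conflicting values: {sorted(values)}")
    # NO_CLIENT_AUTH is the default shown in the syntax diagram.
    secure_login = next(iter(found["SECURE_LOGIN"]), "NO_CLIENT_AUTH")
    if secure_login not in VALID:
        raise ValueError(f"unknown SECURE_LOGIN value: {secure_login}")
    verifyuser = found["VERIFYUSER"] == {"TRUE"}
    return {
        "secure_login": secure_login,
        # Assumption: VERIFY_USER authenticates the certificate as REQUIRED does.
        "tls_client_cert_authenticated": secure_login in ("REQUIRED", "VERIFY_USER"),
        # VERIFYUSER TRUE forces the profile check whatever SECURE_LOGIN says.
        "servauth_checked": verifyuser or secure_login == "VERIFY_USER",
        "resource": servauth_resource(system, daemon, port),
    }

if __name__ == "__main__":
    print(audit(SAMPLE, "MVS164", "FTPD1", 21))
```

A server that reports servauth_checked as True needs the listed resource defined in the SERVAUTH class, with access permitted only to the user IDs that should be able to log in.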