You can customize the FTP client for TLS, but a better way to implement TLS security is by using AT-TLS.
Perform the following steps to customize the FTP client for TLS:
Specify the TLS protocol level by coding one of the following TLSRFCLEVEL statements in FTP.DATA:
TLSRFCLEVEL DRAFT
This is the default. The z/OS® FTP client has supported TLS security at this level since V1R2. Code this statement in FTP.DATA to maintain this level of support.
TLSRFCLEVEL RFC4217
The RFC "Securing FTP with TLS" was published as RFC 4217 in October 2005. The RFC differs from the Internet draft in its description of the AUTH, CCC, and REIN commands, which affects client subcommands such as AUTH and CCC. Generally, RFC 4217 is less restrictive than the Internet draft. For more information, see RFC 4217. For more information about RFC 4217 and using security mechanisms, see z/OS Communications Server: IP User's Guide and Commands.
Select TLS as the security mechanism by coding the following statement in FTP.DATA:
SECURE_MECHANISM TLS
If you cannot use a virtual key ring, create the client key ring database and add the certificates that you need to that database.
Every TLS session handshake includes server authentication. If a server certificate is self-signed, you must import that certificate to the key ring database of any client that will log in using TLS. If the server certificate is signed by a CA, the CA certificate used to sign the server certificate (rather than the server certificate itself) needs to be in the client key ring database. For more information, see Server authentication.
If you are using client authentication, you must add a certificate for the client to the client key ring database.
If you are using client authentication and self-signed client certificates, you must add a certificate for the client to the server key ring database. If a client certificate is signed by a CA, the CA certificate used to sign the client certificate needs to be in the server key ring database, rather than the client certificate.
For information about the client certificates you must create, see Client authentication.
Select how TLS is provided by coding one of the following TLSMECHANISM statements in FTP.DATA:
TLSMECHANISM ATTLS
TLSMECHANISM FTP
This is the default setting.
If you specify TLSMECHANISM FTP, identify the client key ring database with the KEYRING statement in FTP.DATA:
KEYRING client-keyring-database
For information about the KEYRING statement, see z/OS Communications Server: IP Configuration Reference.
If you specify TLSMECHANISM ATTLS, code a TTLSEnvironmentAdvancedParms statement in the AT-TLS policy with the ApplicationControlled and SecondaryMap parameters, both set to On. The ApplicationControlled parameter allows FTP to start and stop TLS security on a connection. The SecondaryMap parameter enables active or passive data connections to use the AT-TLS policy that is used for the control connection, so you do not need to code any additional TTLSRule statements for the data connections.
A sample Policy Agent AT-TLS configuration showing the required policy statements follows:
TTLSGroupAction secure_ftp_client_group
{
  TTLSEnabled On
}
TTLSEnvironmentAction secure_ftp_client_env
{
  TTLSKeyringParms
  {
    Keyring client-keyring-database
  }
  HandshakeRole Client
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled On
    SecondaryMap On
  }
  TTLSCipherParmsRef ftp_client_ciphers   # Used to customize ciphersuites
}
TTLSCipherParms ftp_client_ciphers
{
  # Sample ciphers. Should be customized!
  V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_NULL_SHA
}
TTLSRule secure_ftp_client_rule
{
  RemotePortRange 21   # Set this to the port the FTP server is listening on
  Direction Outbound
  TTLSGroupActionRef secure_ftp_client_group
  TTLSEnvironmentActionRef secure_ftp_client_env
}
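As an added example that is not part of this page or of IBM's product code, the following Python script parses an AT-TLS policy fragment in the brace-delimited syntax used above and checks the settings this procedure requires: HandshakeRole Client, ApplicationControlled On and SecondaryMap On in TTLSEnvironmentAdvancedParms, a key ring, an Outbound rule, and references that resolve. It also flags the sample's TLS_RSA_WITH_NULL_SHA suite, which authenticates the session but leaves the data unencrypted, and the 3DES suite, which is why the sample says its ciphers should be customized. The parser, the finding texts and the WEAK_MARKERS list are assumptions of this example; it is not the Policy Agent's own syntax checker.

```python
"""Added example (not IBM's code): lint an AT-TLS policy fragment against the
FTP-client requirements above. Parser and weak-cipher markers are assumptions."""
from typing import List

# Constructed sample: the policy shown on the page, weak sample ciphers included.
SAMPLE_POLICY = """
TTLSGroupAction secure_ftp_client_group
{
  TTLSEnabled On
}
TTLSEnvironmentAction secure_ftp_client_env
{
  TTLSKeyringParms
  {
    Keyring client-keyring-database
  }
  HandshakeRole Client
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled On
    SecondaryMap On
  }
  TTLSCipherParmsRef ftp_client_ciphers   # Used to customize ciphersuites
}
TTLSCipherParms ftp_client_ciphers
{
  V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_NULL_SHA      # integrity only, no encryption
}
TTLSRule secure_ftp_client_rule
{
  RemotePortRange 21
  Direction Outbound
  TTLSGroupActionRef secure_ftp_client_group
  TTLSEnvironmentActionRef secure_ftp_client_env
}
"""
# Substrings marking suites with no encryption, 3DES, RC4, export or single-DES keys
# (a constructed list for this example; extend it for local policy).
WEAK_MARKERS = ("_NULL_", "3DES", "RC4", "EXPORT", "_DES_")
EMPTY = {"attrs": {}, "blocks": {}}


def parse_policy(text: str) -> dict:
    """Parse 'Statement [name]' lines and nested '{ ... }' blocks into a tree.
    Node = {"attrs": {keyword: [values]}, "blocks": {(type, name): node}}.
    '#' starts a comment; a line followed by '{' opens a nested block."""
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]
    pos = 0

    def block() -> dict:
        nonlocal pos
        node: dict = {"attrs": {}, "blocks": {}}
        while pos < len(lines) and lines[pos] != "}":
            parts = lines[pos].split(None, 1)
            pos += 1
            key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
            if pos < len(lines) and lines[pos] == "{":
                pos += 1                       # consume "{"
                node["blocks"][(key, value)] = block()
                pos += 1                       # consume "}"
            else:
                node["attrs"].setdefault(key, []).append(value)
        return node

    return block()


def _is_on(node: dict, parm: str) -> bool:
    return any(v.lower() == "on" for v in node["attrs"].get(parm, []))


def lint_ftp_client_policy(text: str) -> List[str]:
    """Return one finding per deviation from the FTP-client requirements."""
    blocks = parse_policy(text)["blocks"]
    findings: List[str] = []
    groups = {n for (t, n) in blocks if t == "TTLSGroupAction"}
    envs = {n: b for (t, n), b in blocks.items() if t == "TTLSEnvironmentAction"}
    ciphers = {n: b for (t, n), b in blocks.items() if t == "TTLSCipherParms"}

    for name, env in envs.items():
        if env["attrs"].get("HandshakeRole", [""])[0] != "Client":
            findings.append(f"{name}: HandshakeRole must be Client for the FTP client")
        if ("TTLSKeyringParms", "") not in env["blocks"]:
            findings.append(f"{name}: no TTLSKeyringParms, so no key ring to validate the server")
        adv = env["blocks"].get(("TTLSEnvironmentAdvancedParms", ""), EMPTY)
        for parm in ("ApplicationControlled", "SecondaryMap"):
            if not _is_on(adv, parm):
                findings.append(f"{name}: TTLSEnvironmentAdvancedParms needs {parm} On")
        for ref in env["attrs"].get("TTLSCipherParmsRef", []):
            if ref not in ciphers:
                findings.append(f"{name}: TTLSCipherParmsRef {ref} does not resolve")
                continue
            for suite in ciphers[ref]["attrs"].get("V3CipherSuites", []):
                if any(m in suite.upper() for m in WEAK_MARKERS):
                    findings.append(f"{ref}: weak or unencrypted suite {suite}")

    for (kind, name), rule in blocks.items():
        if kind != "TTLSRule":
            continue
        if rule["attrs"].get("Direction", [""])[0] != "Outbound":
            findings.append(f"{name}: a client rule should be Direction Outbound")
        for key, known in (("TTLSGroupActionRef", groups), ("TTLSEnvironmentActionRef", set(envs))):
            for ref in rule["attrs"].get(key, []):
                if ref not in known:
                    findings.append(f"{name}: {key} {ref} does not resolve")
    return findings
```

Running `lint_ftp_client_policy(SAMPLE_POLICY)` returns exactly two findings, one for each weak suite; changing `SecondaryMap On` to `Off` adds a third, which is the misconfiguration that would leave the data connections outside the control connection's policy.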
If using TLSMECHANISM FTP, select which cipher algorithms you prefer to use by coding a CIPHERSUITE configuration statement in the FTP.DATA file for each cipher algorithm the client can use. For a list of the cipher algorithms you can specify on the CIPHERSUITE statement, see z/OS Communications Server: IP Configuration Reference.
If you specify TLSMECHANISM ATTLS, select which cipher algorithms you want to use by coding a TTLSCipherParms configuration statement to specify the cipher algorithms the client can use. For a list of the cipher algorithms you can specify with the TTLSCipherParms statement, see z/OS Communications Server: IP Configuration Reference. List the ciphers in the order of preference, your most preferred cipher algorithm first. The cipher algorithm is negotiated with the server on behalf of the client using the same order of preference as is indicated by the order of the TTLSCipherParms statement.
To have the client log in using the TLS protocol when the server supports TLS, and log in without TLS when the server does not support TLS, code the following statement in the client's FTP.DATA configuration file:
SECURE_FTP ALLOWED
This is the default. To have the client log in using the TLS protocol, but close the server connection and prevent logging in when the server does not support TLS, code the following statement in the client's FTP.DATA configuration file:
SECURE_FTP REQUIRED
The level of security for data connections is determined both by the SECURE_DATACONN statement in FTP.DATA and by the clear and private subcommands that an FTP user can issue during an FTP session. Select the data connection security level by coding one of the following statements:
If you want the client to transfer data raw with no cipher algorithm applied to the data, code the following statement in the client's FTP.DATA configuration file:
SECURE_DATACONN NEVER
To indicate the data can be transferred raw or enciphered, code the following statement in the client's FTP.DATA configuration file:
SECURE_DATACONN CLEAR
This is the default. By default, data is transferred raw. However, the user can issue the private subcommand during the FTP session to change the data connection security level, so that data is transferred enciphered. The user can also issue the clear subcommand to reset the data connection security level back, so that data is transferred raw again. For TLS, if the private subcommand is issued, the cipher algorithm is negotiated between the server and the client using TLS protocols.
If you want to require that data is transferred enciphered, code the following statement in the client's FTP.DATA configuration file:
SECURE_DATACONN PRIVATE
For TLS, the cipher algorithm is negotiated between the server and the client using TLS protocols.
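As an added example (not code from the page or from IBM), this Python function reads the TLS-related FTP.DATA statements described above, applies the defaults the page states (TLSMECHANISM FTP, TLSRFCLEVEL DRAFT, SECURE_FTP ALLOWED, SECURE_DATACONN CLEAR), and reports the effective posture of the control and data connections, including whether a user can change the data connection level with the clear and private subcommands. The statement parser (';' treated as a comment character) and the report field names are assumptions of this example.

```python
"""Added example (not IBM's code): report the TLS posture a z/OS FTP client gets
from the SECURE_MECHANISM, TLSMECHANISM, SECURE_FTP and SECURE_DATACONN
statements. Statement parsing (';' comments) is an assumption of this example."""
from typing import Dict, List

# Defaults as the page states them; SECURE_MECHANISM has no TLS default.
DEFAULTS = {"TLSMECHANISM": "FTP", "TLSRFCLEVEL": "DRAFT",
            "SECURE_FTP": "ALLOWED", "SECURE_DATACONN": "CLEAR"}
DATA_LEVELS = {"NEVER": "raw", "CLEAR": "raw-by-default", "PRIVATE": "enciphered"}


def parse_ftp_data(text: str) -> Dict[str, List[str]]:
    """Keyword/value statements; values are kept in order so that repeated
    statements (CIPHERSUITE) survive and the last of the others wins."""
    stmts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # assumed ';' comment style
        if line:
            parts = line.split(None, 1)
            value = parts[1].strip() if len(parts) > 1 else ""
            stmts.setdefault(parts[0].upper(), []).append(value)
    return stmts


def effective_security(text: str) -> Dict[str, object]:
    """Summarise control and data connection protection from an FTP.DATA text."""
    stmts = parse_ftp_data(text)

    def last(key: str) -> str:
        return stmts.get(key, [DEFAULTS.get(key, "")])[-1].upper()

    warnings: List[str] = []
    report: Dict[str, object] = {"warnings": warnings}

    # Without SECURE_MECHANISM TLS none of the other statements matter.
    if last("SECURE_MECHANISM") != "TLS":
        report.update(control="plaintext", data="raw", user_can_change_data=False)
        warnings.append("SECURE_MECHANISM TLS not coded: the client never uses TLS")
        return report

    # Control connection: REQUIRED refuses to log in without TLS, ALLOWED falls back.
    if last("SECURE_FTP") == "REQUIRED":
        report["control"] = "tls-required"
    else:
        report["control"] = "tls-if-offered"
        warnings.append("SECURE_FTP ALLOWED: login proceeds without TLS when the "
                        "server does not support it")

    # Data connections: only CLEAR lets the user flip between raw and enciphered.
    dataconn = last("SECURE_DATACONN")
    report["data"] = DATA_LEVELS.get(dataconn, "unknown")
    report["user_can_change_data"] = dataconn == "CLEAR"
    if dataconn == "NEVER":
        warnings.append("SECURE_DATACONN NEVER: file data is always sent raw")
    elif dataconn == "CLEAR":
        warnings.append("SECURE_DATACONN CLEAR: data is raw unless the user issues "
                        "the private subcommand")
    elif dataconn != "PRIVATE":
        warnings.append(f"SECURE_DATACONN {dataconn}: not a recognised value")

    # With TLSMECHANISM FTP the key ring and ciphers come from FTP.DATA itself;
    # with ATTLS they come from the AT-TLS policy instead.
    report["tls_mechanism"] = last("TLSMECHANISM")
    if report["tls_mechanism"] == "FTP":
        if "KEYRING" not in stmts:
            warnings.append("TLSMECHANISM FTP needs a KEYRING statement naming the "
                            "client key ring database")
        if "CIPHERSUITE" not in stmts:
            warnings.append("no CIPHERSUITE statements: cipher preference is not "
                            "configured in FTP.DATA")
    report["rfc_level"] = last("TLSRFCLEVEL")
    return report
```

A strict configuration (SECURE_FTP REQUIRED, SECURE_DATACONN PRIVATE, TLSMECHANISM ATTLS) produces no warnings; a file that only codes SECURE_MECHANISM TLS and a KEYRING is reported as opportunistic on the control connection and raw by default on data connections, which is the posture the defaults give.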