This is exactly what Secondary Map is used for. Take a look here:
https://www.ibm.com/docs/en/zos/2.4.0?topic=SSLTBW_2.4.0/com.ibm.tcp.ipsec.ipsec.help.doc/tls/AttlsRole.BG_SecondaryMap.html
You need to code "SecondaryMap On" in the TTLSEnvironmentAdvancedParms statement associated with the rule matching your FTP server.
If you are coding the AT-TLS policy by hand:
https://www.ibm.com/docs/en/zos/2.4.0?topic=statements-ttlsenvironmentadvancedparms-statement
If using Network Configuration Assistant: Navigate to the Role tab of the associated Connectivity Rule for the FTP server and check 'Secondary map'.
------------------------------
JOSHUA BENNETONE
------------------------------
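As an added illustration of the reply above (not part of the original post), here is a hand-coded AT-TLS policy fragment for PAGENT that matches only the FTP control port and relies on SecondaryMap to cover the negotiated data ports. The rule, action and keyring names (FTPServerRule, FTPServerGroup, FTPServerEnv, FTPDRing) are assumptions, and it assumes FTP.DATA already specifies TLSMECHANISM ATTLS so the FTP server drives the handshake itself.

```text
# Added example, not from the original post. Names are assumptions.
# Only the control connection on port 21 is matched; SecondaryMap On
# tells AT-TLS to apply this same environment to the active/passive
# data connections the FTP server opens on ephemeral ports above 1024.
TTLSRule                          FTPServerRule
{
  LocalPortRange                  21
  Direction                       Inbound
  TTLSGroupActionRef              FTPServerGroup
  TTLSEnvironmentActionRef        FTPServerEnv
}

TTLSGroupAction                   FTPServerGroup
{
  TTLSEnabled                     On
}

TTLSEnvironmentAction             FTPServerEnv
{
  HandshakeRole                   Server
  TTLSKeyringParms
  {
    # Assumed SAF keyring holding the FTP server certificate
    Keyring                       FTPDRing
  }
  TTLSEnvironmentAdvancedParms
  {
    # FTP issues the handshake itself after AUTH TLS, so AT-TLS must
    # leave control of the start of TLS to the application
    ApplicationControlled         On
    # Map the negotiated data connections to this environment
    SecondaryMap                  On
    # Restrict the server to TLS 1.2 as the original question requires
    TLSv1.2                       On
    TLSv1.1                       Off
    TLSv1                         Off
    SSLv3                         Off
  }
  # Level 2 trace writes handshake errors to syslogd for diagnosis
  Trace                           2
}
```

After refreshing PAGENT, pasearch -t can be used to confirm that the rule is installed, and a data-connection handshake failure will then appear in the AT-TLS trace output rather than as a silently unencrypted data port.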
Original Message:
Sent: Tue September 14, 2021 09:44 AM
From: Kat Obrien
Subject: Need Help creating valid TLS Policy for FTP z/OS 2.3
I need to fully support the TLS v1.2 protocol. I am having an issue configuring the TLS Policy for FTP.
I have tried several definitions in the tlsPol member but FTP is giving us a lot of problems. We can configure port 21 to use a TLS policy, but during the FTP it negotiates the data channel to some port above 1024. That is what is causing problems. I cannot figure out how to tell PAGENT to encrypt that data port since it is negotiated and different each time. I am hoping someone could give us some ideas to try so that we can get FTP working.
------------------------------
Kat Obrien
Storage CTS
ibm
703 231 9159
------------------------------