IBM Z and LinuxONE IBM Z

Expand all | Collapse all

Need Help creating valid TLS Policy for FTP z/OS 2.3

  • 1.  Need Help creating valid TLS Policy for FTP z/OS 2.3

    Posted 8 days ago

    I need to fully support the TLS v1.2 protocol.  I am having an issue configuring the TLS Policy for FTP.

    I have tried several definitions in the tlsPol member but FTP is giving us a lot of problems. We can configure the port 21 to use a TLS policy but during the FTP, it negotiates the data channel to some port above 1024. That is what is causing problems. I cannot figure out how to tell PAGENT to encrypt that data port since it is negotiated and different each time. I am  hoping someone could give us some ideas to try so that we can get FTP working.



    ------------------------------
    Kat Obrien
    Storage CTS
    ibm
    703 231 9159
    ------------------------------


  • 2.  RE: Need Help creating valid TLS Policy for FTP z/OS 2.3

    Posted 8 days ago
    This is exactly what Secondary Map is used for.  Take a look here: https://www.ibm.com/docs/en/zos/2.4.0?topic=SSLTBW_2.4.0/com.ibm.tcp.ipsec.ipsec.help.doc/tls/AttlsRole.BG_SecondaryMap.html.

    You need to code "SecondaryMap On" in the TTLSEnvironmentAdvancedParms statement associated with the rule matching your FTP server.
    If you are coding the AT-TLS policy by hand: https://www.ibm.com/docs/en/zos/2.4.0?topic=statements-ttlsenvironmentadvancedparms-statement.
    If using Network Configuration Assistant: Navigate to the Role tab of the associated Connectivity Rule for the FTP server and check 'Secondary map'.




    ------------------------------
    JOSHUA BENNETONE
    ------------------------------