z/OS

z/OS

z/OS

IBM z/OS is a widely-used mainframe operating system designed for a stable, secure and highly available environment for running mission-critical applications.

 View Only

Secure z/OS software delivery: Don't get locked out!

By Anthony Giorgio posted Thu April 02, 2020 03:45 PM

  

IBM will be turning off its unencrypted FTP servers for downloading products and PTFs over the Internet very soon.  How soon?  Maybe as soon as next month, April 2016!  (See the statement of direction in the z/OS V2.2 announcement.)  Do you download software products and PTFs from IBM's servers to your z/OS?  Are you already using a secure and encrypted download method?  If so, then great!  But if not, will you be ready when the lights go out on unsecured FTP?  Don't be caught unprepared.  If you download any of the following offerings directly from IBM's servers to your z/OS systems, then you need to take action now:

 

  • PTFs and HOLDDATA ordered using the SMP/E RECEIVE ORDER command
  • PTFs ordered using Shopz
  • PTFs ordered using ServiceLink
  • Products in ServerPac and CBPDO offerings ordered using Shopz
  • Products in CustomPac offerings

 

SMP/E can perform secure and encrypted downloads from IBM's servers using FTPS (FTP over TLS) and HTTPS (HTTP Secure) via the RECEIVE command and the GIMGTPKG service routine, but, using either of these download methods requires preparation and one-time setup.  You can read the full story with lots of details in the "Preparing for secure Internet delivery" chapter of the SMP/E User's Guide.

 

However, if you want the short and sweet version, first make sure you have SMP/E APAR IO22422 installed (PTF UO01744  for SMP/E V3.6, HMP1J00, and PTF UO01743  for SMP/E V3.5, HMP1H00).  Then simply specify the following three attributes in your <CLIENT> tag for the SMP/E RECEIVE command and the GIMGTPKG service routine:

<CLIENT  downloadmethod=”https”  downloadkeyring=”javatruststore”  javahome="/usr/lpp/java/J6.0"  ></CLIENT>

 

This quick and easy method tells SMP/E to download files using HTTPS, secured with the pre-existing certificate authority (CA) certificates managed by the default z/OS Java truststore.  SMP/E uses the capabilities of Java 6 for its HTTPS operations, but you can specify a logical successor like Java 7 or 8 instead on the javahome attribute.

 

That's it, you're done!  You can verify your changes and experiment with IBM's Connectivity Test order, or you can try it out directly with any of the offerings listed above.

 

If you prefer to use FTPS instead of HTTPS, or if you prefer to manage the certificate authority (CA) certificates with your security manager product, like RACF, or if you just want to learn more, then check out the SMP/E User's Guide.

0 comments
4 views

Permalink

https://community.ibm.com/community/user/blogs/anthony-giorgio2/2020/04/02/secure-zos-software-delivery-dont-get-locked-out