IBM Z and LinuxONE IBM Z

Enable Explicit FTP over TLS on FTP server

  • 1.  Enable Explicit FTP over TLS on FTP server

    Posted Thu April 07, 2022 03:13 AM
    Hi
    I'm trying to use FileZilla 3.57.0 client to connect to my z/OS FTP server using Explicit FTP over TLS but I'm getting error "RC=6 (Key label is not found)":
    BPXF024I (TCPIP) Apr  5 00:38:54 ftps 50397245 : GU1129 chkVerRel: 061
    system information for S0W1: z/OS version 2 release 4 (3906)
    BPXF024I (TCPIP) Apr  5 00:38:54 ftps 50397245 : PR0319 parse_cmd: 062
    entered
    BPXF024I (TCPIP) Apr  5 00:38:54 ftps 50397245 : PR0501 parse_cmd: 063
    >>> AUTH TLS
    BPXF024I (TCPIP) Apr  5 00:38:54 ftps 50397245 : SR3541 reply: --> 064
    234 Security environment established - ready for negotiation
    BPXF024I (TCPIP) Apr  5 00:38:55 ftps 50397245 : FR0653 authClient: 065
    init failed with rc = 6 (Key label is not found)
    BPXF024I (TCPIP) Apr  5 00:38:55 ftps 50397245 : FR1344 endSecureConn: 066
    I've created a self-signed root certificate and a server certificate (signed with the root certificate). Both are attached to my keyring:
    Digital ring information for user TCPIP:

      Ring:
           >FTPRING<
      Certificate Label Name             Cert Owner     USAGE      DEFAULT
      --------------------------------   ------------   --------   -------
      CA for EXT-FTP                     CERTAUTH       CERTAUTH     NO
      ServerCert for EXT-FTP             ID(TCPIP)      PERSONAL     NO

    ***

    My z/OS FTP server config includes:

    TLSRFCLEVEL       RFC4217     ;
    EXTENSIONS        AUTH_TLS    ;
    TLSMECHANISM      FTP         ;
    KEYRING           TCPIP/FTPRING ;
    SECURE_FTP        ALLOWED     ;
    SECURE_PASSWORD   OPTIONAL
    SECURE_LOGIN      NO_CLIENT_AUTH ;
    SECURE_DATACONN   CLEAR       ;
    CIPHERSUITE SSL_NULL_MD5    ;
    CIPHERSUITE SSL_NULL_SHA    ;
    CIPHERSUITE SSL_RC4_MD5_EX  ;
    CIPHERSUITE SSL_RC4_MD5     ;
    CIPHERSUITE SSL_RC4_SHA     ;
    CIPHERSUITE SSL_RC2_MD5_EX  ;
    CIPHERSUITE SSL_DES_SHA     ;
    CIPHERSUITE SSL_3DES_SHA    ;
    CIPHERSUITE SSL_AES_128_SHA ;
    CIPHERSUITE SSL_AES_256_SHA ;
    The owner of the FTP server task is TCPIP which matches my keyring owner and I've checked TCPIP has read access to the FACILITY profile IRR.DIGTCERT.LISTRING.

    I've also downloaded my root certificate and added it to my 'Trusted Root Certification Authorities'. Have I missed a step or am I using the wrong ciphersuite values?

    Thanks
    Claire

    ------------------------------
    Claire Hamilton
    ------------------------------


  • 2.  RE: Enable Explicit FTP over TLS on FTP server

    Posted Thu April 07, 2022 11:57 AM

    Try making your server certificate the default on the keyring.

    Charles



  • 3.  RE: Enable Explicit FTP over TLS on FTP server

    Posted Fri April 08, 2022 01:30 AM
    Thank you Charles.

    Changing my server certificate to default on the keyring resolved the 'Key label is not found' error.

    After updating this, my FileZilla client returned error: GnuTLS error -8: A packet with illegal or unsupported version was received.

    Some Googling on the FileZilla error revealed this is resolved by reverting to an older version of the client. I have it working now.

    Claire

    ------------------------------
    Claire Hamilton
    ------------------------------
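    Explicit FTPS as defined in RFC 4217 means the client sends AUTH TLS on the plaintext control connection, the server answers 234 (exactly what the trace in the first post shows), and only then does the TLS handshake start, with the client's ClientHello the very next thing on the wire. Whether the two sides agree on a protocol version is decided by what that first flight offers and what the server accepts. The Python below is an added example by the editor, not code from the thread, FileZilla or IBM: it captures the ClientHello a Python/OpenSSL client would send, with no network at all, by driving the client side through ssl.MemoryBIO, then parses the record to show the versions and cipher suites offered, once with the library defaults and once capped at TLS 1.2. The hostname is a placeholder used only for the SNI extension.

```python
"""Capture and parse the TLS ClientHello an explicit-FTPS client sends right
after the server's "234" reply (RFC 4217). No network: the client side of a
TLS session is driven through ssl.MemoryBIO and its first flight read back."""
import ssl
import struct

SUPPORTED_VERSIONS_EXT = 43          # RFC 8446 supported_versions extension
VERSION_NAMES = {(3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2", (3, 4): "TLS1.3"}
TLS13_AVAILABLE = ssl.HAS_TLSv1_3    # whether the local OpenSSL can offer TLS 1.3


def capture_client_hello(cap_at_tls12=False, server_hostname="ftp.example.test"):
    """Return the raw bytes the local OpenSSL client writes as its first TLS flight.
    server_hostname is a placeholder; it only populates the SNI extension."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # no peer to verify: we never read a ServerHello
    ctx.verify_mode = ssl.CERT_NONE
    if cap_at_tls12:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                          # ClientHello written; client now waits for the server
    return outgoing.read()


def parse_client_hello(data):
    """Decode the record header, handshake header and the ClientHello fields we care about."""
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != 22:
        raise ValueError("not a TLS handshake record")
    body = data[5:5 + rec_len]
    if body[0] != 1:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    client_version = (hello[0], hello[1])       # "legacy_version" for TLS 1.3 clients
    pos = 2 + 32                                # skip the 32-byte client random
    pos += 1 + hello[pos]                       # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                       # compression_methods
    extensions = {}
    if pos < len(hello):
        ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos < ext_end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            extensions[etype] = hello[pos:pos + elen]
            pos += elen
    if SUPPORTED_VERSIONS_EXT in extensions:
        sv = extensions[SUPPORTED_VERSIONS_EXT]   # 1-byte length, then 2-byte versions
        offered = [(sv[i], sv[i + 1]) for i in range(1, 1 + sv[0], 2)]
    else:
        offered = [client_version]                # pre-1.3 clients signal only their maximum
    return {
        "record_version": (rec_major, rec_minor),
        "client_version": client_version,
        "offered_versions": offered,
        "cipher_suites": suites,
        "extensions": sorted(extensions),
    }


def suite_names(suites):
    """Map 2-byte suite codes to OpenSSL names where the local library knows them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    known = {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}
    return [known.get(s, "0x%04x" % s) for s in suites]


if __name__ == "__main__":
    for label, capped in (("default client", False), ("client capped at TLS 1.2", True)):
        info = parse_client_hello(capture_client_hello(cap_at_tls12=capped))
        print(label)
        print("  legacy version  :", VERSION_NAMES.get(info["client_version"]))
        print("  offered versions:", [VERSION_NAMES.get(v, str(v)) for v in info["offered_versions"]])
        print("  cipher suites   :", ", ".join(suite_names(info["cipher_suites"])))
```

    The point to notice is that a TLS 1.3-capable client still writes 0x0303 (TLS 1.2) in the legacy version field and carries its real offer in the supported_versions extension, which is why an old server and a new client can disagree about what was offered; capping the client at TLS 1.2 drops the extension entirely. None of the offered suites from a modern client is a NULL, export, RC4 or DES suite, so a server configured only with those has nothing in common with it.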



  • 4.  RE: Enable Explicit FTP over TLS on FTP server

    Posted Fri April 08, 2022 08:37 AM

    The recommendation by Charles of setting your server certificate as default should fix your issue.

    Although this would not fix the certificate issue you are facing, you should consider configuring AT-TLS for TLS/SSL with the z/OS FTP server. Native TLS/SSL support for the FTP server has been removed in V2R5.

    https://www.ibm.com/docs/en/zos/2.5.0?topic=summary-support-considerations-in-v2r5



    ------------------------------
    Paul Brown
    ------------------------------



  • 5.  RE: Enable Explicit FTP over TLS on FTP server

    Posted Tue April 12, 2022 02:05 AM
    Thanks Paul, I've set the server certificate to default as my work-around for right now but I'll follow-up on the AT-TLS configuration as the correct implementation.

    Claire

    ------------------------------
    Claire Hamilton
    ------------------------------



  • 6.  RE: Enable Explicit FTP over TLS on FTP server

    Posted Tue April 12, 2022 10:29 AM

    When you do move over to AT-TLS, the same certificate and ring should work – and you will still want the server certificate to be the default on the ring.

    Charles


  • 7.  RE: Enable Explicit FTP over TLS on FTP server

    Posted Fri May 20, 2022 01:54 AM
    I'm looking at moving to AT-TLS for the FTP server now and I'm primarily relying on this IBM doco to guide me:
    Configuring the server system - IBM Documentation
    Steps for customizing the FTP server for TLS - IBM Documentation

    I've got no experience in this area so I'm leaning on the sample members and I'll be using the sample in TCPIP.SEZAINST(EZARACF) to do the RACF definitions for permitting access.

    We use Personal Communications v12 emulator with the Enable Security option turned off to connect to our z/VM. I don't think there's any way I can accidentally block access between the emulator and z/VM by enabling AT-TLS, or that I need to grant any explicit access via RACF but could I just get confirmation I haven't completely overlooked something here please?

    Claire

    ------------------------------
    Claire Hamilton
    ------------------------------



  • 8.  RE: Enable Explicit FTP over TLS on FTP server

    Posted Fri May 20, 2022 09:55 AM

    Claire –

    As you can see from my posts I am struggling my way through this also. I have TLS 1.2 working for FTP server.

    The good news is that the process was less "dangerous" than I expected. I did not once lock myself out of TCP/IP and TN3270! <g> So long as you don't "touch" TN3270 intentionally you should be fine. Put up a second FTP server so you don't hose your users. So long as your main FTP does not say TLSMECHANISM ATTLS it will not be affected.

    Here are my quick notes on what I had to do, slightly sanitized. Let me know if any questions.


    · The usual certificates and so forth. Test with naked FTP first to make sure it all works.
    · A minimal PAGENT configuration file. See /etc/pagent.conf. That is the default name if you don't change anything in the PAGENT proc.
    · A minimal PAGENT TLS configuration file. See /etc/pagent_TTLS.conf. That's where the KEYRING goes. Use owner/keyringname.
    · Turn on TCP/IP TCPCONFIG RESTRICTLOWPORTS TTLS. You can use an OBEYFILE to turn this on and off.
    · The vanilla PAGENT proc. See the GSK trace notes below. Start PAGENT.
    · A TCP.DATA file with TLSMECHANISM ATTLS and no CCCNONOTIFY and no KEYRING.
    · An FTP proc that references the above (SYSFTPD) and perhaps with GSK tracing. (Not sure which tracing, FTP or PAGENT, is effective.)
    · Start the FTP proc. At Dallas, errors and such come out on the console. Not sure about elsewhere or how controlled.
    · Turn on FTP debugging. F FTPproc,DEBUG=SEC
    · Give it a shot from a TLS-enabled FTP client. You need access to the certificate chain of trust, of course.

    GSK Tracing

    · In the application to be traced, PARM='ENVAR("GSK_TRACE=0xFFFF")... You can get more granularity than FFFF but if things are not working then FFFF does not give excessive data.
    · To see the trace, open /tmp/ in ISPF Edit. Look for the newest file with a name like gskssl.nnnnnnnn.trc. (The .trc will not show up in the Edit Directory List but you can see it with the I command.) Type gsktrace /tmp/gskssl.nnnnnnnn.trc on the command line and the trace will open in an Edit window (or save it with > trace.txt). (You need "Enter z/OS UNIX commands in Command field" turned on in Directory List Options.)

    Charles







  • 9.  RE: Enable Explicit FTP over TLS on FTP server

    Posted Fri May 20, 2022 03:07 PM

    Claire, I don't know if you can see the other thread I am on here.

    HIGHEST RECOMMENDATION: ( IBM DB2 for z/OS: Configuring TLS/SSL for Secure Client/Server Communications )

    Yes it says "DB2" in the title but don't let that put you off.

    I got my TLSv1.3 working on the FIRST try after following the guidance in that manual.

    Charles






  • 10.  RE: Enable Explicit FTP over TLS on FTP server

    Posted Mon May 23, 2022 01:40 AM
    Thank you Charles!

    That manual is fantastic. I took a couple of attempts to get the AT-TLS policy configured the way I wanted but I have TLSv1.3 working now too.

    Thanks for your help.

    I do have one follow-up question: do you know if there are any additional considerations if I add PAGENT to the AUTOLOG list?

    Claire

    ------------------------------
    Claire Hamilton
    ------------------------------



  • 11.  RE: Enable Explicit FTP over TLS on FTP server

    Posted Mon May 23, 2022 09:14 AM
    Edited by Alan Altmark Mon May 23, 2022 09:14 AM

    What is driving people to use explicit TLS?

    The FTP and telnet protocols (and servers) were updated to allow an installation to easily migrate from non-TLS to TLS without a major upheaval. No port number changes.

    Day 0: "Attention:  We are migrating to secure FTP and TN3270 in 90 days.  Start now."
    Day 1:  In the server, turn on "security optional"  (if needed)
    Day 2:  Clients begin to change the client configuration to "secure" by just clicking a box
    Day 3-89:  Monitor session to compare "secure" and "not secure" and send e-mail reminders
    Day 90: Change the server to "security required"
    Day 90-n:  "We TOLD you we were changing.  Why did you ignore the e-mails?  You get what you deserve.  Now go away."

    ------------------------------
    Alan Altmark
    Senior Managing z/VM Consultant
    ------------------------------



  • 12.  RE: Enable Explicit FTP over TLS on FTP server

    Posted Mon May 23, 2022 11:07 AM

    > Day 2:  Clients begin to change the client configuration to "secure" by just clicking a box

    Umm, clients are customer organizations with z/OS FTP and looooong formal change management processes. There is no clicking a box.

    Even on Windows etc. this assumes (1) the client supports TLS. Not all do. Again, corporate policies, etc. (2) Certificates are in place. Certificate issues are real. We see one about every day on RACF-L. And (3) the same client may be used to communicate with other servers that do not yet implement TLS v1.3.

    > Day 90-n:  "We TOLD you we were changing.  Why did you ignore the e-mails?  You get what you deserve.  Now go away."

    It must be nice to be a big company and be able to treat customers that way. A small software company does not have that liberty.

    Charles A. Mills | Chief Development Officer

    Phone: 707-291-0908
    Toll Free: 877-245-4322
    Email: Charles.Mills@CloudCompiling.com
    www.CloudCompiling.com







  • 13.  RE: Enable Explicit FTP over TLS on FTP server

    Posted Mon May 23, 2022 11:35 AM

    My comment about "go away" was meant to be amusing, re: the ancient conflict between sysprogs and users. Sorry the humor fell flat.

    And I think I was barking up the wrong tree, anyway. I always think of AT-TLS as providing the "static" TLS connection functions, but the applications can explicitly invoke it (a la TLSMECHANISM ATTLS). My bad. Since Claire is using FileZilla, it has dynamic TLS support in it. You just "click the button".

    Regards,

    Alan

    Alan Altmark
    Senior Managing z/VM Consultant
    IBM Systems Lab Services
    1 607 321 7556 (Mobile)
    Alan_Altmark@us.ibm.com







  • 14.  RE: Enable Explicit FTP over TLS on FTP server

    Posted Mon May 23, 2022 11:45 AM

    Just trying to answer your question "what is driving people to use explicit TLS?" There are some good reasons.

    I don't see Claire's reference to FileZilla, but I can confirm that for me at least it supported TLS v1.3 "right out of the box."

    I'm not sure if implicit TLS is possible with z/OS FTP. Perhaps it is; I don't know. I guess it is fairly common in the non-Z world.

    Charles







  • 15.  RE: Enable Explicit FTP over TLS on FTP server

    Posted Mon May 23, 2022 11:57 AM

    Yes, it's possible, but you wouldn't want to do it since you must predefine passive port ranges (and set up the policy to protect them) or require active data transfers and protect all inbound connections to any port owned by the FTP server. (And it becomes impossible to clear the control connection after login.) Ugh.

    Explicit/negotiated/dynamic TLS on FTP and TN3270 is Good for clients, the server, and the network security folks.
    Implicit/static TLS on FTP is Bad for everyone except the user who has some oddball client that doesn't support RFC 4217.

    Implicit/static TLS on TN3270 can be survived.

    Sorry for the bunny trail.

    Regards,

    Alan

    Alan Altmark
    Senior Managing z/VM Consultant
    IBM Systems Lab Services
    1 607 321 7556 (Mobile)
    Alan_Altmark@us.ibm.com