

Transfer Files to a Remote FTPS Server

Use the CA Spool FTP print driver to transfer files to a remote FTP server that requires TLS for file transfers (explicit FTPS: the client opens a plain FTP control connection and upgrades it with the AUTH TLS command before any credentials or data are sent).

Follow these steps:

  1. Export the certificate of the remote FTP server and transfer it to a system running CA Spool. Protect the copy in transit and, before you trust it, compare its fingerprint with the value reported by the administrator of the remote server, so that you do not import a certificate that was substituted on the way.

    Note: For instructions to export the certificate, see the documentation for the security software for the server.

  2. Add the server certificate to a keyring of the userid that is assigned to the CA Spool task.

    Note: For instructions to create a keyring for a user and to add a certificate stored in a data set, see the documentation for the security software for your environment. If the server certificate is not self-signed, also add the signer's Certification Authority (CA) certificate to the keyring: the TLS client accepts the server certificate only when it can chain to a trusted certificate in the keyring. The CA Spool task userid also needs SAF authority to read the keyring (IRR.DIGTCERT.LISTRING and IRR.DIGTCERT.LIST in the FACILITY class, as in the examples later on this page). READ access is enough for a userid to read its own keyring and certificates; UPDATE extends that to other users' keyrings, and IRR.DIGTCERT.GENCERT is needed only if the userid itself generates certificates.

  3. Copy the sample FTP.DATA file from TCPIP.SEZAINST(FTCDATA) to a data set of your choice. To specify the location of FTP.DATA, use the DRIVPRMx='FTPDATA=data.set.name' option of the NODE statement. An example follows:
    NODE FTPS,TCPIP,TCPDRIV=FTP,TCPPORT=21,TCPHOST=ftps.domain.com
         DRIVPRM1='FTPDATA=FTP.DATA'
    
  4. Open the FTP.DATA file for editing and add or modify the following statements. The KEYRING value names the SAF keyring in userid/ringname form; with the keyring created in the examples later on this page it is CASPOOL/ESFRING.
    SECURE_MECHANISM  TLS                 ; Sends AUTH TLS command
    KEYRING           userid/ringname     ; Keyring that holds the trusted server or CA certificate
    SECURE_DATACONN   PRIVATE             ; Client requires data to be transferred enciphered

    Note: With SECURE_MECHANISM alone the z/OS FTP client still falls back to an unprotected session if the server rejects AUTH TLS. The FTP.DATA statement SECURE_FTP REQUIRED (not part of the sample above) makes the client fail the connection instead; set it when transfers must never go in the clear.
    

    If the CA Spool NODE parameter specifies either the TCPDRIV=FTPT or the TCPDRIV=FTPe option, the following line is written to the FTP client log and confirms that the file was picked up:

    ESF Using 'FTP.DATA' for local site configuration parameters
    

    Note: For more information about FTP.DATA statements, see the z/OS Communications Server: IP Configuration Reference. For more information about AT-TLS and about FTP client authentication with certificates, see the section on customizing FTP for Transport Layer Security (TLS) in the z/OS Communications Server: IP Configuration Guide. To diagnose System SSL function return codes, see the z/OS Cryptographic Services System SSL Programming Guide.

    Important! We strongly recommend securing connections with TLS rather than SSL; SSL 3.0 and earlier are obsolete (RFC 7568) and must not be negotiated.
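Steps 1, 2 and 5 above come down to one decision: what has to be in the keyring for the client to accept the server certificate after AUTH TLS. The Go program below is an added example, not CA Spool or z/OS code, and it does not touch a SAF keyring. It generates a constructed CA certificate and two server certificates in memory in place of the exported data sets, inspects an exported certificate the way you should before trusting it (self-signed or CA-signed, CA flag, host name, validity, and the SHA-256 fingerprint to compare out of band with the server side), then models the keyring as an x509 root pool and runs the chain validation that a TLS client performs on the server certificate. The host name ftps.domain.com is taken from the NODE example on this page; the CA name, key type and validity period are assumptions, and so is the modelling choice that every pool entry is a trust anchor (which is how Go treats a root pool, not a statement about System SSL's exact rules).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Host is the TCPHOST value from the NODE example on this page.
const Host = "ftps.domain.com"

var serial int64 // unique serial numbers for the constructed certificates

// MkCert generates a certificate in memory. It stands in for the DER data set
// that the EXPORT commands on this page write (constructed sample data).
// parent == nil yields a self-signed certificate; isCA sets basicConstraints.
func MkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // assumed validity
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: issuer == subject
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// CertInfo holds what to check on an exported certificate before trusting it.
type CertInfo struct {
	Subject, Issuer, SHA256                   string
	SelfSigned, IsCA, MatchesHost, InValidity bool
}

// Inspect parses an exported DER certificate and reports the facts that decide
// steps 2 and 5: self-signed (the certificate is its own trust anchor) or
// CA-signed (the signer's CA certificate must go into the keyring as well),
// plus the fingerprint to compare out of band with the server administrator.
func Inspect(der []byte, host string) (CertInfo, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return CertInfo{}, err
	}
	sum := sha256.Sum256(c.Raw)
	now := time.Now()
	return CertInfo{
		Subject:     c.Subject.String(),
		Issuer:      c.Issuer.String(),
		SHA256:      hex.EncodeToString(sum[:]),
		SelfSigned:  bytes.Equal(c.RawIssuer, c.RawSubject) && c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil,
		IsCA:        c.IsCA,
		MatchesHost: c.VerifyHostname(host) == nil,
		InValidity:  !now.Before(c.NotBefore) && !now.After(c.NotAfter),
	}, nil
}

// VerifyAgainstKeyring models the keyring as a root pool (every entry trusted,
// an assumption of this example) and runs the chain validation a TLS client
// performs on the server certificate after AUTH TLS.
func VerifyAgainstKeyring(srv *x509.Certificate, keyring ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range keyring {
		pool.AddCert(c)
	}
	_, err := srv.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   Host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, caKey := MkCert("Example Corp CA", true, nil, nil) // assumed CA name
	srv, _ := MkCert(Host, false, ca, caKey)
	info, _ := Inspect(srv.Raw, Host)
	fmt.Printf("subject=%s issuer=%s self-signed=%v sha256=%s\n", info.Subject, info.Issuer, info.SelfSigned, info.SHA256)
	fmt.Println("keyring holds the signer CA:", VerifyAgainstKeyring(srv, ca)) // <nil>
	fmt.Println("keyring empty:", VerifyAgainstKeyring(srv))                   // non-nil: unknown authority
}
```

Read the result of Inspect as the decision for step 5: SelfSigned true means the exported certificate alone is the anchor; SelfSigned false means the keyring also needs the certificate named in Issuer, and VerifyAgainstKeyring fails until it is there. The fingerprint is the value to read back to the server administrator before the ADD/INSERT commands below are run.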

CA Top Secret Example

This example shows how to export the certificate of an FTP server and add it to the keyring of the CA Spool started-task userid. It applies if CA Top Secret is the security software in your environment.

  1. Enter the following command to export the certificate to a dataset to transfer to the client:
    TSS EXPORT(FTPD) DIGICERT(FTPDCERT) DCDSN('FTPS.SERVER.CERT')
    
  2. Enter the following commands to add the server certificate to the userid for the CA Spool task:
    TSS ADDTO(CASPOOL) DIGICERT(FTPDCERT) DCDSN('FTPS.SERVER.CERT')
    TSS REPLACE(CASPOOL) DIGICERT(FTPDCERT) TRUST
    
  3. Enter the following command to create the keyring for the CA Spool task userid:
    TSS ADD(CASPOOL) KEYRING(ESFRING) LABLRING(ESFRING)
    
  4. Add the FTP server certificate to the keyring for the CA Spool task userid:
    TSS ADDTO(CASPOOL) KEYRING(ESFRING) RINGDATA(CASPOOL,FTPDCERT) DEFAULT -
        USAGE(PERSONAL)
    
  5. If the server certificate is not self-signed, export the Certification Authority (CA) certificate of the signer and add it to the keyring, as follows:

    Enter the following command at the server:

    TSS EXPORT(CERTAUTH) DIGICERT(CACERT) DCDSN('FTPS.SERVER.CACERT')
    

    Enter the following commands at the client:

    TSS ADDTO(CERTAUTH) DIGICERT(CACERT) DCDSN('FTPS.SERVER.CACERT')
    TSS ADDTO(CASPOOL) KEYRING(ESFRING) RINGDATA(CERTAUTH,CACERT) -
        USAGE(CERTAUTH)
    
  6. Enter the following commands to permit CA Spool to work with digital certificates:
    TSS ADDTO(deptacid) IBMFAC(IRR.)
    
    TSS PER(CASPOOL) IBMFAC(IRR.DIGTCERT.GENCERT) ACC(UPDATE)
    TSS PER(CASPOOL) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)
    TSS PER(CASPOOL) IBMFAC(IRR.DIGTCERT.LIST) ACC(UPDATE)
    

Note: For more information about CA Top Secret commands and keywords, see the CA Top Secret Command Functions Guide.

CA ACF2 Example

This example shows how to export the certificate of an FTP server and add it to the keyring of the CA Spool started-task userid. It applies if CA ACF2 is the security software in your environment.

  1. Enter the following command to export the certificate to a dataset to transfer to the client:
    ACF
    SET PROFILE(USER) DIV(CERTDATA)
    EXPORT FTPD DSNAME('FTPS.SERVER.CERT') LABEL(FTPDCERT)
    
  2. Enter the following commands to add the server certificate to the CA Spool task userid:
    ACF 
    SET PROFILE(USER) DIV(CERTDATA)       
    INSERT CASPOOL.suffix DSNAME('FTPS.SERVER.CERT') LABEL(FTPDCERT) TRUST
    
  3. Enter the following command to create the keyring for the CA Spool task userid:
    ACF 
    SET PROFILE(USER) DIV(KEYRING)  
    INSERT CASPOOL.suffix RINGNAME(ESFRING)
    
  4. Add the FTP server certificate to the keyring for the CA Spool task userid:
    ACF
    SET PROFILE(USER) DIV(CERTDATA)
    CONNECT CERTDATA(CASPOOL.suffix) LABEL(FTPDCERT) KEYRING(CASPOOL.suffix) +
            RINGNAME(ESFRING) USAGE(PERSONAL) DEFAULT
    
  5. If the server certificate is not self-signed, export the Certification Authority (CA) certificate of the signer and add it to the keyring, as follows:

    Enter the following command at the server:

    ACF
    SET PROFILE(USER) DIV(CERTDATA)
    EXPORT CERTAUTH DSNAME('FTPS.SERVER.CACERT') LABEL(CACERT)
    

    Enter the following commands at the client:

    ACF 
    SET PROFILE(USER) DIV(CERTDATA)
    INSERT CERTAUTH.suffix DSNAME('FTPS.SERVER.CACERT') LABEL(CACERT) TRUST
    CONNECT CERTDATA(CERTAUTH.suffix) LABEL(CACERT) KEYRING(CASPOOL.suffix) +
            RINGNAME(ESFRING) USAGE(CERTAUTH)
    
  6. Enter the following commands to permit CA Spool to work with digital certificates:
    ACF
    SET RESOURCE(FAC)                                                    
     COMPILE * STORE                                                     
      $KEY(IRR) TYPE(FAC)                                                
      DIGTCERT.GENCERT  UID(*************CASPOOL) SERVICE(READ,UPDATE) ALLOW
      DIGTCERT.LIST     UID(*************CASPOOL) SERVICE(READ,UPDATE) ALLOW
      DIGTCERT.LISTRING UID(*************CASPOOL) SERVICE(READ,UPDATE) ALLOW
      END                                                                
      STORE                                                              
    F ACF2,REBUILD(FAC)                                                  
    

Note: For more information about CA ACF2 commands and keywords, see the CA ACF2 for z/OS Command Reference Guide.

RACF Example

This example shows how to export the certificate of an FTP server and add it to the keyring of the CA Spool started-task userid. It applies if RACF is the security software in your environment.

  1. Enter the following command to export the certificate to a dataset to transfer to the client:
    RACDCERT EXPORT(LABEL('FTPDCERT'))  ID(FTPD) DSN('FTPS.SERVER.CERT')
    
  2. Enter the following commands to add the server certificate to the CA Spool task userid:
    RACDCERT ID(CASPOOL) ADD('FTPS.SERVER.CERT') WITHLABEL('FTPDCERT') TRUST
    
  3. Enter the following command to create the keyring for the CA Spool task userid:
    RACDCERT ID(CASPOOL) ADDRING(ESFRING)
    
  4. Add the FTP server certificate to the keyring for the CA Spool task userid:
    RACDCERT ID(CASPOOL) CONNECT(ID(CASPOOL) LABEL('FTPDCERT') RING(ESFRING) +
             USAGE(PERSONAL))
    
  5. If the server certificate is not self-signed, export the signer's Certification Authority (CA) certificate and add it to the keyring, as follows:

    Enter the following command at the server:

    RACDCERT EXPORT(LABEL('CACERT')) CERTAUTH DSN('FTPS.SERVER.CACERT')
    

    Enter the following commands at the client:

    RACDCERT CERTAUTH ADD('FTPS.SERVER.CACERT') WITHLABEL('CACERT') TRUST
    RACDCERT ID(CASPOOL) CONNECT(CERTAUTH LABEL('CACERT') RING(ESFRING) +
             USAGE(CERTAUTH))
    
  6. Enter the following commands to permit CA Spool to work with digital certificates:
    RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
    RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
    RDEFINE FACILITY IRR.DIGTCERT.GENCERT UACC(NONE)
    PERMIT IRR.DIGTCERT.LISTRING CL(FACILITY) ID(CASPOOL)  ACCESS(UPDATE)
    PERMIT IRR.DIGTCERT.LIST CL(FACILITY) ID(CASPOOL)  ACCESS(UPDATE)
    PERMIT IRR.DIGTCERT.GENCERT CL(FACILITY) ID(CASPOOL)  ACCESS(UPDATE)
    SETROPTS RACLIST(FACILITY) REFRESH
    

Note: For more information about RACF commands and keywords, see the IBM z/OS Security Server RACF Command Language Reference.