

FTP Server Authentication-Mainframe to Mainframe

CA Top Secret Digital Certificates are a secure way to identify users when using OE/FTP services.

To authenticate a mainframe FTP server from an FTP client on the mainframe:

  1. Enter the command:
    TSS GENCERT(FTPS) DIGICERT(FTPSCERT)
    

    The FTP server's certificate is generated and added to the FTP region ACID FTPS.

  2. Enter the command:
    TSS ADD(FTPS) KEYRING(FTPSRING)
                  LABLRING(FTPSRING)
    

    The FTP server's KEYRING is created.

    Note: There are no blank spaces in the LABLRING.

  3. Enter the command:
    TSS ADD(FTPS) KEYRING(FTPSRING)
                  RINGDATA(FTPS, FTPSCERT)
                  DEFAULT 
                  USAGE(PERSONAL)
    

    The FTP server's certificate is added to the FTP server's KEYRING.

  4. Enter the command:
    TSS EXPORT(FTPS) DIGICERT(FTPSCERT)
                     DCDSN('FTPS.SERVER.CERT')
    

    The FTP server's certificate is copied to a dataset. This dataset does not have to be formatted and is automatically created and cataloged by CA Top Secret.

  5. Use your FTP product to export the FTPS.SERVER.CERT server certificate to the other mainframe and add it to the FTP client's KEYRING.
    1. If using CA Top Secret, enter the command:
          TSS ADD(USERA) KEYRING(USRARING) 
                         RINGDATA(FTPS,FTPSCERT)
                         DEFAULT
                         USAGE(PERSONAL)
      

      The FTP server's certificate is added to the FTP client's KEYRING.

    2. If using another product, refer to that product's manual for information on how to add the certificate to the user's KEYRING.
  6. Enter the commands:
    TSS PER(FTPS) IBMFAC(IRR.DIGTCERT.GENCERT) ACC(UPDATE|CONTROL)
    TSS PER(FTPS) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE|CONTROL)
    TSS PER(FTPS) IBMFAC(IRR.DIGTCERT.LIST) ACC(UPDATE|CONTROL)
    TSS PER(USRA) IBMFAC(IRR.DIGTCERT.GENCERT) ACC(UPDATE|CONTROL)
    TSS PER(USRA) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE|CONTROL)
    TSS PER(USRA) IBMFAC(IRR.DIGTCERT.LIST) ACC(UPDATE|CONTROL)
    

    Use ACC(CONTROL) only if CERTSITE is the owner of the certificate.

    The FTP server's region ACID and the FTP client ACID are permitted to the SSL KEYRING, certificates, and mappings.

  7. Open IBM's FTPS.DATA member and add the following parameters:

    The keyring name is established with FTP, client authentication is disabled, and FTP server authentication is activated.