Operating Systems

In this configuration, the z/OS system initiates and controls file transfers (both outbound and inbound) from a batch job step. All file transfer messages are logged as part of the job, and return codes can be used to control the flow of the job stream. A z/OS operator should never have to log onto the Linux machine to determine the status of a file transfer.

In this article, we rely heavily on the Linux curl package to handle the actual file exchange with our business partners. Curl’s flexible command-line interface supports all the standard file transfer protocols and authentication methods. The curl command lets you send or receive files and redirect its file I/O to pipes. Simple Linux shell scripts, coded directly in JCL, can be used to chain together curl with other commands to meet the requirements of exchanging a file with a particular business partner. Specifically, you can use pipes to combine the curl command with:

• The Linux zip or gzip commands to compress or decompress data as it’s transferred

• The Linux gpg or gpgsm commands to encrypt or decrypt data as it’s transferred

• The Co:Z toolkit fromdsn and todsn commands to convert z/OS data sets to or from pipes

In Figure 1, the Co:Z launcher is executed in a batch job step (1). This creates an SSH session to the Linux gateway machine as user “gwuser”, authenticated with a public/private key pair. A Unix shell is started on the Linux gateway, which executes the commands contained in the STDIN DD. The first line (2) runs the fromdsn shell command on Linux, which reaches back into the launching job step over the Secure Shell (SSH) connection and converts the data set referenced by DD ORDERS to a stream of bytes. This stream is piped (|) into the curl command (3), which opens an FTP Secure (FTPS) connection to the remote host, partner.com, and uploads the data to “orders.txt.”
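The Figure 1 job step written out in full, as an added example (not code from the article, Dovetail, or the Co:Z documentation) that also chains in the gzip and gpg stages listed above and lets the shell's exit status become the step return code. It assumes the Co:Z Launcher sample procedure is named COZPROC, a gateway host named linuxgw whose login shell for gwuser is bash, a .netrc file and partner CA certificate already present on the gateway, and the partner's gpg public key already imported and trusted.

```jcl
//GWXFER   JOB (ACCT),'ORDERS TO PARTNER',CLASS=A,MSGCLASS=X
//* Send DD ORDERS to partner.com over FTPS through the Linux gateway.
//* Assumed names (not from the article): procedure COZPROC, host
//* linuxgw, data set PROD.ORDERS.DAILY, and the paths on the gateway.
//SEND     EXEC PROC=COZPROC,ARGS='gwuser@linuxgw'
//ORDERS   DD DSN=PROD.ORDERS.DAILY,DISP=SHR
//STDIN    DD *
set -o pipefail      # any failing stage fails the whole pipeline (bash)
umask 077            # anything gpg/curl might write stays private to gwuser
fromdsn //DD:ORDERS \
  | gzip -c \
  | gpg --batch --quiet --encrypt --recipient 'orders@partner.com' \
  | curl --silent --show-error \
         --ssl-reqd \
         --cacert /etc/ssl/certs/partner-ca.pem \
         --netrc-file /home/gwuser/.netrc.partner \
         --upload-file - \
         ftps://partner.com/inbound/orders.txt.gz.gpg
rc=$?                # with pipefail: rightmost non-zero stage's exit code
echo "ORDERS transfer to partner.com ended with rc=$rc"
exit $rc             # becomes the return code of step SEND on z/OS
/*
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
//* Later steps gate on that return code, so nobody has to read the
//* Linux side: this step runs only if the transfer succeeded.
// IF (SEND.RC = 0) THEN
//MARKSENT EXEC PGM=IEFBR14
// ENDIF
```

Credentials never appear on the command line or in the JCL: the FTPS login comes from a 0600 .netrc file on the gateway, --ssl-reqd refuses to fall back to cleartext FTP, and --cacert pins the partner's CA so the upload fails rather than trusting an unexpected certificate.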


Let’s consider some of the security aspects of this setup:

• Normal z/OS security controls which data sets and resources are available to this job, which runs as a normal (unprivileged) user.

• The Linux machine can be placed in a network Demilitarized Zone (DMZ). The only connection to z/OS is an encrypted SSH session with the Linux gateway, authenticated by an SSH key pair.
