If you run z/OS systems connected to a network, you have file transfer security issues.

The z/OS Communications Server includes a File Transfer Protocol (FTP) server and FTP client. If you let them, FTP users can do all kinds of unsafe work, such as download data sets, examine directories, access Job Entry Subsystem (JES) reports, submit jobs, or transmit private data in streams of plain ASCII text.

If you don’t want that to happen, or at least not without oversight, please read on. This article describes six routes to secure data transfer to and from z/OS systems:

1. Secure the FTP server with z/OS System Authorization Facility (SAF). On z/OS machines, apply standard mainframe security definitions to FTP users and FTP commands.

2. Encrypt FTP sessions with FTP Secure (FTPS). Between FTP clients and servers, use Transport Layer Security (TLS) to authenticate users and transmit commands and data in a way that can’t be read without the key.

3. Send encrypted FTP through a Secure Shell (SSH) tunnel. Between FTP clients and servers, use SOCKS (short for sockets) proxies and SSH servers to provide authentication and make commands and data unreadable as they traverse the network.

4. Use Secure Shell File Transfer (SFTP) instead of FTP. To reach machines that have FTP disabled, use an especially smart SOCKS proxy to translate FTP traffic into SFTP traffic.

5. Wrap a director around the FTP client. Some batch jobs will need to transfer data by one route, some by another, but writing that knowledge into the jobs themselves is far more trouble than necessary. Instead, direct the traffic with a management program that wraps around the z/OS FTP client.

6. To verify security, monitor data transfer by all means available. Complete records about who transferred what data to whom are available only by consulting and merging multiple sources of monitoring data.

Secure the FTP Server With z/OS SAF
