TLS v1.2 on z/OS v2.1 using TLSMECHANISM FTP

Post by Jcronje »

Is it possible to use TLS v1.2 when the TLSMECHANISM is FTP, or is it only supported when using AT-TLS? My secure FTP job has stopped working since the Windows guys upgraded to TLS v1.2. The same job still works when they downgrade back to TLS v1. I have applied the migration action as required in the z/OS v2.1 Migration guide to turn on SSLV3 in FTP.DATA.
Following are the relevant FTP Data parms:

EXTENSIONS        AUTH_TLS       
SECURE_MECHANISM  TLS            
SSLV3             TRUE           
TLSMECHANISM      FTP            
TLSRFCLEVEL       RFC4217        
SECURE_CTRLCONN   CLEAR          
SECURE_DATACONN   PRIVATE        
CIPHERSUITE       SSL_AES_256_SHA
EPSV4             TRUE           
PASSIVEDATAPORTS  (64400-64600)  
TLSTIMEOUT        500            
KEYRING           FTPx/xxxxkr   

Thanks,
Johan Cronje

Re: TLS v1.2 on z/OS v2.1 using TLSMECHANISM FTP

Post by Anuj Dhawan »

Please see if this applies: 

https://www.ibm.com/support/knowledgece ... n_v2r1.htm and check for this text and what follows it:
FTP client and server

The FTP client and FTP server are modified to disable SSLV3 by default when TLSMECHANISM FTP is specified. In this mode, the FTP client or server uses System SSL APIs natively for its SSL/TLS protection, rather than AT-TLS.

Because the z/OS FTP client and server have historically enabled SSLV3 by default, evaluate whether the following conditions are true:
- Your server is supporting clients that require SSLV3.
- Your client is connecting to a server that requires SSLV3.
If either of the conditions is true, enable SSLV3 by specifying the new SSLV3 parameter in the relevant FTP configuration data set FTP.DATA with a value of TRUE.

If TLSMECHANISM ATTLS is specified, the FTP client or server is protected by AT-TLS, so the changes described under the AT-TLS function apply.
Thanks,
Anuj

Disclaimer: My comments on this website are my own and do not represent the opinions or suggestions of any other person or business entity, in any way.
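
The check below is an added example, not code from either poster or from IBM: it reads FTP.DATA text and reports whether SSLv3 is switched on under TLSMECHANISM FTP, following the migration note quoted above. It assumes one "KEYWORD value" statement per line with ';' starting a comment; the function names and the sample text are constructed for illustration.

```python
# Added example: audit the SSLV3 / TLSMECHANISM statements of an FTP.DATA file.
# Assumption: one "KEYWORD value" statement per line, ';' starts a comment.

# Constructed sample, based on the TLS-related statements in the question.
SAMPLE_FTP_DATA = """\
; constructed sample
EXTENSIONS        AUTH_TLS
SECURE_MECHANISM  TLS
SSLV3             TRUE
TLSMECHANISM      FTP
SECURE_DATACONN   PRIVATE
"""


def parse_ftp_data(text):
    """Map each upper-cased keyword to the list of values coded for it."""
    statements = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        parts = line.split(None, 1)
        statements.setdefault(parts[0].upper(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return statements


def only(statements, keyword, notes):
    """Value of a keyword coded exactly once; None if absent or ambiguous."""
    values = statements.get(keyword, [])
    if len(values) > 1:
        notes.append(f"{keyword} is coded {len(values)} times; check which one takes effect")
        return None
    return values[0].upper() if values else None


def audit_sslv3(text):
    """Report which mechanism protects FTP and whether FTP.DATA enables SSLv3."""
    st, notes = parse_ftp_data(text), []
    mech = only(st, "TLSMECHANISM", notes)
    sslv3 = only(st, "SSLV3", notes)
    enabled = None  # None = not decided by FTP.DATA, or could not be determined
    if mech == "ATTLS":
        notes.append("AT-TLS protects the session; review protocol versions in the AT-TLS policy")
    elif mech == "FTP":
        enabled = sslv3 == "TRUE"
        notes.append("SSLV3 TRUE enables SSLv3; keep it only if a peer requires it" if enabled else "SSLv3 is off (V2R1 default for TLSMECHANISM FTP)")
    else:
        notes.append("TLSMECHANISM not coded once with FTP or ATTLS; confirm the effective value")
    return {"mechanism": mech, "sslv3_enabled": enabled, "notes": notes}
```

Calling `audit_sslv3(SAMPLE_FTP_DATA)` returns a dictionary with the mechanism, the SSLv3 state and the notes to follow up on.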