
TLS v1.2 on z/OS v2.1 using TLSMECHANISM FTP

Posted: Thu May 05, 2016 6:04 pm
by Jcronje
Is it possible to use TLS v1.2 when the TLSMECHANISM is FTP, or is it only supported when using AT-TLS? My secure FTP job has stopped working since the Windows guys upgraded to TLS v1.2. The same job still works when they downgrade back to TLS v1. I have applied the migration action as required in the z/OS v2.1 Migration guide to turn on SSLV3 in FTP.DATA.
Following are the relevant FTP Data parms:


EXTENSIONS        AUTH_TLS       
SECURE_MECHANISM  TLS            
SSLV3             TRUE           
TLSMECHANISM      FTP            
TLSRFCLEVEL       RFC4217        
SECURE_CTRLCONN   CLEAR          
SECURE_DATACONN   PRIVATE        
CIPHERSUITE       SSL_AES_256_SHA
EPSV4             TRUE           
PASSIVEDATAPORTS  (64400-64600)  
TLSTIMEOUT        500            
KEYRING           FTPx/xxxxkr   

Thanks,
Johan Cronje

Re: TLS v1.2 on z/OS v2.1 using TLSMECHANISM FTP

Posted: Fri May 06, 2016 12:09 pm
by Anuj Dhawan
Please see if this applies: 

https://www.ibm.com/support/knowledgece ... n_v2r1.htm and check for this text and what follows it:
FTP client and server

The FTP client and FTP server are modified to disable SSLV3 by default when TLSMECHANISM FTP is specified. In this mode, the FTP client or server uses System SSL APIs natively for its SSL/TLS protection, rather than AT-TLS.

Because the z/OS FTP client and server have historically enabled SSLV3 by default, evaluate whether the following conditions are true:
- Your server is supporting clients that require SSLV3.
- Your client is connecting to a server that requires SSLV3.
If either of the conditions is true, enable SSLV3 by specifying the new SSLV3 parameter in the relevant FTP configuration data set FTP.DATA with a value of TRUE.

If TLSMECHANISM ATTLS is specified, the FTP client or server is protected by AT-TLS, so the changes described under the AT-TLS function apply.
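
The following is an added example, not part of either post and not IBM code: a small audit that reads FTP.DATA statements and classifies the SSLV3 / TLSMECHANISM combination described in the quoted migration text. The sample input is constructed, the function names and status labels are hypothetical, and treating the last occurrence of a repeated statement as the effective one is an assumption.

```python
# Added example (not from the thread): classify the SSLV3 / TLSMECHANISM
# combination in an FTP.DATA file, following the quoted migration text.

# Constructed sample, modelled on the statements posted in the question.
SAMPLE_FTP_DATA = """\
; secure FTP settings (constructed)
SECURE_MECHANISM  TLS
SSLV3             TRUE      ; enabled as a migration action
TLSMECHANISM      FTP
CIPHERSUITE       SSL_AES_256_SHA
"""


def parse_ftp_data(text):
    """Map each statement name to its list of values (';' starts a comment)."""
    statements = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        value = fields[1].strip() if len(fields) > 1 else ""
        statements.setdefault(fields[0].upper(), []).append(value)
    return statements


def audit_sslv3(text):
    """Return (status, advice) for the SSLV3 / TLSMECHANISM combination."""
    st = parse_ftp_data(text)
    # Assumption: if a statement is repeated, the last occurrence is used.
    mechanism = (st.get("TLSMECHANISM") or ["UNSPECIFIED"])[-1].upper()
    sslv3_on = (st.get("SSLV3") or [""])[-1].upper() == "TRUE"
    if mechanism == "ATTLS":
        # Per the quoted text, AT-TLS protects the connection in this mode.
        return ("ATTLS", "Protection comes from AT-TLS; review the changes "
                "described under the AT-TLS function.")
    if sslv3_on:
        return ("SSLV3_ENABLED", "SSLV3 TRUE is set (TLSMECHANISM %s); keep it "
                "only if a peer really requires SSLv3." % mechanism)
    return ("SSLV3_NOT_ENABLED", "This file does not enable SSLv3.")


if __name__ == "__main__":
    status, advice = audit_sslv3(SAMPLE_FTP_DATA)
    print(status + ": " + advice)
```
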