z/VM FTP Server Secure Configuration Examples for FTPS Support

The information herein describes basic FTP server configuration settings to support Implicit and Explicit secure connections over FTP (FTPS).

A given z/VM FTP server can be configured to support either explicit or implicit secure connections, but not both at once. For a given z/VM system to support both of these types of connections simultaneously, two distinct FTP servers are required.

Explicit secure FTP connections are negotiated and instantiated after an initial, unsecure TCP connection is established with the z/VM FTP server. Such connections (as well as unsecure connections) conventionally are provided by an FTP server that listens on well-known port 21, so they can be accommodated by using the supplied default FTP server, FTPSERVE.

Implicit secure connections are established at the time a connection is attempted to the port at which the FTP server listens. These connections, by convention, are provided by an FTP server that listens at port 990.

Notes:

  1. For the purpose of discussion, assume that a server certificate with the name MYCERT already exists in the SSL server key database.
  2. Definition of a secondary FTP server (as discussed here) is not addressed by this information.
  3. The configuration changes and commands cited herein should be performed after having logged on the TCPMAINT user ID.


Configuring Explicit secure connectivity support for the default FTP server (FTPSERVE)

Because explicitly secure connections are negotiated and instantiated after an initial, unsecure TCP connection is established with the z/VM FTP server, modifications to the PORT assignments in the TCP/IP stack configuration file (PROFILE TCPIP, or its equivalent) are not necessary. The default PORT assignments for the FTPSERVE server, shown here, are appropriate:

  PORT
  ...
    20   TCP FTPSERVE  NOAUTOLOG ; FTP Server
    21   TCP FTPSERVE            ; FTP Server
  ...
  1. Update the FTPSERVE server configuration file (SRVRFTP CONFIG being the default) to include applicable TLS-related statements. For this example, secure connections will be allowed, but not required, for both FTP control and data connections.
    1. Include a TLSLABEL statement that identifies the server certificate that is to be used for authentication purposes:

        TLSLABEL MYCERT
        ...
      
    2. Include SECURECONTROL and SECUREDATA statements that identify the type of security that is to be imposed, respectively, for the control and data connections:

        SECURECONTROL ALLOWED
        SECUREDATA ALLOWED
        ...
      
  2. Restart the FTPSERVE server (if already active) using the SMSG REBOOT command, or XAUTOLOG the server if it is not currently running:

      smsg ftpserve reboot
    
    or

      cp xautolog ftpserve
    


Configuring Implicit secure connectivity support for a second FTP server (FTPSERV2)

After having defined a second FTP server user ID (FTPSERV2, for this example) and completed related tasks (CMS formatting the server 191 disk, copying the IBM-supplied TCPROFIL EXEC to this disk as PROFILE EXEC), the server can be configured to support implicit secure FTP connections.

  1. Update the TCP/IP server configuration to add PORT assignments for FTPSERV2.

    The port assignments needed for the FTPSERV2 server are shown here:

      PORT
      ...
        990  TCP FTPSERV2 SECURE MYCERT ; FTP Server - Implicit secure connections
        *    TCP FTPSERV2 SECURE MYCERT ; FTP Server - Implicit secure connections
      ...
    
    After these assignments have been added to the TCP/IP stack configuration file, the statements need to be made effective. If the TCP/IP stack server is not currently in use, the added statements will be effective when the TCP/IP server is restarted.

    If the TCP/IP server is active, and must remain so, the new port assignments can be activated by using the OBEYFILE command. However, when this is done, the entire set of port assignment statements (existing statements, the FTPSERV2 additions, as well as a prefacing PORT keyword statement) must be supplied.

  2. Modify the nodeID or SYSTEM DTCPARMS file used for your installation, to add an applicable entry for the FTPSERV2 server.

    Add a :nick.FTPSERV2 :type.server entry for the FTPSERV2 FTP server. This entry, at a minimum, needs to identify a unique server configuration file that will be used by the FTPSERV2 server. For this example, the file FTPSERV2 CONFIG will be used.

      :nick.FTPSERV2  :type.server  :class.ftp
        :name.FTP Server for Implicit TLS
        :parms.FTPSERV2 CONFIG *
      ...
    
  3. Create the server configuration file (FTPSERV2 CONFIG) for the FTPSERV2 server. Do this by copying the IBM-supplied SRVRFTP SCONFIG file, from the TCPMAINT 591 disk to the TCPMAINT 198 disk, as the file: FTPSERV2 CONFIG

    Then, edit the FTPSERV2 CONFIG file and activate the (commented) PORT 21 statement, with the connection port number altered to 990:

      PORT 990
      ...
    
    Additional statements can be activated and customized as needed, with the exception of these statements:

      TLSLABEL
      SECURECONTROL
      SECUREDATA
    

    These statements are not applicable to a configuration for implicit secure connection support. The inclusion of these statements will cause various problems to arise when client connections are established.

  4. Start the FTPSERV2 server using the CP XAUTOLOG command:

      cp xautolog ftpserv2
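
The consistency rules stated in both procedures above (the explicit FTPSERVE setup and the implicit FTPSERV2 setup) can be checked mechanically before a restart or OBEYFILE. The following Python script is an added example, not part of this page or of the IBM-supplied code: it reads the PORT entries from a PROFILE TCPIP fragment and an FTP server configuration file, and reports an implicit (SECURE) server that still carries TLSLABEL, SECURECONTROL or SECUREDATA, a server PORT that does not match the reserved SECURE port, or an explicit server that names SECURECONTROL/SECUREDATA without a TLSLABEL. It assumes that `;` begins a comment in both files; the fragments at the bottom are constructed sample input.

```python
"""Added example (not IBM-supplied code): checks the FTPS settings described
above for the combinations this page warns about. Assumes ';' starts a comment
in both files; the fragments at the bottom are constructed sample input."""
EXPLICIT_ONLY = {"TLSLABEL", "SECURECONTROL", "SECUREDATA"}   # explicit FTPS only

def parse_port_stanza(text):
    """Map server -> [(port, label)]; label is None unless SECURE is present."""
    ports = {}
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()     # drop trailing comment
        if len(fields) < 3:                         # PORT keyword, '...', blank
            continue
        upper = [f.upper() for f in fields]
        secure = "SECURE" in upper[3:]
        label = (fields + [""])[4 + upper[3:].index("SECURE")] if secure else None  # "" if label missing
        ports.setdefault(upper[2], []).append((fields[0], label))
    return ports

def parse_server_config(text):
    """Map STATEMENT -> value for an FTP server configuration file."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line and line != "...":
            stmt, _, value = line.partition(" ")
            cfg[stmt.upper()] = value.strip()
    return cfg

def check(port_text, cfg_text, server):
    """Return findings for one server; an empty list means consistent."""
    server, findings = server.upper(), []
    ports = parse_port_stanza(port_text).get(server, [])
    cfg = parse_server_config(cfg_text)
    if any(label is not None for _, label in ports):          # implicit FTPS
        for stmt in sorted(EXPLICIT_ONLY & set(cfg)):
            findings.append(f"{server}: {stmt} is not valid with SECURE port entries")
        secure = sorted(p for p, label in ports if label is not None and p != "*")
        if cfg.get("PORT") not in secure:
            findings.append(f"{server}: PORT {cfg.get('PORT')} does not match {secure}")
    elif {"SECURECONTROL", "SECUREDATA"} & set(cfg) and "TLSLABEL" not in cfg:
        findings.append(f"{server}: SECURECONTROL/SECUREDATA without TLSLABEL")
    return findings
PROFILE_TCPIP = """PORT
  21   TCP FTPSERVE            ; FTP Server
  990  TCP FTPSERV2 SECURE MYCERT ; FTP Server - Implicit secure connections
"""
FTPSERVE_CONFIG = "TLSLABEL MYCERT\nSECURECONTROL ALLOWED\nSECUREDATA ALLOWED\n"
FTPSERV2_CONFIG = "PORT 990\n"
FTPSERV2_WRONG = "PORT 990\nSECURECONTROL ALLOWED\n"   # mistake the page warns about
```

Run `check(PROFILE_TCPIP, FTPSERV2_WRONG, "FTPSERV2")` to see the finding for the SECURECONTROL statement that the text says must not appear in an implicit server's configuration.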
    


Additional Notes

    For more information, consult the TCP/IP and FTP server documentation in TCP/IP Planning and Customization.