FTP instructions (non-secure)

FTP is the protocol of choice to send data over the Internet. A wide range of command-line and GUI clients is available. Most operating systems have an FTP client installed by default. To allow the data to be processed automatically, a file naming convention must be followed. Please read the file naming convention page for your operating system.

Addresses

Note: Please use the server closest to your physical location.

  1. Americas

    ftp://testcase.boulder.ibm.com/

  2. Asia Pacific

    ftp://ftp.ap.ecurep.ibm.com/

  3. Europe

    ftp://ftp.ecurep.ibm.com/

Active vs. passive transfer mode

The FTP protocol supports two transfer modes: active and passive. Both are supported by the ECuRep FTP server. Active mode is the default for many FTP clients. If you encounter problems after logging on to the ECuRep FTP server, try switching to passive mode. This is needed because most corporate firewall policies only allow the use of passive mode. If your client does not support passive mode, please use another client. If you are in doubt, try an ls command right after login. If nothing is returned and a timeout occurs, passive FTP is required.

ASCII vs. binary transfer mode

One of the least-understood aspects of FTP transfers is the difference between ASCII and binary mode data transfers. ASCII stands for American Standard Code for Information Interchange, and is a type of character encoding based on the English language used on devices that handle information stored in text. It includes 33 non-printed control characters and 94 printed characters such as letters and punctuation.

When files are transferred in ASCII mode, the transferred data is considered to contain only ASCII formatted text. The party that is receiving the transferred data is responsible for translating the format of the received text to one that is compatible with their operating system. The most common example of how this is applied pertains to the way Windows and UNIX handle newlines. On a Windows computer, pressing the "enter" key inserts two characters in an ASCII text document - a carriage return (which places the cursor at the beginning of the line) and a line feed (which places the cursor on the line below the current one). On UNIX systems, only a line feed is used. ASCII text formatted for use on UNIX systems does not display properly when viewed on a Windows system and vice versa.

Binary mode refers to transferring files as a binary stream of data. Where ASCII mode may use special control characters to format data, binary mode transmits the raw bytes of the file being transferred. In binary mode, the file is transferred in its exact original form.
For our FTP server, transfers must be done in binary mode.

Examples

To help you use our FTP server, we provide several operating system-specific descriptions. For more information, please go to the description of your operating system.

FTPS instructions (secure)

A default FTP connection does not have any security. Secure and trusted data transfer is important. We offer a secure and trusted way to transfer your data to IBM via Secure FTP. Secure FTP provides File Transfer Protocol capability plus the security of Secure Sockets Layer/Transport Layer Security (SSL/TLS) for your data transfers. In order to use this, your FTP client must support SSL/TLS and your firewall must be transparent for secure FTP. The FTP client decides whether it wants the session to be encrypted by sending the AUTH command to the server to switch to using SSL.

For a detailed description of secure FTP, please refer to the documentation for your system.

Note: Using cryptographic functions may reduce the transfer rate considerably.

If your FTP client supports SSL and TLS, activate these options and use port 21. Here is a sample logon log of an FTP client; the important lines applicable to SSL/TLS are marked. During initial establishment of the session, the server and your client will agree on a method that is supported at both ends. After this, our server will ask you to accept our certificate and, when you accept it, a secure session is established. Please check whether the certificate is a valid IBM certificate.

Addresses

Note: Please use the server closest to your physical location.

  1. Americas

    testcase.boulder.ibm.com

  2. Asia Pacific

    ftp.ap.ecurep.ibm.com

  3. Europe

    ftp.ecurep.ibm.com

Supported options:

  1. RC2

    Block cipher developed at RSA Data Security

  2. RC4

    Stream cipher developed at RSA Data Security

  3. DES

    56 bits of security

  4. 3DES

    Digital Encryption Standard, 168 bits of security

  5. AES

    Advanced Encryption Standard, 256 bits of security

Hashing algorithms:

  1. MD5

    Algorithm that converts to fixed size (16 bytes)

  2. SHA

    Secure Hash Algorithm that converts to a 20-byte output

Port, protocols & security certificates:

  1. Port

    21

  2. Protocols

    SSL, TLS

  3. Security protocol

    The certificate is from Equifax Secure Certificate Authority.

    When using MVS (OS/390, z/OS) FTP client, please be sure to obtain the CA ROOT Certificate from GeoTrust or view the certificate and installation instructions.

Examples

We have successfully tested several different implementations of FTP clients. Take a look at the documentation of your FTP client to check whether secure FTP is supported. If you have problems configuring secure FTP on your system, contact your local support or the provider of your FTP client.
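
An added example, not IBM's code, of the FTPS steps described in this section: explicit AUTH TLS on port 21, certificate and host name verification by the client library instead of accepting the certificate by hand, passive mode, and binary transfer. The function names, the TLS 1.2 floor and the file name check (taken from the allowed characters in the server banner) are assumptions of the example.

```python
import ftplib
import re
import ssl
import sys

# Characters the ECuRep banner allows in file names:
# letters, digits, period and hyphen.
_SAFE_NAME = re.compile(r"[A-Za-z0-9.-]+")


def build_tls_context() -> ssl.SSLContext:
    """TLS settings used for both the control and the data connection."""
    # create_default_context() loads the system CA store and enables
    # CERT_REQUIRED plus host name checking, so an unexpected certificate
    # aborts the handshake instead of being accepted interactively.
    ctx = ssl.create_default_context()
    # Assumption of this example: the server offers TLS 1.2 or newer.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_safe_remote_name(name: str) -> bool:
    """True if the name uses only the characters the banner allows."""
    return _SAFE_NAME.fullmatch(name) is not None


def upload_ftps(host, remote_dir, local_path, remote_name, email):
    """Upload one file over explicit FTPS and return the server's reply."""
    if not is_safe_remote_name(remote_name):
        raise ValueError("remote name contains characters the server rejects")
    ftps = ftplib.FTP_TLS(context=build_tls_context(), timeout=60)
    try:
        ftps.connect(host, 21)
        ftps.auth()                     # AUTH TLS before any login data is sent
        ftps.login("anonymous", email)
        ftps.prot_p()                   # PBSZ 0 / PROT P: encrypt the data channel
        ftps.set_pasv(True)             # passive mode, as most firewalls require
        ftps.cwd(remote_dir)
        with open(local_path, "rb") as fh:
            # storbinary() switches to TYPE I (binary) before STOR.
            reply = ftps.storbinary(f"STOR {remote_name}", fh)
        ftps.quit()
        return reply
    finally:
        ftps.close()


if __name__ == "__main__":
    # usage: script.py HOST REMOTE_DIR LOCAL_FILE REMOTE_NAME EMAIL
    if len(sys.argv) != 6:
        sys.exit("usage: HOST REMOTE_DIR LOCAL_FILE REMOTE_NAME EMAIL")
    print(upload_ftps(*sys.argv[1:6]))
```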

SFTP instructions (secure)

Secure FTP over SSH is based on the Secure Shell protocol. In contrast to standard FTP, only one port is used for session handling and data transfer. Therefore, the implementation is firewall friendly.

In general, the directory structure of the SFTP server is the same as on the standard FTP server except that only the toibm directory is available. Because SFTP Windows GUI clients require directory listing, files can be listed in upload directories. Download of such files is administratively prohibited. They are also moved to another directory a few seconds after the upload is started, and therefore vanish from the directory listing after a short period.

Address

Note: Please use the server closest to your physical location.

  1. Americas

    anonymous@testcase.boulder.ibm.com

  2. Europe

    anonymous@sftp.ecurep.ibm.com

Supported ciphers:

  • aes128-ctr
  • aes192-ctr
  • aes256-ctr

Hashing algorithm:

  • sha1

Port & protocol:

  1. Port

    22

  2. Protocol

    SFTP based on SSH version 2; Secure Copy (SCP) requests are denied

Server host key information and fingerprint

  • Key type: ssh-dss
  • Key length: 1024
  • Fingerprint: 83:f0:e4:63:4a:5c:d6:06:90:17:a8:34:8e:37:e7:5c
  • Babbleable: xevef-cyzyh-vazyl-baheh-rakih-nupyr-refod-hyfof-pucyp-nakar-coxix
  • Key type: ssh-rsa
  • Key length: 2048
  • Fingerprint: 19:94:4d:8f:81:b3:94:9c:c8:87:34:49:a9:bf:44:64
  • Babbleable: xomor-degap-fozel-hizeb-pihad-kutap-kagim-palab-zivus-tahih-faxux

Examples

We have successfully tested different implementations of SFTP clients. The tests included command line and GUI clients. Some Windows FTP clients support FTP, FTPS and SFTP. Please have a look at the documentation of your client. If you have problems configuring secure FTP on your system, contact your local support or the provider of your FTP client. Secure Copy (SCP) is not supported.


SFTP example

The following is an example of performing an anonymous SFTP upload of a file to IBM Enhanced Customer Data Repository using a line mode SFTP client. Of course you can use any SFTP client.

Command/Response, each followed by its description:

    $ sftp anonymous@sftp.ecurep.ibm.com

The customer enters the SFTP command to invoke the SFTP client and log in to the SFTP server.

    The authenticity of host 'sftp.ecurep.ibm.com (192.109.81.25)' can't be established.
    RSA key fingerprint is 19:94:4d:8f:81:b3:94:9c:c8:87:34:49:a9:bf:44:64.
    Are you sure you want to continue connecting (yes/no)?

The connection is established. The SFTP client asks for verification of the SFTP server key fingerprint. The fingerprint can be found on the ECuRep Web page. If the fingerprint is verified, it needs to be accepted by entering yes. Entering no will end the connection.
Depending on the SFTP client, this step is only required once. Most clients store the accepted fingerprint or they ask if the fingerprint should be remembered.

    Welcome to the IBM Centralized Customer Data Repository (ECuRep).
    By using this service, you agree to all terms of the IBM Service User Licence Agreement (see http://www.ibm.com/de/support/ecurep/service.html)!
    For FAQ/ Documentation please see ECuRep - Homepage http://www.ibm.com/de/support/ecurep/index.html
    LOGIN user: anonymous pw: <not required>
    Please report questions to: ftp.emea@mainz.ibm.com
    Connection will close if idle for more than 30 minutes.
    Here you can deliver support material to IBM.
    use command 'cd toibm'
    Connected to sftp.ecurep.ibm.com.

The connection is established. A welcome message is posted. Not all SFTP clients display this message.

    sftp> cd toibm/aix

The customer should then change to the directory where they will upload the file using the cd subcommand. You need to inform the customer of the directory to use here.

    sftp> put your_data_at_the_workstation 12345.123.724.DUMP.ZIP

The customer may then upload the file using the put subcommand. In this case, the customer is uploading a file called your_data_at_the_workstation.

    your_data_at_the_workstation 100% 591KB 197.1KB/s 00:03

Most clients will show information about the transfer progress.

    sftp> quit

The customer then terminates the session by using the quit subcommand.
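
An added example (not part of the original page) of the fingerprint check described above, done out of band instead of answering yes at the prompt: it derives both published forms from a host key line as written by ssh-keyscan or stored in known_hosts and compares them with the values on this page. It assumes the hex fingerprint is the MD5 digest of the key blob and the "Babbleable" value is the Bubble Babble encoding of its SHA-1 digest; the function names and the sample key line are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct

# Values published on this page for the ssh-rsa host key.
PUBLISHED_RSA_MD5 = "19:94:4d:8f:81:b3:94:9c:c8:87:34:49:a9:bf:44:64"
PUBLISHED_RSA_BABBLE = (
    "xomor-degap-fozel-hizeb-pihad-kutap-kagim-palab-zivus-tahih-faxux"
)

# Constructed sample, NOT the real ECuRep key: a well-formed "ssh-rsa"
# blob header followed by filler bytes.
_SAMPLE_BLOB = struct.pack(">I", 7) + b"ssh-rsa" + bytes(range(32))
SAMPLE_LINE = "sftp.example.test ssh-rsa " + base64.b64encode(_SAMPLE_BLOB).decode()


def parse_key_line(line):
    """Return (key_type, blob) from a 'host key-type base64-blob' line."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: host key-type base64-blob")
    key_type = fields[1]
    blob = base64.b64decode(fields[2], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed algorithm name; it must agree
    # with the type written on the line.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("declared key type does not match key blob")
    return key_type, blob


def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint, the format printed by the client."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bubble_babble(data):
    """Bubble Babble encoding of a byte string."""
    vowels, cons = "aeiouy", "bcdfghklmnprstvzx"
    seed, rounds, out = 1, len(data) // 2 + 1, ["x"]
    for i in range(rounds):
        last = i + 1 == rounds
        if not last or len(data) % 2:
            b1 = data[2 * i]
            out.append(vowels[((b1 >> 6) + seed) % 6])
            out.append(cons[(b1 >> 2) & 15])
            out.append(vowels[((b1 & 3) + seed // 6) % 6])
            if not last:
                b2 = data[2 * i + 1]
                out.append(cons[b2 >> 4] + "-" + cons[b2 & 15])
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:
            out.append(vowels[seed % 6] + "x" + vowels[seed // 6])
    return "".join(out) + "x"


def matches_published(line, md5_fp, babble):
    """True only if the key on `line` yields both published values."""
    _, blob = parse_key_line(line)
    got_md5 = md5_fingerprint(blob)
    got_babble = bubble_babble(hashlib.sha1(blob).digest())
    return (hmac.compare_digest(got_md5, md5_fp.strip().lower())
            and hmac.compare_digest(got_babble, babble.strip().lower()))


if __name__ == "__main__":
    # The constructed sample key is not the server's key, so this prints False.
    print(matches_published(SAMPLE_LINE, PUBLISHED_RSA_MD5, PUBLISHED_RSA_BABBLE))
```

With a current OpenSSH client, `ssh-keygen -l -E md5 -f <file>` prints the same colon-separated MD5 form for a saved key line.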

FTP example

The following is an example of performing an anonymous FTP upload of a file to IBM Enhanced Customer Data Repository using a line mode FTP client. Of course you can use any FTP client.

Command/Response, each followed by its description:

    C:\> ftp ftp.ecurep.ibm.com

The customer enters the FTP command to invoke the FTP client and begin an FTP session with Testcase Data Exchange.

    Connected to ftp.ecurep.ibm.com.
    220-FTPD1 IBM FTP CS V1R5 at MCEFTP, 17:14:35 on 2005-06-22.
    220-Welcome to the IBM Centralized Customer Data Repository (ECuRep)

The customer receives verification that the session has been established and that the Testcase Data Exchange FTP server is ready.

    User (ftp.ecurep.ibm.com:(none)): anonymous

The customer is prompted for their user name. They should enter the keyword anonymous indicating that this will be an anonymous FTP session.

    331 Send email address as password please.

The FTP server responds that anonymous access is permitted and prompts the customer to enter any text as a password.

    Password: test@anyone

The customer should enter any text as a password. In this case, the customer entered the password test@anyone.

    230-Here you can deliver/get support material to/from IBM.
    230-Directories for:
    230- deliver  use command 'cd toibm'
    230- get      use command 'cd fromibm'.

The FTP server responds that the login was successful.

    ftp> cd toibm/windows

The customer should then change to the directory where they will upload the file using the cd FTP subcommand. You need to inform the customer of the directory to use here.

    250 HFS directory /toibm/windows is the current working directory.

The FTP server responds that the change (working) directory command was successful.

    ftp> binary
    200 Type set to I.
    ftp> put your_data_at_the_workstation 12345.123.724.DUMP.ZIP

The customer may then upload the file using the put FTP subcommand. In this case, the customer is uploading a file called your_data_at_the_workstation. Depending on your requirements, you may want them to upload the file in binary format by first specifying the binary subcommand.

    200 PORT command successful.
    150 Opening binary mode connection for your_data_at_the_workstation
    226 Transfer complete.

The FTP server responds that the connection has started and also responds when the upload is complete. Upload times will vary depending on network connection speed and file size.

    ftp> quit

The customer then terminates the FTP session by using the quit subcommand.

FTP example (DOS command prompt)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.


C:\>ftp ftp.ecurep.ibm.com
Connected to ftp.ecurep.ibm.com.
220-FTPD1 IBM FTP CS V2R10 at MCEFTP, 15:13:33 on 2002-05-01.
220-***********************************************************************
220-* Welcome to the IBM EMEA Centralized Customer Data Repository (ECuRep*
220-* INTERNET ADDRESS 192.109.81.7 (ftp.ecurep.ibm.com) *
220-* IBM INTRANET ADDRESS 9.39.51.27 (ftp.ecurep.ibm.com) *
220-* By using this service, you agree to all terms of the *
220-* Service User Licence Agreement *
220-* (see http://www.ibm.com/de/support/ecurep/service.html) ! *
220-* For FAQ/Documentation please see ECuRep - Homepage *
220-* http://www.ibm.com/de/support/ecurep/index.html *
220-* *
220-* LOGIN user: anonymous pw: your_email_address *
220-***********************************************************************
220-* please report questions to: contact@ecurep.ibm.com *
220 Connection will close if idle for more than 10 minutes.
User (ftp.ecurep.ibm.com:(none)): anonymous
331 Send email address as password please.
Password:
230-Here you can deliver/get support material to/from IBM.
230-
230-Directories for:
230- deliver use command 'cd toibm'
230- get use command 'cd fromibm'
230-
230-Please use command 'bin' prior transfer. See special instructions
230-displayed when changing to the sub directory.
230 'ANONYMOUS' logged on. Working directory is /.
ftp> cd toibm
250-Here you can deliver Support Material to IBM.
250-Directories for: aix, cae, intel, tivoli, ssa,
250-san, dm, netw-hw, imageplus, swm, tsm, websphere,
250-s390 and as/400
250-To enter the folder of your operating-system type 'cd'
250-Example: To enter the folder AIX type 'cd aix'.
250-Please use command 'bin' prior transfer.
250-===================================================================
250- IMPORTANT : only use the following characters for filenames:
250- Upper- or lowercas (A-Z), numbers (0-9),
250- period (.) and hyphen (-)
250- ==> Using other characters may lead to UNPREDICTABLE RESULTS,
250- ==> your file may NOT be processed |
250- E.g. Do NOT use BLANK characters, $-sign etc. in FILE NAMES |
250-===================================================================
250 HFS directory /toibm is the current working directory.
ftp> ls
200 Port request OK.
125 List started OK
aix
hw
linux
mvs
os2
os400
swm
unix
readme.msg
vm
vse
windows
250 List completed successfully.
ftp: 119 bytes received in 0,00Seconds 119000,00Kbytes/sec.
ftp> cd aix
250-Here you can place AIX related support material for IBM
250-For better identifaction purposes please use the following naming
250-convention:
250-xxxxx.bbb.ccc.yyy.yyy ---> xxxxx = PMR-Number
250- bbb = Branch Office (if known)
250- ccc = IBM Country Code (f.e. Germany 724)
250- yyy.yyy = Short description for the file type
250- f.e. tar.Z, restore.Z, restore.gz
250-Take care to use the 'bin' Option before transfering data
250-Some additional Remarks:
250-1.) If possible inform your IBM Software Support about the files
250- transfered. This will reduce the reaction Time.
250-2.) The Material will be automatically deleted after 3 Working days.
250-3.) The FTP GET und LS option are intentionally disabled.
250 HFS directory /toibm/aix is the current working directory.
ftp> bin
200 Representation type is Image
ftp> put boot.ini 34143.055.000.test.nixx
200 Port request OK.
125 Storing data set /toibm/aix/34143.055.000.test.nixx
250 Transfer completed successfully.
ftp: 523 bytes sent in 0,00Seconds 523000,00Kbytes/sec.
ftp> bye
221 Quit command received. Goodbye.


C:\>


FTP example (MVS or z/OS command prompt)

The following JCL can be tailored and used to process the data sets to be transmitted to the FTP server.

Note: Please be sure to TURN OFF the LINE NUMBERING.

//XXXXX JOB CLASS=A,MSGCLASS=X,REGION=64M
//*----------------------------------------------------
//* Be sure that line numbering is set to off (unnum)

//*----------------------------------------------------
//* Delete the temporary file
//*----------------------------------------------------
//DELETE EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
DELETE YOUR.TERSED.DATASET
DELETE YOUR.CRYPTED.DATASET
SET MAXCC=0
//*----------------------------------------------------
//* Terse the file
//* THIS STEP IS MANDATORY
//*----------------------------------------------------
//TERSE EXEC PGM=TRSMAIN,PARM=PACK
//SYSPRINT DD SYSOUT=*
//INFILE DD DISP=SHR,DSN=YOUR.INPUT.DATASET
//OUTFILE DD DISP=(NEW,CATLG),UNIT=SYSDA,
// SPACE=(CYL,(10,5),RLSE),
// DSN=YOUR.TERSED.DATASET
//*----------------------------------------------------
//* Encrypt the file
//* Optional step if you can not use secure FTP
//*----------------------------------------------------
//DFSMSENC EXEC PGM=CSDFILEN
//SYSPRINT DD SYSOUT=*
//SYSOUT DD SYSOUT=*
//SYSUT1 DD DISP=SHR,
// DSN=YOUR.TERSED.DATASET
//SYSUT2 DD DISP=(NEW,CATLG),UNIT=SYSDA,
// SPACE=(CYL,(10,5),RLSE),
// DSN=YOUR.CRYPTED.DATASET
//SYSIN DD *
DESC='Optional information'
CLRTDES
PASSWORD=sample password please change
//*----------------------------------------------
//* SEND THE FILE TO THE IBM FTP SERVER
//* WHEN CRYPTED, SEND THE CRYPTED DATASET
//* WHEN TERSED ONLY, SEND THE TERSED DATASET
//* USE NON-SECURE OR SECURE FTP
//*----------------------------------------------
//* EXEC Statement for NON-Secure-FTP
//FTP EXEC PGM=FTP,PARM='-v (EXIT '
//* Uncomment next line for Secure-FTP
//*FTP EXEC PGM=FTP,PARM='-a TLS -v (EXIT '
//SYSTCPD DD DSN=YOUR.TCPPARMS(TCPDATA),DISP=SHR
//SYSFTPD DD DSN=YOUR.TCPPARMS(FTPDATA),DISP=SHR
//SYSPRINT DD SYSOUT=*
//INPUT DD *
ftp.ecurep.ibm.com
anonymous
your@email.address
bin
cd /toibm/mvs
put 'YOUR.CRYPTED.DATASET' 12345.123.724.DUMP.TRS[.EFZ]
quit
/*

Where
TRS - Mandatory identifier for tersed files
EFZ - Identifier only for encrypted files


FTP example (z/VM)

Ready; T=0.01/0.01 17:25:05
ftp ftp.ecurep.ibm.com
VM TCP/IP FTP Level 320
Connecting to ftp.ecurep.ibm.com 9.39.0.2, port 21
220-FTPSERVE IBM FTP CS V2R10 at MCEVS1, 16:24:21 on 2002-03-19.
220-************************************************************************
220-* Welcome to the IBM EMEA Centralized Customer Data Repository (ECuRep)*
220-* INTERNET ADDRESS 192.109.81.7 (ftp.ecurep.ibm.com) *
220-* IBM INTRANET ADDRESS 9.39.51.27 (ftp.ecurep.ibm.com) *
220-* *
220-* All FTP'able software is (c) copyright International Business *
220-* Machines Corporation. *
220-* *
220-* Before using this service refer to the terms of use for *
220-* Exhanging Diagnostic Data with IBM *
220-* (see http://www.ibm.com/de/support/ecurep/service.html) ! *
220-* *
220-* For FAQ/Documentation please see ECuRep - Homepage *
220-* http://www.ibm.com/de/support/ecurep/index.html *
220-* *
220-* LOGIN user: anonymous pw: your_email_address *
220-************************************************************************
220-* please report questions to: ftp.emea@mainz.ibm.com *
220 Connection will close if idle for more than 5 minutes.
USER (identify yourself to the host):
anonymous
>>>USER anonymous
331 Send email address as password please.
Password:
>>>PASS ********
230-Here you can deliver/get support material to/from IBM.
230-Directories for:
230- deliver use command 'cd toibm'
230- get use command 'cd fromibm'
230-
230-Please use command 'bin' prior transfer. See special instructions
230-displayed when changing to the sub directory.
230 'ANONYMOUS' logged on. Working directory is /.
Command:
cd /toibm/s390
>>>CWD /toibm/s390
250-Here you can place s390 related support material for IBM
250-
250-To ensure quick and proper problem determination you should consider
250-these principals and naming convention:
250-
250-xxxxx.bbb.ccc.yyy.yyy ---> xxxxx = PMR-Number
250- bbb = Branch Office (if known)
250- ccc = IBM Country Code (f.e. Germany 724)
250- yyy.yyy = Short description for the file type
250- f.e. tar.Z, restore.Z, restore.gz
250-
250-Take care to use the binary Option before transfer.
250-Due to security reasons you will not be able to list the directory contents.

250-
250-Some additional Remarks:
250-1.) If possible inform your IBM Software Support about the files
250- transferred. This will reduce the reaction Time.
250-2.) The Material will be automatically deleted after 3 Working days.
250-3.) The FTP GET und LS option are intentionally disabled.
250 HFS directory /toibm/s390 is the current working directory.
Command:
put qt.rextrace.a 12345.111.724.qt.test

>>>SITE VARrecfm
200 Site command was accepted
>>>PORT 9,39,62,3,10,72
200 Port request OK.
>>>STOR 12345.111.724.qt.test
125 Storing data set /toibm/s390/12345.111.724.qt.test
250 Transfer completed successfully.
52 bytes transferred in 0.034 seconds. Transfer rate 1.53 Kbytes/sec.
Command:
quit
>>>QUIT
221 Quit command received. Goodbye.
Ready; T=0.02/0.03 17:26:12
cl con


FTPS and firewalls

When using Secure FTP (FTPS), you may run into problems with your firewall. This is due to the nature of the protocol and the different types of firewalls.

FTP uses two connections between the FTP client and FTP server. The control connection is used to exchange FTP commands and control information, and the data connection is used to transmit the files and the output of commands.

The control connection is established when an FTP client connects to an FTP server. If data has to be transferred, the data connection is set up dynamically. There are no fixed TCP ports for this connection. The FTP server tells the client the TCP port to be used within the control connection. The port changes for every data transmission. Modern firewalls read the port information exchanged within the control connection and dynamically create rules to allow the data transfer.

While FTPS is in use, the control and data connections are encrypted. A firewall can no longer read the content of the control connection, and dynamic rule creation for the data connections is no longer possible.

There are also some firewalls which run more or less intensive checks on the traffic within the control connection. They drop the connection if they detect traffic which is not mentioned in the FTP protocol definition. Those checks necessarily fail with encrypted connections.

In case of problems please read our help page.
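
An added example (not from the original page) of the inspection step described above: it extracts the data-connection endpoint from control-channel lines the way an FTP-aware firewall does before creating a dynamic rule, and shows that the same logic finds nothing once the control connection carries TLS records. The function names, the same-address policy in `pinhole` and the sample lines are constructed for the example; the PORT line is the one from the z/VM session shown earlier.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as used by the PORT command and the 227 (PASV) reply.
_HOSTPORT = re.compile(
    rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)
# (|||port|) as used by the 229 (EPSV) reply.
_EPSV = re.compile(rb"\(\|\|\|(\d{1,5})\|\)")

# Constructed sample: the first bytes of a TLS application-data record,
# which is all an on-path device sees after AUTH TLS has completed.
TLS_RECORD = bytes([0x17, 0x03, 0x03, 0x00, 0x20]) + bytes(range(0x80, 0xA0))


def data_endpoint(line, peer_ip):
    """Return (ip, port) announced in one control-channel line, else None.

    peer_ip is the address of the party that sent the line; the EPSV reply
    carries only a port, so the address is taken from the connection.
    """
    text = line.strip()
    if text[:5].upper() == b"PORT " or text.startswith(b"227 "):
        m = _HOSTPORT.search(text)
        if m is None:
            return None
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            return None
        ip = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]
    elif text.startswith(b"229 "):
        m = _EPSV.search(text)
        if m is None:
            return None
        ip, port = peer_ip, int(m.group(1))
    else:
        return None
    if not 0 < port < 65536:
        return None
    return ip, port


def pinhole(line, peer_ip):
    """Endpoint to open a dynamic rule for, or None.

    Policy of this example: only accept an endpoint on the sender's own
    address, so a control line cannot open a path to a third host.
    """
    endpoint = data_endpoint(line, peer_ip)
    if endpoint is None:
        return None
    if ipaddress.ip_address(endpoint[0]) != ipaddress.ip_address(peer_ip):
        return None
    return endpoint


if __name__ == "__main__":
    # Clear-text control channel: the endpoint is readable.
    print(pinhole(b"PORT 9,39,62,3,10,72\r\n", "9.39.62.3"))
    # Encrypted control channel: nothing to parse, so no rule is created.
    print(pinhole(TLS_RECORD, "9.39.62.3"))
```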


GeoTrust certificate installation instructions

MVS (OS/390, z/OS) FTP Clients only

Please follow the directives below to establish the necessary RACF definition.

  1. Obtain the Equifax CA certificate.
    • Below you will find the contents of the CURRENT Equifax CA certificate. Please note that this certificate is subject to change, i.e., it may become invalid or it may expire.
    • You can find the ORIGINAL certificate on the GeoTrust webpage under Web Security, SSL certificates, TrueBusiness ID, Installation Instructions, or you can use this link for the certificate and installation.
    • Follow the link IBM-HTTP, ignore all references to the HTTP server, the certificate is at the bottom.
    • Current contents of the GeoTrust Trusted Root Certificate: Equifax Secure Certificate Authority

      

    • Use Copy and Paste to place this Certificate into a SEQUENTIAL, VARIABLE BLOCKED dataset on your MVS System. Be sure to include the top and bottom dashed lines.
    • Name this dataset SYS1.CA.CERT.
    • Do NOT change the contents!
  2. New intermediate certificates

    Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA




    

    Subject: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA



    

    It is not necessary to install these certificates.

  3. New certificate, valid from 23 March 2011:

    

    Use Copy and Paste to place this Certificate into a second SEQUENTIAL, VARIABLE BLOCKED dataset. Be sure to include the top and bottom dashed lines. Name this dataset 'SYS1.FTPEMEA.CERT'.

    Do NOT change the content!

  4. Add the GeoTrust Trusted Root Certificate to your RACF database as a CERTAUTH Certificate. Use the RACF dialogs as follows:
    • From the RACF Primary Panel (ICHP00), select Option 7 - DIGITAL CERTIFICATES AND KEY RINGS
    • On the next panel (ICHPB70), select Option 4 - Add, Alter, Delete, or List certificates.....
    • On the next panel (ICHPB0), select Option 1 - Add a digital certificate to the RACF database and enter any character under the Certificate Authority-heading in the next line, then press ENTER
    • On the next panel (ICHPB01A), you will now notice the highlighted word CERTAUTH.
    • Enter the Data Set Name (in quotes) 'SYS1.CA.CERT' in the first input field.
    • Enter the Label Name (in quotes) in the next input field. The label name must be specified as : 'Equifax Secure Certificate Autho'. Caution, this field is case-sensitive.
    • In the Field Status Trust enter the character H for Hightrust, then press ENTER.

    Alternatively, you can issue the RACF command:

    RACDCERT CERTAUTH -
    ADD('SYS1.CA.CERT') -
    HIGHTRUST -
    WITHLABEL('Equifax Secure Certificate Autho')

  5. Add the ECuRep FTP Server Certificate to your RACF database as a SITE Certificate. Use the RACF dialogs as follows:
    • From the RACF Primary Panel (ICHP00), select Option 7 - DIGITAL CERTIFICATES AND KEY RINGS
    • On the next panel (ICHPB70), select Option 4 - Add, Alter, Delete, or List certificates.....
    • On the next panel (ICHPB0), select Option 1 - Add a digital certificate to the RACF database and enter any character under the Site-heading in the next line, then press ENTER
    • On the next panel (ICHPB01A), you will now notice the highlighted word SITE.
    • Enter the Data Set Name (in quotes) 'SYS1.FTPEMEA.CERT' in the first input field.
    • Enter the Label Name (in quotes) in the next input field. The label name must be specified as: 'ftp.ecurep.ibm.com'. Caution, this field is case-sensitive.
    • In the Field Status Trust enter the character T for Trust, then press ENTER.

    Alternatively, you can issue the RACF command:

    RACDCERT SITE -
    ADD('SYS1.FTPEMEA.CERT') -
    TRUST -
    WITHLABEL('ftp.ecurep.ibm.com')

  6. Create a RACF KEYRING for EACH userid(!) who would like to use Secure FTP. Use the RACF dialogs as follows:
    • From the RACF Primary Panel (ICHP00), select Option 7 - DIGITAL CERTIFICATES AND KEY RINGS
    • On the next panel (ICHPB70), select Option 6 - Create, List, or Delete an entire key ring....
    • On the next panel (ICHP75), select Option 1 - Create a new key ring and enter the userid for which you create this keyring.
    • On the next panel (ICHP75A), enter a name for the keyring (WITHOUT quotes), e.g. SECURE.FTP.KEYRING

    Alternatively, you can issue the RACF command:

    RACDCERT ID(userid) ADDRING(SECURE.FTP.KEYRING)

  7. Connect the CA certificate to each user's(!) keyring. Use the RACF dialogs as follows:
    • From the RACF Primary Panel (ICHP00), select Option 7 - DIGITAL CERTIFICATES AND KEY RINGS
    • On the next panel (ICHPB70), select Option 6 - Create, List, or Delete an entire key ring....
    • On the next panel (ICHP75), select Option 4 - Connect a digital certificate to a key ring and enter the userid to whose keyring you connect this certificate.
    • On the next panel (ICHP754), enter the keyring name, e.g. SECURE.FTP.KEYRING. In the fields Certificate Type and Usage, enter any character under Certificate Authority and enter the Label Name (in quotes) 'Equifax Secure Certificate Autho', then press ENTER. (The field Default defaults to NO, that's fine)

    Alternatively, you can issue the RACF command:

    RACDCERT ID(userid) -
    CONNECT( -
    CERTAUTH -
    LABEL('Equifax Secure Certificate Autho') -
    RING(SECURE.FTP.KEYRING) -
    USAGE(CERTAUTH) -
    )

  8. Connect the ECuRep FTP Server Certificate to each user's(!) keyring. Use the RACF dialogs as follows:
    • From the RACF Primary Panel (ICHP00), select Option 7 - DIGITAL CERTIFICATES AND KEY RINGS
    • On the next panel (ICHPB70), select Option 6 - Create, List, or Delete an entire key ring....
    • On the next panel (ICHP75), select Option 4 - Connect a digital certificate to a key ring and enter the userid to whose keyring you connect this certificate.
    • On the next panel (ICHP754), enter the keyring name, e.g. SECURE.FTP.KEYRING. In the fields Certificate Type and Usage, enter any character under Site and enter the Label Name (in quotes) 'ftp.ecurep.ibm.com', then press ENTER. (The field Default defaults to NO, that's fine)

    Alternatively, you can issue the RACF command:

    RACDCERT ID(userid) -
    CONNECT( -
    SITE -
    LABEL('ftp.ecurep.ibm.com') -
    RING(SECURE.FTP.KEYRING) -
    USAGE(SITE) -
    )

  9. Do a RACF Refresh of the (hopefully) RACLISTed classes DIGTCERT and DIGTRING. Issue the RACF command:

    SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH

  10. That's it! However, please remember that each userid now has his/her own keyring. In the TCP/IP parameters for your FTP CLIENT, you can enter only ONE keyring. That implies that you will have to create a separate FTPDATA dataset/member/file for EVERY userid who wants to exploit Secure FTP.

FTPS example

EZA1736I FTP -a tls -n -v -p TCPIP (EXIT
EZY2640I Using dd:SYSFTPD=TCPIP.IVN.TCPPARMS(FTPCDATS) for local site configuration parameters.
EZYFT26I Using 7-bit conversion derived from 'ISO8859-1' and 'IBM-1047' for the control connection.
EZYFT32I Using the same translate tables for the control and data connections.
EZA1450I IBM FTP CS V1R4
EZA2807I Executing under single stack configuration. Specified TCPIP name TCPIP ignored.
EZA1772I FTP: EXIT has been set.
EZA1456I Connect to ?
EZA1736I 192.109.81.7
EZYFT18I Using catalog '/usr/lib/nls/msg/C/ftpdmsg.cat' for FTP messages.
EZA1554I Connecting to: 192.109.81.7 port: 21.
220-FTPD1 IBM FTP CS V1R2 at MCEFTP, 15:27:37 on 2004-03-17.
220-Welcome to the IBM Centralized Customer Data Repository (ECuRep)
220-INTERNET ADDRESS 192.109.81.7 ()
220-BBefore using this service refer to the terms of use for
220-Exhanging Diagnostic Data with IBM
220-(see http://www.ibm.com/de/support/ecurep/service.html)!
220-For FAQ/Documentation please see ECuRep - Homepage
220-http://www.ibm.com/de/support/ecurep/index.html
220- LOGIN user: anonymous pw: your_email_address
220-please report questions to: contact@ecurep.ibm.com
220 Connection will close if idle for more than 15 minutes.
EZA1701I >>> AUTH TLS
234 Security environment established - ready for negotiation
EZA2895I Authentication negotiation succeeded
EZA1701I >>> PBSZ 0
200 Protection buffer size accepted
EZA1701I >>> PROT P
200 Data connection protection set to private
EZA2906I Data connection protection is private
EZA1460I Command:
EZA1701I >>> USER anonymous
331 Send email address as password please.
EZA1789I PASSWORD:
EZA1701I >>> PASS
230-Here you can deliver/get support material to/from IBM.
230-Directories for:
230-deliver use command 'cd toibm'
230-get use command 'cd fromibm'
230-for CADCAM/CATIA/VPM/ENOVIA/SMARTEAM use command 'cd cadcam'
230-Please use command 'bin' prior transfer. See special instructions
230-displayed when changing to the sub directory.
230 'ANONYMOUS' logged on. Working directory is /.


Stat command example

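If you cannot see the AUTH TLS command, you can check the status of the session with a remote stat command. In the output below, the lines reporting the authentication type (TLS) and the control and data protection levels (Private) indicate a secure session.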

EZA1736I stat
EZA1701I >>> STAT
211-Server FTP talking to host 195.212.29.163, port 21061
211-User: Anonymous Working directory: /
211-The control connection has transferred 707 bytes
211-There is no current data connection.
211-The next data connection will be actively opened
211-to host 195.212.29.163, port 21061,
211-using Mode Stream, Structure File, type Image, byte-size 8
211-Automatic recall of migrated data sets.
211-Automatic mount of direct access volumes.
211-Auto tape mount is allowed.
211-Inactivity timer is set to 900
211-VCOUNT is 59
211-ASA control characters in ASA files opened for text processing
211-will be transferred as ASA control characters.
211-Trailing blanks are not removed from a fixed format
211-data set when it is retrieved.
211-Data set mode. (Do not treat each qualifier as a directory.)
211-ISPFSTATS is set to FALSE
211-Primary allocation 450 tracks. Secondary allocation 45 tracks.
211-Partitioned data sets will be created with 50 directory blocks.
211-FileType SEQ (Sequential - default).
211-Number of access method buffers is 5
211-RDWs from variable format data sets are discarded.
211-Records on input tape are unspecified format
211-SITE DB2 subsystem name is DB2
211-Data not wrapped into next record.
211-Tape write is not allowed to use BSAM I/O
211-Truncated records will not be treated as an error
211-JESLRECL is 80
211-JESRECFM is Fixed
211-JESINTERFACELEVEL is 2
211-Xlate name is STANDARD
211-SMS is active.
211-Data sets will be allocated using unit SYSDA
211-New data sets will be catalogued if a store operation ends abnormally
211-Single quotes will override the current working directory.
211-UMASK value is 777
211-Process id is 50333504
211-Checkpoint interval is 0
211-Authentication type: TLS
211-Control protection level: Private
211-Data protection level: Private
211-Record format VB, Lrecl: 256, Blocksize: 27968
211 *** end of status ***
EZA1460I Command:
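
An added example (not part of the original page or of IBM's tooling): a Python check that audits a saved FTP client log the way the two transcripts above are read by eye, confirming that AUTH TLS and PROT P were accepted before USER/PASS and that STAT reports Private protection levels. The function name, the constructed sample log and the rule that STAT output overrides what the handshake implied are assumptions of this example.

```python
import re

# Constructed sample, abridged from the two z/OS client transcripts on this page.
SAMPLE = """\
EZA1701I >>> AUTH TLS
234 Security environment established - ready for negotiation
EZA1701I >>> PBSZ 0
200 Protection buffer size accepted
EZA1701I >>> PROT P
200 Data connection protection set to private
EZA1701I >>> USER anonymous
331 Send email address as password please.
EZA1701I >>> STAT
211-User: Anonymous Working directory: /
211-Authentication type: TLS
211-Control protection level: Private
211-Data protection level: Private
211 *** end of status ***
"""

CMD = re.compile(r"^EZA1701I >>> (.+)$")      # command echoed by the client
REPLY = re.compile(r"^(\d{3})[ -](.*)$")      # server reply, single or multi-line

def audit_transcript(text):
    """Return findings for an FTP client log; an empty list means protected."""
    findings, last_cmd, stat = [], "", {}
    tls_ok = prot_ok = False
    for line in map(str.strip, text.splitlines()):
        if m := CMD.match(line):
            last_cmd = " ".join(m.group(1).upper().split())
            if last_cmd.split()[0] in ("USER", "PASS") and not tls_ok:
                findings.append(f"{last_cmd.split()[0]} sent before AUTH TLS was accepted")
        elif m := REPLY.match(line):
            code, body = m.groups()
            tls_ok |= last_cmd == "AUTH TLS" and code == "234"
            prot_ok |= last_cmd == "PROT P" and code == "200"
            if code == "211" and ":" in body:          # STAT status field
                key, value = body.split(":", 1)
                stat[key.strip().lower()] = value.strip()
    # Assumption of this example: STAT output, when present, overrides the handshake.
    auth = stat.get("authentication type", "TLS" if tls_ok else "none")
    ctrl = stat.get("control protection level", "Private" if tls_ok else "none")
    data = stat.get("data protection level", "Private" if prot_ok else "none")
    if auth != "TLS" or ctrl != "Private":
        findings.append(f"control connection not protected (auth={auth}, level={ctrl})")
    if data != "Private":
        findings.append(f"data connection not protected (level={data})")
    return findings
```

Run it over the output of a batch FTP step before treating an upload as delivered over a protected session; any non-empty result names the command or status field that failed the check.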
