For MVS (OS/390, z/OS) FTP Clients only
Please follow the steps below to establish the necessary RACF definitions.

  1. Obtain the Equifax CA certificate.
    Below you will find the contents of the CURRENT Equifax CA certificate. Please note that this certificate is subject to change: it may become invalid or it may expire.
    You can find the ORIGINAL certificate on the GeoTrust webpage under Web Security, SSL certificates, TrueBusiness ID, Installation Instructions, or you can use this link for the certificate and installation.
    Follow the link 'IBM-HTTP' and ignore all references to the HTTP server; the certificate is at the bottom of that page.

    Current contents of the GeoTrust Trusted Root Certificate: "Equifax Secure Certificate Authority"
    -----BEGIN CERTIFICATE-----
    MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
    UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
    dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1
    MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx
    dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f
    BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A
    cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC
    AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ
    MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm
    aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw
    ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
    IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF
    MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA
    A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y
    7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh
    1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4
    -----END CERTIFICATE-----
    Use cut and paste to place this certificate into a SEQUENTIAL, VARIABLE BLOCKED (RECFM=VB) dataset on your MVS system; be sure to include the top and bottom "dashed" lines.
    Let's name this dataset 'SYS1.CA.CERT'.
    Do NOT change the contents!

  2. Obtain the ECuRep FTP server certificate (new certificate, valid from 13 May 2008):
    -----BEGIN CERTIFICATE-----
    MIICzDCCAjWgAwIBAgIDCRRGMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
    MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
    aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDgwNDIyMTYyNTMwWhcNMTEwNDIzMTYyNTMw
    WjBXMQswCQYDVQQGEwJERTEMMAoGA1UEChMDSUJNMR0wGwYDVQQLExRJQk0gRGV1
    dHNjaGxhbmQgR21iSDEbMBkGA1UEAxMSZnRwLmVjdXJlcC5pYm0uY29tMIGfMA0G
    CSqGSIb3DQEBAQUAA4GNADCBiQKBgQD7rgwi2g8zTG/584pj7oxFNV33VvziejMv
    ETxMAcxfTxPbmb+q06GaJtgKUwu0Gtpc6hO4QYauSNO6kDwxRcADiRGmR2VWUhap
    g3VbNkpFE250WZUTBB3bhopTgRl0/m/3e8ksfvPSZlaUbvdiYIeT/qGulMEcLO1T
    0kUABDkkCwIDAQABo4GuMIGrMA4GA1UdDwEB/wQEAwIE8DAdBgNVHQ4EFgQUVz52
    DmZb/V1uwE43XIdGqsRdvYAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5n
    ZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5jcmwwHwYDVR0jBBgwFoAUSOZo+SvS
    spXXR9gjIBBPM5iQn9QwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0G
    CSqGSIb3DQEBBQUAA4GBADrp3OezKfDSzqi4dApSNtifL7d/WP/xd1f8DNBe/4cF
    5t0P6rKlDltxf37M/ENmhlKvibbfaQE5L3UrfnUE8gYJfUdihgFsKb+MXEVH7/XS
    XMbJkgiFERXlwCshVDV19UzZkiPLIE8p26uTR3/95b+4UGug5Ft46kEqP+TvsbPV
    -----END CERTIFICATE-----
    Use cut and paste to place this certificate into a second SEQUENTIAL, VARIABLE BLOCKED (RECFM=VB) dataset; be sure to include the top and bottom "dashed" lines.
    Let's name this dataset 'SYS1.FTPEMEA.CERT'.
    Do NOT change the contents!

  3. Add the Equifax CA certificate to your RACF database as a CERTAUTH certificate.
    Use the RACF dialogs as follows:
    • From the RACF Primary Panel (ICHP00), select Option "7 - DIGITAL CERTIFICATES AND KEY RINGS".
    • On the next panel (ICHPB70), select Option "4 - Add, Alter, Delete, or List certificates.....".
    • On the next panel (ICHPB0), select Option "1 - Add a digital certificate to the RACF database", enter any character under the "Certificate Authority" heading on the next line, then press ENTER.
    • On the next panel (ICHPB01A), you will now notice the highlighted word "CERTAUTH".
    • Enter the Data Set Name (in quotes) 'SYS1.CA.CERT' in the first input field.
    • Enter the Label Name (in quotes) in the next input field. The label name must be specified exactly as 'Equifax Secure Certificate Autho'.
      Caution: this field is case-sensitive.
    • In the field "Status Trust", enter the character "H" for HIGHTRUST, then press ENTER.

    Alternatively, you can issue the RACF command:
    RACDCERT CERTAUTH -
             ADD('SYS1.CA.CERT') -
             HIGHTRUST -
             WITHLABEL('Equifax Secure Certificate Autho')

  4. Add the ECuRep FTP server certificate to your RACF database as a SITE certificate.
    Use the RACF dialogs as follows:
    • From the RACF Primary Panel (ICHP00), select Option "7 - DIGITAL CERTIFICATES AND KEY RINGS".
    • On the next panel (ICHPB70), select Option "4 - Add, Alter, Delete, or List certificates.....".
    • On the next panel (ICHPB0), select Option "1 - Add a digital certificate to the RACF database", enter any character under the "Site" heading on the next line, then press ENTER.
    • On the next panel (ICHPB01A), you will now notice the highlighted word "SITE".
    • Enter the Data Set Name (in quotes) 'SYS1.FTPEMEA.CERT' in the first input field.
    • Enter the Label Name (in quotes) in the next input field. The label name must be specified exactly as 'ftp.ecurep.ibm.com'.
      Caution: this field is case-sensitive.
    • In the field "Status Trust", enter the character "T" for TRUST, then press ENTER.

    Alternatively, you can issue the RACF command:
    RACDCERT SITE -
             ADD('SYS1.FTPEMEA.CERT') -
             TRUST -
             WITHLABEL('ftp.ecurep.ibm.com')

  5. Create a RACF KEYRING for EACH userid(!) who would like to use Secure FTP.
    Use the RACF dialogs as follows:
    • From the RACF Primary Panel (ICHP00), select Option "7 - DIGITAL CERTIFICATES AND KEY RINGS".
    • On the next panel (ICHPB70), select Option "6 - Create, List, or Delete an entire key ring...".
    • On the next panel (ICHP75), select Option "1 - Create a new key ring" and enter the userid for which you are creating this keyring.
    • On the next panel (ICHP75A), enter a name for the keyring (WITHOUT quotes), e.g. SECURE.FTP.KEYRING.

    Alternatively, you can issue the RACF command:
    RACDCERT ID(userid) ADDRING(SECURE.FTP.KEYRING)

  6. Connect the CA certificate to each user's(!) keyring.
    Use the RACF dialogs as follows:
    • From the RACF Primary Panel (ICHP00), select Option "7 - DIGITAL CERTIFICATES AND KEY RINGS".
    • On the next panel (ICHPB70), select Option "6 - Create, List, or Delete an entire key ring...".
    • On the next panel (ICHP75), select Option "4 - Connect a digital certificate to a key ring" and enter the userid to whose keyring you are connecting this certificate.
    • On the next panel (ICHP754), enter the keyring name, e.g. SECURE.FTP.KEYRING.
      In the fields "Certificate Type" and "Usage", enter any character under "Certificate Authority", then enter the Label Name (in quotes) 'Equifax Secure Certificate Autho' and press ENTER. (The field "Default" defaults to NO; that is fine.)

    Alternatively, you can issue the RACF command:
    RACDCERT ID(userid) -
             CONNECT( -
                      CERTAUTH -
                      LABEL('Equifax Secure Certificate Autho') -
                      RING(SECURE.FTP.KEYRING) -
                      USAGE(CERTAUTH) -
                    )

  7. Connect the ECuRep FTP server certificate to each user's(!) keyring.
    Use the RACF dialogs as follows:
    • From the RACF Primary Panel (ICHP00), select Option "7 - DIGITAL CERTIFICATES AND KEY RINGS".
    • On the next panel (ICHPB70), select Option "6 - Create, List, or Delete an entire key ring...".
    • On the next panel (ICHP75), select Option "4 - Connect a digital certificate to a key ring" and enter the userid to whose keyring you are connecting this certificate.
    • On the next panel (ICHP754), enter the keyring name, e.g. SECURE.FTP.KEYRING.
      In the fields "Certificate Type" and "Usage", enter any character under "Site", then enter the Label Name (in quotes) 'ftp.ecurep.ibm.com' and press ENTER. (The field "Default" defaults to NO; that is fine.)

    Alternatively, you can issue the RACF command:
    RACDCERT ID(userid) -
             CONNECT( -
                      SITE -
                      LABEL('ftp.ecurep.ibm.com') -
                      RING(SECURE.FTP.KEYRING) -
                      USAGE(SITE) -
                    )

  8. Do a RACF refresh of the (hopefully) RACLISTed classes DIGTCERT and DIGTRING.
    Issue the RACF command:
    SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH

  9. That's it!
    However, please remember that each userid now has his/her own keyring.
    In the TCP/IP parameters for your FTP CLIENT, you can specify only ONE keyring.
    This implies that you will have to create a separate FTPDATA dataset/member/file for EVERY userid who wants to use Secure FTP.
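Before cutting a certificate into a dataset and trusting it in RACF, it is worth decoding it to confirm that it is the certificate you expect and that it is still within its validity period. The script below is an added example and is not part of the ECuRep page or of any IBM tooling. It uses only the Python standard library (a minimal DER walker, so no 'cryptography' package is assumed), embeds the ECuRep FTP server certificate from step 2 as its input, and reports the subject, issuer, serial number and validity window. It also derives the two RACF labels used in steps 3 and 4: RACDCERT labels are limited to 32 characters, which is why the CA label is the truncated 'Equifax Secure Certificate Autho' rather than the full OU. The function names (check, parse_certificate, racf_label) are this example's own; call check() with the CA certificate from step 1 to inspect that one the same way.

```python
"""Inspect a PEM certificate before placing it into RACF (added example)."""
import base64
import re
from datetime import datetime, timezone

# ECuRep FTP server certificate exactly as quoted on the page (step 2).
SERVER_PEM = """-----BEGIN CERTIFICATE-----
MIICzDCCAjWgAwIBAgIDCRRGMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDgwNDIyMTYyNTMwWhcNMTEwNDIzMTYyNTMw
WjBXMQswCQYDVQQGEwJERTEMMAoGA1UEChMDSUJNMR0wGwYDVQQLExRJQk0gRGV1
dHNjaGxhbmQgR21iSDEbMBkGA1UEAxMSZnRwLmVjdXJlcC5pYm0uY29tMIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQD7rgwi2g8zTG/584pj7oxFNV33VvziejMv
ETxMAcxfTxPbmb+q06GaJtgKUwu0Gtpc6hO4QYauSNO6kDwxRcADiRGmR2VWUhap
g3VbNkpFE250WZUTBB3bhopTgRl0/m/3e8ksfvPSZlaUbvdiYIeT/qGulMEcLO1T
0kUABDkkCwIDAQABo4GuMIGrMA4GA1UdDwEB/wQEAwIE8DAdBgNVHQ4EFgQUVz52
DmZb/V1uwE43XIdGqsRdvYAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5n
ZW90cnVzdC5jb20vY3Jscy9zZWN1cmVjYS5jcmwwHwYDVR0jBBgwFoAUSOZo+SvS
spXXR9gjIBBPM5iQn9QwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0G
CSqGSIb3DQEBBQUAA4GBADrp3OezKfDSzqi4dApSNtifL7d/WP/xd1f8DNBe/4cF
5t0P6rKlDltxf37M/ENmhlKvibbfaQE5L3UrfnUE8gYJfUdihgFsKb+MXEVH7/XS
XMbJkgiFERXlwCshVDV19UzZkiPLIE8p26uTR3/95b+4UGug5Ft46kEqP+TvsbPV
-----END CERTIFICATE-----"""

RACF_LABEL_MAX = 32                     # RACDCERT WITHLABEL/LABEL limit (32 characters)

# X.501 attribute type OIDs (DER content octets) that we report by short name.
ATTR_OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C",
             b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}


def pem_to_der(pem):
    """Strip the dashed armour lines and base64-decode the body."""
    body = re.sub(r"-----[A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def read_children(content):
    """Split the content of a constructed value into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out


def parse_name(content):
    """X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) -> {short name: value}."""
    attrs = {}
    for _set_tag, rdn in read_children(content):
        for _seq_tag, atv in read_children(rdn):
            (_oid_tag, oid), (_val_tag, value) = read_children(atv)
            if oid in ATTR_OIDS:
                attrs[ATTR_OIDS[oid]] = value.decode("latin-1")  # PrintableString here
    return attrs


def parse_time(tag, text):
    """UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ)."""
    if tag == 0x18:
        year, rest = int(text[:4]), text[4:]
    else:                               # RFC 5280 two-digit year rule: 50-99 -> 19xx
        yy = int(text[:2])
        year, rest = yy + (1900 if yy >= 50 else 2000), text[2:]
    return datetime(year, int(rest[:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)


def parse_certificate(pem):
    """Decode the tbsCertificate fields that matter for the RACF steps."""
    _, certificate, _ = read_tlv(pem_to_der(pem), 0)      # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(certificate, 0)                    # tbsCertificate
    fields = read_children(tbs)
    if fields[0][0] == 0xA0:                                # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, _sig_alg, issuer, validity, subject = fields[:5]
    not_before, not_after = [parse_time(t, v.decode("ascii"))
                             for t, v in read_children(validity[1])]
    return {"serial": serial[1].hex(),
            "issuer": parse_name(issuer[1]),
            "subject": parse_name(subject[1]),
            "not_before": not_before,
            "not_after": not_after}


def racf_label(text):
    """Truncate to what RACDCERT can store; the page's CA label is exactly this cut."""
    return text[:RACF_LABEL_MAX]


def check(pem, as_of=None):
    """Summarise a certificate and say whether it is valid on the given ISO date (default: today)."""
    info = parse_certificate(pem)
    now = (datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
           if as_of else datetime.now(timezone.utc))
    info["valid_on_date"] = info["not_before"] <= now <= info["not_after"]
    info["site_label"] = racf_label(info["subject"]["CN"])     # label used in step 4
    info["ca_label"] = racf_label(info["issuer"]["OU"])        # label used in step 3
    return info


if __name__ == "__main__":
    for key, value in check(SERVER_PEM).items():
        print(f"{key:14} {value}")
```

The walker only understands the parts of a certificate needed here (version, serial, issuer, validity, subject) and decodes name attributes as Latin-1, which is sufficient for the PrintableString names in both certificates on this page; it is a sanity check on what you are about to trust, not a replacement for the chain validation the FTP client performs at connect time.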
