FTP instructions (non-secure)
FTP is the protocol of choice to send data over the Internet. A wide range of command lines and GUI clients are available. Most operating systems have an FTP client installed by default. To be able to process the data automatically, a file naming convention needs to be met. Please read the file naming convention page that is related to your operating system.
Addresses
Note: Please use the server closest to your physical location.
Americas
ftp://testcase.boulder.ibm.com/
Asia Pacific
ftp://ftp.ap.ecurep.ibm.com/
Europe
ftp://ftp.ecurep.ibm.com/
Active vs. passive transfer mode
The FTP protocol supports two transfer modes: active and passive. Both are supported by the ECuRep FTP server. The active mode is the default for many FTP clients. If you encounter problems after logging on to the ECuRep FTP server, try switching to passive mode. This is needed because most corporate firewall policies only allow the use of passive mode. If your client does not support passive mode, please use another client. If you are in doubt, try an ls command right after login. If nothing is returned and a timeout occurs, passive FTP is required.
ASCII vs. binary transfer mode
One of the least-understood aspects of FTP transfers is the difference between ASCII and binary mode data transfers. ASCII stands for American Standard Code for Information Interchange, and is a type of character encoding based on the English language used on devices that handle information stored in text. It includes 33 non-printed control characters and 94 printed characters such as letters and punctuation.
When files are transferred in ASCII mode, the transferred data is considered to contain only ASCII formatted text. The party that is receiving the transferred data is responsible for translating the format of the received text to one that is compatible with their operating system. The most common example of how this is applied pertains to the way Windows and UNIX handle newlines. On a Windows computer, pressing the "enter" key inserts two characters in an ASCII text document - a carriage return (which places the cursor at the beginning of the line) and a line feed (which places the cursor on the line below the current one). On UNIX systems, only a line feed is used. ASCII text formatted for use on UNIX systems does not display properly when viewed on a Windows system and vice versa.
Binary mode refers to transferring files as a binary stream of data. Where ASCII mode may use special control characters to format data, binary mode transmits the raw bytes of the file being transferred. In binary mode, the file is transferred in its exact original form.
For our FTP server, transfers must be done in binary mode.
Examples
To help you use our FTP server, we provide several operating system-specific descriptions. For more information, please go to the description of your operating system.
FTPS instructions (secure)
A default FTP connection does not have any security. Secure and trusted data transfer is important. We offer a secure and trusted way to transfer your data to IBM via Secure FTP. Secure FTP provides File Transfer Protocol capability plus the security of Secure Sockets Layer/Transport Layer Security (SSL/TLS) for your data transfers. In order to use this, your FTP client must support SSL/TLS and your firewall must be transparent for secure FTP. The FTP client decides whether it wants the session to be encrypted by sending the AUTH command to the server to switch to using SSL.
For a detailed description of secure FTP, please refer to your system-related documentation.
Note: Using cryptographic functions may reduce the transfer rate considerably.
If your FTP client supports SSL and TLS, activate these options and use port 21. Here is a sample logon log of an FTP client; the important lines applicable to SSL/TLS are marked. During initial establishment of the session, the server and your client will agree on a method that is supported at both ends. After this, our server will ask you to accept our certificate and, when you accept it, a secure session is established. Please check whether the certificate is a valid IBM certificate.
Addresses
Note: Please use the server closest to your physical location.
Americas
testcase.boulder.ibm.com
Asia Pacific
ftp.ap.ecurep.ibm.com
Europe
ftp.ecurep.ibm.com
Supported options:
RC2
Block cipher developed at RSA Data Security
RC4
Stream cipher developed at RSA Data Security
DES
56 bits of security
3DES
Triple Data Encryption Standard - 168 bits of security
AES
Advanced Encryption Standard - 256 bits of security
Hashing algorithms:
MD5
Algorithm that converts to fixed size (16 bytes)
SHA
Secure Hash Algorithm that converts to a 20-byte output
Port, protocols & security certificates:
Port
21
Protocols
SSL, TLS
Security protocol
The certificate is from Equifax Secure Certificate Authority.
When using MVS (OS/390, z/OS) FTP client, please be sure to obtain the CA ROOT Certificate from GeoTrust or .
Examples
We have successfully tested several different implementations of FTP clients. Take a look at the documentation of your FTP client to check whether secure FTP is supported. If you have problems configuring secure FTP on your system, contact your local support or the provider of your FTP client.
SFTP instructions (secure)
Secure FTP over SSH is based on the Secure Shell protocol. In contrast to standard FTP, only one port is used for session handling and data transfer. Therefore, the implementation is firewall friendly.
In general, the directory structure of the SFTP server is the same as on the standard FTP server except that only the toibm directory is available. Because SFTP Windows GUI clients require directory listing, files can be listed in upload directories. Download of such files is administratively prohibited. They are also moved to another directory a few seconds after the upload is started, and therefore vanish from the directory listing after a short period.
Address
Note: Please use the server closest to your physical location.
Americas
ftp://testcase.boulder.ibm.com/
Europe
anonymous@sftp.ecurep.ibm.com
Supported ciphers:
- aes128-cbc
- aes192-cbc
- aes256-cbc
- 3des-cbc
Port & protocol:
Port
22
Protocol
SFTP based on SSH version 2; Secure Copy (SCP) requests are denied
Server host key information and fingerprint
- Key type: ssh-dss
- Key length: 1024
- Fingerprint: 83:f0:e4:63:4a:5c:d6:06:90:17:a8:34:8e:37:e7:5c
- Babbleable: xevef-cyzyh-vazyl-baheh-rakih-nupyr-refod-hyfof-pucyp-nakar-coxix
- Key type: ssh-rsa
- Key length: 2048
- Fingerprint: 19:94:4d:8f:81:b3:94:9c:c8:87:34:49:a9:bf:44:64
- Babbleable: xomor-degap-fozel-hizeb-pihad-kutap-kagim-palab-zivus-tahih-faxux
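One way to check a received host key against the fingerprint published above before trusting it, as an added example (not code from IBM or from the original page). The known_hosts line is built from dummy key material, so it is expected to fail against the published value; the helper names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

# ssh-rsa fingerprint and key length as published on this page.
PUBLISHED_RSA_FP = "19:94:4d:8f:81:b3:94:9c:c8:87:34:49:a9:bf:44:64"
PUBLISHED_RSA_BITS = 2048


def _ssh_string(data):
    """Encode one length-prefixed field of the SSH wire format."""
    return struct.pack(">I", len(data)) + data


def build_sample_known_hosts_line(host):
    """Constructed sample entry: dummy 2048-bit modulus, NOT the real ECuRep key."""
    modulus = b"\x00" + b"\xc3" * 256
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(modulus)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


def _read_fields(blob):
    """Split a public key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack_from(">I", blob, off)
        fields.append(blob[off + 4: off + 4 + n])
        off += 4 + n
    return fields


def parse_known_hosts_line(line):
    """Return (host, key_type, raw_blob) from a plain 'host keytype base64' line."""
    host, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob carries its own copy of the key type; a mismatch means a corrupt entry.
    if _read_fields(blob)[0] != key_type.encode("ascii"):
        raise ValueError("key type in blob does not match the line")
    return host, key_type, blob


def rsa_key_bits(blob):
    """Bit length of the modulus (third field of an ssh-rsa blob)."""
    return int.from_bytes(_read_fields(blob)[2], "big").bit_length()


def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint, the format used in the list above."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def host_key_matches(line, expected_fp):
    """True only if the key in the line hashes to the expected fingerprint."""
    _, _, blob = parse_known_hosts_line(line)
    return hmac.compare_digest(md5_fingerprint(blob), expected_fp.strip().lower())


if __name__ == "__main__":
    sample = build_sample_known_hosts_line("sftp.ecurep.ibm.com")
    _, _, key_blob = parse_known_hosts_line(sample)
    print("key bits:", rsa_key_bits(key_blob), "published:", PUBLISHED_RSA_BITS)
    print("fingerprint:", md5_fingerprint(key_blob))
    print("matches published fingerprint:", host_key_matches(sample, PUBLISHED_RSA_FP))
```

OpenSSH prints SHA256 fingerprints by default; `ssh-keygen -l -E md5 -f <keyfile>` prints the colon-separated MD5 form used above.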
Examples
We have successfully tested different implementations of SFTP clients. The tests included command line and GUI clients. Some Windows FTP clients support FTP, FTPS and SFTP. Please have a look at the documentation of your client. If you have problems configuring secure FTP on your system, contact your local support or the provider of your FTP client. Secure Copy (SCP) is not supported.
SFTP example
The following is an example of performing an anonymous SFTP upload of a file to IBM Enhanced Customer Data Repository using a line mode SFTP client. Of course you can use any SFTP client.
| Command/Response |
Description |
| $ sftp anonymous@sftp.ecurep.ibm.com |
The customer enters the SFTP command to invoke the SFTP client and log in to the SFTP server. |
The authenticity of host 'sftp.ecurep.ibm.com (192.109.81.25)' can't be established.
RSA key fingerprint is 19:94:4d:8f:81:b3:94:9c:c8:87:34:49:a9:bf:44:64.
Are you sure you want to continue connecting (yes/no)? |
The connection is established. The SFTP client asks for verification of the SFTP server key fingerprint. The fingerprint can be found on the ECuRep Web page. If the fingerprint is verified, it needs to be accepted by entering yes. Entering no will end the connection.
Depending on the SFTP client, this step is only required once. Most clients store the accepted fingerprint or they ask if the fingerprint should be remembered. |
Welcome to the IBM Centralized Customer Data Repository (ECuRep).
By using this service, you agree to all terms of the IBM Service User Licence Agreement
(see http://www.ibm.com/de/support/ecurep/service.html)!
For FAQ/ Documentation please see ECuRep - Homepage http://www.ibm.com/de/support/ecurep/index.html
LOGIN user: anonymous pw: <not required>
Please report questions to: ftp.emea@mainz.ibm.com
Connection will close if idle for more than 30 minutes.
Here you can deliver support material to IBM.
use command 'cd toibm'
Connected to sftp.ecurep.ibm.com. |
The connection is established. A welcome message is posted. Not all SFTP clients display this message. |
| sftp> cd toibm/aix |
The customer should then change to the directory where they will upload the file using the cd FTP subcommand. You need to inform the customer of the directory to use here. |
| ftp> put your_data_at_the_workstation 12345.123.724.DUMP.ZIP |
The customer may then upload the file using the put FTP subcommand. In this case, the customer is uploading a file called your_data_at_the_workstation. |
| your_data_at_the_workstation 100% 591KB 197.1KB/s 00:03 |
Most clients will show information about the transfer progress. |
| ftp> quit |
The customer then terminates the FTP session by using the quit subcommand. |
FTP example
The following is an example of performing an anonymous FTP upload of a file to IBM Enhanced Customer Data Repository using a line mode FTP client. Of course you can use any FTP client.
| Command/Response |
Description |
C:\> ftp ftp.ecurep.ibm.com |
The customer enters the FTP command to invoke the FTP client and begin an FTP session with Testcase Data Exchange. |
Connected to ftp.ecurep.ibm.com. 220-FTPD1 IBM FTP CS V1R5 at MCEFTP, 17:14:35 on 2005-06-22.
220-Welcome to the IBM Centralized Customer Data Repository (ECuRep) |
The customer receives verification that the session has been established and that the Testcase Data Exchange FTP server is ready |
User (ftp.ecurep.ibm.com:(none)): anonymous |
The customer is prompted for their user name. They should enter the keyword anonymous indicating that this will be an anonymous FTP session. |
331 Send email address as password please. |
The FTP server responds that anonymous access is permitted and prompts the customer to enter any text as a password. |
Password: test@anyone |
The customer should enter any text as a password. In this case, the customer entered the password test@anyone . |
230-Here you can deliver/get support material to/from IBM.
230-Directories for:
230- deliver use command 'cd toibm'
230- get use command 'cd fromibm'. |
The FTP server responds that the login was successful. |
ftp> cd toibm/windows |
The customer should then change to the directory where they will upload the file using the cd FTP subcommand. You need to inform the customer of the directory to use here. |
250 HFS directory /toibm/windows is the current working directory. |
The FTP server responds that the change (working) directory command was successful. |
ftp> binary
200 Type set to I.
ftp> put your_data_at_the_workstation 12345.123.724.DUMP.ZIP
|
The customer may then upload the file using the put FTP subcommand. In this case, the customer is uploading a file called your_data_at_the_workstation. Depending on your requirements, you may want them to upload the file in binary format by first specifying the binary subcommand. |
200 PORT command successful.
150 Opening binary mode connection for your_data_at_the_workstation
226 Transfer complete. |
The FTP server responds that the connection has started and also responds when the upload is complete. Upload times will vary depending on network connection speed and file size. |
ftp> quit |
The customer then terminates the FTP session by using the quit subcommand. |
FTP example (DOS command prompt)
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\>ftp ftp.ecurep.ibm.com
Connected to ftp.ecurep.ibm.com.
220-FTPD1 IBM FTP CS V2R10 at MCEFTP, 15:13:33 on 2002-05-01.
220-***********************************************************************
220-* Welcome to the IBM EMEA Centralized Customer Data Repository (ECuRep*
220-* INTERNET ADDRESS 192.109.81.7 (ftp.ecurep.ibm.com) *
220-* IBM INTRANET ADDRESS 9.39.51.27 (ftp.ecurep.ibm.com) *
220-* By using this service, you agree to all terms of the *
220-* Service User Licence Agreement *
220-* (see http://www.ibm.com/de/support/ecurep/service.html) ! *
220-* For FAQ/Documentation please see ECuRep - Homepage *
220-* http://www.ibm.com/de/support/ecurep/index.html *
220-* *
220-* LOGIN user: anonymous pw: your_email_address *
220-***********************************************************************
220-* please report questions to: contact@ecurep.ibm.com *
220 Connection will close if idle for more than 10 minutes.
User (ftp.ecurep.ibm.com:(none)): anonymous
331 Send email address as password please.
Password:
230-Here you can deliver/get support material to/from IBM.
230-
230-Directories for:
230- deliver use command 'cd toibm'
230- get use command 'cd fromibm'
230-
230-Please use command 'bin' prior transfer. See special instructions
230-displayed when changing to the sub directory.
230 'ANONYMOUS' logged on. Working directory is /
.
ftp> cd toibm
250-Here you can deliver Support Material to IBM.
250-Directories for: aix, cae, intel, tivoli, ssa,
250-san, dm, netw-hw, imageplus, swm, tsm, websphere,
250-s390 and as/400
250-To enter the folder of your operating-system type 'cd'
250-Example: To enter the folder AIX type 'cd aix'.
250-Please use command 'bin' prior transfer.
250-===================================================================
250- IMPORTANT : only use the following characters for filenames:
250- Upper- or lowercas (A-Z), numbers (0-9),
250- period (.) and hyphen (-)
250- ==> Using other characters may lead to UNPREDICTABLE RESULTS,
250- ==> your file may NOT be processed |
250- E.g. Do NOT use BLANK characters, $-sign etc. in FILE NAMES |
250-===================================================================
250 HFS directory /toibm is the current working directory.
ftp> ls
200 Port request OK.
125 List started OK
aix
hw
linux
mvs
os2
os400
swm
unix
readme.msg
vm
vse
windows
250 List completed successfully.
ftp: 119 bytes received in 0,00Seconds 119000,00Kbytes/sec.
ftp> cd aix
250-Here you can place AIX related support material for IBM
250-For better identifaction purposes please use the following naming
250-convention:
250-xxxxx.bbb.ccc.yyy.yyy ---> xxxxx = PMR-Number
250- bbb = Branch Office (if known)
250- ccc = IBM Country Code (f.e. Germany 724)
250- yyy.yyy = Short description for the file type
250- f.e. tar.Z, restore.Z, restore.gz
250-Take care to use the 'bin' Option before transfering data
250-Some additional Remarks:
250-1.) If possible inform your IBM Software Support about the files
250- transfered. This will reduce the reaction Time.
250-2.) The Material will be automatically deleted after 3 Working days.
250-3.) The FTP GET und LS option are intentionally disabled.
250 HFS directory /toibm/aix is the current working directory.
ftp> bin
200 Representation type is Image
ftp> put boot.ini 34143.055.000.test.nixx
200 Port request OK.
125 Storing data set /toibm/aix/34143.055.000.test.nixx
250 Transfer completed successfully.
ftp: 523 bytes sent in 0,00Seconds 523000,00Kbytes/sec.
ftp> bye
221 Quit command received. Goodbye.
C:\>
FTP example (MVS or z/OS command prompt)
The following JCL can be tailored and used to process the data sets to be transmitted to the FTP server.
Note: Please be sure to TURN OFF the LINE NUMBERING.
//XXXXX JOB CLASS=A,MSGCLASS=X,REGION=64M
//*----------------------------------------------------
//* Be sure that line numbering is set to off (unnum)
//*----------------------------------------------------
//* Delete the temporary file
//*----------------------------------------------------
//DELETE EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
 DELETE YOUR.TERSED.DATASET
 DELETE YOUR.CRYPTED.DATASET
 SET MAXCC=0
//*----------------------------------------------------
//* Terse the file
//* THIS STEP IS MANDATORY
//*----------------------------------------------------
//TERSE EXEC PGM=TRSMAIN,PARM=PACK
//SYSPRINT DD SYSOUT=*
//INFILE DD DISP=SHR,DSN=YOUR.INPUT.DATASET
//OUTFILE DD DISP=(NEW,CATLG),UNIT=SYSDA,
// SPACE=(CYL,(10,5),RLSE),
// DSN=YOUR.TERSED.DATASET
//*----------------------------------------------------
//* Encrypt the file
//* Optional step if you can not use secure FTP
//*----------------------------------------------------
//DFSMSENC EXEC PGM=CSDFILEN
//SYSPRINT DD SYSOUT=*
//SYSOUT DD SYSOUT=*
//SYSUT1 DD DISP=SHR,
// DSN=YOUR.TERSED.DATASET
//SYSUT2 DD DISP=(NEW,CATLG),UNIT=SYSDA,
// SPACE=(CYL,(10,5),RLSE),
// DSN=YOUR.CRYPTED.DATASET
//SYSIN DD *
DESC='Optional information'
CLRTDES
PASSWORD=sample password please change
//*----------------------------------------------
//* SEND THE FILE TO THE IBM FTP SERVER
//* WHEN CRYPTED, SEND THE CRYPTED DATASET
//* WHEN TERSED ONLY, SEND THE TERSED DATASET
//* USE NON-SECURE OR SECURE FTP
//*----------------------------------------------
//* EXEC Statement for NON-Secure-FTP
//FTP EXEC PGM=FTP,PARM='-v (EXIT '
//* Uncomment next line for Secure-FTP
//*FTP EXEC PGM=FTP,PARM='-a TLS -v (EXIT '
//SYSTCPD DD DSN=YOUR.TCPPARMS(TCPDATA),DISP=SHR
//SYSFTPD DD DSN=YOUR.TCPPARMS(FTPDATA),DISP=SHR
//SYSPRINT DD SYSOUT=*
//INPUT DD *
ftp.ecurep.ibm.com
anonymous
your@email.address
bin
cd /toibm/mvs
put 'YOUR.CRYPTED.DATASET' 12345.123.724.DUMP.TRS[.EFZ]
quit
/*
Where
TRS - Mandatory identifier for tersed files
EFZ - Identifier only for encrypted files
FTP example (z/VM)
Ready; T=0.01/0.01 17:25:05
ftp ftp.ecurep.ibm.com
VM TCP/IP FTP Level 320
Connecting to ftp.ecurep.ibm.com 9.39.0.2, port 21
220-FTPSERVE IBM FTP CS V2R10 at MCEVS1, 16:24:21 on 2002-03-19.
220-************************************************************************
220-* Welcome to the IBM EMEA Centralized Customer Data Repository (ECuRep)*
220-* INTERNET ADDRESS 192.109.81.7 (ftp.ecurep.ibm.com) *
220-* IBM INTRANET ADDRESS 9.39.51.27 (ftp.ecurep.ibm.com) *
220-* *
220-* All FTP'able software is (c) copyright International Business *
220-* Machines Corporation. *
220-* *
220-* Before using this service refer to the terms of use for *
220-* Exhanging Diagnostic Data with IBM *
220-* (see http://www.ibm.com/de/support/ecurep/service.html) Ü *
220-* *
220-* For FAQ/Documentation please see ECuRep - Homepage *
220-* http://www.ibm.com/de/support/ecurep/index.html *
220-* *
220-* LOGIN user: anonymous pw: your_email_address *
220-************************************************************************
220-* please report questions to: ftp.emea§mainz.ibm.com *
220 Connection will close if idle for more than 5 minutes.
USER (identify yourself to the host):
anonymous
>>>USER anonymous
331 Send email address as password please.
Password:
>>>PASS ********
230-Here you can deliver/get support material to/from IBM.
230-Directories for:
230- deliver use command 'cd toibm'
230- get use command 'cd fromibm'
230-
230-Please use command 'bin' prior transfer. See special instructions
230-displayed when changing to the sub directory.
230 'ANONYMOUS' logged on. Working directory is /
.
Command:
cd /toibm/s390
>>>CWD /toibm/s390
250-Here you can place s390 related support material for IBM
250-
250-To ensure quick and proper problem determination you should consider
250-these principals and naming convention:
250-
250-xxxxx.bbb.ccc.yyy.yyy ---> xxxxx = PMR-Number
250- bbb = Branch Office (if known)
250- ccc = IBM Country Code (f.e. Germany 724)
250- yyy.yyy = Short description for the file type
250- f.e. tar.Z, restore.Z, restore.gz
250-
250-Take care to use the binary Option before transfer.
250-Due to security reasons you will not be able to list the directory contents.
250-
250-Some additional Remarks:
250-1.) If possible inform your IBM Software Support about the files
250- transferred. This will reduce the reaction Time.
250-2.) The Material will be automatically deleted after 3 Working days.
250-3.) The FTP GET und LS option are intentionally disabled.
250 HFS directory /toibm/s390 is the current working directory.
Command:
put qt.rextrace.a 12345.111.724.qt.test
>>>SITE VARrecfm
200 Site command was accepted
>>>PORT 9,39,62,3,10,72
200 Port request OK.
>>>STOR 12345.111.724.qt.test
125 Storing data set /toibm/s390/12345.111.724.qt.test
250 Transfer completed successfully.
52 bytes transferred in 0.034 seconds. Transfer rate 1.53 Kbytes/sec.
Command:
quit
>>>QUIT
221 Quit command received. Goodbye.
Ready; T=0.02/0.03 17:26:12
cl con
SFTP and firewalls
When using Secure FTP (FTPS) it is possible that you will get problems with your firewall. This is due to the nature of the protocol and the different types of firewalls.
FTP uses two connections between the FTP client and FTP server. The control connection is used to exchange FTP commands and control information, and the data connection is used to transmit the files and for output of commands.
The control connection is established when an FTP client connects to an FTP server. If data has to be transferred, the data connection is set up dynamically. There are no fixed TCP ports which are used for this connection. The FTP server tells the client the TCP port to be used within the control connection. The port changes for every data transmission. Modern firewalls read the port information exchanged within the control connection and dynamically create rules to allow the data transfer.
While FTPS is in use, the control and data connections are encrypted. A firewall can no longer read the content of the control connection, and dynamic rule creation for the data connections is no longer possible.
There are also some firewalls which run more or less intensive checks on the traffic within the control connections. They drop the connection if they detect traffic which is not mentioned in the FTP protocol definition. Those checks must fail with encrypted connections.
In case of problems please read our help page.
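The port negotiation described above, as an added example (not part of the original page): a hypothetical model of a firewall FTP helper that reads PORT commands and 227 replies to open data-connection pinholes, and loses that ability once AUTH TLS is accepted. The PORT line is taken from the z/VM session on this page; the 227 reply and the TLS record bytes are constructed.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT commands and 227 (passive mode) replies.
_TUPLE = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)"
)


def parse_endpoint(text):
    """Decode the address tuple of a PORT command or 227 reply into (ip, port)."""
    m = _TUPLE.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    # The data port is sent as two bytes: high byte * 256 + low byte.
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


class ControlChannelInspector:
    """Hypothetical model of a firewall FTP helper watching one control connection."""

    def __init__(self):
        self.encrypted = False      # True once AUTH TLS has been accepted
        self._auth_pending = False
        self.pinholes = []          # (ip, port) pairs it would open for data
        self.unreadable = 0         # control segments it could not interpret

    def feed(self, segment):
        if self.encrypted:
            self.unreadable += 1    # TLS records: the port negotiation is invisible
            return
        line = segment.decode("ascii", errors="replace").strip()
        verb = line.split(" ", 1)[0].upper()
        if verb == "AUTH":
            self._auth_pending = True
        elif self._auth_pending and line[:3].isdigit():
            # 234 means the server accepted AUTH; everything after it is encrypted.
            self.encrypted = line.startswith("234")
            self._auth_pending = False
        elif verb == "PORT" or line.startswith("227"):
            endpoint = parse_endpoint(line)
            if endpoint:
                self.pinholes.append(endpoint)


def inspect_session(segments):
    """Run all control-connection segments through the helper model."""
    fw = ControlChannelInspector()
    for seg in segments:
        fw.feed(seg)
    return fw.pinholes, fw.unreadable


# Plain FTP: lines as they appear in the z/VM session on this page.
CLEARTEXT_SESSION = [
    b"USER anonymous\r\n",
    b"331 Send email address as password please.\r\n",
    b"PORT 9,39,62,3,10,72\r\n",
    b"200 Port request OK.\r\n",
    b"STOR 12345.111.724.qt.test\r\n",
]

# FTPS: after the 234 reply only TLS records follow (record bytes are constructed).
FTPS_SESSION = [
    b"AUTH TLS\r\n",
    b"234 Security environment established - ready for negotiation\r\n",
    b"\x17\x03\x03\x00\x18" + bytes(24),
    b"\x17\x03\x03\x00\x18" + bytes(24),
]

if __name__ == "__main__":
    print("plain FTP:", inspect_session(CLEARTEXT_SESSION))
    print("FTPS     :", inspect_session(FTPS_SESSION))
```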
GeoTrust certificate installation instructions
MVS (OS/390, z/OS) FTP Clients only
Please follow the directives below to establish the necessary RACF definition.
- Obtain the Equifax CA certificate.
- New intermediate certificates
Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
Subject: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
It is not necessary to install these certificates.
- New certificate, valid from 23 March 2011:
Use Copy and Paste to place this Certificate into a second SEQUENTIAL, VARIABLE BLOCKED dataset; be sure to include the top and bottom dashed lines. Name this dataset 'SYS1.FTPEMEA.CERT'. Do NOT change the content!
- Add the GeoTrust Trusted Root Certificate to your RACF database as a CERTAUTH Certificate. Use the RACF dialogs as follows:
  - From the RACF Primary Panel (ICHP00), select Option 7 - DIGITAL CERTIFICATES AND KEY RINGS.
  - On the next panel (ICHPB70), select Option 4 - Add, Alter, Delete, or List certificates.....
  - On the next panel (ICHPB0), select Option 1 - Add a digital certificate to the RACF database, enter any character under the Certificate Authority heading in the next line, then press ENTER.
  - On the next panel (ICHPB01A), you will now notice the highlighted word CERTAUTH.
  - Enter the Data Set Name (in quotes) 'SYS1.CA.CERT' in the first input field.
  - Enter the Label Name (in quotes) in the next input field. The label name must be specified as: 'Equifax Secure Certificate Autho'. Caution, this field is case-sensitive.
  - In the field Status Trust, enter the character H for Hightrust, then press ENTER.
Alternatively, you can issue the RACF command:
RACDCERT CERTAUTH -
ADD('SYS1.CA.CERT') -
HIGHTRUST -
WITHLABEL('Equifax Secure Certificate Autho')
- Add the ECuRep FTP Server Certificate to your RACF database as a SITE Certificate. Use the RACF dialogs as follows:
  - From the RACF Primary Panel (ICHP00), select Option 7 - DIGITAL CERTIFICATES AND KEY RINGS.
  - On the next panel (ICHPB70), select Option 4 - Add, Alter, Delete, or List certificates.....
  - On the next panel (ICHPB0), select Option 1 - Add a digital certificate to the RACF database, enter any character under the Site heading in the next line, then press ENTER.
  - On the next panel (ICHPB01A), you will now notice the highlighted word SITE.
  - Enter the Data Set Name (in quotes) 'SYS1.FTPEMEA.CERT' in the first input field.
  - Enter the Label Name (in quotes) in the next input field. The label name must be specified as: 'ftp.ecurep.ibm.com'. Caution, this field is case-sensitive.
  - In the field Status Trust, enter the character T for Trust, then press ENTER.
Alternatively, you can issue the RACF command:
RACDCERT SITE -
ADD('SYS1.FTPEMEA.CERT') -
TRUST -
WITHLABEL('ftp.ecurep.ibm.com')
- Create a RACF KEYRING for EACH userid(!) who would like to use Secure FTP. Use the RACF dialogs as follows:
  - From the RACF Primary Panel (ICHP00), select Option 7 - DIGITAL CERTIFICATES AND KEY RINGS.
  - On the next panel (ICHPB70), select Option 6 - Create, List, or Delete an entire key ring....
  - On the next panel (ICHP75), select Option 1 - Create a new key ring and enter the userid for which you create this keyring.
  - On the next panel (ICHP75A), enter a name for the keyring (WITHOUT quotes), e.g. SECURE.FTP.KEYRING
Alternatively, you can issue the RACF command:
RACDCERT ID(userid) ADDRING(SECURE.FTP.KEYRING)
- Connect the CA certificate to each user's(!) keyring. Use the RACF dialogs as follows:
  - From the RACF Primary Panel (ICHP00), select Option 7 - DIGITAL CERTIFICATES AND KEY RINGS.
  - On the next panel (ICHPB70), select Option 6 - Create, List, or Delete an entire key ring....
  - On the next panel (ICHP75), select Option 4 - Connect a digital certificate to a key ring and enter the userid to whose keyring you connect this certificate.
  - On the next panel (ICHP754), enter the keyring name, e.g. SECURE.FTP.KEYRING. In the fields Certificate Type and Usage, enter any character under Certificate Authority and enter the Label Name (in quotes) 'Equifax Secure Certificate Autho', then press ENTER. (The field Default defaults to NO, that's fine)
Alternatively, you can issue the RACF command:
RACDCERT ID(userid) -
CONNECT( -
CERTAUTH -
LABEL('Equifax Secure Certificate Autho') -
RING(SECURE.FTP.KEYRING) -
USAGE(CERTAUTH) -
)
- Connect the ECuRep FTP Server Certificate to each user's(!) keyring. Use the RACF dialogs as follows:
  - From the RACF Primary Panel (ICHP00), select Option 7 - DIGITAL CERTIFICATES AND KEY RINGS.
  - On the next panel (ICHPB70), select Option 6 - Create, List, or Delete an entire key ring....
  - On the next panel (ICHP75), select Option 4 - Connect a digital certificate to a key ring and enter the userid to whose keyring you connect this certificate.
  - On the next panel (ICHP754), enter the keyring name, e.g. SECURE.FTP.KEYRING. In the fields Certificate Type and Usage, enter any character under Site and enter the Label Name (in quotes) 'ftp.ecurep.ibm.com', then press ENTER. (The field Default defaults to NO, that's fine)
Alternatively, you can issue the RACF command:
RACDCERT ID(userid) -
CONNECT( -
SITE -
LABEL('ftp.ecurep.ibm.com') -
RING(SECURE.FTP.KEYRING) -
USAGE(SITE) -
)
- Do a RACF Refresh of the (hopefully) RACLISTed classes DIGTCERT and DIGTRING. Issue the RACF command:
SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
- That's it! However, please remember that each userid now has his/her own keyring. In the TCP/IP parameters for your FTP CLIENT, you can just enter ONE keyring. That implies that you will have to create a separate FTPDATA dataset/member/file for EVERY userid who wants to exploit Secure FTP.
FTPS example
EZA1736I FTP -a tls -n -v -p TCPIP (EXIT
EZY2640I Using dd:SYSFTPD=TCPIP.IVN.TCPPARMS(FTPCDATS) for local site configuration parameters.
EZYFT26I Using 7-bit conversion derived from 'ISO8859-1' and 'IBM-1047' for the control connection.
EZYFT32I Using the same translate tables for the control and data connections.
EZA1450I IBM FTP CS V1R4
EZA2807I Executing under single stack configuration. Specified TCPIP name TCPIP ignored.
EZA1772I FTP: EXIT has been set.
EZA1456I Connect to ?
EZA1736I 192.109.81.7
EZYFT18I Using catalog '/usr/lib/nls/msg/C/ftpdmsg.cat' for FTP messages.
EZA1554I Connecting to: 192.109.81.7 port: 21.
220-FTPD1 IBM FTP CS V1R2 at MCEFTP, 15:27:37 on 2004-03-17.
220-Welcome to the IBM Centralized Customer Data Repository (ECuRep)
220-INTERNET ADDRESS 192.109.81.7 ()
220-BBefore using this service refer to the terms of use for
220-Exhanging Diagnostic Data with IBM
220-(see http://www.ibm.com/de/support/ecurep/service.html)!
220-For FAQ/Documentation please see ECuRep - Homepage
220-http://www.ibm.com/de/support/ecurep/index.html
220- LOGIN user: anonymous pw: your_email_address
220-please report questions to: contact@ecurep.ibm.com
220 Connection will close if idle for more than 15 minutes.
EZA1701I >>> AUTH TLS
234 Security environment established - ready for negotiation
EZA2895I Authentication negotiation succeeded
EZA1701I >>> PBSZ 0
200 Protection buffer size accepted
EZA1701I >>> PROT P
200 Data connection protection set to private
EZA2906I Data connection protection is private
EZA1460I Command:
EZA1701I >>> USER anonymous
331 Send email address as password please.
EZA1789I PASSWORD:
EZA1701I >>> PASS
230-Here you can deliver/get support material to/from IBM.
230-Directories for:
230-deliver use command 'cd toibm'
230-get use command 'cd fromibm'
230-for CADCAM/CATIA/VPM/ENOVIA/SMARTEAM use command 'cd cadcam'
230-Please use command 'bin' prior transfer. See special instructions
230-displayed when changing to the sub directory.
230 'ANONYMOUS' logged on. Working directory is /
.
Stat command example
If you cannot see the AUTH TLS command, you can check the status of the session with a remote stat command. The highlighted lines indicate a secure session.
EZA1736I stat
EZA1701I >>> STAT
211-Server FTP talking to host 195.212.29.163, port 21061
211-User: Anonymous Working directory: /
211-The control connection has transferred 707 bytes
211-There is no current data connection.
211-The next data connection will be actively opened
211-to host 195.212.29.163, port 21061,
211-using Mode Stream, Structure File, type Image, byte-size 8
211-Automatic recall of migrated data sets.
211-Automatic mount of direct access volumes.
211-Auto tape mount is allowed.
211-Inactivity timer is set to 900
211-VCOUNT is 59
211-ASA control characters in ASA files opened for text processing
211-will be transferred as ASA control characters.
211-Trailing blanks are not removed from a fixed format
211-data set when it is retrieved.
211-Data set mode. (Do not treat each qualifier as a directory.)
211-ISPFSTATS is set to FALSE
211-Primary allocation 450 tracks. Secondary allocation 45 tracks.
211-Partitioned data sets will be created with 50 directory blocks.
211-FileType SEQ (Sequential - default).
211-Number of access method buffers is 5
211-RDWs from variable format data sets are discarded.
211-Records on input tape are unspecified format
211-SITE DB2 subsystem name is DB2
211-Data not wrapped into next record.
211-Tape write is not allowed to use BSAM I/O
211-Truncated records will not be treated as an error
211-JESLRECL is 80
211-JESRECFM is Fixed
211-JESINTERFACELEVEL is 2
211-Xlate name is STANDARD
211-SMS is active.
211-Data sets will be allocated using unit SYSDA
211-New data sets will be catalogued if a store operation ends abnormally
211-Single quotes will override the current working directory.
211-UMASK value is 777
211-Process id is 50333504
211-Checkpoint interval is 0
211-Authentication type: TLS
211-Control protection level: Private
211-Data protection level: Private
211-Record format VB, Lrecl: 256, Blocksize: 27968
211 *** end of status ***
EZA1460I Command:
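A scripted version of the two checks described in the FTPS and stat examples, as an added example (not IBM's code or part of the original page): it confirms from a client trace that AUTH TLS and PROT P succeeded before credentials or data were sent, and from a STAT reply that all three protection fields show a secure session. The trace and STAT lines are excerpts from this page; the STAT reply with a Clear data level is constructed, and the function names are hypothetical.

```python
import re

_CMD = re.compile(r">>>\s*(\S+)(?:\s+(.*))?$")
_FINAL_REPLY = re.compile(r"^(\d{3}) ")  # 'NNN ' (space) ends a reply; 'NNN-' continues it


def command_replies(trace_lines):
    """Pair each client command ('>>> VERB args') with the last reply code it received."""
    pairs, current = [], None
    for raw in trace_lines:
        line = raw.strip()
        cmd = _CMD.search(line)
        if cmd:
            current = [cmd.group(1).upper(), (cmd.group(2) or "").strip().upper(), None]
            pairs.append(current)
            continue
        rep = _FINAL_REPLY.match(line)
        if rep and current is not None:
            current[2] = int(rep.group(1))
    return [tuple(p) for p in pairs]


def trace_findings(trace_lines):
    """List what was sent unprotected; an empty list means the trace looks secure."""
    findings, auth_ok, prot_ok = [], False, False
    for verb, args, code in command_replies(trace_lines):
        if verb == "AUTH" and args == "TLS" and code == 234:
            auth_ok = True
        elif verb == "PROT":
            prot_ok = args == "P" and code == 200
        elif verb in ("USER", "PASS") and not auth_ok:
            findings.append(f"{verb} sent before AUTH TLS succeeded")
        elif verb in ("STOR", "RETR", "LIST", "NLST") and not prot_ok:
            findings.append(f"{verb} issued without PROT P")
    if not auth_ok:
        findings.append("no successful AUTH TLS in trace")
    return findings


def stat_findings(stat_reply):
    """Compare the three security fields of a 211 STAT reply with the secure values."""
    wanted = {
        "authentication type": "tls",
        "control protection level": "private",
        "data protection level": "private",
    }
    seen = {}
    for line in stat_reply.splitlines():
        m = re.match(r"211[- ]\s*([^:]+):\s*(\S+)", line.strip())
        if m:
            seen[m.group(1).strip().lower()] = m.group(2).lower()
    return [
        f"{key}: expected {value}, got {seen.get(key, 'missing')}"
        for key, value in wanted.items()
        if seen.get(key) != value
    ]


# Excerpt of the FTPS example trace on this page.
PAGE_FTPS_TRACE = [
    "EZA1701I >>> AUTH TLS",
    "234 Security environment established - ready for negotiation",
    "EZA2895I Authentication negotiation succeeded",
    "EZA1701I >>> PBSZ 0",
    "200 Protection buffer size accepted",
    "EZA1701I >>> PROT P",
    "200 Data connection protection set to private",
    "EZA1701I >>> USER anonymous",
    "331 Send email address as password please.",
    "EZA1701I >>> PASS",
    "230 'ANONYMOUS' logged on. Working directory is /",
]

# Excerpt of the non-secure z/VM session on this page.
PAGE_PLAIN_TRACE = [
    ">>>USER anonymous",
    "331 Send email address as password please.",
    ">>>PASS ********",
    "230 'ANONYMOUS' logged on. Working directory is /",
    ">>>PORT 9,39,62,3,10,72",
    "200 Port request OK.",
    ">>>STOR 12345.111.724.qt.test",
    "125 Storing data set /toibm/s390/12345.111.724.qt.test",
    "250 Transfer completed successfully.",
]

# Excerpt of the STAT reply on this page.
PAGE_STAT_EXCERPT = """\
211-Server FTP talking to host 195.212.29.163, port 21061
211-User: Anonymous Working directory: /
211-Authentication type: TLS
211-Control protection level: Private
211-Data protection level: Private
211 *** end of status ***
"""

# Constructed variant: control connection protected, data connection not.
CONSTRUCTED_CLEAR_STAT = PAGE_STAT_EXCERPT.replace(
    "Data protection level: Private", "Data protection level: Clear"
)

if __name__ == "__main__":
    print(trace_findings(PAGE_FTPS_TRACE), trace_findings(PAGE_PLAIN_TRACE))
    print(stat_findings(PAGE_STAT_EXCERPT), stat_findings(CONSTRUCTED_CLEAR_STAT))
```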