FTP instructions (non-secure)

FTP is the protocol of choice to send data over the Internet. A wide range of command-line and GUI clients is available. Most operating systems have an FTP client installed by default. For the data to be processed automatically, the file naming convention must be followed. Please read the file naming convention page that is related to your operating system.

Addresses

Note: Please use the server closest to your physical location.

  1. Americas

    ftp://testcase.boulder.ibm.com/

  2. Asia Pacific

    ftp://ftp.ap.ecurep.ibm.com/

  3. Europe

    ftp://ftp.ecurep.ibm.com/

Active vs. passive transfer mode

The FTP protocol supports two transfer modes: active and passive. Both are supported by the ECuRep FTP server. Active mode is the default for many FTP clients. If you encounter problems after logging on to the ECuRep FTP server, try switching to passive mode. This is needed because most corporate firewall policies only allow passive mode. If your client does not support passive mode, please use another client. If you are in doubt, try an ls command right after login. If nothing is returned and a timeout occurs, passive FTP is required.

ASCII vs. binary transfer mode

One of the least-understood aspects of FTP transfers is the difference between ASCII and binary mode data transfers. ASCII stands for American Standard Code for Information Interchange; it is a character encoding based on the English language, used on devices that handle information stored as text. It includes 33 non-printed control characters and 94 printed characters such as letters and punctuation.

When files are transferred in ASCII mode, the transferred data is considered to contain only ASCII formatted text. The party that is receiving the transferred data is responsible for translating the format of the received text to one that is compatible with their operating system. The most common example of how this is applied pertains to the way Windows and UNIX handle newlines. On a Windows computer, pressing the "enter" key inserts two characters in an ASCII text document - a carriage return (which places the cursor at the beginning of the line) and a line feed (which places the cursor on the line below the current one). On UNIX systems, only a line feed is used. ASCII text formatted for use on UNIX systems does not display properly when viewed on a Windows system and vice versa.

Binary mode refers to transferring files as a binary stream of data. Where ASCII mode may use special control characters to format data, binary mode transmits the raw bytes of the file being transferred. In binary mode, the file is transferred in its exact original form.
For our FTP server, transfers must be done in binary mode.
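Why binary mode matters for dumps and archives, shown as an added example that is not part of the original page: a simplified model of the end-of-line translation performed in ASCII mode, applied to a constructed binary sample. The function names and the sample bytes are assumptions made for illustration.

```python
import hashlib

# Native end-of-line sequence per platform, as described in the text above.
NATIVE_EOL = {"unix": b"\n", "windows": b"\r\n"}

# Constructed sample: the start of a ZIP-like file whose binary content
# happens to contain the bytes 0x0D 0x0A and, later, a lone 0x0A.
SAMPLE = b"PK\x03\x04\x14\x00\x0d\x0a\x00\x0a\xff"


def ascii_mode_transfer(data: bytes, sender: str, receiver: str) -> bytes:
    """Simplified model of an ASCII-mode (TYPE A) transfer.

    The sender rewrites its native line ending as CR LF for the wire and the
    receiver rewrites CR LF as its own native line ending (RFC 959). Real
    clients and servers differ in detail; the effect on non-text data is the
    same: bytes that merely look like line endings get rewritten.
    """
    wire = data.replace(NATIVE_EOL[sender], b"\r\n")
    return wire.replace(b"\r\n", NATIVE_EOL[receiver])


def binary_mode_transfer(data: bytes) -> bytes:
    """Binary (TYPE I) transfer: the byte stream is passed through untouched."""
    return bytes(data)


def sha256_hex(data: bytes) -> str:
    """Checksum used to compare the file before and after the transfer."""
    return hashlib.sha256(data).hexdigest()


def compare_modes(data: bytes, sender: str, receiver: str) -> dict:
    """Transfer the same bytes in both modes and report what survived."""
    via_ascii = ascii_mode_transfer(data, sender, receiver)
    via_binary = binary_mode_transfer(data)
    return {
        "ascii_intact": sha256_hex(via_ascii) == sha256_hex(data),
        "binary_intact": sha256_hex(via_binary) == sha256_hex(data),
        "ascii_size_delta": len(via_ascii) - len(data),
    }


if __name__ == "__main__":
    for sender, receiver in (("windows", "unix"), ("unix", "windows")):
        print(sender, "->", receiver, compare_modes(SAMPLE, sender, receiver))
```

Comparing a checksum taken before the upload with one taken from the received file is the quickest way to spot a transfer that was accidentally made in ASCII mode.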

Examples

To help you use our FTP server, we provide several operating system-specific descriptions. For more information, please go to the description of your operating system.

FTPS instructions (secure)

A default FTP connection does not have any security. Secure and trusted data transfer is important.
We offer a secure and trusted way to transfer your data to IBM via Secure FTP.
Secure FTP provides File Transfer Protocol capability plus the security of Transport Layer Security (TLS) for your data transfers.
In order to use this, your FTP client must support TLS and your firewall must be transparent for secure FTP.
The FTP client decides whether it wants the session to be encrypted by sending the AUTH command to the server to switch to using TLS.

For a detailed description of secure FTP, please see the documentation for your system.

Note: Using cryptographic functions may reduce the transfer rate considerably.

If your FTP client supports TLS, activate these options and use port 21. See below a sample logon log of an FTP client; the important lines applicable to TLS are marked. During initial establishment of the session, the server and your client will agree on a method that is supported at both ends. After this, our server will ask you to accept our certificate and, when you accept it, a secure session is established.
Please check whether the certificate is a valid IBM certificate.

Addresses

Note: Please use the server closest to your physical location.

  1. Americas

    testcase.boulder.ibm.com

  2. Asia Pacific

    ftp.ap.ecurep.ibm.com

  3. Europe

    ftp.ecurep.ibm.com


Port, protocols & security certificates:

  1. Port

    21

  2. Protocols

    TLS

  3. Security protocol

    The certificate is from Equifax Secure Certificate Authority.

    When using MVS (OS/390, z/OS) FTP client, please be sure to obtain the CA ROOT Certificate from GeoTrust or view the certificate and installation instructions.

Examples

We have successfully tested several different implementations of FTP clients. Take a look at the documentation of your FTP client to check whether secure FTP is supported. If you have problems configuring secure FTP on your system, contact your local support or the provider of your FTP client.
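A scripted upload that follows the steps above (explicit AUTH TLS on port 21, certificate check, passive and binary mode), written with Python's standard ftplib as an added example; it is not IBM's code. Instead of accepting the certificate by hand, it lets the TLS library verify the chain and host name. The function names, the TLS 1.2 floor and the host allow-list check are assumptions of this example; the host names are the FTPS addresses listed above.

```python
import ssl
from ftplib import FTP_TLS
from pathlib import Path

# FTPS addresses listed on this page.
ECUREP_FTPS_HOSTS = frozenset({
    "testcase.boulder.ibm.com",
    "ftp.ap.ecurep.ibm.com",
    "ftp.ecurep.ibm.com",
})
FTPS_PORT = 21


def build_tls_context() -> ssl.SSLContext:
    """TLS settings used for both the control and the data connection.

    create_default_context() requires a certificate that chains to a trusted
    CA and matches the host name, which automates the manual "is this a valid
    IBM certificate?" check. The TLS 1.2 minimum is an assumption of this
    example, not a requirement stated on the page.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def upload_ftps(host: str, local_path: str, remote_dir: str,
                remote_name: str, email: str, timeout: float = 60.0) -> str:
    """Upload one file over explicit FTPS and return the server's final reply.

    Raises ValueError for a host that is not in the list above, and
    ssl.SSLCertVerificationError if the server certificate does not verify.
    """
    if host not in ECUREP_FTPS_HOSTS:
        raise ValueError("not an ECuRep FTPS host from this page: %r" % host)
    source = Path(local_path)
    if not source.is_file():
        raise FileNotFoundError(local_path)

    ftps = FTP_TLS(context=build_tls_context(), timeout=timeout)
    try:
        ftps.connect(host, FTPS_PORT)
        ftps.auth()                     # sends AUTH TLS, then verifies the certificate
        ftps.login("anonymous", email)  # anonymous login, e-mail address as password
        ftps.prot_p()                   # encrypt the data connection as well
        ftps.set_pasv(True)             # passive mode, as most firewalls require
        ftps.cwd(remote_dir)            # for example /toibm/aix
        with source.open("rb") as handle:
            # storbinary switches to TYPE I (binary) before sending STOR
            reply = ftps.storbinary("STOR " + remote_name, handle)
        ftps.quit()
        return reply
    finally:
        ftps.close()
```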

SFTP instructions (secure)

Secure FTP over SSH is based on the Secure Shell protocol. In contrast to standard FTP, only one port is used for session handling and data transfer. Therefore, the implementation is firewall friendly.

In general, the directory structure of the SFTP server is the same as on the standard FTP server except that only the toibm directory is available. Because SFTP Windows GUI clients require directory listing, files can be listed in upload directories. Download of such files is administratively prohibited. They are also moved to another directory a few seconds after the upload is started, and therefore vanish from the directory listing after a short period.

Address

Note: Please use the server closest to your physical location.

  1. Americas

    anonymous@testcase.boulder.ibm.com

  2. Europe

    anonymous@sftp.ecurep.ibm.com

Supported ciphers:

  • aes128-ctr
  • aes192-ctr
  • aes256-ctr

Hashing algorithm:

  • sha1

Port & protocol:

  1. Port

    22

  2. Protocol

    SFTP based on SSH version 2; Secure Copy (SCP) requests are denied

Server host key information and fingerprint

  • Key type: ssh-dss
  • Key length: 2048
  • Fingerprint: 95:b8:ee:38:61:b7:ce:24:f6:d7:74:5f:db:7d:18:3f
  • Key type: ssh-rsa
  • Key length: 2048
  • Fingerprint: 19:94:4d:8f:81:b3:94:9c:c8:87:34:49:a9:bf:44:64
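Checking a host key against the fingerprints listed above, as an added example that is not part of the original page: it computes the colon-separated MD5 fingerprint from a host key line in the `host keytype base64` form written by ssh-keyscan and compares it with the published value. Current OpenSSH clients print SHA256 fingerprints by default, so the SHA256 form is computed too. The function names are assumptions, and the sample key is constructed and is not a real key.

```python
import base64
import hashlib
import hmac
import struct

# MD5 host key fingerprints published on this page, keyed by SSH key type.
PUBLISHED_MD5 = {
    "ssh-dss": "95:b8:ee:38:61:b7:ce:24:f6:d7:74:5f:db:7d:18:3f",
    "ssh-rsa": "19:94:4d:8f:81:b3:94:9c:c8:87:34:49:a9:bf:44:64",
}


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint of a raw SSH public key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Fingerprint in the SHA256 form that current OpenSSH prints."""
    encoded = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return "SHA256:" + encoded.rstrip("=")


def parse_host_key_line(line: str):
    """Split 'host keytype base64' and return (host, key_type, blob)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-key")
    host, key_type, encoded = fields[:3]
    blob = base64.b64decode(encoded, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed copy of the key type; it must
    # agree with the type named on the line.
    (length,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + length].decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError("key type mismatch: %r vs %r" % (key_type, embedded))
    return host, key_type, blob


def host_key_matches(line: str, published=PUBLISHED_MD5) -> bool:
    """True only if the key's MD5 fingerprint equals the published one."""
    _, key_type, blob = parse_host_key_line(line)
    expected = published.get(key_type)
    if expected is None:
        return False
    return hmac.compare_digest(md5_fingerprint(blob), expected.lower())


def constructed_sample_line() -> str:
    """Constructed 'ssh-rsa' line with a made-up modulus (not a real key)."""
    def ssh_string(value: bytes) -> bytes:
        return struct.pack(">I", len(value)) + value
    blob = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(b"\x00" + bytes(range(1, 33))))
    return "sftp.ecurep.ibm.com ssh-rsa " + base64.b64encode(blob).decode("ascii")


if __name__ == "__main__":
    sample = constructed_sample_line()
    _, _, key_blob = parse_host_key_line(sample)
    print(md5_fingerprint(key_blob), sha256_fingerprint(key_blob))
    print("matches published fingerprint:", host_key_matches(sample))
```

With OpenSSH itself, `ssh-keygen -l -E md5 -f <file>` prints the same MD5 form for a saved host key line.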

Examples

We have successfully tested different implementations of SFTP clients. The tests included command line and GUI clients. Some Windows FTP clients support FTP, FTPS and SFTP. Please have a look at the documentation of your client. If you have problems configuring secure FTP on your system, contact your local support or the provider of your FTP client. Secure Copy (SCP) is not supported.


SFTP example

The following is an example of performing an anonymous SFTP upload of a file to IBM Enhanced Customer Data Repository using a line mode SFTP client. Of course you can use any SFTP client.

Each command or response is shown indented, followed by its description.

    $ sftp anonymous@sftp.ecurep.ibm.com

The customer enters the SFTP command to invoke the SFTP client and log in to the SFTP server.

    The authenticity of host 'sftp.ecurep.ibm.com (192.109.81.25)' can't be established.
    RSA key fingerprint is 19:94:4d:8f:81:b3:94:9c:c8:87:34:49:a9:bf:44:64.
    Are you sure you want to continue connecting (yes/no)?

The connection is established. The SFTP client asks for verification of the SFTP server key fingerprint. The fingerprint can be found on the ECuRep Web page. If the fingerprint is verified, it needs to be accepted by entering yes. Entering no will end the connection.
Depending on the SFTP client, this step is only required once. Most clients store the accepted fingerprint or they ask if the fingerprint should be remembered.

    Welcome to the IBM Centralized Customer Data Repository (ECuRep).
    By using this service, you agree to all terms of the IBM Service User Licence Agreement (see http://www.ibm.com/de/support/ecurep/service.html)!
    For FAQ/ Documentation please see ECuRep - Homepage http://www.ibm.com/de/support/ecurep/index.html
    LOGIN user: anonymous pw: <not required>
    Please report questions to: ftp.emea@mainz.ibm.com
    Connection will close if idle for more than 30 minutes.
    Here you can deliver support material to IBM.
    use command 'cd toibm'
    Connected to sftp.ecurep.ibm.com.

The connection is established. A welcome message is posted. Not all SFTP clients display this message.

    sftp> cd toibm/aix

The customer should then change to the directory where they will upload the file using the cd subcommand. You need to inform the customer of the directory to use here.

    sftp> put your_data_at_the_workstation 12345.123.724.DUMP.ZIP

The customer may then upload the file using the put subcommand. In this case, the customer is uploading a file called your_data_at_the_workstation.

    your_data_at_the_workstation 100% 591KB 197.1KB/s 00:03

Most clients will show information about the transfer progress.

    sftp> quit

The customer then terminates the SFTP session by using the quit subcommand.

FTP example

The following is an example of performing an anonymous FTP upload of a file to IBM Enhanced Customer Data Repository using a line mode FTP client. Of course you can use any FTP client.

Each command or response is shown indented, followed by its description.

    C:\> ftp ftp.ecurep.ibm.com

The customer enters the FTP command to invoke the FTP client and begin an FTP session with Testcase Data Exchange.

    Connected to ftp.ecurep.ibm.com.
    220-FTPD1 IBM FTP CS V1R5 at MCEFTP, 17:14:35 on 2005-06-22.
    220-Welcome to the IBM Centralized Customer Data Repository (ECuRep)

The customer receives verification that the session has been established and that the Testcase Data Exchange FTP server is ready.

    User (ftp.ecurep.ibm.com:(none)): anonymous

The customer is prompted for their user name. They should enter the keyword anonymous indicating that this will be an anonymous FTP session.

    331 Send email address as password please.

The FTP server responds that anonymous access is permitted and prompts the customer to enter any text as a password.

    Password: test@anyone

The customer should enter any text as a password. In this case, the customer entered the password test@anyone.

    230-Here you can deliver/get support material to/from IBM.
    230-Directories for:
    230- deliver  use command 'cd toibm'
    230- get      use command 'cd fromibm'.

The FTP server responds that the login was successful.

    ftp> cd toibm/windows

The customer should then change to the directory where they will upload the file using the cd FTP subcommand. You need to inform the customer of the directory to use here.

    250 HFS directory /toibm/windows is the current working directory.

The FTP server responds that the change (working) directory command was successful.

    ftp> binary
    200 Type set to I.
    ftp> put your_data_at_the_workstation 12345.123.724.DUMP.ZIP

The customer may then upload the file using the put FTP subcommand. In this case, the customer is uploading a file called your_data_at_the_workstation. Depending on your requirements, you may want them to upload the file in binary format by first specifying the binary subcommand.

    200 PORT command successful.
    150 Opening binary mode connection for your_data_at_the_workstation
    226 Transfer complete.

The FTP server responds that the connection has started and also responds when the upload is complete. Upload times will vary depending on network connection speed and file size.

    ftp> quit

The customer then terminates the FTP session by using the quit subcommand.

FTP example (DOS command prompt)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.


C:\>ftp ftp.ecurep.ibm.com
Connected to ftp.ecurep.ibm.com.
220-FTPD1 IBM FTP CS V2R10 at MCEFTP, 15:13:33 on 2002-05-01.
220-***********************************************************************
220-* Welcome to the IBM EMEA Centralized Customer Data Repository (ECuRep*
220-* INTERNET ADDRESS 192.109.81.7 (ftp.ecurep.ibm.com) *
220-* IBM INTRANET ADDRESS 9.39.51.27 (ftp.ecurep.ibm.com) *
220-* By using this service, you agree to all terms of the *
220-* Service User Licence Agreement *
220-* (see http://www.ibm.com/de/support/ecurep/service.html) ! *
220-* For FAQ/Documentation please see ECuRep - Homepage *
220-* http://www.ibm.com/de/support/ecurep/index.html *
220-* *
220-* LOGIN user: anonymous pw: your_email_address *
220-***********************************************************************
220-* please report questions to: contact@ecurep.ibm.com *
220 Connection will close if idle for more than 10 minutes.
User (ftp.ecurep.ibm.com:(none)): anonymous
331 Send email address as password please.
Password:
230-Here you can deliver/get support material to/from IBM.
230-
230-Directories for:
230- deliver use command 'cd toibm'
230- get use command 'cd fromibm'
230-
230-Please use command 'bin' prior transfer. See special instructions
230-displayed when changing to the sub directory.
230 'ANONYMOUS' logged on. Working directory is /.
ftp> cd toibm
250-Here you can deliver Support Material to IBM.
250-Directories for: aix, cae, intel, tivoli, ssa,
250-san, dm, netw-hw, imageplus, swm, tsm, websphere,
250-s390 and as/400
250-To enter the folder of your operating-system type 'cd'
250-Example: To enter the folder AIX type 'cd aix'.
250-Please use command 'bin' prior transfer.
250-===================================================================
250- IMPORTANT : only use the following characters for filenames:
250- Upper- or lowercas (A-Z), numbers (0-9),
250- period (.) and hyphen (-)
250- ==> Using other characters may lead to UNPREDICTABLE RESULTS,
250- ==> your file may NOT be processed |
250- E.g. Do NOT use BLANK characters, $-sign etc. in FILE NAMES |
250-===================================================================
250 HFS directory /toibm is the current working directory.
ftp> ls
200 Port request OK.
125 List started OK
aix
hw
linux
mvs
os2
os400
swm
unix
readme.msg
vm
vse
windows
250 List completed successfully.
ftp: 119 bytes received in 0,00Seconds 119000,00Kbytes/sec.
ftp> cd aix
250-Here you can place AIX related support material for IBM
250-For better identifaction purposes please use the following naming
250-convention:
250-xxxxx.bbb.ccc.yyy.yyy ---> xxxxx = PMR-Number
250- bbb = Branch Office (if known)
250- ccc = IBM Country Code (f.e. Germany 724)
250- yyy.yyy = Short description for the file type
250- f.e. tar.Z, restore.Z, restore.gz
250-Take care to use the 'bin' Option before transfering data
250-Some additional Remarks:
250-1.) If possible inform your IBM Software Support about the files
250- transfered. This will reduce the reaction Time.
250-2.) The Material will be automatically deleted after 3 Working days.
250-3.) The FTP GET und LS option are intentionally disabled.
250 HFS directory /toibm/aix is the current working directory.
ftp> bin
200 Representation type is Image
ftp> put boot.ini 34143.055.000.test.nixx
200 Port request OK.
125 Storing data set /toibm/aix/34143.055.000.test.nixx
250 Transfer completed successfully.
ftp: 523 bytes sent in 0,00Seconds 523000,00Kbytes/sec.
ftp> bye
221 Quit command received. Goodbye.


C:\>
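The naming rules shown in the server banners above (allowed characters and the xxxxx.bbb.ccc.yyy.yyy pattern), turned into a check that can run before an upload; this is an added example, not IBM's validation logic. The field widths (five-digit PMR number, three-character branch office, three-digit country code) are assumptions inferred from the placeholder pattern and the sample names on this page, and the function names are hypothetical.

```python
import re
from typing import List, NamedTuple


class UploadName(NamedTuple):
    pmr: str          # xxxxx   = PMR number
    branch: str       # bbb     = branch office
    country: str      # ccc     = IBM country code, e.g. 724 for Germany
    description: str  # yyy.yyy = short description of the file type


def check_upload_name(name: str) -> List[str]:
    """Return a list of problems with a remote file name; empty means OK."""
    problems = []

    # Banner: only letters A-Z (upper or lower case), digits, period, hyphen.
    illegal = sorted({ch for ch in name
                      if not (ch.isascii() and (ch.isalnum() or ch in ".-"))})
    if illegal:
        problems.append("illegal characters: "
                        + " ".join(repr(ch) for ch in illegal))

    fields = name.split(".")
    if len(fields) < 4:
        problems.append("expected xxxxx.bbb.ccc.yyy[.yyy], found %d field(s)"
                        % len(fields))
        return problems

    pmr, branch, country, *description = fields
    # Field widths below are assumptions taken from the placeholder pattern.
    if not re.fullmatch(r"[0-9]{5}", pmr):
        problems.append("PMR number must be 5 digits: %r" % pmr)
    if not re.fullmatch(r"[A-Za-z0-9]{3}", branch):
        problems.append("branch office must be 3 characters: %r" % branch)
    if not re.fullmatch(r"[0-9]{3}", country):
        problems.append("country code must be 3 digits: %r" % country)
    if any(part == "" for part in description):
        problems.append("empty component in file type description")
    return problems


def parse_upload_name(name: str) -> UploadName:
    """Split a valid name into its fields; raise ValueError otherwise."""
    problems = check_upload_name(name)
    if problems:
        raise ValueError("; ".join(problems))
    pmr, branch, country, *description = name.split(".")
    return UploadName(pmr, branch, country, ".".join(description))


if __name__ == "__main__":
    # Names taken from the sessions on this page, plus one constructed bad name.
    for candidate in ("12345.123.724.DUMP.ZIP", "34143.055.000.test.nixx",
                      "my dump $1.zip"):
        print(candidate, "->", check_upload_name(candidate) or "OK")
```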


FTP example (MVS or z/OS command prompt)

The following JCL can be tailored and used to process the data sets to be transmitted to the FTP server.

Note: Please be sure to TURN OFF the LINE NUMBERING.

//XXXXX JOB CLASS=A,MSGCLASS=X,REGION=64M
//*----------------------------------------------------
//* Be sure that line numbering is set to off (unnum)
//*----------------------------------------------------
//* Delete the temporary file
//*----------------------------------------------------
//DELETE EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
 DELETE YOUR.TERSED.DATASET
 DELETE YOUR.CRYPTED.DATASET
 SET MAXCC=0
//*----------------------------------------------------
//* Terse the file
//* THIS STEP IS MANDATORY
//*----------------------------------------------------
//TERSE EXEC PGM=TRSMAIN,PARM=PACK
//SYSPRINT DD SYSOUT=*
//INFILE DD DISP=SHR,DSN=YOUR.INPUT.DATASET
//OUTFILE DD DISP=(NEW,CATLG),UNIT=SYSDA,
// SPACE=(CYL,(10,5),RLSE),
// DSN=YOUR.TERSED.DATASET
//*----------------------------------------------------
//* Encrypt the file
//* Optional step if you can not use secure FTP
//*----------------------------------------------------
//DFSMSENC EXEC PGM=CSDFILEN
//SYSPRINT DD SYSOUT=*
//SYSOUT DD SYSOUT=*
//SYSUT1 DD DISP=SHR,
// DSN=YOUR.TERSED.DATASET
//SYSUT2 DD DISP=(NEW,CATLG),UNIT=SYSDA,
// SPACE=(CYL,(10,5),RLSE),
// DSN=YOUR.CRYPTED.DATASET
//SYSIN DD *
DESC='Optional information'
CLRTDES
PASSWORD=sample password please change
//*----------------------------------------------
//* SEND THE FILE TO THE IBM FTP SERVER
//* WHEN CRYPTED, SEND THE CRYPTED DATASET
//* WHEN TERSED ONLY, SEND THE TERSED DATASET
//* USE NON-SECURE OR SECURE FTP
//*----------------------------------------------
//* EXEC Statement for NON-Secure-FTP
//FTP EXEC PGM=FTP,PARM='-v (EXIT '
//* Uncomment next line for Secure-FTP
//*FTP EXEC PGM=FTP,PARM='-a TLS -v (EXIT '
//SYSTCPD DD DSN=YOUR.TCPPARMS(TCPDATA),DISP=SHR
//SYSFTPD DD DSN=YOUR.TCPPARMS(FTPDATA),DISP=SHR
//SYSPRINT DD SYSOUT=*
//INPUT DD *
ftp.ecurep.ibm.com
anonymous
your@email.address
bin
cd /toibm/mvs
put 'YOUR.CRYPTED.DATASET' 12345.123.724.DUMP.TRS[.EFZ]
quit
/*

Where
TRS - Mandatory identifier for tersed files
EFZ - Identifier only for encrypted files


FTP example (z/VM)

Ready; T=0.01/0.01 17:25:05
ftp ftp.ecurep.ibm.com
VM TCP/IP FTP Level 320
Connecting to ftp.ecurep.ibm.com 9.39.0.2, port 21
220-FTPSERVE IBM FTP CS V2R10 at MCEVS1, 16:24:21 on 2002-03-19.
220-************************************************************************
220-* Welcome to the IBM EMEA Centralized Customer Data Repository (ECuRep)*
220-* INTERNET ADDRESS 192.109.81.7 (ftp.ecurep.ibm.com) *
220-* IBM INTRANET ADDRESS 9.39.51.27 (ftp.ecurep.ibm.com) *
220-* *
220-* All FTP'able software is (c) copyright International Business *
220-* Machines Corporation. *
220-* *
220-* Before using this service refer to the terms of use for *
220-* Exhanging Diagnostic Data with IBM *
220-* (see http://www.ibm.com/de/support/ecurep/service.html) Ü *
220-* *
220-* For FAQ/Documentation please see ECuRep - Homepage *
220-* http://www.ibm.com/de/support/ecurep/index.html *
220-* *
220-* LOGIN user: anonymous pw: your_email_address *
220-************************************************************************
220-* please report questions to: ftp.emea§mainz.ibm.com *
220 Connection will close if idle for more than 5 minutes.
USER (identify yourself to the host):
anonymous
>>>USER anonymous
331 Send email address as password please.
Password:
>>>PASS ********
230-Here you can deliver/get support material to/from IBM.
230-Directories for:
230- deliver use command 'cd toibm'
230- get use command 'cd fromibm'
230-
230-Please use command 'bin' prior transfer. See special instructions
230-displayed when changing to the sub directory.
230 'ANONYMOUS' logged on. Working directory is /.
Command:
cd /toibm/s390
>>>CWD /toibm/s390
250-Here you can place s390 related support material for IBM
250-
250-To ensure quick and proper problem determination you should consider
250-these principals and naming convention:
250-
250-xxxxx.bbb.ccc.yyy.yyy ---> xxxxx = PMR-Number
250- bbb = Branch Office (if known)
250- ccc = IBM Country Code (f.e. Germany 724)
250- yyy.yyy = Short description for the file type
250- f.e. tar.Z, restore.Z, restore.gz
250-
250-Take care to use the binary Option before transfer.
250-Due to security reasons you will not be able to list the directory contents.

250-
250-Some additional Remarks:
250-1.) If possible inform your IBM Software Support about the files
250- transferred. This will reduce the reaction Time.
250-2.) The Material will be automatically deleted after 3 Working days.
250-3.) The FTP GET und LS option are intentionally disabled.
250 HFS directory /toibm/s390 is the current working directory.
Command:
put qt.rextrace.a 12345.111.724.qt.test

>>>SITE VARrecfm
200 Site command was accepted
>>>PORT 9,39,62,3,10,72
200 Port request OK.
>>>STOR 12345.111.724.qt.test
125 Storing data set /toibm/s390/12345.111.724.qt.test
250 Transfer completed successfully.
52 bytes transferred in 0.034 seconds. Transfer rate 1.53 Kbytes/sec.
Command:
quit
>>>QUIT
221 Quit command received. Goodbye.
Ready; T=0.02/0.03 17:26:12
cl con


FTPS and firewalls

When using Secure FTP (FTPS), you may run into problems with your firewall. This is due to the nature of the protocol and the different types of firewalls.

FTP uses two connections between the FTP client and FTP server. The control connection is used to exchange FTP commands and control information, and the data connection is used to transmit the files and for output of commands.

The control connection is established when an FTP client connects to an FTP server. If data has to be transferred, the data connection is set up dynamically. There are no fixed TCP ports for this connection. The FTP server tells the client, within the control connection, which TCP port to use. The port changes for every data transmission. Modern firewalls read the port information exchanged within the control connection and dynamically create rules to allow the data transfer.

While FTPS is in use, the control and data connections are encrypted. A firewall can no longer read the content of the control connection, and dynamic rule creation for the data connections is no longer possible.

There are also some firewalls which run more or less intensive checks on the traffic within the control connections. They drop the connection if they detect traffic which is not mentioned in the FTP protocol definition. Those checks must fail with encrypted connections.
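What a firewall's FTP helper reads from the control connection, and why it stops working once TLS starts, as an added example that is not part of the original page. The PORT line is the one from the z/VM session on this page; the 227 and 229 replies, the 234 reply text and the TLS record bytes are constructed, and the function names are assumptions.

```python
import re
from typing import Iterable, List, Optional, Tuple

Endpoint = Tuple[Optional[str], int]  # (IP address or None, TCP port)

# h1,h2,h3,h4,p1,p2 as used by the PORT command and the 227 (PASV) reply.
HOSTPORT = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# 229 Entering Extended Passive Mode (|||port|)
EPSV_REPLY = re.compile(r"^229 .*\((.)\1\1(\d{1,5})\1\)")
# TLS record content types: change_cipher_spec, alert, handshake, app data.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}


def looks_like_tls_record(chunk: bytes) -> bool:
    """True if the bytes start with a TLS record header instead of FTP text."""
    return (len(chunk) >= 5 and chunk[0] in TLS_CONTENT_TYPES
            and chunk[1] == 0x03 and chunk[2] <= 0x04)


def data_endpoint(line: bytes) -> Optional[Endpoint]:
    """Extract the data connection endpoint announced on one control line."""
    try:
        text = line.decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    if text.upper().startswith("PORT ") or text.startswith("227 "):
        match = HOSTPORT.search(text, 4)
        if not match:
            return None
        numbers = [int(value) for value in match.groups()]
        if any(number > 255 for number in numbers):
            return None
        # The port is sent as two bytes: high byte first, then low byte.
        return ".".join(map(str, numbers[:4])), numbers[4] * 256 + numbers[5]
    match = EPSV_REPLY.match(text)
    if match:
        port = int(match.group(2))
        return (None, port) if 0 < port < 65536 else None
    return None


def inspect_control_channel(chunks: Iterable[bytes]) -> Tuple[List[Endpoint], bool]:
    """Return (data endpoints the firewall could open, went_blind)."""
    pinholes: List[Endpoint] = []
    blind = False
    for chunk in chunks:
        if looks_like_tls_record(chunk):
            blind = True          # only ciphertext from here on
            continue
        endpoint = data_endpoint(chunk)
        if endpoint is not None:
            pinholes.append(endpoint)
    return pinholes, blind


# Plain FTP: commands and replies as they appear in the z/VM session above.
PLAIN_SESSION = [
    b"USER anonymous\r\n",
    b"331 Send email address as password please.\r\n",
    b"PORT 9,39,62,3,10,72\r\n",
    b"200 Port request OK.\r\n",
    b"STOR 12345.111.724.qt.test\r\n",
]
# FTPS: after AUTH TLS the firewall sees only TLS records (constructed bytes).
FTPS_SESSION = [
    b"AUTH TLS\r\n",
    b"234 Ready for TLS negotiation\r\n",
    b"\x16\x03\x03\x00\x04" + bytes(4),
    b"\x17\x03\x03\x00\x10" + bytes(16),
]

if __name__ == "__main__":
    print("plain FTP:", inspect_control_channel(PLAIN_SESSION))
    print("FTPS     :", inspect_control_channel(FTPS_SESSION))
```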

In case of problems please read our help page.


GeoTrust certificate installation instructions

MVS (OS/390, z/OS) FTP Clients only

Please follow the directives below to establish the necessary RACF definition.

  1. Obtain the Equifax CA certificate.
    • Below you will find the contents of the CURRENT Equifax CA certificate. Please note that this certificate is subject to change, i.e., it may become invalid or it may expire.
    • You can find the ORIGINAL certificate on the GeoTrust webpage under Web Security, SSL certificates, TrueBusiness ID, Installation Instructions, or you can use this link for the certificate and installation.
    • On the GeoTrust site, follow the link for HTTP server and ignore all references to HTTP server; the certificate is at the bottom.
    • Current contents of the GeoTrust Trusted Root Certificate: Equifax Secure Certificate Authority (valid starting June 6th, 2016)

    • Use Copy and Paste to place this Certificate into a SEQUENTIAL, VARIABLE BLOCKED dataset on your MVS System, be sure to include the top and bottom dashed lines.
    • Name this dataset SYS1.CA.CERT.
    • Do NOT change the contents!

  2. GeoTrust Intermediate certificates
    (valid starting June 6th, 2016):

    It is not necessary to install these certificates.

  3. Certificate for ftp.ecurep.ibm.com
    (valid starting June 6th, 2016):

    Use Copy and Paste to place this Certificate into a second SEQUENTIAL, VARIABLE BLOCKED dataset, be sure to include the top and bottom dashed lines. Name this dataset 'SYS1.FTPEMEA.CERT'.

    Do NOT change the content!

  4. Add the GeoTrust Trusted Root Certificate to your RACF database as a CERTAUTH Certificate. Use the RACF dialogs as follows:
    • From the RACF Primary Panel (ICHP00), select Option 7 - DIGITAL CERTIFICATES AND KEY RINGS.
    • On the next panel (ICHPB70), select Option 4 - Add, Alter, Delete, or List certificates...
    • On the next panel (ICHPB0), select Option 1 - Add a digital certificate to the RACF database and enter any character under the Certificate Authority-heading in the next line, then press ENTER.
    • On the next panel (ICHPB01A), you will now notice the highlighted word CERTAUTH.
    • Enter the Data Set Name (in quotes) 'SYS1.CA.CERT' in the first input field.
    • Enter the Label Name (in quotes) in the next input field. The label name must be specified as: 'Equifax Secure Certificate Autho'. Caution: this field is case-sensitive.
    • In the Field Status Trust enter the character H for Hightrust, then press ENTER.

    Alternatively, you can issue the RACF command:

                  
                    RACDCERT CERTAUTH -
                    ADD('SYS1.CA.CERT') -
                    HIGHTRUST -
                    WITHLABEL('Equifax Secure Certificate Autho')
                  
                
  5. Add the ECuRep FTP Server Certificate to your RACF database as a SITE Certificate. Use the RACF dialogs as follows:
    • From the RACF Primary Panel (ICHP00), select Option 7 - DIGITAL CERTIFICATES AND KEY RINGS.
    • On the next panel (ICHPB70), select Option 4 - Add, Alter, Delete, or List certificates...
    • On the next panel (ICHPB0), select Option 1 - Add a digital certificate to the RACF database and enter any character under the Site-heading in the next line, then press ENTER.
    • On the next panel (ICHPB01A), you will now notice the highlighted word SITE.
    • Enter the Data Set Name (in quotes) 'SYS1.FTPEMEA.CERT' in the first input field.
    • Enter the Label Name (in quotes) in the next input field. The label name must be specified as: 'ftp.ecurep.ibm.com'. Caution: this field is case-sensitive.
    • In the Field Status Trust enter the character T for Trust, then press ENTER.

    Alternatively, you can issue the RACF command:

                  
                    RACDCERT SITE -
                    ADD('SYS1.FTPEMEA.CERT') -
                    TRUST -
                    WITHLABEL('ftp.ecurep.ibm.com')
                  
                
  6. Create a RACF KEYRING for EACH userid(!) who would like to use Secure FTP. Use the RACF dialogs as follows:
    • From the RACF Primary Panel (ICHP00), select Option 7 - DIGITAL CERTIFICATES AND KEY RINGS.
    • On the next panel (ICHPB70), select Option 6 - Create, List, or Delete an entire key ring...
    • On the next panel (ICHP75), select Option 1 - Create a new key ring and enter the userid for which you create this keyring.
    • On the next panel (ICHP75A), enter a name for the keyring (WITHOUT quotes), e.g. SECURE.FTP.KEYRING

    Alternatively, you can issue the RACF command:

                  
                    RACDCERT ID(userid) ADDRING(SECURE.FTP.KEYRING)
                  
                
  7. Connect the CA certificate to each user's(!) keyring. Use the RACF dialogs as follows:
    • From the RACF Primary Panel (ICHP00), select Option 7 - DIGITAL CERTIFICATES AND KEY RINGS.
    • On the next panel (ICHPB70), select Option 6 - Create, List, or Delete an entire key ring...
    • On the next panel (ICHP75), select Option 4 - Connect a digital certificate to a key ring and enter the userid to whose keyring you connect this certificate.
    • On the next panel (ICHP754), enter the keyring name, e.g. SECURE.FTP.KEYRING. In the fields Certificate Type and Usage, enter any character under Certificate Authority and enter the Label Name (in quotes) 'Equifax Secure Certificate Autho', then press ENTER. (The field Default defaults to NO, that's fine).

    Alternatively, you can issue the RACF command:

                  
                    RACDCERT ID(userid) -
                    CONNECT( -
                    CERTAUTH -
                    LABEL('Equifax Secure Certificate Autho') -
                    RING(SECURE.FTP.KEYRING) -
                    USAGE(CERTAUTH) -
                    )
                  
                
  8. Connect the ECuRep FTP Server Certificate to each user's(!) keyring. Use the RACF dialogs as follows:
    • From the RACF Primary Panel (ICHP00), select Option 7 - DIGITAL CERTIFICATES AND KEY RINGS.
    • On the next panel (ICHPB70), select Option 6 - Create, List, or Delete an entire key ring...
    • On the next panel (ICHP75), select Option 4 - Connect a digital certificate to a key ring and enter the userid to whose keyring you connect this certificate.
    • On the next panel (ICHP754), enter the keyring name, e.g. SECURE.FTP.KEYRING. In the fields Certificate Type and Usage, enter any character under Site and enter the Label Name (in quotes) 'ftp.ecurep.ibm.com', then press ENTER. (The field Default defaults to NO, that's fine).

    Alternatively, you can issue the RACF command:

                  
                    RACDCERT ID(userid) -
                    CONNECT( -
                    SITE -
                    LABEL('ftp.ecurep.ibm.com') -
                    RING(SECURE.FTP.KEYRING) -
                    USAGE(SITE) -
                    )
                  
                
  9. Do a RACF Refresh of the (hopefully) RACLISTed classes DIGTCERT and DIGTRING. Issue the RACF command:
                  
                    SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH
                  
                
  10. That's it! However, please remember that each userid now has its own keyring. In the TCP/IP parameters for your FTP CLIENT, you can enter only ONE keyring. This means that you have to create a separate FTPDATA dataset/member/file for EVERY userid who wants to use Secure FTP.

FTPS example

EZA1736I FTP -a tls -n -v -p TCPIP (EXIT
EZY2640I Using dd:SYSFTPD=TCPIP.IVN.TCPPARMS(FTPCDATS) for local site configuration parameters.
EZYFT26I Using 7-bit conversion derived from 'ISO8859-1' and 'IBM-1047' for the control connection.
EZYFT32I Using the same translate tables for the control and data connections.
EZA1450I IBM FTP CS V1R4
EZA2807I Executing under single stack configuration. Specified TCPIP name TCPIP ignored.
EZA1772I FTP: EXIT has been set.
EZA1456I Connect to ?
EZA1736I 192.109.81.7
EZYFT18I Using catalog '/usr/lib/nls/msg/C/ftpdmsg.cat' for FTP messages.
EZA1554I Connecting to: 192.109.81.7 port: 21.
220-FTPD1 IBM FTP CS V1R2 at MCEFTP, 15:27:37 on 2004-03-17.
220-Welcome to the IBM Centralized Customer Data Repository (ECuRep)
220-INTERNET ADDRESS 192.109.81.7 ()
220-BBefore using this service refer to the terms of use for
220-Exhanging Diagnostic Data with IBM
220-(see http://www.ibm.com/de/support/ecurep/service.html)!
220-For FAQ/Documentation please see ECuRep - Homepage
220-http://www.ibm.com/de/support/ecurep/index.html
220- LOGIN user: anonymous pw: your_email_address
220-please report questions to: contact@ecurep.ibm.com
220 Connection will close if idle for more than 15 minutes.
EZA1701I >>> AUTH TLS
234 Security environment established - ready for negotiation
EZA2895I Authentication negotiation succeeded
EZA1701I >>> PBSZ 0
200 Protection buffer size accepted
EZA1701I >>> PROT P
200 Data connection protection set to private
EZA2906I Data connection protection is private
EZA1460I Command:
EZA1701I >>> USER anonymous
331 Send email address as password please.
EZA1789I PASSWORD:
EZA1701I >>> PASS
230-Here you can deliver/get support material to/from IBM.
230-Directories for:
230-deliver use command 'cd toibm'
230-get use command 'cd fromibm'
230-for CADCAM/CATIA/VPM/ENOVIA/SMARTEAM use command 'cd cadcam'
230-Please use command 'bin' prior transfer. See special instructions
230-displayed when changing to the sub directory.
230 'ANONYMOUS' logged on. Working directory is /.


Stat command example

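If you cannot see the AUTH TLS command, you can check the status of the session with a remote stat command. The lines reporting the authentication type and the control and data protection levels (highlighted in the original page) indicate a secure session.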

EZA1736I stat
EZA1701I >>> STAT
211-Server FTP talking to host 195.212.29.163, port 21061
211-User: Anonymous Working directory: /
211-The control connection has transferred 707 bytes
211-There is no current data connection.
211-The next data connection will be actively opened
211-to host 195.212.29.163, port 21061,
211-using Mode Stream, Structure File, type Image, byte-size 8
211-Automatic recall of migrated data sets.
211-Automatic mount of direct access volumes.
211-Auto tape mount is allowed.
211-Inactivity timer is set to 900
211-VCOUNT is 59
211-ASA control characters in ASA files opened for text processing
211-will be transferred as ASA control characters.
211-Trailing blanks are not removed from a fixed format
211-data set when it is retrieved.
211-Data set mode. (Do not treat each qualifier as a directory.)
211-ISPFSTATS is set to FALSE
211-Primary allocation 450 tracks. Secondary allocation 45 tracks.
211-Partitioned data sets will be created with 50 directory blocks.
211-FileType SEQ (Sequential - default).
211-Number of access method buffers is 5
211-RDWs from variable format data sets are discarded.
211-Records on input tape are unspecified format
211-SITE DB2 subsystem name is DB2
211-Data not wrapped into next record.
211-Tape write is not allowed to use BSAM I/O
211-Truncated records will not be treated as an error
211-JESLRECL is 80
211-JESRECFM is Fixed
211-JESINTERFACELEVEL is 2
211-Xlate name is STANDARD
211-SMS is active.
211-Data sets will be allocated using unit SYSDA
211-New data sets will be catalogued if a store operation ends abnormally
211-Single quotes will override the current working directory.
211-UMASK value is 777
211-Process id is 50333504
211-Checkpoint interval is 0
211-Authentication type: TLS
211-Control protection level: Private
211-Data protection level: Private
211-Record format VB, Lrecl: 256, Blocksize: 27968
211 *** end of status ***
EZA1460I Command:
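
The check described in the two examples above can be automated over a saved client log. The following is an added example, not code from IBM or from the original page; the function name `check_ftps_session` is hypothetical and the embedded log is a constructed, shortened sample in the message format shown above.

```python
import re

# Constructed sample: a shortened client log in the message format shown above.
SAMPLE_LOG = """\
EZA1701I >>> AUTH TLS
234 Security environment established - ready for negotiation
EZA2895I Authentication negotiation succeeded
EZA1701I >>> PBSZ 0
200 Protection buffer size accepted
EZA1701I >>> PROT P
200 Data connection protection set to private
EZA1701I >>> USER anonymous
331 Send email address as password please.
EZA1701I >>> STAT
211-Authentication type: TLS
211-Control protection level: Private
211-Data protection level: Private
211 *** end of status ***
"""

CMD = re.compile(r"^EZA1701I >>> (\S+)\s*(.*)$")   # command sent by the client
REPLY = re.compile(r"^(\d{3})[- ](.*)$")            # numeric server reply
EXPECTED_STAT = {"authentication type": "tls",
                 "control protection level": "private",
                 "data protection level": "private"}


def check_ftps_session(log):
    """Return a list of problems; an empty list means the log shows a protected session."""
    problems, last_cmd, accepted, stat = [], None, set(), {}
    for line in map(str.strip, log.splitlines()):
        if m := CMD.match(line):
            last_cmd = (m.group(1).upper(), m.group(2).strip().upper())
            if last_cmd[0] in ("USER", "PASS") and "AUTH" not in accepted:
                problems.append(f"{last_cmd[0]} sent before AUTH TLS was accepted")
        elif m := REPLY.match(line):
            code, text = m.groups()
            key, sep, value = text.partition(":")
            if last_cmd == ("AUTH", "TLS") and code == "234":
                accepted.add("AUTH")
            elif last_cmd == ("PROT", "P") and code == "200":
                accepted.add("PROT")
            elif code == "211" and sep and key.strip().lower() in EXPECTED_STAT:
                stat[key.strip().lower()] = value.strip().lower()
    if stat:  # STAT output present: all three security lines must match
        for key, want in EXPECTED_STAT.items():
            if stat.get(key) != want:
                problems.append(f"STAT: {key} is {stat.get(key, 'missing')!r}, expected {want!r}")
    elif accepted != {"AUTH", "PROT"}:
        problems.append("no STAT output and no accepted AUTH TLS / PROT P exchange")
    return problems
```

Feed it the complete output of an FTP job step; a non-empty result means the login or the data connection was not shown to be protected and the transfer should be rerun once the TLS setup has been fixed.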
