In addition to native TLS support, the FTP server and client can use AT-TLS to manage TLS security. TLS managed by AT-TLS (TLSMECHANISM ATTLS) supports more security functions than TLS managed natively by FTP (TLSMECHANISM FTP). Be aware of these AT-TLS capabilities and requirements when planning the preferred AT-TLS support for FTP:

- Specify the label of the certificate to be used for authentication instead of using the default.
- Support SSL session key refresh.
- Support SSL sysplex session ID caching.
- Trace decrypted SSL data for FTP in a data trace.
- Receive more detailed diagnostic messages in syslogd.
- There are no restrictions for the FTP ATTLS function.
- Policy agent must be active for FTP ATTLS to work.
- TLS security defined natively to FTP will continue to be available in addition to AT-TLS.

17.1.3 How FTP security can be applied

FTP security can be applied by implementing restricted access to FTP servers with firewalls, and then requiring the use of a SOCKS proxy server to control client access to the intended destination server. Digital certificates can be used for client and server authentication and to enable the use of data encryption.

If you already have TLS implemented for an existing instance of the FTP server, it is easy to migrate from TLS to AT-TLS support. AT-TLS support is implemented by moving most of the TLS definitions from the FTP server's FTP.DATA file into the policy agent's AT-TLS configuration profile section. The FTP server is defined as an AT-TLS controlling application to the policy agent, and can retain its control of the secure relationship with the client.

The AT-TLS implementation provides more flexibility and functionality than basic TLS, and is therefore the preferred method of implementing digital certificate support for the FTP server. The IBM Configuration Assistant GUI is used to create the appropriate policy agent statements for AT-TLS.
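A migration check for the move from native TLS to AT-TLS described above, written as an added example that is not part of the original book or of any IBM tooling. It assumes that KEYRING, CIPHERSUITE and TLSTIMEOUT are the FTP.DATA statements that belong in the AT-TLS policy once TLSMECHANISM ATTLS is coded, that TLSMECHANISM defaults to FTP, and that ";" starts a comment; the sample FTP.DATA content is constructed.

```python
# Added example: audit FTP.DATA text during a native-TLS to AT-TLS migration.
# Assumption: these statements belong in the AT-TLS policy once
# TLSMECHANISM ATTLS is coded; confirm the list for your z/OS release.
ATTLS_OWNED = {"KEYRING", "CIPHERSUITE", "TLSTIMEOUT"}

# Constructed sample input, not taken from a real system.
SAMPLE_FTP_DATA = """\
; constructed sample FTP.DATA
EXTENSIONS   AUTH_TLS
TLSMECHANISM ATTLS            ; TLS is managed by AT-TLS
SECURE_FTP   REQUIRED
KEYRING      FTPD/SampleRing  ; leftover from native TLS
CIPHERSUITE  SSL_3DES_SHA
"""


def parse_ftp_data(text):
    """Return (line_number, KEYWORD, value) tuples; ';' starts a comment."""
    statements = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        statements.append((number, parts[0].upper(), value))
    return statements


def audit(text):
    """Return (line_number, message) findings; line 0 means file-level."""
    statements = parse_ftp_data(text)
    # Assumption: the last TLSMECHANISM wins and the default is FTP.
    mechanism = "FTP"
    for _, keyword, value in statements:
        if keyword == "TLSMECHANISM":
            mechanism = value.upper()
    if mechanism != "ATTLS":
        return [(0, "TLSMECHANISM is %s: TLS is still managed natively by FTP"
                 % mechanism)]
    return [(number, "%s is still in FTP.DATA; define it in the AT-TLS policy"
             % keyword)
            for number, keyword, _ in statements if keyword in ATTLS_OWNED]


if __name__ == "__main__":
    for number, message in audit(SAMPLE_FTP_DATA):
        print("line %d: %s" % (number, message))
```

A clean result only means FTP.DATA no longer carries the moved statements; the policy agent must still be active with a matching AT-TLS policy for the secured sessions to work.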
17.2 FTP client with SOCKS proxy protocol

In this section we discuss the configuration changes necessary to add SOCKS server support to the base FTP client we introduced in IBM z/OS Communications Server TCP/IP Implementation Volume 2: Standard Applications, SG24-7997. This section discusses the following topics:

- Description of the SOCKS proxy protocol
- Configuration of the SOCKS proxy protocol
- Activation and verification of the SOCKS proxy FTP

17.2.1 Description of the SOCKS proxy protocol

An FTP client can be permitted to access an FTP server either directly, or it can be required to access the server indirectly by passing through a SOCKS proxy server to get to the FTP server. If the FTP client must pass through a SOCKS proxy, the client must use the SOCKS protocol to successfully navigate through the proxy server. The client must be able to

Chapter 17. Secure File Transfer Protocol 719