VitalSigns for FTP | VFTP | Easily Encrypt z/OS FTP

Many legacy z/OS batch jobs use FTP to transfer plain text--a security crisis waiting to happen. VFTP and SSH can easily encrypt those transfers--WITHOUT you having to edit the batch jobs.

FTP was built long, long ago, with no attention to security. The data is clear-text. The commands are clear-text. The IDs and passwords are clear-text too. You simply can't keep sending that clear-text data anywhere outside the building, not anymore. You've got to secure them, and probably very soon.


VFTP - SSH encrypts FTP coming out of z/OS batch jobs


without you having to edit and test a single line of batch JCL code.



There are at least two very reliable ways to secure that FTP traffic from z/OS. Both of those solutions involve securing FTP traffic by encrypting it with SSH.

Secure FTP with SSH Tectia® and VitalSigns for FTP:

Secure Shell (SSH) is a widely trusted cryptographic protocol. It uses public/private key encryption (a.k.a. PKI) to authenticate users and machines, to encrypt traffic, and to ensure the integrity of data. It is the standard network security tool in the Linux/Unix world. Remote access to a Linux/Unix system is almost always guarded by SSH. Microsoft® promises a implementation for Windows® in 2016.

With help from VFTP, SSH Tectia clients/servers (built by SSH Communications Security, the creators of SSH) provide unique SSH services for collaboration with z/OS FTP clients/servers.

SSH Tectia can secure z/OS FTP traffic in either of two ways. The difference is the number of FTP installations involved.

FTP through an SSH Tunnel:

SSH tunneling means transferring data between two z/OS FTP installations, with SSH in the middle. A file transfer gets encrypted before it leaves its home machine, then decrypted after it is safely inside the destination machine. SSH clients/servers reside at either end, guarding the passage between the FTP clients/servers and the outside world. The SSH tunnel transports safely encrypted FTP commands and data between them.

Converting FTP to Secure FTP (SFTP):

FTP-to-SFTP conversion lets FTP and SSH at one end transfer data to an SSH client/server living alone at the other end--a common situation on Linux/Unix boxes.

SFTP is the SSH version of FTP; it's the file transfer mechanism built into SSH clients and servers. But SFTP commands are different than FTP commands, so the batch jobs can't speak to SSH directly. They need some kind of translator in between.

So you put an SSH client on z/OS, between your FTP client and the outside world. The batch jobs talk to FTP. The FTP client passes commands and data to the SSH client, which translates FTP to SFTP. Then secure SFTP traffic travels the SSH connection to the SSH server at the other end.

What's the Hard Part?

It is relatively simple to install the SSH clients/servers and get them talking to one another.

The harder part is telling the FTP clients/servers to work with their SSH partners.

Thats where VFTP comes in. VFTP is smart controlling software that sits between the batch jobs and the native z/OS FTP client.

VFTP acts as a proxy FTP client. You configure z/OS to use VFTP as the default for outgoing FTP commands and data. Then when a batch job wants to send a transfer, it talks to VFTP, which looks at the job name, or the user ID, or the destination, then passes the message to native z/OS FTP along with configuration instructions about SSH encryption and/or conversion.


The VitalSigns for FTP-SSH Tectia collaboration from Software Diversified Services will easily secure any and all outgoing FTP traffic that has SSH installed at the other end.


VFTP - SSH encrypts FTP coming out of z/OS batch jobs


without you having to edit and test a single line of batch JCL code.



On top of that, VFTP provides far simpler and more thorough monitoring of z/OS FTP traffic than z/OS itself does. Auditors love it.