Things You Need to Know about Mainframe FTP Processing
FTP (File Transfer Protocol) is used by mainframes to transfer files to and from other computers over TCP/IP. Currently, TCP/IP is the primary networking protocol used by most organizations that run client-server applications. TCP/IP on z/OS supports all of the well-known server and client applications.
On z/OS, FTP is a UNIX System Services (USS) application. It starts in an MVS environment, “but it does not remain there very long. It immediately forks itself into the z/OS UNIX environment and tells the parent task to kill itself” (Networking on z/OS, 2010). Via TCP/IP, the FTP server communicates with any FTP client that can reach it through the network.
FTP uses two ports, one for commands and the other for data. In active FTP the client initiates a connection to the server’s command port. The server then initiates a connection with the client from the server’s data port. In passive FTP, the client initiates both connections with the server, which remains “passive.”
FTP On the Mainframe
Because of security concerns, many IT managers do not permit the use of FTP on mainframes without strong security controls. That is because FTP…
- Enables unauthorized access to data
- Exposes user IDs and passwords across networks (the control channel carries them in cleartext)
- Enables unauthorized anonymous log-ons
- Provides access to printouts (job output) that can contain sensitive information
- Enables denial of service (DoS) attacks by allowing buffer overflow at the server
- Allows a session between a mainframe and a PC to be hijacked by unauthorized persons
- Does not provide verification of data integrity at the application level
- Allows unauthorized persons to submit batch jobs
- Allows unauthorized inquiries into DB2 data
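The two points above that a defender most often has to act on are the active/passive connection pattern and the cleartext credential exposure. The following is an added example, not code from the article: it parses a constructed FTP control-channel transcript the way a firewall or IDS would, decoding the PORT and PASV endpoints to show which side opens the data connection, and flagging the USER/PASS pair that any observer on the path can read. The session, hosts and ports are made-up sample values.

```python
"""Added example (not from the article): parse a constructed FTP control-channel
transcript to (1) show that USER/PASS travel in cleartext and (2) work out the
data-channel endpoint for active (PORT) and passive (PASV) transfers."""
import re
from typing import Optional

# Constructed sample session; "C:" is the client, "S:" is the z/OS FTP server.
SAMPLE_SESSION = """\
C: USER ibmuser
S: 331 Send password please.
C: PASS s3cret
S: 230 IBMUSER is logged on.
C: PORT 192,168,1,10,19,137
S: 200 Port request OK.
C: PASV
S: 227 Entering Passive Mode (10,0,0,5,4,1)
"""

_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def decode_hostport(text: str) -> Optional[tuple[str, int]]:
    """Turn the FTP 'h1,h2,h3,h4,p1,p2' form into ('h1.h2.h3.h4', port)."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    parts = [int(x) for x in m.groups()]
    if not all(0 <= v <= 255 for v in parts):   # malformed or out-of-range field
        return None
    h1, h2, h3, h4, p1, p2 = parts
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def analyse_session(transcript: str) -> dict:
    """Return the cleartext credentials seen and the data connection each mode implies."""
    report = {"user": None, "password": None, "data_channels": []}
    for line in transcript.splitlines():
        side, _, msg = line.partition(": ")
        if side == "C" and msg.upper().startswith("USER "):
            report["user"] = msg[5:]
        elif side == "C" and msg.upper().startswith("PASS "):
            report["password"] = msg[5:]          # readable by anyone on the path
        elif side == "C" and msg.upper().startswith("PORT "):
            # Active mode: the server connects *to* this client endpoint
            report["data_channels"].append(("active", "server->client", decode_hostport(msg)))
        elif side == "S" and msg.startswith("227"):
            # Passive mode: the client connects *to* this server endpoint
            report["data_channels"].append(("passive", "client->server", decode_hostport(msg)))
    return report

if __name__ == "__main__":
    print(analyse_session(SAMPLE_SESSION))
```

The direction recorded for each data channel is what a firewall rule has to allow, and the recovered password is the concrete reason the article's later recommendation is to encrypt the channel or move to SFTP.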
A number of strategies can reduce FTP security threats (z/Journal, Dec. 2008).
- The IBM System Authorization Facility (SAF), typically fronted by one of three security products: RACF, ACF2, or Top Secret. SAF is the standard means of invoking security software on the mainframe. It integrates user authentication and access control, protecting datasets, IP addresses, ports, FTP clients and servers, TCP/IP, and USS.
- Encryption of user IDs, passwords, and data
- Program exits to modify the logic of FTP
Because of the risks, many organizations (but probably not enough) have stopped using FTP, implementing SFTP (SSH File Transfer Protocol) instead. SFTP, like FTP, enables file transfers between hosts. However, SFTP encrypts commands and data before it transmits them.