SSL/TLS-Protected FTP Connections
This page contains information regarding the data center’s support for SSL/TLS-protected FTP connections between the NWRDC mainframe and other IP-hosts. Instructions on how to use SSL/TLS with FTP are provided in this document.
Some important terms used in this article and their meanings are:
- FTP – File Transfer Protocol
- SSL – Secure Sockets Layer
- TLS – Transport Layer Security
- FTP-S – FTP with SSL/TLS protection
FTP-S is an extension to the Internet standard FTP with support added for the SSL and TLS cryptographic protocols. It is available to all customers of the data center and can be immediately integrated into customers’ routine daily work environment.
With FTP-S, secure communications between any FTP customer and the NWRDC mainframe can be enabled, including communications over non-secure IP networks such as the Internet. All information exchanged with NWRDC between the FTP-S client and server is encrypted. This includes user-id, password, and all transmitted data.
The NWRDC mainframe supports FTP-S as both server and client.
Mainframe FTP Server:
Inbound connections from remote FTP-S clients to the NWRDC mainframe server are supported over the standard FTP control port, 21. Use of FTP-S is optional at this time for connections to mainframe port 21.
Inbound connections from remote FTP-S clients are also supported over an NWRDC locally customized FTP control port, 1990. Use of FTP-S is required for connections to mainframe port 1990.
This means that both non-secure FTP, as well as FTP-S, are supported by NWRDC mainframe port 21. However, mainframe port 1990 supports FTP-S connections only; connections to port 1990 by FTP clients without SSL/TLS-protection are rejected.
Please note that NWRDC may require certain remote sites to use FTP-S and port 1990 in the near future, particularly those which connect via non-secure networks. We will post additional information soon.
Remote FTP-S clients should specify “explicit mode” when connecting to the NWRDC mainframe server ports, both 21 and 1990. “Implicit mode” FTP-S is not supported. That is, the remote FTP-S client should include the “AUTH TLS” or “AUTH SSL” command to initiate SSL/TLS negotiation. Details of how FTP-S is implemented by the client will vary.
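As an added example that is not part of this NWRDC page, the following Python client (standard-library ftplib only) performs the explicit-mode connection described above: it sends AUTH TLS on the control port, switches the data channel to PROT P, and only then sends USER/PASS, so credentials are never transmitted in the clear and there is no silent fallback to plain FTP if the server refuses AUTH. The host name, user ID, password and optional CA bundle are placeholders; the site's actual values are assumptions.

```python
"""Explicit-mode FTP-S client: AUTH TLS on the control port, then PROT P."""
import ssl
from ftplib import FTP_TLS

# Ports as described for the NWRDC mainframe server: 21 accepts plain FTP
# and FTP-S, 1990 accepts FTP-S only.
FTPS_OPTIONAL_PORT = 21
FTPS_REQUIRED_PORT = 1990


def tls_context(cafile=None):
    """Build a context that verifies the server certificate and host name.

    cafile: optional PEM bundle for a CA not in the platform trust store,
    e.g. a privately signed server certificate (assumed to be supplied by
    the site). When None, the platform CA store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / 1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_policy(ctx):
    """Summarise the security-relevant settings of a context (used for checks)."""
    return {
        "verify": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


def connect_ftps(host, user, password, port=FTPS_REQUIRED_PORT, cafile=None):
    """Open an explicit-mode FTP-S session and return the logged-in client.

    Credentials are sent only after AUTH TLS has succeeded and PROT P is set.
    """
    ftp = FTP_TLS(context=tls_context(cafile))
    ftp.connect(host, port, timeout=30)
    # auth() sends "AUTH TLS" (explicit mode, as the server requires).
    # If the server rejects it, auth() raises and USER/PASS are never sent
    # unencrypted; deliberately no plaintext fallback here.
    ftp.auth()
    ftp.prot_p()  # encrypt data connections as well (PROT P)
    ftp.login(user, password)
    return ftp


if __name__ == "__main__":  # placeholders, not real site values
    session = connect_ftps("mainframe.example.invalid", "USERID", "secret")
    print(session.nlst())
    session.quit()
```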
Mainframe FTP Client:
Outbound connections to remote FTP-S servers from NWRDC mainframe clients are supported; particular port requirements are determined by the remote host.
To request an FTP-S connection to a remote server, a locally customized “SYSFTPD” configuration file must be referenced which contains the required options for SSL/TLS.
For mainframe batch job FTP-S, include the following DD card in the FTP step:
//SYSFTPD DD DSN=NWR.TCPIP.TCPDATA(FTPCDATA),DISP=SHR
For mainframe TSO session FTP-S, the SYSFTPD file must be dynamically allocated:
ALLOC FI(SYSFTPD) DA('NWR.TCPIP.TCPDATA(FTPCDATA)') SHR
Please see “Setting FTP Client Parameters Using FTP.DATA” for further information regarding client configuration settings.
The customized SYSFTPD file shown will result in an “AUTH TLS” initialization command being sent to the remote server. Other SSL/TLS-related parameters are also included in the SYSFTPD file, such as the local keyring name and cipher suites.
If the remote FTP-S server does not use a digital certificate signed by a Certificate Authority recognized by NWRDC, a copy of the server’s certificate will be needed. NWRDC must manually import the remote server’s certificate into the local keyring. Please contact NWRDC technical support for further information.
Please note that NWRDC may require certain remote sites to use FTP-S in the near future, particularly those which connect via non-secure networks. We will post additional information soon.
Both client and server FTP-S connections will take advantage of the Integrated Cryptographic Service Facility (ICSF) installed at the data center. The purpose of ICSF is to help improve system performance by making special hardware available to cryptography-related processes. Please see our web article "IBM z9 Cryptographic Elements Installed at NWRDC" for information about ICSF.
Please feel free to contact NWRDC if you have any questions regarding FTP-S, or to let us know of any other communications-related concerns that you have.
