File Transfer Protocol (FTP) is a popular mechanism among z/OS users for exchanging files over TCP/IP networks. However, FTP was not designed to be a secure protocol and takes no precautions to protect information transmitted during a session. This security weakness can cause misuse or loss of crucial data from mainframes during data transport. FTPS and SFTP are secure alternatives to FTP that can mitigate data risks by enabling safer, encrypted data transmissions.
FTP on z/OS
File Transfer Protocol (FTP), first defined in 1985 by RFC 959, is the standard and most commonly used TCP/IP application to transfer files between z/OS and other operating-system platforms. An FTP client and server are part of the base z/OS Communications Server functions. FTP on z/OS transfers MVS datasets and easily handles conversion between ASCII and EBCDIC. However, z/OS FTP lacks a proper management mechanism and can be easily misused. Unmanaged FTP is not secure, as it transfers data between the client and the server without encryption. That means all the confidential information (user name, password, files, and commands) is transferred in clear text, making it easy for eavesdroppers to retrieve and read the information.
FTPS on z/OS
FTPS is the regular FTP protocol extended with network security features for authentication, data integrity, and data privacy. It achieves this by encrypting data with SSL/TLS (Secure Sockets Layer/Transport Layer Security; TLS is simply the later version of SSL). Put simply, FTPS is FTP with an additional security layer applied to all transmissions. FTPS supports password authentication and X.509 certificates. It also supports Kerberos encryption. However, because FTPS encrypts the command channel, it can be difficult to use behind firewalls.
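The difference between a plain FTP session and an FTPS session can be checked from a control-channel trace. The following is an added example, not part of the original article or of any z/OS tooling: it flags credentials and transfers that were sent without protection. It assumes an endpoint-side trace in a constructed `C: `/`S: ` format and the explicit-FTPS commands of RFC 4217 (AUTH TLS, PBSZ, PROT); the function name and all sample lines are hypothetical.

```python
# Added example (not from the original page). The "C: "/"S: " trace format
# and every sample line below are constructed for illustration.
TRANSFER_VERBS = {"RETR", "STOR", "APPE", "LIST", "NLST"}

def audit_control_channel(lines):
    """Return sorted findings for one FTP / explicit-FTPS control session."""
    findings = set()
    tls_active = False    # set when the server answers AUTH with reply 234
    data_private = False  # set when the server accepts PROT P with reply 200
    pending = None        # ("AUTH", arg) or ("PROT", arg) awaiting a reply
    for raw in lines:
        side, _, text = raw.partition(": ")
        if side == "S":                      # server reply line
            code = text[:3]
            if pending and pending[0] == "AUTH":
                tls_active = code == "234"   # only AUTH TLS is modelled here
            elif pending and pending[0] == "PROT" and code == "200":
                data_private = pending[1] == "P"
            pending = None
            continue
        verb, _, arg = text.strip().partition(" ")
        verb = verb.upper()
        if verb in ("AUTH", "PROT"):
            pending = (verb, arg.strip().upper())
        elif verb in ("USER", "PASS") and not tls_active:
            findings.add(f"cleartext credentials ({verb})")
        elif verb in TRANSFER_VERBS and not (tls_active and data_private):
            # RFC 4217: the data channel stays clear until PROT P is accepted
            findings.add(f"cleartext data channel ({verb})")
    return sorted(findings)

# Constructed sample sessions
PLAIN_FTP = [
    "S: 220 FTP server ready",
    "C: USER IBMUSER", "S: 331 Send password please.",
    "C: PASS constructed-secret", "S: 230 IBMUSER is logged on.",
    "C: RETR 'PROD.PAYROLL.DATA'", "S: 125 Sending data set",
]
FTPS_NO_PROT = ["S: 220 FTP server ready", "C: AUTH TLS",
                "S: 234 Security environment established"] + PLAIN_FTP[1:]
FTPS_FULL = (FTPS_NO_PROT[:7]
             + ["C: PBSZ 0", "S: 200 OK", "C: PROT P", "S: 200 OK"]
             + FTPS_NO_PROT[7:])

if __name__ == "__main__":
    for name in ("PLAIN_FTP", "FTPS_NO_PROT", "FTPS_FULL"):
        print(name, audit_control_channel(globals()[name]))
```

The middle session shows a case the prose does not spell out: negotiating TLS on the command channel protects the login, but file contents still travel in the clear unless the client also requests a private data channel.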
SFTP on z/OS
The Secure Shell (SSH) File Transfer Protocol (SFTP) is supported on z/OS by multiple tools; IBM Ported Tools OpenSSH and Tectia™ clients and servers are two examples. SFTP provides a command set similar to, but not the same as, the FTP command set. It uses the SSH protocol to provide encryption and connection management. SFTP is common on Linux and Unix platforms. For SFTP support on z/OS, you need to install SFTP clients and servers. By rewriting batch jobs, z/OS FTP clients and servers can be made to pass some data transfers through SFTP clients and servers, thus transmitting data through secure SSH “tunnels.” That conversion can also be automated by installing software that “wraps around” the z/OS FTP client and diverts transfers through SSH proxies.
Advantages of SFTP
FTPS support is built into the z/OS platform. It handles MVS datasets, ASCII-EBCDIC translation, and JES. However, SFTP is technologically superior: It encrypts and compresses transfer data. It provides a more sophisticated checksum mechanism to guard against data corruption in transit. And multiple application channels are multiplexed through a single port, making SFTP more firewall-friendly.