MVS / z/OS UNIX file system Files

Use this panel to access settings for the creation, transfer, and treatment of MVS data sets and z/OS UNIX file system files.

Steps

  1. Click "Data Set Attributes..." to customize the attributes to associate with newly created MVS data sets. A wizard will direct you through the settings. You can choose to obtain attributes from SMS classes, inherit attributes from a model data set, or specify individual values for the attributes. Clicking this button is optional; defaults are already set.
  2. Click "Data Set Transfer Options..." to customize options related to the transfer and treatment of MVS data sets. Clicking this button is optional; defaults are already set. Options include:
  3. Click "HFS Options..." to customize options related to the files. Clicking this button is optional; defaults are already set. Options include:

You have completed this panel after clicking the buttons to modify all desired settings.

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



FTP Server Wizard: Welcome

Welcome to the z/OS FTP server configuration wizard.

As you proceed through the wizard, you will use the "Next", "Back" and "Finish" buttons to proceed through a few basic panels where you will configure:

  1. The start procedure name of the FTP server. An FTP server start procedure will be created as a member of a partitioned data set extended (PDSE). The name of the PDSE is set in the Basic Settings task.
  2. The member name of the FTP server configuration file. An FTP configuration file will be created as a member of a partitioned data set extended (PDSE). The name of the PDSE is set in the Basic Settings task.
  3. The control connection port. The FTP server will listen for logins on this port.
  4. Settings for either the Transport Layer Security (TLS) or Kerberos protocols, if security is desired.
  5. Whether the FTP server initially logs in users to access the z/OS UNIX hierarchical file system or to access MVS data sets.
  6. Whether FTP server events should be logged using the SYSLOGD daemon.

After completion of the wizard:

Push buttons
Click Next to advance to the next wizard panel.
Click Cancel to negate any entries you have made in this wizard.
Click Help to understand more about this panel.



Create SOCKS Configuration File

Use this panel to add configuration definitions to the FTP client SOCKS configuration file.

A SOCKS configuration file consists of entries where each entry defines an FTP server address and an indication whether to access that FTP server directly or through a SOCKS server. An entry can alternatively define a subnet, and indicate whether to access FTP servers in the subnet directly or through a SOCKS server.

When the FTP client logs in, the user specifies an FTP server address to connect to. The FTP client code accesses the SOCKS configuration file and looks for the FTP server's address or a matching subnet. It scans the entries from the top down and the first match found is used to determine whether to access the FTP server directly or through a SOCKS server.

Since the SOCKS configuration file entries can contain either individual FTP server addresses or subnets, it's possible for the login address to match multiple entries. Therefore, the order of the entries is important.

Steps

  1. Enter the member name of this SOCKS configuration file. This SOCKS configuration file will be created as a member of a partitioned data set extended (PDSE). This PDSE name was assigned in the Basic Settings task.
  2. Use the "Add..." button to create as many entries as necessary in this SOCKS configuration file. Each entry will define an FTP server address or subnet, and an indication whether to access the FTP server directly or through a SOCKS server.
  3. Use the "Move Up" and "Move Down" buttons to ensure the entries are in the preferred order.

You have completed this panel once you have entered the member name, added all the desired entries, and set the entries in the order of preference.

You can find more detailed help on the following elements of this window:

Member name

SOCKS table entries

Push buttons
Click Add... to add an entry to the table.
Click Edit... to modify a selected entry.
Click Remove to remove a selected entry from the table.
Click Move Up to move a selected entry up one position.
Click Move Down to move a selected entry down one position.
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Member name

The SOCKS configuration file will be created as a member of a partitioned data set extended (PDSE). This PDSE name was assigned in the Basic settings task. To modify the PDSE name, return to the IBM TCP/IP Configuration Demo for z/OS main customization panel and go to the Basic Settings task.

Syntax rules:



SOCKS table entries

This table lists each entry in the SOCKS configuration file. Each entry shows the defined FTP server address or subnet and indicates whether it will be accessed directly or through a SOCKS server, by displaying "Directly to FTP Server" or "Use SOCKS Server", respectively.

Use the "Add..." button to add new entries to the table, use the "Edit..." button to modify a selected entry, and use the "Remove" button to remove a selected entry from the table.

Since the SOCKS configuration file entries can contain either individual server addresses or subnets, it's possible for the login address to match multiple entries. Therefore, the order of the entries is important. Use the "Move Up" and "Move Down" buttons to ensure the entries are in the preferred order. For example, you will likely want all entries with individual FTP server addresses to be at the top and entries with subnets below them.

The table always contains the entry displayed as "All other FTP Servers". This entry cannot be removed and you cannot change its position in the table. It will always be the last entry in the table. This entry represents a subnet which matches all login addresses. This entry indicates how to connect to the FTP server for any login address not matching any other entries in the SOCKS configuration file. You can edit this entry to indicate whether the FTP servers should be accessed directly or through a SOCKS server.

Example

You add the following entries in the order shown:

  1. An FTP server address of 3.3.3.3, which will be accessed directly.
  2. An FTP server address of 5.5.5.5, which will be accessed through a SOCKS server.
  3. A subnet of 6.6.0.0 : 255.255.0.0, which will be accessed through a SOCKS server.

Then you edit the "All other FTP Servers" entry to indicate FTP servers should be accessed directly.

As a result, this is what happens during a login:

  1. If a client logs in to FTP server address 3.3.3.3, this matches the SOCKS configuration file entry with the FTP server address of 3.3.3.3, so the client connects directly to the FTP server.
  2. If a client logs in to FTP server address 5.5.5.5, this matches the SOCKS configuration file entry with the FTP server address of 5.5.5.5, so the client accesses the FTP server through a SOCKS server.
  3. If a client logs in to FTP server address 6.6.6.6, this matches the SOCKS configuration file entry with the subnet of 6.6.0.0 | 255.255.0.0, so the client accesses the FTP server through a SOCKS server.
  4. If a client logs in to FTP server address 9.9.9.9, this login address does not match any of the entries added. However, it matches the "All other FTP Servers" entry. Since this entry indicates FTP servers should be accessed directly, the client connects directly to the FTP server.



Iconv Encoded Character Sets

FTP allows you to specify multi-byte translation tables in two different ways.

Use this panel to specify the iconv settings for multi-byte data connections.

FTP uses the iconv application programming interface to translate between two code pages.

These tables are active only when ENCODING is set to multi-byte character sets. By default, FTP sets ENCODING for single byte data transfers. ENCODING can be set to multi-byte character sets by either the SITE command or by selecting the "Use multi-byte translation" radio button. If you select the "Use multi-byte translation" radio button, all data transfers will be done using multi-byte translation unless you use the SITE command to set ENCODING for single byte translation.

Before you begin, know the name of the iconv character sets and if you want the data connection to use multi-byte translation tables by default.

Steps

  1. Enter the name of the network iconv character set.
  2. Enter the name of the file system iconv character set.
  3. Optionally, indicate the default translation tables used are the multi-byte tables you entered.

You have completed this panel after you have entered the iconv network and file system character sets.

Fields

Network transfer encoded character set

File system encoded character set

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Network transfer encoded character set

Enter an iconv encoded character set.

Click below to see a list of supported ICONV codepage pairs.

Supported Multi-byte ICONV encoded character sets



Supported Multi-byte ICONV encoded character sets

Supported codepage pairs:

Support for                  File system           Network transfer
Chinese standard GB18030     IBM-1388 or UTF-8     IBM-5488
BIG5                         IBM-937               IBM-950 or BIG5
EUCKANJI                     IBM-930               IBM-eucJP
JIS78KJ (JISROMAN)           IBM-930               IBM-5053
JIS78KJ (ASCII)              IBM-939               IBM-5055
JIS83KJ (JISROMAN)           IBM-930               IBM-5052
JIS83KJ (ASCII)              IBM-939               IBM-5054
KSC5601                      IBM-933               IBM-949
SCHINESE                     IBM-935               IBM-1381
SJISKANJI                    IBM-930 or IBM-939    IBM-932 or IBM-eucJC
TCHINESE                     IBM-937               IBM-948

Other code page pairs might be accepted when specified. However, the ones listed in this table have been verified to produce the support that is listed in the table.



File system encoded character set

An iconv encoded character set.

Click below to see a list of supported ICONV codepage pairs.

Supported Multi-byte ICONV encoded character sets



SQL

Use this panel to customize settings related to FTP SQL queries.

FTP enables you to submit a Structured Query Language (SQL) SELECT query to the DB2 subsystem and receive the results of the SQL query. FTP can perform this function as either the server or the client.

In order to perform the SQL SELECT query, the server requires that you define both the DB2 subsystem name and the DB2 plan name. The DB2 subsystem name is required since an MVS system can run several DB2 systems simultaneously. The plan name specifies the name of the specific DB2 system that you want to query. The DB2 plan name is the name of the plan built during the DB2 bind process. The plan specifies the access paths to the DB2 tables, checks the user's authority, and validates the SQL statements.

Before you begin, know the name of the DB2 subsystem and the DB2 plan for the database you want to query.

Steps

  1. Enter the name of the DB2 subsystem.
  2. Enter the name of the DB2 plan.
  3. Optionally, you may select the format for the SQL output and the column header names to be used.

You have completed this panel if you have entered the DB2 subsystem and plan names.

Fields

DB2 Subsystem Name

DB2 Plan Name

Output format

Client login mode (FILETYPE=SQL) (only available for FTP clients)

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



DB2 Subsystem Name

Syntax rules:



DB2 Plan Name

Syntax rules:



Output format

FTP allows you to specify the format for the output of the SQL query, and to choose the column header.

The default report format puts one or more blank spaces between the columns, and it lists the SQL query, the column headings, and the resulting columns. You may also select the spreadsheet format option. The spreadsheet option puts a TAB character before the first character of each column entry, except the first column. The spreadsheet format enables the SQL output data to be easily imported into a spreadsheet program. See your spreadsheet program documentation for instructions about how to import the output of the SQL query.

FTP also allows you to specify whether the column headers are determined from the column's name or label in the DB2 database.

To use the spreadsheet output format check the box labeled "Use spreadsheet format for query output (SPREAD)".

To use the DB2 database's column name, select the radio button labeled "Names of database columns". To use the DB2 database's column label, select the radio button labeled "Labels of database columns".

Since the column label is optional in DB2, if you choose to use column labels for the output header you also need to specify whether the column name or column number should be used if no column label is found.



Client login mode (FILETYPE=SQL)

This setting is only available when configuring an FTP client.

If you would like to use this client configuration mainly for the purpose of running SQL queries on DB2 databases, select the box labeled "Start the client in SQL mode". If you have started an FTP session in SQL mode, you may return at any time to normal FTP processing by issuing the SITE FILETYPE=SEQ command.



FTP Client Wizard: Welcome

Welcome to the z/OS FTP client configuration wizard.

As you proceed through the wizard, you will use the "Next", "Back" and "Finish" buttons to proceed through a few basic panels where you will configure:

  1. The member name of the FTP client configuration file. An FTP configuration file will be created as a member of a partitioned data set extended (PDSE). The name of the PDSE is set in the Basic Settings task.
  2. Settings for either the TLS or Kerberos protocols, if security is desired.

After completion of the wizard:

Push buttons
Click Next to advance to the next wizard panel.
Click Cancel to negate any entries you have made in this wizard.
Click Help to understand more about this panel.



Cipher Selection

Use this panel to select which cipher algorithm to add to your cipher choices.

Steps:

  1. Select a cipher from the drop down list.
  2. Click "OK" to add the selected cipher to your list of cipher choices.

Push buttons
Click OK to add the selected cipher to your list of cipher choices.
Click Cancel to exit without adding the selected cipher to your list.
Click Help to understand more about this panel.



FTP Client Wizard: Member Name

Use this panel to enter the member name of the FTP client configuration file. An FTP configuration file will be created as a member of a partitioned data set extended (PDSE). The name of the PDSE was assigned in the Basic Settings task. To modify the PDSE name, return to the IBM TCP/IP Configuration Demo for z/OS main customization panel and go to the Basic Settings task.

Syntax rules:

You have completed this panel after you have entered the member name and clicked on the "Next" button.

Push buttons
Click Next to advance to the next wizard panel.
Click Back to return to the previous wizard panel.
Click Cancel to negate any entries you have made in this wizard.
Click Help to understand more about this panel.



Checkpoint / Restart

Use this panel to specify settings related to restarting data transfers that fail when the transfer was executed in block or compressed mode.

Before you begin, understand that FTP supports two subcommands for restarting data transfers that fail.

If you want to be able to use the restart command to restart data transfers for block or compressed mode, you must use the settings on this panel to enable the checkpoint function prior to issuing a restart.

No settings are required to issue the srestart command for stream mode and the settings on this panel do not apply to stream mode.

Block, Compressed, and Stream Mode Information

Steps

  1. If you want to use the checkpoint/restart function for failed transfers when the client is the sending site, select "Yes; specify the checkpoint interval (CHKPTINT):" and enter the checkpoint interval.
  2. If you want to use the checkpoint/restart function for failed transfers when the server is the sending site, select "Yes" under the question "Should checkpointing occur when data is transferred from the server to the client during a GET operation (RESTGET)?".
  3. If you select to enable the checkpoint/restart function, select the high level qualifier for the required checkpoint file.

You have completed this panel after indicating whether you want to enable the checkpoint/restart function and entering the checkpoint interval.

You can find more detailed help on the following elements of this window:

Should checkpointing occur when data is transferred from the client to the server during a PUT operation?

Records

Should checkpointing occur when data is transferred from the server to the client during a GET operation (RESTGET)?

Checkpoint data will be stored in a file with a low level qualifier of FTP.CHECKPOINT. Select the high level qualifier (CHKPTPREFIX)

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Should checkpointing occur when data is transferred from the client to the server during a PUT operation?

This setting applies for data transfers when the FTP client is the sending site, for example, with a put command.

If you do not want to use the restart command, select "No".

If you do want to use the restart command, select "Yes; specify the checkpoint interval" and enter the checkpoint interval.

If you select "Yes", you must specify a checkpoint interval to indicate how often a restart marker is transmitted.



Records

Indicates the checkpoint interval at which restart markers are transmitted. The marker is transmitted after the specified number of records are sent.

Syntax rules:



Should checkpointing occur when data is transferred from the server to the client during a GET operation (RESTGET)?

This setting applies for data transfers when the FTP server is the sending site, for example, with a get command.

If you do not want to use the restart command, select "No".

If you do want to use the restart command, select "Yes".

If you want to use the restart command to restart a failed data transfer, you must enable this support for the client and the server. If the server is not enabled for this function, the setting on the client has no effect.



Checkpoint data will be stored in a file with a low level qualifier of FTP.CHECKPOINT. Select the high level qualifier (CHKPTPREFIX)

A checkpoint file residing on the client's system is required for the checkpoint/restart function, regardless of the direction of the file transfer (i.e. whether sending data from the client or receiving data from the server).

You can choose the location where the checkpoint data set will be created.



FTP Server Wizard: Finish

You have completed the z/OS FTP server configuration. Click "Finish" to save your settings.

After clicking "Finish":

Push buttons
Click Back to return to the previous wizard panel.
Click Finish to complete the wizard panels' specification.
Click Cancel to negate any entries you have made in this wizard.
Click Help to understand more about this panel.



Auto Mounting

Use this panel to indicate whether FTP should attempt to mount unmounted DASD volumes and unmounted tapes.

Steps

  1. Indicate whether to allow FTP to mount unmounted DASD volumes.
  2. Indicate whether to allow FTP to mount unmounted tapes.

You have completed this panel after making your selections.

You can find more detailed help on the following elements of this window:

AUTOMOUNT

AUTOTAPEMOUNT

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



AUTOMOUNT

Indicate if FTP should attempt to mount unmounted DASD volumes.

Select "Permit automatic mounting of unmounted DASD volumes" to indicate FTP should attempt the mount.

Select "Prevent automatic mounting" to indicate FTP should not attempt to mount unmounted volumes, and should fail the FTP transfer if the volume is not mounted.

This setting is available both when configuring FTP clients and FTP servers. It is applicable to the client when accessing files on the client's system. It is applicable to the server when accessing files on the server's system.



AUTOTAPEMOUNT

Indicate if FTP should attempt to mount unmounted tapes.

Select "Permit automatic allocation and mounting of unmounted tapes" to indicate FTP should attempt the mount.

Select "Prevent automatic allocation and mounting" to indicate FTP should not attempt to mount unmounted tapes, and should fail the FTP transfer if the volume is not mounted.

This setting is available both when configuring FTP clients and FTP servers. It is applicable to the client when accessing files on the client's system. It is applicable to the server when accessing files on the server's system.



MVS Data Set Attributes

Use this panel to specify the data set size for newly created data sets and settings related to partitioned data set creation.

All settings are available both when defining FTP clients and FTP servers. The settings are applicable to FTP clients when creating data sets on the client's system. The settings are applicable to FTP servers when creating data sets on the server's system.

Steps

  1. Indicate the data set size settings. These settings can be obtained from a data class or explicitly set by selecting "Use this value:".
  2. Indicate the directory block setting. This setting can be obtained from a data class or explicitly set by selecting "Use this value:".
  3. Indicate whether a newly created partitioned data set should be created as a PDS or PDSE. This setting can be obtained from a data class, or explicitly set by selecting "Use this value:".

You have completed this panel after selecting how FTP should obtain the data set size settings, the number of directory blocks, and the PDS or PDSE indication.

You can find more detailed help on the following elements of this window:

Data set size

Primary and Secondary

Partitioned data sets

DIRECTORY Blocks

Push buttons
Click Next to advance to the next wizard panel, which is available only if no storage class was specified.
Click Back to return to the previous wizard panel.
Click Finish to complete the wizard panels' specification, which is available only if a storage class was not specified.
Click Cancel to negate any entries you have made in this wizard.
Click Help to understand more about this panel.



Data set size

Use the data set size values to specify the size of newly created data sets.

The data set size is determined by the number of primary extents specified. The primary value is the number of desired blocks, tracks or cylinders which you select from the drop down "SPACETYPE" list. For example, if you select a SPACETYPE value of Blocks, then the value specified for Primary is a specified number of blocks. Likewise, if you select a SPACETYPE value of Tracks, then the value specified for Primary is a specified number of tracks. The secondary value is used when creating a data set if the primary value is not large enough.

The data set size values can be obtained from an SMS data class or you can specify the values.

If you did not specify an SMS data class on the first wizard panel, you are required to select a SPACETYPE entry and enter values for Primary and Secondary extents.

If you did specify an SMS data class set on the first wizard panel, then the data size values are obtained from the SMS data class. You can choose to override the obtained values by selecting "Use this value:", selecting a "SPACETYPE" entry, and entering values for "Primary" and "Secondary" extents.



Primary and Secondary

Syntax rules:



Partitioned data sets

Use the partitioned data set values to specify settings for newly created partitioned data sets (PDS) and newly created partitioned data set extended (PDSE).

Directory Blocks

The directory blocks value is used only for creating a PDS. The PDS contains a directory used as an index to locate members in the PDS. The directory is a set of 256-byte directory blocks. Each directory block contains pointers for 3 - 21 PDS members. If you expect to have 10 members in a PDS, you may want to specify 3 directory blocks, although 1 directory block may be sufficient.

The directory blocks value can be obtained from an SMS data class or you can enter a value.

If you did not specify an SMS data class on the first wizard panel, you are required to enter a directory blocks value; the default is 27.

If you did specify an SMS data class set on the first wizard panel, then the directory blocks value will be obtained from the SMS data class. You can choose to override the obtained value, by selecting "Use this value:" and entering the number of directory blocks.

Data set name type

When creating a partitioned data set, indicate whether it should be created as a partitioned data set (PDS) or as a partitioned data set extended (PDSE).

The PDS or PDSE decision will be obtained from an SMS data class if you do not indicate which to create.

If you did not specify an SMS data class on the first wizard panel, you should indicate your PDS or PDSE choice.

If you did specify an SMS data class set on the first wizard panel, then the PDS or PDSE choice is obtained from the SMS data class. You can choose to override the choice by selecting "Use this value:" and selecting your "PDS" or "PDSE" choice.



DIRECTORY Blocks

Syntax rules:



SOCKS: How to Access the FTP Server

Use this panel to define an entry in an FTP client SOCKS configuration file.

A SOCKS configuration file entry consists of an FTP server address and an indication whether to access that FTP server directly or through a SOCKS server. An entry can alternatively define a subnet, and indicate whether to access FTP servers in the subnet directly or through a SOCKS server.

When the FTP client logs in, the user specifies an FTP server address to connect to. The FTP client code accesses the SOCKS configuration file and looks for the FTP server's address or a matching subnet. It scans the entries from the top down and the first match found is used to determine whether to access the FTP server directly or through a SOCKS server.

Steps

  1. Identify the FTP server
    1. Select either to enter "A specific FTP server" or "FTP servers in a subnet".
    2. If you select to enter "A specific FTP server", enter its IP address.
    3. If you select to enter "FTP servers in a subnet", enter the IP address and subnet mask combination.
  2. Indicate whether the logins to the FTP server address or subnet should connect the client directly to the FTP server or through a SOCKS server.
  3. If you select to connect through a SOCKS server, enter the address of the SOCKS server and select the SOCKS protocol.

You have completed this panel after you have entered the FTP server address or subnet and indicated whether logins to the FTP server address or subnet should connect directly to the FTP server or connect through a SOCKS server. If you selected to connect through a SOCKS server, the SOCKS server address is required.

You can find more detailed help on the following elements of this window:

Identify the FTP server

IP address

Subnet mask

FTP server access

IP address or host name of the SOCKS server

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Identify the FTP server

A SOCKS configuration file entry consists of an FTP server address and an indication whether to access that FTP server directly or through a SOCKS server. An entry can alternatively define a subnet, and indicate whether to access FTP servers in the subnet directly or through a SOCKS server.

To define an entry identifying a specific FTP server, select "A specific FTP server" and enter the server's IP address.

To define an entry identifying a subnet where FTP servers reside, select "FTP servers in a subnet" and enter the IP address and subnet mask combination. The IP address and subnet mask are logically ANDed together to calculate the subnet.
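
The top-down, first-match lookup described under "SOCKS table entries" and the address/mask AND described above, as an added example (not IBM's code and not part of the original help text). It assumes IPv4 dotted-decimal entries; Entry, build_table, route and shadowed are hypothetical names, and the second table is constructed to show an entry that an earlier subnet makes unreachable.

```python
"""First-match routing over FTP client SOCKS table entries (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Tuple

DIRECT = "Directly to FTP Server"   # display strings shown in the SOCKS table
SOCKS = "Use SOCKS Server"


def to_int(dotted: str) -> int:
    """Parse a dotted-decimal IPv4 address or mask; raises ValueError if invalid."""
    return int(ipaddress.IPv4Address(dotted))


@dataclass(frozen=True)
class Entry:                        # hypothetical model of one table entry
    address: str                    # FTP server address, or address part of a subnet
    action: str                     # DIRECT or SOCKS
    mask: str = "255.255.255.255"   # all-ones mask models "A specific FTP server"

    @property
    def mask_bits(self) -> int:
        return to_int(self.mask)

    @property
    def subnet(self) -> int:
        # The IP address and subnet mask are logically ANDed to get the subnet.
        return to_int(self.address) & self.mask_bits

    def matches(self, login_address: str) -> bool:
        return (to_int(login_address) & self.mask_bits) == self.subnet


def build_table(entries: Sequence[Entry], default_action: str) -> List[Entry]:
    """Append "All other FTP Servers": matches every address and is always last."""
    return list(entries) + [Entry("0.0.0.0", default_action, "0.0.0.0")]


def route(table: Sequence[Entry], login_address: str) -> Entry:
    """Scan from the top down; the first matching entry decides the access method."""
    for entry in table:
        if entry.matches(login_address):
            return entry
    raise LookupError("no match: table lacks the catch-all entry")


def shadowed(table: Sequence[Entry]) -> List[Tuple[int, int, bool]]:
    """Find entries that can never be used because an earlier entry matches
    every address they match. Returns (entry index, earlier index, conflict),
    where conflict is True when the two entries choose different access methods."""
    findings = []
    for j, later in enumerate(table):
        for i, earlier in enumerate(table[:j]):
            # earlier covers later if its mask tests only bits that later also
            # tests, and later's subnet agrees with earlier's on those bits.
            broader = (earlier.mask_bits & later.mask_bits) == earlier.mask_bits
            if broader and (later.subnet & earlier.mask_bits) == earlier.subnet:
                findings.append((j, i, later.action != earlier.action))
                break
    return findings


# The table from the page's example, with "All other FTP Servers" set to direct.
PAGE_TABLE = build_table(
    [Entry("3.3.3.3", DIRECT),
     Entry("5.5.5.5", SOCKS),
     Entry("6.6.0.0", SOCKS, "255.255.0.0")],
    DIRECT,
)

# Constructed misordering: the subnet sits above a specific server inside it,
# so the specific entry's "direct" choice is never applied.
MISORDERED_TABLE = build_table(
    [Entry("6.6.0.0", SOCKS, "255.255.0.0"),
     Entry("6.6.1.1", DIRECT)],
    DIRECT,
)

if __name__ == "__main__":
    for addr in ("3.3.3.3", "5.5.5.5", "6.6.6.6", "9.9.9.9"):
        print(f"{addr:10} -> {route(PAGE_TABLE, addr).action}")
    print("6.6.1.1 in misordered table ->", route(MISORDERED_TABLE, "6.6.1.1").action)
    for idx, by, conflict in shadowed(MISORDERED_TABLE):
        note = "different access method" if conflict else "same access method"
        print(f"entry {idx} is never reached (covered by entry {by}; {note})")
```

Running shadowed() over a table before saving it flags entries whose position means the access method chosen for them (direct or through the SOCKS server) is never applied.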



IP address

Syntax rules



Subnet mask

Syntax rules

The subnet value will be logically ANDed with the subnet mask to determine the subnet.



FTP server access

A SOCKS configuration file entry consists of an FTP server address and an indication whether to access that FTP server directly or through a SOCKS server. An entry can alternatively define a subnet, and indicate whether to access FTP servers in the subnet directly or through a SOCKS server.

To indicate logins to the FTP server or subnet, identified on this panel, should connect the client directly to the FTP server, select "Connect directly to the FTP server".

To indicate logins to the FTP server or subnet, identified on this panel, should connect the client to the FTP server through a SOCKS server:

  1. Select "Connect through a SOCKS server".
  2. Identify which SOCKS server the client should connect to at login. The SOCKS server can be identified by either its IP address or host name.
  3. Select the SOCKS protocol version as either Version 5 or Version 4.



IP address or host name of the SOCKS server

Your entry will first be checked to see if it is a valid IP address. If it is not, it is assumed to be a host name.

Syntax rules:

For an IP address:

For a host name:

For example:
mycomputer.city.company.com



List of Client Configurations

Use this panel to create new z/OS FTP client configurations or to modify existing client configurations.

The table shows the client configurations that are currently defined. Each table entry lists the configuration name and indicates if a security protocol is configured for the client.

Use the buttons on this panel to perform the desired tasks.

Push buttons



Banners

Use this panel to specify file names containing messages displayed to clients when connecting or logging in to the FTP server. This panel is also used to access additional configuration options to display customized messages to clients when users change directories.

Before you begin, decide if the FTP server should send customized messages to clients when starting a new connection, logging in, or changing directories.

Steps:

  1. If you want the FTP server to send a message to all users starting a new connection:
    1. Create an MVS data set or zFS file containing the message. Enter the message into the file as plain EBCDIC text.
    2. Enter the file name in the field labeled, "Message file for all users (BANNER):".
  2. If you want the FTP server to send a message to named users after login completion:
    1. Create an MVS data set or zFS file containing the message. Enter the message into the file as plain EBCDIC text.
    2. Enter the file name in the field labeled, "Message file for named users only (LOGINMSG):".
  3. If you want to make use of the %E keyword substitution function in any of the message files, enter the e-mail address.
  4. If you want FTP server to send customized messages to the user when directory changes occur, click the "Message Files..." button to configure this function.

You have completed this panel when you have entered the file names associated with the respective messages. All fields are optional, therefore, no entries are required if these functions are not desired.

You can find more detailed help on the following elements of this window:

Login messages (Optional)

Message file for all users (BANNER)

Message file for named users only (LOGINMSG)

E-mail substitution (ADMINEMAILADDRESS)

E-mail address

Directory messages (Optional)

Push buttons
Click Message Files... to configure customized messages that are sent when directory changes occur.
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Login messages (Optional)

You can configure the FTP server to display customized welcome or login messages to clients. Two configuration options are available, the BANNER message and the LOGINMSG message.

"Message file for all users (BANNER):"
Displays a message to the client when a new connection is started. This option applies to all users.
"Message file for named users only (LOGINMSG):"
Displays a message to the client after login completion. This option applies to named users only.

To activate any of these messages, specify the file name containing the message in the respective field on the configuration panel. Use of welcome and login messages is optional. Any of these options can be used in conjunction with the others.



Message file for all users (BANNER)

Use of the BANNER file is optional. If no BANNER file is specified, no message is displayed when starting a new connection. If a BANNER file is specified, up to 100 lines of the file are displayed to FTP clients starting a new connection.

Example:
A file is specified that contains the message:
HELLO WORLD; THIS IS MY BANNER MESSAGE!

When the client connects in, the following is displayed to the client:

D:\>ftp 9.42.103.112
Connected to 9.42.103.112.
220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 14:27:04 on 2002-10-29.

220-HELLO WORLD; THIS IS MY BANNER MESSAGE!
220 Connection will not timeout.
User (9.42.103.112:(none)):

To show a message to the client when starting a new connection, enter the name of the MVS data set or zFS file containing the message.

If it is a zFS file, it must adhere to the following syntax rules:

If it is an MVS data set, it must adhere to the following syntax rules:

The BANNER message may be used in conjunction with the LOGINMSG. The LOGINMSG is applicable only to named users. The LOGINMSG is shown to the client after the login is complete.

Example:
A BANNER file is specified that contains the message:
HELLO WORLD; THIS IS MY BANNER MESSAGE!

A LOGINMSG file is specified that contains the message:
HELLO NAMED USER; THIS IS MY LOGIN MESSAGE!

When the client connects and logs in, the following is displayed to the client:

D:\>ftp 9.42.103.112
Connected to 9.42.103.112.
220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 14:43:04 on 2002-10-29.

220-HELLO WORLD; THIS IS MY BANNER MESSAGE!
220 Connection will not timeout.
User (9.42.103.112:(none)): user1
331 Send password please.
Password:
230-HELLO NAMED USER; THIS IS MY LOGIN MESSAGE!
230 USER1 is logged on.  Working directory is "/u/user1".
ftp>



Message file for named users only (LOGINMSG)

Use of the LOGINMSG file is optional. If no LOGINMSG file is specified, no message is displayed after login completion. If a LOGINMSG file is specified, up to 100 lines of the file are displayed to the FTP client after login completion. The message is shown only to named FTP users.

Example:
A LOGINMSG file is specified that contains the message:
HELLO NAMED USER; THIS IS MY LOGIN MESSAGE!

When the named user logs in, the following is displayed to the client:

D:\>ftp 9.42.103.112
Connected to 9.42.103.112.
220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 15:17:11 on 2002-10-29.

220 Connection will not timeout.
User (9.42.103.112:(none)): user1
331 Send password please.
Password:
230-HELLO NAMED USER; THIS IS MY LOGIN MESSAGE!
230 USER1 is logged on.  Working directory is "/u/user1".
ftp>

To show a message to named users at login completion, enter the name of the MVS data set or zFS file containing the message.

If it is a zFS file, it must adhere to the following syntax rules:

If it is an MVS data set, it must adhere to the following syntax rules:

The LOGINMSG file may be used in conjunction with the BANNER file. The BANNER message is shown when a new connection is started, while the LOGINMSG message is shown after login completion.

Example:
A BANNER file is specified that contains the message:
HELLO WORLD; THIS IS MY BANNER MESSAGE!

A LOGINMSG file is specified that contains the message:
HELLO NAMED USER; THIS IS MY LOGIN MESSAGE!

When the client connects and logs in, the following is displayed to the client:

D:\>ftp 9.42.103.112
Connected to 9.42.103.112.
220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 14:43:04 on 2002-10-29.

220-HELLO WORLD; THIS IS MY BANNER MESSAGE!
220 Connection will not timeout.
User (9.42.103.112:(none)): user1
331 Send password please.
Password:
230-HELLO NAMED USER; THIS IS MY LOGIN MESSAGE!
230 USER1 is logged on.  Working directory is "/u/user1".
ftp>



E-mail substitution (ADMINEMAILADDRESS)

The message files specified on the Banners panel (BANNER, LOGINMSG) may include the keyword %E as part of the message text. You can specify a value that the FTP server will substitute for the %E keyword. This substitution also applies to the MVSINFO and HFSINFO message files located on the panel titled Directory Change Messages, which is accessed by clicking the "Message Files..." button.

This configuration option lets you identify the FTP server administrator. However, the value you enter is not restricted to an e-mail address, and specifying it is optional.

Example:
If a BANNER message file contains the following text:
MY BANNER MESSAGE. THIS IS MY EMAIL ADDRESS: %E

And you specified the following value as the E-mail address:
myaddress@us.mycompany.com

The following would be seen at the client when a new connection is started:

D:\>ftp 9.42.103.112
Connected to 9.42.103.112.
220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 18:49:45 on 2002-10-29.

220-MY BANNER MESSAGE.  THIS IS MY EMAIL ADDRESS myaddress@us.mycompany.com
220 Connection will not timeout.
User (9.42.103.112:(none)):



E-mail address

Syntax rules:



Directory messages (Optional)

After a client logs in, the user can change directories using the "cd" command. The FTP server can be configured to display customized messages to the client when the user changes to certain directories. If this function is desired, click the "Message Files..." button to configure this function.






Copy an FTP Client

Use this panel to configure a z/OS FTP client when you want to base its configuration on an existing FTP client. All settings for the new client will be identical to the old client except for the member name.

Steps

  1. Enter the member name for the new client. An FTP client configuration file will be created as a member of a partitioned data set extended (PDSE). This PDSE name was assigned in the Basic settings task.
  2. Click "OK" when you are done.

You have completed this panel after you have entered the configuration file's PDSE member name.

You can find more detailed help on the following elements of this window:

FTP client being copied

New FTP client information

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



FTP client being copied

You are creating a new FTP client and basing its configuration on an existing client. All settings for the new client will be identical to the existing client except for the member name.

Each configured FTP client is identified in the customization panels by the configuration file member name you defined. The member name of the existing client, which is being copied, is shown for your convenience.



New FTP client information

You are creating a new FTP client and basing its configuration on an existing client. All settings for the new client will be identical to the existing client except for the member name.

An FTP client configuration file will be created as a member of a partitioned data set extended (PDSE). This PDSE name was assigned in the Basic settings task. To change the PDSE name, return to the IBM TCP/IP Configuration Demo for z/OS main customization panel and go to the Basic Settings task.

You are required to enter the configuration member name for the client you are creating.

Syntax rules:



JES

Use this panel to specify the type of JES interface the FTP server uses, the data set options for files submitted to JES, and the timeout for the submitted jobs.

The FTP server provides users with a JES interface. This interface allows:

Before you begin, know which level of JES interface you use, whether you want to specify the data set for JES jobs, and the time limit you want placed on the submitted jobs.

Steps

  1. Select the level of JES interface that you wish to use.
  2. If you selected JES interface level 2, enter the maximum number of entries you want displayed at one time.
  3. Enter the record length.
  4. Select the record format.
  5. Enter the time the server waits for the job to complete.

You have completed this panel if you have selected a JES interface level, selected the JES data set options and specified JES timeout seconds.

Fields

JES interface level (JESINTERFACELEVEL)

Maximum JES entries

JES data set options (JESLRECL / JESRECFM)

Record Length

Record Format

JES time out (JESPUTGETTO)

Number of seconds

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



JES interface level (JESINTERFACELEVEL)

FTP allows for two settings for using the JES interface.

Select "Only jobs that match the ID under which user logged in (JESINTERFACELEVEL=1)" to have the FTP server use the JES interface provided in releases prior to OS/390 CS V2R10. At this level, the FTP user can submit jobs to JES, retrieve held output matching their logged-in user ID plus one character, and delete held jobs matching their logged-in user ID plus one character.

Select "Any job on any system where the user has JESSPOOL access. Requires special security setup. (JESINTERFACELEVEL=2)" to allow FTP users to retrieve and delete any job in the system permitted by the security access facility (SAF) resource class JESSPOOL. For that reason, specify this setting only if the proper JES and SDSF security measures are in place. The SAF controls used for JESINTERFACELEVEL=2 are essentially a subset of those used by SDSF. Therefore, if an installation has customized SAF facilities for SDSF, then they are configured for FTP JES level 2. Before customizing the FTP-to-JES interface, complete JES customization. For example, JESJOBS is a Security Access Facility (SAF) class that controls which users can submit jobs to JES. JESSPOOL is the SAF class that controls which users can access output jobs. Customize these SAF classes before beginning customization of the FTP-to-JES interface.

JESSPOOL defines resource names as <nodeid>.<userid>.<jobname>.<Dsid>.<dsname>. An FTP user can delete an output job if they have ALTER access to the resource that matches their nodeid, userid, and job name. If the FTP user has UPDATE access to the resource, they can list, retrieve, or GET the job output. (JESINTERFACELEVEL=2 uses the SAPI interface to JES, so UPDATE authority is required to list job status or retrieve job output.) For more information on JES security, refer to z/OS JES2 Initialization and Tuning Guide, SA22-7532. For more information on the SAPI interface, refer to z/OS MVS Using the Subsystem Interface, SA22-7642.

The FTP server employs SDSF resources to use three filters that control display of jobs.

  1. JESSTATUS can be changed with the SITE command to filter jobs in INPUT, ACTIVE, or OUTPUT state. The SDSF resources checked for these states are ISFCMD.DSP.INPUT.jesx, ISFCMD.DSP.ACTIVE.jesx, and ISFCMD.DSP.OUTPUT.jesx, respectively. At login time (USER command), the default value is set to ALL if READ access is allowed to all three classes. Otherwise SDSF attempts to set JESSTATUS to OUTPUT, ACTIVE, and then INPUT if the appropriate READ access is allowed. If no READ access is allowed to any of the classes, JESSTATUS is set to OUTPUT but JESOWNER and JESJOBNAME cannot be changed from the default. In this way, SAF controls can be put in place to limit FTP users to whatever status of jobs an installation requires.
  2. At login time, JESOWNER will have the value of the logged-in user ID. Authority to change JESOWNER is obtained through READ access to RACF profile ISFCMD.FILTER.OWNER. An FTP user who has READ access to ISFCMD.FILTER.OWNER can change the JESOWNER parameter with the SITE command.
  3. JESJOBNAME - At login time, JESJOBNAME will have the value of the logged-in user ID plus an asterisk (*). Authority to change JESJOBNAME is obtained through READ access to RACF profile ISFCMD.FILTER.PREFIX. An FTP user who has READ access to ISFCMD.FILTER.PREFIX can change the JESJOBNAME parameter with the SITE command.
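
The login-time filter rules and the JESSPOOL access rules above can be modeled to review what a given user could reach at JESINTERFACELEVEL=2. This is an added example, not IBM code: the function names, the subsystem name JES2, the sample permissions and the sample jobs are all constructed, and the model covers only the rules stated in this section.

```python
# Added example: model of the JESINTERFACELEVEL=2 rules stated in this section.
ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF levels, lowest first

# Constructed inputs: SDSF resources the user has READ access to, and jobs with
# the user's effective JESSPOOL access to each (as a SAF check would report it).
SAMPLE_READ = {"ISFCMD.DSP.OUTPUT.JES2", "ISFCMD.FILTER.OWNER"}
SAMPLE_JOBS = [
    {"owner": "USER1",   "jobname": "USER1A",   "state": "OUTPUT", "access": "ALTER"},
    {"owner": "PAYROLL", "jobname": "PAYRUN",   "state": "OUTPUT", "access": "UPDATE"},
    {"owner": "OPS",     "jobname": "BACKUP",   "state": "ACTIVE", "access": "ALTER"},
    {"owner": "AUDIT",   "jobname": "AUDITRPT", "state": "OUTPUT", "access": "READ"},
]


def at_least(have, need):
    """True if access level `have` is equal to or higher than `need`."""
    return ACCESS_ORDER.index(have) >= ACCESS_ORDER.index(need)


def login_filters(userid, sdsf_read, jes="JES2"):
    """Filter values set at login (USER command) and whether they can be changed."""
    # Order matters: when not all three are readable, OUTPUT is tried first,
    # then ACTIVE, then INPUT.
    states = [s for s in ("OUTPUT", "ACTIVE", "INPUT")
              if f"ISFCMD.DSP.{s}.{jes}" in sdsf_read]
    locked = not states          # no READ to any state: owner/jobname are fixed
    if len(states) == 3:
        status = "ALL"
    elif states:
        status = states[0]
    else:
        status = "OUTPUT"
    return {
        "JESSTATUS": status,
        "viewable_states": states or ["OUTPUT"],
        "JESOWNER": userid,
        "JESJOBNAME": userid + "*",
        "can_change_owner": not locked and "ISFCMD.FILTER.OWNER" in sdsf_read,
        "can_change_jobname": not locked and "ISFCMD.FILTER.PREFIX" in sdsf_read,
    }


def job_actions(access):
    """FTP actions allowed by a JESSPOOL access level (UPDATE and ALTER rules)."""
    actions = set()
    if at_least(access, "UPDATE"):
        actions |= {"list", "retrieve"}
    if at_least(access, "ALTER"):
        actions.add("delete")
    return actions


def reachable_jobs(userid, sdsf_read, jobs, jes="JES2"):
    """Jobs the user can bring into view with SITE changes, and what they can do."""
    f = login_filters(userid, sdsf_read, jes)
    result = []
    for job in jobs:
        if job["state"] not in f["viewable_states"]:
            continue
        if job["owner"] != userid and not f["can_change_owner"]:
            continue
        if not job["jobname"].startswith(userid) and not f["can_change_jobname"]:
            continue
        actions = job_actions(job["access"])
        if actions:
            result.append((job["owner"], job["jobname"], sorted(actions)))
    return result


if __name__ == "__main__":
    print(login_filters("USER1", SAMPLE_READ))
    for row in reachable_jobs("USER1", SAMPLE_READ | {"ISFCMD.FILTER.PREFIX"}, SAMPLE_JOBS):
        print(row)
```

Any row whose owner differs from the logged-in user ID is a job that the SAF setup exposes to that user through FTP.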



Maximum JES entries

Syntax rules:



JES data set options (JESLRECL / JESRECFM)

The FTP server allows you to specify the record format and length of the jobs submitted. The record format is used during dynamic allocation of the internal reader when submitting jobs to JES.

Both the record format and record length values can be specified here or can be set to the same value that FTP uses when creating data sets.

To set the JES record length to use the same value used in data set creation, specify the * character.

To set the JES record format to use the same value used in data set creation, select the "Default" value from the drop down list.



Record Length

Syntax rules:



Record Format

Select an entry from the drop down list of record format options.

Select the "Default" option if you would like to use the same record format FTP uses when creating data sets. This value is specified in "Data Set Attributes..." under the MVS/HFS Files tab.



JES time out (JESPUTGETTO)

The JES put/get timeout is used when the FTP client performs a GET with a source and a target name. The source job is submitted to JES. The server waits until the JES PutGet timeout expires or until the job completes. If the job completes, it stores the output in the target name file. If the job does not complete, the FTP client displays a reply to the end user.

Set the JES timeout value high enough for most jobs to complete within the specified time but not so high (for example, 86400) that end users wait excessive amounts of time for job completion.



Number of seconds

Syntax rules:



Translation

Use this panel to access the FTP translation settings.

FTP uses translation tables to convert transmitted data from the z/OS UNIX file system (host EBCDIC) to the network (usually ASCII). FTP supports three different forms of translation tables:

  1. Iconv - FTP uses the iconv application programming interface to translate between two code pages. Iconv uses the network and z/OS UNIX file system character code pages you specify to create the translation tables used by FTP.
  2. FTP internal tables - FTP provides an internal table for single byte translation and a set of internal tables for multi-byte translations. The FTP single byte translation table is the same as the one shipped in TCPXLBIN(STANDARD).
  3. Translation tables generated by the CONVXLAT utility. Since translation tables do not always include all the desired characters, you may use the CONVXLAT utility to create or customize your own translation tables. TCP/IP provides a set of tables that you can customize under the hlq.SEZATCPX data set. Using iconv conversion to retrieve EBCDIC data that was created with the CONVXLAT-generated conversion tables could result in data corruption due to possible conversion table differences.

Control connection translation

For the control connection, FTP generally uses ISO8859-1 for the network code page and IBM-1047 for the z/OS UNIX file system code page. FTP also allows you to specify either the internal single byte or CONVXLAT created translation tables to be used. To allow for UTF-8 support, you may select the allow UTF8 pathnames option under control connection settings. This starts FTP using the ISO8859-1 iconv code page and negotiates a switch to UTF8 encoding of the control connection, as described in RFC 2640.

Data connection translation

For the transfer of data on the data connection, FTP supports:

Steps

  1. If you want to modify your translation settings for the control connection, click the "Control Connection Settings..." button.
  2. If you want to modify your translation settings for data connection using single-byte translations, click the "Single Byte Data Connection Settings..." button.
  3. If you want to modify your translation settings for data connection using multi-byte translations, click the "Multi-byte Data Connection Settings..." button.

You have completed this panel after you have made your translation modifications.

Push buttons
Click Control Connection Settings... to modify your translation settings for the control connection.
Click Single Byte Data Connection Settings... to modify your translation settings for single byte data connections.
Click Multi-byte Data Connection Settings... to modify your translation settings for multi-byte data connections.
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Volume Serial

Use this panel to enter a volume serial number to be added to the volume list.

Syntax rules

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



SOCKS Server

Use this panel to define settings allowing FTP clients to use SOCKS servers to access FTP servers.

Steps

  1. If you do not want to use SOCKS servers, select "Do not use SOCKS servers to access FTP servers".
  2. If you want to use SOCKS servers to access FTP servers,
    1. You must create a SOCKS configuration file.
    2. If you have already created the SOCKS configuration file, select "Use SOCKS configuration file I already have" and enter the fully qualified name of the file.
    3. Or you can create SOCKS configuration files from this panel. Select "Use the created SOCKS configuration file selected below" and click the "New..." button to create a SOCKS configuration file.

You have completed this panel after indicating you do not want to use SOCKS servers, or indicating which SOCKS configuration file the FTP client should use.

You can find more detailed help on the following elements of this window:

The fully qualified MVS data set or the absolute zFS pathname of the SOCKS configuration file (SOCKSCONFIGFILE)

Use the created SOCKS configuration file selected below

Push buttons
Click New... to create a SOCKS configuration file.
Click Edit... to modify the selected SOCKS configuration file.
Click Delete to delete the selected SOCKS configuration file from the list.
Click Report... to show the configuration file of the selected entry.
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



The fully qualified MVS data set or the absolute zFS pathname of the SOCKS configuration file (SOCKSCONFIGFILE)

Syntax rules:
If it is a zFS file, it must adhere to the following syntax rules:


If it is an MVS data set, it must adhere to the following syntax rules:



Use the created SOCKS configuration file selected below

Selecting "Use the created SOCKS configuration file selected below" allows you to use the GUI to create SOCKS configuration files for FTP clients.

Click the "New..." button to create a SOCKS configuration file, click the "Edit..." button to modify a selected SOCKS configuration file, and click the "Remove" button to remove the selected SOCKS configuration file from the list.

The first time you select "Use the created SOCKS configuration file selected below" you will see the following displayed:

"Active SOCKS configuration file: None"

After you have created a SOCKS configuration file, the display will be updated to indicate the Active SOCKS configuration file as the one you just created.

You may create multiple SOCKS configuration files. All FTP clients you create using the GUI will see the list of all SOCKS configuration files created using the GUI. Once you have created a SOCKS configuration file using the GUI, if you create new FTP clients, you can just click on a SOCKS configuration file in the list to make it the client's active SOCKS configuration file.

If there are multiple SOCKS configuration files listed, you can change the active configuration file for a client by clicking on a different SOCKS configuration file in the list. The display of the active SOCKS configuration file will be updated immediately to indicate your new selection.

You can use the "Report..." button at any time to show the complete SOCKS configuration file for a selected entry. This will show you the exact configuration statements and parameters that will be produced by the GUI.

Be aware that selecting an entry from the SOCKS configuration file list will ultimately produce the FTP.DATA client configuration statement SOCKSCONFIGFILE. The SOCKSCONFIGFILE statement's parameter is a fully qualified MVS data set name, which contains the SOCKS configuration file. Therefore, the SOCKSCONFIGFILE's parameter will be the name of the PDSE with the SOCKS configuration file name concatenated as the member name. Keep this in mind in case you relocate the SOCKS configuration file.



Browser Access

Use of the browser access token is optional. If you use a browser to access the FTP server, and you will access MVS data sets with the browser, then you need to specify the token. The token represents an arbitrary set of characters that you will enter in your FTP URL to signify that an MVS data set name follows the token.

It is recommended that you avoid using symbols in the token that the browser might interpret as special or meta characters.

WebSphere Application Server (WAS) provides a similar MVS data set token and you may want to use the same token for WAS and FTP.

Syntax rules

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Security Behavior

Use this panel to customize the security behavior.

Before you begin, you should understand:

Steps

  1. If you require FTP sessions to use a security protocol, check the box "Clients must use secure connections".
  2. If you require client certificate authentication, check the box "Require client certificate authentication". In addition to client certificate authentication:
    1. If you require additional verification of the user ID, check the box "Verify client user ID".
    2. If you want to use client certificate authentication to eliminate the need for clients to specify a password when logging in, check the box "Do not prompt for a password". This setting is only applicable if you enabled the server for the TLS protocol and has no effect on Kerberos protocol behavior.
    These settings are available only when configuring a server and do not apply when configuring a client.
  3. Select the data connection security level.
  4. Select the control connection security level. This setting is available only if you chose to use the Kerberos protocol and has no effect if using TLS.

You have completed this panel after making your security protocol required selection, your client certificate authentication selection, your data connection security level selection, and your control connection security level selection.

You can find more detailed help on the following elements of this window:

Security protocol required (SECURE_FTP)

Client certificate authentication (SECURE_LOGIN, SECURE_PASSWORD) (only available for FTP servers)

Data connection security level (SECURE_DATACONN)

Control connection security level (SECURE_CTRLCONN) (only available for Kerberos)



Security protocol required (SECURE_FTP)

Use this setting to indicate whether use of a security protocol is optional or required.

This setting is applicable both when configuring an FTP client and an FTP server.

If configuring an FTP Server:

You have indicated the server is enabled for Transport Layer Security (TLS), or Kerberos, or both.

If you check the box labeled "Clients must use secure connections", the server requires all clients to log in using a security protocol.

If you do not check the box labeled "Clients must use secure connections", the server allows clients to log in using a security protocol, but it is not required.

If configuring an FTP Client:

You have selected the security mechanism Transport Layer Security (TLS) or Kerberos. The client logs in using the specified security mechanism.

If you check the box labeled "Clients must use secure connections", the client logs in using the specified security mechanism. If the server does not support the client's security mechanism, the login fails and the client cannot log in.

If you do not check the box labeled "Clients must use secure connections", the client logs in using the specified security mechanism. If the server does not support the client's security mechanism, the server indicates this back to the client. The client then completes the login, but without using a security mechanism.



Client certificate authentication (SECURE_LOGIN, SECURE_PASSWORD)

These settings are available only when configuring an FTP server.

Use these settings to indicate whether the FTP server requires client authentication.

These settings apply to both TLS and Kerberos; however, only the "Verify client user ID" selection modifies the behavior for Kerberos. Also note that the term "certificate" is actually TLS terminology. In Kerberos terminology, the equivalent of a certificate is a ticket, which contains credentials.

"Require client certificate authentication"
Check to indicate you want the server to authenticate client certificates.

This selection does not affect Kerberos behavior. Kerberos always processes the client's ticket.

For TLS, client certificate authentication occurs during the SSL handshake. To pass authentication, the Certificate Authority (CA) that signed the client certificate must be considered trusted by the server. This means a certificate for the CA that issued the client certificate is listed as trusted in the server's keyring.
"Verify client user ID"
Check to indicate that in addition to client certificate authentication, the user's ID is further verified.

For TLS: For Kerberos the user ID in the client's ticket is verified to match the login user ID.
"Do not prompt for a password"
Check to indicate the client certificate authentication process is used to eliminate the login password prompt. A client supplies only the login user ID to establish the session.

This setting is applicable only to TLS.

The certificate received from the client must be registered in the security product and must be associated with the login user ID. You can use the RACDCERT ADD command to register and associate the certificate.

If either the certificate is not registered or is not associated with the user ID, then the user will be prompted for a password. However, if you checked "Verify client user ID", the login will fail because the user ID could not be verified.



Data connection security level (SECURE_DATACONN)

This setting is used to indicate the level of security used on data connections and applies to both TLS and Kerberos.

Terminology

Definitions for terms used on the page.
Integrity protected, data integrity, or data authentication
Indicates an algorithm is applied to the data being transferred, which modifies the data such that the receiving program can verify the data was not modified or changed during the transfer.
Privacy protected
Indicates an algorithm is applied to the data being transferred which encrypts or scrambles the data such that only the receiving program can use a special key to decrypt or unscramble the data to its original format. The original data cannot be seen or interpreted while the data is in transit.
Raw
Indicates data is transmitted without being modified by any encryption or data integrity algorithms.
Encipher or cipher algorithm
Data being transferred is encrypted, integrity protected, or both. This term does not imply which algorithm is used and does not imply the data is encrypted.

There are differences between TLS and Kerberos.

For TLS, system SSL services and protocols are used to negotiate which cipher algorithm is used for the FTP session. The system SSL has multiple cipher algorithms, which provide both encryption and data authentication (i.e. data integrity). Encryption scrambles the data so it is transferred confidentially and cannot be interpreted without a special key. Data authentication algorithms ensure the data was not modified during transfer. Some of the supplied cipher algorithms provide only data authentication, and some provide both encryption and authentication. You can customize which cipher algorithms should be used by FTP. However, be aware that the actual cipher algorithm used for the session is determined after a negotiation between the server and client. For example, if you configure an FTP server to use the "Triple DES encryption, SHA authentication" algorithm, but the client does not support that algorithm, it will not be used.

For Kerberos, the system Kerberos (Network Authentication Service) provides the encryption and integrity algorithms. You can request data to be enciphered for integrity protection, or for both privacy and integrity protection. However, the algorithms used by Kerberos cannot be customized or negotiated.

The data connection security level is available both when configuring a client and a server.

Selections when configuring an FTP Server

NEVER
Indicates the server requires data to be transferred raw with no cipher algorithm applied to the data. Clients attempting to use ciphers are rejected.
CLEAR
Indicates the client decides whether data will be transferred raw or enciphered.

For TLS, the client decides whether data will be enciphered or not. If it indicates it should be enciphered, the cipher algorithm is chosen using TLS protocols.

For Kerberos, the client can specify whether data will be transferred raw, integrity protected only, or both integrity and privacy protected.
PRIVATE
Indicates the server requires data to be transferred enciphered. Clients attempting to send raw data are rejected.

For TLS, the cipher algorithm is chosen using TLS protocols.

For Kerberos, the data must be transferred using both integrity and privacy protection. Clients attempting to send data that is only integrity protected are rejected.
SAFE
For TLS, selecting this option is identical to the PRIVATE selection.

For Kerberos, the data must be transferred using integrity protection only, or using both integrity and privacy protection. Clients attempting to send raw data are rejected.

Selections when configuring an FTP Client

Before you begin, you should understand that the level of security for data connections is determined by both the configuration settings on this page and by commands an FTP user may issue during an FTP session. The following commands can be issued by the user:

clear
resets the security level so that data is transferred raw.
private
resets the security level so that data is transferred enciphered. If the client is using the Kerberos security mechanism, the data is transferred both integrity protected and privacy protected. If the client is using the TLS security mechanism, the cipher algorithm is chosen using the TLS protocol negotiation.
safe
resets the security level so that data is transferred integrity protected only. This command is applicable only to sessions using the Kerberos security mechanism.
NEVER
Indicates the client requires data to be transferred raw with no cipher algorithm applied to the data.
CLEAR
Indicates the data can be transferred raw or enciphered.

By default, data is transferred raw. However, the user can issue the private command during the FTP session to change the data connection security level so data is transferred enciphered. The user can also issue the clear command to reset the data connection security level, so data is transferred raw again.

For TLS, if the private command is issued, the cipher algorithm is chosen using TLS protocols.

For Kerberos, if the private command is issued, data is transferred both integrity and privacy protected. In addition to the private and clear commands, the user can issue the safe command to change the data connection security level so data is transferred integrity protected only.
PRIVATE
Indicates the client requires data to be transferred enciphered.

For TLS, the cipher algorithm is chosen using TLS protocols.

For Kerberos, data is transferred both integrity and privacy protected.
SAFE
For TLS, selecting this option is identical to the PRIVATE selection.

For Kerberos, indicates the data can be transferred integrity protected only, or both integrity and privacy protected. By default, data is transferred integrity protected only. However, the user can issue the private command during the FTP session to change the data connection security level so data is transferred both integrity and privacy protected. The user can also issue the safe command to reset the data connection security level back, so data is transferred integrity protected only.



Control connection security level (SECURE_CTRLCONN)

This setting is used to indicate the level of security used on control connections and applies only to Kerberos. When using TLS, the control connection is required to be enciphered and this setting has no effect on the TLS behavior.

Terminology

Definitions for terms used on the page.
Integrity protected, data integrity, or data authentication
Indicates an algorithm is applied to the data being transferred, which modifies the data such that the receiving program can verify the data was not modified or changed during the transfer.
Privacy protected
Indicates an algorithm is applied to the data being transferred which encrypts or scrambles the data such that only the receiving program can use a special key to decrypt or unscramble the data to its original format. The original data cannot be seen or interpreted while the data is in transit.
Raw
Indicates data is transmitted without being modified by any encryption or data integrity algorithms.
Encipher or cipher algorithm
Data being transferred is encrypted, integrity protected, or both. This term does not imply which algorithm is used and does not imply the data is encrypted.

The system Kerberos (Network Authentication Service) provides the encryption and integrity algorithms. You can request the control connection data (FTP commands and replies) to be enciphered for integrity protection, or for both privacy and integrity protection. However, the algorithms used by Kerberos cannot be customized or negotiated.

The data transferred on control connections always consists of FTP commands and replies.

The control connection security level setting is available both when configuring a client and a server.

Selections when configuring an FTP Server

CLEAR
Indicates the client decides whether data will be transferred raw, integrity protected only, or both integrity and privacy protected.
PRIVATE
Indicates the server requires data to be transferred using both integrity and privacy protection. Clients attempting to send raw data, or data that is integrity protected only, are rejected.
SAFE
Indicates the server requires data to be transferred using integrity protection only, or using both integrity and privacy protection. Clients attempting to send raw data are rejected.
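
The server selections for the data connection (SECURE_DATACONN) and the control connection (SECURE_CTRLCONN) described above can be modelled as a policy check that shows which settings still let traffic travel unprotected. This is an added example, not code from the product; the function names, the level labels and the sample inputs are assumptions made for illustration.

```python
# Added illustration of the server selections described in the text.
# Level labels and function names are hypothetical, not product identifiers.
RAW = "raw"
INTEGRITY = "integrity-only"   # Kerberos "safe"
PRIVATE = "private"            # Kerberos: integrity + privacy.
                               # TLS: enciphered with the negotiated cipher.

# User commands for the data connection and the level each one requests.
DATA_COMMANDS = {"clear": RAW, "safe": INTEGRITY, "private": PRIVATE}


def expressible(mechanism):
    """Levels a client can request at all under the given mechanism."""
    if mechanism == "TLS":
        return {RAW, PRIVATE}              # no integrity-only level under TLS
    if mechanism == "KERBEROS":
        return {RAW, INTEGRITY, PRIVATE}
    raise ValueError(f"unknown mechanism: {mechanism!r}")


def accepted_levels(connection, mechanism, setting):
    """Levels the server accepts on a 'data' or 'control' connection."""
    if connection not in ("data", "control"):
        raise ValueError(f"unknown connection type: {connection!r}")
    possible = expressible(mechanism)
    if connection == "control":
        if mechanism == "TLS":
            return {PRIVATE}               # always enciphered, setting ignored
        if setting == "NEVER":
            raise ValueError("NEVER is not a control connection selection")
    required = {
        "NEVER": {RAW},
        "CLEAR": possible,                 # the client decides
        "PRIVATE": {PRIVATE},
        "SAFE": {INTEGRITY, PRIVATE},      # collapses to PRIVATE under TLS
    }
    if setting not in required:
        raise ValueError(f"unknown setting: {setting!r}")
    return required[setting] & possible


def replay(mechanism, data_setting, commands):
    """Replay user data-protection commands against a server setting."""
    allowed = accepted_levels("data", mechanism, data_setting)
    outcomes = []
    for command in commands:
        level = DATA_COMMANDS[command]
        if level not in expressible(mechanism):
            outcomes.append((command, "not applicable"))
        elif level in allowed:
            outcomes.append((command, "accepted"))
        else:
            outcomes.append((command, "rejected"))
    return outcomes


def audit(config):
    """List the ways a server configuration lets traffic go unprotected."""
    mechanism = config["mechanism"]
    findings = []
    data = accepted_levels("data", mechanism, config["SECURE_DATACONN"])
    if data == {RAW}:
        findings.append("data: protection is refused, all transfers are raw")
    elif RAW in data:
        findings.append("data: client may transfer raw")
    if INTEGRITY in data:
        findings.append("data: client may drop privacy (integrity only)")
    if mechanism == "TLS":
        if "SECURE_CTRLCONN" in config:
            findings.append("control: SECURE_CTRLCONN has no effect under TLS")
        return findings
    control = accepted_levels("control", mechanism, config["SECURE_CTRLCONN"])
    if RAW in control:
        findings.append("control: commands and replies may be sent raw")
    if INTEGRITY in control:
        findings.append("control: commands and replies may be integrity only")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration.
    sample = {"mechanism": "KERBEROS", "SECURE_DATACONN": "SAFE",
              "SECURE_CTRLCONN": "CLEAR"}
    for finding in audit(sample):
        print(finding)
    print(replay("KERBEROS", "PRIVATE", ["clear", "safe", "private"]))
```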

Selections when configuring an FTP Client

Before you begin, you should understand that the level of security for control connections is determined both by the configuration settings on this page and by commands an FTP user may issue during an FTP session. The following commands can be issued by the user:

cprotect clear
resets the security level so that data is transferred raw.
cprotect private
resets the security level so that data is transferred both integrity protected and privacy protected.
cprotect safe
resets the security level so that data is transferred integrity protected only.
CLEAR
Indicates the data can be transferred raw, integrity protected, or both integrity and privacy protected.

By default, data is transferred raw. However, the user can issue the cprotect private and cprotect safe commands during the FTP session to change the control connection security level. Issuing the cprotect private command changes the control connection security level so data is transferred both integrity and privacy protected. Issuing the cprotect safe command changes the control connection security level so data is transferred integrity protected only. The user can also issue the cprotect clear command to reset the control connection security level, so data is transferred raw again.
PRIVATE
Indicates the client requires data to be transferred both integrity and privacy protected.
SAFE
Indicates the data can be transferred integrity protected only, or both integrity and privacy protected.

By default, data is transferred integrity protected only. However, the client can issue the cprotect private command during the FTP session to change the control connection security level so data is transferred both integrity and privacy protected. The user can also issue the cprotect safe command to reset the control connection security level back, so data is transferred integrity protected only.



Encryption Choices

Use this panel to customize cryptographic algorithms. FTP uses the encryption services of SSL or TLS to protect data. Your z/OS system SSL/TLS provides a defined set of encryption and data authentication algorithms we refer to as ciphers. The encryption algorithm scrambles the data so that it cannot be interpreted. The data authentication algorithm ensures that the data is delivered completely without alteration.

Before you begin, make some decisions about security.

Steps

  1. Click the button that describes what you want to do (use the defaults, or select which algorithms).
  2. If you select that you want to specify algorithms, specify if this system is subject to export regulations.
  3. Click the "Add..." button to select which ciphers you want FTP to use. Repeat until you have added all the cipher choices you desire.
  4. The order of the ciphers is important. FTP will attempt to use the top entry in the cipher list first. If it is not available or not supported by its session partner, FTP will attempt to use the next one in the list. Therefore, use the "Move Up" and "Move Down" buttons to ensure the ciphers are in priority order.

You have completed this panel after you have:

You can find more detailed help on the following elements of this window:

Is this system subject to export regulations?

Cipher choices listed in preferred order.

Radio Buttons
Click I want to use the defaults to use defaults.
Click I want to select which algorithms to use to indicate you will be selecting particular algorithms to use.
Click Yes to indicate your system is subject to export regulations.
Click No to indicate your system is not subject to export regulations.

Push buttons
Click Add... to add a cipher to the list.
Click Remove... to remove the selected cipher from the list.
Click Move Up to move the selected cipher up one position.
Click Move Down to move the selected cipher down one position.
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Is this system subject to export regulations?

Select "Yes" if you are. This disables the choices that are not available due to export restrictions. "No" is the default. The ciphers that are not available for export are:

If you select "Yes" and already added restricted ciphers to your list of preferred ciphers, they will be removed automatically.



Cipher choices listed in preferred order.

Use the "Add...", "Remove", "Move Up" and "Move Down" buttons to manage the list of cipher algorithms you desire. The order of the ciphers is important. FTP will attempt to use the top entry in the cipher list first. If it is not available or not supported by its session partner, FTP will attempt to use the next one in the list. Therefore, use the "Move Up" and "Move Down" buttons to ensure the ciphers are in priority order.

If you select multiple algorithms, FTP must exchange information with the session partner to determine which of the algorithms to use. This is based on:

Available cipher algorithms are:

  1. Triple DES encryption, SHA authentication
  2. RC4 (128-bit) encryption, SHA authentication
  3. RC4 (128-bit) encryption, MD5 authentication
  4. RC4 (40-bit) encryption, MD5 authentication
  5. RC2 (40-bit) encryption, MD5 authentication
  6. DES encryption, SHA authentication
  7. No encryption, SHA authentication
  8. No encryption, MD5 authentication
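
The preference-order behaviour described above, together with a check for list entries that encipher without encrypting, is shown here as an added example (not the product's code). It parses the eight cipher labels listed above; the function names and the partner's supported set are assumptions, and negotiation is simplified to "the first entry in our list that the partner also supports".

```python
import re

# The eight cipher choices exactly as listed above.
AVAILABLE = [
    "Triple DES encryption, SHA authentication",
    "RC4 (128-bit) encryption, SHA authentication",
    "RC4 (128-bit) encryption, MD5 authentication",
    "RC4 (40-bit) encryption, MD5 authentication",
    "RC2 (40-bit) encryption, MD5 authentication",
    "DES encryption, SHA authentication",
    "No encryption, SHA authentication",
    "No encryption, MD5 authentication",
]

_LABEL = re.compile(
    r"^(?P<enc>No|.+?)(?: \((?P<bits>\d+)-bit\))? encryption, "
    r"(?P<mac>\w+) authentication$"
)


def parse_cipher(label):
    """Split a cipher label into encryption, stated key size and MAC."""
    match = _LABEL.match(label)
    if match is None or label not in AVAILABLE:
        raise ValueError(f"not one of the listed ciphers: {label!r}")
    return {
        "label": label,
        "encryption": None if match["enc"] == "No" else match["enc"],
        # Only key sizes that the label itself states are recorded.
        "key_bits": int(match["bits"]) if match["bits"] else None,
        "authentication": match["mac"],
    }


def negotiate(preferred, partner_supported):
    """Return the first cipher in our ordered list the partner also supports."""
    for label in preferred:
        if label in partner_supported:
            return parse_cipher(label)
    return None  # no cipher in common


def provides_privacy(cipher):
    """True only if the negotiated cipher actually encrypts the data."""
    return cipher is not None and cipher["encryption"] is not None


def review(preferred):
    """Flag list entries that weaken the result, by 1-based position."""
    findings = []
    for position, label in enumerate(preferred, start=1):
        cipher = parse_cipher(label)
        if cipher["encryption"] is None:
            findings.append(
                (position, "integrity only: data is readable in transit"))
        elif cipher["key_bits"] == 40:
            findings.append((position, "40-bit key"))
    return findings


if __name__ == "__main__":
    # Constructed preference list and partner capabilities.
    ours = [AVAILABLE[0], AVAILABLE[1], AVAILABLE[7]]
    partner = {AVAILABLE[7]}
    chosen = negotiate(ours, partner)
    print(chosen["label"], "privacy:", provides_privacy(chosen))
    print(review(ours))
```

A "No encryption" entry anywhere in the list can end up as the negotiated cipher when the partner supports nothing higher up, so a PRIVATE setting then yields enciphered but readable data.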


Return Codes

Use this panel to customize settings related to FTP client return codes.

An FTP client enters the FTP environment by issuing the ftp command. If you issue the ftp command with the option ( EXIT, ( EXIT=nn, or, if executing from UNIX System Services, the -e option, you enable the FTP client return code function. This results in closing the FTP environment for certain FTP errors, and setting return codes for the client.

If you do not specify the ( EXIT, ( EXIT=nn, and -e options on the ftp command line, the client's FTP environment will not end if an error occurs, and the client's return code will always be set to 0.

The format of the return code and how the return code is seen by the client depend both on the customization settings from this panel and the client's execution environment.

For clients running interactively from TSO or the z/OS UNIX System Services shell, the client sees message EZA1735I when an error occurs. EZA1735I shows a 2 digit client error code, the failing FTP subcommand, and a 3 digit reply code. The 2 digit client error codes and FTP subcommands are described in z/OS Communications Server IP User's Guide and Commands (SC31-8780). The 2 digit client error codes are in section 'FTP client error codes' and the FTP subcommands are in section 'FTP subcommand codes'. The 3 digit reply codes are described in z/OS Communications Server IP and SNA Codes (SC31-8791) in the section 'FTPD reply codes'.

For clients running in batch mode, as TSO clists, or from REXX applications, the return codes are passed back to the client, in addition to being posted in message EZA1735I. The return codes may also be logged in SMF type 30, Step Termination, records. The format of the return codes passed to the client depends on the settings you choose in the Converting return codes (CLIENTERRCODES) section. However, the format of the return code shown in message EZA1735I is fixed and cannot be customized.

It is possible to see client return codes regardless of whether or not the ftp command option ( EXIT, ( EXIT=nn, or -e is specified. Checking the box "Report errors with message EZZ9830I" allows you to see the return codes logged in message EZZ9830I.

Steps

  1. If you run FTP in batch mode, from a TSO clist, or from a REXX application, or if you want to log the return codes using message EZZ9830I, select the format of the posted return codes.
  2. If you want to log the return codes using message EZZ9830I, check its associated box.

You have completed this panel after selecting the return code format and indicating whether you want to log return codes using message EZZ9830I.

You can find more detailed help on the following elements of this window:

Converting return codes (CLIENTERRCODES)

Reporting error return codes (LOGCLIENTERR)

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Converting return codes (CLIENTERRCODES)

The possible formats for FTP return codes for clients running in batch mode, as a TSO clist, or from a REXX application are listed below.

The format of the return code is determined both by the settings on this panel and by parameters entered on the ftp command when the user logs in. The use of the EXIT=nn ftp command parameter will override the settings on this panel as explained below.

Using the EXIT=nn ftp command option
This option is set on the ftp command when the client enters the FTP environment. It instructs the client to exit with the return code set to your nn value when an error occurs.

Using this option on the initial ftp command overrides the "Converting return codes" settings on this panel.

Limitations
The same nn return code value is returned for all errors.
Selecting "2 digit client error return code set"
This option uses a set of 2 digit client error codes described in z/OS Communications Server IP User's Guide and Commands (SC31-8780) in the section "FTP client error codes". Each 2 digit client error code is listed with the name of the error and possible causes of the error.

Limitations
The failing subcommand is not returned.
The 3 digit reply code is not returned. It can be derived from message EZA1735I if the ftp command option ( EXIT, ( EXIT=nn, or -e was specified, or from message EZZ9830I if you checked the box labeled "Report errors with message EZZ9830I".
Selecting "4 digit XXYY format; where XX is the 2 digit client error return code and YY is the FTP subcommand"
This option returns both the 2 digit client error code and the FTP subcommand that failed. The 2 digit client error codes are the same as those described in "2 digit client error return code set".

The complete list of 2 digit client error codes and FTP subcommands is described in z/OS Communications Server IP User's Guide and Commands (SC31-8780). The 2 digit client error codes are in the section 'FTP client error codes' and the FTP subcommands are found in section 'FTP subcommand codes'.

Limitations
The 3 digit reply code is not returned. It can be derived from message EZA1735I if the ftp command option ( EXIT, ( EXIT=nn, or -e was specified, or from message EZZ9830I if you checked the box labeled "Report errors with message EZZ9830I".
Selecting "5 digit XXYYY format; where XX is the FTP subcommand and YYY is the FTP server reply code"
This option returns both the FTP subcommand that failed, and a 3 digit reply code.

The FTP subcommands are described in z/OS Communications Server IP User's Guide and Commands (SC31-8780) in section 'FTP subcommand codes'. The complete list of the 3 digit reply codes is described in z/OS Communications Server IP and SNA Codes (SC31-8791) in the section 'FTPD reply codes'.

Limitations
Due to the limitations, IBM does not recommend using this format.

The settings on this panel apply to interactive clients, running under TSO or the z/OS UNIX System Services shell, only if you checked the box labeled "Report errors with message EZZ9830I". The return code format in message EZZ9830I is shown according to the return code format selected. If ftp command option ( EXIT, ( EXIT=nn, or -e is specified for interactive clients, errors are also reported with EZA1735I. However, EZA1735I shows the return code values and failing subcommands in a fixed format which cannot be customized.



Logging error return codes (LOGCLIENTERR)

Use this option to see client return codes logged with message EZZ9830I.

Checking the box "Report errors with message EZZ9830I" results in return codes being logged in message EZZ9830I.

A list of errors is described in z/OS Communications Server IP User's Guide and Commands (SC31-8780) in section 'FTP subcommand codes'.

If the client is running in batch mode the message is logged in the system log, SYSLOGD, and in the batch job's log. Otherwise, the message is posted to the client's display.

Message EZZ9830I contains:



MVS Data Set Attributes

Use this panel to specify the target volumes, the unit type and the unit count for newly created data sets. If creating data sets on a tape, the volume count parameter can also be set.

All settings are available both when defining FTP clients and FTP servers. The settings are applicable to FTP clients when creating data sets on the client's system. The settings are applicable to FTP servers when creating data sets on the server's system.

If you specify an SMS storage class on the first wizard panel, then the settings from this panel are not used, rather the values are obtained from the storage class.

Steps

  1. Add the volume IDs to the list of volumes and place them in your preferred order. If you do not add any volumes to the list, the system default volumes are used.
  2. If creating data sets on tape, you may want to enter a value for the Volume count.
  3. Specify whether to use the system default for unit type or enter the unit type name.
  4. Specify whether to use the system default for unit count or enter a value for the unit count.

You have completed this panel after adding your preferred volumes, optionally modifying the volume count value, specifying the unit type, and specifying the unit count.

You can find more detailed help on the following elements of this window:

Volume settings (Optional)

Volume count for writing to tapes (VCOUNT)

Unit settings

Specify UNITNAME

Specify UCOUNT

Push buttons
Click Add... to add a volume ID to the volume list.
Click Edit... to modify the selected volume ID.
Click Remove to remove the selected volume ID from the list.
Click Move Up to move the selected volume ID up one position in the list.
Click Move Down to move the selected volume ID down one position in the list.
Click Back to return to the previous wizard panel.
Click Finish to complete the wizard panels' specification.
Click Cancel to negate any entries you have made in this wizard.
Click Help to understand more about this panel.



Volume settings (Optional)

You may define a list of volume serial numbers to indicate where newly created data sets should reside. If you do not add any volumes to the list, the system default volume list is used.

You can add up to 10 volumes to the list using the "Add..." button. The order of the volumes is significant. The system will first attempt to create the data set on the first volume in the list, and use the following volumes in the list if more space is needed. Use the "Move Up" and "Move Down" buttons to ensure the volumes are in your preferred order.

Use the "Add..." button to add new volumes, the "Edit..." button to modify the selected entry, and the "Remove" button to remove the selected volume from the list.



Volume count for writing to tapes (VCOUNT)

The volume count setting is used only when creating data sets on tapes. This value indicates the maximum number of volumes that can be used when creating a data set.

Syntax rules:



Unit settings

Unit type

Use to specify a device by its generic name, which is an IBM-supplied name that identifies a device by its machine type and model; for example, 3390. You can select to use the system default device type or enter your preferred device type.

Unit count

Use to specify the number of devices for new data sets. The system uses the unit-count to determine how many devices to allocate.

Specify a value of P to use the same number of devices specified in the volume list or the volume count value, whichever is higher. Specifying a value of P causes all volumes for the data set to be mounted in parallel.



Specify UNITNAME

Syntax rules:



Specify UCOUNT

Syntax rules:



TLS Security Settings

Use this panel to specify the certificate location required for SSL/TLS security functions. The server certificate authentication process defined in the SSL protocol requires a certificate location. This location can be either:

Before you begin, decide:

Steps

  1. Specify the certificate ring location by entering the key ring name or file name.
  2. Click on the "Ciphers..." button to select ciphers.
  3. Click on the "Advanced..." button to specify more security settings.

You have completed this panel when you have:

Fields

Certificate (key ring) location (KEYRING)

Key ring name

Key database name

Radio Buttons
Click Key ring in security server to specify a key ring name within a security server.
Click Key database in HFS to specify a z/OS UNIX file system key database file name.

Push buttons
Click Ciphers... to specify cryptographic algorithms.
Click Advanced... to specify additional security settings.



Certificate (key ring) location (KEYRING)

SSL requires server and optionally client authentication. Such authentication requires the server certificate location. Client authentication certificates reside in the same database.

System SSL supports the following two methods for managing PKI private keys and certificates.



Key ring name



Key database name

Create this file using the z/OS shell-based program, gskkyman. When running gskkyman:

Enter the key database name and extension on the panel. FTP can locate the stash file since it has the same file name.

When you are done, ensure you have created 2 files:



Configuration File

This is a snapshot of your configuration file.

Push buttons
Click Save to save this configuration file to local disk.
Click Print to print this configuration file.
Click Close to end this panel.



Configuration File

This is a snapshot of your SOCKS configuration file.

Push buttons
Click Save to save this configuration file to local disk.
Click Print to print this configuration file.
Click Close to end this panel.



General

Use this panel to configure the following general settings:

Before you begin you should:

Steps

  1. Enter the control connection port number.
  2. Optionally, enter the lower and upper port range to restrict which ports can be used for data connections.
  3. If you want to enable the server for TLS, check the "Enable TLS security" box.
  4. If you want to enable the server for Kerberos, check the "Enable Kerberos security" box.
  5. If you checked "Enable TLS security" or "Enable Kerberos security", click the "Security Settings..." button to customize your security settings. This is required if you checked TLS.
  6. Select which z/OS UNIX file system users should start in after a login.
  7. Enter the FTP server's start procedure name.
  8. Indicate if you want to automatically (Autolog) start the FTP server.
  9. Enter the FTP server's configuration file name.

You have completed this panel once you have specified the control connection port, optionally restricted the data connection port range, optionally selected to enable security, indicated the user's initial z/OS UNIX file system, entered the start procedure name, and entered the configuration file member name.

You can find more detailed help on the following elements of this window:

Control connection port number

Optionally, you may restrict the port range for data connections.

Enable TLS security

Enable Kerberos security

Starting z/OS UNIX file system (STARTDIRECTORY)

Configuration file member names

Start procedure name

Autolog

FTP configuration member name

Push buttons
Click Security Settings... to customize your security settings.
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Control connection port number

Specify the FTP server's control connection port.

The FTP server will listen for incoming logins on the control connection port number.

This port number must not conflict with other port reservations. Both the port number you specify and port number - 1, are reserved for the FTP server. Therefore, other applications must not already have reserved these ports.

If another application has already reserved the ports, you will be asked if you want to negate the reservation for the other application and proceed with your FTP server's port reservation request.

If the port is already reserved for another FTP server, you will be asked if you want to bind an IP address to this FTP server's port reservation. If you decide to bind an IP address, then your server will connect only to clients using this bind IP address when logging in.

To see all port reservations, return to the IBM TCP/IP Configuration Demo for z/OS main customization panel and go to the Basic Settings task.

Syntax rules:



Optionally, you may restrict the port range for data connections.

When an FTP client logs in to a server, a connect request always flows from the client to the server to establish a control connection. When a client wants to transfer data, for example with a get command, a different connection, referred to as a data connection, must be established to handle the transfer. Unlike the control connection, there are multiple ways a data connection can be established. The server can initiate the connect request or the client can initiate the connect request, depending on the level of FTP RFC support.

You may restrict which ports are used for data connections for the cases where the clients use firewall friendly protocols. While the client opens the data connection, it is the server that tells the client which port to connect to. By specifying the lower and upper range, you direct the server to pick a data connection port within the specified range. The server randomly selects a port within the range. This may be helpful in defining firewall policies to accommodate the range of ports FTP data connections will use.

The specified range of ports are reserved for FTP by coding the PORTRANGE configuration statement, with the AUTHPORT parameter, in PROFILE.TCPIP. The GUI automatically does this reservation for you. If any of the ports in the range are already reserved for another application, you will be asked if you want to negate the other application's reservation. A complete list of port reservations can be seen in the Basic Settings task.

The port range specification has no effect on data connections that do not use firewall friendly protocols.

Syntax rules:



Enable TLS security

Check this box to enable the FTP server to support clients using the Transport Layer Security (TLS) protocol. The Secure Sockets Layer (SSL) protocol is included in TLS.

After checking the box "Enable TLS security", click the "Security Settings..." button to customize security settings for TLS.

Clicking the "Security Settings..." button is required to specify the certificate (key ring) location. For other security settings, you can use the defaults if desired.



Enable Kerberos security

Check this box to enable the FTP server to support clients using the Kerberos security protocol.

After checking the box "Enable Kerberos security", click the "Security Settings..." button to customize security settings.

If you select only Kerberos, and not TLS, clicking the "Security Settings..." button is optional. The default security settings are used.



Security Settings...

This button is available only if you have indicated the server should be enabled to support clients using the Transport Layer Security (TLS) or the Kerberos security protocols.

If TLS is checked, you are required to enter a key ring database by clicking this button.

You may also further customize your security settings by clicking this button.

If you select TLS, clicking the "Security Settings..." button allows you to set the following:

If you select Kerberos, clicking the "Security Settings..." button allows you to set the following:



Starting z/OS UNIX file system (STARTDIRECTORY)

Indicate the file system a user will see after a login.

You may select for users to see the z/OS UNIX hierarchical file system (zFS) or MVS data sets.

If you select zFS, when the user logs in, the initial working directory is the user's root directory in the zFS.

If you select MVS data sets, when the user logs in, the initial working directory is an MVS data set. The data set name is the same as the login user ID.



Configuration file member names

An FTP start procedure and configuration file will be created as members of a partitioned data set extended (PDSE). The name of the PDSE was assigned in the Basic Settings task. To modify the PDSE name, return to the IBM TCP/IP Configuration Demo for z/OS main customization panel and go to the Basic Settings task.



Start procedure name

An FTP server start procedure will be created as a member of a partitioned data set extended (PDSE). This PDSE name was assigned in the Basic settings task. To change the PDSE name, return to the IBM TCP/IP Configuration Demo for z/OS main customization panel and go to the Basic Settings task.

This start procedure name is also used as the FTP server's job name. If the name is 7 characters or less, the job name is the start procedure name with a 1 concatenated to the end of the name. If the start procedure name is 8 characters, the job name is the same as the start procedure name.

Example

Syntax rules:



Autolog

Check the "Autolog" box if you want the FTP server to be started automatically when TCP/IP is started.

Checking "Autolog" may also restart your FTP server if it is stopped or hung. TCP/IP will check every five minutes to see if the server is still running or hung. If it is not running, TCP/IP will restart the server. If it is hung, TCP/IP will cancel it and restart it. It is considered hung if the server is no longer listening for incoming logins.



FTP configuration member name

An FTP server configuration file will be created as a member of a partitioned data set extended (PDSE). This PDSE name was assigned in the Basic settings task. To change the PDSE name, return to the IBM TCP/IP Configuration Demo for z/OS main customization panel and go to the Basic Settings task.

Syntax rules:



FTP Client Wizard: Security

Use this panel to indicate if the client should use a security protocol to provide data privacy and integrity as well as login authentication.

The client can use either the Transport Layer Security (TLS) (Secure Sockets Layer (SSL) is included in TLS) or the Kerberos security protocol.

Both protocols provide login authentication, data encryption, and data integrity to ensure the data is not modified during transmission.

Steps

  1. To indicate the client should use a security protocol, select "Yes. Select a security mechanism".
  2. Select which security protocol the client should use.

You have completed this panel after selecting your security choice. If you choose to use security, the wizard will direct you to the security settings.

Push buttons
Click Next to advance to the next wizard panel.
Click Back to return to the previous wizard panel.
Click Cancel to negate any entries you have made in this wizard.
Click Help to understand more about this panel.



Advanced

Use this panel to indicate the desired protocol for opening data connections and to specify how the client should work with NETRC files.

Before you begin:

Steps

  1. Select how data connections and ports should be established.
  2. If you use NETRC files, select how the client should work with NETRC files.

You have completed this panel after making your desired selections.

You can find more detailed help on the following elements of this window:

Data port assignment

NETRC login files (NETRCLEVEL)

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Data port assignment

Your selection is applicable only when clients log in using IPv4 addresses.

When an FTP client logs in to a server, a connect request flows from the client to the server to establish a control connection. When a client wants to transfer data, for example with a get, a different connection, referred to as a data connection, must be established to handle the transfer. Unlike the control connection, there are multiple ways a data connection can be established. The server can initiate the connect request or the client can initiate the connect request, depending on the level of FTP RFC support.

There are differences between the RFC 1579 and the RFC 2428 protocols.

The EPSV command may be useful if you are encrypting data on the control connection, for example with Transport Layer Security (TLS). If your data passes through a firewall using Network Address Translation (NAT), the firewall is not able to interpret the IP address on the PASV reply, which may cause problems. With the EPSV command and reply, no IP address is sent; the client and server already know the address to use.
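The difference between the two replies can be seen by parsing them. The following is an added example, not part of the IBM help text: the reply strings and client-side addresses are constructed samples in the RFC 959 (227) and RFC 2428 (229) reply formats, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample replies (not captured from a real server).
PASV_REPLY = "227 Entering Passive Mode (10,1,2,3,19,137)"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||5001|)"

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# EPSV uses one delimiter character repeated: (<d><d><d>port<d>)
EPSV_RE = re.compile(r"\((.)\1\1(\d{1,5})\1\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply: four address bytes, two port bytes."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a PASV reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in PASV reply: %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def parse_epsv(reply):
    """Return the port from a 229 reply. The reply carries no address at all."""
    m = EPSV_RE.search(reply)
    if not reply.startswith("229") or not m:
        raise ValueError("not an EPSV reply: %r" % reply)
    port = int(m.group(2))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in EPSV reply: %r" % reply)
    return port


def data_endpoint(reply, control_peer_ip):
    """Return (ip, port, kind): where the client opens the data connection.

    PASV: the address comes from the reply text.
    EPSV: the client reuses the address of the control connection peer.
    """
    if reply.startswith("229"):
        return ipaddress.ip_address(control_peer_ip), parse_epsv(reply), "EPSV"
    ip, port = parse_pasv(reply)
    return ip, port, "PASV"


def nat_mismatch(reply, control_peer_ip):
    """True when a PASV reply names an address other than the control peer.

    This is the case where a NAT firewall would normally rewrite the reply
    but cannot, because TLS hides the control connection from it.
    """
    ip, _, kind = data_endpoint(reply, control_peer_ip)
    return kind == "PASV" and ip != ipaddress.ip_address(control_peer_ip)


if __name__ == "__main__":
    # 203.0.113.10 is a constructed public (NAT) address for the server.
    for reply in (PASV_REPLY, EPSV_REPLY):
        ip, port, kind = data_endpoint(reply, "203.0.113.10")
        print(kind, ip, port, "mismatch" if nat_mismatch(reply, "203.0.113.10") else "ok")
```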



NETRC login files (NETRCLEVEL)

Using a NETRC file provides an alternative to specifying a user ID and password when logging in. The NETRC file contains a set of configuration statements consisting of the keywords MACHINE, LOGIN, and PASSWORD as follows:
MACHINE server_address LOGIN user_ID PASSWORD password

Location of NETRC file:

Clients using the NETRC file can log in by specifying only the FTP server's IP address or host name. The client locates the NETRC file and searches for a match of the MACHINE value to know which user ID and password to use on the login.

If the NETRC file identifies FTP servers by host name, but the client's login specifies an IP address, the client would have to resolve the IP address to a host name to find a match.

If you want the client to resolve all IP addresses to host names prior to searching the NETRC file, select "Yes, I use NETRC login files which need the host name."
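The matching behavior described above can be modeled as follows. This is an added example, not IBM's implementation: the NETRC content, host names, addresses and the reverse-lookup table are constructed, keywords are matched case-insensitively as an assumption, and falling back to the IP address when resolution fails is also an assumption.

```python
import ipaddress

# Constructed sample NETRC content; hosts, user IDs and passwords are made up.
SAMPLE_NETRC = """\
MACHINE mvs1.example.com LOGIN user1 PASSWORD pw-one
MACHINE 192.0.2.20 LOGIN user2 PASSWORD pw-two
"""

# Stand-in for a reverse DNS lookup so the example runs offline.
FAKE_REVERSE_DNS = {"192.0.2.10": "mvs1.example.com"}


def parse_netrc(text):
    """Return {machine: (login, password)} from MACHINE/LOGIN/PASSWORD statements."""
    tokens = text.split()
    entries = {}
    i = 0
    while i < len(tokens):
        if tokens[i].upper() != "MACHINE" or i + 1 >= len(tokens):
            raise ValueError("expected 'MACHINE server_address' at token %d" % i)
        machine = tokens[i + 1].lower()
        fields = {}
        i += 2
        # Collect keyword/value pairs until the next MACHINE statement.
        while i < len(tokens) and tokens[i].upper() != "MACHINE":
            keyword = tokens[i].upper()
            if keyword not in ("LOGIN", "PASSWORD") or i + 1 >= len(tokens):
                raise ValueError("unexpected token %r" % tokens[i])
            fields[keyword] = tokens[i + 1]
            i += 2
        entries[machine] = (fields.get("LOGIN"), fields.get("PASSWORD"))
    return entries


def is_ip(value):
    """True if value is an IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def find_login(entries, target, resolve_to_hostname=False,
               reverse_lookup=FAKE_REVERSE_DNS.get):
    """Return the user ID for target, or None if no MACHINE value matches.

    resolve_to_hostname models the "Yes, I use NETRC login files which need
    the host name" choice: an IP address is resolved to a host name before
    the search. If resolution fails, the IP address itself is searched for
    (assumption).
    """
    key = target.lower()
    if resolve_to_hostname and is_ip(target):
        name = reverse_lookup(target)
        if name:
            key = name.lower()
    entry = entries.get(key)
    return entry[0] if entry else None


if __name__ == "__main__":
    entries = parse_netrc(SAMPLE_NETRC)
    print(find_login(entries, "192.0.2.10"))                            # no match
    print(find_login(entries, "192.0.2.10", resolve_to_hostname=True))  # matches by name
```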



Logging

Use this panel to configure your FTP logging preferences. FTP makes use of both the SMF facility and system SYSLOGD facility to log specific FTP events. Both methods of logging are configured from this panel.

Before you begin, decide whether you want to log events using SMF records or using the system logging daemon, SYSLOGD.

Steps

  1. If you do not want to log FTP events using SMF records, select "Do not use SMF to log FTP events".
  2. If you want to log FTP events using SMF records, select "Log all FTP events: (SMF)", and select the "All Type 119 records" check box. This is the recommended choice for SMF logging.
  3. Advanced users desiring SMF records may want to log only certain FTP events, or may want to use Type 118 records. These options are also available. If you want to log only certain FTP events, select "Log selected events" and click the "Event List..." button.
  4. If you want to log events using the system logging facility, SYSLOGD, check the box labeled, "Log activity related to logins".

You have completed this panel when you have completed your SMF logging and SYSLOGD logging decisions.

You can find more detailed help on the following elements of this window:

SMF records

SYSLOGD (FTPLOGGING)

Push buttons
Click Event List... to configure specific FTP events to log using SMF.
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



SMF records

The FTP server can log specific FTP events using the SMF facility. Following is the list of events logged using SMF:

APPEND
Logs an event when the APPEND command is processed.
DELETE
Logs an event when the DELETE command is processed.
Login failures
Logs an event when a login fails.
RENAME
Logs an event when the RENAME command is processed.
RETRIEVE
Logs an event when the RETRIEVE command is processed.
STORE
Logs an event when the STORE or STORE UNIQUE commands are processed.

For each of these events you can choose to write the SMF records as Type 118 or Type 119. Type 119 records provide more information, including information about sessions using IPv6. Type 119 records are recommended. You can record both Type 118 and Type 119, but this is not recommended due to performance implications.

If you select "Log all FTP events: (SMF)", the server will log an event record for each of the events listed above. You can also select whether the record type is 118 or 119.

The subtypes for the events for Type 118 records are:

The subtypes for the events for Type 119 records are:

More advanced users may want to log only specific events or may want to use Type 118 records with non-standard subtypes. Select "Log selected events:" and click the "Event List..." button to configure more advanced customization for SMF logging.

If you use the FTP exit FTPSMFEX, you can select to record an event each time the EXIT is called. This applies only when using type 118 records. No FTP-specific exit is called for type 119 records.

Your SMF settings are applicable only when the FTP server is in FILETYPE=SEQ (normal) mode. If you want the SMF settings to also apply when the server is in FILETYPE=JES or FILETYPE=SQL mode, check the respective boxes.



SYSLOGD (FTPLOGGING)

The FTP server provides event logging using the system SYSLOGD facility. Following are the types of events logged by the server:

Each event is logged as a message with message numbers in the range EZYFS50 to EZYFS95.

Following is an example of one of the logged messages.


EZYFS50I ID=sessionID CONN starts Client IPaddr=ipaddr hostname=hostname

Explanation: This log entry is made by the FTP daemon when it accepts a client connection request. The keyword CONN identifies the entry as a connection log entry.

sessionID uniquely identifies the FTP session between a client and a server. The identifier is created by combining the jobname of the FTP daemon with a five-digit number in the range 00000-99999. This identifier is in each log entry for the session until message EZYFS52I, which is the last entry for the session.

ipaddr is the IP address of the FTP client. The IP address may be either an IPv4 or an IPv6 address.

hostname is the name of the FTP client. If the name cannot be resolved, UNKNOWN is displayed.

System Action: FTP continues.

User or Operator Response: None.

System Programmer Response: None.

Source Data Set: EZAFTPBU

Procedure Name: logCONN.
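For log review, the EZYFS50I layout above can be parsed to split the session ID into job name and sequence number and to count connections from clients whose host name did not resolve. This is an added example, not part of the IBM help text: the log lines are constructed, and the syslog prefix (timestamp, system name, tag) in front of each message is an assumption that the parser ignores.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines; only the part from "EZYFS50I" on follows the page.
SAMPLE_LOG = """\
Oct 30 13:52:51 MVS171 FTPD1: EZYFS50I ID=FTPD100001 CONN starts Client IPaddr=192.0.2.44 hostname=ws44.example.com
Oct 30 13:53:02 MVS171 FTPD1: EZYFS50I ID=FTPD100002 CONN starts Client IPaddr=2001:db8::17 hostname=UNKNOWN
Oct 30 13:53:05 MVS171 FTPD1: EZYFS50I ID=FTPD100003 CONN starts Client IPaddr=2001:db8::17 hostname=UNKNOWN
Oct 30 13:53:09 MVS171 OTHERJOB: unrelated constructed message
"""

CONN_RE = re.compile(
    r"EZYFS50I ID=(?P<sid>\S+) CONN starts Client "
    r"IPaddr=(?P<ip>\S+) hostname=(?P<host>\S+)"
)


def parse_conn(line):
    """Parse one EZYFS50I entry; return a dict, or None if the line does not fit."""
    m = CONN_RE.search(line)
    if not m:
        return None
    sid = m.group("sid")
    # Session ID = FTP daemon job name followed by a five-digit number.
    jobname, seq = sid[:-5], sid[-5:]
    if not (len(seq) == 5 and seq.isdigit() and 1 <= len(jobname) <= 8):
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))  # IPv4 or IPv6
    except ValueError:
        return None
    host = m.group("host")
    return {
        "session_id": sid,
        "jobname": jobname,
        "seq": int(seq),
        "ip": str(ip),
        "ip_version": ip.version,
        "hostname": host,
        "resolved": host != "UNKNOWN",
    }


def parse_log(text):
    """Return the connection records found in a block of log text."""
    records = []
    for line in text.splitlines():
        rec = parse_conn(line)
        if rec is not None:
            records.append(rec)
    return records


def unresolved_by_client(records):
    """Count connections per client IP whose host name was logged as UNKNOWN."""
    return Counter(r["ip"] for r in records if not r["resolved"])


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["session_id"], r["jobname"], r["seq"], r["ip"], r["hostname"])
    print(dict(unresolved_by_client(recs)))
```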



Timers and Intervals for the FTP client

Use this panel to set timer intervals used by the FTP client.

Here you are able to specify timers that determine when a session is closed due to no response. You can also specify the keepalive interval to keep the control connection active.

The timers are all optional. If you do not want to use a timer make sure that the check box is not selected.

Before you begin, know if you want to specify keepalive, session timeout intervals, or any data connection timers.

Steps

  1. Check the box for the timers you want to use.
  2. Enter the interval, in seconds, for each timer you have selected.
  3. Click "Data Connection Timers..." to customize any of the timers used on the data connection.

You have completed this panel if you have made desired changes to the timers.

Fields

Keepalive (FTPKEEPALIVE)

Keepalive interval

Login timeout (MYOPENTIME)

Login timeout interval

Response timeout (INACTTIME)

Response timeout interval

Closing control connection timeout (CCONNTIME)

Closing control connection interval

Push buttons
Click Data Connection Timers... to customize data connection timers.
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Keepalive (FTPKEEPALIVE)

Keepalive is used to send packets over the control connection to keep a session active. This helps prevent a firewall from timing out and closing the control connection. Use the keepalive interval to specify the number of seconds that the keepalive mechanism should wait before sending another packet.

Check the box labeled "Use keepalive" to activate this function and optionally you may modify the interval.



Keepalive interval

Syntax rules:



Login timeout (MYOPENTIME)

Use the login timeout interval to specify the amount of time in seconds that the client should wait for a session to be opened. If a session is not opened in the time specified the attempt will be ended and an error is reported.

Check the box labeled "Use login timeout" to activate this function and optionally you may modify the interval.



Login timeout interval

Syntax rules:



Response timeout (INACTTIME)

Use the response timeout interval to specify the amount of time in seconds that the client should wait for a response from the server. If a response is not received before the timer expires, the session is closed and an error is reported. Response timeout applies to both the control and data connections.

Check the box labeled "Use response timeout" to activate this function and optionally you may modify the interval.



Response timeout interval

Syntax rules:



Closing control connection timeout (CCONNTIME)

Use the closing control connection timeout interval to specify the amount of time in seconds that the client should wait for a session to be closed. If a session is not closed in the time specified the control connection will be closed and an error is reported.

Check the box labeled "Use CCONNTIME function" to activate this function and optionally you may modify the interval.



Closing control connection timeout interval

Syntax rules:



Data Connection Timers...

Clicking this button takes you to a panel that displays timers that are used only on the data connection. You will be able to customize the data connection timers. When finished, you will be returned to this panel.



FTP Server Wizard: Default Working Directory

Use this panel to indicate the file system a user will see after a login.

You may choose whether users see the z/OS UNIX hierarchical file system (zFS) or MVS data sets.

If you select zFS, when the user logs in, the initial working directory is the user's root directory in the zFS.

If you select MVS data sets, when the user logs in, the initial working directory is an MVS data set. The data set name is the same as the login user ID.

You have completed this panel after selecting the default working directory.

Push buttons
Click Next to advance to the next wizard panel.
Click Back to return to the previous wizard panel.
Click Cancel to negate any entries you have made in this wizard.
Click Help to understand more about this panel.



Read / Write

Use this panel to set options related to reading and writing MVS data sets.

Steps

  1. Indicate whether trailing blanks in fixed format data sets should be transmitted during file transfers.
  2. Indicate the action FTP should take if an incoming data record is longer than the logical record length of the target data set.
  3. Indicate whether partial files should be kept or deleted if a file transfer ends prematurely.

You have completed this panel after you have made your selections.

You can find more detailed help on the following elements of this window:

Trailing blanks (TRAILINGBLANKS)

Wrap record settings (WRAPRECORD / TRUNCATE)

Conditional disposition (CONDDISP)

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Trailing blanks (TRAILINGBLANKS)

Specify whether trailing blanks in a fixed format data set are transferred when the data set is transferred.

This option is available when configuring an FTP client or an FTP server. If you are configuring a client, this applies when transferring files to the server's system (for example with a PUT). If you are configuring a server, this applies when transferring files to the client's system (for example with a GET).



Wrap record settings (WRAPRECORD / TRUNCATE)

Specify which action FTP should take if an incoming data record is longer than the logical record length of the target data set.

You can choose to truncate the record, wrap the record to the next line, or end the transfer and report an error.

This option is available when configuring an FTP client or an FTP server. If you are configuring a client, this applies when transferring files to the client's system (for example with a GET). If you are configuring a server, this applies when transferring files to the server's system (for example with a PUT).



Conditional disposition (CONDDISP)

Indicate whether a file should be kept or deleted if a file transfer ends prematurely.

This option is available when configuring an FTP client or an FTP server. If you are configuring a client, this applies when writing files to the client's system (for example with a GET). If you are configuring a server, this applies when writing the file to the server's system (for example with a PUT).

Your selection on this panel will apply to both zFS file transfers and MVS data set transfers.

Select "Keep the partial file" to indicate the file or data set should be kept if the transfer ends prematurely. For MVS data sets, it is both kept and cataloged.

Select "Delete the partial file" to indicate the file or data set should be deleted if the transfer ends prematurely.



Copy an FTP Server

Use this panel to configure a z/OS FTP server when you want to base its configuration on an existing FTP server. All settings for the new server will be identical to the old server except for the control connection port, the start procedure name, and the configuration file member name.

An FTP server configuration file and start procedure will be created as members of a partitioned data set extended (PDSE). The PDSE name was assigned in the Basic settings task.

Steps

  1. Enter the control connection port number.
  2. Enter the server's start procedure name.
  3. Enter the member name for the new server configuration file.
  4. Click "OK" when you are done.

You have completed this panel after you have entered the server's control port number, the server's configuration file PDSE member name, and the server's start procedure name.

You can find more detailed help on the following elements of this window:

FTP server being copied

New FTP server information

Control connection port

Start procedure

FTP configuration member

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



FTP server being copied

You are creating a new FTP server and basing its configuration on an existing server. All settings for the new server will be identical to the existing server except for the control connection port, the start procedure name, and the configuration file member name.

The control connection port number, the configuration file member name, and the start procedure name of the existing server, which is being copied, are shown for your convenience.



New FTP server information

You are creating a new FTP server and basing its configuration on an existing server. All settings for the new server will be identical to the existing server except for the control connection port, the start procedure name, and the configuration file member name.

You must specify the control connection port number, the start procedure name, and the configuration file member name for the new server.

An FTP server configuration file and start procedure will be created as members of a partitioned data set extended (PDSE). This PDSE name was assigned in the Basic settings task.



Control connection port

You are creating a new FTP server and basing its configuration on an existing server. All settings for the new server will be identical to the existing server except for the control port, the start procedure name, and the configuration file member name.

The control connection port number is the port number the FTP server will use to listen for incoming logins.

This port number must not conflict with other port reservations. Both the port number you specify and the port number - 1 will be reserved for the FTP server. Therefore, other applications must not already have reserved these ports.

If another application has already reserved the ports, you will be asked if you want to negate the reservation for the other application and proceed with your FTP server's port reservation request.

If the port is already reserved for another FTP server, you will be asked if you want to bind an IP address to this FTP server's port reservation. If you decide to bind an IP address, then your server will connect only to clients using this bind IP address when logging in.

To see all port reservations, return to the IBM TCP/IP Configuration Demo for z/OS main customization panel and go to the Basic Settings task.

Syntax rules:



Start procedure

You are creating a new FTP server and basing its configuration on an existing server. All settings for the new server will be identical to the existing server except for the control port, the start procedure name, and the configuration file member name.

An FTP server start procedure will be created as a member of a partitioned data set extended (PDSE). This PDSE name was assigned in the Basic settings task. To change the PDSE name, return to the IBM TCP/IP Configuration Demo for z/OS main customization panel and go to the Basic Settings task.

Syntax rules:



FTP configuration member

You are creating a new FTP server and basing its configuration on an existing server. All settings for the new server will be identical to the existing server except for the control port, the start procedure name, and the configuration file member name.

An FTP server configuration file will be created as a member of a partitioned data set extended (PDSE). This PDSE name was assigned in the Basic settings task. To change the PDSE name, return to the IBM TCP/IP Configuration Demo for z/OS main customization panel and go to the Basic Settings task.

Syntax rules:



Data Connection Timers

Use this panel to set timeout intervals on the data connection.

Here you are able to specify the maximum time allowed for the data transfer, or to specify the time to wait for the finished flag (FIN) after attempting to close the connection. If any of these timers expire, they will close the data connection and report an error.

All of the timers are optional. If you do not want to use a timer, make sure that the check box is not selected.

Before you begin, know if you want to specify a time limit on the data transfer and if you want to specify the time to wait for the finished flag.

Steps

  1. Check the box for the timers you want to use.
  2. Enter the interval, in seconds, for each timer you have selected.

You have completed this panel if you have made desired changes to the data connection timers.

Fields

Client transfer timeout (DATACTTIME)

Client transfer timeout interval

FIN wait timeout (DCONNTIME)

FIN wait timeout interval

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Client transfer timeout (DATACTTIME)

Use the client transfer timeout interval to set the amount of time in seconds that the client waits after attempting to send or receive data before terminating the connection and reporting an error to the user.

The client transfer timeout interval is used to set the maximum amount of time, in seconds, that the client keeps the data connection open. The timer starts as soon as the data connection is opened, and if the transfer is not completed when the timer expires, an error is reported and the data connection is closed.

Check the box labeled "Use data timeout function" to activate this function and optionally you may modify the interval.



Client transfer timeout interval

Syntax rules:



FIN wait timeout (DCONNTIME)

Use the FIN wait timeout interval to set the amount of time in seconds to wait for the finished flag (FIN) in the TCP packet header after a close request is issued. If the FIN is not received before the time specified, the connection is closed and an error is reported.

Check the box labeled "Use DCONNTIME function" to activate this function and optionally you may modify the interval.



FIN wait timeout interval

Syntax rules:



File Access and Transfer Options

Use this panel to configure the action FTP should take when a file transfer ends prematurely and to configure the scope of a wildcard search FTP should use.

Steps

  1. Indicate whether partial files should be kept or deleted if a file transfer ends prematurely.
  2. If you plan to use the wildcard, * , in conjunction with the FTP commands: ls, mput, mget, or mdelete, then review the detailed help for the "Wildcard search scope" and indicate the scope of wildcard searches FTP should use.

You have completed this panel after you have made your selections.

You can find more detailed help on the following elements of this window:

Conditional disposition (CONDDISP)

Wildcard search scope (LISTSUBDIR)

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Conditional disposition (CONDDISP)

Indicate whether a file should be kept or deleted if a file transfer ends prematurely.

This option is available when configuring an FTP client or an FTP server. If you are configuring a client, this applies when writing files to the client's system (for example with a GET). If you are configuring a server, this applies when writing the file to the server's system (for example with a PUT).

Your selection on this panel will apply to both zFS file transfers and MVS data set transfers.

Select "Keep the partial file" to indicate the file or data set should be kept if the transfer ends prematurely. For MVS data sets, it is both kept and cataloged.

Select "Delete the partial file" to indicate the file or data set should be deleted if the transfer ends prematurely.



Wildcard search scope (LISTSUBDIR)

Indicate whether wildcard searches should span subdirectories or apply only to the current working directory.

This option is available when configuring an FTP client or an FTP server. If you are configuring a client, it applies when issuing an mput * command. If you are configuring a server, it applies when issuing any of the following commands: mget * , ls * , or mdelete * . This setting only applies when the * wildcard is used and it searches only the subdirectories of the current path. It does not search multiple depths of subdirectories.

Example

Directory "/u/user1/xx" contains the following files and subdirectory:
areadme (file)
file_xx (file)
readme_xx (file)
ggg (subdirectory)

Directory "/u/user1/xx/ggg" contains the following file and subdirectory:
file_ggg (file)
zzz (subdirectory)

Directory "/u/user1/xx/ggg/zzz" contains the following file and subdirectory:
file_zzz (file)
rrr (subdirectory)

The following display shows these files and directories:

250 HFS directory /u/user1/xx is the current working directory
ftp> ls -l
200 Port request OK.
125 List started OK
total 40
-rwx------   1 IBMUSER  0             48 Oct 29 21:14 areadme
-rwx------   1 IBMUSER  0             10 Nov  1 16:02 file_xx
drwxrwxrwx   3 IBMUSER  0           8192 Nov  1 16:00 ggg
-rwx------   1 IBMUSER  0             23 Oct 29 21:06 readme_xx
250 List completed successfully.
260 bytes received in 0.03 seconds (8.67 Kbytes/sec)
ftp> cd ggg
250 HFS directory /u/user1/xx/ggg is the current working directory
ftp> ls -l
200 Port request OK.
125 List started OK
total 24
-rwx------   1 IBMUSER  0              6 Nov  1 16:00 file_ggg
drwxr-x---   3 IBMUSER  0           8192 Nov  1 16:01 zzz
250 List completed successfully.
133 bytes received in 0.02 seconds (6.65 Kbytes/sec)
cd zzz
250 zFS directory /u/user1/xx/ggg/zzz is the current working directory
ftp> ls -l
200 Port request OK.
125 List started OK
total 24
-rwx------   1 IBMUSER  0              4 Nov  1 16:00 file_zzz
drwxr-xr-x   2 IBMUSER  0           8192 Nov  1 16:01 rrr
250 List completed successfully.
133 bytes received in 0.01 seconds (13.30 Kbytes/sec)

If you select "Restrict wildcard searches to only current working directory", the client will see the following:

257 "/u/user1/xx" is the HFS working directory.
ftp> ls *
200 Port request OK.
125 List started OK
areadme
file_xx
readme_xx
250 List completed successfully.
29 bytes received in 0.02 seconds (1.45 Kbytes/sec)

If you select "Wildcard searches should span subdirectories", the client will see the following:

257 "/u/user1/xx" is the HFS working directory.
ftp> ls *
200 Port request OK.
125 List started OK
areadme
file_xx
ggg/file_ggg
readme_xx
250 List completed successfully.
42 bytes received in 0.04 seconds (1.05 Kbytes/sec)

Differences

When spanning subdirectories with the wildcard, * , the file ggg/file_ggg is shown. However, the file ggg/zzz/file_zzz is not shown since the subdirectory span is only one level deep.



Directory Change Messages

Use this panel to specify file names containing messages displayed to clients when changing directories during an FTP session.

Before you begin, decide if the FTP server should send customized messages to clients changing directories.

Steps:

  1. If you want the FTP server to send a message to named users when they change MVS directories:
    1. Create MVS data sets containing the message for each MVS directory that should display a message when entered. Enter the message into the data set as plain EBCDIC text.
    2. Enter the Low Level Qualifier of the message files in the field labeled "LLQ for named users (MVSINFO):".
  2. If you want the FTP server to send a message to named users when they change file system directories:
    1. Create zFS files containing the message for each zFS directory that should display a message when entered. Enter the message into the file as plain EBCDIC text.
    2. Enter the relative path and/or file name of the message files in the field labeled "Message file for named users (HFSINFO):".

You have completed this panel when you have entered the file names associated with the respective messages. All fields are optional; no entries are required if these functions are not desired.

You can find more detailed help on the following elements of this window:

MVS directories (Optional)

LLQ for named users (MVSINFO)

zFS directories (Optional)

Message file for named users (HFSINFO)

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



MVS directories (Optional)

The FTP server can be configured to display customized messages to the clients when the user changes MVS directories.

"Low Level Qualifier (LLQ) for named users (MVSINFO):"
Displays a message to named users when the user changes MVS directories.

To activate any of these messages, specify the LLQ of the data sets containing the messages in the respective field on the configuration panel. Use of directory change messages is optional.



LLQ for named users (MVSINFO)

Use of the MVSINFO data set low level qualifier (LLQ) is optional and is applicable only to named users. If no MVSINFO LLQ is specified, no messages are displayed to the client when the user changes MVS directories. If an MVSINFO LLQ is specified, then each time the user changes MVS directories, the FTP server appends the specified low level qualifier (LLQ) to the current path to locate the message file in the new directory. The file containing the message may be a physical sequential data set or a member of a PDS. If the server finds a matching file, the file contents are displayed to the client. If no match is found, no messages are displayed to the client.

Example:
The user configures the MVSINFO Low Level Qualifier as: README

The data set USER5.README contains the words:
This is my MVSINFO message. Entered USER5

The file USER5.XX.README contains the words:
This is an MVSINFO message. Entering USER5.XX

When the client logs in, and changes directories, the following is displayed to the client:

Connected to 9.42.103.112.
220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 13:52:51 on 2002-10-30.

220-MY BANNER MESSAGE.  THIS IS MY EMAIL ADDRESS myaddress@us.mycompany.com
220 Connection will not timeout.
User (9.42.103.112:(none)): user1
331 Send password please.
Password:
230 USER1 is logged on.  Working directory is "USER1.".
ftp> cd ..
250 "" is the working directory name prefix.
ftp> cd user5
250-This is my MVSINFO message. Entered USER5
250 "USER5." is the working directory name prefix.
ftp> cd xx
250-This is an MVSINFO message.  Entering USER5.XX
250 "USER5.XX." is the working directory name prefix.
ftp> cd ..
250 "USER5." is the working directory name prefix.
ftp> cd xx
250 "USER5.XX." is the working directory name prefix.
ftp>

In this example, when the user first changes to directory, USER5, the message "250-This is my MVSINFO message. Entered USER5" is displayed. The user next changes to directory, USER5.XX, and the message "This is an MVSINFO message. Entering USER5.XX" is displayed. However, when the user changes to directory, USER5, for the second time, no message is displayed. The server displays the MVSINFO message only the first time a directory is entered. Because the server maintains a finite history of directory changes, if the user performs frequent directory changes, it is possible the client will see the message more than just the first time.

To show a message to the client when changing MVS directories, enter the MVS data set low level qualifier of the file(s) containing the message.

Syntax rules:



zFS directories (Optional)

The FTP server can be configured to display customized messages to clients when the user changes zFS directories.

"Message file for named users (HFSINFO):"
Displays a message to named users when the user changes zFS directories.

To activate any of these messages, specify the relative path and/or file name of the files containing the messages in the respective field on the configuration panel. Use of directory change messages is optional.



Message file for named users (HFSINFO)

Use of the HFSINFO file is optional and is applicable only to named users. If no HFSINFO file is specified, no messages are displayed to the client when the user changes file system directories. If an HFSINFO file is specified, then each time the user changes zFS directories, the FTP server will search for the specified file name in the new directory. If the server finds a matching file, the file's contents are displayed to the client. If no match is found, no messages are displayed to the client.

Wild cards can be specified as the last character of the HFSINFO file name, such as "readme*". This could result in multiple matches. If the server finds multiple matches, only the contents of the first match are displayed to the client.

Example:
The user configures the HFSINFO filename as: readme*

The file /u/user1/readme_user1 contains the words:
Entering directory /user1

The file /u/user1/xx/readme_xx contains the words:
Entering directory /xx

When the client logs in, and changes directories, the following is displayed to the client:

D:\>ftp 9.42.103.112
Connected to 9.42.103.112.
220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 21:06:42 on 2002-10-29.

220-MY BANNER MESSAGE.  THIS IS MY EMAIL ADDRESS myaddress@us.mycompany.com
220 Connection will not timeout.
User (9.42.103.112:(none)): user1
331 Send password please.
Password:
230 USER1 is logged on.  Working directory is "/u/user1".
ftp> cd xx
250-Entering directory /xx
250 HFS directory /u/user1/xx is the current working directory
ftp> cd ..
250-Entering directory /user1
250 HFS directory /u/user1 is the current working directory
ftp> cd xx
250 HFS directory /u/user1/xx is the current working directory
ftp>

In this example, when the user first changes to directory xx, the message "250-Entering directory /xx" is displayed. The user next backs up to directory user1, and the message "250-Entering directory /user1" is displayed. However, when the user changes to directory xx for the second time, no message is displayed. The server displays the HFSINFO message only the first time a directory is entered. Because the server maintains a finite history of directory changes, if the user performs frequent directory changes, it is possible the client will see the message more than just the first time.

To show a message to the client when changing file system directories, enter the zFS file containing the message.

Syntax rules:



FTP Client Wizard: Finish

You have completed the z/OS FTP client configuration. Click "Finish" to save your settings.

After clicking "Finish":

Push buttons
Click Back to return to the previous wizard panel.
Click Finish to complete the wizard panels' specification.
Click Cancel to negate any entries you have made in this wizard.
Click Help to understand more about this panel.



MVS Data Set Attributes

Use this wizard to configure MVS data set attributes FTP will use when creating data sets. This wizard is available both when configuring FTP clients and FTP servers. The settings are applicable to clients when creating data sets on the client's system. The settings are applicable to servers when creating data sets on the server's system.

An FTP user can modify these settings using the LOCSITE and SITE commands, but the modifications apply to only that user's session.

Before you begin, decide whether to obtain settings from an existing data set, or from any Storage Management Subsystem (SMS) classes. You have the option of individually specifying data set attributes, inheriting attributes from an existing model data set, or obtaining attributes from SMS class definitions.

For example, the Logical Record Length (LRECL) attribute can be obtained from an SMS data class, from an existing model data set, or set individually.

Since you can specify SMS classes, a model data set, and individual attribute settings, the following list shows the policy used to determine an attribute value. The list is in order of precedence:

  1. Any individual attribute settings.
  2. Any model data set settings.
  3. Any management class settings.
  4. Any data class or storage class settings.

Attributes obtained from model data set:

Data class attributes that can be overridden:

Management class attributes that can be overridden:

Storage class usage

When using a storage class, the values for volume, unit name, and unit count are obtained from the storage class.

Steps

  1. If you want to inherit attributes from an existing model data set, click "I want to use a model data set (DCBDSN)" and enter the model's fully qualified data set name.
  2. If you want to obtain attributes from SMS classes, click "I want SMS to control one or more attributes", and:
    1. If you want to obtain attributes from an SMS data class, enter the data class name.
    2. If you want to obtain attributes from an SMS management class, enter the management class name.
    3. If you want to obtain attributes from an SMS storage class, enter the storage class name.
  3. Click the "Next" button to proceed to the next panel.

You have completed this panel after optionally entering the fully-qualified model data set name and optionally entering SMS class names.

You can find more detailed help on the following elements of this window:

Fully-qualified data set name

Data, Management, and Storage class

Push buttons
Click Next to advance to the next wizard panel.
Click Cancel to negate any entries you have made in this wizard.
Click Help to understand more about this panel.



Fully-qualified data set name

Syntax rules:



Data, Management, and Storage class

Syntax rules:



RFC Extensions

Use this panel to enable FTP server functions that were not included in RFC 959.

Steps

  1. Decide if the server should respond to client MDTM (modify time) commands. It is recommended you enable this function since there are no performance or integrity concerns.
  2. Decide if the server should respond to the client SIZE commands. There are performance considerations, since the server must count the number of bytes in the files. If you want to use the restart stream mode file transfer function, enabling the SIZE function is required.
  3. Check the "Enable the FTP server to restart stream mode file transfers" box if you want to use this function.

You have completed this panel after making your desired selections.

Fields

MDTM

Checking the box labeled "Enable the FTP server to respond to the MDTM command." allows the server to reply with the time a file was last modified when responding to the MDTM (modify time) command. Since this function was not part of RFC 959, you must check this box to enable this function. The MDTM command is applicable only for zFS files.

It is recommended you enable this function since there are no performance or integrity concerns.

SIZE

Checking the box labeled "Enable the FTP server to respond to the SIZE command." allows the server to reply with the size of a file or files when responding to the SIZE command. Since this function was not part of RFC 959, you must check this box to enable this function. Enabling the server to respond to the SIZE command does have some performance implications, since the server must count the number of bytes in a file.

Restart stream mode file transfers

Checking the box labeled "Enable the FTP server to restart stream mode file transfers" enables the server restart function. Enabling the SIZE extension is a prerequisite for the restart function.

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Volume Migration

Use this panel for settings related to data set migration.

Steps

  1. If you do not use the DFSMShsm component of IBM's Storage Management Subsystem (SMS), you may want to specify a volume for migrated data sets. The default is MIGRAT.
  2. If you do use the DFSMShsm component of IBM's Storage Management Subsystem (SMS), you may want to indicate to FTP whether to automatically recall migrated data sets.

You have completed this panel after optionally entering a volume id for migrated data sets and making your desired selection for automatic recall of migrated data sets.

You can find more detailed help on the following elements of this window:

Data set migration (MIGRATEVOL)

Volume

Recalling migrated data sets (AUTORECALL)

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Data set migration (MIGRATEVOL)

Indicates the volume ID for migrated data sets which use non-IBM storage management systems. If you do not specify a value, the default, MIGRAT, will be used.

This setting is available both when configuring FTP clients and FTP servers. It is applicable to clients when accessing files on the client's system. It is applicable to servers when accessing files on the server's system.



Volume

Syntax Rules:



Recalling migrated data sets (AUTORECALL)

If you use a storage manager, such as IBM's Storage Management Subsystem (SMS) DFSMShsm, low-activity data sets may be migrated from user-accessible volumes to DFSMShsm volumes to reduce space occupied by data on user-accessible volumes.

Select "Permit migrated data sets to be automatically recalled", to allow FTP to automatically recall migrated data sets.

Select "Prevent migrated data sets from being automatically recalled", if you do not want FTP to automatically recall migrated data sets.

This setting is available both when configuring FTP clients and FTP servers. It is applicable to clients when accessing files on the client's system, for example when issuing a PUT command. It is applicable to servers when accessing files on the server's system, for example when issuing a GET command.



UMASK

UMASK is the FTP.DATA configuration statement that defines the default permissions for newly created zFS files. The value specified on the UMASK statement identifies the permission bits that are turned off when a file is created. This value is entered as a 3 digit octal mask.

When FTP creates a file it assumes the permission bits are 666 (-rw-rw-rw-), which correspond to:

The server then uses the UMASK value to turn off the permissions bits indicated by the UMASK value.

Example:

If the UMASK value is 027

110110110 - bits from the default 666 value FTP uses
000010111 - bits from the 027 UMASK setting
_________
110100000 - the resulting value is 640

After turning off all bits from the 027 UMASK setting, the resulting default permission bits for newly created files are 640 (-rw-r-----), which correspond to:

Syntax rules:

When this panel is initially displayed, the UMASK value is set to match the permission bits setting configured on the File Permissions panel. After leaving this panel by clicking "OK", you will return to the File Permissions panel where the permission bits settings on the File Permissions panel will reflect the new UMASK value.

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Advanced TLS Settings

Use this panel to set a timeout for TLS handshake processing. This timeout is the maximum time between full TLS handshakes. If this time period has not been reached since the last full handshake, a partial handshake occurs when a data connection is protected by TLS.

Syntax rules:

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



FTP Event Selection

Use this panel to select the specific FTP events you want to log using the System Management Facility (SMF).

Before you begin, decide which events you want to log as SMF records.

Steps

  1. Check each event you want to log.
  2. For each event you check, also check the record Type. Type 119 records are recommended.
  3. Advanced users logging Type 118 records may also want to modify the subtype. An entry of STD provides the default subtype for each event.

You have completed this panel when you have selected the events to log using SMF and selected the record type for the events you select. You must select to log at least one event and you must select a record type for each event you select.

You can find more detailed help on the following elements of this window:

APPEND command events (SMFAPPE)

Subtype

DELETE command events (SMFDEL)

Login failures (SMFLOGN)

RENAME command events (SMFREN)

RETRIEVE command events (SMFRETR)

STORE and STORE UNIQUE command events (SMFSTOR)

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



APPEND command events (SMFAPPE)

If you want to log an SMF record when the server processes an APPE (APPEND) command, check the box labeled "APPEND command events (SMFAPPE)".

You may record Type 118 or Type 119 records for the APPEND events. Type 119 records provide more information, including information related to IPv6. Type 119 records are recommended.

You may check both "Type 118" and "Type 119" to log both record types; however, this is not recommended due to performance implications.

If you select to use Type 118 records, you can modify the subtype. The default subtype is 70 and can also be specified as STD. The subtype for Type 119 records is 70 and cannot be changed.



Subtype

Enter the subtype for Type 118 records.

Syntax rules:



DELETE command events (SMFDEL)

If you want to log an SMF record when the server processes a DELE (DELETE) command, check the box labeled "DELETE command events (SMFDEL)".

You may record Type 118 or Type 119 records for the DELETE events. Type 119 records provide more information, including information related to IPv6. Type 119 records are recommended.

You may check both "Type 118" and "Type 119" to log both record types; however, this is not recommended due to performance implications.

If you select to use Type 118 records, you can modify the subtype. The default subtype is 71 and can also be specified as STD. The subtype for Type 119 records is 70 and cannot be changed.



Login failures (SMFLOGN)

If you want to log an SMF record when the server processes a login failure, check the box labeled "Login failures (SMFLOGN)".

You may record Type 118 or Type 119 records for the login failure events. Type 119 records provide more information, including information related to IPv6. Type 119 records are recommended.

You may check both "Type 118" and "Type 119" to log both record types; however, this is not recommended due to performance implications.

If you select to use Type 118 records, you can modify the subtype. The default subtype is 72 and can also be specified as STD. The subtype for Type 119 records is 72 and cannot be changed.



RENAME command events (SMFREN)

If you want to log an SMF record when the server processes a RNFR or RNTO (RENAME) command, check the box labeled "RENAME command events (SMFREN)".

You may record Type 118 or Type 119 records for the RENAME events. Type 119 records provide more information, including information related to IPv6. Type 119 records are recommended.

You may check both "Type 118" and "Type 119" to log both record types; however, this is not recommended due to performance implications.

If you select to use Type 118 records, you can modify the subtype. The default subtype is 73 and can also be specified as STD. The subtype for Type 119 records is 70 and cannot be changed.



RETRIEVE command events (SMFRETR)

If you want to log an SMF record when the server processes a RETR (RETRIEVE) command, check the box labeled "RETRIEVE command events (SMFRETR)".

You may record Type 118 or Type 119 records for the RETRIEVE events. Type 119 records provide more information, including information related to IPv6. Type 119 records are recommended.

You may check both "Type 118" and "Type 119" to log both record types; however, this is not recommended due to performance implications.

If you select to use Type 118 records, you can modify the subtype. The default subtype is 74 and can also be specified as STD. The subtype for Type 119 records is 70 and cannot be changed.



STORE and STORE UNIQUE command events (SMFSTOR)

If you want to log an SMF record when the server processes a STOR (STORE) or STOU (STORE UNIQUE) command, check the box labeled "STORE and STORE UNIQUE command events (SMFSTOR)".

You may record Type 118 or Type 119 records for the STORE and STORE UNIQUE events. Type 119 records provide more information, including information related to IPv6. Type 119 records are recommended.

You may check both "Type 118" and "Type 119" to log both record types; however, this is not recommended due to performance implications.

If you select to use Type 118 records, you can modify the subtype. The default subtype is 75 and can also be specified as STD. The subtype for Type 119 records is 70 and cannot be changed.



Attack Prevention

Use this panel to configure server options that could affect the integrity of your system.

Before you begin, it is recommended that you read the detailed help information related to this panel to decide which options meet your needs.

Steps

  1. If you do not want to send detailed login failure information to clients, including errnos and reason codes, then check the box labeled "Do not send detailed login failure messages (ACCESSERRMSGS)".
  2. If you do not want to send sensitive information to clients such as IP addresses, host names, port numbers, etc., check the box labeled "Do not send sensitive information to clients (REPLYSECURITYLEVEL)".
  3. If you want to allow clients to turn on server traces, check the boxes labeled "General tracing options (DEBUGONSITE)" and "Extended tracing options (DUMPONSITE)".
  4. Evaluate whether you should restrict the use of the port command and select the desired port command restrictions.

You have completed this panel once you have evaluated and set the desired system integrity options.

You can find more detailed help on the following elements of this window:

Information returned to clients

Remote tracing

PORT commands

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Information returned to clients

Some information returned to clients may be considered sensitive and for security reasons you may not want the end user to see it.

ACCESSERRORMSGS

If a client attempts to log in but enters an incorrect password, you may not want to provide detailed information such as the errno or reason codes on the failure message.

Example

If you do not check the box labeled "Do not send detailed login failure messages (ACCESSERRMSGS)" and the login fails because the password was incorrect, the client will see the following:

D:\>ftp 9.42.103.112
Connected to 9.42.103.112.
220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 16:11:22 on 2002-10-31.

220 Connection will not timeout.
User (9.42.103.112:(none)): user1
331 Send password please.
Password:
530-Error on __passwd() function call, errno=111, rsncode=090C0000
530-The username is unknown
530 PASS command failed
Login failed.
ftp>

If you do check the box labeled "Do not send detailed login failure messages (ACCESSERRMSGS)" and the login fails because the password was incorrect, the client will see the following:

D:\>ftp 9.42.103.112
Connected to 9.42.103.112.
220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 16:21:17 on 2002-10-31.

220 Connection will not timeout.
User (9.42.103.112:(none)): user1
331 Send password please.
Password:
530 PASS command failed
Login failed.
ftp>

If you choose not to send detailed login failure messages, you can trace them instead by checking the box labeled "Log failure messages (DEBUG ACC)".

REPLYSECURITYLEVEL

You may want to configure the server not to show clients sensitive information such as IP addresses, host names, or port numbers. Check the box labeled "Do not send sensitive information to clients (REPLYSECURITYLEVEL)" to direct the server not to send such information.

Example:

If you do check the box labeled "Do not send sensitive information to clients (REPLYSECURITYLEVEL)" the client will see the following:

# ftp loopback
IBM FTP CS V1R4
FTP: using TCPCS
Connecting to: loopback.TCP.RALEIGH.IBM.COM 127.0.0.1 port: 21.
220-IBM FTP, 17:57:42 on 2002-10-31.
220 Connection will not timeout.
NAME (loopback:USER3):
user3
>>> USER user3
331 Send password please.
PASSWORD:

>>> PASS
230 USER3 is logged on.  Working directory is "USER3.".
Command:
stat
>>> STAT
211-User: USER3  Working directory: USER3.
211-The control connection has transferred 115 bytes
211-There is no current data connection.
211-The next data connection will be actively opened
211-using Mode Stream, Structure File, type ASCII, byte-size 8
211-Automatic recall of migrated data sets.
211-Automatic mount of direct access volumes.
211-Auto tape mount is allowed.
211-Inactivity timer is disabled
211-VCOUNT is 59
211-ASA control characters in ASA files opened for text processing
211-will be transferred as ASA control characters.
211-Trailing blanks are removed from a fixed format
211-data set when it is retrieved.
211-Data set mode.  (Do not treat each qualifier as a directory.)
211-ISPFSTATS is set to FALSE
211-Primary allocation 55 cylinders.  Secondary allocation 55 cylinders.
211-FileType SEQ (Sequential - default).
211-Number of access method buffers is 5
211-RDWs from variable format data sets are discarded.
211-Records on input tape are unspecified format
211-SITE DB2 subsystem name is DB2
211-Data not wrapped into next record.
211-Tape write is not allowed to use BSAM I/O
211-Truncated records will not be treated as an error
211-JESLRECL is 80
211-JESRECFM is Fixed
211-JESINTERFACELEVEL is 1
211-ENcoding is set to SBCS
211-SBSUB is set to FALSE
211-SBSUBCHAR is set to SPACE
211-SMS is active.
211-Dataclass for new data sets is DATAF
211-Data sets will be allocated on CPDLB2,CPDLB3.
211-New data sets will be deleted if a store operation ends abnormally
211-Single quotes will override the current working directory.
211-UMASK value is 027
211-Checkpoint interval is 0
211-Authentication type: None
211 *** end of status ***
Command:

If you do NOT check the box labeled "Do not send sensitive information to clients (REPLYSECURITYLEVEL)" the client will see the following:

# ftp loopback
IBM FTP CS V1R4
FTP: using TCPCS
Connecting to: loopback.TCP.RALEIGH.IBM.COM 127.0.0.1 port: 21.
220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 17:52:55 on 2002-10-31.
220 Connection will not timeout.
NAME (loopback:USER3):
user3
>>> USER user3
331 Send password please.
PASSWORD:

>>> PASS
230 USER3 is logged on.  Working directory is "USER3.".
Command:
stat
>>> STAT
211-Server FTP talking to host 127.0.0.1, port 1026
211-User: USER3  Working directory: USER3.
211-The control connection has transferred 115 bytes
211-There is no current data connection.
211-The next data connection will be actively opened
211-to host 127.0.0.1, port 1026,
211-using Mode Stream, Structure File, type ASCII, byte-size 8
211-Automatic recall of migrated data sets.
211-Automatic mount of direct access volumes.
211-Auto tape mount is allowed.
211-Inactivity timer is disabled
211-VCOUNT is 59
211-ASA control characters in ASA files opened for text processing
211-will be transferred as ASA control characters.
211-Trailing blanks are removed from a fixed format
211-data set when it is retrieved.
211-Data set mode.  (Do not treat each qualifier as a directory.)
211-ISPFSTATS is set to FALSE
211-Primary allocation 55 cylinders.  Secondary allocation 55 cylinders.
211-FileType SEQ (Sequential - default).
211-Number of access method buffers is 5
211-RDWs from variable format data sets are discarded.
211-Records on input tape are unspecified format
211-SITE DB2 subsystem name is DB2
211-Data not wrapped into next record.
211-Tape write is not allowed to use BSAM I/O
211-Truncated records will not be treated as an error
211-JESLRECL is 80
211-JESRECFM is Fixed
211-JESINTERFACELEVEL is 1
211-ENcoding is set to SBCS
211-SBSUB is set to FALSE
211-SBSUBCHAR is set to SPACE
211-SMS is active.
211-Dataclass for new data sets is DATAF
211-Data sets will be allocated on CPDLB2,CPDLB3.
211-New data sets will be deleted if a store operation ends abnormally
211-Single quotes will override the current working directory.
211-UMASK value is 027
211-Process id is 52
211-Checkpoint interval is 0
211-Authentication type: None
211 *** end of status ***
Command:

Differences in above example

If you do NOT check the box labeled "Do not send sensitive information to clients (REPLYSECURITYLEVEL)",

  1. When logging in, the following message is shown in more detail:
    220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 17:52:55 on 2002-10-31.
    
  2. On the reply to the STATUS command, the following messages are shown; they are omitted when the box is checked.
    211-Server FTP talking to host 127.0.0.1, port 1026
    211-to host 127.0.0.1, port 1026,
    211-Process id is 52
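
One way to check a captured session for the disclosures described above, as an added example that is not part of the original help text: the patterns are written against the reply lines quoted on this page, the sample sessions are stitched together from those lines, and the function names are hypothetical.

```python
import re

# Each rule: (finding name, checkbox token used on this page, pattern).
# Patterns are assumptions derived from the reply lines quoted on this page.
RULES = [
    # With detailed login failure messages suppressed, only the final
    # "530 PASS command failed" line remains, so any "530-" continuation
    # line carries failure detail (errno, reason code, unknown user).
    ("login-failure-detail", "ACCESSERRMSGS", re.compile(r"^530-")),
    # Full banner names the server job, product level and host name.
    ("banner-names-server-host", "REPLYSECURITYLEVEL",
     re.compile(r"^220-\S+ IBM FTP CS \S+ at \S+,")),
    # STAT reply lines that expose the peer IP address and port.
    ("peer-address-and-port", "REPLYSECURITYLEVEL",
     re.compile(r"^211-.*\bhost \d{1,3}(?:\.\d{1,3}){3}, port \d+")),
    # STAT reply line that exposes the server process id.
    ("server-process-id", "REPLYSECURITYLEVEL",
     re.compile(r"^211-Process id is \d+")),
]


def audit_replies(lines):
    """Return (line number, finding, setting, text) for each disclosing reply."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        for name, setting, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, setting, line))
                break  # one finding per reply line is enough
    return findings


def settings_to_review(findings):
    """Return the sorted set of panel settings implicated by the findings."""
    return sorted({setting for _, _, setting, _ in findings})


# Constructed sample: server replies copied from the transcripts on this page,
# combined into one session with neither box checked.
DEFAULT_SESSION = """\
220-FTPD1 IBM FTP CS V1R4 at MVS171.tcp.raleigh.ibm.com, 16:11:22 on 2002-10-31.
220 Connection will not timeout.
331 Send password please.
530-Error on __passwd() function call, errno=111, rsncode=090C0000
530-The username is unknown
530 PASS command failed
211-Server FTP talking to host 127.0.0.1, port 1026
211-to host 127.0.0.1, port 1026,
211-Process id is 52
211 *** end of status ***
"""

# Constructed sample: the same replies as they appear with both boxes checked.
HARDENED_SESSION = """\
220-IBM FTP, 17:57:42 on 2002-10-31.
220 Connection will not timeout.
331 Send password please.
530 PASS command failed
211-User: USER3  Working directory: USER3.
211 *** end of status ***
"""

if __name__ == "__main__":
    for lineno, name, setting, text in audit_replies(DEFAULT_SESSION.splitlines()):
        print(f"line {lineno}: {name} (review {setting}): {text}")
    print("hardened findings:", audit_replies(HARDENED_SESSION.splitlines()))
```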
    



Remote tracing

The server can be configured to allow clients to turn on diagnostic traces during an FTP session by issuing SITE DEBUG or SITE DUMP commands. Running excessive traces could result in performance degradation of your system and, by default, clients are not allowed to turn them on.

If you would like clients to be able to turn on and modify the internal trace settings, check the boxes labeled "General tracing options (DEBUGONSITE)" and "Extended tracing options (DUMPONSITE)". Checking these boxes will allow clients to issue the SITE DEBUG and/or SITE DUMP commands, respectively.



PORT commands

An FTP client in PROXY mode with your FTP server can establish a data connection to another FTP server and send large amounts of data from your server to the other server. Therefore, a malicious FTP client in PROXY mode can attack servers by sending large amounts of data from your server to another, resulting in severe performance degradation. Since the client is indirectly sending the data, it is more difficult to immediately determine the location of the malicious client.

You can prevent this type of attack by selecting "No" under the question "Should the server accept port commands?". However, in selecting "No", the server loses some ability to transfer data in PROXY mode. If the client is not configured as firewall friendly, the client cannot execute commands such as GET, PUT, MPUT, MGET and APPEND in proxy mode. A firewall friendly client can still execute these commands in proxy mode.

Since indicating the server should not accept PORT commands results in significant limitations, an alternative is to restrict the usage of the PORT command. You can allow clients in proxy mode to do data transfers, but apply the following restrictions.

  1. Data transfers from your server to another server will be allowed only if the other server has the same IP address as the client. This is set by checking the box labeled "If it specifies an IP address different from the client's".
  2. Data transfers from your server to another server will be allowed only if the other server is not listening on a well-known port (i.e. a port greater than 1024). This is set by checking the box labeled "If it specifies a port number lower than 1024".
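
The two restrictions above amount to a check on the argument of each PORT command. The sketch below is an added example, not the z/OS server's code: it parses the RFC 959 argument form h1,h2,h3,h4,p1,p2 and applies both checks. The class, field and function names are hypothetical, and the addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PortPolicy:
    # Hypothetical field names modelling the panel's choices.
    accept_port: bool = True        # "Should the server accept port commands?"
    reject_foreign_ip: bool = True  # "If it specifies an IP address different from the client's"
    reject_low_port: bool = True    # "If it specifies a port number lower than 1024"


def parse_port_argument(arg):
    """Parse 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port); raise ValueError if malformed."""
    fields = [f.strip() for f in arg.split(",")]
    if len(fields) != 6:
        raise ValueError("PORT argument needs six comma-separated fields")
    values = []
    for field in fields:
        # Accept plain ASCII decimal only; reject signs, blanks and oversized fields.
        if not (field.isascii() and field.isdigit()) or len(field) > 3:
            raise ValueError(f"bad field {field!r}")
        number = int(field)
        if number > 255:
            raise ValueError(f"field {field!r} exceeds 255")
        values.append(number)
    host = ipaddress.IPv4Address(bytes(values[:4]))
    port = values[4] * 256 + values[5]  # high byte first
    return host, port


def evaluate_port_command(arg, client_ip, policy):
    """Return (allowed, reason) for a PORT argument received on a control connection."""
    if not policy.accept_port:
        return False, "PORT commands not accepted"
    try:
        host, port = parse_port_argument(arg)
    except ValueError:
        return False, "malformed PORT argument"

    client = ipaddress.ip_address(client_ip)
    # A dual-stack listener may report an IPv4 peer as ::ffff:a.b.c.d.
    if isinstance(client, ipaddress.IPv6Address) and client.ipv4_mapped:
        client = client.ipv4_mapped

    if policy.reject_foreign_ip and host != client:
        # Data would be sent to a third party, not to the requesting client.
        return False, "IP address differs from client"
    if policy.reject_low_port and port < 1024:
        # Matches the checkbox wording: ports lower than 1024 are refused.
        return False, "port lower than 1024"
    return True, "accepted"


if __name__ == "__main__":
    policy = PortPolicy()
    samples = [  # constructed (argument, control-connection peer) pairs
        ("127,0,0,1,4,2", "127.0.0.1"),    # port 1026, same host
        ("192,0,2,9,4,2", "127.0.0.1"),    # different host
        ("127,0,0,1,0,21", "127.0.0.1"),   # port 21
        ("127,0,0,1,4", "127.0.0.1"),      # too few fields
    ]
    for arg, peer in samples:
        print(arg, peer, evaluate_port_command(arg, peer, policy))
```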



Translation: Control Connection

Use this panel to specify the translation option for the control connection.

Translation is performed for FTP commands and replies sent over the control connection.

Before you begin, you should understand:

Translation options for the control connection:

  1. Select "Use defaults", to indicate FTP should use the default search order to locate the translation table. The search order for the translation table differs between an FTP server and an FTP client.

    FTP Server
    1. Original_jobname.SRVRFTP.TCPXLBIN
    2. hlq.SRVRFTP.TCPXLBIN
    3. Original_jobname.STANDARD.TCPXLBIN
    4. hlq.STANDARD.TCPXLBIN
    5. (7-bit ASCII) - FTP uses ISO8859-1 for the network code page and IBM-1047 for the file system code page
    6. Internal (hard-coded) 7-bit tables
    FTP Client
  2. Select "Use the internal FTP translate table" to use the FTP internal translation tables. The FTP internal tables are the same tables that are shipped in the TCPXLBIN(STANDARD) data set.
  3. Select "Use iconv ISO8859-1 encoded character set" to specify that the iconv ISO8859-1 character set should be used for the network code page. IBM-1047 is used for the z/OS UNIX file system code page.
  4. Select "Use translation table created by user" to specify a data set that contains translation tables used by FTP. This data set must be created using the CONVXLAT utility.
  5. Select "Use the following iconv encoded character set:" to enter any single byte iconv code page for the network code page. IBM-1047 will be used for the z/OS UNIX file system code page.

Steps

  1. Select which option should be used for translation.
  2. If you select "Use iconv ISO8859-1 encoded character set", and want to use UTF-8 support, check the box labeled "Allow UTF-8 pathnames".
  3. If you select "Use translation table created by user", enter the location of your table.
  4. If you select "Use the following iconv encoded character set:", enter the iconv code page.

You have completed this panel after selecting the translation option and entering the translation table or code page, if applicable.

You can find more detailed help on the following elements of this window:

Translation table created by user

Use the following iconv encoded character set

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Translation table created by user

The location of the translation table created by the user is specified differently for FTP clients than for FTP servers.

If you are configuring an FTP server you will enter the fully qualified MVS data set or zFS file name.

If you are configuring an FTP client, you specify only a low level qualifier (LLQ) of the data set. The client will look for your translation table in data set 'user_id.your_llq.TCPXLBIN'. If not found it will look for 'hlq.your_llq.TCPXLBIN'.
Example
If you specify a value of 'MYTRANS', FTP will look for data set 'user_id.MYTRANS.TCPXLBIN'.

The client design allows for different login user IDs to use different translation tables.

When configuring an FTP server

Input can be either a fully-qualified MVS data set or a zFS file name.

Syntax rules

If input is Fully qualified MVS data set

If input is zFS file name

When configuring an FTP client

Syntax rules



Network transfer encoded character set

An iconv encoded character set.

Syntax rules:



Multi-byte data connection settings

FTP allows you to specify multi-byte translation tables in two different ways.

Iconv encoded character sets

LOADDBCS Internal Tables



LOADDBCS Internal Tables

FTP allows you to specify multi-byte translation tables in two different ways.

Use this panel to specify which internal multi-byte tables are available for FTP.

You can select any or all of the translation tables or specify none. However, additional virtual storage may be required by the FTP server and client when a large number of translation tables are loaded at the same time.

To use these translation tables during your FTP session, you must enter the TYPE command from the FTP client to enable them.

LOADDBCSTABLES is a TCPIP.DATA configuration statement which will be created automatically. If you do not use the TCPIP.DATA file created by the GUI, you will need to add a LOADDBCSTABLES statement for each table you have selected.

You have completed this panel after you have selected the DBCS tables FTP will use.

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



The CONVXLAT utility

The TSO CONVXLAT command converts a table from editable text to binary. CONVXLAT can be used to convert both SBCS and DBCS table source data sets. The basic syntax of the CONVXLAT command is:

CONVXLAT InputDataSet OutputDataSet

The InputDataSet specifies the source data set name to be converted. The OutputDataSet specifies the destination for the data set created by the conversion. For both the InputDataSet and the OutputDataSet, the names must be enclosed in quotes if fully qualified, otherwise the TSO user ID is appended as a prefix.

The following example shows the creation of an SBCS binary table from customized text tables that reside in CS390.CS14.PRD.SEZATCPX(CUSTOM).

CONVXLAT 'CS390.CS14.PRD.SEZATCPX(CUSTOM)' 'USER5.BAILEY.TCPXLBIN'
READY



General

Use this panel to define the FTP client configuration file location by specifying a member name and to indicate if the client should use a security protocol to provide data privacy and integrity as well as login authentication.

Before you begin you should:

Steps

  1. Enter the client configuration file member name.
  2. Set the security settings. If the client should use a security protocol:
    1. Select "Yes. Select the security mechanism:"
    2. Select which security protocol the client should use. Choose either the Transport Layer Security ("TLS") protocol, which includes Secure Sockets Layer (SSL), or the "Kerberos (GSSAPI)" security protocol.

You have completed this panel after you have entered the member name and selected your security choice. If you choose to use security, click the "Security Settings..." button to customize your security settings.

You can find more detailed help on the following elements of this window:

Configuration file member name

Security settings

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Configuration file member name

An FTP client configuration file is created as a member of a partitioned data set extended (PDSE). The name of the PDSE was assigned in the Basic Settings task. To modify the PDSE name, return to the IBM TCP/IP Configuration Demo for z/OS main customization panel and go to the Basic Settings task.

Syntax rules:



Security settings

The client can use either the Transport Layer Security (TLS) or the Kerberos security protocol. The Secure Sockets Layer (SSL) protocol is included in TLS.

Both protocols provide login authentication, data encryption and data integrity to ensure the data is not modified during transmission.

To indicate the client should use a security protocol, select "Yes. Select the security mechanism:" and select which security protocol the client should use.

If you choose to use a security mechanism, click on the "Security Settings..." button to customize your security settings.

If you select "TLS", clicking the "Security Settings..." button allows you to set the following:

If you select "Kerberos (GSSAPI)", clicking the "Security Settings..." button allows you to set the following:



Translation: Single Byte Data Connection

Use this panel to specify the translation settings for data connections using single byte conversions.

Before you begin, you should understand:

Translation options for the data connection using single bytes:

  1. Select "Use defaults", to indicate FTP should use the default search order to locate the translation table. The search order for the translation table differs between an FTP server and an FTP client.

    FTP Server
    1. SYSFTSX DD statement in the startup procedure that specifies a CONVXLAT-generated translate table. The table can be an MVS data set or a file. The start procedure created for the FTP server you are configuring does not contain a SYSFTSX DD statement. If you choose not to use the created start procedure, make sure you understand the implications of any SYSFTSX DD statement in your start procedure.
    2. Original_jobname.SRVRFTP.TCPXLBIN
    3. hlq.SRVRFTP.TCPXLBIN
    4. Original_jobname.STANDARD.TCPXLBIN
    5. hlq.STANDARD.TCPXLBIN
    6. If none of the above are found, FTP uses the same translation tables established for the control connection.
    FTP Client
  2. Select "Use the internal FTP translation table" to use the FTP internal translation tables. The FTP internal tables are the same tables that are shipped in the TCPXLBIN(STANDARD) data set.
  3. Select "Use translation table created by user" to specify a data set that contains translation tables. This data set must be created using the CONVXLAT utility.
  4. Select "Use the following iconv encoded character sets:" to enter any single byte iconv code page for the network and host code pages.

    With this selection, you can choose to use a substitution character for non-translatable characters encountered.

Steps

  1. Select which option should be used for translation.
  2. If you select "Use translation table created by user", enter the location of your table.
  3. If you select "Use the following iconv encoded character sets:", enter the iconv code pages and choose whether to use a substitution character.

You have completed this panel after selecting the translation option and entering the translation table or code pages, if applicable.

You can find more detailed help on the following elements of this window:

Enter the fully qualified MVS data set or zFS file name

Network transfer encoded character set

z/OS UNIX file system encoded character set

Character substitution (SBSUB and SBSUBCHAR)

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



User defined translation tables

Input can be either a fully qualified MVS data set or a zFS file name.

Syntax rules:

Fully qualified MVS data set

zFS file name



Network transfer encoded character set

Any single byte iconv encoded character set.

Syntax rules:



z/OS UNIX file system encoded character set

Any single byte iconv encoded character set.

Syntax rules:



Character substitution (SBSUB and SBSUBCHAR)

This setting is only applicable when you select "Use the following iconv encoded character sets:".

Character substitution allows you to specify the action taken for data bytes that cannot be translated. If non-translatable data bytes are encountered, you can choose to fail the data transfer or have the data replaced with a space. A space specifies x'40' when the target code set is an EBCDIC code set and x'20' if the target code set is an ASCII code set.

Character substitution is valid only for single byte data transfers.

To specify a substitution character other than a space, use the FTP SITE and LOCSITE subcommands for the SBSUBCHAR keyword.



FTP Server Wizard: Server and File Names

Use this panel to enter the FTP server's start procedure name and configuration file member name.

An FTP start procedure and configuration file will be created as members of a partitioned data set extended (PDSE). The name of the PDSE was assigned in the Basic Settings task. To modify the PDSE name, return to the IBM TCP/IP Configuration Demo for z/OS main customization panel and go to the Basic Settings task.

Steps

  1. Enter the start procedure name.
  2. Enter the configuration file member name.

You have completed this panel after you have entered the start procedure name and configuration file member name.

You can find more detailed help on the following elements of this window:

Server name

Member name

Push buttons
Click Next to advance to the next wizard panel.
Click Back to return to the previous wizard panel.
Click Cancel to negate any entries you have made in this wizard.
Click Help to understand more about this panel.



Server name

An FTP server start procedure will be created as a member of a partitioned data set extended (PDSE). This PDSE name was assigned in the Basic settings task. To change the PDSE name, return to the IBM TCP/IP Configuration Demo for z/OS main customization panel and go to the Basic Settings task.

This start procedure name is also used as the FTP server's job name. If the name is 7 characters or less, the job name is the start procedure name with a 1 concatenated to the end of the name. If the start procedure name is 8 characters, the job name is the same as the start procedure name.

Example

Syntax rules:



Member name

An FTP server configuration file will be created as a member of a partitioned data set extended (PDSE). This PDSE name was assigned in the Basic settings task. To change the PDSE name, return to the IBM TCP/IP Configuration Demo for z/OS main customization panel and go to the Basic Settings task.

Syntax rules:



List of Defined FTP Servers

Use this panel to create new z/OS FTP server configurations or to modify existing server configurations.

The table shows the server configurations that are currently defined. Each table entry lists the server's start procedure name and control port, and indicates whether the server is enabled to support the Transport Layer Security (TLS) protocol or the Kerberos security protocol.

Use the buttons on this panel to perform the desired tasks.

Push buttons



Bind IP Address

Use this panel to specify the IP address that FTP clients use to log in to this FTP server.

You are defining an FTP server, but the control port you selected is already reserved for another FTP server. Therefore, you are required to specify an IP address to associate with this FTP server.

Once you have completed your FTP server configuration, the FTP server's control port will be automatically reserved. The port will be reserved for the FTP jobname, and the IP address entered will be bound to the jobname. This allows FTP clients to log in to the FTP server using the bind IP address, while another FTP server can also use the same port but must be accessed with a different IP address.

A list of all the port reservations can be seen in the Basic Settings task.

You have completed this panel after entering the IP address.

You can find more detailed help on the following elements of this window:

IP address

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



IP address

Syntax rules



SOCKS: How to Access the FTP Server

Use this panel to specify whether an FTP login matching the "All other FTP servers" entry should connect the client directly to the FTP server or through a SOCKS server.

Steps

  1. To indicate that logins matching the "All other FTP servers" entry should connect the client directly to the FTP server, select "Connect directly to the FTP server".
  2. To indicate that logins matching the "All other FTP servers" entry should connect the client to the FTP server through a SOCKS server:
    1. Select "Connect through a SOCKS server".
    2. Identify which SOCKS server the client should connect to at login. The SOCKS server can be identified by either its IP address or host name.
    3. Select the SOCKS protocol version as either Version 5 or Version 4.

You have completed this panel after you have indicated whether logins matching the "All other FTP servers" entry should connect directly to the FTP server or connect through a SOCKS server. If you selected to connect through a SOCKS server, the SOCKS server address is required.

"All other FTP servers" - General Information

The SOCKS configuration file will always contain the entry "All other FTP Servers". This entry cannot be removed and you cannot change its position in the table. It will always be the last entry in the table. This entry represents a subnet which matches all login addresses. It indicates how to connect to the FTP server for any login address that does not match any other entry in the SOCKS configuration file. You can edit this entry to indicate whether the FTP servers should be accessed directly or through a SOCKS server.

Example

You add the following entries in the order shown:

  1. An FTP server address of 3.3.3.3, which will be accessed directly.
  2. An FTP server address of 5.5.5.5, which will be accessed through a SOCKS server.
  3. A subnet of 6.6.0.0 : 255.255.0.0, which will be accessed through a SOCKS server.

You edit the "All other FTP Servers" entry to indicate that FTP servers should be accessed directly.

As a result, this is what happens during a login:

  1. If a client logs in to FTP server address 3.3.3.3, this matches the SOCKS configuration file entry with the FTP server address of 3.3.3.3, so the client connects directly to the FTP server.
  2. If a client logs in to FTP server address 5.5.5.5, this matches the SOCKS configuration file entry with the FTP server address of 5.5.5.5, so the client accesses the FTP server through a SOCKS server.
  3. If a client logs in to FTP server address 6.6.6.6, this matches the SOCKS configuration file entry with the subnet of 6.6.0.0 : 255.255.0.0, so the client accesses the FTP server through a SOCKS server.
  4. If a client logs in to FTP server address 9.9.9.9, this login address does not match any of the entries that were added. However, it matches the "All other FTP Servers" entry. Since this entry indicates FTP servers should be accessed directly, the client connects directly to the FTP server.
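
The lookup walked through above, as an added Python sketch (not part of the product or its help text). It assumes entries are tested in table order and the first match wins, which the ordered table and fixed last entry imply but the page does not state; the class and function names are hypothetical. It also reports entries that can never match because an earlier entry already covers them, which is how a host meant to use one path silently ends up on the other.

```python
import ipaddress

DIRECT, SOCKS = "direct", "socks"
CATCH_ALL = "All other FTP servers"


class SocksTable:
    """Ordered SOCKS entries; the catch-all entry is always evaluated last."""

    def __init__(self, catch_all_action=DIRECT):
        self.entries = []                      # (network, action) in insertion order
        self.catch_all_action = catch_all_action

    def add_host(self, address, action):
        # A single server address is stored as a one-address network.
        self.entries.append((ipaddress.ip_network(address), action))
        return self

    def add_subnet(self, address, mask, action):
        self.entries.append((ipaddress.ip_network(f"{address}/{mask}"), action))
        return self

    def resolve(self, login_address):
        """Return (action, matching entry) for the address a client logs in to."""
        addr = ipaddress.ip_address(login_address)
        for net, action in self.entries:
            if addr.version == net.version and addr in net:
                return action, str(net)
        return self.catch_all_action, CATCH_ALL

    def shadowed(self):
        """Entries fully covered by an earlier entry, so they can never match."""
        hidden = []
        for i, (net, action) in enumerate(self.entries):
            for earlier, earlier_action in self.entries[:i]:
                if net.version == earlier.version and net.subnet_of(earlier):
                    hidden.append((str(net), action, str(earlier), earlier_action))
                    break
        return hidden


def page_example_table():
    """The three entries from the example, with the catch-all set to direct."""
    return (SocksTable(catch_all_action=DIRECT)
            .add_host("3.3.3.3", DIRECT)
            .add_host("5.5.5.5", SOCKS)
            .add_subnet("6.6.0.0", "255.255.0.0", SOCKS))


if __name__ == "__main__":
    table = page_example_table()
    for target in ("3.3.3.3", "5.5.5.5", "6.6.6.6", "9.9.9.9"):
        print(target, table.resolve(target))
    # A direct-access host added after the subnet that already covers it:
    table.add_host("6.6.1.1", DIRECT)
    print("shadowed:", table.shadowed())
```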

You can find more detailed help on the following elements of this window:

IP address or host name of the SOCKS server

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



IP address or host name of the SOCKS server

Your entry will first be checked to see if it is a valid IP address. If it is not, it is assumed to be a host name.

Syntax rules:

For an IP address:

For a host name:

For example:
mycomputer.city.company.com



File Permissions

Use this panel to set the file permissions for newly created zFS files. These settings apply to both FTP server and FTP client configurations. The FTP server settings are used when creating files on the server's system, for example, with a PUT command. The FTP client settings are used when creating files on the client's system, for example, with a GET command. These settings can be modified during an FTP session using the SITE UMASK command to change the server settings and the LOCSITE command to change the client settings.

You cannot choose to create zFS files with execute permissions. If you require execute permissions, you can use the SITE CHMOD or LOCSITE CHMOD commands to change the permissions after the file has been created.

Steps

  1. Select the default permissions for the owner settings.
  2. Select the default permissions for the group settings.
  3. Select the default permissions for the other settings.

You have completed this panel after making your group, owner, and other permission settings.

You can find more detailed help on the following elements of this window:

Set UMASK Parameter...

Push buttons
Click Set UMASK Parameter... to set the permission bits using UMASK syntax.
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Set UMASK Parameter...

The FTP.DATA configuration parameter used to define the default permission for newly created zFS files is UMASK. The value specified on the UMASK statement represents the permission bits that are not set when a file is created.

When FTP creates a file it assumes the permission bits are 666 (-rw-rw-rw-), which correspond to:

The server then uses the UMASK value to turn off the permission bits indicated by the UMASK value.

Example:

If the UMASK value is 027

110110110 - bits from the default 666 value FTP uses
000010111 - bits from the 027 UMASK setting
_________
110100000 - the resulting value is 640

After turning off all bits from the 027 UMASK setting, the resulting default permission bits for newly created files are 640 (-rw-r-----), which correspond to:

If you are familiar with the UMASK configuration statement and want to set the permission bits using this syntax, click the "Set UMASK Parameter..." button.
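
The bit arithmetic above, generalized as an added Python example (not part of the product): it reads the UMASK statement from FTP.DATA text, derives the permissions FTP will give new files, and flags results that leave files writable or readable beyond the owner. The function names and the FTP.DATA fragment are constructed for illustration.

```python
import stat

FTP_BASE_MODE = 0o666  # per the page: FTP assumes 666 (-rw-rw-rw-) for a new file

# Constructed FTP.DATA fragment (not from the page); ';' starts a comment.
SAMPLE_FTP_DATA = """\
; constructed sample for illustration
UMASK 027          ; owner rw, group r, other none
"""


def parse_umask(ftp_data_text):
    """Return the value of the first UMASK statement, or None if there is none."""
    for raw in ftp_data_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        keyword, *rest = line.split()
        if keyword.upper() != "UMASK":
            continue
        if not rest or len(rest[0]) > 3 or any(c not in "01234567" for c in rest[0]):
            raise ValueError(f"invalid UMASK statement: {raw!r}")
        return int(rest[0], 8)
    return None


def effective_mode(umask):
    """Turn off, in the 666 base, every bit that is set in the UMASK value."""
    return FTP_BASE_MODE & ~umask & 0o777


def mode_string(mode):
    """Render permission bits the way ls -l shows them for a regular file."""
    return stat.filemode(stat.S_IFREG | mode)


def audit_umask(umask):
    """List the exposures that remain on newly created files."""
    mode = effective_mode(umask)
    findings = []
    if mode & 0o002:
        findings.append("other-writable")
    if mode & 0o020:
        findings.append("group-writable")
    if mode & 0o004:
        findings.append("other-readable")
    return findings


if __name__ == "__main__":
    for value in (parse_umask(SAMPLE_FTP_DATA), 0o000, 0o022, 0o026):
        mode = effective_mode(value)
        # Execute bits in the UMASK change nothing because the base is 666,
        # so 027 and 026 give the same result.
        print(f"UMASK {value:03o} -> {mode:03o} {mode_string(mode)} {audit_umask(value)}")
```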



Start Procedure

This is a snapshot of your FTP server start procedure.

Push buttons
Click Save to save this configuration file to local disk.
Click Print to print this configuration file.
Click Close to end this panel.



FTP Server Wizard: Port

Use this panel to define the FTP server's control connection port and whether the server should be enabled to support clients using the Transport Layer Security protocol or the Kerberos security protocol. The Secure Sockets Layer (SSL) protocol is included in TLS.

The control connection port number is the port number the FTP server will use to listen for incoming logins.

This port number must not conflict with other port reservations. Both the port number you specify and the port number - 1 will be reserved for the FTP server. Therefore, other applications must not already have reserved these ports.

If another application has already reserved the ports, you will be asked if you want to negate the reservation for the other application and proceed with your FTP server's port reservation request.

If the port is already reserved for another FTP server, you will be asked if you want to bind an IP address to this FTP server's port reservation. If you decide to bind an IP address, then your server will connect only to clients using this bind IP address when logging in.

To see all port reservations, return to the IBM TCP/IP Configuration Demo for z/OS main customization panel and go to the Basic Settings task.

Steps

  1. Enter the port number.
  2. Indicate the level of security the server should be enabled for. If you check one of the security protocols, the wizard will direct you to further security settings.

You can find more detailed help on the following elements of this window:

Port number

Push buttons
Click Next to advance to the next wizard panel.
Click Back to return to the previous wizard panel.
Click Cancel to negate any entries you have made in this wizard.
Click Help to understand more about this panel.



Port number

Syntax rules:



Configuration File

This is a snapshot of your configuration file for the FTP server.

Push buttons
Click Save to save this configuration file to local disk.
Click Print to print this configuration file.
Click Close to end this panel.



Advanced

Use this panel for advanced settings.

Before you begin, read the detailed help available for each setting.

Steps

  1. If you plan to use FTP to transfer variable length MVS data sets, evaluate the treatment of Record Descriptor Words (RDWs) and indicate how FTP should handle them.
  2. If you plan to use FTP to transfer American Standards Association (ASA) text files, evaluate the treatment of the ASA control characters and indicate how FTP should handle them.
  3. If you plan to write files to tape, consider using BSAM I/O routines for faster processing, and indicate which fwrite method FTP should use.
  4. If you plan to work with multiple files, for example with the MGET or MPUT commands, indicate how FTP should view low level qualifiers when working with multiple files.

You have completed this panel after making your desired selections.

You can find more detailed help on the following elements of this window:

Record descriptor words (RDW)

American Standards Association text files (ASATRANS)

Write to tape with fast I/O option (WRTAPEFASTIO)

Data set structure view (DIRECTORYMODE)

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Record descriptor words (RDW)

Record Descriptor Words (RDWs) are the first four bytes at the start of each record in a variable length data set that tell the reading program the actual length of the current record. When transferring a variable length MVS data set, you can have FTP transmit the RDWs or not include them in the transfer.

This setting is available both when configuring an FTP client and an FTP server. It is applicable to the client when transferring files from the client's system, for example with a PUT. It is applicable to the server when transferring files from the server's system, for example with a GET.

It is very unlikely that you will want to transfer the RDWs, because doing so confuses almost all FTP clients and servers. Most FTP clients or servers receiving the RDWs interpret them as an additional four bytes of data and write the RDW's four bytes into the file as data. The z/OS FTP client and server do not expect the first four bytes of a record to be RDWs and do not interpret them in any special way. Therefore, a z/OS FTP server or client receiving the RDWs will write the RDWs as an additional four bytes of data, resulting in an invalid data transfer. Transfer the RDWs only if you know the receiving client or server is designed to expect the first four bytes of a record to be the RDW.

If you select "Retain and transfer the RDWs", it is recommended you transfer the file in binary mode to avoid potential translation problems.
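
What a receiver "designed to expect" RDWs has to do, as an added Python example (not from the product documentation). It assumes non-spanned variable length records, where each RDW is a 2-byte big-endian length that counts the RDW itself followed by two zero bytes; the function names are hypothetical and the sample records are constructed. The same parser doubles as a check for files that were received with RDWs written into them as data.

```python
import struct

RDW_LEN = 4  # the page: the RDW is the first four bytes of each record


class RDWError(ValueError):
    """The byte stream is not a well-formed sequence of RDW-prefixed records."""


def add_rdws(records):
    """Sender side with RDWs retained: prefix every record with its RDW."""
    out = bytearray()
    for rec in records:
        # Length field counts the record data plus the 4-byte RDW (assumption above).
        out += struct.pack(">HH", len(rec) + RDW_LEN, 0) + rec
    return bytes(out)


def split_rdw_records(stream):
    """Receiver side: use each RDW to recover record boundaries, then drop it."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < RDW_LEN:
            raise RDWError(f"truncated RDW at offset {offset}")
        length, reserved = struct.unpack_from(">HH", stream, offset)
        if reserved != 0:
            raise RDWError(f"non-zero bytes 2-3 at offset {offset} (spanned or not an RDW)")
        if length < RDW_LEN:
            raise RDWError(f"record length {length} shorter than the RDW itself")
        if offset + length > len(stream):
            raise RDWError(f"record at offset {offset} runs past end of data")
        records.append(stream[offset + RDW_LEN:offset + length])
        offset += length
    return records


def looks_like_rdw_stream(data):
    """True when the whole buffer parses cleanly as RDW-prefixed records."""
    try:
        return len(split_rdw_records(data)) > 0
    except RDWError:
        return False


def sample_records():
    """Constructed EBCDIC (cp037) records, as a binary-mode transfer would carry them."""
    return [t.encode("cp037") for t in ("HDR 2024-01-01", "ACCT 0001 100.00", "TRL 1")]


if __name__ == "__main__":
    recs = sample_records()
    wire = add_rdws(recs)
    # A receiver that does not expect RDWs stores all of `wire`: 4 extra bytes per record.
    print("payload bytes:", sum(map(len, recs)), "stored bytes:", len(wire))
    print("recovered:", [r.decode("cp037") for r in split_rdw_records(wire)])
    print("RDWs present in stored file:", looks_like_rdw_stream(wire))
```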



American Standards Association text files (ASATRANS)

American Standards Association (ASA) text files contain control characters in column one. These control characters can be converted to C control characters. For example, the ASA control character ' ' means to skip one line. This character can be converted to the C control character '\n'. For a complete description of the conversion process, see the Using ASA Text Files chapter in the z/OS C/C++ Programming Guide, SC09-4765.

Select "Do not convert the control characters" to have FTP transfer ASA text files without converting the control characters.

Select "Convert the control characters" to have FTP convert the ASA control characters in column 1 to C control character sequences when transferring ASA text files.

This setting is available both when configuring an FTP client and an FTP server. It is applicable to the client when transferring files from the client's system, for example with a PUT. It is applicable to the server when transferring files from the server's system, for example with a GET.



Write to tape with fast I/O option (WRTAPEFASTIO)

When writing ASCII files to tape in stream mode, FTP can use either the BSAM I/O routines or the Language Environment runtime library function fwrite(). Using BSAM I/O routines allows the data set to be processed without embedded hexadecimal values being interpreted as print control characters and results in faster I/O.

This setting is available both when configuring an FTP client and an FTP server. It is applicable to the client when transferring files to the client's system, for example with a GET. It is applicable to the server when transferring files to the server's system, for example with a PUT.



Data set structure view (DIRECTORYMODE)

Indicate whether FTP should treat only the data set qualifier immediately below the directory as an entry in the directory or if all data set qualifiers below the current directory are treated as entries in the directory.

Example

If you select "Operate with all fully qualified data sets", the client will see:

ftp> ls
200 Port request OK.
125 List started OK
AREADME
BAILEY
BAILEY.CONFIG.SPX001.I2.TEMP
BAILEY.TRANS
EZACIMJA
ISPF.ISPPROF
XMLS
XX.AREADME
250 List completed successfully.
101 bytes received in 0.03 seconds (3.37 Kbytes/sec)

If you select "Operate with only first LLQ token", the client will see:

ftp> ls
200 Port request OK.
125 List started OK
AREADME
BAILEY
BAILEY
EZACIMJA
ISPF
XMLS
XX
250 List completed successfully.
51 bytes received in 0.03 seconds (1.70 Kbytes/sec)

This setting is available both when configuring an FTP client and an FTP server. It is applicable to the client when issuing the MPUT command. It is applicable to the server when issuing the MGET, LS, DIR and MDELETE commands.



MVS Data Set Attributes

Use this panel to specify the block size, logical record length, record format, and retention period for newly created data sets.

All settings are available both when defining FTP clients and FTP servers. The settings are applicable to FTP clients when creating data sets on the client's system. The settings are applicable to FTP servers when creating data sets on the server's system.

Steps

  1. Indicate the block size setting. This setting can be obtained from a data class, model data set, or explicitly set by selecting "Use this value:".
  2. Indicate the logical record length setting. This setting can be obtained from a data class, model data set, or explicitly set by selecting "Use this value:".
  3. Indicate the record format setting. This setting can be obtained from a data class, model data set, or explicitly set by selecting "Use this value:".
  4. Indicate the retention period setting. This setting can be obtained from a management class, data class, model data set, or explicitly set by selecting "Use this value:".

You have completed this panel after selecting how FTP should obtain the block size, logical record length, record format, and retention period values.

You can find more detailed help on the following elements of this window:

Block size (BLKSIZE)

BLKSIZE Bytes

Logical record length (LRECL)

LRECL Bytes

Record format (RECFM)

RECFM choices

Retention period (RETPD)

RETPD Days

Push buttons
Click Next to advance to the next wizard panel.
Click Back to return to the previous wizard panel.
Click Cancel to negate any entries you have made in this wizard.
Click Help to understand more about this panel.



Block size (BLKSIZE)

Use the block size value to specify the maximum length of a block for newly created data sets.

The block size value can be obtained from an SMS data class, inherited from a model data set, or you can enter a value.

If you did not specify an SMS data class or a model data set on the first wizard panel, you are required to enter a value for the block size.

If you did specify an SMS data class or a model data set on the first wizard panel, then the block size will be obtained from the SMS data class or model data set. You can choose to override the obtained value, by selecting "Use this value:" and entering a block size.

If you specified both an SMS data class and a model data set on the first wizard panel, then the block size will be obtained from the model data set. You can choose to override the obtained value, by selecting "Use this value:" and entering a block size.



BLKSIZE Bytes

Syntax rules:



Logical record length (LRECL)

Use the logical record length value to specify the length of records for newly created data sets.

The logical record length value can be obtained from an SMS data class, inherited from a model data set, or you can enter a value.

If you did not specify an SMS data class or a model data set on the first wizard panel, you are required to enter a value for the logical record length.

If you did specify an SMS data class or a model data set on the first wizard panel, then the logical record length will be obtained from the SMS data class or model data set. You can choose to override the obtained value, by selecting "Use this value:" and entering a logical record length.

If you specified both an SMS data class and a model data set on the first wizard panel, then the logical record length will be obtained from the model data set. You can choose to override the obtained value, by selecting "Use this value:" and entering a logical record length.



LRECL Bytes

Syntax rules:



Record format (RECFM)

Use the record format value to specify the format and characteristics of the records for newly created data sets.

The record format value can be obtained from an SMS data class, inherited from a model data set, or you can select a value.

If you did not specify an SMS data class or a model data set on the first wizard panel, you are required to select a value for the record format.

If you did specify an SMS data class or a model data set on the first wizard panel, then the record format will be obtained from the SMS data class or model data set. You can choose to override the obtained value, by selecting "Use this value:" and selecting a record format.

If you specified both an SMS data class and a model data set on the first wizard panel, then the record format will be obtained from the model data set. You can choose to override the obtained value, by selecting "Use this value:" and selecting a record format.



RECFM choices

Entries in the drop-down list consist of one or more of the following characters: A, B, F, M, S, U, V. The following describes the meaning of each character:

A
Records contain ISO/ANSI control.
B
Blocked records.
F
Fixed record length.
M
Records contain machine code control characters.
S
Spanned records, if variable length. Standard, if fixed length.
U
Undefined record length.
V
Variable record length.

The default is VB (Variable Block).



Retention period (RETPD)

Use the retention period value to specify the retention period for newly created data sets to help reduce the chance of later accidental deletion. After the retention period, the data set can be deleted or overwritten by another data set. The system adds the retention period value, specified in days, to the current date to calculate the expiration date.

The retention period value can be obtained from an SMS data class, an SMS management class, inherited from a model data set, or you can enter a value.

If you did not specify an SMS data class, an SMS management class or a model data set on the first wizard panel, you are required to enter a value for the retention period. If you do not want to set a retention period, select "None - data sets will have no expiration date", otherwise select "Retain for:" and enter a value. The default selection is "None - data sets will have no expiration date".

If you did specify an SMS data class or a model data set on the first wizard panel, then the retention period will be obtained from the SMS data class, or model data set. You can choose to override the obtained value, by selecting "Use this value:" and indicating the value.

If you specified both an SMS data class and a model data set on the first wizard panel, then the retention period will be obtained from the model data set. You can choose to override the obtained value, by selecting "Use this value:" and indicating the value.

If you specified a management class, then the retention period is obtained from the management class. The value of the management class's retention period can be overridden.

However, regardless of where the retention period value is obtained, when attempting to override the value set in the management class, the actual resulting retention period setting depends on the retention period limit defined in the management class. A management class is defined with a retention limit value as well as a retention period. If you attempt to override the management class's retention period, the override value must be within the retention period limit defined in the management class. Otherwise, the retention period used is the management class's retention limit value.



RETPD Days

Syntax rules:



FTP Server Wizard: Logging

Use this panel to indicate if you want to log FTP events using the system SYSLOGD facility. If you select Yes, the following events will be logged for named users.

Each event is logged as a message with message numbers in the range EZYFS50 to EZYFS95.

Following is an example of one of the logged messages.


EZYFS50I ID=sessionID CONN starts Client IPaddr=ipaddr hostname=hostname

Explanation: This log entry is made by the FTP daemon when it accepts a client connection request. The keyword CONN identifies the entry as a connection log entry.

sessionID uniquely identifies the FTP session between a client and a server. The identifier is created by combining the jobname of the FTP daemon with a five-digit number in the range 00000-99999. This identifier is in each log entry for the session until message EZYFS52I, which is the last entry for the session.

ipaddr is the IP address of the FTP client. The IP address may be either an IPv4 or an IPv6 address.

hostname is the name of the FTP client. If the name cannot be resolved, UNKNOWN is displayed.

System Action: FTP continues.

User or Operator Response: None.

System Programmer Response: None.

Source Data Set: EZAFTPBU

Procedure Name: logCONN.
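
A parser for the EZYFS50I connection entry described above, as an added Python example (not IBM code). The message layout and the jobname-plus-five-digits session ID come from the page; the syslog prefix, addresses and host names in the sample are constructed, the function names are hypothetical, and folding IPv4-mapped IPv6 addresses assumes that form can appear in the log. It shows how to split the session ID, normalize client addresses, and surface unresolved or unusually busy clients.

```python
import ipaddress
import re
from collections import Counter
from typing import NamedTuple, Optional

CONN_RE = re.compile(
    r"EZYFS50I ID=(?P<sid>\S+) CONN starts Client "
    r"IPaddr=(?P<ip>\S+) hostname=(?P<host>\S+)"
)

# Constructed sample lines; only the EZYFS50I message layout comes from the page.
SAMPLE_LOG = """\
Mar  3 10:15:02 MVS1 ftpd[101]: EZYFS50I ID=FTPD100042 CONN starts Client IPaddr=192.0.2.15 hostname=client1.example.com
Mar  3 10:15:09 MVS1 ftpd[101]: EZYFS50I ID=FTPD100043 CONN starts Client IPaddr=198.51.100.7 hostname=UNKNOWN
Mar  3 10:15:10 MVS1 ftpd[101]: EZYFS50I ID=FTPD100044 CONN starts Client IPaddr=198.51.100.7 hostname=UNKNOWN
Mar  3 10:15:11 MVS1 ftpd[101]: EZYFS50I ID=FTPD100045 CONN starts Client IPaddr=::ffff:198.51.100.7 hostname=UNKNOWN
Mar  3 10:16:30 MVS1 ftpd[101]: EZYFS50I ID=FTPD100046 CONN starts Client IPaddr=2001:db8::7 hostname=v6host.example.com
Mar  3 10:16:31 MVS1 other[202]: unrelated line
"""


class ConnEvent(NamedTuple):
    session_id: str          # jobname + five-digit number, unique per session
    jobname: str
    sequence: int
    client: str              # normalized IPv4 or IPv6 address
    hostname: Optional[str]  # None when the log shows UNKNOWN


def parse_conn(line):
    """Return a ConnEvent for an EZYFS50I line, or None for anything else."""
    m = CONN_RE.search(line)
    if not m:
        return None
    sid = m.group("sid")
    # The last five characters are the number; the jobname itself may end in a digit.
    if len(sid) < 6 or not sid[-5:].isdigit():
        return None
    try:
        addr = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:       # assumption: fold ::ffff:a.b.c.d into a.b.c.d
        addr = mapped
    host = m.group("host")
    return ConnEvent(sid, sid[:-5], int(sid[-5:]), str(addr),
                     None if host == "UNKNOWN" else host)


def parse_log(text):
    return [ev for ev in map(parse_conn, text.splitlines()) if ev is not None]


def summarize(events, threshold=3):
    """Connection counts per client, clients at or over threshold, unresolved clients."""
    per_client = Counter(ev.client for ev in events)
    return {
        "per_client": per_client,
        "noisy": sorted(c for c, n in per_client.items() if n >= threshold),
        "unresolved": sorted({ev.client for ev in events if ev.hostname is None}),
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    print(dict(report["per_client"]))
    print("noisy:", report["noisy"], "unresolved:", report["unresolved"])
```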

Push buttons
Click Next to advance to the next wizard panel.
Click Back to return to the previous wizard panel.
Click Cancel to negate any entries you have made in this wizard.
Click Help to understand more about this panel.



Timers and Intervals

Use this panel to specify the timers and intervals to be used by the server.

This panel allows you to specify timeout intervals for the data connection, inactivity and keepalive timers for the control connection, and check point intervals used for restarting transfers.

All timers are optional. If you do not want to use a timer or interval, do not check its box.

Before you begin, decide which timers and intervals you want to specify and the values you want to use for them.

Steps

  1. Check the box for the timers or interval you want to use.
  2. Enter the interval or number of records for each one you have selected.

You have completed this panel when you have made the desired changes to the timers and intervals.

Fields

Inactivity timer (INACTIVE)

Inactivity timer interval

Keepalive (FTPKEEPALIVE)

Keepalive interval

Transfer timeout (DATATIMEOUT)

Transfer timeout interval

FIN wait timeout (DCONNTIME)

FIN wait timeout interval

Checkpoint interval (CHKPTINT)

Number of records

Push buttons
Click OK to complete the specification.
Click Cancel to negate any entries you have made on this page.
Click Help to understand more about this panel.



Inactivity timer (INACTIVE)

Use the inactivity timer to specify the number of seconds that an inactive connection remains open. Any client control connection that is inactive for longer than the specified time is closed by the server.

Check the box labeled "Use the inactivity timer" to activate this function. You can optionally modify the interval.



Inactivity timer interval

Syntax rules:



Keepalive (FTPKEEPALIVE)

Keepalive is used to send packets over the control connection to keep a session active. This prevents a firewall from timing out and terminating the idle connection. Use the keepalive interval to specify the number of seconds that the keepalive mechanism should wait before sending another packet over the connection.

Check the box labeled "Use keepalive" to activate this function. You can optionally modify the interval.



Keepalive interval

Syntax rules:



Transfer timeout (DATATIMEOUT)

The transfer timeout interval is used to set the maximum amount of time, in seconds, that the server keeps the data connection open. The timer starts as soon as the data connection is opened. If the transfer has not completed when the timer expires, the data connection is closed and an error is reported.

Check the box labeled "Use data timeout function" to activate this function. You can optionally modify the interval.



Transfer timeout interval

Syntax rules:



FIN wait timeout (DCONNTIME)

Use the FIN wait timeout interval to set the number of seconds the server waits to receive notification from the client that it is closing the data connection. The server waits for the finished flag (FIN) contained in the TCP packet header. If the FIN is not received before the time specified, the connection is closed and an error is reported.

Check the box labeled "Use DCONNTIME function" to activate this function. You can optionally modify the interval.



FIN wait timeout interval

Syntax rules:



Checkpoint interval (CHKPTINT)

Use the checkpoint interval to set the number of records that are sent before a restart marker is sent. Checkpoint markers are sent to clients that use EBCDIC block mode or EBCDIC compress mode during data set retrieval. If the FTP connection fails while checkpoint intervals are in use, the transfer can be restarted at the last checkpoint by reconnecting to the FTP server and issuing the restart command.

Check the box labeled "Use checkpoint" to activate this function. You can optionally modify the number of records.

Note: If you plan to have clients that do not support the restart marker, do not set the checkpoint interval, but instead use the FTP SITE/LOCSITE command checkpoint interval for individual clients.



Number of records

Syntax rules: