Or don't transfer files and shift toward "in place" computing, APIs,
microservices, database interfaces, MQ messages, and so forth -- "online"
computing, broadly speaking. You might currently be using FTP, FTPS, SFTP,
and/or NFS to lash together two or more information processing systems, but
maybe that choice was never the best option for the mission.

If you don't like FTPS or SFTP, if you like (or at least genuinely need)
FTP, and if you need to get that in-flight data encrypted, then you can use
the IBM Encryption Facility for z/OS together with any OpenPGP-compliant
communicating system. Indeed, in many ways the Encryption Facility for z/OS
is a better, more secure option -- even if you have implemented/in
conjunction with FTPS and/or SFTP -- because you can encrypt different
files with different keys and keep them encrypted through the entire
transport loop, even if it's multi-hop. You can even have a .zip (or
comparable) archive file containing multiple files, each encrypted with
Encryption Facility for z/OS, each encrypted with a separate key.

Another transport-level encryption option (only) is unencrypted FTP (or
NFS) over an encrypted IPSec tunnel. IPSec works best if you have a
permanent or semi-permanent, reasonably finite set of communicating
systems. z/OS IPSec is a substantially zIIP-eligible workload.

Yet another option is TLS/SSL encrypted SMTP (e-mail) transmission. You can
do that straight from CICS Transaction Server using IBM SupportPac CA1Y,
available at no additional charge:
http://www.ibm.com/support/docview.wss?uid=swg24033197

SupportPac CA1Y is, at least in principle, bi-directional. That is, CICS
Transaction Server can both send mail (SMTP) and retrieve mail (IMAP or
POP3). The latter is not something IBM has tested in this particular
environment, but there are no known issues. CA1Y is using JavaMail, a
common codebase. Thus SupportPac CA1Y is a substantially zIIP-eligible
workload.

z/OS CSSMTP is another option, and it can send mail unidirectionally
outbound, from z/OS to an SMTP server. It too supports TLS/SSL encrypted
connections, at least via z/OS AT-TLS.

There are LOTS of options to improve your security posture...and you should
have made those improvements long ago, but better late than never.
--------------------------------------------------------------------------------------------------------
Timothy Sipples
IT Architect Executive, Industry Solutions, IBM Z and LinuxONE, AP/GCG/MEA
E-Mail: ***@sg.ibm.com
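
The per-file-key archive described in the post above can be checked before it leaves over plain FTP. The following is an added example, not part of the original post and not IBM code: it reads the OpenPGP packet headers (RFC 4880) of every .zip member and reports members that are not public-key encrypted or that share a recipient key ID. The function names are hypothetical, the input is assumed to be binary (not ASCII-armored) OpenPGP with version 3 session-key packets, and the sample bytes are constructed.

```python
import io
import zipfile
# Added example; function names are hypothetical, input assumed binary (not armored).
PKESK, ENCRYPTED_DATA = 1, {9, 18}         # RFC 4880 packet tags


def recipient_key_ids(data):
    """Key IDs of the leading v3 PKESK packets in a binary OpenPGP message, else []."""
    ids, i = [], 0
    while i + 2 < len(data) and data[i] & 0x80:
        hdr, b1, b2 = data[i], data[i + 1], data[i + 2]
        tag = hdr & 0x3F if hdr & 0x40 else (hdr >> 2) & 0x0F
        if tag in ENCRYPTED_DATA and ids:
            return ids                     # recipients followed by ciphertext
        if tag != PKESK or (hdr & 0x40 and b1 >= 224):
            break                          # not a PKESK, or a length form it never uses
        if hdr & 0x40:                     # new-format length: 1 or 2 octets
            wide = b1 >= 192
            length = ((b1 - 192) << 8) + b2 + 192 if wide else b1
            i += 3 if wide else 2
        else:                              # old-format length: 1, 2 or 4 octets
            n = 1 << (hdr & 0x03)          # 8 marks indeterminate length: reject
            length = int.from_bytes(data[i + 1:i + 1 + n], "big") if n < 8 else 0
            i += 1 + n
        body = data[i:i + length]
        if len(body) < 10 or body[0] != 3:
            break                          # truncated, or not a version 3 PKESK
        ids.append(body[1:9].hex().upper())
        i += length
    return []


def audit_archive(zip_bytes):
    """Findings for an archive about to leave; [] means one recipient key per member."""
    findings, owner = [], {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            ids = recipient_key_ids(zf.read(name))
            if not ids:
                findings.append(f"{name}: not OpenPGP public-key encrypted")
            for kid in ids:
                if owner.setdefault(kid, name) != name:
                    findings.append(f"{name}: shares key {kid} with {owner[kid]}")
    return findings


def sample_message(key_id_hex):
    """Constructed bytes shaped like PKESK + SEIPD packets; not real ciphertext."""
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + bytes(8)
    return bytes([0xC1, len(body)]) + body + b"\xd2\x03\x01\xaa\xbb"
```

Passphrase-only messages and hidden-recipient messages (all-zero key IDs) need separate handling; this check only confirms that each member names its own recipient key.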