FTP-SFTP conversion is implemented using the Tectia SOCKS Proxy component. Tectia SOCKS Proxy acts as a SOCKS proxy for the FTP client application on the Tectia Server for IBM z/OS host and captures FTP connections based on filter rules. FTP connections are converted to SFTP, transparently to the user and the FTP application. The only change needed in the FTP application is to change the SOCKS proxy setting to point to a localhost listener.
The SOCKS Proxy uses the hostname, username, and password information provided by the FTP client application to open an authenticated and encrypted SFTP connection to a Secure Shell SFTP server.
The Secure Shell SFTP server can also be defined in the filter rules. This way, the client's request for the FTP server destination can be overridden.
The principle of FTP-SFTP conversion is shown in Figure 8.2. Before starting the conversion, the Tectia SOCKS Proxy must be running and listening on the SOCKS port 1080 on the File Transfer Client host.
The following steps happen during the FTP-SFTP conversion:
An application, a script, or a user triggers a file transfer.
The original FTP client in the File Transfer Client host starts opening a file transfer connection to the original destination FTP server (in File Transfer Server).
The FTP client makes a SOCKS query. The SOCKS setting in the FTP client is set to point to the localhost Tectia SOCKS Proxy instead of a real firewall.
The filter rules that specify which connections to capture are defined in the SOCKS Proxy configuration. Connections can be captured based on the destination address and/or port.
The FTP-SFTP conversion module can extract the username, password, and the destination host name from the secured FTP application, and use them for authentication and connection setup with the Secure Shell SFTP server.
The FTP-SFTP conversion module manages the FTP connection so that it remains unchanged from the original FTP client's point of view. FTP is converted to secure SFTP file transfer.
The SFTP connection is managed by the Connection Broker module.
The Secure Shell SFTP server in the File Transfer Server host is the end point of the file transfer.
The unsecured original FTP server program can be eliminated from the server host.