FTP-SFTP Conversion

SSH Tectia Server for IBM z/OS provides a FTP-SFTP conversion feature which captures plaintext FTP connections initiated by an FTP client and converts them to SFTP before the file transfer is started. All user names, passwords, and data are then transferred in encrypted format.

FTP-SFTP conversion works transparently

Existing FTP connections, including automated file transfers, can be transparently converted to SFTP without the need to modify the existing scripts or applications. Users can keep working with their familiar applications and use the existing IDs and authentication methods.

Easy and cost-effective conversion

The FTP-SFTP conversion module allows easy and cost-effective replacement of plaintext file transfers in large enterprise environments. Existing FTP scripts and client applications need no modifications. Only the FTP server will be replaced with an SFTP server.

Existing FTP clients can be used

Any existing client with FTP functionality can be used as before:

  • Application hard-coded FTP

  • Script-based automated FTP

  • Interactive passive FTP, for example Windows Explorer FTP, web-browser-based FTP, command-line ftp, or FTP GUI applications.

Any Secure Shell server as counterpart

With SSH Tectia Server for IBM z/OS (client tools), the FTP-SFTP conversion feature can connect to SSH Tectia Server or any other Secure Shell server. When SSH Tectia is used as the server-side conterpart, it can run on any supported platform: on Linux, HP-UX, AIX, Solaris, Windows, or IBM mainframe.

Easy filter rule configuration

SSH Tectia Server for IBM z/OS can be configured to extract the user name, password, and destination host name from the secured FTP application, and to use them for authentication and connection setup on the Secure Shell SFTP server. The configuration is made as a filter rule in the Connection Broker configuration file, and the same rule can be defined to cover all FTP traffic. In large FTP environments, this simple rule setting can save the effort of defining hundreds of connection profiles which would otherwise be needed separately for each destination.

The principle of FTP-SFTP conversion is shown in Figure 3.2. Before starting the conversion, the SSH Tectia SOCKS Proxy must be running and listening on the SOCKS port 1080 on the File Transfer Client host.

The architecture of FTP-SFTP conversion

Figure 3.2. The architecture of FTP-SFTP conversion

The following steps happen during the FTP-SFTP conversion:

  1. An application, a script, or a user triggers a file transfer.

  2. The original FTP client in the File Transfer Client host starts opening a file transfer connection to the original destination FTP server (in File Transfer Server).

  3. The FTP client makes a SOCKS query. The SOCKS setting in the FTP client is set to point to the local host SSH Tectia SOCKS Proxy instead of a real firewall.

  4. The filter rules that specify which connections to capture are defined in the SOCKS Proxy configuration. Connections can be captured based on the destination address and/or port.

  5. The FTP-SFTP conversion module can extract the user name, password, and the destination host name from the secured FTP application, and use them for authentication and connection setup with the Secure Shell SFTP server.

  6. The FTP-SFTP conversion module manages the FTP connection so that it remains unchanged from the original FTP client's point of view. FTP is converted to secure SFTP file transfer.

  7. The SFTP connection is managed by the Connection Broker module.

  8. The Secure Shell SFTP server in the File Transfer Server host is the end point of the file transfer.

    The unsecured original FTP server program can be eliminated from the server host.