SSH.COM is one of the most trusted brands in cyber security. We help enterprises and agencies solve the security challenges of digital transformation with innovative access management solutions.
SSH Tectia Server for IBM z/OS provides a FTP-SFTP conversion feature which captures plaintext FTP connections initiated by an FTP client and converts them to SFTP before the file transfer is started. All user names, passwords, and data are then transferred in encrypted format.
Existing FTP connections, including automated file transfers, can be transparently converted to SFTP without the need to modify the existing scripts or applications. Users can keep working with their familiar applications and use the existing IDs and authentication methods.
The FTP-SFTP conversion module allows easy and cost-effective replacement of plaintext file transfers in large enterprise environments. Existing FTP scripts and client applications need no modifications. Only the FTP server will be replaced with an SFTP server.
Any existing client with FTP functionality can be used as before:
Application hard-coded FTP
Script-based automated FTP
for example Windows Explorer FTP, web-browser-based FTP, command-line
ftp, or FTP GUI applications.
With SSH Tectia Server for IBM z/OS (client tools), the FTP-SFTP conversion feature can connect to SSH Tectia Server or any other Secure Shell server. When SSH Tectia is used as the server-side conterpart, it can run on any supported platform: on Linux, HP-UX, AIX, Solaris, Windows, or IBM mainframe.
SSH Tectia Server for IBM z/OS can be configured to extract the user name, password, and destination host name from the secured FTP application, and to use them for authentication and connection setup on the Secure Shell SFTP server. The configuration is made as a filter rule in the Connection Broker configuration file, and the same rule can be defined to cover all FTP traffic. In large FTP environments, this simple rule setting can save the effort of defining hundreds of connection profiles which would otherwise be needed separately for each destination.
The principle of FTP-SFTP conversion is shown in Figure 3.2. Before starting the conversion, the SSH Tectia SOCKS Proxy must be running and listening on the SOCKS port 1080 on the File Transfer Client host.
The following steps happen during the FTP-SFTP conversion:
An application, a script, or a user triggers a file transfer.
The original FTP client in the File Transfer Client host starts opening a file transfer connection to the original destination FTP server (in File Transfer Server).
The FTP client makes a SOCKS query. The SOCKS setting in the FTP client is set to point to the local host SSH Tectia SOCKS Proxy instead of a real firewall.
The filter rules that specify which connections to capture are defined in the SOCKS Proxy configuration. Connections can be captured based on the destination address and/or port.
The FTP-SFTP conversion module can extract the user name, password, and the destination host name from the secured FTP application, and use them for authentication and connection setup with the Secure Shell SFTP server.
The FTP-SFTP conversion module manages the FTP connection so that it remains unchanged from the original FTP client's point of view. FTP is converted to secure SFTP file transfer.
The SFTP connection is managed by the Connection Broker module.
The Secure Shell SFTP server in the File Transfer Server host is the end point of the file transfer.
The unsecured original FTP server program can be eliminated from the server host.