Replacing Plaintext FTP with FTP-SFTP Conversion

SSH Tectia Server for IBM z/OS offers an easy way to secure plaintext FTP connections with a feature called FTP-SFTP conversion.

When FTP-SFTP conversion is enabled on SSH Tectia Server for IBM z/OS client tools, it automatically captures all FTP connections initiated on the client side and converts them to use the Secure File Transfer Protocol (SFTP) instead. The transferred files are sent to a Secure Shell SFTP server in encrypted format.

SSH Tectia Server for IBM z/OS should be installed on the same host as the FTP client, and a Secure Shell server must be installed on the same host as the original FTP server.

FTP-SFTP conversion can be configured to pick the user name, password, and destination host directly from the secured FTP client, and use them to open the secured communication channel. This removes the need for any additional configuration modifications or changes to the original FTP scripts or applications. In the Connection Broker configuration, this is done simply with one rule that can fit all FTP connections.

When FTP-SFTP conversion is used, there is no need for a plaintext FTP server, as the connection is made to an SFTP server instead. This means that any post-processing done by the FTP server must be moved to be performed elsewhere.

SSH Tectia Server for IBM z/OS makes it easy to get started with FTP replacement even in an environment where not all FTP servers can be removed immediately. For example, there may be a need to connect to a third-party FTP server every now and then, even though company-internal file transfers are handled in secure SFTP mode. SSH Tectia Server for IBM z/OS has an option to allow fallback to plaintext FTP in case the secure SFTP connection cannot be established. This way SFTP is always used when possible, but connections to the remaining FTP servers are still available.

Figure 5.1. Using FTP-SFTP conversion