Tectia® SSH Server for z/OS

Tectia SSH Client/Server References Try Tectia

mainframe security software

Secure, automate & optimize mainframe communications

Tectia SSH Server for IBM z/OS is the most trusted remote access and secure FTP server software in the industry. It's easy to set up and combines enterprise-grade reliability with high performance and a light toll on cryptographic processing.

Fast-track mainframe security

For many vendors, data that needs to be moved between a mainframe and a distributed system has to be manually converted to a viable and actionable format — but it can be a convoluted process. It requires configuring thousands or even millions of files by hand. It also leads to data transformations that require further handling.

With Tectia SSH Server for IBM z/OS, you can avoid manual and complicated processes by utilizing Tectia's automation features. You can:

Enable seamless FTP-SFTP conversion to ramp up mainframe security without JCL modifications
Enable direct access to MVS formats and efficient automation tools, while avoiding preprocessing, staging, and manual actions

Direct access to data sets without staging

With Tectia for IBM z/OS, you can improve your productivity and operational efficiency:

Run batch jobs in parallel instead of in sequences. Tectia for z/OS is capable of operating with different dataset definitions and retains and writes the metadata for a wide variety of dataset types, such as PDS(e) load libraries.
Get direct access to datasets without having to write datasets to files.
Get notifications of successful or failed data transfers with retry/restart options.
Enjoy seamless character-set conversions from preexisting and customizable code pages, enabling clean transfers between mainframe, Windows, and Unix.

Multi-layer security that meets regulations, including GDPR, SOX, GLBA, PCI DSS, and HIPAA

Tectia Server for z/OS offers:

Enhanced security by reducing the risk of breaches and data loss
Compliance with regulation (e.g. PCI-DSS, SOX, HIPAA, FISMA)
Evolve with your needs into Post-Quantum Cryptography
zIIP cryptography off-loading

Ensure business continuity

Tectia Server for z/OS offers:

Increased efficiency and reduced admin costs through easy setup, CPU optimization, maintenance, and solution support
Ensured business continuity and full compatibility with SSH Tectia family
Uninterrupted operations with 24/7 support

Main features

Ease of use

ISPF application for installation and configuration
Configurable FTP fallback option for controlled and phased deployment
System-wide and user-specific file transfer profiles
Listing of MVS data sets as files and folders for easy interactive command line

User and server authentication

Authentication and access control through SAF calls to RACF, ACF2, and TSS
User authentication with passwords
User and server authentication with X.509 certificates
User and server authentication with public keys
Logging and auditing using SMF records and Syslogd facilities

Secure File Transfer Protocol (SFTP)

Transparent, automatic FTP-SFTP conversion
Transparent FTP tunneling
Multi-terabyte file size support
Strong encryption of data
Strong packet-by-packet file integrity checking
SFTP and SCP command-line tools for interactive and unattended use
Secure against the quantum threat, with Quantum-Safe Algorithms

Mainframe security

Automatic transparent encryption of data-in-transit, including user ID and password
Hardware acceleration of cryptographic operations
Support for U.S. NIST FIPS 140-2 Certified hardware acceleration
Configurable re-keying policies
Multi-channel support - multiple secure sessions are multiplexed to a single TCP/IP connection
Compliance with the IETF Secure Shell standards

Remote access

Secure tunneling for TN3270 connections
Transparent tunneling for TN3270

Zero Trust access control

Role-based access control (RBAC) - grant and revoke access for multiple mainframe systems at once
Support for temporary access
Full audit trail with SIEM integration support
No passwords - no stolen or leaked passwords, no password rotation
Optional browser client for TN3270

Tectia SFTP special facilities for z/OS data transfer

Many special facilities are provided in Tectia SFTP to work natively with z/OS data in a simple and productive way that will be familiar to mainframe professionals. They include:

Filetype JES

Supports the submission of batch jobs to the JES (Job Entry Subsystem) reader and access to JES spooled output.

This allows Tectia SFTP to interact with the batch environment, a core part of mainframe business processes, both to trigger batch jobs and to work with job output.

Filetype IDCAMS

Supports the execution of IDCAMS commands and viewing the resulting output. IDCAMS is a utility to define and manipulate datasets, types of files used in z/OS, with special organizations and features to support batch and online processing.

Access to IDCAMS allows Tectia SFTP to perform operations on datasets beyond the Unix file/directory view for which that protocol was originally conceived.

Filetype PDS

Supports operations on Partitioned Datasets, a particular variety of datasets (both PDS and PDSE (extended)), much used in z/OS environments to store "members" containing source code, JCL (Job Control Language) "decks", executables, etc.

While Tectia z/OS SFTP has always supported basic access to PDS members, this facility extends this to support operations on whole PDSes with all or a set of their members, including creating and transferring their associated metadata. This gives Tectia SFTP the ability to work with these datasets in the way a z/OS software product is expected to operate, natively and with full functionality.

Filetype IEBCOPY

Supports the execution of IEBCOPY commands and viewing the resulting output. IEBCOPY is a utility for manipulating PDSes and PDSEs, copying, reorganizing, unloading, reloading, etc.

This facility allows Tectia SFTP to make use of IEBCOPY when transferring this kind of dataset. In particular, IEBCOPY is required for correctly transferring PDSE "program object, type 2" members, which contain proprietary metadata structures not divulged by IBM.

Filetype ADRDSSU

Supports the execution of ADRDSSU commands and viewing the resulting output. ADRDSSU is a utility for working with collections of datasets, especially for dumping and restoring datasets to/from a transportable format.

For datasets with sensitive internal structures, this is the most effective way to transfer them without corrupting that structure and rendering them useless. This facility allows Tectia SFTP to perform such dataset transfers in an integrated operation, more productively than via a series of manual processes.

Filetype DFSORT

Supports the execution of DFSORT commands and viewing the resulting output. DFSORT is a utility that sorts datasets, but it also has many other abilities, such as selecting, reformatting, or converting the contents of datasets, including VSAM.

This facility gives Tectia SFTP access to the individual records and fields of a dataset, essentially allowing ETL (Extract, Translate, Load) operations via selective file transfers.

DSNtype PIPE

Supports file transfer to and from Unix named pipes.

This facility allows Tectia SFTP to interact with Unix pipelines on z/OS, making the Unix shell, utilities, and programs available to perform transformations on the data stream dynamically.

Subsys Batchpipes

Supports file transfer to and from the Batchpipes subsystem. Batchpipes is a z/OS subsystem that allows pipe-like access to datasets, used to improve parallelism in batch processes by eliminating temporary datasets.

This facility allows Tectia SFTP to participate in such batch processes, introducing or extracting data for transfer.

Filetype QSAM

Supports QSAM (Queued Sequential Access Method) dataset IO. QSAM provides a simple API for record-based IO to sequential datasets, without any of the transformations performed by the C-runtime API normally used by Tectia SFTP. In some cases, these transformations introduce limitations, such as, for example, the inability to handle zero-length variable records or to open a dataset and wait for input.

This facility allows Tectia SFTP to overcome these limitations when necessary for constructing solutions.

Tectia zOS vs OpenSSH comparison

Functionality	Purpose of Function	Tectia for z/OS	Open SSH
Socks Proxy	Allows users to use existing FTP JCLs with no or minimal changes to existing JCLs.	Yes, FTP-Tunnelling and FTP-SFTP conversion.	No
Post Quantum Cryptography	Post Quantum encryption for connections.	Yes	Not yet
Direct access to MVS datasets	Can access datasets without the need to manually move them from MVS to USS.	Yes	No, one needs to copy datasets to USS before sending them over.
Character set conversion	File transfers to non z/OS platforms require EBCDIC to ASCII conversion to retain data in correct form.	Yes	Yes, but only when using OpenSSH client programs from z/OS. Remote, non-z/OS platforms do not have this functionality. Further, z/OS OpenSSH may not include proper line ending when connecting to Windows hosts.
Certificates	Allows certificate authentication.	X.509 certificates supported, and it is possible to store them in SAF key rings.	OpenSSH certificates cannot be stored in SAF key rings.
User Key distribution	Distributing can be difficult when manually copied over to remote systems.	Can distribute user keys using ssh-keydist-g3 and ssh-broker-ctl key-upload tools.	Not possible, need to manually copy keys to remote servers.
BPXBATCH JCLs	Can use JCLs to run binaries.	Yes	Yes
FTADV strings	Allows users to define what should happen during a file transfer. Useful when allocating datasets during transfers.	File transfer advisory strings can be used with Tectia client programs and against the Tectia Server with remote clients.	No
Access to native z/OS utilities and subsystems	Improves workflows and productivity, reduces JCL steps needed to achieve same outcome	Tectia can utilize IEBCOPY, IDCAMS, DFSORT and ADRDSSU. Can access JES and BATCHPIPES subsystems.	No
Connection Monitoring	Allows one to monitor the connection stat, example, number of rekeys, cipher, KEXs, MACs used.	Tectia can view the socket AppData of incoming connections.	Not possible
WTO messaging	WTO (Write-to-operator) messages are useful for admins to view and monitor important information coming from applications.	Tectia server can issue WTO messages, relating to errors and warning. Further, can show successful and failed transfer messages.	No
File-transfer Retry	A failed file transfer is retried when part of the source file/dataset has been transferred to the target, and the transfer is required to be completed	Retry functionality works for both USS and MVS datasets. The retry will resume the transfer from where it failed and not append to the file. Retaining the transferred data.	OpenSSH has a similar feature using the reget/reput commands but is only limited to USS unix files. Further, OpenSSH reget/reput will append to the remote file, and not find the failure point. This may cause corruption of the transferred data.

Who is Tectia for?

Organizations that get the most out of Tectia SSH Server for IBM z/OS, generally:

Need to comply with regulations, such as PCI-DSS or FIPS. For example, US Federal agencies, large financial institutions, credit card companies, retailers, insurance companies, etc.
Require massive file transfers
Need mainframe security controls to mitigate risk from unauthorized use
Need seamless transition from FTP to SFTP
Anyone wishing to easily script file transfer flows for z/OS datasets in their native format without extensive pre and post-processing effort

Learn more about Tectia customers

Tectia is trusted by some of the world's leading enterprises.

Mainframe security resources

DATASHEET: Tectia SSH Server for IBM z/OS

Get the datasheet

BUYER'S GUIDE: Secure Data Communications for IBM z/OS Mainframe

Get the guide

BLOG POST: The Mainframe Isn't Going Anywhere - How Can We Secure It?

Read the blog post

BLOG POST: How to Make Mainframes Quantum-Safe