Mainframe SFTP – Overcome Inherent FTP Shortcomings

z/OS has three operational environments: interactive computing using the Time Sharing Option (TSO); batch processing using the Job Entry System (JES) and controlling programs written in Job Control Language (JCL); and UNIX System Services (USS), the POSIX-compatible environment. The first two are the core of z/OS and are referred to as Multiple Virtual Storage (MVS). Because the MVS file system is completely different from those in the UNIX environment, z/OS has to deal with two file systems. To make these file systems compatible, MVS data sets are presented to USS as discs or logical volumes. WebSphereAS and z/OS Communication Server both operate in the MVS and UNIX worlds and provide FTP and TELNET for transferring data.

But the FTP model is not suitable for big business because of some shortcomings:

• Data compression is not native to the FTP protocol and is rarely available.

• FTP transmissions are sent in clear text; in other words, any eavesdropper can easily see user IDs, passwords and data files.

• FTP transfers require two connections to operate: one for the commands and the other for data. Because of this, special effort is required to overcome issues with active and passive FTP and to use FTP in a firewall-secured network.

• Data integrity verification at the application level is not possible with FTP, so data can be damaged or altered during transfer without the knowledge of the receiver.

For UNIX and other VT100 terminal dominated environments, SSH File Transfer Protocol (SFTP) and SSH Copy (SCP) replaced insecure FTP and TELNET. SFTP and SCP are the cross-platform de facto standard for secure file transfer. However, the SFTP and SCP of OpenSSH are restricted to UNIX files on ZFS and HFS, and it is not possible to access MVS data sets through SFTP and SCP. On a positive note, some UNIX commands of USS, such as cp, cat and mv, are extended to access MVS data sets, and the TSO commands OGET, OPUT and OCOPY allow file exchange between MVS and USS. To transfer a file onto z/OS for processing, the file is first transferred via SFTP into an HFS/ZFS file; the commands mentioned above then copy the UNIX file into an MVS data set, and batch processing can take place unmodified on this new MVS data set. Then, in JCL decks, the UNIX file can be specified in the DD statements for the batch jobs.
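
The staging step described above, as an added example that is not part of the original article: a z/OS UNIX shell helper that checks a data set name against the MVS naming rules before handing it to cp in the `//'DATA.SET.NAME'` form. The function names, the DRY_RUN switch and the sample names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): stage a file that arrived over SFTP
# into an MVS data set from the z/OS UNIX shell. All names are constructed.
LC_ALL=C; export LC_ALL

# MVS data set name rules: at most 44 characters, dot-separated qualifiers of
# 1-8 characters, first character A-Z or national (@ # $), the rest A-Z, 0-9,
# national or hyphen. Anything else (quotes, slashes, spaces) is rejected so a
# name taken from a partner's manifest cannot turn into a path or an option.
valid_dsn() {
    [ -n "$1" ] && [ "${#1}" -le 44 ] || return 1
    case $1 in *[!A-Z0-9@#\$.-]*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^[A-Z@#$][A-Z0-9@#$-]{0,7}(\.[A-Z@#$][A-Z0-9@#$-]{0,7})*$'
}

# Build the target form that cp accepts for a fully qualified data set name.
mvs_target() {
    valid_dsn "$1" || return 1
    printf "//'%s'\n" "$1"
}

# Copy a staged UNIX file into a data set.
# Returns 2 for a bad data set name and 3 if the source is not a regular file.
# With DRY_RUN=1 (hypothetical switch) the command is printed, not executed.
stage_to_mvs() {
    src=$1
    target=$(mvs_target "$2") || {
        echo "invalid data set name: $2" >&2
        return 2
    }
    # Refuse symlinks so the SFTP landing directory cannot redirect the read.
    [ -f "$src" ] && [ ! -L "$src" ] || {
        echo "not a regular file: $src" >&2
        return 3
    }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'cp %s "%s"\n' "$src" "$target"
    else
        cp "$src" "$target"
    fi
}

# Usage on z/OS (constructed names):
#   stage_to_mvs /u/xfer/inbound/orders.txt PROD.ORDERS.INBOUND
```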

The migration from FTP to SFTP has a deep impact on the batch jobs, though. The batch jobs must be modified on both the server and the client sides, so the migration effort can be huge without some commercially available software to assist.

On the other hand, FTPS is an easier way to improve security, but the risk of incompatibility increases. SFTP and SCP, by contrast, are the de facto common standard on the dominant system platforms, and often one product can be used on different operating systems. This in turn reduces the risk of incompatibility.