By Robert MacAdams on Tuesday, 06 November 2018
Category: IBM i iSeries AS400 Software

SFTP FTPS - IBM i iSeries Secure FTP Methods

SFTP and FTPS are secure file transfer methods that the IBM i (AS400, iSeries) supports natively in both client and server roles, so sensitive files can be moved safely to and from any other platform or cloud service. A trading partner's secure FTP requirements may dictate which protocol (SFTP or FTPS) a Managed File Transfer (MFT) project uses; otherwise the choice is usually a matter of preference. Both encrypt the connection, but in different ways: SFTP runs inside the SSH cryptographic protocol, while FTPS wraps classic FTP in TLS (or the older, now deprecated SSL), either implicitly (encryption is always on, from the first byte) or explicitly (negotiated after a plaintext connection is opened). Explicit FTPS can also be used, but because the session starts unencrypted it is not recommended for secure file transfer requirements and is only touched on below.
 
SFTP Secure File Transfer Protocol
The SSH File Transfer Protocol, also called SFTP, Secure Shell FTP and SSH FTP, originated as a Linux and UNIX data transfer tool and is the most common and best supported secure transfer method on the IBM i platform. SFTP encrypts the entire session to and from the transfer target or host. The server is authenticated by its SSH host key, and the client by either a user ID and password or an SSH public/private key pair (SSH keys, not the X.509 certificates that FTPS uses). SFTP is ideal for automating file transfers and is commonly used by MFT (Managed File Transfer) solutions. The IBM i SFTP and FTPS MFT software is the only product that fully supports password-based SFTP in batch mode and the only one that fully implements this authentication method on the IBM i according to the SFTP standard; in batch mode the password must be kept in a protected credential store on the IBM i, never in the job's command line or CL source. Firewall configurations commonly cause problems for FTPS sessions, because FTPS opens a separate data connection for every transfer; SFTP uses a single connection for authentication, commands, file transfers and everything else, which is why it is often chosen.
 
FTPS File Transfer Protocol
The FTPS protocol (with implicit security) is standard FTP with a TLS or SSL encryption layer wrapped around the control and data connections. FTP itself was designed around an interactive command channel plus a separate data connection for each transfer, and FTPS inherits that two-connection design, which is what makes it awkward for firewalls. When implementing FTPS on IBM i, consider using an MFT solution that supports the Clear Command Channel (CCC) command: after authentication it returns the control channel to plaintext so that firewalls and proxy servers can read the PORT/PASV commands and open the right data ports (port management), while the data channel itself stays encrypted under PROT P. You will also want to be able to audit FTPS access to make sure that sessions authenticate properly and comply with regulations. When using FTPS in explicit mode (also known as FTPES), the client connects in plaintext, normally on port 21, and then asks for encryption with the AUTH TLS command; the server decides whether to grant the unsecured client access or refuse the connection, and a poorly written client that ignores a refusal will carry on in the clear. FTPS implicit mode does not negotiate: the TLS handshake happens before any FTP command is exchanged, so the server refuses any unsecured connection, and it usually uses port 990. If you decide to use FTPS on your IBM i, use implicit TLS (SSL is deprecated), or at least require AUTH TLS before login if explicit mode is forced on you, and an MFT product that implements the RFC 2228 FTP security extensions and the RFC 4217 TLS profile. FTPS on IBM i also integrates with the IBM i Digital Certificate Manager (DCM), the IBM i security audit journal (QAUDJRN) and native OS/400 security controls.
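The two FTPS modes described above, as an added example written for this page rather than code from the original post or from any IBM i MFT product. It uses only the Python standard library (ftplib and ssl); Python is available on IBM i in PASE. ftplib only supports explicit mode, so implicit mode is added by wrapping the socket in TLS immediately after the TCP connect. The host name, user name, file paths and CA bundle path are placeholders (assumptions). The client verifies the server certificate, requires TLS 1.2 or later, refuses to send credentials over an unprotected control channel, and sets PROT P so the data connection is encrypted too.

```python
"""Hardened FTPS client for implicit (port 990) and explicit (AUTH TLS) mode.

Added example using only the Python standard library; it is not code from the
original post or from any IBM i MFT product. Host name, user name, file names
and the CA bundle path are placeholders (assumptions).
"""
import ftplib
import socket
import ssl


def build_tls_context(cafile=None):
    """TLS policy for both the control and the data connection: verify the
    server certificate (hostname included) and refuse anything below TLS 1.2.
    cafile may point at a CA bundle exported from DCM, or None for the
    system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


class ImplicitFTP_TLS(ftplib.FTP_TLS):
    """Implicit FTPS: the TLS handshake happens before the first FTP reply,
    so there is no AUTH negotiation that a server could decline.
    ftplib only supports explicit mode, so connect() is overridden to wrap
    the socket right after the TCP connect (mirrors ftplib.FTP.connect)."""

    def connect(self, host="", port=990, timeout=-999, source_address=None):
        if host:
            self.host = host
        if port > 0:
            self.port = port
        if timeout != -999:
            self.timeout = timeout
        if source_address is not None:
            self.source_address = source_address
        self.sock = socket.create_connection(
            (self.host, self.port), self.timeout, source_address=self.source_address)
        self.af = self.sock.family
        # Wrap before reading anything: even the 220 banner arrives over TLS.
        self.sock = self.context.wrap_socket(self.sock, server_hostname=self.host)
        self.file = self.sock.makefile("r", encoding=self.encoding)
        self.welcome = self.getresp()
        return self.welcome


def secure_session(host, user, password, mode="implicit", cafile=None, timeout=30):
    """Open an FTPS session that never sends credentials or data in the clear
    and return the logged-in client with PROT P (encrypted data channel) set."""
    ctx = build_tls_context(cafile)
    if mode == "implicit":
        ftps = ImplicitFTP_TLS(context=ctx, timeout=timeout)
        ftps.connect(host, 990)
    elif mode == "explicit":
        ftps = ftplib.FTP_TLS(context=ctx, timeout=timeout)
        ftps.connect(host, 21)
        # AUTH TLS. A server that answers 5xx makes voidcmd() raise error_perm,
        # so the client fails closed instead of continuing in plaintext.
        ftps.auth()
    else:
        raise ValueError("mode must be 'implicit' or 'explicit'")
    # Never send USER/PASS over an unprotected control channel.
    if not isinstance(ftps.sock, ssl.SSLSocket):
        ftps.close()
        raise RuntimeError("control channel is not TLS-protected; refusing to log in")
    ftps.login(user, password)
    ftps.prot_p()  # PBSZ 0 + PROT P: the data connection is wrapped in TLS as well
    return ftps


if __name__ == "__main__":
    # Placeholder endpoint and file (assumptions); replace with your partner's values.
    session = secure_session("ftps.partner.example", "ibmiuser", "secret",
                             mode="implicit", cafile="/home/ibmiuser/partner-ca.pem")
    with open("/home/ibmiuser/outbound/ach.txt", "rb") as fh:
        session.storbinary("STOR ach.txt", fh)
    session.quit()
```

The explicit-mode branch relies on ftplib raising on a 5xx reply to AUTH TLS; the isinstance check after it is the belt-and-braces guard against any client library that would silently fall back to plaintext.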
 
File and Data Format Specification Support
Compatibility of databases, files and data is an important consideration for any MFT or Secure File Transfer software package for your IBM i. You will likely also want the ability to convert or translate files and data on the fly as part of the file transfer process. Below are the standard file conversion and data translation capabilities provided by the IBM i SFTP and FTPS MFT product:

ASCII/EBCDIC and EBCDIC/ASCII translation
XML/DB2 and DB2/XML translation
EDI ANSI X12 AS2 translation
ISO 8583/DB2 and DB2/ ISO 8583 translation
IBM OS400 translation
Custom data conversion and translation
IBM OS400 translation tables with template in product
 
Note: Data conversion types and formats supported by the product include: DB2, csv, txt, html, pdf, spool file, ASC (fixed-length ASCII) files, tab delimited, relational database files, IBM Queries, email (Final Form Text), internally described files (CVFormat), AS2 and almost any data type supported by IBM i, except Variable Length Character Data (VLCD) and Double Byte Character Set (DBCS) data.

The IBM i SFTP and FTPS MFT software is compatible with the following trading partners:

Banks: Bank of America, Wachovia, Wells Fargo, US Bank, State Street, ABN Amro, CitiGroup, JPMorgan Chase, BankOne, and many others.
Credit Card Payment Processors: Visa, American Express, ADS, Chase Merchant Services/Paymentech, First Data, ValueLink, and many others.
Healthcare: Blue Cross Blue Shield, State of California, State of Florida, Hewitt Associates, ZirMed, WebMD, and many others.
Service Providers: Merrill Lynch, Fidelity, ADP, Frick, TALX, eTRAFX, AllTel, Bell South, and many others.
EDI Networks: GXS, Inovis, Sterling, IBM Advantis (now GXS), Pantellos, and many others.

Encryption for data at rest requirements
Securing file transfers is only part of the equation. Once your sensitive data arrives at its destination, you will also want the contents to be encrypted: data at rest encryption is as important as data in transit. SFTP and FTPS protect the data on the wire, so it only makes sense to protect the file itself as well. The most common practice for securing transferred data at rest is PGP (Pretty Good Privacy) encryption. Both SFTP and FTPS can carry PGP-encrypted files to protect the contents of transmissions. PGP is supported on every platform and used in every industry, including retail, financial services, health care and insurance. Encrypting files with a bare AES key is not a good idea for file transfers, because you would have to share that secret key with your trading partner; PGP avoids this by encrypting each file with a fresh random session key (typically AES) and wrapping that session key with the recipient's public key, so only the holder of the matching private key can open the file.

Commercial PGP encryption offers several advanced security features important to corporations and compliance regulations. It supports Additional Decryption Keys (ADKs): a corporate recovery key to which every outgoing file is also encrypted, so the organization can decrypt what was sent to any recipient without recipients having to share a key. Adding your own decryption key in this way allows recovery of data as part of the audit process and lets you prove what data was sent to a recipient.
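The mechanism behind the two preceding paragraphs (a per-file session key wrapped to each recipient's public key, with the corporate ADK as an extra recipient), as an added example written for this page. It is not code from the original post or from any commercial PGP product, and it is not an OpenPGP implementation: the container layout, RSA-2048/AES-256-GCM choices and the sample file content are assumptions, and it requires the third-party Python `cryptography` package. It shows why no long-term symmetric key ever has to be shared, and why either the trading partner or the ADK holder, but nobody else, can recover the file.

```python
"""PGP-style hybrid encryption of a transferred file, with an Additional
Decryption Key (ADK).

Added example, not code from the original post or from any commercial PGP
product, and not an OpenPGP implementation: it shows the mechanism only
(one random AES-256-GCM session key per file, wrapped to every recipient's
RSA public key). The container layout, key sizes and the sample file content
are assumptions. Requires the third-party 'cryptography' package.
"""
import os
import struct

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP with SHA-256 for wrapping the session key to each recipient.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_keypair():
    """One long-term key pair per party (trading partner, corporate ADK, ...)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def encrypt_for(plaintext, recipient_public_keys):
    """Encrypt the file once under a fresh session key, then wrap that key to
    each recipient. Passing the corporate ADK public key as an extra recipient
    is what lets the sender's organisation recover the file later. No party
    ever has to share a long-term symmetric key.

    Assumed container layout: count | (len, wrapped_key)* | nonce | AES-GCM ciphertext
    """
    session_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(session_key).encrypt(nonce, plaintext, None)

    blob = bytearray(struct.pack(">B", len(recipient_public_keys)))
    for pub in recipient_public_keys:
        wrapped = pub.encrypt(session_key, OAEP)
        blob += struct.pack(">H", len(wrapped)) + wrapped
    blob += nonce + ciphertext
    return bytes(blob)


def decrypt_with(blob, private_key):
    """Any single holder of a wrapped key (the recipient or the ADK owner)
    can recover the file; anyone else gets a ValueError."""
    count = blob[0]
    pos = 1
    session_key = None
    for _ in range(count):
        (wrapped_len,) = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        wrapped = blob[pos:pos + wrapped_len]
        pos += wrapped_len
        if session_key is None:
            try:
                session_key = private_key.decrypt(wrapped, OAEP)
            except ValueError:
                pass  # not wrapped for this key; keep parsing to reach the payload
    if session_key is None:
        raise ValueError("no key packet in this file is decryptable with this key")
    nonce, ciphertext = blob[pos:pos + 12], blob[pos + 12:]
    # GCM tag check: a modified file fails here instead of yielding garbage.
    return AESGCM(session_key).decrypt(nonce, ciphertext, None)


if __name__ == "__main__":
    partner = generate_keypair()   # trading partner's key pair (assumption)
    adk = generate_keypair()       # corporate Additional Decryption Key (assumption)
    sample = b"ACH batch 2018-11-06: constructed sample payload\n"  # constructed input
    encrypted = encrypt_for(sample, [partner.public_key(), adk.public_key()])
    assert decrypt_with(encrypted, partner) == sample
    assert decrypt_with(encrypted, adk) == sample
    print("both the recipient and the ADK holder recovered the file")
```

In a real deployment the public keys would come from a key server or the local PGP key store and the ADK policy would be enforced by the PGP software rather than by the sender remembering to add a recipient; the point of the example is that the wrapped-key slot for the ADK is the only thing that distinguishes a recoverable file from one only the partner can open.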

Key servers and local PGP encrypted key stores are also supported on IBM i (iSeries, AS400) and on the z/OS mainframe. Self-Decrypting Archives (SDA) are supported on every platform. The cryptographic module in commercial PGP is FIPS 140-2 validated.
