SFTP Protocol for IBM i
IBM i SFTP is also known as Secure FTP, SSH FTP and Secure Shell FTP. SFTP encrypts the entire transfer session, and allows server-side public key authentication certificates and client-side authorization certificates. SFTP is commonly used in Managed File Transfer (MFT) products for automating file transfers. The IBM i SFTP and FTPS MFT software fully supports password-based SFTP in batch mode and is the only software that fully implements this IBM i authentication safeguard according to the standard. SFTP uses a single encrypted connection for authentication, sending commands and transferring files, which provides some advantages over FTPS. Secure file transfers passing through multiple firewalls can take some time to figure out when using FTPS sessions, especially for an IBM i department. SFTP was originally a Linux and UNIX data transfer tool, but is now natively supported by OS400 using the IBM i OpenSSH application.
FTPS Protocol for IBM i
The FTPS protocol uses the standard FTP protocol and adds an SSL or TLS encryption layer. FTPS was created for systems to securely communicate and run commands, not for secure transfers. FTPS implicit is the only recommended mode for sending sensitive data, as it does not allow negotiation. FTPS implicit mode typically uses port 990 and will refuse unsecure connections. FTPES, or FTPS explicit mode, is never recommended for sending sensitive data, because the FTPS client can choose not to use encryption for communication. However, the FTPS server is able to determine whether it will allow access to the unsecure client or reject the connection. When implementing FTPS on IBM i, consider using an MFT solution that supports CCC ("Clear Channel Command"), which provides intelligent firewall negotiation. You will also want to be able to audit FTPS access to make sure that the sessions authenticate properly and comply with regulations.
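One way to audit explicit-mode sessions for the problem described above, as an added example that is not code from the MFT product: it walks a control-channel transcript and flags credentials or transfers sent without encryption. The transcript format (command text plus reply code) and the sample sessions are constructed assumptions; the AUTH, PROT and CCC commands and their reply codes follow RFC 2228 and RFC 4217.

```python
"""Audit explicit-mode FTPS (FTPES) control-channel transcripts.

Constructed example: the (command, reply_code) transcript format is an
assumption, not the output of any particular IBM i product.
"""

DATA_COMMANDS = {"STOR", "RETR", "LIST", "NLST", "APPE", "STOU", "MLSD"}


def audit_session(transcript):
    """Return a list of findings for one session's (command, reply) pairs."""
    control_encrypted = False  # explicit mode starts in clear text
    data_protection = "C"      # default data channel level is Clear
    findings = []

    for line, reply in transcript:
        parts = line.split()
        if not parts:
            continue
        verb = parts[0].upper()
        arg = parts[1].upper() if len(parts) > 1 else ""

        if verb == "AUTH" and reply == 234:
            control_encrypted = True       # TLS negotiated on control channel
        elif verb == "PROT" and reply == 200:
            data_protection = arg          # "P" = private (encrypted) data
        elif verb == "CCC" and reply == 200:
            control_encrypted = False      # control channel back to clear text
        elif verb in ("USER", "PASS") and not control_encrypted:
            # Sent in the clear whether or not the server accepted it.
            findings.append(f"{verb} sent on clear-text control channel")
        elif verb in DATA_COMMANDS and 200 <= reply < 400 and data_protection != "P":
            findings.append(f"{verb} transferred without PROT P")
    return findings


# Constructed sample sessions (credentials masked).
GOOD = [("AUTH TLS", 234), ("USER batch", 331), ("PASS ****", 230),
        ("PBSZ 0", 200), ("PROT P", 200), ("STOR payroll.pgp", 226)]
CLEAR_LOGIN = [("USER batch", 331), ("PASS ****", 230),
               ("STOR payroll.pgp", 226)]
NO_PROT = [("AUTH TLS", 234), ("USER batch", 331), ("PASS ****", 230),
           ("RETR report.csv", 226)]
# CCC after login: commands go clear for the firewall, data stays encrypted.
WITH_CCC = GOOD[:5] + [("CCC", 200), ("STOR payroll.pgp", 226)]

if __name__ == "__main__":
    for name, s in [("GOOD", GOOD), ("CLEAR_LOGIN", CLEAR_LOGIN),
                    ("NO_PROT", NO_PROT), ("WITH_CCC", WITH_CCC)]:
        print(name, audit_session(s) or "ok")
```
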
Encrypting Data At Rest
After sending your data securely from one system to another, it's a good practice to encrypt the data as well, especially if you have no control of the data once it is at its resting place. Most companies use commercial PGP encryption, since it's widely supported on every platform and has a tried and true standard that is FIPS 140-2 certified. The IBM i SFTP and FTPS protocols can both incorporate PGP file encryption. Since you will be required to share your encryption key with your trading partners, AES encryption is not recommended.
Commercial PGP encryption provides many advanced security features which most companies with compliance regulations need to use, including Additional Decryption Keys (ADK), which let companies send encrypted files to multiple trading partners without using the same key. ADK also allows companies to add their own decryption keys, enabling separation of duties, recovery of data as part of the audit process, and control of which recipients receive specific data. Both IBM i and IBM z Mainframe systems support key servers and local PGP encrypted key stores. Self-Decrypting Archives (SDA) are supported on every platform.
The IBM i SFTP and FTPS MFT software uses SSH or implicit SSL for encryption, and is the only IBM i product that implements the RFC 2228 standard. It also integrates with the IBM i Digital Certificate Manager (DCM), creates a detailed audit trail in the IBM i security audit journal and uses native OS400 security controls. The IBM i SFTP and FTPS MFT software is compatible with the following:
Banks: Wells Fargo, CitiGroup, JPMorgan Chase, Bank of America, Wachovia, US Bank, State Street, ABN Amro, BankOne, and many others.
Credit Card Payment Processors: Visa, American Express, Chase Merchant Services/Paymentech, First Data, ValueLink, ADS and many others.
Healthcare: Blue Cross Blue Shield BCBS, State of California, State of Florida, Hewitt Associates, ZirMed, WebMD, and many others.
Service Providers: Merrill Lynch, Fidelity, ADP, Frick, TALX, eTRAFX, AllTel, Bell South, and many others.
EDI Networks: GXS, Inovis, Sterling, IBM Advantis (now GXS), Pantellos, and many others.