Securing FTP/iX

HP has designed a script which allows FTP/iX users to transfer files securely from MPE/iX to remote systems
running HP-UX, Linux, MPE/iX etc. The script provides an option to encrypt files prior to the transfer.
Depending on this encrypt option and a few other considerations, the file is encrypted using the POSIX
CRYPT utility before it is transferred via FTP/iX. If the remote system is also an MPE/iX system, a job is
streamed, via the site stream FTP command, to decrypt the file automatically on the remote machine. If the
remote machine is UNIX based, the file is encrypted on the local system and then transferred to the remote
system. The file can then be decrypted with the crypt command available on the remote system, but the
decryption is not done automatically via FTP/iX. For this case a script is provided on the Jazz web server to
simplify the decryption process; see http://jazz.external.hp.com/src/scripts/sftpput/
which also contains the secure FTP script. The CRYPT utility is available on Jazz at
http://jazz.external.hp.com/src
The following parameters and features are supported by this utility:

SFTPPUT fileset, remoteSystem, remoteUser, remoteDir, encrypt, remoteSysType, remSysHasCrypt

where:
- fileset (required) a single file, a wildcarded fileset, or an indirect file (^filename), which can be
supplied in MPE or POSIX syntax. The format for indirect files is one fully qualified file name per record,
with MPE or POSIX style names supported. E.g. F@, ./f#, /ACCT/dir/f2, ^ftplist, ^/ftp/ftplist.
- remoteSystem (required) the name or IP address of the system to which the file is being transferred.
The remote system can be any flavor of Unix, Windows or MPE, as long as the remote system can decrypt
encrypted files via the POSIX crypt utility. The decryption is done automatically for MPE systems, whereas
non-MPE systems will need to run the crypt utility using the key, which is transferred in its own file,
"FileName.key". Because the key is delivered as a separate file, anyone who obtains both "FileName.key"
and the encrypted file can decrypt it, so the key file must be protected as carefully as the data. For a NETRC
file to be used by FTP, the machine name must match the 'remoteSystem' parameter.
- remoteUser (sometimes optional) the user name which FTP will use to connect to the remote system.
The syntax is "username[:password]" or "username[/password]". To suppress password prompting the
user name should terminate with a ":" or "/", meaning a null password, e.g. 'foo:'. For MPE remote systems
the user name field consists of "user.account". If passwords are embedded in MPE user names the format
is "user/upass.acct/apass" or "user.acct:upass,apass". If all passwords are omitted the user may be
prompted for the passwords; the expected user response for MPE passwords is "userpass,acctpass".
Note: if a comma is used, the entire name needs to be quoted so that the CI treats it as a single token.
Note: this parameter is optional if a NETRC file is present, since NETRC provides automatic FTP logins
without the need to specify user names and passwords. However, if the remote system is MPE and the file
is encrypted, a job named JDECRYPT is streamed to automatically decrypt the FTP'd file. This job needs
to be able to log on to the remote MPE system and thus may need user and/or account passwords. The
SFTPPUT script has no access to passwords contained in a NETRC file. Therefore, for the JDECRYPT job
to log on, either :JOBSECURITY must be set to allow the desired users to log on without passwords, or the
passwords must be provided to this script.
- remoteDir (optional) the name of the directory (or group.account) on the remote system where the file
will be sent. Syntax: "/dir", "./dir", "../dir", "~user", "group.acct", or "group". If omitted, the remote
user's home directory is assumed. It can be useful to specify 'remoteDir' even when the logon is done via
NETRC. This allows the files to be transferred to a location other than the remote
Secure FTP on MPE/iX, 7/18/2008, page 23 of 28, http://jazz.external.hp.com/papers/Securing--Whitepaper.html
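As an added example, not part of HP's whitepaper or of the SFTPPUT script itself, the following Python models the remoteUser syntax described above together with the JDECRYPT logon rule. It splits a value into user, account and passwords, distinguishes an omitted password (FTP will prompt) from an explicit null one (trailing ":" or "/"), quotes the comma form so the CI sees one token, and reports whether a streamed JDECRYPT job could log on without NETRC. All function and field names are my own, and the sample values are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RemoteLogin:
    """One parsed remoteUser value (constructed model, not HP's code)."""
    user: str
    account: Optional[str] = None            # set only for MPE "user.account"
    password: Optional[str] = None           # None: not given, FTP prompts; "": explicit null password
    account_password: Optional[str] = None   # MPE account password, same None/"" convention

    @property
    def will_prompt(self) -> bool:
        """True if FTP (or a streamed JDECRYPT job) still needs to ask for a password."""
        if self.account is None:
            return self.password is None
        return self.password is None or self.account_password is None


def parse_remote_user(spec: str, remote_is_mpe: bool = False) -> RemoteLogin:
    """Split a remoteUser parameter into its parts.

    Non-MPE targets: "username[:password]" or "username[/password]"; a name
    ending in ":" or "/" carries a null password and suppresses prompting.
    MPE targets: "user.account", "user/upass.acct/apass" or "user.acct:upass,apass";
    omitted passwords are prompted for as "userpass,acctpass".
    """
    if not spec:
        raise ValueError("remoteUser must not be empty")

    if not remote_is_mpe:
        for sep in (":", "/"):
            if sep in spec:
                user, _, pw = spec.partition(sep)
                return RemoteLogin(user=user, password=pw)   # pw == "" is a null password
        return RemoteLogin(user=spec)                        # no separator: FTP prompts

    if ":" in spec:                                          # "user.acct:upass,apass"
        name, _, pws = spec.partition(":")
        user, dot, account = name.partition(".")
        if not dot:
            raise ValueError("MPE user names must be user.account")
        upass, comma, apass = pws.partition(",")
        return RemoteLogin(user, account, upass, apass if comma else None)

    user_part, dot, acct_part = spec.partition(".")          # "user[/upass].acct[/apass]"
    if not dot:
        raise ValueError("MPE user names must be user.account")
    user, has_upass, upass = user_part.partition("/")
    account, has_apass, apass = acct_part.partition("/")
    return RemoteLogin(user, account,
                       upass if has_upass else None,
                       apass if has_apass else None)


def ci_token(login_spec: str) -> str:
    """Quote the remoteUser value for the CI command line when it contains a
    comma, so the ':upass,apass' form is passed as a single parameter."""
    return f'"{login_spec}"' if "," in login_spec else login_spec


def jdecrypt_can_logon(login: RemoteLogin, encrypt: bool,
                       jobsecurity_allows_no_password: bool = False) -> bool:
    """For an encrypted transfer to an MPE target the streamed JDECRYPT job must
    log on by itself: it cannot read NETRC passwords, so either every password
    is in the remoteUser value or :JOBSECURITY must allow password-less logon."""
    if not encrypt or login.account is None:
        return True                      # no decrypt job is streamed
    return jobsecurity_allows_no_password or not login.will_prompt


if __name__ == "__main__":
    # constructed sample values: two Unix-style and three MPE-style user names
    for spec, mpe in (("foo:", False), ("foo", False),
                      ("mgr/upw.acct/apw", True), ("mgr.acct:upw,apw", True), ("mgr.acct", True)):
        login = parse_remote_user(spec, mpe)
        print(f"{ci_token(spec):22} -> {login}  prompts={login.will_prompt}  "
              f"JDECRYPT ok={jdecrypt_can_logon(login, encrypt=True)}")
```

The distinction between `None` and `""` is the point of the model: 'foo:' is a deliberate null password and never prompts, while 'foo' leaves FTP to ask. For MPE targets, `jdecrypt_can_logon` is false exactly when the file is encrypted and any MPE password is missing, which is the case the whitepaper says requires either :JOBSECURITY or passwords passed to the script.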