If authentication is used, the instance identification is of particular significance.
Instance identifications
The instance ID must be unique throughout the network irrespective of case.
Local instance identification
During installation, the name of the computer in the local network is defined by default as the instance ID. If it cannot be guaranteed that this name is unique in the network then you must change the instance ID. To do this, use the following command:
FTMODOPT, IDENTIFICATION=instance-id
Instance identification of partners
Store the instance IDs of partner systems in the partner list using the IDENTIFICATION parameter of the FTADDPTN or FTMODPTN command. With the aid of the partner systems’ instance IDs, openFT manages the resources assigned to those partners, such as request queues and cryptographic keys.
Creating and managing local RSA key pairs
RSA keys are used for authentication as well as for the negotiation of the AES key with which the request description data and file contents are encrypted.
You can use the following commands to generate and manage local RSA keys:
Command | Function
FTCREKEY | creates an RSA key pair set for the local openFT instance
FTSHWKEY | shows the attributes of all keys in the local system
FTUPDKEY | updates the public keys
FTDELKEY | deletes local RSA key pair sets
FTMODKEY | modifies RSA key attributes
FTIMPKEY | imports RSA keys
Key pair attributes
Each RSA key pair consists of a private and a public key. There can exist up to three key pair sets, each consisting of three key pairs with lengths of 768, 1024 and 2048 bits. The FTCREKEY command generates new key pairs for each of these lengths.
Private keys are internally administered by openFT. Public keys are stored on the configuration user ID of the openFT instance (standard: $SYSFJAM), under the following name:
<inst>.SYSPKF.R<key reference>.L<key length>
The key reference is a numeric designator for the version of the key pair.
The public key files are text files, which are created in the character code of the respective operating system, i.e. EBCDIC.DF04-1 for BS2000 and z/OS, ISO8859-1 for Unix systems and CP1252 for Windows systems.
Storing comments
In a SYSPKF.COMMENT file on the configuration user ID of the openFT instance, you can store comments, which are written in the first lines of the public key files when a key pair set is created. Comments could, for example, contain the contact data for the FT administrator on duty, the computer name, or similar information that is important for partners. The lines in the SYSPKF.COMMENT file may be a maximum of 78 characters in length. Using the FTUPDKEY command, you can import updated comments from this file into existing public key files at a later time.
Updating and replacing keys
If a public key file has been unintentionally deleted or otherwise manipulated, you can recreate the public key files of the existing key pair sets using FTUPDKEY.
If you want to replace a key pair set with a completely new one, you can create a new key pair set using FTCREKEY. You can identify the most current public keys by the highest value key reference in the file name. openFT supports a maximum of three key pair sets at a time. The existence of several keys should only be temporary, until you have made the most current public keys available to all the partner systems. Afterwards, you can delete the key pair sets no longer needed using FTDELKEY.
If the openFT administrator is not the same as the system administrator, it must be ensured that this administrator has access to the SYSPKF files and the <inst>.SYSKEY library on the OPENFT QUALIFIER of the openFT instance. This can be done, either by assigning operating system-specific access rights or by setting up corresponding FTAC admission profiles.
Importing keys
You can use the FTIMPKEY command to import the following keys:
Private keys that were generated with an external tool (i.e. not via openFT). When importing a private key, openFT generates the associated public key and stores it under the configuration user ID of the openFT instance, see “Key pair attributes”. This key can be used in the same way as a key generated with FTCREKEY and distributed to partner systems.
Public keys of partner instances. These keys must have the openFT key format (syspkf), i.e. they must have been generated by the partner's openFT instance. openFT stores the key in the SYSKEY library, see “Managing the keys of partner systems”.
Every imported key pair is assigned a unique reference number. Only RSA keys with the supported key lengths (768, 1024 and 2048 bits) are imported.
openFT supports key files in the following formats:
PEM format (native PEM)
The PEM-coded files must be present in EBCDIC format.
PKCS#8 format, either unencrypted (without password phrase) or encrypted according to v1/v2 with a password phrase (PEM-coded).
You must specify the password phrase used for encryption in the password parameter when you perform the import.
PKCS#12 v1 format in the form of a binary file. The file is searched for a private key and any non-supported elements (e.g. certificates, CRLs) are ignored during the import. If the certificate is protected by a signature or hash then openFT does not perform a validity check. The validity of the file must be verified using other means. The first private key that is found in the file is imported. Any others are ignored.
You must specify the password phrase used for encryption in the password parameter when you perform the import.
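The following check is an added example and not part of openFT: before running FTIMPKEY it tells you which of the three supported formats a key file is in, whether a password phrase has to be supplied in the password parameter, and whether a PEM-coded file is in EBCDIC as openFT on z/OS expects it. Assumptions: EBCDIC.DF04-1 is not a Python codec, so cp500 stands in for it (the characters a PEM file contains sit at the same code points in both); the PKCS#12 detection only looks at the outer DER SEQUENCE tag, it is not a PKCS#12 parser; the sample files are constructed placeholders, not real keys.

```python
"""Classify a key file before FTIMPKEY: which supported format it is in and
whether a password phrase must be supplied. Added example, not openFT code."""
import re

# openFT expects PEM-coded files in EBCDIC on z/OS. EBCDIC.DF04-1 is not a
# Python codec; cp500 is used as a stand-in (assumption): the characters a PEM
# file contains (letters, digits, '+', '/', '=', '-', newline) coincide in both.
EBCDIC_CODEC = "cp500"

# PEM type label -> (format name as the manual lists it, password phrase required)
PEM_TYPES = {
    "RSA PRIVATE KEY": ("PEM (native)", False),
    "PRIVATE KEY": ("PKCS#8, unencrypted", False),
    "ENCRYPTED PRIVATE KEY": ("PKCS#8, encrypted", True),
}
PEM_HEADER = re.compile(r"-----BEGIN ([A-Z ]+)-----")
PEM_FOOTER = re.compile(r"-----END ([A-Z ]+)-----")


def classify_key_file(data):
    """Return (format, password_required, encoding) for the bytes of a key file."""
    # Try both text interpretations. An ASCII PEM file decoded as EBCDIC (or the
    # other way round) never yields a BEGIN line, so the order does not matter.
    for codec in (EBCDIC_CODEC, "ascii"):
        text = data.decode(codec, errors="replace")
        header = PEM_HEADER.search(text)
        if header is None:
            continue
        footer = PEM_FOOTER.search(text)
        if footer is None or footer.group(1) != header.group(1):
            raise ValueError("PEM header and footer do not match")
        label = header.group(1)
        if label not in PEM_TYPES:
            raise ValueError(f"unsupported PEM type: {label}")
        fmt, needs_password = PEM_TYPES[label]
        return fmt, needs_password, codec
    # No PEM armour: a PKCS#12 v1 file is DER, whose outer element is an ASN.1
    # SEQUENCE (tag 0x30). Heuristic only; the validity of the file still has to
    # be verified by other means, as the manual says.
    if data[:1] == b"\x30":
        return "PKCS#12 v1 (binary)", True, "binary"
    raise ValueError("not a recognised key file")


# Constructed samples; the base64 bodies are placeholders, not real key material.
SAMPLE_ASCII_PKCS8_ENC = (
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    b"MIIBvTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI\n"
    b"-----END ENCRYPTED PRIVATE KEY-----\n"
)
SAMPLE_EBCDIC_NATIVE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n"
).encode(EBCDIC_CODEC)
SAMPLE_PKCS12 = b"\x30\x82\x0a\x10\x02\x01\x03\x30\x82\x09\xd6"  # DER SEQUENCE prefix only

if __name__ == "__main__":
    for name, sample in (("ascii pkcs8", SAMPLE_ASCII_PKCS8_ENC),
                         ("ebcdic pem", SAMPLE_EBCDIC_NATIVE_PEM),
                         ("pkcs12", SAMPLE_PKCS12)):
        fmt, pw, enc = classify_key_file(sample)
        print(f"{name}: {fmt}; password phrase {'required' if pw else 'not needed'}; coded as {enc}")
```

A native PEM or PKCS#8 file that classifies as `ascii` still has to be converted to EBCDIC before openFT on z/OS will accept it; the function reports the coding precisely so that this step is not forgotten.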
Managing the keys of partner systems
The public keys of the partner systems are to be stored in z/OS as members in the <inst>.SYSKEY library under the OPENFT QUALIFIER of the local openFT instance.
The partner name of the partner system as defined in the partner list must be selected as the element name.
You can import the public key of a partner system in the following ways:
You can specify the name of the key file in the FTIMPKEY command. When you perform the import, openFT checks whether there is a partner list entry with the instance ID that is stored in the key file. If there is then openFT stores the key under the partner's name in the SYSKEY library.
You can use the tools available in the operating system to copy the key file in the correct format to the SYSKEY library and save it there under the partner's name.
If an updated public key is made available by the partner instance, the old key must be overwritten by it.
You can use the command FTSHWKEY ...SELECT=*PAR(PARTNER-NAME=...) to display the keys of partner systems and filter on expiration date.
Modifying the keys of partner systems
You can use the FTMODKEY command to modify the keys of partner systems by specifying an expiration date or modifying the authentication level (1 or 2):
If you specify an expiration date then it is no longer possible to use the key once this date has expired.
If you set authentication level 2 then openFT also performs internal checks. Level 2 is supported for all openFT partners as of Version 11.0B. Level 1 authentication attempts to this partner are rejected.
You can make these settings for a specific partner or for all partners, as you require, and modify them subsequently if necessary.
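As an added example (not openFT code), the two FTMODKEY settings described above can be modelled as a small policy check: an authentication attempt is rejected when the partner key's expiration date has passed or when level 2 is configured and the attempt is only level 1, and an expiry report lists the partners whose keys run out within a given number of days, which is what filtering FTSHWKEY output on the expiration date gives you. Assumptions: the partner names and dates are constructed; a key is treated as usable up to and including its expiration date.

```python
"""Policy checks for partner keys as set with FTMODKEY (expiration date,
authentication level) plus an expiry report. Added example, not openFT code."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class PartnerKey:
    partner_name: str            # element name in the <inst>.SYSKEY library
    key_reference: int           # numeric version of the partner's key pair
    expiration: Optional[date]   # None: no expiration date set
    auth_level: int              # 1 or 2, as set with FTMODKEY


def check_authentication(key, attempt_level, today):
    """Decide whether an authentication attempt may use this partner key.

    Assumption: the key is usable up to and including the expiration date
    (the manual says it can no longer be used once the date has expired)."""
    if key.expiration is not None and today > key.expiration:
        return False, (f"key R{key.key_reference} of {key.partner_name} "
                       f"expired on {key.expiration.isoformat()}")
    if key.auth_level == 2 and attempt_level < 2:
        return False, (f"{key.partner_name} requires authentication level 2; "
                       f"level {attempt_level} attempt rejected")
    return True, "accepted"


def keys_expiring_within(keys, days, today):
    """Partners whose key expires within `days` from today, or has already expired."""
    horizon = today + timedelta(days=days)
    return sorted(k.partner_name for k in keys
                  if k.expiration is not None and k.expiration <= horizon)


# Constructed partner list; names and dates are made up.
PARTNERS = [
    PartnerKey("FTUNIX01", 3, date(2024, 6, 30), 2),
    PartnerKey("FTWIN02", 1, None, 1),
    PartnerKey("FTBS2K03", 2, date(2024, 3, 31), 2),
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    for p in PARTNERS:
        print(p.partner_name, check_authentication(p, 1, today))
    print("keys expiring within 30 days:", keys_expiring_within(PARTNERS, 30, today))
```

Running the expiry report regularly (and renewing keys before the horizon is reached) avoids the situation in which a partner's transfers start failing because nobody noticed the expiration date set with FTMODKEY.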
Distributing the keys to partner systems
Distributing the public key files to your partner systems should take place by secure means, for example by
distribution by cryptographically secure e-mail
distribution on a CD (by courier or by registered mail)
distribution via a central openFT file server, the public keys of which are in the partners’ possession
If you transmit your public key files to partner systems running Unix or Windows operating systems, you must ensure that these files are re-coded from EBCDIC.DF04-1 to ISO 8859-1 or CP1252 (e.g. by transferring them as a text file via openFT).
The public key file of your local openFT instance is stored in the partner system in the following location:
For partners with openFT (BS2000), as a type D PLAM element in the SYSKEY library on the configuration user ID of the partner instance. The partner name allocated for your openFT instance in the remote network description file or in the remote partner list must be selected as the element name.
For partners with openFT (Unix systems), in the /var/openFT/<instance>/syskey directory. The instance ID of your local openFT instance must be selected as the file name. The file name must not contain any uppercase letters. If the instance ID contains uppercase letters, these must be converted to lowercase in the file name.
For partners with openFT (Windows), in the directory <openFT installation directory>\var\<Instance>\syskey, or in newer Windows versions such as Windows 10 in %ProgramData%\Fujitsu Technology Solutions\openFT\var\std\syskey. The instance ID of your local openFT instance must be selected as the file name.
For partners with openFT (z/OS), as a PO element in the <inst>.SYSKEY library. The partner name allocated for your openFT instance in the remote network description file or partner list must be selected as the element name.
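The example below is added here and is not openFT code; it ties together the key replacement rules from “Updating and replacing keys” and the distribution rules above. It parses the public key file names <inst>.SYSPKF.R<key reference>.L<key length>, picks the most current set (highest key reference), lists the older references that become candidates for FTDELKEY once every partner holds the current keys, refuses more than three sets, derives the name under which each partner operating system stores the file (lowercase instance ID for Unix, instance ID as-is for Windows, the remote partner name as element name for BS2000 and z/OS), and re-codes an EBCDIC text file to ISO 8859-1 or CP1252. Assumptions: cp500 stands in for EBCDIC.DF04-1 (the PEM character set coincides); the file list and instance names are constructed; the partner OS labels are this example's own.

```python
"""Pick the most current local public key set and work out where each partner
stores it. Added example, not openFT code."""
import re
from collections import defaultdict

# Public key file names on the configuration user ID:
#   <inst>.SYSPKF.R<key reference>.L<key length>
SYSPKF_RE = re.compile(r"^(?P<inst>[A-Z0-9$#@.]+)\.SYSPKF\.R(?P<ref>\d+)\.L(?P<len>\d+)$")
SUPPORTED_LENGTHS = (768, 1024, 2048)
MAX_KEY_PAIR_SETS = 3
EBCDIC_CODEC = "cp500"  # stand-in for EBCDIC.DF04-1 (assumption; PEM characters coincide)


def parse_syspkf_name(name):
    """Split a public key file name into (instance qualifier, key reference, key length)."""
    m = SYSPKF_RE.match(name)
    if m is None:
        raise ValueError(f"not a SYSPKF file name: {name}")
    length = int(m.group("len"))
    if length not in SUPPORTED_LENGTHS:
        raise ValueError(f"unsupported key length {length} in {name}")
    return m.group("inst"), int(m.group("ref")), length


def key_pair_sets(names):
    """Group public key files by key reference: {reference: {length: file name}}."""
    sets = defaultdict(dict)
    for name in names:
        _, ref, length = parse_syspkf_name(name)
        sets[ref][length] = name
    if len(sets) > MAX_KEY_PAIR_SETS:
        raise ValueError(f"{len(sets)} key pair sets found; openFT supports at most {MAX_KEY_PAIR_SETS}")
    return dict(sets)


def current_reference(names):
    """The most current set carries the highest key reference."""
    return max(key_pair_sets(names))


def obsolete_references(names):
    """Older sets: delete them with FTDELKEY once every partner has the current public keys."""
    current = current_reference(names)
    return sorted(ref for ref in key_pair_sets(names) if ref != current)


def partner_side_name(local_instance_id, partner_os, remote_partner_name=None):
    """Name under which a partner must store our public key file (location in comments)."""
    if partner_os == "unix":
        # /var/openFT/<instance>/syskey/<file>: file name is our instance ID, lowercase only
        return local_instance_id.lower()
    if partner_os == "windows":
        # <openFT installation directory>\var\<Instance>\syskey or
        # %ProgramData%\Fujitsu Technology Solutions\openFT\var\std\syskey: file name = instance ID
        return local_instance_id
    if partner_os in ("bs2000", "zos"):
        # SYSKEY library (PLAM type D element / PO member): element name = the partner
        # name the remote side allocated to our instance in its partner list
        if not remote_partner_name:
            raise ValueError("BS2000 and z/OS partners store the key under the remote partner name")
        return remote_partner_name
    raise ValueError(f"unknown partner operating system: {partner_os}")


def recode_for_ascii_partner(ebcdic_text, target="iso8859-1"):
    """Re-code a public key file from EBCDIC to ISO 8859-1 (Unix) or CP1252 (Windows),
    the local equivalent of transferring it as a text file via openFT."""
    return ebcdic_text.decode(EBCDIC_CODEC).encode(target)


# Constructed file list: two complete key pair sets of instance qualifier FT1.
LOCAL_KEY_FILES = [f"FT1.SYSPKF.R{ref}.L{length}"
                   for ref in (1, 2) for length in SUPPORTED_LENGTHS]

if __name__ == "__main__":
    ref = current_reference(LOCAL_KEY_FILES)
    print("current key reference:", ref, key_pair_sets(LOCAL_KEY_FILES)[ref])
    print("candidates for FTDELKEY:", obsolete_references(LOCAL_KEY_FILES))
    print("file name on a Unix partner:", partner_side_name("MVSHOST1", "unix"))
    print("element name on a z/OS partner:", partner_side_name("MVSHOST1", "zos", "FTZOS01"))
```

The `obsolete_references` list is deliberately only a report: the manual's order is to distribute the current public keys first and run FTDELKEY afterwards, so the older set must stay until every partner has confirmed the update.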