Securing 3000 FTP: Clients yes, servers no
December 4, 2009
When long-time 3000 customer Eveready Insurance asked if Secure FTP (SFTP) is available for the server, the short answer was yes. And no.
A client version of the software to secure file transfers has been available for the 3000 for some time. What the 3000 lacks for now is a secure FTP server module. This means that the HP 3000 must initiate each secure file transfer process.
HP's response center engineer Cathlene McRae has pointed customers to a 2008 HP white paper on the subject of securing 3000 file transfers, a document which is honest about how far MPE goes to support the FTP industry standard. McRae admitted that MPE/iX doesn't provide a version of SFTP in addition to the 3000's regular FTP/iX. Once the invent3k public access development server accounts are restored for the community -- a project OpenMPE has been working on since September -- a true SFTP server module might proceed toward a release. A volunteer for that project would have to step up, too.
HP's white paper reports that HP created a script called crypt that can secure 3000 transfers. The good news is that even though HP has closed down its Jazz server, crypt is still available to the community. Speedware is hosting crypt (a tarball that can be downloaded) as part of its collection of Jazz programs.
HP's paper says in part:
HP has designed a script which will allow FTP/iX users to transfer files securely from MPE/iX to remote systems running HP-UX, Linux, MPE/iX etc. The script provides an option to encrypt files prior to the transfer. Depending on this “encrypt” option and a few other considerations, the file will be encrypted using the POSIX CRYPT utility, before it is transferred via FTP/iX.
Brian Edminster of Applied Technologies has explained the differences between full SFTP support and the state of secure transfers using MPE/iX 7.5. In a report from earlier this year, Edminster said, "while files can be put to or retrieved from other systems, since only the SFTP client is available, the 3000 must originate the transaction. This can make for some process redesigns if your existing applications are used to your 3000 being the ‘server’."
That SFTP server module -- the element that prevents 3000 managers from saying the system supports SFTP -- is in a double limbo this month. A first pass at creating a port of OpenSSH for MPE/iX is included in the invent3k files of Ken Hirsch. But invent3k, like the Contributed Software Library and the Jazz programs, is still being set up by OpenMPE. Speedware and Client Systems haven't signed up to host invent3k. OpenMPE's mission remains keeping the 3000 up to date once these porting projects become available to the community again.