Worst Practices: Shouldn't Happen to a Dog
Charon carries Boeing in new 3000 orbit

Ways to make SFTP serve to a 3000 system

Waiter-serviceEarlier this month a seasoned veteran of 3000 development asked how he could get SFTP service supported for his system. He's been managing a 3000 that's been ordered to employ file transfers that are more secure than FTP.

Secure FTP works well enough outbound, thanks to the OpenSSL software ported to the 3000 in WebWise. But incoming SFTP is tougher. Some say it's not possible, but that answer doesn't include any potential for a proxy server. Or a virtualized 3000.

Versions of OpenSSL that were ported to run on native MPE probably won’t satisfy an audit, nor do they have some of the current crypto capabilities that would satisfy things like PCI requirements. There are no developers signed up to continue the OpenSSL port project.

That leaves the proxy solution.

In this solution, a manager would set up a Linux SFTP server with two NICs. NIC 1 goes to the outside world. NIC 2 is a crossover to the HP 3000. From the HP 3000, SFTP to the Linux server via NIC 2.
 
In another scenario, you can FTP between the HP 3000 and a Linux virtual machine. One developer said that on the Linux VM "we have a small application that talks to the HP 3000 via FTP and forwards to and from other machines via SFTP or SSH." He added that the app on the Linux system is written in Java.
 
Migration often includes this kind of expertise. Charles Finley, a veteran of HP 3000 matters since the 1980s, recently raised his hand to offer notes on using an SSH tunnel. "It does not involve coding, the use of libraries and—although you can do it with Linux—does not necessarily involve Linux." He drew a link to an example employing a Windows host, adding that "we use Linux or Windows for this type of thing. Here's a description of how connect to an FTP/SFTP server which can be accessed via another server only, using PuTTY, "something we make use of a lot," Finley said.
 
There's also a simple way to use SFTP by employing Stromasys Charon. Other servers can SFTP to a Linux partition. Charon is hosted under Linux as it emulates the 3000 hardware. This hosted MPE server can then pick the files up internally.
Mark Klein, who bootstrapped the original GNU library for the 3000 that made all of its open source tools possible, says a requirement for the security of encryption could be satisfied with a secure link, rather than secure protocol.
See if you can negotiate with the auditors for an encrypted link instead of an encrypted protocol (tell them that the protocols on the 3000 itself can’t do what they are asking and suggest the alternative). Tell them that the SSL on the 3000 is older than 1.0.x and still won’t pass audit, even if you could make SFTP work.
 
These days, everything less than TLS1.1 is unacceptable.  The OpenSSL on the 3K can’t support that. I’m afraid you might get the SFTP requirement resolved only to then fail on the lack of TLS or the newer ciphers.  

It would be easier to leave the existing processes in place (they work) rather than exchange them for something that is unknown and then wrap that with accepted encryption. 

Comments