Ways to make SFTP serve to a 3000 system
July 30, 2018
Earlier this month a seasoned veteran of 3000 development asked how he could get SFTP service supported for his system. He's been managing a 3000 that's been ordered to employ file transfers that are more secure than FTP.
Secure FTP works well enough outbound, thanks to the OpenSSL software ported to the 3000 in WebWise. But incoming SFTP is tougher. Some say it's not possible, but that answer doesn't include any potential for a proxy server. Or a virtualized 3000.
Versions of OpenSSL that were ported to run on native MPE probably won’t satisfy an audit, nor do they have some of the current crypto capabilities that would satisfy things like PCI requirements. There are no developers signed up to continue the OpenSSL port project.
That leaves the proxy solution.
See if you can negotiate with the auditors for an encrypted link instead of an encrypted protocol (tell them that the protocols on the 3000 itself can’t do what they are asking and suggest the alternative). Tell them that the SSL on the 3000 is older than 1.0.x and still won’t pass audit, even if you could make SFTP work. These days, everything less than TLS 1.1 is unacceptable. The OpenSSL on the 3K can’t support that. I’m afraid you might get the SFTP requirement resolved only to then fail on the lack of TLS or the newer ciphers.
It would be easier to leave the existing processes in place (they work) rather than exchange them for something that is unknown and then wrap that with accepted encryption.