
Secure, automate & optimize mainframe communications

Tectia SSH Server for IBM z/OS is the most trusted remote access and secure FTP server software in the industry. It's easy to set up and combines enterprise-grade reliability with high performance and a light toll on cryptographic processing.


Fast-track mainframe security

For many vendors, data that needs to be moved between a mainframe and a distributed system has to be manually converted to a viable and actionable format — but it can be a convoluted process. It requires configuring thousands or even millions of files by hand. It also leads to data transformations that require further handling.

With Tectia SSH Server for IBM z/OS, you can avoid manual and complicated processes by utilizing Tectia's automation features. You can:

  • Enable seamless FTP-SFTP conversion to ramp up mainframe security without JCL modifications

  • Enable direct access to MVS formats and efficient automation tools, while avoiding preprocessing, staging, and manual actions


Direct access to data sets without staging

With Tectia for IBM z/OS, you can improve your productivity and operational efficiency:

  • Run batch jobs in parallel instead of in sequence. Tectia for z/OS is capable of operating with different dataset definitions and retains and writes the metadata for a wide variety of dataset types, such as PDS(E) load libraries.

  • Get direct access to datasets without having to write datasets to files.

  • Get notifications of successful or failed data transfers with retry/restart options.

  • Enjoy seamless character-set conversions from preexisting and customizable code pages, enabling clean transfers between mainframe, Windows, and Unix.


Multi-layer security that meets regulations, including GDPR, SOX, GLBA, PCI DSS, and HIPAA

Tectia Server for z/OS offers:

  • Enhanced security by reducing the risk of breaches and data loss

  • Compliance with regulations (e.g. PCI-DSS, SOX, HIPAA, FISMA)

  • A path to Post-Quantum Cryptography as your needs evolve

  • zIIP cryptography off-loading


Ensure business continuity

Tectia Server for z/OS offers: 

  • Increased efficiency and reduced admin costs through easy setup, CPU optimization, maintenance, and solution support

  • Ensured business continuity and full compatibility with the SSH Tectia family

  • Uninterrupted operations with 24/7 support

Main features


Ease of use

  • ISPF application for installation and configuration
  • Configurable FTP fallback option for controlled and phased deployment
  • System-wide and user-specific file transfer profiles
  • Listing of MVS data sets as files and folders for easy interactive command-line use

User and server authentication

  • Authentication and access control through SAF calls to RACF, ACF2, and TSS
  • User authentication with passwords
  • User and server authentication with X.509 certificates
  • User and server authentication with public keys
  • Logging and auditing using SMF records and Syslogd facilities

Secure File Transfer Protocol (SFTP)

  • Transparent, automatic FTP-SFTP conversion
  • Transparent FTP tunneling
  • Multi-terabyte file size support
  • Strong encryption of data
  • Strong packet-by-packet file integrity checking
  • SFTP and SCP command-line tools for interactive and unattended use
  • Secure against the quantum threat, with Quantum-Safe Algorithms

Mainframe security

  • Automatic transparent encryption of data-in-transit, including user ID and password
  • Hardware acceleration of cryptographic operations
  • Support for U.S. NIST FIPS 140-2 Certified hardware acceleration
  • Configurable re-keying policies
  • Multi-channel support - multiple secure sessions are multiplexed to a single TCP/IP connection
  • Compliance with the IETF Secure Shell standards

Remote access

  • Secure tunneling for TN3270 connections
  • Transparent tunneling for TN3270

Zero Trust access control

  • Role-based access control (RBAC) - grant and revoke access for multiple mainframe systems at once
  • Support for temporary access
  • Full audit trail with SIEM integration support
  • No passwords - no stolen or leaked passwords, no password rotation
  • Optional browser client for TN3270

Tectia SFTP special facilities for z/OS data transfer

Many special facilities are provided in Tectia SFTP to work natively with z/OS data in a simple and productive way that will be familiar to mainframe professionals. They include:

Filetype JES

Supports the submission of batch jobs to the JES (Job Entry Subsystem) reader and access to JES spooled output.

This allows Tectia SFTP to interact with the batch environment, a core part of mainframe business processes, both to trigger batch jobs and to work with job output.

Filetype IDCAMS

Supports the execution of IDCAMS commands and viewing the resulting output. IDCAMS is a utility to define and manipulate datasets, types of files used in z/OS, with special organizations and features to support batch and online processing.

Access to IDCAMS allows Tectia SFTP to perform operations on datasets beyond the Unix file/directory view for which that protocol was originally conceived.

Filetype PDS

Supports operations on Partitioned Datasets, a particular variety of datasets (both PDS and PDSE (extended)), much used in z/OS environments to store "members" containing source code, JCL (Job Control Language) "decks", executables, etc.

While Tectia z/OS SFTP has always supported basic access to PDS members, this facility extends this to support operations on whole PDSes with all or a set of their members, including creating and transferring their associated metadata. This gives Tectia SFTP the ability to work with these datasets in the way a z/OS software product is expected to operate, natively and with full functionality.

Filetype IEBCOPY

Supports the execution of IEBCOPY commands and viewing the resulting output. IEBCOPY is a utility for manipulating PDSes and PDSEs, copying, reorganizing, unloading, reloading, etc.

This facility allows Tectia SFTP to make use of IEBCOPY when transferring this kind of dataset. In particular, IEBCOPY is required for correctly transferring PDSE "program object, type 2" members, which contain proprietary metadata structures not divulged by IBM.

Filetype ADRDSSU

Supports the execution of ADRDSSU commands and viewing the resulting output. ADRDSSU is a utility for working with collections of datasets, especially for dumping and restoring datasets to/from a transportable format.

For datasets with sensitive internal structures, this is the most effective way to transfer them without corrupting that structure and rendering them useless. This facility allows Tectia SFTP to perform such dataset transfers in an integrated operation, more productively than via a series of manual processes.

Filetype DFSORT

Supports the execution of DFSORT commands and viewing the resulting output. DFSORT is a utility that sorts datasets, but it also has many other abilities, such as selecting, reformatting, or converting the contents of datasets, including VSAM.

This facility gives Tectia SFTP access to the individual records and fields of a dataset, essentially allowing ETL (Extract, Transform, Load) operations via selective file transfers.

DSNtype PIPE

Supports file transfer to and from Unix named pipes.

This facility allows Tectia SFTP to interact with Unix pipelines on z/OS, making the Unix shell, utilities, and programs available to perform transformations on the data stream dynamically.

Subsys Batchpipes

Supports file transfer to and from the Batchpipes subsystem. Batchpipes is a z/OS subsystem that allows pipe-like access to datasets, used to improve parallelism in batch processes by eliminating temporary datasets.

This facility allows Tectia SFTP to participate in such batch processes, introducing or extracting data for transfer.

Filetype QSAM

Supports QSAM (Queued Sequential Access Method) dataset IO. QSAM provides a simple API for record-based IO to sequential datasets, without any of the transformations performed by the C-runtime API normally used by Tectia SFTP. In some cases, these transformations introduce limitations, such as, for example, the inability to handle zero-length variable records or to open a dataset and wait for input.

This facility allows Tectia SFTP to overcome these limitations when necessary for constructing solutions.

Tectia for z/OS vs OpenSSH comparison

| Functionality | Purpose of function | Tectia for z/OS | OpenSSH |
|---|---|---|---|
| Socks Proxy | Allows users to use existing FTP JCLs with no or minimal changes. | Yes, FTP tunneling and FTP-SFTP conversion. | No |
| Post Quantum Cryptography | Post Quantum encryption for connections. | Yes | Not yet |
| Direct access to MVS datasets | Can access datasets without the need to manually move them from MVS to USS. | Yes | No, one needs to copy datasets to USS before sending them over. |
| Character set conversion | File transfers to non-z/OS platforms require EBCDIC to ASCII conversion to retain data in correct form. | Yes | Yes, but only when using OpenSSH client programs from z/OS. Remote, non-z/OS platforms do not have this functionality. Further, z/OS OpenSSH may not include proper line endings when connecting to Windows hosts. |
| Certificates | Allows certificate authentication. | X.509 certificates supported, and it is possible to store them in SAF key rings. | OpenSSH certificates cannot be stored in SAF key rings. |
| User key distribution | Distributing keys can be difficult when they are manually copied over to remote systems. | Can distribute user keys using the ssh-keydist-g3 and ssh-broker-ctl key-upload tools. | Not possible, need to manually copy keys to remote servers. |
| BPXBATCH JCLs | Can use JCLs to run binaries. | Yes | Yes |
| FTADV strings | Allows users to define what should happen during a file transfer. Useful when allocating datasets during transfers. | File transfer advisory strings can be used with Tectia client programs and against the Tectia Server with remote clients. | No |
| Access to native z/OS utilities and subsystems | Improves workflows and productivity, reduces JCL steps needed to achieve the same outcome. | Tectia can utilize IEBCOPY, IDCAMS, DFSORT and ADRDSSU. Can access JES and BATCHPIPES subsystems. | No |
| Connection monitoring | Allows one to monitor the connection state, for example the number of rekeys and the cipher, KEXs, and MACs used. | Tectia can view the socket AppData of incoming connections. | Not possible |
| WTO messaging | WTO (Write-to-operator) messages are useful for admins to view and monitor important information coming from applications. | Tectia server can issue WTO messages relating to errors and warnings. Further, it can show successful and failed transfer messages. | No |
| File-transfer retry | A failed file transfer is retried when part of the source file/dataset has been transferred to the target, and the transfer is required to be completed. | Retry functionality works for both USS and MVS datasets. The retry will resume the transfer from where it failed and not append to the file, retaining the transferred data. | OpenSSH has a similar feature using the reget/reput commands, but it is limited to USS Unix files. Further, OpenSSH reget/reput will append to the remote file and not find the failure point. This may cause corruption of the transferred data. |

 


Who is Tectia for?

 

Organizations that get the most out of Tectia SSH Server for IBM z/OS generally:

  • Need to comply with regulations, such as PCI-DSS or FIPS. For example, US Federal agencies, large financial institutions, credit card companies, retailers, insurance companies, etc.
  • Require massive file transfers
  • Need mainframe security controls to mitigate risk from unauthorized use
  • Need seamless transition from FTP to SFTP
  • Want to easily script file transfer flows for z/OS datasets in their native format without extensive pre- and post-processing effort

Learn more about Tectia customers

Tectia is trusted by some of the world's leading enterprises.


Try Tectia SSH Server for z/OS for free!

Download the trial to get started on your Tectia journey. Try it for free for 60 days!
