Hi Steve.
I've found the SSL trace information written into a USS file to be somewhat
easier to use. You can turn on GSK_TRACE flags and specify a trace file using
STDENV similar to the example below IF you specify the
PARM=('ENVAR("_CEE_ENVFILE_S=DD:STDENV") (the _S is crucial or the DD * input
won't work):
//FTPS EXEC PGM=FTP,REGION=4M,
// PARM=('ENVAR("_CEE_ENVFILE_S=DD:STDENV")/ftp.linuxsite.com 21 -e')
//STDENV DD *
GSK_PROTOCOL_TLSV1_2=ON
GSK_TRACE=0xFFFF
GSK_TRACE_FILE=/tmp/gskfile.trc
//*
//SYSFTPD DD *,SYMBOLS=(JCLONLY)
CLIENTERRCODES EXTENDED
EPSV4 TRUE
EXTENSIONS AUTH_TLS
FWFRIENDLY TRUE
KEYRING &KEYOWNR/&KEYRING
PASSIVEIGNOREADDR TRUE
SECUREIMPLICITZOS FALSE
SECURE_FTP REQUIRED
SECURE_MECHANISM TLS
SECURE_DATACONN PRIVATE
SECURE_CTRLCONN PRIVATE
SECURE_HOSTNAME REQUIRED
TLSMECHANISM FTP
TLSRFCLEVEL RFC4217
//* TRACE
//* DEBUG SEC
//* You can also add other debugging or trace options to SYSFTPD
//OUTPUT DD SYSOUT=*
//INPUT DD *,SYMBOLS=(JCLONLY)
ftpuid
ftppwd
etc
QUIT
//*
The above step doesn't require AT-TLS changes or changes to your FTPDATA
datasets, but I don't think the changes you've already made there will prevent
you from specifying the GSK options via STDENV.
With the GSK_TRACE flags set, the SSL information will be written to the file
you specify in GSK_TRACE_FILE. There is a USS utility named gsktrace that you
will need to read the trace file and interpret it into something you can read.
The format is gsktrace gskfile.trc > gsk.out
The gsktrace output will be pretty detailed, but you can usually find an error
of some kind.
These manuals, especially the first one, will probably help:
SC14-7495-30 Cryptographic Services System Secure Sockets Layer Programming
SC27-3651-30 IP Configuration Reference
GC27-3652-30 IP Diagnosis Guide
Wendell
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN