Set your trace to 255 in the policy, refresh PAGENT and check the Syslog. I suspect a ciphersuite issue.
On Wed, May 25, 2022 at 8:46 AM Bob <[email protected]> wrote:

> I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system and I don’t know why. I’m sure I am missing something very simple, but I have spent a lot of time over the last few weeks trying to figure it out and I cannot. Note that ftp without encryption does work and I have nothing else using PAGENT or AT-TLS.
>
> I originally started with a configuration created by z/OSMF Network Configuration Assistant, but after numerous attempts to get it working I have pared it down to the very minimum configuration below.
>
> I’m not even sure what info to share.
>
> When I try to connect using WinSCP I just get this:
>
> d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2 testmvs
> Searching for host...
> Network error: Connection to "testmvs" refused.
> The server rejected SFTP connection, but it listens for FTP connections.
> Did you want to use FTP protocol instead of SFTP? Prefer using encryption.
> winscp>
>
> And the WinSCP log doesn’t show much more:
>
> Looking up host "testmvs" for SSH connection
> Connecting to 10.80.63.94 port 22
> Failed to connect to 10.80.63.94: Network error: Connection refused
>
> And here are the related configuration files.
>
> Here’s the pagent.conf:
>
> LogLevel 511
> TcpImage TCPIP FLUSH
> TTLSConfig /etc/TTLSConfig.conf FLUSH
>
> And here is the TTLSConfig.conf:
>
> TTLSGroupAction ftp_server_group
> {
>   TTLSEnabled On
>   Trace 30
> }
> TTLSEnvironmentAction ftp_server_env
> {
>   HandshakeRole Server
>   TTLSCipherParmsRef ftp_server_ciphers
>   TTLSKeyringParms
>   {
>     Keyring mtskeyring
>   }
>   TTLSEnvironmentAdvancedParms
>   {
>     ApplicationControlled On
>     SecondaryMap On
>     TLSv1.2 On
>     TLSv1.3 On
>   }
> }
> TTLSCipherParms ftp_server_ciphers
> {
>   V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
>   V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
>   V3CipherSuites TLS_RSA_WITH_NULL_SHA
> }
> TTLSRule ftp_server_rule
> {
>   LocalPortRange 21-22
>   Direction Inbound
>   TTLSGroupActionRef ftp_server_group
>   TTLSEnvironmentActionRef ftp_server_env
> }
>
> Here is a ‘netstat ttls group’ command:
>
> MVS TCP/IP NETSTAT CS V2R5       TCPIP Name: TCPIP           13:14:46
> TTLSGrpAction                             Group ID           Conns
> ----------------------------------------  -----------------  -----
> ftp_server_group                          00000003               0
>
> Does that Conns=0 mean anything?
>
> Let me know if there is some other info that might help.
>
> Thank you VERY MUCH for any suggestions you can offer.
>
> Bob Lamerand
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN

--
Michael Babcock
OneMain Financial
z/OS Systems Programmer, Lead
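
Added example, not part of either message and not IBM's or the posters' code: a small Python check over the cipher and protocol statements of the TTLSConfig.conf quoted above, in line with the reply's suspicion of a ciphersuite issue. It assumes IANA-style suite names and a single cipher list, as in that policy; the function names and finding texts are this example's own.

```python
import re

# Constructed sample: cipher and protocol statements from the quoted TTLSConfig.conf.
POLICY = """\
TTLSEnvironmentAction ftp_server_env
{
  TTLSCipherParmsRef ftp_server_ciphers
  TTLSEnvironmentAdvancedParms
  {
    TLSv1.2 On
    TLSv1.3 On
  }
}
TTLSCipherParms ftp_server_ciphers
{
  V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_NULL_SHA
}
"""

# Suites defined for TLS 1.3 in RFC 8446; a TLS 1.3 handshake can use no others.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
                "TLS_AES_128_CCM_8_SHA256"}

def parse_policy(text):
    """Return (listed cipher suite names, protocol versions set to On)."""
    suites = re.findall(r"^[ \t]*V3CipherSuites[ \t]+(\S+)", text, re.M)
    versions = re.findall(r"^[ \t]*((?:TLS|SSL)v[\d.]+)[ \t]+On\b", text, re.M)
    return suites, versions

def audit(text):
    """Flag weak suites and enabled protocol versions with no usable suite."""
    suites, versions = parse_policy(text)
    findings = []
    for s in suites:
        if "_WITH_NULL_" in s:
            findings.append(f"{s}: integrity only, traffic is not encrypted")
        elif "_3DES_" in s:
            findings.append(f"{s}: 64-bit block cipher, deprecated")
    if "TLSv1.3" in versions and not TLS13_SUITES & set(suites):
        findings.append("TLSv1.3 On but no TLS 1.3 cipher suite is listed")
    return findings

if __name__ == "__main__":
    for finding in audit(POLICY):
        print(finding)
```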
