What Michael is trying to tell you is that you're confusing "sFTP" and "FTPs"; 
these are two very different protocols which have nothing to do with each other 
(think Beta vs VHS).

sFTP is "ftp tunneled through the SSH interface" and runs on TCP/22.  Getting 
that functional is a conversation covered in the USS books; check out the SSH 
section.

FTPs is "plain old ftp, wrapped with digital certificates to make it secure" 
(think http vs https) and this is done via PAGENT.  Depending on how it's 
configured (e.g. insecure, implicit, explicit, passive) this can run on the 
following ports: TCP20, TCP21, TCP990 and a range of user-specified ports.  FYI, 
this complexity is why PAGENT has the "ApplicationControlled" parm.

z/OS supports both sFTP and FTPs.  Though, in z/OS, there are feature 
differences between them... 
Likewise, WinSCP supports both sFTP and FTPs, as do many other programs on 
Windows.

I would suggest picking one to work with (either sFTP or FTPs) and then ensure 
that z/OS and WinSCP use the one you selected.  If you're unclear on the 
differences you probably want FTPs due to its greater functionality (on z/OS).
Also, as Michael indicated, if you are trying to debug issues with FTPs (AT-TLS) 
you must turn up trace and read the logs.  There really is no other (practical) 
way to troubleshoot AT-TLS issues.
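As an added example (not from any poster in this thread, and not IBM Policy Agent code), a small Python linter for the TTLSConfig brace syntax quoted further down: it flags a TTLSRule whose LocalPortRange covers port 22 (the port-22-in-PAGENT mistake both replies point at) and any V3CipherSuites entry naming a NULL, 3DES or RC4 suite. The sample policy, the weak-suite markers and the simplified hand-written parser are all constructed here.

```python
# Constructed sample, modelled on the TTLSConfig.conf quoted in the thread.
SAMPLE_CONFIG = """
TTLSCipherParms ftp_server_ciphers
{
   V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
   V3CipherSuites TLS_RSA_WITH_NULL_SHA
}
TTLSRule ftp_server_rule
{
   LocalPortRange           21-22
   Direction                Inbound
   TTLSEnvironmentActionRef ftp_server_env
}
"""
WEAK_MARKERS = ("_NULL_", "3DES", "_RC4_")  # no encryption, or a broken cipher

def parse_blocks(text):
    """Map (type, name) -> [(key, value)] for each top-level block; statements in
    nested sub-blocks such as TTLSKeyringParms are skipped, nothing lints them."""
    blocks, current, depth = {}, [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if line == "{":
            depth += 1
        elif line == "}":
            depth -= 1
        elif line and depth == 0:  # block header, e.g. "TTLSRule ftp_server_rule"
            kind, _, name = line.partition(" ")
            current = blocks.setdefault((kind, name.strip()), [])
        elif line and depth == 1:  # "Keyword value" statement inside the block
            key, _, value = line.partition(" ")
            current.append((key, value.strip()))
    return blocks

def lint(text):
    """Return the list of findings; an empty list means the policy passed."""
    findings = []
    for (kind, name), stmts in parse_blocks(text).items():
        if kind == "TTLSRule":
            lo, _, hi = dict(stmts).get("LocalPortRange", "0").partition("-")
            if int(lo) <= 22 <= int(hi or lo):  # port 22 is SSHD's job, not AT-TLS's
                findings.append(f"{name}: LocalPortRange covers port 22 (SSH)")
        elif kind == "TTLSCipherParms":
            for key, val in stmts:
                if key == "V3CipherSuites" and any(m in val for m in WEAK_MARKERS):
                    findings.append(f"{name}: weak suite {val}")
    return findings
```

Running lint(SAMPLE_CONFIG) reports both the port-22 rule and the NULL suite; narrowing the rule to port 21 and dropping that suite yields an empty list.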


-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Michael Babcock
Sent: Wednesday, 2022 May-25 08:19
To: [email protected]
Subject: Re: AT-TLS & FTP troubles - cannot get very simple setup working


I don’t think you can use PAGENT for port 22 (not 100% sure on that).   If
using port 22 configure SSHD.

Did you set the trace parm in PAGENT to 255?   You will get much more info
in SYSLOG by doing that.

On Wed, May 25, 2022 at 10:05 AM Bob <[email protected]> wrote:

> That's one I have changed back and forth 21 ... 22 ... 21 .. 22 ... 21
> &22.  The config I started with had 21 in it, but the WinSCP references 22
> so I have been trying both ... without success.  I changed it back to 21
> now. Still fails.
>
> I just added an ftp configuration parameter of FTPLOGGING TRUE and received
> this message:
>
> EZYFS51I ID=FTPD100000 CONN   fails  Reason=3 Text=getpeername failed
>
> Now I'm trying to figure out what that is telling me.
>
> On Wed, May 25, 2022 at 8:46 AM Michael Babcock <[email protected]>
> wrote:
>
> > I can SSH into z/OS USS but I don’t use pagent for port 22.  You should
> > configure SSHD for that.   Remove port 22 from PAGENT.
> >
> > On Wed, May 25, 2022 at 8:46 AM Bob <[email protected]> wrote:
> >
> > > I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system
> > > and I don’t know why. I’m sure I am missing something very simple, but I
> > > have spent a lot of time over the last few weeks trying to figure it out
> > > and I cannot.  Note that ftp without encryption does work and I have
> > > nothing else using PAGENT or AT-TLS.
> > >
> > > I originally started with a configuration created by z/OSMF Network
> > > Configuration Assistant, but after numerous attempts to get it working I
> > > have pared it down to the very minimum configuration below.
> > >
> > > I’m not even sure what info to share.
> > >
> > > When I try to connect using WinSCP I just get this:
> > >
> > > d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2 testmvs
> > >
> > > Searching for host...
> > > Network error: Connection to "testmvs" refused.
> > > The server rejected SFTP connection, but it listens for FTP connections.
> > > Did you want to use FTP protocol instead of SFTP? Prefer using encryption.
> > >
> > > winscp>
> > >
> > > And the WinSCP log doesn’t show much more:
> > >
> > > Looking up host "testmvs" for SSH connection
> > > Connecting to 10.80.63.94 port 22
> > > Failed to connect to 10.80.63.94: Network error: Connection refused
> > >
> > > And here are the related configuration files.
> > >
> > > Here’s the pagent.conf:
> > >
> > > LogLevel   511
> > > TcpImage   TCPIP FLUSH
> > > TTLSConfig /etc/TTLSConfig.conf FLUSH
> > >
> > > And here is the TTLSConfig.conf:
> > >
> > > TTLSGroupAction       ftp_server_group
> > > {
> > >    TTLSEnabled On
> > >    Trace 30
> > > }
> > > TTLSEnvironmentAction ftp_server_env
> > > {
> > >    HandshakeRole      Server
> > >    TTLSCipherParmsRef ftp_server_ciphers
> > >    TTLSKeyringParms
> > >    {
> > >       Keyring mtskeyring
> > >    }
> > >    TTLSEnvironmentAdvancedParms
> > >    {
> > >       ApplicationControlled On
> > >       SecondaryMap          On
> > >       TLSv1.2               On
> > >       TLSv1.3               On
> > >    }
> > > }
> > > TTLSCipherParms       ftp_server_ciphers
> > > {
> > >    V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
> > >    V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
> > >    V3CipherSuites TLS_RSA_WITH_NULL_SHA
> > > }
> > > TTLSRule              ftp_server_rule
> > > {
> > >    LocalPortRange           21-22
> > >    Direction                Inbound
> > >    TTLSGroupActionRef       ftp_server_group
> > >    TTLSEnvironmentActionRef ftp_server_env
> > > }
> > >
> > > Here is a ‘netstat ttls group’ command:
> > >
> > > MVS TCP/IP NETSTAT CS V2R5       TCPIP Name: TCPIP           13:14:46
> > > TTLSGrpAction                             Group ID           Conns
> > > ----------------------------------------  -----------------  -----
> > > ftp_server_group                          00000003               0
> > >
> > > Does that Conns=0 mean anything?
> > >
> > > Let me know if there is some other info that might help.
> > >
> > > Thank you VERY MUCH for any suggestions you can offer.
> > >
> > > Bob Lamerand
> > >
> > > ----------------------------------------------------------------------
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to [email protected] with the message: INFO IBM-MAIN
> > >
> > --
> > Michael Babcock
> > OneMain Financial
> > z/OS Systems Programmer, Lead
> >
> >
>
>
--
Michael Babcock
OneMain Financial
z/OS Systems Programmer, Lead
