I saw this same message before. We had a guy here that ran a TCP trace during the connection process, moved it to a Linux workstation and used TCPDUMP? on it. What he determined was the Windows server we were trying to connect to had a Check Point firewall and it actually was rewriting the first two bytes of the cert. There was a setting that had to change. I know you said no firewalls BUT is it possible that something else is doing this on the Linux server? A setting in VSFTP maybe? He left doc somewhere and if you're interested I'll dig it up.

On 5/7/2014 10:38 AM, Mark Pace wrote:
Trying to turn on some DEBUG information
DEBUG FLO

FC1003 authServer: secure_socket_init failed with rc = 410 (SSL message
format is incorrect)

So now to try to figure out where to find this error message.


On Wed, May 7, 2014 at 10:19 AM, Mark Pace <pacemainl...@gmail.com> wrote:

I remember setting up something very similar to connect to IBM. So I
added the GoDaddy cert to the same keyring.

sr cla(digtring)
IBMUSER.smpemaint
*IBMUSER.FtpSecur *
IBMUSER.IBMRing
IBMUSER.SecureFTPKeyRing
IBMUSER.SMPEMAINT
TN3270.TNRING
***



racdcert id(ibmuser) listring(*FtpSecur*)
Digital ring information for user IBMUSER:

   Ring:
        >FtpSecur<
   Certificate Label Name             Cert Owner     USAGE      DEFAULT
   --------------------------------   ------------   --------   -------
   GeoTrust Global CA                 CERTAUTH       CERTAUTH     NO
  * Go Daddy Class 2                   CERTAUTH       CERTAUTH     YES*


So I added to my ftp.data
KEYRING          IBMUSER/FtpSecur

But that still isn't the final answer

EZA2897I Authentication negotiation failed
EZA2898I Unable to successfully negotiate required authentication
EZA1735I Std Return Code = 10000, Error Code = 00017



On Wed, May 7, 2014 at 9:44 AM, Chase, John <jch...@ussco.com> wrote:

If you're authorized to issue RACF commands, try SR CLA(DIGTRING) to list
defined key rings (format is userid.ringname), then RACDCERT ID(userid)
LISTRING(ringname or *) to see the ring(s) contents.

Also ensure that the root cert you're interested in has TRUST status
(default is NOTRUST).

   -jc-

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
On Behalf Of Mark Pace
Sent: Wednesday, May 07, 2014 8:34 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OS FTPS Client & Linux FTP server

The cipher was one of my early problems.  But I figured that one out.
vsftpd -  ssl_ciphers=RC4-SHA
z/OS - CIPHERSUITE SSL_RC4_SHA

I'm certain that this Keyring is (part of) my problem. Stumbling through
RACF I have found that the GoDaddy Root CA is already defined in z/OS,
but still trying to determine if it is part of a keyring.



On Wed, May 7, 2014 at 8:57 AM, Donald J. <dona...@4email.net> wrote:

Make sure client and server have a common cipher.
SSL_AES_128_SHA and SSL_AES_256_SHA are probably more commonly used
than SSL_RC4_SHA.

Make sure the Linux root certificate is in your z/OS client keyring.

--
   Donald J.





----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send
email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN



--
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions
Mark D Pace
Senior Systems Engineer
Mainline Information Systems










--
Brian W. France
Systems Administrator (Mainframe)
Pennsylvania State University
Administrative Information Services - Infrastructure/SYSARC
Rm 25 Shields Bldg., University Park, Pa. 16802
814-863-4739
b...@psu.edu

"To make an apple pie from scratch, you must first invent the universe."

Carl Sagan
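
Added example (not part of the original thread): a Python check for the kind of in-transit damage described in the top reply, where the leading bytes of the server certificate were altered. It assumes a single unfragmented TLS 1.0-1.2 record carrying the Certificate handshake message has been extracted from a packet capture; the sample bytes are constructed, not a real certificate, and all function names are illustrative.

```python
import struct

def der_header_ok(cert):
    """True if cert opens with a DER SEQUENCE tag whose length covers the entry."""
    if len(cert) < 4 or cert[0] != 0x30:
        return False
    first = cert[1]
    if first < 0x80:                      # short-form length
        return 2 + first == len(cert)
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4:
        return False
    return 2 + n + int.from_bytes(cert[2:2 + n], "big") == len(cert)

def check_certificate_record(record):
    """Return findings for one TLS record expected to hold a Certificate message."""
    if len(record) < 5:
        return ["truncated: fewer than 5 header bytes"]
    ctype, major, _minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16 or major != 0x03:
        # For example an ASCII FTP reply where a TLS record was expected.
        return ["not a TLS handshake record: header " + record[:5].hex()]
    body = record[5:5 + length]
    if len(body) != length:
        return ["truncated record body"]
    findings, pos = [], 0
    while pos + 4 <= len(body):           # walk the handshake messages
        msg_type = body[pos]
        msg_len = int.from_bytes(body[pos + 1:pos + 4], "big")
        msg = body[pos + 4:pos + 4 + msg_len]
        pos += 4 + msg_len
        if msg_type != 11:                # 11 = Certificate
            continue
        cpos, idx = 3, 0                  # skip 3-byte certificate_list length
        while cpos + 3 <= len(msg):
            clen = int.from_bytes(msg[cpos:cpos + 3], "big")
            cert = msg[cpos + 3:cpos + 3 + clen]
            if not der_header_ok(cert):
                findings.append("certificate %d: bad DER header %s" % (idx, cert[:4].hex()))
            cpos, idx = cpos + 3 + clen, idx + 1
    return findings

def build_record(cert):
    """Wrap constructed bytes as a TLS 1.0 Certificate record (sample input only)."""
    entry = len(cert).to_bytes(3, "big") + cert
    msg = len(entry).to_bytes(3, "big") + entry
    hs = b"\x0b" + len(msg).to_bytes(3, "big") + msg
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

# Constructed placeholder: a valid DER SEQUENCE header over 300 zero bytes.
SAMPLE_CERT = b"\x30\x82\x01\x2c" + bytes(300)
```

An empty result means every certificate entry opens with a SEQUENCE tag and a length that matches the entry; comparing the same record captured on both sides of a suspected middlebox shows where the bytes changed.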
