I had to come up with some alternate FTP client parms to make it work.
Possibly the one you are getting stuck on is this. Change FtpSecur to your
keyring name. This member happens to live in our SYS1.TCPPARMS dataset, but
the member can be anywhere, just gotta point to wherever it lives in your
RECEIVE ORDER job.

//CLIENT  DD  *                                                            
  <CLIENT                                                                  
    javahome="/opt/fitb/java/Jre" classpath="/usr/lpp/smp/classes">        
    <FTPOPTIONS>                                                           
       -v -f "//'SYS1.TCPPARMS(FTPSECUR)'"                                 
    </FTPOPTIONS>                                                          
  </CLIENT>                                                                
/*                                                                         

EDIT       SYS1.TCPPARMS(FTPSECUR) - 01.01              Columns 00001 00080
Command ===>                                               Scroll ===> CSR
000642 ;CIPHERSUITE       SSL_AES_256_SHA   ; 35
000643
000644  KEYRING           FtpSecur          ; Name of the keyring for TLS
000645                                      ; It can be the name of an HFS
000646                                      ; file (name starts with /) or
000647                                      ; a resource name in the security
000648                                      ; product (e.g., RACF)

_________________________________________________________________
Dave Jousma
Assistant Vice President, Mainframe Engineering
[email protected]
1830 East Paris, Grand Rapids, MI  49546 MD RSCB2H
p 616.653.8429
f 616.653.2717

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf 
Of Gibney, David Allen
Sent: Wednesday, March 09, 2016 7:47 PM
To: [email protected]
Subject: Re: (External):Re: IBM secure z/OS software delivery: Don't get locked 
out!

Repeating the earlier msg.
Ok, so I am trying to use ATTLS for FTPS. My RECEIVEORDER log goes:
> /bin/ftp -e deliverycb-bld.dhe.ibm.com                          
                                                                   
 Using 'GIBNEY.FTP.DATA' for local site configuration parameters.  
Using //'TCPIP.STANDARD.TCPXLBIN' for FTP translation tables for the control connection.
Using //'TCPIP.STANDARD.TCPXLBIN' for FTP translation tables for the data connection.
IBM FTP CS V1R13                                                                
FTP: using TCPIP                                                                
FTP: EXIT has been set.                                                         
Using catalog '/usr/lib/nls/msg/C/ftpdmsg.cat' for FTP messages.                
Connecting to: dispby-117.boulder.ibm.com 170.225.15.117 port: 21.              
220-IBM's internal systems must only be used for conducting IBM's               
220-business or for purposes authorized by IBM management.                      
220-                                                                            
220-Use is subject to audit at any time by IBM management.                      
220-                                                                            
220 dhebpcb01 secure FTP server ready.                                          
15:19:59(000005BD.4) FC0255 ftpAuth: security values: mech=TLS, tlsmech=ATTLS, sFTP=A, sCC=C, sDC=P
15:19:59(000005BD.4) FC2704 ftpAuthAttls: No AT-TLS policy matched connection
Authentication negotiation failed                                            
NAME (deliverycb-bld.dhe.ibm.com:GIBNEY):                                    
                                                                             
> S042242j                                                                   
>>> USER S042242j       

The Geotrust cert is in my keyring:
RACDCERT ID(GIBNEY) listRING(FTPClientRing)                          
                                                                      
Digital ring information for user GIBNEY:                             
                                                                      
  Ring:                                                               
       >FTPClientRing<                                                
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
                                                                  
GeoTrust Global CA                 CERTAUTH       CERTAUTH     NO
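
Added example (not part of the original posts): a small Python triage of the FTP client trace quoted above. It pulls the security values from the FC0255 line and flags the two things visible in this log: tlsmech=ATTLS with no matching AT-TLS policy, and a USER command still being sent after the negotiation failed. Function names are hypothetical, and the sample is the posted trace, abridged and with wrapped lines rejoined.

```python
import re

# Constructed sample: the trace from the post, abridged, wrapped lines rejoined.
SAMPLE_TRACE = """\
Connecting to: dispby-117.boulder.ibm.com 170.225.15.117 port: 21.
220 dhebpcb01 secure FTP server ready.
15:19:59(000005BD.4) FC0255 ftpAuth: security values: mech=TLS, tlsmech=ATTLS, sFTP=A, sCC=C, sDC=P
15:19:59(000005BD.4) FC2704 ftpAuthAttls: No AT-TLS policy matched connection
Authentication negotiation failed
NAME (deliverycb-bld.dhe.ibm.com:GIBNEY):
>>> USER S042242j
"""

SECVALS = re.compile(r"FC0255 ftpAuth: security values: (.*)")


def parse_security_values(trace):
    """Return the key=value pairs from the FC0255 line, or {} if absent."""
    m = SECVALS.search(trace)
    if not m:
        return {}
    pairs = (p.strip().split("=", 1) for p in m.group(1).split(",") if "=" in p)
    return dict(pairs)


def triage(trace):
    """Return a list of findings for one FTP client session trace."""
    findings = []
    vals = parse_security_values(trace)
    lines = trace.splitlines()
    no_policy = any("FC2704" in l and "No AT-TLS policy matched" in l for l in lines)
    if vals.get("tlsmech") == "ATTLS" and no_policy:
        findings.append("tlsmech=ATTLS but no AT-TLS policy matched the connection")
    # Find the failed negotiation, then look for a login command sent after it.
    failed_at = next((i for i, l in enumerate(lines)
                      if "Authentication negotiation failed" in l), None)
    if failed_at is not None:
        for l in lines[failed_at + 1:]:
            if re.match(r">>> (USER|PASS)\b", l):
                findings.append("login command sent after TLS negotiation failed: "
                                + l.split()[1])
                break
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_TRACE):
        print("FINDING:", finding)
```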

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] 
> On Behalf Of Jesse 1 Robinson
> Sent: Wednesday, March 09, 2016 4:38 PM
> To: [email protected]
> Subject: Re: (External):Re: IBM secure z/OS software delivery: Don't 
> get locked out!
> 
> 
> 
> .
> .
> .
> J.O.Skip Robinson
> Southern California Edison Company
> Electric Dragon Team Paddler
> SHARE MVS Program Co-Manager
> 323-715-0595 Mobile
> 626-302-7535 Office
> [email protected]
> 
> 
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] 
> On Behalf Of Gibney, David Allen
> Sent: Wednesday, March 09, 2016 2:46 PM
> To: [email protected]
> Subject: (External):Re: IBM secure z/OS software delivery: Don't get locked 
> out!
> 
> As noted in my reply a day or so ago, I am successfully submitting the
> RECEIVEORDER securely (at least I think I am, it fails when the certificate
> expires:)) But, then when it fires up FTPS to retrieve the package, the TLS
> (or AT-TLS) handshake fails.
> 
> > -----Original Message-----
> > From: IBM Mainframe Discussion List 
> > [mailto:[email protected]] On Behalf Of Kurt Quackenbush
> > Sent: Wednesday, March 09, 2016 2:38 PM
> > To: [email protected]
> > Subject: Re: IBM secure z/OS software delivery: Don't get locked out!
> >
> > > ... I'm only mildly concerned about the keyring name, as we use a 
> > > totally different name associated with SMP/E, not with Java. That 
> > > keyring works fine today.
> >
> > If you're already downloading securely, then you can continue to use
> > your same keyring.  My example in the article was simply that, an
> > example, which uses the default Java truststore instead of a
> > security manager (RACF) keyring:
> >
> > <CLIENT
> >    downloadmethod="https"
> >    downloadkeyring="javatruststore"
> >    javahome="/usr/lpp/java/J6.0"
> >    >
> > </CLIENT>
> >
> > I call this the "Fast Path" because for someone that is not already 
> > downloading securely, then using HTTPS with the Java truststore is 
> > the quickest and simplest choice because you don't need to mess 
> > around with keyrings or a security manager product at all.
> >
> > If anyone is interested, more details can be found here:
> > https://urldefense.proofpoint.com/v2/url?u=http-3A__www.ibm.com_support_knowledgecenter_SSLTBW-5F2.2.0_com.ibm.zos.v2r1.gim3000_dsetups.htm&d=CwIDaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb-Je7sw&r=u9g8rUevBoyCPAdo5sWE9w&m=vkv4CpLe_hygd7rNmto_QCrcBflG_YA6s0g2dvojUTE&s=K3EXMlACn-O47e9WLTyXIE2I_lbl-1mZlh3MS3oFSGo&e=
> >
> > Kurt Quackenbush -- IBM, SMP/E Development
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to [email protected] with the message: INFO IBM-MAIN
> 