You need RemotePortRangeRef for port 21.
Port 21 is remote.
--
Donald J.
dona...@4email.net
On Fri, Mar 11, 2016, at 12:21 PM, Gibney, David Allen wrote:
> Actually, I do:
> TTLSRule ftp_client1
> {
> LocalPortRange 21
> Direction Outbound
> TTLSGroupActionRef ftp_grp_act
> TTLSEnvironmentActionRef ftp_client_env_act
> }
> TTLSGroupAction ftp_grp_act
> {
> TTLSEnabled On
> Trace 7
> GroupUserInstance 1
> }
> TTLSEnvironmentAction ftp_client_env_act
> {
> HandshakeRole Client
> TTLSKeyringParms
> {
> Keyring FTPClientRing
> }
> TTLSEnvironmentAdvancedParms
> {
> ApplicationControlled On
> SecondaryMap On
> }
> EnvironmentUserInstance 1
> }
>
> I'll have debug all in my next run.
>
> > -----Original Message-----
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> > On Behalf Of Donald J.
> > Sent: Friday, March 11, 2016 10:13 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: (External):Re: IBM secure z/OS software delivery: Don't get
> > locked
> > out!
> >
> > He is using TLSMECHANISM ATTLS. Yours uses TLSMECHANISM FTP (non-
> > Pagent).
> > He is getting the error because he has no PAGENT TTLSRule for Outbound Port
> > 21.
> > Suggest you turn on DEBUG ALL in your FTP.DATA file while debugging.
> >
> > It is working ok for me with TLSMECHANISM FTP.
> > I tried with ATTLS, but am getting a server error on the BINARY FTP
> > SUBCOMMAND.
> > Still looking in to that, but it is questionable if their FTPS server works
> > with
> > PAGENT ATTLS.
> > Can't imagine why they would install a server incompatible with PAGENT
> > though.
> >
> > >>> TYPE I
> > SC3261 getReply: entered
> > SC4327 getNextReply: entered with waitForData = TRUE
> > Connection with dispby-117.boulder.ibm.com terminated
> > SC4445 SETCEC code = 10
> > CZ1434 ftpClose: entered
> > SC4067 inSession: entered
> > SC4145 setLoggedIn: entered
> > CT0282 binary: getReply failed.
> > PC1047 logClientErrMsg: entered
> > PC0945 setClientRC: entered
> > SC4019 getLastReply: entered
> > PC1015 setClientRC: std_rc=06000, rc_type=CEE, rc=1006
> > SRECTIV3 FTP failed - Cmd = 6(binary) Reply = n/a EX CEE RC = 1006
> > SC4019 getLastReply: entered
> > CX0389 main: RC=-0001 cmd_in_progress=06
> > CX0392 main: last_reply= err=10
> > PC0945 setClientRC: entered
> > SC4019 getLastReply: entered
> > Std Return Code = 06000, Error Code = 00010
> > CZ1354 ftpQuit: entered
> > CZ1434 ftpClose: entered
> >
> > Their server also seems to require use of the CCC subcommand to clear the
> > command channel.
> > So if you are using SECURE_CTRLCONN PRIVATE instead of SECURE_CTRLCONN
> > CLEAR,
> > it might cause a problem also. There is a client parameter setting
> > ftpccc="no"
> > to make the server
> > quit using CCC, but that seems to cause a problem also.
> >
> > Use of KEYRING *AUTH*/* should be sufficient for the FTPS portion of the
> > job.
> >
> > The server web site also uses root certificate "GeoTrust Global CA" which
> > has
> > its share of
> > issues also. See:
> > https://urldefense.proofpoint.com/v2/url?u=http-
> > 3A__security.stackexchange.com_questions_53231_google-2Dcertificates-
> > 2Dcorrect-2Dca_53271-
> > 2353271&d=CwIFaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb-
> > Je7sw&r=u9g8rUevBoyCPAdo5sWE9w&m=aamFb_mypnk4GycjqtSii-YrY-c2-
> > IzeE0M17VgSPbY&s=Txk6MDp8o81j54Ojmpo1aZbHaoJxUawo1NHCS1JgDO0&e
> > =
> > Openssl s_client reports the server cert chain to be:
> > Certificate chain
> > 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES
> > CORPORATION/CN=deliverycb-bld.dhe.ibm.com
> > i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
> > 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
> > i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> > 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> > i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> > 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> > i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> >
> > --
> > Donald J.
> > dona...@4email.net
> >
> > On Thu, Mar 10, 2016, at 06:45 AM, Jousma, David wrote:
> > > I had to come up with some alternate FTP client parms to make it work.
> > Possibly the one you are getting stuck on is this. Change FtpSecur to
> > your
> > keyring name. this member happens to live in our SYS1.TCPPARMS dataset,
> > but
> > the member can be anywhere, just gotta point to wherever it lives in your
> > RECEIVE ORDER job.
> > > //CLIENT DD *
> > > <CLIENT
> > > javahome="/opt/fitb/java/Jre" classpath="/usr/lpp/smp/classes">
> > > <FTPOPTIONS>
> > > -v -f "//'SYS1.TCPPARMS(FTPSECUR)'"
> > > </FTPOPTIONS>
> > > </CLIENT>
> > > /*
> > >
> > > EDIT SYS1.TCPPARMS(FTPSECUR) - 01.01
> > > Columns 00001
> > 00080 .
> > > Command ===>
> > > Scroll ===> CSR .
> > > 000642 ;CIPHERSUITE SSL_AES_256_SHA ; 35
> > > .
> > > 000643
> > > .
> > > 000644 KEYRING FtpSecur ; Name of the keyring for TLS
> > > .
> > > 000645 ; It can be the name of an
> > > HFS .
> > > 000646 ; file (name starts with /)
> > > or .
> > > 000647 ; a resource name in the
> > > security .
> > > 000648 ; product (e.g., RACF)
> > > .
> > >
> > >
> > _________________________________________________________________
> > > Dave Jousma
> > > Assistant Vice President, Mainframe Engineering david.jou...@53.com
> > > 1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H p 616.653.8429 f
> > > 616.653.2717
> > >
> > > -----Original Message-----
> > > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> > > On Behalf Of Gibney, David Allen
> > > Sent: Wednesday, March 09, 2016 7:47 PM
> > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > Subject: Re: (External):Re: IBM secure z/OS software delivery: Don't get
> > > locked
> > out!
> > >
> > > Repeating the earlier msg.
> > > Ok, so I am trying to use ATTLS for FTPS.. My RECEIVEORDER log goes:
> > > > /bin/ftp -e deliverycb-bld.dhe.ibm.com
> > >
> > > Using 'GIBNEY.FTP.DATA' for local site configuration parameters.
> > > Using //'TCPIP.STANDARD.TCPXLBIN' for FTP translation tables for the
> > > control
> > con
> > > nection.
> > > Using //'TCPIP.STANDARD.TCPXLBIN' for FTP translation tables for the data
> > connec
> > > tion.
> > > IBM FTP CS V1R13
> > > FTP: using TCPIP
> > > FTP: EXIT has been set.
> > > Using catalog '/usr/lib/nls/msg/C/ftpdmsg.cat' for FTP messages.
> > > Connecting to: dispby-117.boulder.ibm.com 170.225.15.117 port: 21.
> > > 220-IBM's internal systems must only be used for conducting IBM's
> > > 220-business or for purposes authorized by IBM management.
> > > 220-
> > > 220-Use is subject to audit at any time by IBM management.
> > > 220-
> > > 220 dhebpcb01 secure FTP server ready.
> > > 15:19:59(000005BD.4) FC0255 ftpAuth: security values: mech=TLS,
> > tlsmech=ATTLS, s
> > > FTP=A, sCC=C, sDC=P
> > > 15:19:59(000005BD.4) FC2704 ftpAuthAttls: No AT-TLS policy matched
> > connection
> > > Authentication negotiation failed
> > > NAME (deliverycb-bld.dhe.ibm.com:GIBNEY):
> > >
> > > > S042242j
> > > >>> USER S042242j
> > >
> > > The Geotrust cert is in my keyring:
> > > RACDCERT ID(GIBNEY) listRING(FTPClientRing)
> > >
> > > Digital ring information for user GIBNEY:
> > >
> > > Ring:
> > > >FTPClientRing<
> > > Certificate Label Name Cert Owner USAGE DEFAULT
> > > -------------------------------- ------------ -------- -------
> > >
> > > GeoTrust Global CA CERTAUTH CERTAUTH NO
> > >
> > > > -----Original Message-----
> > > > From: IBM Mainframe Discussion List
> > > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Jesse 1 Robinson
> > > > Sent: Wednesday, March 09, 2016 4:38 PM
> > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > Subject: Re: (External):Re: IBM secure z/OS software delivery: Don't
> > > > get locked out!
> > > >
> > > >
> > > >
> > > > .
> > > > .
> > > > .
> > > > J.O.Skip Robinson
> > > > Southern California Edison Company
> > > > Electric Dragon Team Paddler
> > > > SHARE MVS Program Co-Manager
> > > > 323-715-0595 Mobile
> > > > 626-302-7535 Office
> > > > robin...@sce.com
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: IBM Mainframe Discussion List
> > > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Gibney, David Allen
> > > > Sent: Wednesday, March 09, 2016 2:46 PM
> > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > Subject: (External):Re: IBM secure z/OS software delivery: Don't get
> > > > locked
> > out!
> > > >
> > > > AS noted in my reply a day or so ago, I am successfully submitting
> > > > the RECIEVEORDER securely (at least I think I am, it fails when the
> > > > certificate
> > > > expires:)) But, then when it fires up FTPS to retrieve the package,
> > > > the TLS (or AT-
> > > > TLS) handshake fails.
> > > >
> > > > > -----Original Message-----
> > > > > From: IBM Mainframe Discussion List
> > > > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Kurt Quackenbush
> > > > > Sent: Wednesday, March 09, 2016 2:38 PM
> > > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > > Subject: Re: IBM secure z/OS software delivery: Don't get locked out!
> > > > >
> > > > > > ... I'm only mildly concerned about the keyring name, as we use
> > > > > > a totally different name associated with SMP/E, not with Java.
> > > > > > That keyring works fine today.
> > > > >
> > > > > If you're already downloading securely, then you can continue to
> > > > > use your same keyring. My example in the article was simply that,
> > > > > an example, which uses the default Java truststore instead of a
> > > > > security manager
> > > > (RACF) keyring:
> > > > >
> > > > > <CLIENT
> > > > > downloadmethod=”https”
> > > > > downloadkeyring=”javatruststore”
> > > > > javahome="/usr/lpp/java/J6.0"
> > > > > >
> > > > > </CLIENT>
> > > > >
> > > > > I call this the "Fast Path" because for someone that is not
> > > > > already downloading securely, then using HTTPS with the Java
> > > > > truststore is the quickest and simplest choice because you don't
> > > > > need to mess around with keyrings or a security manager product at
> > > > > all.
> > > > >
> > > > > If anyone is interested, more details can be found here:
> > > > > https://urldefense.proofpoint.com/v2/url?u=http-
> > > > > 3A__www.ibm.com_support_knowledgecenter_SSLTBW-
> > > > >
> > > >
> > 5F2.2.0_com.ibm.zos.v2r1.gim3000_dsetups.htm&d=CwIDaQ&c=C3yme8gMkx
> > > > > g_ihJNXS06ZyWk4EJm8LdrrvxQb-
> > > > >
> > > >
> > Je7sw&r=u9g8rUevBoyCPAdo5sWE9w&m=vkv4CpLe_hygd7rNmto_QCrcBflG_Y
> > > > > A6s0g2dvojUTE&s=K3EXMlACn-O47e9WLTyXIE2I_lbl-
> > 1mZlh3MS3oFSGo&e=
> > > > >
> > > > > Kurt Quackenbush -- IBM, SMP/E Development
> > > > >
> > > > > ------------------------------------------------------------------
> > > > > --
> > > > > -- For IBM-MAIN subscribe / signoff / archive access instructions,
> > > > > send email to lists...@listserv.ua.edu with the message: INFO
> > > > > IBM-MAIN
> > > >
> > > > --------------------------------------------------------------------
> > > > -- For IBM-MAIN subscribe / signoff / archive access instructions,
> > > > send email to lists...@listserv.ua.edu with the message: INFO
> > > > IBM-MAIN
> > > >
> > > > --------------------------------------------------------------------
> > > > -- For IBM-MAIN subscribe / signoff / archive access instructions,
> > > > send email to lists...@listserv.ua.edu with the message: INFO
> > > > IBM-MAIN
> > >
> > > ----------------------------------------------------------------------
> > > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> > >
> > > This e-mail transmission contains information that is confidential and
> > > may be
> > privileged. It is intended only for the addressee(s) named above. If you
> > receive
> > this e-mail in error, please do not read, copy or disseminate it in any
> > manner. If
> > you are not the intended recipient, any disclosure, copying, distribution
> > or use of
> > the contents of this information is prohibited. Please reply to the message
> > immediately by informing the sender that the message was misdirected. After
> > replying, please erase it from your computer system. Your assistance in
> > correcting this error is appreciated.
> > >
> > >
> > > ----------------------------------------------------------------------
> > > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> > --
> > https://urldefense.proofpoint.com/v2/url?u=http-
> > 3A__www.fastmail.com&d=CwIFaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8Ld
> > rrvxQb-Je7sw&r=u9g8rUevBoyCPAdo5sWE9w&m=aamFb_mypnk4GycjqtSii-YrY-
> > c2-IzeE0M17VgSPbY&s=xI6HFtbdhRVBZtt689xiCPVc6KzFJ0kpq0tP9k5SOrY&e= -
> > Access all of your messages and folders
> > wherever you are
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions, send email
> > to
> > lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
--
http://www.fastmail.com - A no graphics, no pop-ups email service
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
