Re: SFTP on z/OS

2017-02-08 Thread Kirk Wolf
Starting with IBM Ported Tools OpenSSH 1.3, or z/OS OpenSSH 2.2, you need
to have ICSF running for /dev/random support.   A crypto card is not
required.  This is because later versions of OpenSSH wisely do not support
"ssh rand helper" any longer.

But all that use OpenSSH on z/OS should run ICSF with CPACF, since it will
save you a bunch of CPU cycles.

See one of the z/OS OpenSSH "Quick Install" Guides here (depending on your
version):
http://dovetail.com/docs/coz/coz_index.html


Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Mon, Feb 6, 2017 at 8:05 AM, John McKown 
wrote:

> On Sat, Feb 4, 2017 at 3:15 PM, scott Ford  wrote:
>
> > Guys:
> >
> > I have an SSH question, we don't have an ICSF, do I need one to do SSH? We
> > want to do scp from Windows to
> > z/OS. I was stepping thru the ICSF stc doc and read about 'head
> > 'dev/random' and it's not working returning an error
> >
>
> I am running SSH on z/OS 1.12 without having ICSF running. It is a bit
> more CPU intensive. In this case, the "/dev/random" device does not work,
> but SSH basically doesn't use it in this case. At least, that has been my
> experience.
>
>
>
> >
> > Scott
> >
> >
>
> --
> Our calculus classes are an integral part of your education.
>
> Maranatha! <><
> John McKown
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



Re: SFTP on z/OS

2017-02-08 Thread Jack J. Woehr

venkat kulkarni wrote:

> MBR of a physical file


And this is bin mode?

--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan



Re: RES: SFTP on z/OS

2017-02-08 Thread John McKown
On Wed, Feb 8, 2017 at 12:35 PM, saurabh khandelwal <
sourabhkhandelwal...@gmail.com> wrote:

> But is there any way to resolve this issue without any third party product.
>

When I do a batch transfer using sftp, I make sure that the SSH
certificate used on the z/OS side does not have a "passphrase". I think
that is why it is complaining about /dev/tty not existing. My JCL looks
like:

//PS001   EXEC PGM=BPXBATCH,REGION=0M,
// PARM='SH echo "quit" | sftp -v rsid@${LINUX}'
//STDOUT DD SYSOUT=*
//STDERR DD SYSOUT=*
//STDIN DD PATH='/dev/null',
// PATHOPTS=(ORDONLY)
//STDENV DD *
/*

Of course, this can be a very bad security gap. I avoid this by having the
id on the remote side be "special purpose" so that it can't do much of
anything. That is, it has a unique GID all of its own.



>
> On Jan 31, 2017 3:33 PM, "Carlos Bodra - Pessoal" 
> wrote:
>
> > Check MDI product at luminex.com for fast and secure SFTP or FTP
> >
> > Carlos Bodra
> > IBM System Certified System z
> > São Paulo - Brazil
> >
> > -Mensagem original-
> > De: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] Em
> > nome de venkat kulkarni
> > Enviada em: domingo, 29 de janeiro de 2017 14:38
> > Para: IBM-MAIN@LISTSERV.UA.EDU
> > Assunto: SFTP on z/OS
> >
> > Hello Group,
> >
> >
> >
> > We tested SFTP on our test z/OS system to Test AIX box and we are able to
> > transfer data between these host. But now, I am trying in production
> system
> > with below detail.
> >
> >
> >
> > 1) Our aim is to convert all our FTP jobs into SFTP.
> >
> > 2) We are using $universe as scheduler for submitting these FTP jobs on
> > time to time.
> >
> > 3) We using user called "STCSYS" all these jobs.
> >
> > 4) But in FTP jobs, for every other host ( Ex AIX1, AIX2,AIX3 etc) we are
> > using different user id password to login to target host and then start
> FTP
> > process.
> >
> > 5) But in SFTP, it create TSO env using IKJEFT01 program and then run
> SFTP
> > commands to transfer files between systems.
> >
> >
> >
> > Example of SFTP Job, we using
> >
> >
> >
> >
> >
> > //SFTPSFT JOB (7330),MSGCLASS=X,MSGLEVEL=(1,1),CLASS=P,
> >
> > //  NOTIFY=&SYSUID
> >
> > //STEP1   EXEC PGM=IKJEFT01,REGION=0M
> >
> > //SYSEXEC  DD   DISP=SHR,DSN=SYS1.SBPXEXEC
> >
> > //SYSTSIN   DD DSN=SFTPSFT.TEST.JCL(FTPTST1),DISP=SHR
> >
> > //OUTPUT DD SYSOUT=*
> >
> > //SYSTSPRT DD SYSOUT=*
> >
> > /*
> >
> >
> >
> > EDIT   SFTPSFT.TEST.JCL(FTPTST1) - 01.02
> >
> > Command ===>
> >
> > ** * Top of Data 
> >
> > 000800 OPUT 'SFTPSFT.SFTP.TEST(SFTP1)'  '/u/SFTPSFT/vp12'
> >
> > 000900 OSHELL { echo 'lcd /u/stcsys' ; +
> >
> > 001000  echo 'ascii'; +
> >
> > 001100  echo 'cd /home/ftp4rpt/';  +
> >
> > 001200  echo 'mput test.txt'; } | +
> >
> > 001300sftp -v ftprpt@10.22.22.220
> >
> > 001400 /*
> >
> >
> >
> >
> >
> > So, now I have stcsys user id created on mainframe with all
> >
> >
> >
> > # cd .ssh
> >
> > # ls -al
> >
> > total 96
> >
> > drwx--   2 MEAS OMVSGRP 8192 Jan 24 08:23 .
> >
> > drwxr-xr-x   3 MEAS OMVSGRP 8192 Jan 24 08:22 ..
> >
> > -rw---   1 MEAS OMVSGRP  791 Jan 24 08:36 authorized_keys
> >
> > -rw---   1 MEAS OMVSGRP 1675 Jan 24 08:23 id_rsa
> >
> > -rw-r--r--   1 MEAS OMVSGRP  396 Jan 24 08:25 id_rsa.pub
> >
> > -rw-r--r--   1 MEAS OMVSGRP  697 Jan 29 10:26 known_hosts
> >
> > # pwd
> >
> > /u/stcsys/.ssh
> >
> >
> >
> >
> > and in AIX1 side, I have ftprpt user defined and
> >
> >
> >
> > $ cd /home/ftprpt /.ssh
> >
> > $ ls -al
> >
> > total 48
> >
> > drwx--2 ftprpt staff   256 Jan 13 15:37 .
> >
> > drwxr-xr-x3 ftprpt staff  4096 Jan 15 12:15 ..
> >
> > -rw-r--r--1 ftprptstaff   791 Jan 15 12:12
> authorized_keys
> >
> > -rw-r--r--1 ftprpt staff   395 Jan 13 15:37
> > authorized_keys.old
> >
> > -rw---1 ftprpt staff  1675 Dec 11 14:25 id_rsa
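
The trade-off described in the message above, as an added example that is not part of the original post: a Python sketch that inventories a `.ssh` directory for private keys stored without a passphrase and for group/other access bits on key files. The file names, the sample directory and the finding texts are constructed for illustration, and it assumes ASCII key files.

```python
import base64
import os
import shutil
import stat
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\0"


def private_key_is_encrypted(text):
    """Return True/False for a PEM-armoured private key, None for anything else."""
    lines = text.strip().splitlines()
    if len(lines) < 3 or not (lines[0].startswith("-----BEGIN ")
                              and lines[0].endswith("PRIVATE KEY-----")):
        return None
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # Newer OpenSSH container: magic string, then the cipher name as a
        # length-prefixed field; "none" means the key is stored in the clear.
        try:
            body = base64.b64decode("".join(lines[1:-1]))
        except ValueError:
            return None
        start = len(OPENSSH_MAGIC) + 4
        if not body.startswith(OPENSSH_MAGIC) or len(body) < start:
            return None
        (length,) = struct.unpack(">I", body[start - 4:start])
        return body[start:start + length] != b"none"
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 encrypted form
    # Traditional PEM ("BEGIN RSA PRIVATE KEY"): encryption is announced in a header.
    return any(line.startswith("Proc-Type: 4,ENCRYPTED") for line in lines[1:3])


def audit_ssh_dir(path):
    """Return (filename, finding) pairs for one .ssh directory, sorted by file name."""
    findings = []
    if stat.S_IMODE(os.stat(path).st_mode) & 0o022:
        findings.append((".", "directory writable by group or others"))
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        mode = stat.S_IMODE(os.stat(full).st_mode)
        with open(full, encoding="ascii", errors="replace") as handle:
            encrypted = private_key_is_encrypted(handle.read())
        if encrypted is None:
            if name == "authorized_keys" and mode & 0o022:
                findings.append((name, "writable by group or others"))
            continue
        if mode & 0o077:
            findings.append((name, "private key accessible to group or others"))
        if not encrypted:
            findings.append((name, "private key has no passphrase"))
    return findings


def build_sample_dir():
    """Constructed sample: a temporary directory of placeholder files, no real keys."""
    def pem(label, body, headers=""):
        return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, headers, body, label)

    filler = base64.b64encode(b"placeholder, not key material").decode()
    clear_v1 = base64.b64encode(OPENSSH_MAGIC + struct.pack(">I", 4) + b"none").decode()
    files = {
        "id_rsa": (0o600, pem("RSA PRIVATE KEY", filler)),
        "id_batch": (0o644, pem("OPENSSH PRIVATE KEY", clear_v1)),
        "id_admin": (0o600, pem("RSA PRIVATE KEY", filler,
                                "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\n")),
        "authorized_keys": (0o664, "ssh-rsa %s constructed\n" % filler),
    }
    root = tempfile.mkdtemp()
    for name, (mode, text) in files.items():
        target = os.path.join(root, name)
        with open(target, "w") as handle:
            handle.write(text)
        os.chmod(target, mode)
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    for name, finding in audit_ssh_dir(sample):
        print("%-16s %s" % (name, finding))
    shutil.rmtree(sample)
```

A key reported as having no passphrase is expected for a batch id; the list is the inventory of ids whose remote accounts need the kind of restriction the message describes.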

Re: RES: SFTP on z/OS

2017-02-08 Thread saurabh khandelwal
But is there any way to resolve this issue without any third party product.

On Jan 31, 2017 3:33 PM, "Carlos Bodra - Pessoal" 
wrote:

> Check MDI product at luminex.com for fast and secure SFTP or FTP
>
> Carlos Bodra
> IBM System Certified System z
> São Paulo - Brazil
>
> -Mensagem original-
> De: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] Em
> nome de venkat kulkarni
> Enviada em: domingo, 29 de janeiro de 2017 14:38
> Para: IBM-MAIN@LISTSERV.UA.EDU
> Assunto: SFTP on z/OS
>
> Hello Group,
>
>
>
> We tested SFTP on our test z/OS system to Test AIX box and we are able to
> transfer data between these host. But now, I am trying in production system
> with below detail.
>
>
>
> 1) Our aim is to convert all our FTP jobs into SFTP.
>
> 2) We are using $universe as scheduler for submitting these FTP jobs on
> time to time.
>
> 3) We using user called "STCSYS" all these jobs.
>
> 4) But in FTP jobs, for every other host ( Ex AIX1, AIX2,AIX3 etc) we are
> using different user id password to login to target host and then start FTP
> process.
>
> 5) But in SFTP, it create TSO env using IKJEFT01 program and then run SFTP
> commands to transfer files between systems.
>
>
>
> Example of SFTP Job, we using
>
>
>
>
>
> //SFTPSFT JOB (7330),MSGCLASS=X,MSGLEVEL=(1,1),CLASS=P,
>
> //  NOTIFY=&SYSUID
>
> //STEP1   EXEC PGM=IKJEFT01,REGION=0M
>
> //SYSEXEC  DD   DISP=SHR,DSN=SYS1.SBPXEXEC
>
> //SYSTSIN   DD DSN=SFTPSFT.TEST.JCL(FTPTST1),DISP=SHR
>
> //OUTPUT DD SYSOUT=*
>
> //SYSTSPRT DD SYSOUT=*
>
> /*
>
>
>
> EDIT   SFTPSFT.TEST.JCL(FTPTST1) - 01.02
>
> Command ===>
>
> ** * Top of Data 
>
> 000800 OPUT 'SFTPSFT.SFTP.TEST(SFTP1)'  '/u/SFTPSFT/vp12'
>
> 000900 OSHELL { echo 'lcd /u/stcsys' ; +
>
> 001000  echo 'ascii'; +
>
> 001100  echo 'cd /home/ftp4rpt/';  +
>
> 001200  echo 'mput test.txt'; } | +
>
> 001300sftp -v ftprpt@10.22.22.220
>
> 001400 /*
>
>
>
>
>
> So, now I have stcsys user id created on mainframe with all
>
>
>
> # cd .ssh
>
> # ls -al
>
> total 96
>
> drwx--   2 MEAS OMVSGRP 8192 Jan 24 08:23 .
>
> drwxr-xr-x   3 MEAS OMVSGRP 8192 Jan 24 08:22 ..
>
> -rw---   1 MEAS OMVSGRP  791 Jan 24 08:36 authorized_keys
>
> -rw---   1 MEAS OMVSGRP 1675 Jan 24 08:23 id_rsa
>
> -rw-r--r--   1 MEAS OMVSGRP  396 Jan 24 08:25 id_rsa.pub
>
> -rw-r--r--   1 MEAS OMVSGRP  697 Jan 29 10:26 known_hosts
>
> # pwd
>
> /u/stcsys/.ssh
>
>
>
>
> and in AIX1 side, I have ftprpt user defined and
>
>
>
> $ cd /home/ftprpt /.ssh
>
> $ ls -al
>
> total 48
>
> drwx--2 ftprpt staff   256 Jan 13 15:37 .
>
> drwxr-xr-x3 ftprpt staff  4096 Jan 15 12:15 ..
>
> -rw-r--r--1 ftprptstaff   791 Jan 15 12:12 authorized_keys
>
> -rw-r--r--1 ftprpt staff   395 Jan 13 15:37
> authorized_keys.old
>
> -rw---1 ftprpt staff  1675 Dec 11 14:25 id_rsa
>
> -rw-r--r--1 ftprpt staff   394 Dec 11 14:25 id_rsa.pub
>
> -rw-r--r--1 ftprpt staff   352 Jan 15 10:31 known_hosts
>
> $
>
>
>
>
>
>
>
> and we exchanged rsa.pub key in authorized_keys file and exchanged
> ECDSA.pub key in  known_hosts file but while running Job, I am getting
> below issue.
>
>
>
> OpenSSH_6.4, OpenSSL 1.0.1c 10 May 2012
>
>
> debug1: Reading configuration data /etc/ssh/ssh_config
>
>
> debug1: Reading configuration data /etc/ssh/zos_ssh_config
>
>
> debug1: zsshSmfSetConnSmfStatus: SMF status is 0
>
>
> debug1: Connecting to 10.22.22.220 Ý10.22.22.220¨ port 22.
>
>
> debug1: Connection established.
>
>
> debug1: cipher_init: none from source OpenSSL
>
>
> debug1: cipher_init: none from source OpenSSL
>
>
> debug1: permanently_set_uid: 0/1000
>
>
> debug1: identity file /u/stcsys/.ssh/id_rsa type 1
>
>
> debug1: identity file /u/stcsys/.ssh/id_rsa-cert type -1
>
>
> debug1: Enabling compatibility mode for protocol 2.0
>
>
> debug1: Local version string SSH-2.0-OpenSSH_6.4
>
>
> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0
>
>
> debug1: match: OpenSSH_6.0 pat OpenSSH*
>
>
> FOTS1061 key_read: uudecode E2VjZHNhLXNoYTItbmlzdHAyNTYIbm
> lzdHAyNTYAAAB
>
>  failed
>
>
> debug1: SSH2

Re: SFTP on z/OS

2017-02-08 Thread venkat kulkarni
MBR of a physical file

On Feb 8, 2017 8:27 PM, "Jack J. Woehr"  wrote:

> venkat kulkarni wrote:
>
>> But when I try to sftp file from as400 to mainframe, data file
>> getting truncated. T
>>
>
> What kind of a file is it? a MBR of a Physical File? a text file from the
> IFS?
>
> --
> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the
> universe
> www.softwoehr.com # with a fine understanding of human fallibility. -
> Carl Sagan
>
>



Re: SFTP on z/OS

2017-02-08 Thread Jack J. Woehr

venkat kulkarni wrote:

> But when I try to sftp file from as400 to mainframe, data file
> getting truncated. T


What kind of a file is it? a MBR of a Physical File? a text file from the IFS?

--
Jack J. Woehr # Science is more than a body of knowledge. It's a way of
www.well.com/~jax # thinking, a way of skeptically interrogating the universe
www.softwoehr.com # with a fine understanding of human fallibility. - Carl Sagan



Re: SFTP on z/OS

2017-02-08 Thread Allan Staller
Most likely transfer options. You have "proved" sftp works, so this issue is 
probably unique to the specific transfer.


> Almost all issues are resolved for transferring files using sftp, but now we
> have got a requirement to receive a file from as400 to mainframe using sftp.
> But when I try to sftp the file from as400 to mainframe, the data file is
> getting truncated. To isolate this issue I even tried checking the file in
> omvs before coming to dataset level, but in omvs also the file is truncated.
> Please suggest.





Re: SFTP on z/OS

2017-02-07 Thread venkat kulkarni
Almost all issues are resolved for transferring files using sftp, but now we
have got a requirement to receive a file from as400 to mainframe using
sftp. But when I try to sftp the file from as400 to mainframe, the data file
is getting truncated. To isolate this issue I even tried checking the file in
omvs before coming to dataset level, but in omvs also the file is truncated.
Please suggest.

Thanks for all help so far.

On Feb 8, 2017 02:44, "David Crayford"  wrote:

> On 8/02/2017 5:35 AM, Ed Jaffe wrote:
>
>> On 1/30/2017 7:29 AM, David Crayford wrote:
>>
>>> On 30/01/2017 10:57 PM, Nims,Alva John (Al) wrote:
>>>
>>>> I take exception to David's comment, because my shop is an exception.
>>>>
>>>
>>> Fair enough. But I would suggest you contact dovetail and see what kind
>>> of deal they can spin you. It may turn out to be much cheaper than
>>> trying to cobble together your own solution!
>>>
>>
>> Deal? Co:Z is available free of charge.
>>
>>
> True, but if you want to put it into production then you will likely want
> to pay for support.
>
>



Re: SFTP on z/OS

2017-02-07 Thread David Crayford

On 8/02/2017 5:35 AM, Ed Jaffe wrote:

> On 1/30/2017 7:29 AM, David Crayford wrote:
>
>> On 30/01/2017 10:57 PM, Nims,Alva John (Al) wrote:
>>
>>> I take exception to David's comment, because my shop is an exception.
>>
>> Fair enough. But I would suggest you contact dovetail and see what
>> kind of deal they can spin you. It may turn out to be much cheaper
>> than trying to cobble together your own solution!
>
> Deal? Co:Z is available free of charge.

True, but if you want to put it into production then you will likely
want to pay for support.




Re: SFTP on z/OS

2017-02-07 Thread Ed Jaffe

On 1/30/2017 7:29 AM, David Crayford wrote:

> On 30/01/2017 10:57 PM, Nims,Alva John (Al) wrote:
>
>> I take exception to David's comment, because my shop is an exception.
>
> Fair enough. But I would suggest you contact dovetail and see what
> kind of deal they can spin you. It may turn out to be much cheaper
> than trying to cobble together your own solution!

Deal? Co:Z is available free of charge.

--
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/



Re: SFTP on z/OS

2017-02-06 Thread John McKown
On Sat, Feb 4, 2017 at 3:15 PM, scott Ford  wrote:

> Guys:
>
> I have an SSH question, we don't have an ICSF, do I need one to do SSH? We
> want to do scp from Windows to
> z/OS. I was stepping thru the ICSF stc doc and read about 'head
> 'dev/random' and it's not working returning an error
>

I am running SSH on z/OS 1.12 without having ICSF running. It is a bit
more CPU intensive. In this case, the "/dev/random" device does not work,
but SSH basically doesn't use it in this case. At least, that has been my
experience.



>
> Scott
>
>

-- 
Our calculus classes are an integral part of your education.

Maranatha! <><
John McKown



Re: SFTP on z/OS

2017-02-06 Thread Jantje.
On Fri, 3 Feb 2017 07:58:24 -0600, Kirk Wolf  wrote:

>Standard SSH/SFTP doesn't support X.509 certificates for authentication,

Doesn't it? I didn't know that...

>(z/OS OpenSSH does allow you to put SSH public and private keys in a Key
>Ring Certificate, but only the keys are used; the certificate and its
>signature are irrelevant.)

OK, so then I need a trustworthy channel to get me the public key. Still an 
issue of trust, but a different one, I expect.

Cheers,

Jantje.



Re: SFTP on z/OS

2017-02-04 Thread Paul Gilmartin
On Sun, 5 Feb 2017 09:26:53 +0300, venkat kulkarni wrote:

>Hello All,
>Problem has been resolved. The issue with target host authorize key and
>permission but all now all looks good.
>
>But one issue, I am still facing is when I try to save RSA public key in
>omvs authorized_keys file is the space . I try to enter key but after 255
>character, I am not able to move my cursor to right side to move but my
>key is approx 490 character.
>
>How do I resolve the issue.
> 
Use a friendlier viewer/editor.

What editor are you using on z/OS?

What editor are you using on Linux?

What OS is on your desktop?  What editor can you use there?

-- gil



Re: SFTP on z/OS

2017-02-04 Thread venkat kulkarni
Hello All,
Problem has been resolved. The issue with target host authorize key and
permission but all now all looks good.

But one issue, I am still facing is when I try to save RSA public key in
omvs authorized_keys file is the space . I try to enter key but after 255
character, I am not able to move my cursor to right side to move but my
key is approx 490 character.

How do I resolve the issue.

Regards
Venkat

On Feb 1, 2017 16:52, "Kirk Wolf"  wrote:

> On Tue, Jan 31, 2017 at 9:01 PM, Paul Gilmartin <
> 000433f07816-dmarc-requ...@listserv.ua.edu> wrote:
>
> > ...
> >
> > >You can also have ssh display the "ascii art" fingerprint of public
> key(s)
> > >for visual verification:
> > >
> > Transmitted independently and securely.  Courier pouch?
> >
> > Remember that although the integrity of public keys needs to be guarded,
> their privacy does not.
> So it is common to use other secure communications, like publishing the
> public key on a https: web page.
> See Github and Amazon web services for some examples.
>
>



Re: SFTP on z/OS

2017-02-04 Thread Carmen Vitullo
We're going thru the same process right now with Sftp, we found out we needed
ICSF up, we don't have any crypto express hardware, but do have CPACF enabled


- Original Message -

From: "Mark Jacobs - Listserv"  
To: IBM-MAIN@LISTSERV.UA.EDU 
Sent: Saturday, February 4, 2017 3:21:16 PM 
Subject: Re: SFTP on z/OS 

If you don't have CryptoExpress processors, but do have CPACF enabled on
your processor/LPAR, you still might need ICSF active. I don't know off
hand if ssh will directly use the CPACF facilities without ICSF being
available. 

Mark Jacobs 

> scott Ford <mailto:idfli...@gmail.com> 
> February 4, 2017 at 4:15 PM 
> Guys: 
> 
> I have an SSH question, we don't have an ICSF, do I need one to do SSH? We
> want to do scp from Windows to
> z/OS. I was stepping thru the ICSF stc doc and read about 'head
> 'dev/random' and it's not working returning an error
> 
> Scott 
> 
> 
> 
> Kirk Wolf <mailto:k...@dovetail.com> 
> February 3, 2017 at 8:58 AM 
> Standard SSH/SFTP doesn't support X.509 certificates for authentication,
> so I don't understand your reference to a CA. 
> 
> (z/OS OpenSSH does allow you to put SSH public and private keys in a Key 
> Ring Certificate, but only the keys are used; the certificate and its 
> signature are irrelevant.) 
> 
> Kirk Wolf 
> Dovetailed Technologies 
> http://dovetail.com 
> 
> 
> 
> Jantje. <mailto:jan.moeyers...@gfi.be> 
> February 3, 2017 at 6:48 AM 
> 
> The issue I have with that is one of trust: In the end, I just have to 
> trust whatever the Root Certification Authority is. Or actually, I 
> have to trust Microsoft to have correctly verified the identity of 
> that RCA and the integrity of the certificate they present, because it 
> is MS that installed that certificate in my browser. (s/MS/Google/g 
> for Chrome...) 
> 
> Cheers, 
> 
> Jantje. 
> 
> 

-- 

Mark Jacobs 
Time Customer Service 
Global Technology Services 

The standard you walk past is the standard you accept. 
Lt. Gen. David Morrison 




Re: SFTP on z/OS

2017-02-04 Thread Mark Jacobs - Listserv
If you don't have CryptoExpress processors, but do have CPACF enabled on
your processor/LPAR, you still might need ICSF active. I don't know off
hand if ssh will directly use the CPACF facilities without ICSF being
available.


Mark Jacobs


scott Ford 
February 4, 2017 at 4:15 PM
Guys:

I have an SSH question, we don't have an ICSF, do I need one to do SSH? We
want to do scp from Windows to
z/OS. I was stepping thru the ICSF stc doc and read about 'head
'dev/random' and it's not working returning an error

Scott




Kirk Wolf 
February 3, 2017 at 8:58 AM
Standard SSH/SFTP doesn't support X.509 certificates for authentication,
so I don't understand your reference to a CA.

(z/OS OpenSSH does allow you to put SSH public and private keys in a Key
Ring Certificate, but only the keys are used; the certificate and its
signature are irrelevant.)

Kirk Wolf
Dovetailed Technologies
http://dovetail.com




Jantje. 
February 3, 2017 at 6:48 AM

The issue I have with that is one of trust: In the end, I just have to 
trust whatever the Root Certification Authority is. Or actually, I 
have to trust Microsoft to have correctly verified the identity of 
that RCA and the integrity of the certificate they present, because it 
is MS that installed that certificate in my browser. (s/MS/Google/g 
for Chrome...)


Cheers,

Jantje.





--

Mark Jacobs
Time Customer Service
Global Technology Services

The standard you walk past is the standard you accept.
Lt. Gen. David Morrison




Re: SFTP on z/OS

2017-02-04 Thread scott Ford
Guys:

I have an SSH question, we don't have an ICSF, do I need one to do SSH? We
want to do scp from Windows to
z/OS. I was stepping thru the ICSF stc doc and read about 'head
'dev/random' and it's not working returning an error

Scott

On Fri, Feb 3, 2017 at 8:58 AM, Kirk Wolf  wrote:

> Standard SSH/SFTP doesn't support X.509 certificates for authentication,
> so I don't understand your reference to a CA.
>
> (z/OS OpenSSH does allow you to put SSH public and private keys in a Key
> Ring Certificate, but only the keys are used; the certificate and its
> signature are irrelevant.)
>
> Kirk Wolf
> Dovetailed Technologies
> http://dovetail.com
>
> On Fri, Feb 3, 2017 at 5:48 AM, Jantje.  wrote:
>
> > On Wed, 1 Feb 2017 07:51:23 -0600, Kirk Wolf  wrote:
> >
> > >> Remember that although the integrity of public keys needs to be
> guarded,
> > >their privacy does not.
> > >So it is common to use other secure communications, like publishing the
> > >public key on a https: web page.
> >
> > The issue I have with that is one of trust: In the end, I just have to
> > trust whatever the Root Certification Authority is. Or actually, I have
> to
> > trust Microsoft to have correctly verified the identity of that RCA and
> the
> > integrity of the certificate they present, because it is MS that
> installed
> > that certificate in my browser. (s/MS/Google/g for Chrome...)
> >
> > Cheers,
> >
> > Jantje.
> >
> >
>
>



Re: SFTP on z/OS

2017-02-03 Thread Kirk Wolf
Standard SSH/SFTP doesn't support X.509 certificates for authentication,
so I don't understand your reference to a CA.

(z/OS OpenSSH does allow you to put SSH public and private keys in a Key
Ring Certificate, but only the keys are used; the certificate and its
signature are irrelevant.)

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Fri, Feb 3, 2017 at 5:48 AM, Jantje.  wrote:

> On Wed, 1 Feb 2017 07:51:23 -0600, Kirk Wolf  wrote:
>
> >> Remember that although the integrity of public keys needs to be guarded,
> >their privacy does not.
> >So it is common to use other secure communications, like publishing the
> >public key on a https: web page.
>
> The issue I have with that is one of trust: In the end, I just have to
> trust whatever the Root Certification Authority is. Or actually, I have to
> trust Microsoft to have correctly verified the identity of that RCA and the
> integrity of the certificate they present, because it is MS that installed
> that certificate in my browser. (s/MS/Google/g for Chrome...)
>
> Cheers,
>
> Jantje.
>
>



Re: SFTP on z/OS

2017-02-03 Thread Jantje.
On Wed, 1 Feb 2017 07:51:23 -0600, Kirk Wolf  wrote:

>> Remember that although the integrity of public keys needs to be guarded,
>their privacy does not.
>So it is common to use other secure communications, like publishing the
>public key on a https: web page.

The issue I have with that is one of trust: In the end, I just have to trust 
whatever the Root Certification Authority is. Or actually, I have to trust 
Microsoft to have correctly verified the identity of that RCA and the integrity 
of the certificate they present, because it is MS that installed that 
certificate in my browser. (s/MS/Google/g for Chrome...)

Cheers,

Jantje.



Re: SFTP on z/OS

2017-02-01 Thread Kirk Wolf
On Tue, Jan 31, 2017 at 9:01 PM, Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> ...
>
> >You can also have ssh display the "ascii art" fingerprint of public key(s)
> >for visual verification:
> >
> Transmitted independently and securely.  Courier pouch?
>
> Remember that although the integrity of public keys needs to be guarded,
their privacy does not.
So it is common to use other secure communications, like publishing the
public key on a https: web page.
See Github and Amazon web services for some examples.



Re: SFTP on z/OS

2017-01-31 Thread Paul Gilmartin
On Mon, 30 Jan 2017 09:55:29 -0600, Kirk Wolf wrote:

>With SSH host authentication, the ssh server has the private key and you
>need to get the matching public key into your known_hosts or
>/etc/ssh/ssh_known_hosts
>
>The ssh-keyscan returns the public key(s).
>This public key should be obtained or verified independently on untrusted
>networks.   Once you have it, a Man-In-The-Middle attack would be detected.
>
A Google search:
https://www.google.com/search?q=known_hosts+mitm

Finds this, which concurs and which seems reasonable to me and you affirm:
https://serverfault.com/questions/132970/can-i-automatically-add-a-new-host-to-known-hosts/316100
@Mnebuerquo: If you were worried about security then you wouldn't have anything at all to do
with this question. You'd have the correct host key in front of you, gathered from the console
of the system you wanted to connect to, and you would manually verify it upon first connecting.
You certainly wouldn't do anything "automatically". – Ignacio Vazquez-Abrams Jun 15 '16 at 17:31

>You can also have ssh display the "ascii art" fingerprint of public key(s)
>for visual verification:
>
Transmitted independently and securely.  Courier pouch?

>ssh-keygen -lv -f ~/.ssh/known_hosts
>...
>2048 3b:87:95:6d:74:84:4f:d4:8e:bd:63:65:b1:5b:8e:74 [localhost]:6622 (RSA)
>+--[ RSA 2048]+
>| oo. |
>|.|
>|.o.+o|
>|   + .+.E|
>|S o o. ==|
>| + .  .=.|
>|+ .   . .|
>| o   |
>| |
>+-+

-- gil



Re: SFTP on z/OS

2017-01-31 Thread Carlos Bodra - Pessoal
Check MDI product at luminex.com for fast and secure SFTP or FTP

Carlos Bodra
IBM System Certified System z
São Paulo - Brazil

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of 
venkat kulkarni
Sent: Sunday, January 29, 2017 14:38
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: SFTP on z/OS

Hello Group,

We tested SFTP on our test z/OS system to Test AIX box and we are able to 
transfer data between these hosts. But now, I am trying in production system 
with below detail.

1) Our aim is to convert all our FTP jobs into SFTP.
2) We are using $universe as scheduler for submitting these FTP jobs from time to 
time.
3) We are using a user called "STCSYS" for all these jobs.
4) But in FTP jobs, for every other host ( Ex AIX1, AIX2,AIX3 etc) we are using 
different user id password to login to target host and then start FTP process.
5) But in SFTP, it creates TSO env using IKJEFT01 program and then runs SFTP 
commands to transfer files between systems.

Example of SFTP Job we are using

//SFTPSFT JOB (7330),MSGCLASS=X,MSGLEVEL=(1,1),CLASS=P,
//  NOTIFY=&SYSUID
//STEP1   EXEC PGM=IKJEFT01,REGION=0M
//SYSEXEC  DD   DISP=SHR,DSN=SYS1.SBPXEXEC
//SYSTSIN   DD DSN=SFTPSFT.TEST.JCL(FTPTST1),DISP=SHR
//OUTPUT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
/*

EDIT   SFTPSFT.TEST.JCL(FTPTST1) - 01.02
Command ===>
** * Top of Data
000800 OPUT 'SFTPSFT.SFTP.TEST(SFTP1)'  '/u/SFTPSFT/vp12'
000900 OSHELL { echo 'lcd /u/stcsys' ; +
001000  echo 'ascii'; +
001100  echo 'cd /home/ftp4rpt/';  +
001200  echo 'mput test.txt'; } | +
001300sftp -v ftprpt@10.22.22.220
001400 /*

So, now I have stcsys user id created on mainframe with all

# cd .ssh
# ls -al
total 96
drwx--   2 MEAS OMVSGRP 8192 Jan 24 08:23 .
drwxr-xr-x   3 MEAS OMVSGRP 8192 Jan 24 08:22 ..
-rw---   1 MEAS OMVSGRP  791 Jan 24 08:36 authorized_keys
-rw---   1 MEAS OMVSGRP 1675 Jan 24 08:23 id_rsa
-rw-r--r--   1 MEAS OMVSGRP  396 Jan 24 08:25 id_rsa.pub
-rw-r--r--   1 MEAS OMVSGRP  697 Jan 29 10:26 known_hosts
# pwd
/u/stcsys/.ssh

and in AIX1 side, I have ftprpt user defined and

$ cd /home/ftprpt /.ssh
$ ls -al
total 48
drwx--2 ftprpt staff   256 Jan 13 15:37 .
drwxr-xr-x3 ftprpt staff  4096 Jan 15 12:15 ..
-rw-r--r--1 ftprptstaff   791 Jan 15 12:12 authorized_keys
-rw-r--r--1 ftprpt staff   395 Jan 13 15:37 authorized_keys.old
-rw---1 ftprpt staff  1675 Dec 11 14:25 id_rsa
-rw-r--r--1 ftprpt staff   394 Dec 11 14:25 id_rsa.pub
-rw-r--r--1 ftprpt staff   352 Jan 15 10:31 known_hosts
$

and we exchanged rsa.pub key in authorized_keys file and exchanged ECDSA.pub 
key in  known_hosts file but while running Job, I am getting below issue.

OpenSSH_6.4, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/zos_ssh_config
debug1: zsshSmfSetConnSmfStatus: SMF status is 0
debug1: Connecting to 10.22.22.220 Ý10.22.22.220¨ port 22.
debug1: Connection established.
debug1: cipher_init: none from source OpenSSL
debug1: cipher_init: none from source OpenSSL
debug1: permanently_set_uid: 0/1000
debug1: identity file /u/stcsys/.ssh/id_rsa type 1
debug1: identity file /u/stcsys/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0
debug1: match: OpenSSH_6.0 pat OpenSSH*
FOTS1061 key_read: uudecode E2VjZHNhLXNoYTItbmlzdHAyNTYIbm
lzdHAyNTYAAAB
 failed
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: mac_setup_by_alg: hmac-sha1 from source OpenSSL
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: mac_setup_by_alg: hmac-sha1 from source OpenSSL
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA ce:14:d1:2f:b2:d1:7c:83:12:9a:16:1e:31:9d:b6:b7
FOTS1061 key_read: uudecode E2VjZHNhLXNoYTItbmlzdHAyNTYIbm
lzdHAyNTYAAAB
 failed
debug1: read_passphrase: can't open /dev/tty: EDC5128I No such device.
(errno2=0
FOTS1370 Host key verification failed.
debug1: zsshSmfSetConnSmfStatus: SMF status is 0
FOTS0841 Connection closed

Can you please help, if I am not following correct way on this new setup or I 
should be using same userid on both mainframe and aix s

Re: SFTP on z/OS

2017-01-30 Thread Edward Gould
> On Jan 30, 2017, at 6:29 AM, David Crayford  wrote:
> 
> On 30/01/2017 4:31 PM, Rob Schramm wrote:
>> Coz toolkit for z/OS makes setting up batch SFTP easy.  Even if you choose
>> not to use Coz toolkit in production.
> 
> IMO, any site serious about running SFTP in production should seriously 
> consider the Co:Z toolkit. You will almost certainly get better support and 
> the feature boost is a no-brainer. I have my doubts that Venkat is actually 
> serious about running SFTP in production.
> 
>> Rob Schramm

Rob:
Only if you pay for support.
Ed


Re: SFTP on z/OS

2017-01-30 Thread David Crayford

On 30/01/2017 10:57 PM, Nims,Alva John (Al) wrote:

I take exception to David's comment, because my shop is an exception.


Fair enough. But I would suggest you contact dovetail and see what kind 
of deal they can spin you. It may turn out to be much cheaper than 
trying to cobble together your own solution!




#1. UFL is "Getting Off" the mainframe sometime in the next few years.
#2. I have had a request to use SFTP from the mainframe for production, the 
request to use SFTP was from the security group, who does not take #1 into 
account.
#3. Because of #1, GUESS WHO CAN'T SPEND ANY 's on anything new!
#4. So I am following this discussion in the hopes to expand my limited 
knowledge of SFTP to satisfy #2.

Sorry if I sounding HARSH there, but not all shops can throw 's at a 
problem!

Al Nims
Systems Admin/Programmer 3
UFIT
University of Florida
(352) 273-1298

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of David Crayford
Sent: Monday, January 30, 2017 7:30 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: SFTP on z/OS

On 30/01/2017 4:31 PM, Rob Schramm wrote:

Coz toolkit for z/OS makes setting up batch SFTP easy.  Even if you
choose not to use Coz toolkit in production.

IMO, any site serious about running SFTP in production should seriously 
consider the Co:Z toolkit. You will almost certainly get better support and the 
feature boost is a no-brainer. I have my doubts that Venkat is actually serious 
about running SFTP in production.


Rob Schramm

On Mon, Jan 30, 2017, 2:45 AM venkat kulkarni

wrote:


Thanks for reply. Basically I feel the issue is known host file. Can
anybody explain me how can we generate keys for known host file to
establish the connection .

The only way I know is using sftp login interactively using omvs. But
is there any other method to do this .

On Jan 30, 2017 06:18, "Paul Gilmartin" <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:


On Sun, 29 Jan 2017 15:20:59 -0600, Kirk Wolf wrote:

And see that "mput" is not a valid sftp subcommand.


There's some motivation here for testing your process interactively
before you try to batch it.

And I've had considerable success with such as:

  ( cd /u/stcsys && pax -w . ) |
  ssh ftprpt@10.22.22.220 "cd /home/ftp4rpt/ && pax -rv"

z/OS pax has useful facilities for code page conversion ("ascii")
and for renaming members with sed-like patterns.

-- gil




Re: SFTP on z/OS

2017-01-30 Thread Kirk Wolf
With SSH host authentication, the ssh server has the private key and you
need to get the matching public key into your known_hosts or
/etc/ssh/ssh_known_hosts

The ssh-keyscan returns the public key(s).
This public key should be obtained or verified independently on untrusted
networks.   Once you have it, a Man-In-The-Middle attack would be detected.

You can also have ssh display the "ascii art" fingerprint of public key(s)
for visual verification:

ssh-keygen -lv -f ~/.ssh/known_hosts
...
2048 3b:87:95:6d:74:84:4f:d4:8e:bd:63:65:b1:5b:8e:74 [localhost]:6622 (RSA)
+--[ RSA 2048]+
| oo. |
|.|
|.o.+o|
|   + .+.E|
|S o o. ==|
| + .  .=.|
|+ .   . .|
| o   |
| |
+-+


Some sites will have administrators maintain a master list of their server
public keys and then distribute these to all nodes in the network.
OpenSSH also has support for putting the public key in "SSHFP" records, but
this requires DNSSEC, and the necessary support is not yet in IBM z/OS
OpenSSH.

Finally, OpenSSH on z/OS supports Kerberos (Windows Active Directory)
authentication, which with supporting partners will handle both user and
host authentication and eliminates both SSH host and user keys.
https://dovetail.com/docs/ssh/kerberos_sso.pdf

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Mon, Jan 30, 2017 at 9:16 AM, Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Mon, 30 Jan 2017 09:01:03 -0600, Kirk Wolf wrote:
>
> >Host keys, user keys, and authentication is done by IBM OpenSSH.
> >
> >The ssh-keyscan command (part of OpenSSH) can be used to get public keys
> >from one or more hosts
> >
> >For example, since it appears that Venkat's are corrupted:
> >
> >cd ~/.ssh
> >mv known_hosts known_hosts_corrupted
> >ssh-keyscan  host1.com host2.com host3.com  > known_hosts
> >
> Is that asking those hosts to provide, without authentication, the
> keys to be used in the future for authentication?
>
> I suppose that sometimes ya gotta just trust somebody.
>
> -- gil
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
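
An added example, not part of the original thread or of OpenSSH: a Python check that flags known_hosts entries whose key does not decode (the condition Kirk Wolf's reply ties to the FOTS1061 "key_read: uudecode ... failed" message in this thread) and accepts an ssh-keyscan result only when its fingerprint matches one obtained independently, as the message above advises. The host name, key bytes and function names are constructed for illustration, and the field walk assumes plain public keys rather than certificates.

```python
import base64
import binascii
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire encoding of a string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def split_fields(blob: bytes) -> list:
    """Split a plain public-key blob into its length-prefixed fields.

    Raises ValueError when a length runs past the end of the blob, which is
    what a key cut short by line wrapping or a partial copy looks like.
    """
    fields, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 4:
            raise ValueError("truncated length prefix")
        (size,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if size > len(blob) - pos:
            raise ValueError(f"field claims {size} bytes, only {len(blob) - pos} left")
        fields.append(blob[pos:pos + size])
        pos += size
    return fields


def parse_line(line: str):
    """Return (hosts, keytype, blob) for one known_hosts line, or raise ValueError."""
    parts = line.split()
    if parts and parts[0].startswith("@"):      # @cert-authority / @revoked marker
        parts = parts[1:]
    if len(parts) < 3:
        raise ValueError("expected 'hosts keytype base64-key'")
    hosts, keytype, b64 = parts[:3]
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"base64 decode failed: {exc}") from None
    fields = split_fields(blob)
    if len(fields) < 2:
        raise ValueError("blob holds no key material")
    if fields[0].decode("ascii", "replace") != keytype:
        raise ValueError("key type inside blob does not match the line's keytype")
    return hosts, keytype, blob


def fingerprints(blob: bytes):
    """Return (MD5 colon-hex, SHA256 base64) fingerprints of a key blob.

    The MD5 form is the one shown in the ssh-keygen -l output quoted in the
    thread; newer OpenSSH releases print the SHA256 form by default.
    """
    md5_hex = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2))
    sha_fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_fp, sha_fp


def audit(text: str) -> list:
    """Check every entry; return a list of (line_number, 'ok' or the defect found)."""
    report = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            parse_line(line)
            report.append((number, "ok"))
        except ValueError as exc:
            report.append((number, str(exc)))
    return report


def accept_scanned_key(scanned_line: str, trusted_fingerprint: str) -> bool:
    """True only if a scanned line parses and matches the independently obtained fingerprint."""
    try:
        _, _, blob = parse_line(scanned_line)
    except ValueError:
        return False
    return trusted_fingerprint in fingerprints(blob)


# Constructed sample data: a structurally valid ssh-ed25519 blob built from
# dummy bytes (not a real host key) and a hypothetical host name.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
GOOD_LINE = f"host1.example ssh-ed25519 {SAMPLE_B64}"
# The same entry with the key wrapped onto a second line, as a bad paste can leave it.
WRAPPED = f"host1.example ssh-ed25519 {SAMPLE_B64[:40]}\n{SAMPLE_B64[40:]}"
SAMPLE_FILE = "# constructed known_hosts\n" + GOOD_LINE + "\n" + WRAPPED + "\n"

if __name__ == "__main__":
    for number, status in audit(SAMPLE_FILE):
        print(f"line {number}: {status}")
    print("fingerprints of the good entry:", fingerprints(SAMPLE_BLOB))
```

The trusted fingerprint passed to accept_scanned_key has to come from outside the connection being checked, for example read from the server's console or from an authenticated web page.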


Re: SFTP on z/OS

2017-01-30 Thread John McKown
On Mon, Jan 30, 2017 at 8:57 AM, Nims,Alva John (Al)  wrote:

> I take exception to David's comment, because my shop is an exception.
>
> #1. UFL is "Getting Off" the mainframe sometime in the next few years.
> #2. I have had a request to use SFTP from the mainframe for production,
> the request to use SFTP was from the security group, who does not take #1
> into account.
> #3. Because of #1, GUESS WHO CAN'T SPEND ANY 's on anything new!
> #4. So I am following this discussion in the hopes to expand my limited
> knowledge of SFTP to satisfy #2.
>
> Sorry if I sounding HARSH there, but not all shops can throw 's at a
> problem!
>

Co:Z is __FREE__ to download & use. Money is only required if you want a
support contract. I've used Co:Z at our company (similar to yours - almost
off the z) for years with no support and __NO__ problems.

I don't use sftp, personally. But that is simply because I use Co:Z
(remember it is _free_ to use) and its utilities: fromfile (z/OS UNIX file
to stdout), tofile (stdin to z/OS UNIX file), fromdsn (z/OS data set to
stdout) and todsn (stdin to z/OS data set) instead. The fromdsn can also be
used to read job output from the JES SPOOL. The todsn can be used to write
a report to the JES SPOOL or to submit JCL to run.

Since I need unattended transfers, I have a RACF id which is quite
restricted but which has an SSH cert without a passphrase. This means that
I can use this id to do unattended transfers successfully; no prompts for
passwords or passphrases. This should work with the "normal" (read
primitive) IBM sftp as well as the enhanced sftp from Dovetailed
Technologies. I do understand that, even if free, some management won't
allow implementation of "unsupported" software. A catch-22 - can't afford
to buy software in order to be supported, also can't use free & unsupported
software (regardless of the quality & praise of others), but still required
to "just get the damn job done".



>
> Al Nims
> Systems Admin/Programmer 3
> UFIT
> University of Florida
> (352) 273-1298
>
>

-- 
There’s no obfuscated Perl contest because it’s pointless.

—Jeff Polk

Maranatha! <><
John McKown



Re: SFTP on z/OS

2017-01-30 Thread Paul Gilmartin
On Mon, 30 Jan 2017 09:01:03 -0600, Kirk Wolf wrote:

>Host keys, user keys, and authentication is done by IBM OpenSSH.
>
>The ssh-keyscan command (part of OpenSSH) can be used to get public keys
>from one or more hosts
>
>For example, since it appears that Venkat's are corrupted:
>
>cd ~/.ssh
>mv known_hosts known_hosts_corrupted
>ssh-keyscan  host1.com host2.com host3.com  > known_hosts
>
Is that asking those hosts to provide, without authentication, the
keys to be used in the future for authentication?

I suppose that sometimes ya gotta just trust somebody.

-- gil



Re: SFTP on z/OS

2017-01-30 Thread Kirk Wolf
Host keys, user keys, and authentication is done by IBM OpenSSH.

The ssh-keyscan command (part of OpenSSH) can be used to get public keys
from one or more hosts

For example, since it appears that Venkat's are corrupted:

cd ~/.ssh
mv known_hosts known_hosts_corrupted
ssh-keyscan  host1.com host2.com host3.com  > known_hosts



Kirk Wolf
Dovetailed Technologies
http://dovetail.com

On Mon, Jan 30, 2017 at 8:52 AM, Paul Gilmartin <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Mon, 30 Jan 2017 10:45:28 +0300, venkat kulkarni wrote:
>
> >Thanks for reply. Basically I feel the issue is known host file. Can
> >anybody explain me how can we generate keys for known host file to
> >establish the connection .
> >
> >The only way I know is using sftp login interactively using omvs. But is
> >there any other method to do this .
> >
> You know a way that works.  Why do you want another?
>
> If necessary, can you have an administrator generate a host key and
> copy or email it to users who need it?
>
> How does Co:Z do this?
>
> -- gil
>



Re: SFTP on z/OS

2017-01-30 Thread Nims,Alva John (Al)
Can't you get the certificates via the command?:

openssl s_client -starttls ftp -connect remote.ftp.server.host:port -showcerts

I have not made it to the point where I can try the above in my network yet.  
This command was given to me by a previous Sysprog that was kind of looking 
into this before me.

Al Nims
Systems Admin/Programmer 3
UFIT
University of Florida
(352) 273-1298

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Paul Gilmartin
Sent: Monday, January 30, 2017 9:53 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: SFTP on z/OS

On Mon, 30 Jan 2017 10:45:28 +0300, venkat kulkarni wrote:

>Thanks for reply. Basically I feel the issue is known host file. Can 
>anybody explain me how can we generate keys for known host file to 
>establish the connection .
>
>The only way I know is using sftp login interactively using omvs. But 
>is there any other method to do this .
> 
You know a way that works.  Why do you want another?

If necessary, can you have an administrator generate a host key and copy or 
email it to users who need it?

How does Co:Z do this?

-- gil



Re: SFTP on z/OS

2017-01-30 Thread Nims,Alva John (Al)
I take exception to David's comment, because my shop is an exception.

#1. UFL is "Getting Off" the mainframe sometime in the next few years.
#2. I have had a request to use SFTP from the mainframe for production, the 
request to use SFTP was from the security group, who does not take #1 into 
account.
#3. Because of #1, GUESS WHO CAN'T SPEND ANY 's on anything new!
#4. So I am following this discussion in the hopes to expand my limited 
knowledge of SFTP to satisfy #2.

Sorry if I sounding HARSH there, but not all shops can throw 's at a 
problem!

Al Nims
Systems Admin/Programmer 3
UFIT
University of Florida
(352) 273-1298

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of David Crayford
Sent: Monday, January 30, 2017 7:30 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: SFTP on z/OS

On 30/01/2017 4:31 PM, Rob Schramm wrote:
> Coz toolkit for z/OS makes setting up batch SFTP easy.  Even if you 
> choose not to use Coz toolkit in production.

IMO, any site serious about running SFTP in production should seriously 
consider the Co:Z toolkit. You will almost certainly get better support and the 
feature boost is a no-brainer. I have my doubts that Venkat is actually serious 
about running SFTP in production.

> Rob Schramm
>
> On Mon, Jan 30, 2017, 2:45 AM venkat kulkarni 
> 
> wrote:
>
>> Thanks for reply. Basically I feel the issue is known host file. Can 
>> anybody explain me how can we generate keys for known host file to 
>> establish the connection .
>>
>> The only way I know is using sftp login interactively using omvs. But 
>> is there any other method to do this .
>>
>> On Jan 30, 2017 06:18, "Paul Gilmartin" < 
>> 000433f07816-dmarc-requ...@listserv.ua.edu> wrote:
>>
>>> On Sun, 29 Jan 2017 15:20:59 -0600, Kirk Wolf wrote:
>>>> And see that "mput" is not a valid sftp subcommand.
>>>>
>>> There's some motivation here for testing your process interactively 
>>> before you try to batch it.
>>>
>>> And I've had considerable success with such as:
>>>
>>>  ( cd /u/stcsys && pax -w . ) |
>>>  ssh ftprpt@10.22.22.220 "cd /home/ftp4rpt/ && pax -rv"
>>>
>>> z/OS pax has useful facilities for code page conversion ("ascii") 
>>> and for renaming members with sed-like patterns.
>>>
>>> -- gil
>>>


Re: SFTP on z/OS

2017-01-30 Thread Paul Gilmartin
On Mon, 30 Jan 2017 10:45:28 +0300, venkat kulkarni wrote:

>Thanks for reply. Basically I feel the issue is known host file. Can
>anybody explain me how can we generate keys for known host file to
>establish the connection .
>
>The only way I know is using sftp login interactively using omvs. But is
>there any other method to do this .
> 
You know a way that works.  Why do you want another?

If necessary, can you have an administrator generate a host key and
copy or email it to users who need it?

How does Co:Z do this?

-- gil



Re: SFTP on z/OS

2017-01-30 Thread David Crayford

On 30/01/2017 4:31 PM, Rob Schramm wrote:

Coz toolkit for z/OS makes setting up batch SFTP easy.  Even if you choose
not to use Coz toolkit in production.


IMO, any site serious about running SFTP in production should seriously 
consider the Co:Z toolkit. You will almost certainly get better support 
and the feature boost is a no-brainer. I have my doubts that Venkat is 
actually serious about running SFTP in production.



Rob Schramm

On Mon, Jan 30, 2017, 2:45 AM venkat kulkarni 
wrote:


Thanks for reply. Basically I feel the issue is known host file. Can
anybody explain me how can we generate keys for known host file to
establish the connection .

The only way I know is using sftp login interactively using omvs. But is
there any other method to do this .

On Jan 30, 2017 06:18, "Paul Gilmartin" <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:


On Sun, 29 Jan 2017 15:20:59 -0600, Kirk Wolf wrote:

And see that "mput" is not a valid sftp subcommand.


There's some motivation here for testing your process interactively
before you try to batch it.

And I've had considerable success with such as:

 ( cd /u/stcsys && pax -w . ) |
 ssh ftprpt@10.22.22.220 "cd /home/ftp4rpt/ && pax -rv"

z/OS pax has useful facilities for code page conversion ("ascii")
and for renaming members with sed-like patterns.

-- gil



Re: SFTP on z/OS

2017-01-30 Thread Rob Schramm
Coz toolkit for z/OS makes setting up batch SFTP easy.  Even if you choose
not to use Coz toolkit in production.

Rob Schramm

On Mon, Jan 30, 2017, 2:45 AM venkat kulkarni 
wrote:

> Thanks for reply. Basically I feel the issue is known host file. Can
> anybody explain me how can we generate keys for known host file to
> establish the connection .
>
> The only way I know is using sftp login interactively using omvs. But is
> there any other method to do this .
>
> On Jan 30, 2017 06:18, "Paul Gilmartin" <
> 000433f07816-dmarc-requ...@listserv.ua.edu> wrote:
>
> > On Sun, 29 Jan 2017 15:20:59 -0600, Kirk Wolf wrote:
> > >
> > >And see that "mput" is not a valid sftp subcommand.
> > >
> > There's some motivation here for testing your process interactively
> > before you try to batch it.
> >
> > And I've had considerable success with such as:
> >
> > ( cd /u/stcsys && pax -w . ) |
> > ssh ftprpt@10.22.22.220 "cd /home/ftp4rpt/ && pax -rv"
> >
> > z/OS pax has useful facilities for code page conversion ("ascii")
> > and for renaming members with sed-like patterns.
> >
> > -- gil
> >
-- 

Rob Schramm



Re: SFTP on z/OS

2017-01-29 Thread venkat kulkarni
Thanks for reply. Basically I feel the issue is known host file. Can
anybody explain me how can we generate keys for known host file to
establish the connection .

The only way I know is using sftp login interactively using omvs. But is
there any other method to do this .

On Jan 30, 2017 06:18, "Paul Gilmartin" <
000433f07816-dmarc-requ...@listserv.ua.edu> wrote:

> On Sun, 29 Jan 2017 15:20:59 -0600, Kirk Wolf wrote:
> >
> >And see that "mput" is not a valid sftp subcommand.
> >
> There's some motivation here for testing your process interactively
> before you try to batch it.
>
> And I've had considerable success with such as:
>
> ( cd /u/stcsys && pax -w . ) |
> ssh ftprpt@10.22.22.220 "cd /home/ftp4rpt/ && pax -rv"
>
> z/OS pax has useful facilities for code page conversion ("ascii")
> and for renaming members with sed-like patterns.
>
> -- gil
>



Re: SFTP on z/OS

2017-01-29 Thread Paul Gilmartin
On Sun, 29 Jan 2017 15:20:59 -0600, Kirk Wolf wrote:
>
>And see that "mput" is not a valid sftp subcommand.
> 
There's some motivation here for testing your process interactively
before you try to batch it.

And I've had considerable success with such as:

( cd /u/stcsys && pax -w . ) |
ssh ftprpt@10.22.22.220 "cd /home/ftp4rpt/ && pax -rv"

z/OS pax has useful facilities for code page conversion ("ascii")
and for renaming members with sed-like patterns.

-- gil



Re: SFTP on z/OS

2017-01-29 Thread Kirk Wolf
Hi Venkat,

Besides dealing with issues regarding using IBM tools to run shell scripts
in batch, the following message means that your $HOME/.ssh/known_hosts or
/etc/ssh/ssh_known_hosts file is corrupted (-vvv would help to pin it down
if you can't find the problem):

FOTS1061 key_read: uudecode E2VjZHNhLXNoYTItbmlzdHAyNTYIbm
lzdHAyNTYAAAB

As I recall from this list, you were also working on this project in
November.  I would suggest that you should look at the IBM OpenSSH User's
Guide (Chapter 9, "sftp command")
http://www-03.ibm.com/systems/resources/fot4os03.pdf

And see that "mput" is not a valid sftp subcommand.

Kirk Wolf
Dovetailed Technologies
http://dovetail.com

PS> If you are going to be at SHARE in March, check out our session:


   - *Join us at SHARE in San Jose*

   Thursday, March 09, 10:00 AM - 11:00 AM, Finding the Needle in a
   Haystack - Diagnosing Common OpenSSH Problems


PS>

On Sun, Jan 29, 2017 at 10:37 AM, venkat kulkarni <
venkatkulkarn...@gmail.com> wrote:

> Hello Group,
>
>
>
> We tested SFTP on our test z/OS system to Test AIX box and we are able to
> transfer data between these host. But now, I am trying in production system
> with below detail.
>
>
>
> 1) Our aim is to convert all our FTP jobs into SFTP.
>
> 2) We are using $universe as scheduler for submitting these FTP jobs on
> time to time.
>
> 3) We using user called "STCSYS" all these jobs.
>
> 4) But in FTP jobs, for every other host ( Ex AIX1, AIX2,AIX3 etc) we are
> using different user id password to login to target host and then start FTP
> process.
>
> 5) But in SFTP, it create TSO env using IKJEFT01 program and then run SFTP
> commands to transfer files between systems.
>
>
>
> Example of SFTP Job, we using
>
>
>
>
>
> //SFTPSFT JOB (7330),MSGCLASS=X,MSGLEVEL=(1,1),CLASS=P,
>
> //  NOTIFY=&SYSUID
>
> //STEP1   EXEC PGM=IKJEFT01,REGION=0M
>
> //SYSEXEC  DD   DISP=SHR,DSN=SYS1.SBPXEXEC
>
> //SYSTSIN   DD DSN=SFTPSFT.TEST.JCL(FTPTST1),DISP=SHR
>
> //OUTPUT DD SYSOUT=*
>
> //SYSTSPRT DD SYSOUT=*
>
> /*
>
>
>
> EDIT   SFTPSFT.TEST.JCL(FTPTST1) - 01.02
>
> Command ===>
>
> ** * Top of Data 
>
> 000800 OPUT 'SFTPSFT.SFTP.TEST(SFTP1)'  '/u/SFTPSFT/vp12'
>
> 000900 OSHELL { echo 'lcd /u/stcsys' ; +
>
> 001000  echo 'ascii'; +
>
> 001100  echo 'cd /home/ftp4rpt/';  +
>
> 001200  echo 'mput test.txt'; } | +
>
> 001300sftp -v ftprpt@10.22.22.220
>
> 001400 /*
>
>
>
>
>
> So, now I have stcsys user id created on mainframe with all
>
>
>
> # cd .ssh
>
> # ls -al
>
> total 96
>
> drwx--   2 MEAS OMVSGRP 8192 Jan 24 08:23 .
>
> drwxr-xr-x   3 MEAS OMVSGRP 8192 Jan 24 08:22 ..
>
> -rw---   1 MEAS OMVSGRP  791 Jan 24 08:36 authorized_keys
>
> -rw---   1 MEAS OMVSGRP 1675 Jan 24 08:23 id_rsa
>
> -rw-r--r--   1 MEAS OMVSGRP  396 Jan 24 08:25 id_rsa.pub
>
> -rw-r--r--   1 MEAS OMVSGRP  697 Jan 29 10:26 known_hosts
>
> # pwd
>
> /u/stcsys/.ssh
>
>
>
>
> and in AIX1 side, I have ftprpt user defined and
>
>
>
> $ cd /home/ftprpt /.ssh
>
> $ ls -al
>
> total 48
>
> drwx--2 ftprpt staff   256 Jan 13 15:37 .
>
> drwxr-xr-x3 ftprpt staff  4096 Jan 15 12:15 ..
>
> -rw-r--r--1 ftprptstaff   791 Jan 15 12:12 authorized_keys
>
> -rw-r--r--1 ftprpt staff   395 Jan 13 15:37
> authorized_keys.old
>
> -rw---1 ftprpt staff  1675 Dec 11 14:25 id_rsa
>
> -rw-r--r--1 ftprpt staff   394 Dec 11 14:25 id_rsa.pub
>
> -rw-r--r--1 ftprpt staff   352 Jan 15 10:31 known_hosts
>
> $
>
>
>
>
>
>
>
> and we exchanged rsa.pub key in authorized_keys file and exchanged
> ECDSA.pub
> key in  known_hosts file but while running Job, I am getting below issue.
>
>
>
> OpenSSH_6.4, OpenSSL 1.0.1c 10 May 2012
>
>
> debug1: Reading configuration data /etc/ssh/ssh_config
>
>
> debug1: Reading configuration data /etc/ssh/zos_ssh_config
>
>
> debug1: zsshSmfSetConnSmfStatus: SMF status is 0
>
>
> debug1: Connecting to 10.22.22.220 Ý10.22.22.220¨ port 22.
>
>
> debug1: Connection established.
>
>
> debug1: cipher_init: none from source OpenSSL
>
>
> debug1: cipher_init: none from source OpenSSL
>
>
> debug1: permanently_set_uid: 0/1000
>
>
> debug1: identity file /u/stcsys/.ssh/id_rsa type 1
>
>
> debug1: identity file /u/stcsys/.ssh/id_rsa-cert type -1
>
>
> debug1: Enabling compatibility mode for protocol 2.0
>
>
> debug1: Local version string SSH-2.0-OpenSSH_6.4
>
>
> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0
>
>
> debug1: match: OpenSSH_6.0 pat OpenSSH*
>
>
> FOTS1061 key_read: uudecode E2VjZHNhLXNoYTItbmlzdHAyNTYIbm
> lzdHAyNTYAAAB
>
>  failed
>
>
> debug1: SSH2_MSG_KEXINIT sent
>
>
> debug1: SSH2_MSG_KEXINIT received
>
>
> debug1: mac_setup_by_alg: hmac-sha1 from source OpenSSL
>
>
> debug1: kex: server->client aes128-ctr hmac-sha1 none
>
>
> debug1: mac_setup_by_alg: hmac-sha1 

Re: SFTP on z/OS

2017-01-29 Thread Paul Gilmartin
On Sun, 29 Jan 2017 19:37:41 +0300, venkat kulkarni wrote:
>
>We tested SFTP on our test z/OS system to Test AIX box and we are able to
>transfer data between these host. But now, I am trying in production system
>with below detail.
>...
>** * Top of Data 
>000800 OPUT 'SFTPSFT.SFTP.TEST(SFTP1)'  '/u/SFTPSFT/vp12'
>000900 OSHELL { echo 'lcd /u/stcsys' ; +
>001000  echo 'ascii'; +
>001100  echo 'cd /home/ftp4rpt/';  +
>001200  echo 'mput test.txt'; } | +
>001300sftp -v ftprpt@10.22.22.220
>001400 /*
>
I'd be inclined to add commands to do some probing:

>** * Top of Data 
>000800 OPUT 'SFTPSFT.SFTP.TEST(SFTP1)'  '/u/SFTPSFT/vp12'
>000900 OSHELL {
>001000set -x; id; echo ~; ls -al ~/.ssh; +
>001000{ echo 'lcd /u/stcsys' ; +
>001000  echo 'ascii'; +
>001100  echo 'cd /home/ftp4rpt/';  +
>001200  echo 'mput test.txt'; } | +
>001300sftp -v ftprpt@10.22.22.220
>001400 /*
>
(What's the maximum length of a TSO command?)

Oops!  I just RTFM and notice that by default stderr is discarded.  So, the
probe command becomes:
>001000set -x; exec 2>&1; id; echo ~; ls -al ~/.ssh; +

You might do better to CALL *(BPXBATCH) directly since OSHELL FREEs STDERR.

(Why are these "utilities" so inappropriate!?)

I'd use BPXWUNIX instead, allocating stdout and stderr in SYSOUT
in JCL DD statements.

-- gil



Re: SFTP on z/OS

2017-01-29 Thread Paul Gilmartin
On Sun, 29 Jan 2017 19:37:41 +0300, venkat kulkarni wrote:
>
>We tested SFTP on our test z/OS system to Test AIX box and we are able to
>transfer data between these host. But now, I am trying in production system
>with below detail.
>...
>** * Top of Data 
>000800 OPUT 'SFTPSFT.SFTP.TEST(SFTP1)'  '/u/SFTPSFT/vp12'
>000900 OSHELL { echo 'lcd /u/stcsys' ; +
>001000  echo 'ascii'; +
>001100  echo 'cd /home/ftp4rpt/';  +
>001200  echo 'mput test.txt'; } | +
>001300sftp -v ftprpt@10.22.22.220
>001400 /*
>
I'd be inclined to add commands to do some probing:

>** * Top of Data 
>000800 OPUT 'SFTPSFT.SFTP.TEST(SFTP1)'  '/u/SFTPSFT/vp12'
>000900 OSHELL {
>001000set -x; id; echo ~; ls -al ~/.ssh; +
>001000{ echo 'lcd /u/stcsys' ; +
>001000  echo 'ascii'; +
>001100  echo 'cd /home/ftp4rpt/';  +
>001200  echo 'mput test.txt'; } | +
>001300sftp -v ftprpt@10.22.22.220
>001400 /*
>
(What's the maximum length of a TSO command?)

-- gil



SFTP on z/OS

2017-01-29 Thread venkat kulkarni
Hello Group,

We tested SFTP on our test z/OS system to Test AIX box and we are able to
transfer data between these hosts. But now, I am trying in production system
with below detail.

1) Our aim is to convert all our FTP jobs into SFTP.
2) We are using $universe as scheduler for submitting these FTP jobs from
time to time.
3) We are using a user called "STCSYS" for all these jobs.
4) But in FTP jobs, for every other host (Ex AIX1, AIX2, AIX3 etc) we are
using different user id password to login to target host and then start FTP
process.
5) But in SFTP, it creates TSO env using IKJEFT01 program and then runs SFTP
commands to transfer files between systems.

Example of the SFTP job we are using:

//SFTPSFT JOB (7330),MSGCLASS=X,MSGLEVEL=(1,1),CLASS=P,
//  NOTIFY=&SYSUID
//STEP1   EXEC PGM=IKJEFT01,REGION=0M
//SYSEXEC  DD   DISP=SHR,DSN=SYS1.SBPXEXEC
//SYSTSIN   DD DSN=SFTPSFT.TEST.JCL(FTPTST1),DISP=SHR
//OUTPUT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
/*

EDIT   SFTPSFT.TEST.JCL(FTPTST1) - 01.02
Command ===>
** * Top of Data 
000800 OPUT 'SFTPSFT.SFTP.TEST(SFTP1)'  '/u/SFTPSFT/vp12'
000900 OSHELL { echo 'lcd /u/stcsys' ; +
001000  echo 'ascii'; +
001100  echo 'cd /home/ftp4rpt/';  +
001200  echo 'mput test.txt'; } | +
001300sftp -v ftprpt@10.22.22.220
001400 /*

So, now I have stcsys user id created on mainframe with all

# cd .ssh
# ls -al
total 96
drwx--   2 MEAS OMVSGRP 8192 Jan 24 08:23 .
drwxr-xr-x   3 MEAS OMVSGRP 8192 Jan 24 08:22 ..
-rw---   1 MEAS OMVSGRP  791 Jan 24 08:36 authorized_keys
-rw---   1 MEAS OMVSGRP 1675 Jan 24 08:23 id_rsa
-rw-r--r--   1 MEAS OMVSGRP  396 Jan 24 08:25 id_rsa.pub
-rw-r--r--   1 MEAS OMVSGRP  697 Jan 29 10:26 known_hosts
# pwd
/u/stcsys/.ssh

and in AIX1 side, I have ftprpt user defined and

$ cd /home/ftprpt /.ssh
$ ls -al
total 48
drwx--2 ftprpt staff   256 Jan 13 15:37 .
drwxr-xr-x3 ftprpt staff  4096 Jan 15 12:15 ..
-rw-r--r--1 ftprptstaff   791 Jan 15 12:12 authorized_keys
-rw-r--r--1 ftprpt staff   395 Jan 13 15:37 authorized_keys.old
-rw---1 ftprpt staff  1675 Dec 11 14:25 id_rsa
-rw-r--r--1 ftprpt staff   394 Dec 11 14:25 id_rsa.pub
-rw-r--r--1 ftprpt staff   352 Jan 15 10:31 known_hosts
$

and we exchanged rsa.pub key in authorized_keys file and exchanged ECDSA.pub
key in  known_hosts file but while running Job, I am getting below issue.

OpenSSH_6.4, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Reading configuration data /etc/ssh/zos_ssh_config
debug1: zsshSmfSetConnSmfStatus: SMF status is 0
debug1: Connecting to 10.22.22.220 Ý10.22.22.220¨ port 22.
debug1: Connection established.
debug1: cipher_init: none from source OpenSSL
debug1: cipher_init: none from source OpenSSL
debug1: permanently_set_uid: 0/1000
debug1: identity file /u/stcsys/.ssh/id_rsa type 1
debug1: identity file /u/stcsys/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0
debug1: match: OpenSSH_6.0 pat OpenSSH*
FOTS1061 key_read: uudecode E2VjZHNhLXNoYTItbmlzdHAyNTYIbm
lzdHAyNTYAAAB
 failed
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: mac_setup_by_alg: hmac-sha1 from source OpenSSL
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: mac_setup_by_alg: hmac-sha1 from source OpenSSL
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA ce:14:d1:2f:b2:d1:7c:83:12:9a:16:1e:31:9d:b6:b7
FOTS1061 key_read: uudecode E2VjZHNhLXNoYTItbmlzdHAyNTYIbm
lzdHAyNTYAAAB
 failed
debug1: read_passphrase: can't open /dev/tty: EDC5128I No such device.
(errno2=0
FOTS1370 Host key verification failed.
debug1: zsshSmfSetConnSmfStatus: SMF status is 0
FOTS0841 Connection closed

Can you please help, if I am not following correct way on this new setup or
I should be using same userid on both mainframe and aix side for exchanging
keys with password less.

Thanks in advance.

Thanks & Regards
Venkat
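
The debug log in the post above reports `FOTS1061 key_read: uudecode ... failed` for a stored key and then a server host key of type RSA, while the post says an ECDSA key was placed in known_hosts. As an added example (not from the thread, IBM or OpenSSH), this Python check flags known_hosts entries whose base64 key does not parse and reports whether a usable entry exists for the key type the server offers. The function names are hypothetical, the sample key is constructed, and plain (unhashed, non-wildcard) host names are assumed.

```python
import base64
import binascii
import struct

def pack(*fields: bytes) -> str:
    """Base64 of SSH wire-format fields (uint32 length + bytes), for sample data."""
    raw = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return base64.b64encode(raw).decode()

def check_line(line: str):
    """Return (hosts, key_type, problem); problem is None if the entry parses."""
    parts = line.split()
    if parts and parts[0].startswith("@"):      # @cert-authority / @revoked marker
        parts = parts[1:]
    if len(parts) < 3:
        return "", None, "expected 'hosts keytype base64' on one line"
    hosts, key_type, b64 = parts[:3]
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return hosts, key_type, "base64 does not decode (wrapped or truncated?)"
    fields, pos = [], 0
    while pos + 4 <= len(raw):                  # walk the length-prefixed fields
        (n,) = struct.unpack(">I", raw[pos:pos + 4])
        fields.append(raw[pos + 4:pos + 4 + n])
        pos += 4 + n
    if pos != len(raw) or not fields:
        return hosts, key_type, "key blob is truncated or has trailing bytes"
    if fields[0] != key_type.encode():
        return hosts, key_type, "key type inside blob differs from the declared type"
    return hosts, key_type, None

def audit(text: str, host: str, offered_type: str):
    """List problems that would stop `host` verifying with `offered_type`."""
    findings, usable = [], set()
    for num, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        hosts, key_type, problem = check_line(line)
        if problem:
            findings.append(f"line {num}: {problem}")
        elif host in hosts.split(","):
            usable.add(key_type)
    if offered_type not in usable:
        findings.append(f"no usable {offered_type} entry for {host}")
    return findings

# Constructed sample data: an all-zero curve point, not a real host key.
B64 = pack(b"ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64))
GOOD = f"10.22.22.220 ecdsa-sha2-nistp256 {B64}\n"
DAMAGED = f"10.22.22.220 ecdsa-sha2-nistp256 {B64[:30]}\n{B64[30:]}\n"
```

A well-formed key blob starts with a 4-byte length, so its base64 text begins with `AAAA`; `audit(GOOD, "10.22.22.220", "ssh-rsa")` returns one finding because only an ECDSA entry is stored for that host.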
