Re: z/OS FTPS Client Linux FTP server

2014-05-13 Thread Neil Duffee
- From: Mark Pace [mailto:pacemainl...@gmail.com] Sent: May 12, 2014 14:42 Subject: Re: z/OS FTPS Client Linux FTP server EZA1554I Connecting to: 10.6.0.10 port: 21. [snip] EDC8121I Connection reset. (errno2=0x77B17343) EZA2897I Authentication negotiation failed EZA1534I *** Control

Re: z/OS FTPS Client Linux FTP server

2014-05-12 Thread Mark Pace
Subject: Re: z/OS FTPS Client Linux FTP server Sorry, confused, again. We currently do userid/password authentication - without SSL. On Fri, May 9, 2014 at 1:42 PM, Gibney, Dave gib...@wsu.edu wrote: Well, if you are doing the SSL server stuff

Re: z/OS FTPS Client Linux FTP server

2014-05-12 Thread Mark Pace
or vsftp :) -Original Message- From: IBM Mainframe Discussion List [mailto: IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace Sent: Friday, May 09, 2014 1:00 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server WOAH, WOAH, WOAH

Re: z/OS FTPS Client Linux FTP server

2014-05-12 Thread Donald J.
You need ApplicationControlled On as well as SecondaryMap On. Issue this command to see your resultant config: pasearch -p TCPIP tcpip.pagent.dat -- Donald J. dona...@4email.net TTLSEnvironmentAdvancedParms { SecondaryMap On -- http://www.fastmail.fm - The way

Re: z/OS FTPS Client Linux FTP server

2014-05-12 Thread Mark Pace
EZA1554I Connecting to: 10.6.0.10 port: 21. 220-Welcome to Mainline's FTP Server. 220- 220-This FTP server is limited to use by Mainline employees, customers 220-and authorized business partners. 220- 220-NOTE: All files may be deleted after 30 days. 220 GU5349 ftpSetApplData: entered FC0254

Re: z/OS FTPS Client Linux FTP server

2014-05-12 Thread Donald J.
A GSK trace is most likely needed. Did you ever resolve the intermediate certificate issue I mentioned on my May 8 message? Your ftp.s390.mainline.com server certificate is issued by the GoDaddy intermediate cert: Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc.,

Re: z/OS FTPS Client Linux FTP server

2014-05-12 Thread Mark Pace
Donald - I really don't understand this whole certificate thing. And only working with them once every couple of years, I quickly forget what little bit I learned. However I was able to follow your logic about the certificates, root and intermediate. I added the intermediate cert and now I can

Re: z/OS FTPS Client Linux FTP server

2014-05-10 Thread Rob Schramm
on Linux or vsftp :) -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace Sent: Friday, May 09, 2014 1:00 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server WOAH, WOAH, WOAH

Re: z/OS FTPS Client Linux FTP server

2014-05-09 Thread Mark Pace
:55 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server Mark, This may be yet another case where running strace or ltrace on the server side will give you some insight into what is going on. If you don't want to go down that road, I would say it's time

Re: z/OS FTPS Client Linux FTP server

2014-05-09 Thread Rob Schramm
To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server Mark, This may be yet another case where running strace or ltrace on the server side will give you some insight into what is going on. If you don't want to go down that road, I would say it's time

Re: z/OS FTPS Client Linux FTP server

2014-05-09 Thread Rob Schramm
-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Post Sent: Wednesday, May 07, 2014 12:55 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server Mark, This may be yet another case where running strace or ltrace on the server side will give you some

Re: z/OS FTPS Client Linux FTP server

2014-05-09 Thread Mark Pace
[mailto: IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Post Sent: Wednesday, May 07, 2014 12:55 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server Mark, This may be yet another case where running strace or ltrace on the server side

Re: z/OS FTPS Client Linux FTP server

2014-05-09 Thread Gibney, Dave
Pace Sent: Friday, May 09, 2014 5:47 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server I was able to get the Trace to work - after removing the -r TLS, that generated an error. *EZA2892I Secure port 21 does not allow the -a or -r start parameter * And from

Re: z/OS FTPS Client Linux FTP server

2014-05-09 Thread Mark Pace
a working connection using userid/password authentication. -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace Sent: Friday, May 09, 2014 5:47 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server

Re: z/OS FTPS Client Linux FTP server

2014-05-09 Thread Gibney, Dave
[mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace Sent: Friday, May 09, 2014 9:19 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server Oh yes. We've been doing it that way for years. Trying to add the ability to secure the log in process. On Fri, May 9

Re: z/OS FTPS Client Linux FTP server

2014-05-09 Thread Mark Pace
@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server I was able to get the Trace to work - after removing the -r TLS, that generated an error. *EZA2892I Secure port 21 does not allow the -a or -r start parameter * And from that trace it appears, to me

Re: z/OS FTPS Client Linux FTP server

2014-05-09 Thread Gibney, Dave
for it. -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace Sent: Friday, May 09, 2014 10:58 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server Sorry, confused, again. We currently do userid

Re: z/OS FTPS Client Linux FTP server

2014-05-09 Thread Mark Pace
, 2014 10:58 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server Sorry, confused, again. We currently do userid/password authentication - without SSL. On Fri, May 9, 2014 at 1:42 PM, Gibney, Dave gib...@wsu.edu wrote: Well, if you are doing the SSL

Re: z/OS FTPS Client Linux FTP server

2014-05-09 Thread Gibney, Dave
Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace Sent: Friday, May 09, 2014 1:00 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server WOAH, WOAH, WOAH, what the hell? I copied and pasted your FTP.DATA file into my FTP.DATA file

Re: z/OS FTPS Client Linux FTP server

2014-05-09 Thread Mark Pace
@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server WOAH, WOAH, WOAH, what the hell? I copied and pasted your FTP.DATA file into my FTP.DATA file and now it works. Now I just have to determine what was different on yours than every iteration that I have been through

Re: z/OS FTPS Client Linux FTP server

2014-05-08 Thread Donald J.
Kevin is right about the complete chain. I issued this openssl command: openssl s_client -connect ftp.s390.mainline.com:21 -starttls ftp -tls1 -CAfile gd-class2-root.crt and got error: Verify return code: 21 (unable to verify the first certificate) I created a cacerts file with both the

Re: z/OS FTPS Client Linux FTP server

2014-05-08 Thread Mark Pace
Pace Sent: Wednesday, May 07, 2014 1:01 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server Yes, I did the digtcert refresh Digital ring information for user IBMUSER: Ring: FtpSecur Certificate Label Name Cert Owner USAGE

Re: z/OS FTPS Client Linux FTP server

2014-05-08 Thread Donald J.
The root cert is all that should be needed on the z/OS side, if linux side is set up correctly. But as mentioned in my last email, it doesn't look like the linux side cert file is complete. Your server cert is issued by a GoDaddy intermediate cert, which is issued by a GoDaddy root cert. I

z/OS FTPS Client Linux FTP server

2014-05-07 Thread Mark Pace
Has anyone successfully sent data to a Linux FTP server using TLS security from the z/OS FTP client? I have a Linux server running vsftpd - I've been using it for years to send SMF data. I've added TLS support to this server. I've verified that the Secure connect works via a Filezilla client,

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Paul Gilmartin
On Wed, 7 May 2014 08:25:47 -0400, Mark Pace wrote: Has anyone successfully sent data to a Linux FTP server using TLS security from the z/OS FTP client? Is SFTP an option? -- gil -- For IBM-MAIN subscribe / signoff / archive

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Donald J.
Make sure client and server have a common cipher. SSL_AES_128_SHA and SSL_AES_256_SHA are probably more commonly used than SSL_RC4_SHA. Make sure the Linux root certificate is in your z/OS client keyring. -- Donald J. -- http://www.fastmail.fm - A no graphics, no pop-ups email service

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Mark Pace
The cipher was one of my early problems. But I figured that one out. vsftpd - ssl_ciphers=RC4-SHA z/OS - CIPHERSUITE SSL_RC4_SHA I'm certain that this Keyring is (part of) my problem. Stumbling through RACF I have found that the GoDaddy Root CA is already defined in z/OS, but still trying to

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Donald J.
racdcert id(userid) listring(ring.name) racdcert id(userid) connect(ring(ring.name) LABEL('GoDaddy Root Label') CERTAUTH usage(CERTAUTH) ) -- Donald J. On Wed, May 7, 2014, at 06:34 AM, Mark Pace wrote: The cipher was one of my early problems. But I figured that one out. vsftpd -

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Chase, John
). -jc- -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace Sent: Wednesday, May 07, 2014 8:34 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server The cipher was one of my early problems. But I

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Mark Pace
FTPS Client Linux FTP server The cipher was one of my early problems. But I figured that one out. vsftpd - ssl_ciphers=RC4-SHA z/OS - CIPHERSUITE SSL_RC4_SHA I'm certain that this Keyring is (part of) my problem. Stumbling through RACF I have found that the GoDaddy Root CA

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Mark Pace
: Re: z/OS FTPS Client Linux FTP server The cipher was one of my early problems. But I figured that one out. vsftpd - ssl_ciphers=RC4-SHA z/OS - CIPHERSUITE SSL_RC4_SHA I'm certain that this Keyring is (part of) my problem. Stumbling through RACF I have found that the GoDaddy

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Donald J.
(default is NOTRUST). -jc- -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace Sent: Wednesday, May 07, 2014 8:34 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server The cipher

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Donald J.
: z/OS FTPS Client Linux FTP server The cipher was one of my early problems. But I figured that one out. vsftpd - ssl_ciphers=RC4-SHA z/OS - CIPHERSUITE SSL_RC4_SHA I'm certain that this Keyring is (part of) my problem. Stumbling through RACF I have found that the GoDaddy

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Mark Pace
). -jc- -Original Message- From: IBM Mainframe Discussion List [mailto: IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace Sent: Wednesday, May 07, 2014 8:34 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server The cipher

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Paul Gilmartin
On Wed, 7 May 2014 11:06:32 -0400, Mark Pace wrote: First - thank you for the manual number so that I can look these up. I've no idea what AT-TLS environment means. By rote memorization: Application Transparent Transport Layer Security. Transparent would seem to imply that the Application (in

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Donald J.
The DEFAULT YES would be used for a client certificate, not for a CERTAUTH entry. -- Donald J. Digital ring information for user IBMUSER: Ring: FtpSecur Certificate Label Name Cert Owner USAGE DEFAULT

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Mark Pace
Crap - I've gotten myself so confused. That was a client certificate I put in many years ago when we did SSL on our TN3270 connections. I think I still need to add the Go Daddy root certificate, which is what I thought that one was. How I hate this stuff. On Wed, May 7, 2014 at 11:43 AM, Donald

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Skip Robinson
jo.skip.robin...@sce.com From: Donald J. dona...@4email.net To: IBM-MAIN@LISTSERV.UA.EDU, Date: 05/07/2014 08:43 AM Subject: Re: z/OS FTPS Client Linux FTP server Sent by: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU The DEFAULT YES would be used for a client

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Mark Pace
Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 626-302-7535 Office 323-715-0595 Mobile jo.skip.robin...@sce.com From: Donald J. dona...@4email.net To: IBM-MAIN@LISTSERV.UA.EDU, Date: 05/07/2014 08:43 AM Subject: Re: z/OS FTPS Client Linux FTP server Sent

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Rob Schramm
It is definitely TLS and not ATTLS. GSKSRVR trace is your friend. Biggest issues that I have had: - Self signed certs are not allowed courtesy of TLS 1.0 - RFC level is very important!!! - Firewalls and extended pasv are not supported by many clients Rob On May 7, 2014 11:51 AM, Mark Pace

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Mark Pace
These are not self signed certs. It was issued by Go Daddy. Why I was trying to add the Root authority certificate, and failed. Still researching what RFC level vsftpd uses for TLS. No firewalls involved, at least for this test. This is a hipersocket connection between z/OS and a Linux for System

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Brian France
cert you're interested in has TRUST status (default is NOTRUST). -jc- -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace Sent: Wednesday, May 07, 2014 8:34 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Mark Pace
is NOTRUST). -jc- -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace Sent: Wednesday, May 07, 2014 8:34 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server The cipher was one of my early

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Gibney, Dave
@LISTSERV.UA.EDU Subject: z/OS FTPS Client Linux FTP server Has anyone successfully sent data to a Linux FTP server using TLS security from the z/OS FTP client? I have a Linux server running vsftpd - I've been using it for years to send SMF data. I've added TLS support to this server. I've verified

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Mark Pace
. -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace Sent: Wednesday, May 07, 2014 5:26 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: z/OS FTPS Client Linux FTP server Has anyone successfully sent data to a Linux FTP

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Gibney, Dave
- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace Sent: Wednesday, May 07, 2014 12:02 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server And for giggles I setup another Linux FTP server - this one pure-ftpd - again

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Donald J.
You did do a: SETROPTS RACLIST(DIGTCERT) REFRESH after last changing the keyring? What does the LISTRING show now? Does the userid submitting the batch job have any ICH408I errors in the log? -- Donald J. -- http://www.fastmail.fm - Send your email first class

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Mark Post
On 5/7/2014 at 08:25 AM, Mark Pace pacemainl...@gmail.com wrote: I'm beginning to think I am doing something fundamentally wrong instead of it being a matter of wrong parameters. //FTP EXEC PGM=FTP,REGION=5M,PARM='(EXIT' //SYSPRINT DD SYSOUT=* //SYSFTPD DD

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Mark Pace
Hi, Mark - That is contained in the ftp.data file DD name SYSFTPD. In this case the DSN is MARPACE.JCL.CNTL(FTPSDATA) which contains SECURE_CTRLCONN CLEAR SECURE_DATACONN PRIVATE SECURE_FTP REQUIRED SECURE_HOSTNAME OPTIONAL SECURE_MECHANISM TLS KEYRING IBMUSER/FtpSecur TLSPORT

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Brian France
is commented out. -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace Sent: Wednesday, May 07, 2014 5:26 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: z/OS FTPS Client Linux FTP server Has anyone successfully sent data to a Linux FTP

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Mark Post
Mark, This may be yet another case where running strace or ltrace on the server side will give you some insight into what is going on. If you don't want to go down that road, I would say it's time to open up a PMR with IBM. Mark Post

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Mark Pace
Yes, I did the digtcert refresh Digital ring information for user IBMUSER: Ring: FtpSecur Certificate Label Name Cert Owner USAGE DEFAULT --- GeoTrust Global CA CERTAUTH

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Gibney, Dave
-Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Post Sent: Wednesday, May 07, 2014 12:55 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server Mark, This may be yet another case where running strace

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Mark Pace
Subject: Re: z/OS FTPS Client Linux FTP server Mark, This may be yet another case where running strace or ltrace on the server side will give you some insight into what is going on. If you don't want to go down that road, I would say it's time to open up a PMR with IBM. Mark Post

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Donald J.
You need to change that to DEFAULT NO. -- Donald J. dona...@4email.net On Wed, May 7, 2014, at 01:01 PM, Mark Pace wrote: Yes, I did the digtcert refresh Digital ring information for user IBMUSER: Ring: FtpSecur Certificate Label Name Cert Owner USAGE

Re: z/OS FTPS Client Linux FTP server

2014-05-07 Thread Neubert, Kevin
Of Mark Pace Sent: Wednesday, May 07, 2014 1:01 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: z/OS FTPS Client Linux FTP server Yes, I did the digtcert refresh Digital ring information for user IBMUSER: Ring: FtpSecur Certificate Label Name Cert Owner USAGE