Re: [EXTERNAL] z/OS 2.4 and FTP server with FTP ATTLS verifying client certificates

2020-10-28 Thread PINION, RICHARD W.
What I have may not be the best.  This is my first attempt at this.  
And, I'm no expert in this area.  If you see things that I shouldn't
be using, please let me know.  This is what I cobbled together
from the zOSMF Network thing, and Googling.  So, please be
kind in your criticism.

TTLSRule                          FTPRule
{
   LocalPortRange                 0
   Direction                      Both
   TTLSGroupActionRef             FTPGroup
   TTLSEnvironmentActionRef       FTPEnvironment
   TTLSConnectionActionRef        FTPConnectAct
}
TTLSGroupAction                   FTPGroup
{
   TTLSEnabled                    On
   Trace                          254
}
TTLSEnvironmentAction             FTPEnvironment
{
   HandshakeRole                  ServerWithClientAuth
   TTLSKeyRingParms
   {
      Keyring                     /usr/local/certificates/BCI.kdb
      KeyringStashFile            /usr/local/certificates/BCI.sth
   }
}
TTLSConnectionAction              FTPConnectAct
{
   TTLSConnectionAdvancedParmsRef FTPAdvPrm
   Trace                          254
}
TTLSConnectionAdvancedParms       FTPAdvPrm
{
   SecondaryMap                   On
   ApplicationControlled          On
   TLSv1                          On
   TLSv1.1                        On
   TLSv1.2                        On
}

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Marshall Stone
Sent: Wednesday, October 28, 2020 11:09 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [EXTERNAL] z/OS 2.4 and FTP server with FTP ATTLS verifying client 
certificates

[External Email. Exercise caution when clicking links or opening attachments.]

Reply with your PAGENT rules for FTPS - you need a client and a server rule

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
PINION, RICHARD W.
Sent: Wednesday, October 28, 2020 10:43 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] z/OS 2.4 and FTP server with FTP ATTLS verifying client 
certificates

I've been working with z/OS 2.4's FTP server using AT-TLS with certificates for 
the last few days.  PAGENT is set up, and it seems to be functioning correctly.  
I've finally gotten to the point of the client sending in a certificate and 
logging on without having to specify a password, which is what I wanted.
I'm using Core FTP LE as my ftp client.

I'm almost through the door, so to speak, but when I get to the point of 
getting a directory listing on Core FTP, on the z/OS side I get this error.

protDataConnAttls: ioctl() failed on SIOCTTLSCTL - EDC8148I Protocol error. 
(errno2=0x77B70291)

At this point the TLS negotiation fails, and the data connection is closed.  
Below the EDC8148I message text are my FTP Server options.  One more piece of 
information, z/OS 2.4 is running under VM.

Looking up EDC8148I,

EDC8148I   Protocol error.
Explanation

A protocol error occurred. This error is device-specific, but is usually not 
caused by a hardware failure.

System action

The request fails. The application continues to run.

Programmer response

Proceed with cleanup of the application resources, and then close the socket. 
When the socket has been freed, the application may begin the process again.


My z/OS FTP server options are,

TLSMECHANISM  ATTLS

EXTENSIONS    AUTH_TLS      ; Enable TLS authentication
                            ; Default is disabled.

SECURE_FTP    ALLOWED       ; Authentication indicator
                            ; ALLOWED(D)
                            ; REQUIRED

SECURE_LOGIN  VERIFY_USER   ; Authorization level indicator
                            ; for TLS
                            ; NO_CLIENT_AUTH (D)
                            ; REQUIRED
                            ; VERIFY_USER

SECURE_PASSWORD   OPTIONAL  ; REQUIRED (D) - User must enter
                            ;   password
                            ; OPTIONAL - User does not have to
                            ;   enter a password
                            ; This setting has meaning only
                            ; for TLS when implementing client
                            ; certificate authentication
SECURE_CTRLCONN   PRIVATE   ; Minimum level of security for
                            ; the control connection
                            ; CLEAR  (D)
                            ; SAFE
                            ; PRIVATE

SECURE_DATACONN   PRIVATE   ; Minimum level of security for
                            ; the data connection
                            ; NEVER
                            ; CLEAR  (D)
                            ; SAFE
                            ; PRIVATE

SECURE_PBSZ   16384 ; Kerberos maximum size of the
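Added example, not code from the poster, the list, or IBM: a small Python linter for an AT-TLS policy written in the form of the PAGENT rules posted above. It parses the policy into named blocks and reports the points a reviewer would raise about that rule: a TTLSRule with no Jobname and no control-port LocalPortRange, Trace 254 (debug level) left in, TLSv1 and TLSv1.1 still On, and no TTLSCipherParms on any action, which leaves the negotiated suites to the AT-TLS default list. Because TLSMECHANISM ATTLS hands the handshake to AT-TLS, it is this policy, not the FTP.DATA CIPHERSUITE list, that decides which protocol versions and suites are offered. Both policies in the block are constructed: the first restates the posted rule on fewer lines, the second is an assumed hardened variant whose job name (FTPD*), port, cipher suite and version settings are illustrative assumptions, not settings the thread established.

```python
"""Lint a PAGENT AT-TLS policy for a z/OS FTP server rule.

Added example. The two policies at the bottom are constructed: the first
mirrors the rule posted in the thread, the second is an assumed hardened
variant; neither was taken from a live system."""

# Protocol versions a reviewer expects to see Off on an FTP server rule.
OLD_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
ACTIONS = ("TTLSEnvironmentAction", "TTLSConnectionAction")


def parse_attls(text):
    """Return {(block_type, name): {keyword: value}} for AT-TLS policy text.

    The policy is whitespace-delimited and '#' starts a comment. A named
    block looks like 'TTLSRule FTPRule { ... }'; an unnamed nested parms
    block such as 'TTLSKeyringParms { ... }' is flattened into its parent."""
    toks = " ".join(line.split("#", 1)[0] for line in text.splitlines()).split()
    blocks, stack, i = {}, [], 0
    while i < len(toks):
        tok, i = toks[i], i + 1
        if tok == "}":
            stack.pop()
        elif i < len(toks) and toks[i] == "{":      # unnamed nested block
            stack.append(stack[-1])
            i += 1
        else:
            val, i = toks[i], i + 1
            if i < len(toks) and toks[i] == "{":  # named block header
                stack.append((tok, val))
                blocks.setdefault(stack[-1], {})
                i += 1
            else:
                blocks[stack[-1]][tok] = val
    return blocks


def lint_attls(text):
    """Return the list of findings for one policy; empty means nothing fired."""
    blocks, findings = parse_attls(text), []
    for (btype, name), kv in blocks.items():
        tag = f"{btype} {name}"
        if btype == "TTLSRule":
            if "Jobname" not in kv:
                findings.append(f"{tag}: no Jobname, rule is not tied to the FTP server job")
            if kv.get("LocalPortRange", "0") == "0":
                findings.append(f"{tag}: LocalPortRange does not pin the FTP control port")
        if "Trace" in kv and int(kv["Trace"]) > 2:
            findings.append(f"{tag}: Trace {kv['Trace']} is debug-level tracing")
        for proto in OLD_PROTOCOLS:
            if kv.get(proto, "Off").lower() == "on":
                findings.append(f"{tag}: {proto} On enables a legacy protocol version")
    # Without cipher parms on an action, the AT-TLS default suite list is negotiated.
    if not any("TTLSCipherParmsRef" in kv or "V3CipherSuites" in kv
               for (bt, _), kv in blocks.items() if bt in ACTIONS):
        findings.append("no cipher parms on any action: the AT-TLS default cipher list applies")
    return findings


# Constructed: the thread's rule, restated on fewer lines.
POSTED_POLICY = """
TTLSRule FTPRule { LocalPortRange 0  Direction Both
  TTLSGroupActionRef FTPGroup  TTLSEnvironmentActionRef FTPEnvironment
  TTLSConnectionActionRef FTPConnectAct }
TTLSGroupAction FTPGroup { TTLSEnabled On  Trace 254 }
TTLSEnvironmentAction FTPEnvironment { HandshakeRole ServerWithClientAuth
  TTLSKeyringParms { Keyring /usr/local/certificates/BCI.kdb } }
TTLSConnectionAction FTPConnectAct { TTLSConnectionAdvancedParmsRef FTPAdvPrm  Trace 254 }
TTLSConnectionAdvancedParms FTPAdvPrm { SecondaryMap On  ApplicationControlled On
  TLSv1 On  TLSv1.1 On  TLSv1.2 On }
"""

# Constructed, assumed hardened variant: job name, port, suite and versions are
# illustrative choices, not values the thread established.
HARDENED_POLICY = """
TTLSRule FTPServerRule { LocalPortRange 21  Direction Inbound  Jobname FTPD*
  TTLSGroupActionRef FTPGroup  TTLSEnvironmentActionRef FTPEnvironment
  TTLSConnectionActionRef FTPConnectAct }
TTLSGroupAction FTPGroup { TTLSEnabled On  Trace 2 }
TTLSEnvironmentAction FTPEnvironment { HandshakeRole ServerWithClientAuth
  TTLSKeyringParms { Keyring /usr/local/certificates/BCI.kdb }
  TTLSCipherParmsRef FTPCiphers }
TTLSConnectionAction FTPConnectAct { TTLSConnectionAdvancedParmsRef FTPAdvPrm }
TTLSConnectionAdvancedParms FTPAdvPrm { SecondaryMap On  ApplicationControlled On
  TLSv1 Off  TLSv1.1 Off  TLSv1.2 On }
TTLSCipherParms FTPCiphers { V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 }
"""

if __name__ == "__main__":
    for label, policy in (("posted", POSTED_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, *(lint_attls(policy) or ["clean"]), sep="\n  ")
```

Run directly, it prints the findings for both policies: the posted rule yields seven, the hardened variant none. The parser flattens nested parms blocks into their parent, so an inline TTLSCipherParms block inside an action counts the same as a TTLSCipherParmsRef. SecondaryMap On is kept in both variants because the FTP data connections have to inherit the control connection's rule; the linter does not judge it.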
   

Re: [EXTERNAL] z/OS 2.4 and FTP server with FTP ATTLS verifying client certificates

2020-10-28 Thread Marshall Stone
Reply with your PAGENT rules for FTPS - you need a client and a server rule

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
PINION, RICHARD W.
Sent: Wednesday, October 28, 2020 10:43 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [EXTERNAL] z/OS 2.4 and FTP server with FTP ATTLS verifying client 
certificates

I've been working with z/OS 2.4's FTP server using AT-TLS with certificates for 
the last few days.  PAGENT is set up, and it seems to be functioning correctly.  
I've finally gotten to the point of the client sending in a certificate and 
logging on without having to specify a password, which is what I wanted.
I'm using Core FTP LE as my ftp client.

I'm almost through the door, so to speak, but when I get to the point of 
getting a directory listing on Core FTP, on the z/OS side I get this error.

protDataConnAttls: ioctl() failed on SIOCTTLSCTL - EDC8148I Protocol error. 
(errno2=0x77B70291)

At this point the TLS negotiation fails, and the data connection is closed.  
Below the EDC8148I message text are my FTP Server options.  One more piece of 
information, z/OS 2.4 is running under VM.

Looking up EDC8148I,

EDC8148I   Protocol error.
Explanation

A protocol error occurred. This error is device-specific, but is usually not 
caused by a hardware failure.

System action

The request fails. The application continues to run.

Programmer response

Proceed with cleanup of the application resources, and then close the socket. 
When the socket has been freed, the application may begin the process again.


My z/OS FTP server options are,

TLSMECHANISM  ATTLS

EXTENSIONS    AUTH_TLS      ; Enable TLS authentication
                            ; Default is disabled.

SECURE_FTP    ALLOWED       ; Authentication indicator
                            ; ALLOWED(D)
                            ; REQUIRED

SECURE_LOGIN  VERIFY_USER   ; Authorization level indicator
                            ; for TLS
                            ; NO_CLIENT_AUTH (D)
                            ; REQUIRED
                            ; VERIFY_USER

SECURE_PASSWORD   OPTIONAL  ; REQUIRED (D) - User must enter
                            ;   password
                            ; OPTIONAL - User does not have to
                            ;   enter a password
                            ; This setting has meaning only
                            ; for TLS when implementing client
                            ; certificate authentication
SECURE_CTRLCONN   PRIVATE   ; Minimum level of security for
                            ; the control connection
                            ; CLEAR  (D)
                            ; SAFE
                            ; PRIVATE

SECURE_DATACONN   PRIVATE   ; Minimum level of security for
                            ; the data connection
                            ; NEVER
                            ; CLEAR  (D)
                            ; SAFE
                            ; PRIVATE

SECURE_PBSZ   16384         ; Kerberos maximum size of the
                            ; encoded data blocks
                            ; Default value is 16384
                            ; Valid range is 512 through 32768

SECURE_SESSION_REUSE  REQUIRED  ; Specify whether session reuse is
                            ; required when SSL/TLS is being
                            ; used to protect the connections
                            ; ALLOWED(D)
CIPHERSUITE   SSL_NULL_MD5    ; 01
CIPHERSUITE   SSL_NULL_SHA    ; 02
CIPHERSUITE   SSL_RC4_MD5_EX  ; 03
CIPHERSUITE   SSL_RC4_MD5     ; 04
CIPHERSUITE   SSL_RC4_SHA     ; 05
CIPHERSUITE   SSL_RC2_MD5_EX  ; 06
CIPHERSUITE   SSL_DES_SHA     ; 09
CIPHERSUITE   SSL_3DES_SHA    ; 0A
CIPHERSUITE   SSL_AES_128_SHA ; 2F
CIPHERSUITE   SSL_AES_256_SHA ; 35

KEYRING /usr/local/certificates/BCI.kdb ; Name of the keyring for TLS
                            ; It can be the name of an HFS
                            ; file (name starts with /) or
                            ; a resource name in the security
                            ; product (e.g., RACF)
TLSTIMEOUT    100           ; Maximum time limit between full