Re: Batch SFTP without client keys or USS files?

2020-10-19 Thread Wendell Lovewell
I guess I misspoke.  I'm trying to connect to a server supporting SFTP on port 
.  FTP and FTPS on other ports.  Sorry.   

The Windows SFTP command works fine.  I just can't see the difference in my job 
between yours and Ed's.  

Thanks, 
Wendell

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Batch SFTP without client keys or USS files?

2020-10-19 Thread Kurt Quackenbush

On 10/16/2020 5:10 PM, Wendell Lovewell wrote:

Is this a typo?


Just a reminder: I'm going from a z/OS sftp client to a non-z/os ftp server 
where I can't store user keys.
Do you really mean you are connecting to a non-z/OS *FTP* server?  Or do 
you mean an *sftp* server?  'Cuz if the former, then that's the problem.


Kurt Quackenbush -- IBM, SMP/E Development
Chuck Norris never uses CHECK when he applies PTFs.



Re: Batch SFTP without client keys or USS files?

2020-10-17 Thread Wendell Lovewell
I'm sorry Rajesh.  I meant to say that the job will run on other z/OS systems.  
I can't require CO:Z to be present.



Re: Batch SFTP without client keys or USS files?

2020-10-17 Thread Srivastava, Rajesh K
I think "COZBATCH" is part of free COZ SFTP product download. 

Regards,

Rajesh



Re: Batch SFTP without client keys or USS files?

2020-10-17 Thread Wendell Lovewell
Thanks for asking, but no special characters.



Re: Batch SFTP without client keys or USS files?

2020-10-16 Thread Mike Hochee
Do you have any special characters in your password that might not be surviving 
code-page translate? 



Re: Batch SFTP without client keys or USS files?

2020-10-16 Thread Wendell Lovewell
Thank you Rajesh, but the job will be running on z/OS systems.  I cannot 
require any additional software like COZBATCH to be installed.

Best Regards, 
Wendell



Re: Batch SFTP without client keys or USS files?

2020-10-16 Thread Srivastava, Rajesh K
Dovetail works well for me.
A sample below:

//add jobcard
//SFTPPUT EXEC PROC=SFTPPROC
//SFTPIN DD *
host=sftp.ecurep.ibm.com
pwdsn="&SYSUID.SFTP.JCL(IBMPASS)"
user=""
. $script_dir/sftp_connect.sh <

Re: Batch SFTP without client keys or USS files?

2020-10-16 Thread Wendell Lovewell
Thanks Kurt!  I did see Ed's presentation, but at the time it was a solution 
for which I didn't have a problem, so it stayed in the bit bucket.

Unfortunately, even with your and Ed's expert help, I'm still stumped. I just 
don't seem to be able to get the "SSH_ASKPASS" to work, even after reading what 
literally seems to be everything on the Internet about it.  (My 2 hour job's 
gone 2 days now...)

Just a reminder: I'm going from a z/OS sftp client to a non-z/os ftp server 
where I can't store user keys.  StrictHostKeyChecking=no is saving the non-z/OS 
server's keys in ~/.ssh/known_hosts, but I need to specify a userid/pwd to 
access the server. 

What I have is:

// EXPORT SYMLIST=(*)
// SET FROM=USER.DFDSS.XMI
// SET TO=CUS12345.ESTFILE
//*
//SFTP EXEC PGM=BPXBATCH
//STDENV   DD *
SSH_ASKPASS=/tmp/sftp.pw.sh
DISPLAY=DISPLAY
//*
//STDPARM  DD *,SYMBOLS=JCLONLY
SH cd /tmp;
echo cp -Bv "//'&FROM'" /tmp/&TO;
cp -Bv "//'&FROM'" /tmp/&TO;

echo "echo 'ftppwd'"   > sftp.pw.sh;
chmod 700 sftp.pw.sh;

echo "cd /FTPDir"> sftp.cmds;
echo "put /tmp/&TO &TO"  >> sftp.cmds;
echo "quit"   >> sftp.cmds;
chmod 600 sftp.cmds;

echo '';
echo '-sftp.cmds contents:';
cat sftp.cmds;
echo '';
echo '-sftp.pw.sh contents:';
cat sftp.pw.sh;
echo '';

/bin/sftp -b sftp.cmds
-oBatchMode=no
-oPort=
-oPasswordAuthentication=yes
-oPreferredAuthentications=password
-oStrictHostKeyChecking=no
-oHostbasedAuthentication=no
-oCheckHostIP=no
-oPubkeyAuthentication=no
-oLogLevel=DEBUG2
-oUser=ftpuser
ftp.ftpserver.com;

rm sftp.pw.sh;
rm sftp.cmds;
rm &TO;
//*
//STDOUT   DD SYSOUT=M
//STDERR   DD SYSOUT=M
//*

Maybe my STDENV isn't getting read, but I can't prove it.  I'm getting:
FOTS1373 ftpu...@ftp.ftpserver.com: Permission denied 
(publickey,keyboard-interactive,password). 

Here's the tail of my output w/DEBUG1:
debug1: Host '[ftp.ftpserver.com]:' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:2
debug1: cipher_init: aes128-ctr from source CPACF, used in non-FIPS mode
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: cipher_init: aes128-ctr from source CPACF, used in non-FIPS mode
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: 
publickey,keyboard-interactive,password
debug1: No more authentication methods to try.
FOTS1373 ftpu...@ftp.ftpserver.com: Permission denied 
(publickey,keyboard-interactive,password).
debug1: zsshSmfSetConnSmfStatus: SMF status is 0
Connection closed.
FOTS0841 Connection closed

Here's the head, showing the contents of my sftp.pw.sh and sftp.cmds files:

cp -Bv //'USER.DFDSS.XMI' /tmp/CUS12345.ESTFILE
USER.DFDSS.XMI -> /tmp/CUS12345.ESTFILE: binary

-sftp.cmds contents:
cd /FTPDir
put /tmp/CUS12345.ESTFILE CUS12345.ESTFILE
quit

-sftp.pw.sh contents:
echo 'ftppwd'

FSUM1012 The initial working directory was not specified.
FSUM1006 A shell was not specified. Processing continues using the default 
shell name.
stty: !FSUMB045 failed to get termios attributes: EDC5134I Function not 
implemented.
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: zsshSmfSetConnSmfStatus: SMF status is 0
debug2: resolving "ftp.ftpserver.com" port 
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to ftp.ftpserver.com [192.208.58.102] port .
debug1: Connection established.
...

My /etc/ssh/ssh_config only has an entry for Ciphers and MACS - I think that's 
what IBM ships.  I don't have my own ~/.ssh/ssh_config.

Anyone have any ideas?  

Thanks again, 
Wendell



Re: Batch SFTP without client keys or USS files?

2020-10-16 Thread Paul Gilmartin
On Fri, 16 Oct 2020 09:27:07 -0400, Kurt Quackenbush wrote:
>
>> On 10/15/2020 8:36 PM, Wendell Lovewell wrote:
>>> Is it possible to code a proc that would invoke SFTP to transfer a
>>> file to or from a non-z/OS ftp server using only that server's public
>>> key and a userid/password combination like you would use for FTP or FTPS?
>>
>> Yes it is possible.  Check out the SSH_ASKPASS and DISPLAY environment
>> variables.  Here's a job snippet that should get you going in the right
>> direction.
> 
In almost any case there's the administrative requirement of configuring the
server to recognize the client's user's credentials: password, certificate,
public key, ...

The exception is for unrestricted access, as with anonymous FTP.  Is there
anonymous SFTP?  Publish the private key or password?

>//*
>//* Create the ssh_askpass script.  When called, this script echoes
>//* the password to the caller.  It is used for obtaining the password
>//* "interactively" when running sftp in the UNIX shell.
>//*
>//ASKPASS   EXEC PGM=IEBGENER
>//SYSPRINT  DD SYSOUT=*
>//SYSIN     DD DUMMY
>//SYSUT2    DD PATHOPTS=(OWRONLY,OCREAT,OTRUNC),
>//             PATHMODE=SIRWXU,FILEDATA=TEXT,
>//             PATH='/tgtWorkDir/Tttt/sftp.pw.sh'
>//SYSUT1    DD *
>echo 'password'
>/*
Stashing a password in a JCL member?  But with proper access rules this
is comparable to a suitably protected ~userID/.ssh/.

Does SFTP require that each directory in the path from "/" be suitably
protected?

-- gil



Re: Batch SFTP without client keys or USS files?

2020-10-16 Thread Kurt Quackenbush

On 10/16/2020 9:16 AM, Kurt Quackenbush wrote:

On 10/15/2020 8:36 PM, Wendell Lovewell wrote:
Is it possible to code a proc that would invoke SFTP to transfer a 
file to or from a non-z/OS ftp server using only that server's public 
key and a userid/password combination like you would use for FTP or FTPS?


Yes it is possible.  Check out the SSH_ASKPASS and DISPLAY environment 
variables.  Here's a job snippet that should get you going in the right 
direction.


Argh!  Sorry about the wrap.  Let me try again:

//*
//* Create the ssh_askpass script.  When called, this script echoes
//* the password to the caller.  It is used for obtaining the password
//* "interactively" when running sftp in the UNIX shell.
//*
//ASKPASS   EXEC PGM=IEBGENER
//SYSPRINT  DD SYSOUT=*
//SYSIN     DD DUMMY
//SYSUT2    DD PATHOPTS=(OWRONLY,OCREAT,OTRUNC),
//             PATHMODE=SIRWXU,FILEDATA=TEXT,
//             PATH='/tgtWorkDir/Tttt/sftp.pw.sh'
//SYSUT1    DD *
echo 'password'
/*
//*
//* Execute sftp in the UNIX shell.
//*
//* Environment variables:
//*   SSH_ASKPASS -- identifies a script or program that returns the
//*     password.
//*   DISPLAY -- identifies the X11 server.  Any non-null value
//*     enables the SSH_ASKPASS program to read the password.
//*
//* sftp options:
//*   -oBatchMode=no -- batch mode is disabled, thus allowing the
//*      password to be obtained "interactively".
//*   -b filename -- identifies the file containing the sftp commands.
//*   -oStrictHostKeyChecking=no -- allows connection to servers that
//*      are not identified in the client ~/.ssh/known_hosts file.
//*   -oPort -- identifies the port on which the server is listening.
//*
//SFTP      EXEC PGM=BPXBATCH
//STDENV    DD *
SSH_ASKPASS=/tgtWorkDir/Tttt/sftp.pw.sh
DISPLAY=FOOBAR
/*
//STDPARM   DD *
SH /bin/sftp
-b /tgtWorkDir/Tttt/sftp.cmds
-oBatchMode=no
-oStrictHostKeyChecking=no
-oPort=22
use...@source.sftp.host.name
/*
//STDOUT    DD SYSOUT=*
//STDERR    DD SYSOUT=*

I didn't attend but I heard Ed Jaffe in the recent online SHARE 
discussed this very topic in the Bit Bucket session.  I would check out 
his slides if you have access.

Kurt Quackenbush -- IBM, SMP/E Development
Chuck Norris never uses CHECK when he applies PTFs.

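The SSH_ASKPASS/DISPLAY technique from Kurt's snippet, written as shell functions so each piece can be checked before the job talks to a server; this is an added example, not code from the thread. It departs from the jobs above in two ways: the password is read from a file the job owner controls instead of being written into the script (and is never printed to the job log), and the server's host key is pinned in a private known_hosts, which keeps StrictHostKeyChecking on. All function names, the work directory and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not Kurt's or Wendell's job. Assumed names: sftp.pw.sh,
# known_hosts and sftp.cmds inside a private work directory, plus every
# function below.

# Create the askpass script in a private directory.
# $1 = work directory, $2 = file holding the password (one line).
# umask 077 makes the directory and script private from the moment they
# exist; a chmod after the fact, as in the thread's jobs, leaves a window.
make_askpass() (
    umask 077
    mkdir -p "$1" || exit 1
    # On z/OS the password file can be a RACF-protected MVS data set copied
    # in with cp "//'HLQ.SFTP.PW'", as Wendell's job does for its payload.
    printf '#!/bin/sh\n# prompt text arrives in $1 and is ignored\ncat "%s"\n' "$2" \
        > "$1/sftp.pw.sh" || exit 1
    chmod 700 "$1/sftp.pw.sh" || exit 1
    printf '%s\n' "$1/sftp.pw.sh"
)

# Check the askpass script the way a job should, without printing the
# password into SYSOUT (Wendell's job cats sftp.pw.sh into the job log).
# $1 = askpass script. Returns 0 when it is mode 700 and yields a password.
check_askpass() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rwx------" ] || { echo "bad mode $mode on $1" >&2; return 1; }
    pw=$(sh "$1") || return 1
    [ -n "$pw" ] || { echo "askpass script produced no password" >&2; return 1; }
}

# Write the server's host key into a private known_hosts file. The key is
# distributed with the job, as Wendell did with the FTPS server's .PEM.
# $1 = work directory, $2 = host, $3 = port, $4 = key type, $5 = base64 key.
# OpenSSH records hosts on a non-default port as "[host]:port".
make_known_hosts() (
    umask 077
    if [ "$3" = 22 ]; then h=$2; else h="[$2]:$3"; fi
    printf '%s %s %s\n' "$h" "$4" "$5" > "$1/known_hosts" || exit 1
    printf '%s\n' "$1/known_hosts"
)

# Run sftp as Kurt's snippet does: BatchMode=no so the client asks for a
# password, SSH_ASKPASS naming the script, DISPLAY set to any non-empty
# value so OpenSSH calls the script instead of a terminal. Host key checking
# stays strict because the key is already in the private known_hosts.
# $1 = work directory, $2 = sftp command file, $3 = port, $4 = user@host.
run_batch_sftp() {
    SSH_ASKPASS="$1/sftp.pw.sh" DISPLAY=batch \
    /bin/sftp -b "$2" -oBatchMode=no -oPort="$3" \
        -oUserKnownHostsFile="$1/known_hosts" -oStrictHostKeyChecking=yes \
        -oPreferredAuthentications=password "$4"
}

# Whole job, as BPXBATCH would run it. Not invoked here; a call looks like:
#   sftp_put_job /tmp/sftpwork.$$ /u/me/sftp.pw ftp.example.com 2222 \
#       ssh-rsa AAAA...base64... ftpuser /tmp/payload.bin /FTPDir/payload.bin
# The trap removes the askpass script and known_hosts whether or not sftp
# succeeds, so neither outlives the job.
sftp_put_job() {
    work=$1 pwfile=$2 host=$3 port=$4 ktype=$5 key=$6 user=$7 src=$8 dst=$9
    trap 'rm -rf "$work"' EXIT
    script=$(make_askpass "$work" "$pwfile") || return 1
    check_askpass "$script" || return 1
    make_known_hosts "$work" "$host" "$port" "$ktype" "$key" >/dev/null || return 1
    printf 'put %s %s\nquit\n' "$src" "$dst" > "$work/sftp.cmds"
    run_batch_sftp "$work" "$work/sftp.cmds" "$port" "$user@$host"
}
```

The check functions run without a server; only sftp_put_job needs a reachable host, and on z/OS the same sequence can sit in STDPARM behind BPXBATCH exactly as in the jobs above.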


Re: Batch SFTP without client keys or USS files?

2020-10-16 Thread Kurt Quackenbush

On 10/15/2020 8:36 PM, Wendell Lovewell wrote:

Is it possible to code a proc that would invoke SFTP to transfer a file to or 
from a non-z/OS ftp server using only that server's public key and a 
userid/password combination like you would use for FTP or FTPS?


Yes it is possible.  Check out the SSH_ASKPASS and DISPLAY environment 
variables.  Here's a job snippet that should get you going in the right 
direction.


//*
//* Create the ssh_askpass script.  When called, this script echoes
//* the password to the caller.  It is used for obtaining the password
//* "interactively" when running sftp in the UNIX shell.
//*
//ASKPASS   EXEC PGM=IEBGENER
//SYSPRINT  DD SYSOUT=*
//SYSIN     DD DUMMY
//SYSUT2    DD PATHOPTS=(OWRONLY,OCREAT,OTRUNC),
//             PATHMODE=SIRWXU,FILEDATA=TEXT,
//             PATH='/tgtWorkDir/Tttt/sftp.pw.sh'
//SYSUT1    DD *
echo 'password'
/*
//*
//* Execute sftp in the UNIX shell.
//*
//* Environment variables:
//*   SSH_ASKPASS -- identifies a script or program that returns the
//*     password.
//*   DISPLAY -- identifies the X11 server.  Any non-null value
//*     enables the SSH_ASKPASS program to read the password.
//*
//* sftp options:
//*   -oBatchMode=no -- batch mode is disabled, thus allowing the
//*      password to be obtained "interactively".
//*   -b filename -- identifies the file containing the sftp commands.
//*   -oStrictHostKeyChecking=no -- allows connection to servers that
//*      are not identified in the client ~/.ssh/known_hosts file.
//*   -oPort -- identifies the port on which the server is listening.
//*
//SFTP      EXEC PGM=BPXBATCH
//STDENV    DD *
SSH_ASKPASS=/tgtWorkDir/Tttt/sftp.pw.sh
DISPLAY=FOOBAR
/*
//STDPARM   DD *
SH /bin/sftp
-b /tgtWorkDir/Tttt/sftp.cmds
-oBatchMode=no
-oStrictHostKeyChecking=no
-oPort=22
use...@source.sftp.host.name
/*
//STDOUT    DD SYSOUT=*
//STDERR    DD SYSOUT=*

I didn't attend but I heard Ed Jaffe in the recent online SHARE 
discussed this very topic in the Bit Bucket session.  I would check out 
his slides if you have access.


Kurt Quackenbush -- IBM, SMP/E Development
Chuck Norris never uses CHECK when he applies PTFs.



Re: Batch SFTP without client keys or USS files?

2020-10-16 Thread Allan Staller
Up to the "foreign host"

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Paul Gilmartin
Sent: Thursday, October 15, 2020 10:55 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Batch SFTP without client keys or USS files?

On Thu, 15 Oct 2020 19:36:33 -0500, Wendell Lovewell wrote:
>
>... modifying USS files like even ~/.ssh/anything is probably also off 
>limits.
>
Why?

But I'd expect you'd need to install the client's public key in the server's 
authorized_keys, which might be a problem.

-- gil



Re: Batch SFTP without client keys or USS files?

2020-10-15 Thread Paul Gilmartin
On Thu, 15 Oct 2020 19:36:33 -0500, Wendell Lovewell wrote:
>
>... modifying USS files like even ~/.ssh/anything is probably also off 
>limits. 
>
Why?

But I'd expect you'd need to install the client's public key in the server's
authorized_keys, which might be a problem.

-- gil



Re: Batch SFTP without client keys or USS files?

2020-10-15 Thread Allan Staller
Yes it is. I do this many times daily.

There are 2 stages to the authentication. Server and User.
For Server Authentication, all that is needed is the public key of the foreign 
host in the /etc/ssh/known_hosts

For the sake of discussion, I am going to assume this is MF --> foreign host.
You need to install the foreign host public key (for whatever user on the 
foreign host) in /&uid/.ssh/authorized_keys.

The job(s) will run with an ESM id of &UID.

CoZ makes things much easier than the zOS version of OpenSSH, but is not 
required. The IBM code can handle everything just fine.

For more info see: http://www.dovetail.com/webinars.html
Towards the bottom of the page you will see: " IBM Ported Tools for z/OS: 
OpenSSH - Key Authentication"

Although Dovetail produced the content, it is non-CoZ dependent.
Disclaimer. I have no affiliation with Dovetail except as a user of their fine 
products.

HTH,


Batch SFTP without client keys or USS files?

2020-10-15 Thread Wendell Lovewell
Is it possible to code a proc that would invoke SFTP to transfer a file to or 
from a non-z/OS ftp server using only that server's public key and a 
userid/password combination like you would use for FTP or FTPS?

I need to distribute this outside our company, so using CO:Z isn't an option.  
Adding keys to the server for the clients is not either.  And modifying USS 
files like /etc/ssh/config or even ~/.ssh/anything is probably also off limits. 
 I might be able to get away with stashing something in /tmp, but even that 
might be a problem. I can (since I have to) assume z/OS 2.2 or later for 
OpenSSH availability. 

I was able to do this for FTPS by distributing the FTP server's public key as a 
.PEM file & installing it into RACF, then adding it to a keyring.  But so far 
with SFTP, I'm stumped.  Has anyone tried this?

TIA, 
Wendell

fwiw, here is the FTPS proc:

//*---
//* TERSE a file & FTP it
//*---
//FTPSTRS  PROC ZOSFILE=,
//         FTPFILE=,
//         OUTCLS=*,
//         TMPHLQ=&SYSUID,
//         TRSDISP=(NEW,PASS),
//         KEYOWNR=TCPIP,
//         KEYRING=FTPS.KEYRING
//*
//EXP      EXPORT SYMLIST=*
//         SET FTPFID=&FTPFILE
//         SET FTPOWN=&KEYOWNR
//         SET FTPKEY=&KEYRING
//*
//*---
//TERSE    EXEC PGM=TRSMAIN,PARM=PACK
//SYSPRINT DD SYSOUT=&OUTCLS
//INFILE   DD DISP=SHR,DSN=&ZOSFILE
//OUTFILE  DD DSN=&TMPHLQ..TEMP.TRS,
//         DISP=(&TRSDISP.),
//         RECFM=FB,BLKSIZE=0,LRECL=1024,
//         LIKE=&ZOSFILE
//*---
//FTPS     EXEC PGM=FTP,REGION=4M,COND=(0,LT),
//         PARM=('ENVAR("_CEE_ENVFILE_S=DD:STDENV")/ftp.server.com 21 -e')
//STDENV   DD *
GSK_PROTOCOL_TLSV1_2=ON
//SYSFTPD  DD *,SYMBOLS=(JCLONLY)
CLIENTERRCODES    EXTENDED
EPSV4             TRUE
EXTENSIONS        AUTH_TLS
FWFRIENDLY        TRUE
KEYRING           &FTPOWN/&FTPRING
PASSIVEIGNOREADDR TRUE
SECUREIMPLICITZOS FALSE
SECURE_FTP        REQUIRED
SECURE_MECHANISM  TLS
SECURE_DATACONN   PRIVATE
SECURE_CTRLCONN   PRIVATE
SECURE_HOSTNAME   REQUIRED
TLSMECHANISM      FTP
TLSRFCLEVEL       RFC4217
//* TRACE
//TRSFILE  DD DISP=SHR,DSN=*.TERSE.OUTFILE
//OUTPUT   DD SYSOUT=&OUTCLS
//INPUT    DD *,SYMBOLS=(JCLONLY)
ftpuser
ftppwd
sendsite
cd /somedir
BINARY
PUT //DD:TRSFILE &FTPFID
QUIT
//*
//         PEND

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN