Re: z/OS FTPS Client & Linux FTP server

[Neil Duffee]

I'm delayed by the daily digest but did anyone mention the BpxMText suggested 
Action?  To me, it indicates the solution might rely on the other end.

TSO BPXMTEXT 77B17343

TCPIP JrTtlsClearTxtReceived: AT-TLS received clear text data when secure data 
was expected.

Action: Enable the remote application for secure connections. Retry the 
connection.

ps.  *definitely* a n00b for both tcp/ip & at-tls and probably not helping any.

>  signature = 6 lines follows  <
Neil Duffee, Joe Sysprog, uOttawa, Ottawa, Ont, Canada
telephone:1 613 562 5800 x4585  fax:1 613 562 5161
mailto:NDuffee of uOttawa.ca http:/ /aix1.uOttawa.ca/ ~nduffee
“How *do* you plan for something like that?”  Guardian Bob, Reboot
“For every action, there is an equal and opposite criticism.”
“Systems Programming: Guilty, until proven innocent”  John Norgauer 2004


-Original Message-
From: Mark Pace [mailto:pacemainl...@gmail.com] 
Sent: May 12, 2014 14:42
Subject: Re: z/OS FTPS Client & Linux FTP server

EZA1554I Connecting to:   10.6.0.10 port: 21.
[snip]
EDC8121I Connection reset. (errno2=0x77B17343) 
EZA2897I Authentication negotiation failed 
EZA1534I *** Control connection with 10.6.0.10 dies.

If I read this right the 7343 part of the errno2 says that it expected a secure 
response, but it was sent clear text.
I've tried SECUREIMPLICITZOS  both TRUE and FALSE - with true I don't see the 
220- messages, but still get the same error.
[snip]


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

Donald -
I really don't understand this whole certificate thing. And only working
with them once every couple of years, I quickly forget what little bit I
learned.  However I was able to follow your logic about the certificates,
root and intermediate.  I added the intermediate cert and now I can connect
with TLS.  Still no joy trying to use AT-TTLS even with the corrected certs.

I give up on AT-TTLS.  I'll come back to it one day when I TLS no longer
works.



On Mon, May 12, 2014 at 3:44 PM, Donald J.  wrote:

> A GSK trace is most likely needed.
> Did you ever resolve the intermediate certificate issue I mentioned on
> my May 8 message?
>
> Your ftp.s390.mainline.com server certificate is issued by the GoDaddy
> intermediate cert:
> Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc.,
> OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure
> Certification Authority/
> serialNumber=07969287
>
> The GoDaddy intermediate cert above is issued by the root cert :
> Issuer: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2
> Certification Authority
>
> It appears you do not have the intermediate cert in the keyring at
> either end.  If you have 100 clients and 1 server, it would be easier to
> put in the one server keystore.   But you can probably put it in your
> z/OS client keystore instead.
>
> If you can't find it, you can download it from the 3rd cert
> (gd_intermediate.crt) on this page:
> https://certs.godaddy.com/anonymous/repository.pki
>
> --
>   Donald J.
>   dona...@4email.net
>
>
> > FC2903 authServerAttls: ioctl() failed on SIOCTTLSCTL - EDC8121I
> > Connection
> > reset. (errno2=0x77B17343)
> > EZA2897I Authentication negotiation
> > failed
> > EZA1534I *** Control connection with 10.6.0.10
> > dies.
> >
> > If I read this right the 7343 part of the errno2 says that it expected a
> > secure response, but it was sent clear text.
> > I've tried
> > SECUREIMPLICITZOS  both TRUE and FALSE - with true I don't see the 220-
> > messages, but still get the same error.
> >
>
>
> --
> http://www.fastmail.fm - A fast, anti-spam email service.
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Donald J.]

A GSK trace is most likely needed.
Did you ever resolve the intermediate certificate issue I mentioned on
my May 8 message?

Your ftp.s390.mainline.com server certificate is issued by the GoDaddy
intermediate cert:
Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc.,
OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure
Certification Authority/
serialNumber=07969287

The GoDaddy intermediate cert above is issued by the root cert :
Issuer: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2
Certification Authority

It appears you do not have the intermediate cert in the keyring at
either end.  If you have 100 clients and 1 server, it would be easier to
put in the one server keystore.   But you can probably put it in your
z/OS client keystore instead.  

If you can't find it, you can download it from the 3rd cert
(gd_intermediate.crt) on this page:
https://certs.godaddy.com/anonymous/repository.pki

-- 
  Donald J.
  dona...@4email.net
 
 
> FC2903 authServerAttls: ioctl() failed on SIOCTTLSCTL - EDC8121I
> Connection
> reset. (errno2=0x77B17343)
> EZA2897I Authentication negotiation
> failed
> EZA1534I *** Control connection with 10.6.0.10
> dies.
> 
> If I read this right the 7343 part of the errno2 says that it expected a
> secure response, but it was sent clear text.
> I've tried
> SECUREIMPLICITZOS  both TRUE and FALSE - with true I don't see the 220-
> messages, but still get the same error.
> 
 

-- 
http://www.fastmail.fm - A fast, anti-spam email service.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

EZA1554I Connecting to:   10.6.0.10 port:
21.
220-Welcome to Mainline's FTP
Server.
220-

220-This FTP server is limited to use by Mainline employees,
customers
220-and authorized business
partners.
220-

220-NOTE: All files may be deleted after 30
days.
220

GU5349 ftpSetApplData:
entered

FC0254 ftpAuth: security values: mech=TLS, tlsmech=ATTLS, sFTP=R, sCC=P,
sDC=P
FC2738 ftpAuthAttls: AT-TLS policy set as application
controlled.
FU1810 TTLSRule:
Secure_Ftp_client

FU1816 TTLSGroupAction:
grp_Production

FU1822 TTLSEnvironmentAction:
Secure_Ftp_Client_Env
FC2894 authServerAttls: Start
Handshake
FC2903 authServerAttls: ioctl() failed on SIOCTTLSCTL - EDC8121I Connection
reset. (errno2=0x77B17343)
EZA2897I Authentication negotiation
failed
EZA1534I *** Control connection with 10.6.0.10
dies.

If I read this right the 7343 part of the errno2 says that it expected a
secure response, but it was sent clear text.
I've tried
SECUREIMPLICITZOS  both TRUE and FALSE - with true I don't see the 220-
messages, but still get the same error.





On Mon, May 12, 2014 at 1:39 PM, Donald J.  wrote:

> You need ApplicationControlled On  as well as SecondaryMap On.
>
> Issue this command to see your resultant config:
> pasearch -p TCPIP > tcpip.pagent.dat
>
>
> --
>   Donald J.
>   dona...@4email.net
>  > >   TTLSEnvironmentAdvancedParms
> > >   {
> > > SecondaryMap  On
>
>
> --
> http://www.fastmail.fm - The way an email service should be
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Donald J.]

You need ApplicationControlled On  as well as SecondaryMap On.

Issue this command to see your resultant config:
pasearch -p TCPIP > tcpip.pagent.dat   


-- 
  Donald J.
  dona...@4email.net
 > >   TTLSEnvironmentAdvancedParms
> >   {
> > SecondaryMap  On
 

-- 
http://www.fastmail.fm - The way an email service should be

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

t;
>> > On Fri, May 9, 2014 at 4:09 PM, Gibney, Dave  wrote:
>> >
>> > > On looking at it, I think the
>> > > > TLSRFCLEVEL   CCCNONOTIFY ;
>> > > And/or the
>> > > > EPSV4 TRUE
>> > > Are newish (in that they were what I had to put in to make it work the
>> > > last time it broke :) It tends to break when maintenance is put on
>> Linux
>> > or
>> > > vsftp :)
>> > >
>> > > > -Original Message-
>> > > > From: IBM Mainframe Discussion List [mailto:
>> IBM-MAIN@LISTSERV.UA.EDU]
>> > > > On Behalf Of Mark Pace
>> > > > Sent: Friday, May 09, 2014 1:00 PM
>> > > > To: IBM-MAIN@LISTSERV.UA.EDU
>> > > > Subject: Re: z/OS FTPS Client & Linux FTP server
>> > > >
>> > > > WOAH, WOAH, WOAH,  what the hell?   I copied and pasted your
>> FTP.DATA
>> > > > file
>> > > > into my FTP.DATA file  and now it works.
>> > > >
>> > > > Now I just have to determine what was different on yours than every
>> > > iteration
>> > > > that I have been through so far.
>> > > >
>> > > > THANKS,  I think.   ;)
>> > > >
>> > > >
>> > > > On Fri, May 9, 2014 at 2:28 PM, Gibney, Dave 
>> wrote:
>> > > >
>> > > > > Well, for what it is worth, I use the following in my
>> userid.FTP.DATA
>> > > > > and successfully talk to vsftp with SSL Encryption:
>> > > > > TLSRFCLEVEL   CCCNONOTIFY ;
>> > > > > EPSV4 TRUE
>> > > > > TLSMECHANISM  FTP
>> > > > > SECURE_MECHANISM TLS
>> > > > > SECURE_FTP REQUIRED
>> > > > > SECURE_CTRLCONN   CLEAR
>> > > > > SECURE_DATACONN PRIVATE
>> > > > > CIPHERSUITE   SSL_NULL_MD5  ; 01
>> > > > > CIPHERSUITE   SSL_NULL_SHA  ; 02
>> > > > > CIPHERSUITE   SSL_RC4_MD5_EX; 03
>> > > > > CIPHERSUITE   SSL_RC4_MD5   ; 04
>> > > > > CIPHERSUITE   SSL_RC4_SHA   ; 05
>> > > > > CIPHERSUITE   SSL_RC2_MD5_EX; 06
>> > > > > CIPHERSUITE   SSL_DES_SHA   ; 09
>> > > > > CIPHERSUITE   SSL_3DES_SHA      ; 0A
>> > > > >
>> > > > > KEYRING FTPClientRing
>> > > > >
>> > > > > My RACF keyring has:
>> > > > > Ring:
>> > > > >  >FTPClientRing<
>> > > > > Certificate Label Name Cert Owner USAGE
>>  DEFAULT
>> > > > >       
>> ---
>> > > > > Thawte Premium Server CA   CERTAUTH   CERTAUTH NO
>> > > > >
>> > > > > thawte Primary Root CA CERTAUTH   CERTAUTH NO
>> > > > >
>> > > > > Thawte Server CA   CERTAUTH   CERTAUTH NO
>> > > > >
>> > > > > Thawte DV SSL CA           CERTAUTH   CERTAUTH NO
>> > > > >
>> > > > > I did find it necessary to have the full chain in my keyring.
>> > > > >
>> > > > > I just use //MVSFTP   EXEC PGM=FTP,
>> > > > >
>> > > > > I don't maintain the Linux server, so I can't quickly get the full
>> > > > > vsftp parm deck. I can ask for it.
>> > > > >
>> > > > > > -Original Message-
>> > > > > > From: IBM Mainframe Discussion List
>> > > > > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
>> > > > > > Sent: Friday, May 09, 2014 10:58 AM
>> > > > > > To: IBM-MAIN@LISTSERV.UA.EDU
>> > > > > > Subject: Re: z/OS FTPS Client & Linux FTP server
>> > > > > >
>> > > > > > Sorry, confused, again.
>> > > > > >
>> > > > > > We currently do userid/password authentication - without SSL.
>> > > > > >
>> > > > > >
>> > > > > > On Fri, May 9, 2014 at 1:42 PM, Gibney, Dave 
>> > wrote:
>> > > > > >
>> > > > > > > Well, if your are doing the SSL server s

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

I'm trying to make the AT-TLS stuff work, but I'm just as confused by this
as the original stuff.  The PAGENT setup seemed pretty straight forward.
pagent.conf
TTLSConfig /etc/pagent_TTLS.conf

pagent_TTLS.conf
# Common Production Group that all Rules use
TTLSGroupAction grp_Production
{
 TTLSEnabled On
 Trace 2 # Log Errors to syslogd
}


###
# #
#  FTP Specific Rules and Actions #
# #
###
# FTP data connections must use SecondaryMap
# to access keyring and certificate under server's security context.
# Do not define separate rules for FTP data connections.
TTLSRule  Secure_Ftp_client
{
 LocalPortRange   21
 DirectionOutbound
 TTLSGroupActionRef   grp_Production
 TTLSEnvironmentActionRef Secure_Ftp_Client_Env
}

# Environment Shared by all secure FTP client connections.
# each client must own their own key ring named Client_Ring
TTLSEnvironmentAction Secure_Ftp_Client_Env
{
  HandshakeRole   Client
  TTLSKeyRingParms
  {
Keyring   Client_Ring
  }
  TTLSEnvironmentAdvancedParms
  {
SecondaryMap  On
  }
}

It appears that the correct configurations are loaded. - my only question
being if INET is the correct name.
EZZ8432I PAGENT INITIALIZATION COMPLETE
EZD1289I TCPIP ICSF SERVICES ARE CURRENTLY AVAILABLE FOR AT-TLS GROUP
grp_Production
EZZ8771I PAGENT CONFIG POLICY PROCESSING COMPLETE FOR INET : TTLS
EZD1586I PAGENT HAS INSTALLED ALL LOCAL POLICIES FOR INET


Run the FTP and it fails saying there is now matching policy

GU5349 ftpSetApplData:
entered
FC0254 ftpAuth: security values: mech=TLS, tlsmech=ATTLS, sFTP=R, sCC=P,
sDC=P
FC2723 ftpAuthAttls: No AT-TLS policy matched
connection
EZA2897I Authentication negotiation
failed


On Sat, May 10, 2014 at 2:21 PM, Rob Schramm  wrote:

> Congrats.
>
> Of course the latest recommendations are to move away from TLS 1.0 because
> of vulnerabilities.
>
> Rob Schramm
> On May 9, 2014 4:48 PM, "Mark Pace"  wrote:
>
> > One thing I just noticed as I was documenting this.
> > I had changed my ftp server from using the GoDaddy assigned certificate
> to
> > a self-signed certificate.  I had send a copy of the .pem file to z/OS
> and
> > added it to my keyring as Site certificate. - That is what worked.
> >
> > So I went back to the GoDaddy certificate on the server,  and I still
> have,
> > what I thought was a good Certauth from GoDaddy on my key ring and now my
> > error is - FC1003 authServer: secure_socket_init failed with rc = 417
> > (Self-signed certificate cannot be validated)
> >
> > So now I need to figure out how to get the Certauth working as I don't
> > really want to have to send my self-signed out.
> >
> > Something to ponder next week.
> >
> >
> > On Fri, May 9, 2014 at 4:09 PM, Gibney, Dave  wrote:
> >
> > > On looking at it, I think the
> > > > TLSRFCLEVEL   CCCNONOTIFY ;
> > > And/or the
> > > > EPSV4 TRUE
> > > Are newish (in that they were what I had to put in to make it work the
> > > last time it broke :) It tends to break when maintenance is put on
> Linux
> > or
> > > vsftp :)
> > >
> > > > -Original Message-
> > > > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU
> ]
> > > > On Behalf Of Mark Pace
> > > > Sent: Friday, May 09, 2014 1:00 PM
> > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > >
> > > > WOAH, WOAH, WOAH,  what the hell?   I copied and pasted your FTP.DATA
> > > > file
> > > > into my FTP.DATA file  and now it works.
> > > >
> > > > Now I just have to determine what was different on yours than every
> > > iteration
> > > > that I have been through so far.
> > > >
> > > > THANKS,  I think.   ;)
> > > >
> > > >
> > > > On Fri, May 9, 2014 at 2:28 PM, Gibney, Dave  wrote:
> > > >
> > > > > Well, for what it is worth, I use the following in my
> userid.FTP.DATA
> > > > > and successfully talk to vsftp with SSL Encryption:
> > > > > TLSRFCLEVEL   CCCNONOTIFY ;
> > > > > EPSV4 TRUE
> > > > > TLSMECHANISM  FTP
> > > > > SECURE_MECHANISM TLS
> > > > > SECURE_FTP REQ

Re: z/OS FTPS Client & Linux FTP server

[Rob Schramm]

Congrats.

Of course the latest recommendations are to move away from TLS 1.0 because
of vulnerabilities.

Rob Schramm
On May 9, 2014 4:48 PM, "Mark Pace"  wrote:

> One thing I just noticed as I was documenting this.
> I had changed my ftp server from using the GoDaddy assigned certificate to
> a self-signed certificate.  I had send a copy of the .pem file to z/OS and
> added it to my keyring as Site certificate. - That is what worked.
>
> So I went back to the GoDaddy certificate on the server,  and I still have,
> what I thought was a good Certauth from GoDaddy on my key ring and now my
> error is - FC1003 authServer: secure_socket_init failed with rc = 417
> (Self-signed certificate cannot be validated)
>
> So now I need to figure out how to get the Certauth working as I don't
> really want to have to send my self-signed out.
>
> Something to ponder next week.
>
>
> On Fri, May 9, 2014 at 4:09 PM, Gibney, Dave  wrote:
>
> > On looking at it, I think the
> > > TLSRFCLEVEL   CCCNONOTIFY ;
> > And/or the
> > > EPSV4 TRUE
> > Are newish (in that they were what I had to put in to make it work the
> > last time it broke :) It tends to break when maintenance is put on Linux
> or
> > vsftp :)
> >
> > > -Original Message-
> > > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> > > On Behalf Of Mark Pace
> > > Sent: Friday, May 09, 2014 1:00 PM
> > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > >
> > > WOAH, WOAH, WOAH,  what the hell?   I copied and pasted your FTP.DATA
> > > file
> > > into my FTP.DATA file  and now it works.
> > >
> > > Now I just have to determine what was different on yours than every
> > iteration
> > > that I have been through so far.
> > >
> > > THANKS,  I think.   ;)
> > >
> > >
> > > On Fri, May 9, 2014 at 2:28 PM, Gibney, Dave  wrote:
> > >
> > > > Well, for what it is worth, I use the following in my userid.FTP.DATA
> > > > and successfully talk to vsftp with SSL Encryption:
> > > > TLSRFCLEVEL   CCCNONOTIFY ;
> > > > EPSV4 TRUE
> > > > TLSMECHANISM  FTP
> > > > SECURE_MECHANISM TLS
> > > > SECURE_FTP REQUIRED
> > > > SECURE_CTRLCONN   CLEAR
> > > > SECURE_DATACONN PRIVATE
> > > > CIPHERSUITE   SSL_NULL_MD5  ; 01
> > > > CIPHERSUITE   SSL_NULL_SHA  ; 02
> > > > CIPHERSUITE   SSL_RC4_MD5_EX; 03
> > > > CIPHERSUITE   SSL_RC4_MD5   ; 04
> > > > CIPHERSUITE   SSL_RC4_SHA   ; 05
> > > > CIPHERSUITE   SSL_RC2_MD5_EX; 06
> > > > CIPHERSUITE   SSL_DES_SHA   ; 09
> > > > CIPHERSUITE   SSL_3DES_SHA  ; 0A
> > > >
> > > > KEYRING FTPClientRing
> > > >
> > > > My RACF keyring has:
> > > > Ring:
> > > >  >FTPClientRing<
> > > > Certificate Label Name Cert Owner USAGE  DEFAULT
> > > >          ---
> > > > Thawte Premium Server CA   CERTAUTH   CERTAUTH NO
> > > >
> > > > thawte Primary Root CA CERTAUTH   CERTAUTH NO
> > > >
> > > > Thawte Server CA           CERTAUTH   CERTAUTH NO
> > > >
> > > > Thawte DV SSL CA   CERTAUTH   CERTAUTH NO
> > > >
> > > > I did find it necessary to have the full chain in my keyring.
> > > >
> > > > I just use //MVSFTP   EXEC PGM=FTP,
> > > >
> > > > I don't maintain the Linux server, so I can't quickly get the full
> > > > vsftp parm deck. I can ask for it.
> > > >
> > > > > -Original Message-
> > > > > From: IBM Mainframe Discussion List
> > > > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
> > > > > Sent: Friday, May 09, 2014 10:58 AM
> > > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > > >
> > > > > Sorry, confused, again.
> > > > >
> > > > > We currently do userid/password authentication - without SSL.
> > > > >
> > > > >
> > > > > On Fri, May 9, 2014 at 1:42 PM, Gibney, Dave 
>

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

One thing I just noticed as I was documenting this.
I had changed my ftp server from using the GoDaddy assigned certificate to
a self-signed certificate.  I had send a copy of the .pem file to z/OS and
added it to my keyring as Site certificate. - That is what worked.

So I went back to the GoDaddy certificate on the server,  and I still have,
what I thought was a good Certauth from GoDaddy on my key ring and now my
error is - FC1003 authServer: secure_socket_init failed with rc = 417
(Self-signed certificate cannot be validated)

So now I need to figure out how to get the Certauth working as I don't
really want to have to send my self-signed out.

Something to ponder next week.


On Fri, May 9, 2014 at 4:09 PM, Gibney, Dave  wrote:

> On looking at it, I think the
> > TLSRFCLEVEL   CCCNONOTIFY ;
> And/or the
> > EPSV4 TRUE
> Are newish (in that they were what I had to put in to make it work the
> last time it broke :) It tends to break when maintenance is put on Linux or
> vsftp :)
>
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> > On Behalf Of Mark Pace
> > Sent: Friday, May 09, 2014 1:00 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: z/OS FTPS Client & Linux FTP server
> >
> > WOAH, WOAH, WOAH,  what the hell?   I copied and pasted your FTP.DATA
> > file
> > into my FTP.DATA file  and now it works.
> >
> > Now I just have to determine what was different on yours than every
> iteration
> > that I have been through so far.
> >
> > THANKS,  I think.   ;)
> >
> >
> > On Fri, May 9, 2014 at 2:28 PM, Gibney, Dave  wrote:
> >
> > > Well, for what it is worth, I use the following in my userid.FTP.DATA
> > > and successfully talk to vsftp with SSL Encryption:
> > > TLSRFCLEVEL   CCCNONOTIFY ;
> > > EPSV4 TRUE
> > > TLSMECHANISM  FTP
> > > SECURE_MECHANISM TLS
> > > SECURE_FTP REQUIRED
> > > SECURE_CTRLCONN   CLEAR
> > > SECURE_DATACONN PRIVATE
> > > CIPHERSUITE   SSL_NULL_MD5  ; 01
> > > CIPHERSUITE   SSL_NULL_SHA  ; 02
> > > CIPHERSUITE   SSL_RC4_MD5_EX; 03
> > > CIPHERSUITE   SSL_RC4_MD5   ; 04
> > > CIPHERSUITE   SSL_RC4_SHA   ; 05
> > > CIPHERSUITE   SSL_RC2_MD5_EX; 06
> > > CIPHERSUITE   SSL_DES_SHA   ; 09
> > > CIPHERSUITE   SSL_3DES_SHA  ; 0A
> > >
> > > KEYRING FTPClientRing
> > >
> > > My RACF keyring has:
> > > Ring:
> > >  >FTPClientRing<
> > > Certificate Label Name Cert Owner USAGE  DEFAULT
> > >          ---
> > > Thawte Premium Server CA   CERTAUTH   CERTAUTH NO
> > >
> > > thawte Primary Root CA CERTAUTH   CERTAUTH NO
> > >
> > > Thawte Server CA   CERTAUTH   CERTAUTH NO
> > >
> > > Thawte DV SSL CA   CERTAUTH   CERTAUTH NO
> > >
> > > I did find it necessary to have the full chain in my keyring.
> > >
> > > I just use //MVSFTP   EXEC PGM=FTP,
> > >
> > > I don't maintain the Linux server, so I can't quickly get the full
> > > vsftp parm deck. I can ask for it.
> > >
> > > > -Original Message-
> > > > From: IBM Mainframe Discussion List
> > > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
> > > > Sent: Friday, May 09, 2014 10:58 AM
> > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > >
> > > > Sorry, confused, again.
> > > >
> > > > We currently do userid/password authentication - without SSL.
> > > >
> > > >
> > > > On Fri, May 9, 2014 at 1:42 PM, Gibney, Dave  wrote:
> > > >
> > > > > Well, if your are doing the SSL server stuff, then the password is
> > > > > not flowing in the clear. On the other hand, my interpretation of
> > > > > the vsftp parm I sent a few days ago is to NOT do certificate
> > > > > based client authentication.
> > > > >
> > > > > > -Original Message-
> > > > > > From: IBM Mainframe Discussion List
> > > > > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
> > > > > > Sent: Friday, May 09, 2014 9:19 AM
> 

Re: z/OS FTPS Client & Linux FTP server

[Gibney, Dave]

On looking at it, I think the 
> TLSRFCLEVEL   CCCNONOTIFY ;
And/or the
> EPSV4 TRUE
Are newish (in that they were what I had to put in to make it work the last 
time it broke :) It tends to break when maintenance is put on Linux or vsftp :)

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> On Behalf Of Mark Pace
> Sent: Friday, May 09, 2014 1:00 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: z/OS FTPS Client & Linux FTP server
> 
> WOAH, WOAH, WOAH,  what the hell?   I copied and pasted your FTP.DATA
> file
> into my FTP.DATA file  and now it works.
> 
> Now I just have to determine what was different on yours than every iteration
> that I have been through so far.
> 
> THANKS,  I think.   ;)
> 
> 
> On Fri, May 9, 2014 at 2:28 PM, Gibney, Dave  wrote:
> 
> > Well, for what it is worth, I use the following in my userid.FTP.DATA
> > and successfully talk to vsftp with SSL Encryption:
> > TLSRFCLEVEL   CCCNONOTIFY ;
> > EPSV4 TRUE
> > TLSMECHANISM  FTP
> > SECURE_MECHANISM TLS
> > SECURE_FTP REQUIRED
> > SECURE_CTRLCONN   CLEAR
> > SECURE_DATACONN PRIVATE
> > CIPHERSUITE   SSL_NULL_MD5  ; 01
> > CIPHERSUITE   SSL_NULL_SHA  ; 02
> > CIPHERSUITE   SSL_RC4_MD5_EX; 03
> > CIPHERSUITE   SSL_RC4_MD5   ; 04
> > CIPHERSUITE   SSL_RC4_SHA   ; 05
> > CIPHERSUITE   SSL_RC2_MD5_EX; 06
> > CIPHERSUITE   SSL_DES_SHA   ; 09
> > CIPHERSUITE   SSL_3DES_SHA  ; 0A
> >
> > KEYRING FTPClientRing
> >
> > My RACF keyring has:
> > Ring:
> >  >FTPClientRing<
> > Certificate Label Name Cert Owner USAGE  DEFAULT
> >          ---
> > Thawte Premium Server CA   CERTAUTH   CERTAUTH NO
> >
> > thawte Primary Root CA CERTAUTH   CERTAUTH NO
> >
> > Thawte Server CA   CERTAUTH   CERTAUTH NO
> >
> > Thawte DV SSL CA   CERTAUTH   CERTAUTH NO
> >
> > I did find it necessary to have the full chain in my keyring.
> >
> > I just use //MVSFTP   EXEC PGM=FTP,
> >
> > I don't maintain the Linux server, so I can't quickly get the full
> > vsftp parm deck. I can ask for it.
> >
> > > -Original Message-
> > > From: IBM Mainframe Discussion List
> > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
> > > Sent: Friday, May 09, 2014 10:58 AM
> > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > >
> > > Sorry, confused, again.
> > >
> > > We currently do userid/password authentication - without SSL.
> > >
> > >
> > > On Fri, May 9, 2014 at 1:42 PM, Gibney, Dave  wrote:
> > >
> > > > Well, if your are doing the SSL server stuff, then the password is
> > > > not flowing in the clear. On the other hand, my interpretation of
> > > > the vsftp parm I sent a few days ago is to NOT do certificate
> > > > based client authentication.
> > > >
> > > > > -Original Message-
> > > > > From: IBM Mainframe Discussion List
> > > > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
> > > > > Sent: Friday, May 09, 2014 9:19 AM
> > > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > > >
> > > > > Oh yes.  We've been doing it that way for years.
> > > > >
> > > > > Trying to add the ability to secure the log in process.
> > > > >
> > > > >
> > > > > On Fri, May 9, 2014 at 11:42 AM, Gibney, Dave 
> > wrote:
> > > > >
> > > > > > I haven't used SSL client verification by certificate, so you
> > > > > > are past my knowledge. As an experiment, can you get a working
> > > > > > connection using userid/password authentication.
> > > > > >
> > > > > > > -Original Message-
> > > > > > > From: IBM Mainframe Discussion List
> > > > > > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
> > > > > > > Sent: Friday, May 09, 2014 5:47 AM
> > > > > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > > > > Subject: Re: z/O

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

WOAH, WOAH, WOAH,  what the hell?   I copied and pasted your FTP.DATA file
into my FTP.DATA file  and now it works.

Now I just have to determine what was different on yours than every
iteration that I have been through so far.

THANKS,  I think.   ;)


On Fri, May 9, 2014 at 2:28 PM, Gibney, Dave  wrote:

> Well, for what it is worth, I use the following in my userid.FTP.DATA and
> successfully talk to vsftp with SSL Encryption:
> TLSRFCLEVEL   CCCNONOTIFY ;
> EPSV4 TRUE
> TLSMECHANISM  FTP
> SECURE_MECHANISM TLS
> SECURE_FTP REQUIRED
> SECURE_CTRLCONN   CLEAR
> SECURE_DATACONN PRIVATE
> CIPHERSUITE   SSL_NULL_MD5  ; 01
> CIPHERSUITE   SSL_NULL_SHA  ; 02
> CIPHERSUITE   SSL_RC4_MD5_EX; 03
> CIPHERSUITE   SSL_RC4_MD5   ; 04
> CIPHERSUITE   SSL_RC4_SHA   ; 05
> CIPHERSUITE   SSL_RC2_MD5_EX; 06
> CIPHERSUITE   SSL_DES_SHA   ; 09
> CIPHERSUITE   SSL_3DES_SHA  ; 0A
>
> KEYRING FTPClientRing
>
> My RACF keyring has:
> Ring:
>  >FTPClientRing<
> Certificate Label Name Cert Owner USAGE  DEFAULT
>          ---
> Thawte Premium Server CA   CERTAUTH   CERTAUTH NO
>
> thawte Primary Root CA CERTAUTH   CERTAUTH NO
>
> Thawte Server CA   CERTAUTH   CERTAUTH NO
>
> Thawte DV SSL CA   CERTAUTH   CERTAUTH NO
>
> I did find it necessary to have the full chain in my keyring.
>
> I just use //MVSFTP   EXEC PGM=FTP,
>
> I don't maintain the Linux server, so I can't quickly get the full vsftp
> parm deck. I can ask for it.
>
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> > On Behalf Of Mark Pace
> > Sent: Friday, May 09, 2014 10:58 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: z/OS FTPS Client & Linux FTP server
> >
> > Sorry, confused, again.
> >
> > We currently do userid/password authentication - without SSL.
> >
> >
> > On Fri, May 9, 2014 at 1:42 PM, Gibney, Dave  wrote:
> >
> > > Well, if your are doing the SSL server stuff, then the password is not
> > > flowing in the clear. On the other hand, my interpretation of the
> > > vsftp parm I sent a few days ago is to NOT do certificate based client
> > > authentication.
> > >
> > > > -Original Message-
> > > > From: IBM Mainframe Discussion List
> > > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
> > > > Sent: Friday, May 09, 2014 9:19 AM
> > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > >
> > > > Oh yes.  We've been doing it that way for years.
> > > >
> > > > Trying to add the ability to secure the log in process.
> > > >
> > > >
> > > > On Fri, May 9, 2014 at 11:42 AM, Gibney, Dave 
> wrote:
> > > >
> > > > > I haven't used SSL client verification by certificate, so you are
> > > > > past my knowledge. As an experiment, can you get a working
> > > > > connection using userid/password authentication.
> > > > >
> > > > > > -Original Message-
> > > > > > From: IBM Mainframe Discussion List
> > > > > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
> > > > > > Sent: Friday, May 09, 2014 5:47 AM
> > > > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > > > >
> > > > > > I was able to get the Trace to work - after removing the -r TLS,
> > > > > > that generated an error.
> > > > > > *EZA2892I Secure port 21 does not allow the -a or -r start
> > > > > > parameter
> > > > > > *
> > > > > >
> > > > > > And from that trace it appears, to me, that the FTP server is
> > > > > > not responding correctly to the z/OS client handshake.
> > > > > >
> > > > > > 05/08/2014-16:46:27 Thd-0 INFO send_v3_client_hello(): Sent V3
> > > > > > CLIENT- HELLO message
> > > > > > 05/08/2014-16:46:27 Thd-0 ASCII send_v3_client_hello(): V3
> > > > > > CLIENT-HELLO message
> > > > > > :  012b 0301536b ed23cf50 8d72c5f7
> > &

Re: z/OS FTPS Client & Linux FTP server

[Gibney, Dave]

Well, for what it is worth, I use the following in my userid.FTP.DATA and 
successfully talk to vsftp with SSL Encryption:
TLSRFCLEVEL   CCCNONOTIFY ; 
EPSV4 TRUE  
TLSMECHANISM  FTP   
SECURE_MECHANISM TLS   
SECURE_FTP REQUIRED 
SECURE_CTRLCONN   CLEAR  
SECURE_DATACONN PRIVATE
CIPHERSUITE   SSL_NULL_MD5  ; 01  
CIPHERSUITE   SSL_NULL_SHA  ; 02  
CIPHERSUITE   SSL_RC4_MD5_EX; 03  
CIPHERSUITE   SSL_RC4_MD5   ; 04  
CIPHERSUITE   SSL_RC4_SHA   ; 05  
CIPHERSUITE   SSL_RC2_MD5_EX; 06  
CIPHERSUITE   SSL_DES_SHA   ; 09  
CIPHERSUITE   SSL_3DES_SHA  ; 0A  
  
KEYRING FTPClientRing 

My RACF keyring has:
Ring:   
 >FTPClientRing<
Certificate Label Name Cert Owner USAGE  DEFAULT
         ---

Thawte Premium Server CA   CERTAUTH   CERTAUTH NO   

thawte Primary Root CA CERTAUTH   CERTAUTH NO   

Thawte Server CA   CERTAUTH   CERTAUTH NO   

Thawte DV SSL CA   CERTAUTH   CERTAUTH NO

I did find it necessary to have the full chain in my keyring.

I just use //MVSFTP   EXEC PGM=FTP,

I don't maintain the Linux server, so I can't quickly get the full vsftp parm 
deck. I can ask for it.   

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> On Behalf Of Mark Pace
> Sent: Friday, May 09, 2014 10:58 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: z/OS FTPS Client & Linux FTP server
> 
> Sorry, confused, again.
> 
> We currently do userid/password authentication - without SSL.
> 
> 
> On Fri, May 9, 2014 at 1:42 PM, Gibney, Dave  wrote:
> 
> > Well, if your are doing the SSL server stuff, then the password is not
> > flowing in the clear. On the other hand, my interpretation of the
> > vsftp parm I sent a few days ago is to NOT do certificate based client
> > authentication.
> >
> > > -Original Message-
> > > From: IBM Mainframe Discussion List
> > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
> > > Sent: Friday, May 09, 2014 9:19 AM
> > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > >
> > > Oh yes.  We've been doing it that way for years.
> > >
> > > Trying to add the ability to secure the log in process.
> > >
> > >
> > > On Fri, May 9, 2014 at 11:42 AM, Gibney, Dave  wrote:
> > >
> > > > I haven't used SSL client verification by certificate, so you are
> > > > past my knowledge. As an experiment, can you get a working
> > > > connection using userid/password authentication.
> > > >
> > > > > -Original Message-
> > > > > From: IBM Mainframe Discussion List
> > > > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
> > > > > Sent: Friday, May 09, 2014 5:47 AM
> > > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > > >
> > > > > I was able to get the Trace to work - after removing the -r TLS,
> > > > > that generated an error.
> > > > > *EZA2892I Secure port 21 does not allow the -a or -r start
> > > > > parameter
> > > > > *
> > > > >
> > > > > And from that trace it appears, to me, that the FTP server is
> > > > > not responding correctly to the z/OS client handshake.
> > > > >
> > > > > 05/08/2014-16:46:27 Thd-0 INFO send_v3_client_hello(): Sent V3
> > > > > CLIENT- HELLO message
> > > > > 05/08/2014-16:46:27 Thd-0 ASCII send_v3_client_hello(): V3
> > > > > CLIENT-HELLO message
> > > > > :  012b 0301536b ed23cf50 8d72c5f7
> > > > > *...+..Sk.#.P.r..*
> > > > > 0010:  201c1c84 2fef8ce6 3228c3b3 8de37177  *
> > > > > .../...2(qw*
> > > > > 0020:  a3e6e150 a3c5 0400ff00 050100
> > > > > *...P...
> > &

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

Sorry, confused, again.

We currently do userid/password authentication - without SSL.


On Fri, May 9, 2014 at 1:42 PM, Gibney, Dave  wrote:

> Well, if your are doing the SSL server stuff, then the password is not
> flowing in the clear. On the other hand, my interpretation of the vsftp
> parm I sent a few days ago is to NOT do certificate based client
> authentication.
>
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> > On Behalf Of Mark Pace
> > Sent: Friday, May 09, 2014 9:19 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: z/OS FTPS Client & Linux FTP server
> >
> > Oh yes.  We've been doing it that way for years.
> >
> > Trying to add the ability to secure the log in process.
> >
> >
> > On Fri, May 9, 2014 at 11:42 AM, Gibney, Dave  wrote:
> >
> > > I haven't used SSL client verification by certificate, so you are past
> > > my knowledge. As an experiment, can you get a working connection using
> > > userid/password authentication.
> > >
> > > > -Original Message-
> > > > From: IBM Mainframe Discussion List
> > > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
> > > > Sent: Friday, May 09, 2014 5:47 AM
> > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > >
> > > > I was able to get the Trace to work - after removing the -r TLS,
> > > > that generated an error.
> > > > *EZA2892I Secure port 21 does not allow the -a or -r start parameter
> > > > *
> > > >
> > > > And from that trace it appears, to me, that the FTP server is not
> > > > responding correctly to the z/OS client handshake.
> > > >
> > > > 05/08/2014-16:46:27 Thd-0 INFO send_v3_client_hello(): Sent V3
> > > > CLIENT- HELLO message
> > > > 05/08/2014-16:46:27 Thd-0 ASCII send_v3_client_hello(): V3
> > > > CLIENT-HELLO message
> > > > :  012b 0301536b ed23cf50 8d72c5f7
> > > > *...+..Sk.#.P.r..*
> > > > 0010:  201c1c84 2fef8ce6 3228c3b3 8de37177  *
> > > > .../...2(qw*
> > > > 0020:  a3e6e150 a3c5 0400ff00 050100
> > > > *...P...
> > > > *
> > > > 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): Calling write
> > > > routine for 52 bytes
> > > > 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): 52 bytes
> > > > written
> > > > 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): Calling read
> > > > routine for 5 bytes
> > > > 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): 5 bytes
> > > > received
> > > > 05/08/2014-16:46:27 Thd-0 ERROR gsk_read_v3_record(): Content Type
> > > > 50 is not supported
> > > > 05/08/2014-16:46:27 Thd-0 ASCII gsk_read_v3_record(): SSL record
> > header
> > > > :  3232302d 57  *220-W
> > > > *
> > > > 05/08/2014-16:46:27 Thd-0 ERROR gsk_secure_socket_init(): SSL V3
> > > > client handshake failed with 10.6.0.15[21]
> > > >
> > > >
> > > >
> > > > On Wed, May 7, 2014 at 4:03 PM, Gibney, Dave 
> > wrote:
> > > >
> > > > > Add this to the FTP Client job parms:
> > > > > //
> > > >
> > PARM=('ENVAR("GSK_TRACE=0X","GSK_TRACE_FILE=/tmp/gskwix.trc")',
> > > > > //'/-r TLS (TRACE EXIT')
> > > > >
> > > > > There is a formatted documented with gsktrace. Should get you to
> > > > > the exact error when you format gskwix.trc
> > > > >
> > > > > > -Original Message-
> > > > > > From: IBM Mainframe Discussion List
> > > > > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Post
> > > > > > Sent: Wednesday, May 07, 2014 12:55 PM
> > > > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > > > >
> > > > > > Mark,
> > > > > >
> > > > > > This may be yet another case where running strace or ltrace on
> > > > > > the server side will give you some insight into what is going
> > > > > > on.  If you don't
> > > > > want to

Re: z/OS FTPS Client & Linux FTP server

[Gibney, Dave]

Well, if your are doing the SSL server stuff, then the password is not flowing 
in the clear. On the other hand, my interpretation of the vsftp parm I sent a 
few days ago is to NOT do certificate based client authentication.

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> On Behalf Of Mark Pace
> Sent: Friday, May 09, 2014 9:19 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: z/OS FTPS Client & Linux FTP server
> 
> Oh yes.  We've been doing it that way for years.
> 
> Trying to add the ability to secure the log in process.
> 
> 
> On Fri, May 9, 2014 at 11:42 AM, Gibney, Dave  wrote:
> 
> > I haven't used SSL client verification by certificate, so you are past
> > my knowledge. As an experiment, can you get a working connection using
> > userid/password authentication.
> >
> > > -Original Message-
> > > From: IBM Mainframe Discussion List
> > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
> > > Sent: Friday, May 09, 2014 5:47 AM
> > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > >
> > > I was able to get the Trace to work - after removing the -r TLS,
> > > that generated an error.
> > > *EZA2892I Secure port 21 does not allow the -a or -r start parameter
> > > *
> > >
> > > And from that trace it appears, to me, that the FTP server is not
> > > responding correctly to the z/OS client handshake.
> > >
> > > 05/08/2014-16:46:27 Thd-0 INFO send_v3_client_hello(): Sent V3
> > > CLIENT- HELLO message
> > > 05/08/2014-16:46:27 Thd-0 ASCII send_v3_client_hello(): V3
> > > CLIENT-HELLO message
> > > :  012b 0301536b ed23cf50 8d72c5f7
> > > *...+..Sk.#.P.r..*
> > > 0010:  201c1c84 2fef8ce6 3228c3b3 8de37177  *
> > > .../...2(qw*
> > > 0020:  a3e6e150 a3c5 0400ff00 050100
> > > *...P...
> > > *
> > > 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): Calling write
> > > routine for 52 bytes
> > > 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): 52 bytes
> > > written
> > > 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): Calling read
> > > routine for 5 bytes
> > > 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): 5 bytes
> > > received
> > > 05/08/2014-16:46:27 Thd-0 ERROR gsk_read_v3_record(): Content Type
> > > 50 is not supported
> > > 05/08/2014-16:46:27 Thd-0 ASCII gsk_read_v3_record(): SSL record
> header
> > > :  3232302d 57  *220-W
> > > *
> > > 05/08/2014-16:46:27 Thd-0 ERROR gsk_secure_socket_init(): SSL V3
> > > client handshake failed with 10.6.0.15[21]
> > >
> > >
> > >
> > > On Wed, May 7, 2014 at 4:03 PM, Gibney, Dave 
> wrote:
> > >
> > > > Add this to the FTP Client job parms:
> > > > //
> > >
> PARM=('ENVAR("GSK_TRACE=0X","GSK_TRACE_FILE=/tmp/gskwix.trc")',
> > > > //'/-r TLS (TRACE EXIT')
> > > >
> > > > There is a formatted documented with gsktrace. Should get you to
> > > > the exact error when you format gskwix.trc
> > > >
> > > > > -Original Message-
> > > > > From: IBM Mainframe Discussion List
> > > > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Post
> > > > > Sent: Wednesday, May 07, 2014 12:55 PM
> > > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > > >
> > > > > Mark,
> > > > >
> > > > > This may be yet another case where running strace or ltrace on
> > > > > the server side will give you some insight into what is going
> > > > > on.  If you don't
> > > > want to go
> > > > > down that road, i would say it's time to open up a PMR with IBM.
> > > > >
> > > > >
> > > > > Mark Post
> > > > >
> > > > > 
> > > > > ---
> > > -
> > > > > -- For IBM-MAIN subscribe / signoff / archive access
> > > > > instructions, send
> > > > email to
> > > > > lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> > > >

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

Oh yes.  We've been doing it that way for years.

Trying to add the ability to secure the log in process.


On Fri, May 9, 2014 at 11:42 AM, Gibney, Dave  wrote:

> I haven't used SSL client verification by certificate, so you are past my
> knowledge. As an experiment, can you get a working connection using
> userid/password authentication.
>
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> > On Behalf Of Mark Pace
> > Sent: Friday, May 09, 2014 5:47 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: z/OS FTPS Client & Linux FTP server
> >
> > I was able to get the Trace to work - after removing the -r TLS, that
> > generated an error.
> > *EZA2892I Secure port 21 does not allow the -a or -r start parameter *
> >
> > And from that trace it appears, to me, that the FTP server is not
> > responding correctly to the z/OS client handshake.
> >
> > 05/08/2014-16:46:27 Thd-0 INFO send_v3_client_hello(): Sent V3 CLIENT-
> > HELLO message
> > 05/08/2014-16:46:27 Thd-0 ASCII send_v3_client_hello(): V3 CLIENT-HELLO
> > message
> > :  012b 0301536b ed23cf50 8d72c5f7
> > *...+..Sk.#.P.r..*
> > 0010:  201c1c84 2fef8ce6 3228c3b3 8de37177  *
> > .../...2(qw*
> > 0020:  a3e6e150 a3c5 0400ff00 050100
> > *...P...
> > *
> > 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): Calling write
> > routine for 52 bytes
> > 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): 52 bytes written
> > 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): Calling read
> > routine for 5 bytes
> > 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): 5 bytes received
> > 05/08/2014-16:46:27 Thd-0 ERROR gsk_read_v3_record(): Content Type 50
> > is not supported
> > 05/08/2014-16:46:27 Thd-0 ASCII gsk_read_v3_record(): SSL record header
> > :  3232302d 57  *220-W
> > *
> > 05/08/2014-16:46:27 Thd-0 ERROR gsk_secure_socket_init(): SSL V3 client
> > handshake failed with 10.6.0.15[21]
> >
> >
> >
> > On Wed, May 7, 2014 at 4:03 PM, Gibney, Dave  wrote:
> >
> > > Add this to the FTP Client job parms:
> > > //
> > PARM=('ENVAR("GSK_TRACE=0X","GSK_TRACE_FILE=/tmp/gskwix.trc")',
> > > //'/-r TLS (TRACE EXIT')
> > >
> > > There is a formatted documented with gsktrace. Should get you to the
> > > exact error when you format gskwix.trc
> > >
> > > > -Original Message-
> > > > From: IBM Mainframe Discussion List
> > > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Post
> > > > Sent: Wednesday, May 07, 2014 12:55 PM
> > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > >
> > > > Mark,
> > > >
> > > > This may be yet another case where running strace or ltrace on the
> > > > server side will give you some insight into what is going on.  If
> > > > you don't
> > > want to go
> > > > down that road, i would say it's time to open up a PMR with IBM.
> > > >
> > > >
> > > > Mark Post
> > > >
> > > > ---
> > -
> > > > -- For IBM-MAIN subscribe / signoff / archive access instructions,
> > > > send
> > > email to
> > > > lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> > >
> > > -
> > -
> > > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> > >
> >
> >
> >
> > --
> > The postings on this site are my own and don’t necessarily represent
> > Mainline’s positions or opinions
> >
> > Mark D Pace
> > Senior Systems Engineer
> > Mainline Information Systems
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Gibney, Dave]

I haven't used SSL client verification by certificate, so you are past my 
knowledge. As an experiment, can you get a working connection using 
userid/password authentication.

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> On Behalf Of Mark Pace
> Sent: Friday, May 09, 2014 5:47 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: z/OS FTPS Client & Linux FTP server
> 
> I was able to get the Trace to work - after removing the -r TLS, that
> generated an error.
> *EZA2892I Secure port 21 does not allow the -a or -r start parameter *
> 
> And from that trace it appears, to me, that the FTP server is not
> responding correctly to the z/OS client handshake.
> 
> 05/08/2014-16:46:27 Thd-0 INFO send_v3_client_hello(): Sent V3 CLIENT-
> HELLO message
> 05/08/2014-16:46:27 Thd-0 ASCII send_v3_client_hello(): V3 CLIENT-HELLO
> message
> :  012b 0301536b ed23cf50 8d72c5f7
> *...+..Sk.#.P.r..*
> 0010:  201c1c84 2fef8ce6 3228c3b3 8de37177  *
> .../...2(qw*
> 0020:  a3e6e150 a3c5 0400ff00 050100
> *...P...
> *
> 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): Calling write
> routine for 52 bytes
> 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): 52 bytes written
> 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): Calling read
> routine for 5 bytes
> 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): 5 bytes received
> 05/08/2014-16:46:27 Thd-0 ERROR gsk_read_v3_record(): Content Type 50
> is not supported
> 05/08/2014-16:46:27 Thd-0 ASCII gsk_read_v3_record(): SSL record header
> :  3232302d 57  *220-W
> *
> 05/08/2014-16:46:27 Thd-0 ERROR gsk_secure_socket_init(): SSL V3 client
> handshake failed with 10.6.0.15[21]
> 
> 
> 
> On Wed, May 7, 2014 at 4:03 PM, Gibney, Dave  wrote:
> 
> > Add this to the FTP Client job parms:
> > //
> PARM=('ENVAR("GSK_TRACE=0X","GSK_TRACE_FILE=/tmp/gskwix.trc")',
> > //'/-r TLS (TRACE EXIT')
> >
> > There is a formatted documented with gsktrace. Should get you to the
> > exact error when you format gskwix.trc
> >
> > > -----Original Message-----
> > > From: IBM Mainframe Discussion List
> > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Post
> > > Sent: Wednesday, May 07, 2014 12:55 PM
> > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > >
> > > Mark,
> > >
> > > This may be yet another case where running strace or ltrace on the
> > > server side will give you some insight into what is going on.  If
> > > you don't
> > want to go
> > > down that road, i would say it's time to open up a PMR with IBM.
> > >
> > >
> > > Mark Post
> > >
> > > ---
> -
> > > -- For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send
> > email to
> > > lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> > -
> -
> > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> 
> 
> 
> --
> The postings on this site are my own and don’t necessarily represent
> Mainline’s positions or opinions
> 
> Mark D Pace
> Senior Systems Engineer
> Mainline Information Systems
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

ead_v3_record(): Content Type 50 is
> >> not supported
> >> 05/08/2014-16:46:27 Thd-0 ASCII gsk_read_v3_record(): SSL record
> >> header
> >> :  3232302d 57              *220-W
> >> *
> >> 05/08/2014-16:46:27 Thd-0 ERROR gsk_secure_socket_init(): SSL V3 client
> >> handshake failed with 10.6.0.15[21]
> >>
> >>
> >>
> >> On Wed, May 7, 2014 at 4:03 PM, Gibney, Dave  wrote:
> >>
> >> > Add this to the FTP Client job parms:
> >> > //
>  PARM=('ENVAR("GSK_TRACE=0X","GSK_TRACE_FILE=/tmp/gskwix.trc")',
> >> > //'/-r TLS (TRACE EXIT')
> >> >
> >> > There is a formatted documented with gsktrace. Should get you to the
> >> exact
> >> > error when you format gskwix.trc
> >> >
> >> > > -Original Message-
> >> > > From: IBM Mainframe Discussion List [mailto:
> IBM-MAIN@LISTSERV.UA.EDU]
> >> > > On Behalf Of Mark Post
> >> > > Sent: Wednesday, May 07, 2014 12:55 PM
> >> > > To: IBM-MAIN@LISTSERV.UA.EDU
> >> > > Subject: Re: z/OS FTPS Client & Linux FTP server
> >> > >
> >> > > Mark,
> >> > >
> >> > > This may be yet another case where running strace or ltrace on the
> >> server
> >> > > side will give you some insight into what is going on.  If you don't
> >> > want to go
> >> > > down that road, i would say it's time to open up a PMR with IBM.
> >> > >
> >> > >
> >> > > Mark Post
> >> > >
> >> > >
> --
> >> > > For IBM-MAIN subscribe / signoff / archive access instructions, send
> >> > email to
> >> > > lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >> >
> >> > --
> >> > For IBM-MAIN subscribe / signoff / archive access instructions,
> >> > send email to lists...@listserv.ua.edu with the message: INFO
> IBM-MAIN
> >> >
> >>
> >>
> >>
> >> --
> >> The postings on this site are my own and don’t necessarily represent
> >> Mainline’s positions or opinions
> >>
> >> Mark D Pace
> >> Senior Systems Engineer
> >> Mainline Information Systems
> >>
> >> --
> >> For IBM-MAIN subscribe / signoff / archive access instructions,
> >> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >>
> >
> >
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Rob Schramm]

I did a quick search and the error seems like a TLS 1.0 only issue.

As I remember it, the FTP TLS on z/OS is restricted to TLS 1.0 with IBM
stating something like


"please use AT-TLS... we are done putting work into task specific TLS
implementations"


AT-TLS provides support for a wider ranges of TLS levels.  It isn't too
much work to get operating for FTP.  Don't take the redbooks advice when
creating rules... the writer succeeded in making it more complicated.  Copy
an existing rule for FTP.

The key is setting up the client rule not the server rule
the SYSFTPD - FTPCDATA

TLSMECHANISM  ATTLS
secure_mechanism  tls
secure_ctrlconn   private
secure_dataconn   private
epsv4 true
TLSRFCLEVEL   RFC4217
secure_ftprequired
extensionsauth_tls
secure_pbsz   32768

You'll need PAGENT and

Obey this for TCPIP
TCPCONFIG TCPSENDBFRSIZE 32K TCPRCVBUFRSIZE 32K SENDGARBAGE FALSE TTLS

If you are after z/OS 1.13.. then the stand alone Config Assistant is not
available.. and the z/OSMF must be used.  I would not recommend hand coding
Policy Agent Rules.

Rob Schramm





Rob Schramm
Senior Systems Consultant
Imperium Group



On Fri, May 9, 2014 at 9:06 AM, Rob Schramm  wrote:

> Sorry.. was doing my post via phone..
>
> Here is the short version of GSKSRVR trace
>
> Run a GSKSRVR for SSL trace.. the only gotcha is that it must come up
> before the task you want to trace.
>
> - S GSKSRVR
> - Restart STC
> - Update GSKWTR PROC to add a dataset to hold the trace.
> - TRACE CT,WTRSTART=GSKWTR
> - TRACE CT,ON,COMP=GSKSRVR
> - R n,JOBNAME=(yyy),OPTIONS=(LEVEL=255),WTR=GSKWTR,END where yyy is the
> name of STC.
> - Recreate the problem.
> - TRACE CT,OFF,COMP=GSKSRVR
> - TRACE CT,WTRSTOP=GSKWTR
> - get into IPCS
> - update 0 DEFAULTS - Specify default dump and options with GSKWTR
> produced trace data set
> - 2 ANALYSIS - Analyze dump contents
> - 7 TRACES - Trace formatting
> - 1 CTRACE - Component trace
> - D DISPLAY - Specify parameters to display CTRACE entries
> - update "Component" with "GSKSRVR", update "Report type" with "full", and
> issue "S" to start the analysis
>
> GSKSRVR Commands#
>
> - S GSKSRVR
> - F GSKSRVR,DISPLAY CRYPTO
> - F GSKSRVR,DISPLAY LEVEL
> - F GSKSRVR,DISPLAY SIDCACHE
> - F GSKSRVR,DISPLAY XCF
> - F GSKSRVR,STOP
>
> Rob Schramm
>
> Rob Schramm
> Senior Systems Consultant
> Imperium Group
>
>
>
> On Fri, May 9, 2014 at 8:46 AM, Mark Pace  wrote:
>
>> I was able to get the Trace to work - after removing the -r TLS, that
>> generated an error.
>> *EZA2892I Secure port 21 does not allow the -a or -r start parameter *
>>
>> And from that trace it appears, to me, that the FTP server is not
>> responding correctly to the z/OS client handshake.
>>
>> 05/08/2014-16:46:27 Thd-0 INFO send_v3_client_hello(): Sent V3
>> CLIENT-HELLO
>> message
>> 05/08/2014-16:46:27 Thd-0 ASCII send_v3_client_hello(): V3 CLIENT-HELLO
>> message
>> :  012b 0301536b ed23cf50 8d72c5f7
>> *...+..Sk.#.P.r..*
>> 0010:  201c1c84 2fef8ce6 3228c3b3 8de37177  *
>> .../...2(qw*
>> 0020:  a3e6e150 a3c5 0400ff00 050100*...P...
>> *
>> 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): Calling write
>> routine
>> for 52 bytes
>> 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): 52 bytes
>> written
>> 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): Calling read routine
>> for 5 bytes
>> 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): 5 bytes
>> received
>> 05/08/2014-16:46:27 Thd-0 ERROR gsk_read_v3_record(): Content Type 50 is
>> not supported
>> 05/08/2014-16:46:27 Thd-0 ASCII gsk_read_v3_record(): SSL record
>> header
>> :  3232302d 57  *220-W
>> *
>> 05/08/2014-16:46:27 Thd-0 ERROR gsk_secure_socket_init(): SSL V3 client
>> handshake failed with 10.6.0.15[21]
>>
>>
>>
>> On Wed, May 7, 2014 at 4:03 PM, Gibney, Dave  wrote:
>>
>> > Add this to the FTP Client job parms:
>> > //  PARM=('ENVAR("GSK_TRACE=0X","GSK_TRACE_FILE=/tmp/gskwix.trc")',
>> > //'/-r TLS (TRACE EXIT')
>> >
>> > There is a formatted documented with gsktrace. Should get you to the
>> exact
>> > error when you format gskwix.trc
>> >
>> > > -Original Message-
>> > > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
>> > > On Behalf Of Mark Post
>> > > Sent: Wednesday, May 07, 2014 12:55 PM

Re: z/OS FTPS Client & Linux FTP server

[Rob Schramm]

Sorry.. was doing my post via phone..

Here is the short version of GSKSRVR trace

Run a GSKSRVR for SSL trace.. the only gotcha is that it must come up
before the task you want to trace.

- S GSKSRVR
- Restart STC
- Update GSKWTR PROC to add a dataset to hold the trace.
- TRACE CT,WTRSTART=GSKWTR
- TRACE CT,ON,COMP=GSKSRVR
- R n,JOBNAME=(yyy),OPTIONS=(LEVEL=255),WTR=GSKWTR,END where yyy is the
name of STC.
- Recreate the problem.
- TRACE CT,OFF,COMP=GSKSRVR
- TRACE CT,WTRSTOP=GSKWTR
- get into IPCS
- update 0 DEFAULTS - Specify default dump and options with GSKWTR produced
trace data set
- 2 ANALYSIS - Analyze dump contents
- 7 TRACES - Trace formatting
- 1 CTRACE - Component trace
- D DISPLAY - Specify parameters to display CTRACE entries
- update "Component" with "GSKSRVR", update "Report type" with "full", and
issue "S" to start the analysis

GSKSRVR Commands#

- S GSKSRVR
- F GSKSRVR,DISPLAY CRYPTO
- F GSKSRVR,DISPLAY LEVEL
- F GSKSRVR,DISPLAY SIDCACHE
- F GSKSRVR,DISPLAY XCF
- F GSKSRVR,STOP

Rob Schramm

Rob Schramm
Senior Systems Consultant
Imperium Group



On Fri, May 9, 2014 at 8:46 AM, Mark Pace  wrote:

> I was able to get the Trace to work - after removing the -r TLS, that
> generated an error.
> *EZA2892I Secure port 21 does not allow the -a or -r start parameter *
>
> And from that trace it appears, to me, that the FTP server is not
> responding correctly to the z/OS client handshake.
>
> 05/08/2014-16:46:27 Thd-0 INFO send_v3_client_hello(): Sent V3 CLIENT-HELLO
> message
> 05/08/2014-16:46:27 Thd-0 ASCII send_v3_client_hello(): V3 CLIENT-HELLO
> message
> :  012b 0301536b ed23cf50 8d72c5f7
> *...+..Sk.#.P.r..*
> 0010:  201c1c84 2fef8ce6 3228c3b3 8de37177  *
> .../...2(qw*
> 0020:  a3e6e150 a3c5 0400ff00 050100*...P...
> *
> 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): Calling write routine
> for 52 bytes
> 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): 52 bytes
> written
> 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): Calling read routine
> for 5 bytes
> 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): 5 bytes
> received
> 05/08/2014-16:46:27 Thd-0 ERROR gsk_read_v3_record(): Content Type 50 is
> not supported
> 05/08/2014-16:46:27 Thd-0 ASCII gsk_read_v3_record(): SSL record
> header
> :  3232302d 57  *220-W
> *
> 05/08/2014-16:46:27 Thd-0 ERROR gsk_secure_socket_init(): SSL V3 client
> handshake failed with 10.6.0.15[21]
>
>
>
> On Wed, May 7, 2014 at 4:03 PM, Gibney, Dave  wrote:
>
> > Add this to the FTP Client job parms:
> > //  PARM=('ENVAR("GSK_TRACE=0X","GSK_TRACE_FILE=/tmp/gskwix.trc")',
> > //'/-r TLS (TRACE EXIT')
> >
> > There is a formatted documented with gsktrace. Should get you to the
> exact
> > error when you format gskwix.trc
> >
> > > -----Original Message-
> > > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> > > On Behalf Of Mark Post
> > > Sent: Wednesday, May 07, 2014 12:55 PM
> > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > >
> > > Mark,
> > >
> > > This may be yet another case where running strace or ltrace on the
> server
> > > side will give you some insight into what is going on.  If you don't
> > want to go
> > > down that road, i would say it's time to open up a PMR with IBM.
> > >
> > >
> > > Mark Post
> > >
> > > --
> > > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > email to
> > > lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
>
>
>
> --
> The postings on this site are my own and don’t necessarily represent
> Mainline’s positions or opinions
>
> Mark D Pace
> Senior Systems Engineer
> Mainline Information Systems
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

I was able to get the Trace to work - after removing the -r TLS, that
generated an error.
*EZA2892I Secure port 21 does not allow the -a or -r start parameter *

And from that trace it appears, to me, that the FTP server is not
responding correctly to the z/OS client handshake.

05/08/2014-16:46:27 Thd-0 INFO send_v3_client_hello(): Sent V3 CLIENT-HELLO
message
05/08/2014-16:46:27 Thd-0 ASCII send_v3_client_hello(): V3 CLIENT-HELLO
message
:  012b 0301536b ed23cf50 8d72c5f7
*...+..Sk.#.P.r..*
0010:  201c1c84 2fef8ce6 3228c3b3 8de37177  *
.../...2(qw*
0020:  a3e6e150 a3c5 0400ff00 050100*...P...
*
05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): Calling write routine
for 52 bytes
05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): 52 bytes
written
05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): Calling read routine
for 5 bytes
05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): 5 bytes
received
05/08/2014-16:46:27 Thd-0 ERROR gsk_read_v3_record(): Content Type 50 is
not supported
05/08/2014-16:46:27 Thd-0 ASCII gsk_read_v3_record(): SSL record
header
:  3232302d 57  *220-W
*
05/08/2014-16:46:27 Thd-0 ERROR gsk_secure_socket_init(): SSL V3 client
handshake failed with 10.6.0.15[21]



On Wed, May 7, 2014 at 4:03 PM, Gibney, Dave  wrote:

> Add this to the FTP Client job parms:
> //  PARM=('ENVAR("GSK_TRACE=0X","GSK_TRACE_FILE=/tmp/gskwix.trc")',
> //'/-r TLS (TRACE EXIT')
>
> There is a formatted documented with gsktrace. Should get you to the exact
> error when you format gskwix.trc
>
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> > On Behalf Of Mark Post
> > Sent: Wednesday, May 07, 2014 12:55 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: z/OS FTPS Client & Linux FTP server
> >
> > Mark,
> >
> > This may be yet another case where running strace or ltrace on the server
> > side will give you some insight into what is going on.  If you don't
> want to go
> > down that road, i would say it's time to open up a PMR with IBM.
> >
> >
> > Mark Post
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to
> > lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Donald J.]

The root cert is all that should be needed on the z/OS side,
if linux side is set up correctly.

But as mentioned in my last email, it doesn't look like the
linux side cert file is complete.  Your server cert is issued
by a GoDaddy intermediate cert, which is issued by a
GoDaddy root cert.  I would guess your linux file only
has the server cert in it, and it needs the intermediate
cert in it as well, and optionally the root cert.

-- 
  Donald J.
  dona...@4email.net

On Thu, May 8, 2014, at 07:31 AM, Mark Pace wrote:
> I assume it's complete  - I don't see an obvious error.
 

-- 
http://www.fastmail.fm - One of many happy users:
  http://www.fastmail.fm/help/overview_quotes.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

I assume it's complete  - I don't see an obvious error.
Digital certificate information for
CERTAUTH:


  Label: Go Daddy Class
2
  Certificate ID:
2QiJmZmDhZmjgceWQMSBhISoQMOTgaKiQPJA
  Status:
TRUST

  Start Date: 2004/06/29
13:06:20
  End Date:   2034/06/29
13:06:20
  Serial
Number:


>00<

  Issuer's
Name:

   >OU=Go Daddy Class 2 Certification Authority.O=The Go Daddy Group,
Inc<

>..C=US<

  Subject's
Name:
   >OU=Go Daddy Class 2 Certification Authority.O=The Go Daddy Group,
Inc<

>..C=US<

  Signing Algorithm:
sha1RSA
  Key Type:
RSA
  Key Size:
2048
  Private Key:
NO
  Ring
Associations:

Ring Owner:
TN3270

Ring:


>TNRING<

Ring Owner:
IBMUSER

Ring:


>FtpSecur<





Wow - that SEARCH CLASS(DIGTCERT)   spewed out a lot of stuff.  I'm not
sure what I was looking for on a cursory glance.  I'll have to study that
one closer.

Question -  The certificate on my FTP server was issued by Go Daddy,  On my
z/OS system (Client)  is all I need the Go Daddy root authority certificate
- or do I need to generate a public key from my FTP server and send to z/OS
to include in a ring?



On Wed, May 7, 2014 at 6:38 PM, Neubert, Kevin
wrote:

> Is the chain complete?  Check trust and Issuer's/Subject's Names.
>  RACDCERT LIST(LABEL('Go Daddy Class 2')) CERTAUTH.  Do you have all the
> names?  SEARCH CLASS(DIGTCERT).
>
> Regards,
>
> Kevin
>
> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Mark Pace
> Sent: Wednesday, May 07, 2014 1:01 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: z/OS FTPS Client & Linux FTP server
>
> Yes, I did the digtcert refresh
>  Digital ring information for user IBMUSER:
>
>Ring:
> >FtpSecur<
>Certificate Label Name Cert Owner USAGE  DEFAULT
>         ---
>GeoTrust Global CA CERTAUTH   CERTAUTH NO
>Go Daddy Class 2   CERTAUTH   CERTAUTH YES
>
>  ***
>
> No ICH408I errors.
>
>
>
> On Wed, May 7, 2014 at 3:27 PM, Donald J.  wrote:
>
> > You did do a:
> > SETROPTS RACLIST(DIGTCERT) REFRESH
> > after last changing the keyring?
> >
> > What does the LISTRING show now?
> >
> > Does the userid submitting the batch job have any ICH408I errors in
> > the log?
> >
> > --
> >   Donald J.
> >
> >
> > --
> > http://www.fastmail.fm - Send your email first class
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
>
>
>
> --
> The postings on this site are my own and don’t necessarily represent
> Mainline’s positions or opinions
>
> Mark D Pace
> Senior Systems Engineer
> Mainline Information Systems
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send email
> to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Donald J.]

Kevin is right about the complete chain.
I issued this openssl command:
openssl s_client -connect ftp.s390.mainline.com:21 -starttls ftp -tls1
-CAfile gd-class2-root.crt
and got error:
Verify return code: 21 (unable to verify the first certificate)

I created a cacerts file with both the intermediate and root cert:
copy gd_intermediate.crt+gd-class2-root.crt daddy.cacerts.crt

Then I got code 0 with:
openssl s_client -connect ftp.s390.mainline.com:21 -starttls ftp -tls1
-CAfile daddy.cacerts.crt

So your rsa_cert_file=/etc/vsftpd/mainline-wc-2011.crt file probably
does not have the chain
of 3 certs in it:  They should be stacked in the file as follows:

-BEGIN CERTIFICATE-
mainline server cert
-END CERTIFICATE-
-BEGIN CERTIFICATE-
gd_intermediate.crt cert
-END CERTIFICATE-
-BEGIN CERTIFICATE-
gd-class2-root.crt cert
-END CERTIFICATE-

Filezilla is not a good program to test with, as it appears to not do
server cert 
authenticatation.  It is better to use curl for windows or curl for
z/OS.

-- 
  Donald J.
  dona...@4email.net

On Wed, May 7, 2014, at 03:38 PM, Neubert, Kevin wrote:
> Is the chain complete?  Check trust and Issuer's/Subject's Names. 
> RACDCERT LIST(LABEL('Go Daddy Class 2')) CERTAUTH.  Do you have all the
> names?  SEARCH CLASS(DIGTCERT).
> 
> Regards,
> 
> Kevin
> 
 
> 
>Ring:
> >FtpSecur<
>Certificate Label Name Cert Owner USAGE  DEFAULT
>         ---
>GeoTrust Global CA CERTAUTH   CERTAUTH NO
>Go Daddy Class 2   CERTAUTH   CERTAUTH YES
 

-- 
http://www.fastmail.fm - Choose from over 50 domains or use your own

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Neubert, Kevin]

Is the chain complete?  Check trust and Issuer's/Subject's Names.  RACDCERT 
LIST(LABEL('Go Daddy Class 2')) CERTAUTH.  Do you have all the names?  SEARCH 
CLASS(DIGTCERT).

Regards,

Kevin

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Mark Pace
Sent: Wednesday, May 07, 2014 1:01 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OS FTPS Client & Linux FTP server

Yes, I did the digtcert refresh
 Digital ring information for user IBMUSER:

   Ring:
>FtpSecur<
   Certificate Label Name Cert Owner USAGE  DEFAULT
            ---
   GeoTrust Global CA CERTAUTH   CERTAUTH NO
   Go Daddy Class 2   CERTAUTH   CERTAUTH YES

 ***

No ICH408I errors.



On Wed, May 7, 2014 at 3:27 PM, Donald J.  wrote:

> You did do a:
> SETROPTS RACLIST(DIGTCERT) REFRESH
> after last changing the keyring?
>
> What does the LISTRING show now?
>
> Does the userid submitting the batch job have any ICH408I errors in 
> the log?
>
> --
>   Donald J.
>
>
> --
> http://www.fastmail.fm - Send your email first class
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send 
> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



--
The postings on this site are my own and don’t necessarily represent Mainline’s 
positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Donald J.]

You need to change that to DEFAULT NO.

-- 
  Donald J.
  dona...@4email.net

On Wed, May 7, 2014, at 01:01 PM, Mark Pace wrote:
> Yes, I did the digtcert refresh
>  Digital ring information for user IBMUSER:
> 
>Ring:
> >FtpSecur<
>Certificate Label Name Cert Owner USAGE  DEFAULT
>         ---
>GeoTrust Global CA CERTAUTH   CERTAUTH NO
>Go Daddy Class 2   CERTAUTH   CERTAUTH YES
> 
>  ***
> 
> No ICH408I errors.
> 
> 
> 
> On Wed, May 7, 2014 at 3:27 PM, Donald J.  wrote:
> 
> > You did do a:
> > SETROPTS RACLIST(DIGTCERT) REFRESH
> > after last changing the keyring?
> >
> > What does the LISTRING show now?
> >
> > Does the userid submitting the batch job have any ICH408I
> > errors in the log?
> >
> > --
> >   Donald J.
> >
> >
> > --
> > http://www.fastmail.fm - Send your email first class
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> 
> 
> 
> -- 
> The postings on this site are my own and don’t necessarily represent
> Mainline’s positions or opinions
> 
> Mark D Pace
> Senior Systems Engineer
> Mainline Information Systems
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

-- 
http://www.fastmail.fm - Or how I learned to stop worrying and
  love email again

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

Thank you.   I will give that a try tomorrow.   Today - my brain hurts.  :)


On Wed, May 7, 2014 at 4:03 PM, Gibney, Dave  wrote:

> Add this to the FTP Client job parms:
> //  PARM=('ENVAR("GSK_TRACE=0X","GSK_TRACE_FILE=/tmp/gskwix.trc")',
> //'/-r TLS (TRACE EXIT')
>
> There is a formatted documented with gsktrace. Should get you to the exact
> error when you format gskwix.trc
>
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> > On Behalf Of Mark Post
> > Sent: Wednesday, May 07, 2014 12:55 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: z/OS FTPS Client & Linux FTP server
> >
> > Mark,
> >
> > This may be yet another case where running strace or ltrace on the server
> > side will give you some insight into what is going on.  If you don't
> want to go
> > down that road, i would say it's time to open up a PMR with IBM.
> >
> >
> > Mark Post
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to
> > lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Gibney, Dave]

Add this to the FTP Client job parms:
//  PARM=('ENVAR("GSK_TRACE=0X","GSK_TRACE_FILE=/tmp/gskwix.trc")',
//'/-r TLS (TRACE EXIT')   

There is a formatted documented with gsktrace. Should get you to the exact 
error when you format gskwix.trc

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> On Behalf Of Mark Post
> Sent: Wednesday, May 07, 2014 12:55 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: z/OS FTPS Client & Linux FTP server
> 
> Mark,
> 
> This may be yet another case where running strace or ltrace on the server
> side will give you some insight into what is going on.  If you don't want to 
> go
> down that road, i would say it's time to open up a PMR with IBM.
> 
> 
> Mark Post
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send email to
> lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

Yes, I did the digtcert refresh
 Digital ring information for user IBMUSER:

   Ring:
>FtpSecur<
   Certificate Label Name Cert Owner USAGE  DEFAULT
            ---
   GeoTrust Global CA CERTAUTH   CERTAUTH NO
   Go Daddy Class 2   CERTAUTH   CERTAUTH YES

 ***

No ICH408I errors.



On Wed, May 7, 2014 at 3:27 PM, Donald J.  wrote:

> You did do a:
> SETROPTS RACLIST(DIGTCERT) REFRESH
> after last changing the keyring?
>
> What does the LISTRING show now?
>
> Does the userid submitting the batch job have any ICH408I
> errors in the log?
>
> --
>   Donald J.
>
>
> --
> http://www.fastmail.fm - Send your email first class
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Mark Post]

Mark,

This may be yet another case where running strace or ltrace on the server side 
will give you some insight into what is going on.  If you don't want to go down 
that road, i would say it's time to open up a PMR with IBM.


Mark Post

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Brian France]

I see you have pasv_enable=yes

I think there's a setting in z/OS parms maybe related. EPSV4 True

On 5/7/2014 3:36 PM, Mark Pace wrote:

I had looked at that also.  The vsftpd config -  comments removed for
brevity.
listen=YES
max_clients=20
use_localtime=YES
log_ftp_protocol=YES
# enable FTPS
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_request_cert=NO
rsa_cert_file=/etc/vsftpd/mainline-wc-2011.crt
rsa_private_key_file=/etc/vsftpd/mainline-wc-2011.key
ssl_ciphers=RC4-SHA
debug_ssl=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
anon_umask=666
anon_upload_enable=NO
dirmessage_enable=YES
message_file=.message
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
banner_file=/etc/vsftpd.banner
deny_email_enable=YES
banned_email_file=/etc/vsftpd.banned_emails
chroot_local_user=YES

pasv_enable=YES
listen_ipv6=NO



On Wed, May 7, 2014 at 3:20 PM, Gibney, Dave  wrote:


I am now reminded of a difficulty I had with this once. My plea to the
list(s) resulted in this:

Skip to site navigation (Press enter)
Re: FTP TLS Handshake Fails with SSL RC 410 Cal McCracken Thu, 10 Mar 2011
07:44:54 -0800

Thanks to a private responder, I was able to get this resolved. I don't
know if the SSL RC 410 covers other error situations, but in my case, the
resolution was to set configuration parm, ssl_request_cert to NO (defaults
to YES). This is a config parm for the vsftpd FTP server on our Linux
system.

My humble thanks to the responder.




-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
On Behalf Of Mark Pace
Sent: Wednesday, May 07, 2014 12:02 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OS FTPS Client & Linux FTP server

And for giggles I setup another Linux FTP server - this one pure-ftpd -

again no

issues connecting with a windows FTPS client - still no connection with

z/OS.


On Wed, May 7, 2014 at 2:39 PM, Mark Pace 
wrote:


Yes - it was at that time.  Since I started working on the RACF
certs/keyring stuff the ftp.data has been updated as I go along.

  Currently.

SECURE_CTRLCONN  CLEAR
SECURE_DATACONN  PRIVATE
SECURE_FTP   REQUIRED
SECURE_HOSTNAME  OPTIONAL
SECURE_MECHANISM TLS
KEYRING  IBMUSER/FtpSecur
TLSPORT  21
TLSRFCLEVEL  CCCNONOTIFY
TLSTIMEOUT 10
;
;CTRLCONN 7BIT
SECUREIMPLICITZOS FALSE
TLSMECHANISM  FTP
CIPHERSUITE   SSL_RC4_SHA
;
DEBUG SEC


On Wed, May 7, 2014 at 2:06 PM, Gibney, Dave  wrote:


You said latest, so maybe you have tried others. In the parms listed
here, your keyring is commented out.


-Original Message-
From: IBM Mainframe Discussion List
[mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
Sent: Wednesday, May 07, 2014 5:26 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: z/OS FTPS Client & Linux FTP server

Has anyone successfully sent data to a Linux FTP server using TLS

security

from the z/OS FTP client?

I have a Linux server running vsftpd - I've been using it for years
to

send SMF

data.  I've added TLS support to this server.  I've verified that
the

Secure

connect works via a Filezilla client,

So now I would like to be able to send SMF data to the server.  But
I

always

get an authentication failure.  I've tried every combination of
Security parameters I can come up with.

These are the latest parms in my ftp.data file.

;SECURE_CTRLCONN SAFE
SECURE_DATACONN CLEAR
SECURE_FTP REQUIRED
SECURE_HOSTNAME OPTIONAL
SECURE_MECHANISM TLS
SECUREIMPLICITZOS FALSE
CIPHERSUITE SSL_RC4_SHA
;KEYRING IBMUSER/SecureFTPKeyRing
TLSPORT 21
TLSRFCLEVEL CCCNONOTIFY
TLSTIMEOUT 10
;SECURE_PBSZ 16384
;
;CTRLCONN 7BIT

I'm beginning to think I am doing something fundamentally wrong
instead

of

it being a matter of wrong parameters.

//FTP  EXEC PGM=FTP,REGION=5M,PARM='(EXIT'
//SYSPRINT  DD  SYSOUT=*
//SYSFTPD   DD  DISP=SHR,DSN=MARPACE.JCL.CNTL(FTPSDATA)
//OUTPUTDD  SYSOUT=*
//INPUT DD  *  USE LOWER CASE BELOW
ftp.s390.mainline.com
userid password
dir
quit


EZA1736I FTP
(EXIT

EZY2640I Using dd:SYSFTPD=MARPACE.JCL.CNTL(FTPSDATA) for local site
configuration parameters.
EZA1450I IBM FTP CS
V2R1
EZA1772I FTP: EXIT has been
set.
EZA1456I Connect to
?
EZA1736I ftp.s390.mainline.com

EZA1554I Connecting to: ftp.s390.mainline.com 10.6.0.10 port:
21.
EZA2897I Authentication negotiation failed EZA2898I Unable to
successfully negotiate required authentication

EZA1735I

Std Return Code = 1, Error Code =
00017








--
The postings on this site are my own and don’t necessarily
represent Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

---
--- For IBM-MAIN subscribe / signoff / archive access instructions,
send

email to

lis

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

Hi, Mark -
That is contained in the ftp.data file  DD name SYSFTPD.  In this case the
DSN is
MARPACE.JCL.CNTL(FTPSDATA)

which contains
SECURE_CTRLCONN  CLEAR
SECURE_DATACONN  PRIVATE
SECURE_FTP   REQUIRED
SECURE_HOSTNAME  OPTIONAL
SECURE_MECHANISM TLS
KEYRING  IBMUSER/FtpSecur
TLSPORT  21
TLSRFCLEVEL  CCCNONOTIFY
TLSTIMEOUT 10
;
;CTRLCONN 7BIT
SECUREIMPLICITZOS FALSE
TLSMECHANISM  FTP
CIPHERSUITE   SSL_RC4_SHA
;
DEBUG SEC


On Wed, May 7, 2014 at 3:36 PM, Mark Post  wrote:

> >>> On 5/7/2014 at 08:25 AM, Mark Pace  wrote:
> > I'm beginning to think I am doing something fundamentally wrong instead
> of
> > it being a matter of wrong parameters.
> >
> > //FTP  EXEC PGM=FTP,REGION=5M,PARM='(EXIT'
> > //SYSPRINT  DD  SYSOUT=*
> > //SYSFTPD   DD  DISP=SHR,DSN=MARPACE.JCL.CNTL(FTPSDATA)
> > //OUTPUTDD  SYSOUT=*
> > //INPUT DD  *  USE LOWER CASE BELOW
> > ftp.s390.mainline.com
> > userid password
> > dir
> > quit
>
> I'm not at all familiar with the z/OS FTP client, so this may be entirely
> irrelevant.  But, where in this JCL stream are you telling the client to
> try to use SSL and not just plain-text FTP?
>
>
> Mark Post
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Mark Post]

>>> On 5/7/2014 at 08:25 AM, Mark Pace  wrote: 
> I'm beginning to think I am doing something fundamentally wrong instead of
> it being a matter of wrong parameters.
> 
> //FTP  EXEC PGM=FTP,REGION=5M,PARM='(EXIT'
> //SYSPRINT  DD  SYSOUT=*
> //SYSFTPD   DD  DISP=SHR,DSN=MARPACE.JCL.CNTL(FTPSDATA)
> //OUTPUTDD  SYSOUT=*
> //INPUT DD  *  USE LOWER CASE BELOW
> ftp.s390.mainline.com
> userid password
> dir
> quit

I'm not at all familiar with the z/OS FTP client, so this may be entirely 
irrelevant.  But, where in this JCL stream are you telling the client to try to 
use SSL and not just plain-text FTP?


Mark Post

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

I had looked at that also.  The vsftpd config -  comments removed for
brevity.
listen=YES
max_clients=20
use_localtime=YES
log_ftp_protocol=YES
# enable FTPS
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_request_cert=NO
rsa_cert_file=/etc/vsftpd/mainline-wc-2011.crt
rsa_private_key_file=/etc/vsftpd/mainline-wc-2011.key
ssl_ciphers=RC4-SHA
debug_ssl=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
anon_umask=666
anon_upload_enable=NO
dirmessage_enable=YES
message_file=.message
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
banner_file=/etc/vsftpd.banner
deny_email_enable=YES
banned_email_file=/etc/vsftpd.banned_emails
chroot_local_user=YES

pasv_enable=YES
listen_ipv6=NO



On Wed, May 7, 2014 at 3:20 PM, Gibney, Dave  wrote:

> I am now reminded of a difficulty I had with this once. My plea to the
> list(s) resulted in this:
>
> Skip to site navigation (Press enter)
> Re: FTP TLS Handshake Fails with SSL RC 410 Cal McCracken Thu, 10 Mar 2011
> 07:44:54 -0800
>
> Thanks to a private responder, I was able to get this resolved. I don't
> know if the SSL RC 410 covers other error situations, but in my case, the
> resolution was to set configuration parm, ssl_request_cert to NO (defaults
> to YES). This is a config parm for the vsftpd FTP server on our Linux
> system.
>
> My humble thanks to the responder.
>
>
>
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> > On Behalf Of Mark Pace
> > Sent: Wednesday, May 07, 2014 12:02 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: z/OS FTPS Client & Linux FTP server
> >
> > And for giggles I setup another Linux FTP server - this one pure-ftpd -
> again no
> > issues connecting with a windows FTPS client - still no connection with
> z/OS.
> >
> >
> > On Wed, May 7, 2014 at 2:39 PM, Mark Pace 
> > wrote:
> >
> > > Yes - it was at that time.  Since I started working on the RACF
> > > certs/keyring stuff the ftp.data has been updated as I go along.
>  Currently.
> > >
> > > SECURE_CTRLCONN  CLEAR
> > > SECURE_DATACONN  PRIVATE
> > > SECURE_FTP   REQUIRED
> > > SECURE_HOSTNAME  OPTIONAL
> > > SECURE_MECHANISM TLS
> > > KEYRING  IBMUSER/FtpSecur
> > > TLSPORT  21
> > > TLSRFCLEVEL  CCCNONOTIFY
> > > TLSTIMEOUT 10
> > > ;
> > > ;CTRLCONN 7BIT
> > > SECUREIMPLICITZOS FALSE
> > > TLSMECHANISM  FTP
> > > CIPHERSUITE   SSL_RC4_SHA
> > > ;
> > > DEBUG SEC
> > >
> > >
> > > On Wed, May 7, 2014 at 2:06 PM, Gibney, Dave  wrote:
> > >
> > >> You said latest, so maybe you have tried others. In the parms listed
> > >> here, your keyring is commented out.
> > >>
> > >> > -Original Message-
> > >> > From: IBM Mainframe Discussion List
> > >> > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
> > >> > Sent: Wednesday, May 07, 2014 5:26 AM
> > >> > To: IBM-MAIN@LISTSERV.UA.EDU
> > >> > Subject: z/OS FTPS Client & Linux FTP server
> > >> >
> > >> > Has anyone successfully sent data to a Linux FTP server using TLS
> > >> security
> > >> > from the z/OS FTP client?
> > >> >
> > >> > I have a Linux server running vsftpd - I've been using it for years
> > >> > to
> > >> send SMF
> > >> > data.  I've added TLS support to this server.  I've verified that
> > >> > the
> > >> Secure
> > >> > connect works via a Filezilla client,
> > >> >
> > >> > So now I would like to be able to send SMF data to the server.  But
> > >> > I
> > >> always
> > >> > get an authentication failure.  I've tried every combination of
> > >> > Security parameters I can come up with.
> > >> >
> > >> > These are the latest parms in my ftp.data file.
> > >> >
> > >> > ;SECURE_CTRLCONN SAFE
> > >> > SECURE_DATACONN CLEAR
> > >> > SECURE_FTP REQUIRED
> > >> > SECURE_HOSTNAME OPTIONAL
> > >> > SECURE_MECHANISM TLS
> > >> > SECUREIMPLICITZOS FALSE
> > >> > CIPHERSUITE SSL_RC4_SHA
> > >> > ;KEYRING IBMUSER/SecureFTPKeyRing
> > >> > TLSPORT 21
> > >&

Re: z/OS FTPS Client & Linux FTP server

[Donald J.]

You did do a:
SETROPTS RACLIST(DIGTCERT) REFRESH  
after last changing the keyring?

What does the LISTRING show now?

Does the userid submitting the batch job have any ICH408I 
errors in the log?

-- 
  Donald J.
 

-- 
http://www.fastmail.fm - Send your email first class

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Gibney, Dave]

I am now reminded of a difficulty I had with this once. My plea to the list(s) 
resulted in this:

Skip to site navigation (Press enter)
Re: FTP TLS Handshake Fails with SSL RC 410 Cal McCracken Thu, 10 Mar 2011 
07:44:54 -0800 

Thanks to a private responder, I was able to get this resolved. I don't know if 
the SSL RC 410 covers other error situations, but in my case, the resolution 
was to set configuration parm, ssl_request_cert to NO (defaults to YES). This 
is a config parm for the vsftpd FTP server on our Linux system. 
 
My humble thanks to the responder.



> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> On Behalf Of Mark Pace
> Sent: Wednesday, May 07, 2014 12:02 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: z/OS FTPS Client & Linux FTP server
> 
> And for giggles I setup another Linux FTP server - this one pure-ftpd - again 
> no
> issues connecting with a windows FTPS client - still no connection with z/OS.
> 
> 
> On Wed, May 7, 2014 at 2:39 PM, Mark Pace 
> wrote:
> 
> > Yes - it was at that time.  Since I started working on the RACF
> > certs/keyring stuff the ftp.data has been updated as I go along.  Currently.
> >
> > SECURE_CTRLCONN  CLEAR
> > SECURE_DATACONN  PRIVATE
> > SECURE_FTP   REQUIRED
> > SECURE_HOSTNAME  OPTIONAL
> > SECURE_MECHANISM TLS
> > KEYRING  IBMUSER/FtpSecur
> > TLSPORT  21
> > TLSRFCLEVEL  CCCNONOTIFY
> > TLSTIMEOUT 10
> > ;
> > ;CTRLCONN 7BIT
> > SECUREIMPLICITZOS FALSE
> > TLSMECHANISM  FTP
> > CIPHERSUITE   SSL_RC4_SHA
> > ;
> > DEBUG SEC
> >
> >
> > On Wed, May 7, 2014 at 2:06 PM, Gibney, Dave  wrote:
> >
> >> You said latest, so maybe you have tried others. In the parms listed
> >> here, your keyring is commented out.
> >>
> >> > -----Original Message-----
> >> > From: IBM Mainframe Discussion List
> >> > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
> >> > Sent: Wednesday, May 07, 2014 5:26 AM
> >> > To: IBM-MAIN@LISTSERV.UA.EDU
> >> > Subject: z/OS FTPS Client & Linux FTP server
> >> >
> >> > Has anyone successfully sent data to a Linux FTP server using TLS
> >> security
> >> > from the z/OS FTP client?
> >> >
> >> > I have a Linux server running vsftpd - I've been using it for years
> >> > to
> >> send SMF
> >> > data.  I've added TLS support to this server.  I've verified that
> >> > the
> >> Secure
> >> > connect works via a Filezilla client,
> >> >
> >> > So now I would like to be able to send SMF data to the server.  But
> >> > I
> >> always
> >> > get an authentication failure.  I've tried every combination of
> >> > Security parameters I can come up with.
> >> >
> >> > These are the latest parms in my ftp.data file.
> >> >
> >> > ;SECURE_CTRLCONN SAFE
> >> > SECURE_DATACONN CLEAR
> >> > SECURE_FTP REQUIRED
> >> > SECURE_HOSTNAME OPTIONAL
> >> > SECURE_MECHANISM TLS
> >> > SECUREIMPLICITZOS FALSE
> >> > CIPHERSUITE SSL_RC4_SHA
> >> > ;KEYRING IBMUSER/SecureFTPKeyRing
> >> > TLSPORT 21
> >> > TLSRFCLEVEL CCCNONOTIFY
> >> > TLSTIMEOUT 10
> >> > ;SECURE_PBSZ 16384
> >> > ;
> >> > ;CTRLCONN 7BIT
> >> >
> >> > I'm beginning to think I am doing something fundamentally wrong
> >> > instead
> >> of
> >> > it being a matter of wrong parameters.
> >> >
> >> > //FTP  EXEC PGM=FTP,REGION=5M,PARM='(EXIT'
> >> > //SYSPRINT  DD  SYSOUT=*
> >> > //SYSFTPD   DD  DISP=SHR,DSN=MARPACE.JCL.CNTL(FTPSDATA)
> >> > //OUTPUTDD  SYSOUT=*
> >> > //INPUT DD  *  USE LOWER CASE BELOW
> >> > ftp.s390.mainline.com
> >> > userid password
> >> > dir
> >> > quit
> >> >
> >> >
> >> > EZA1736I FTP
> >> > (EXIT
> >> >
> >> > EZY2640I Using dd:SYSFTPD=MARPACE.JCL.CNTL(FTPSDATA) for local site
> >> > configuration parameters.
> >> > EZA1450I IBM FTP CS
> >> > V2R1
> >> > EZA1772I FTP: EXIT has been
> >> > set.
> >> > EZA1456I Connect to
> >> > ?
> >> > EZA1736I ftp.s390.mainline.com
> >> >
> >

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

And for giggles I setup another Linux FTP server - this one pure-ftpd -
again no issues connecting with a windows FTPS client - still no connection
with z/OS.


On Wed, May 7, 2014 at 2:39 PM, Mark Pace  wrote:

> Yes - it was at that time.  Since I started working on the RACF
> certs/keyring stuff the ftp.data has been updated as I go along.  Currently.
>
> SECURE_CTRLCONN  CLEAR
> SECURE_DATACONN  PRIVATE
> SECURE_FTP   REQUIRED
> SECURE_HOSTNAME  OPTIONAL
> SECURE_MECHANISM TLS
> KEYRING  IBMUSER/FtpSecur
> TLSPORT  21
> TLSRFCLEVEL  CCCNONOTIFY
> TLSTIMEOUT 10
> ;
> ;CTRLCONN 7BIT
> SECUREIMPLICITZOS FALSE
> TLSMECHANISM  FTP
> CIPHERSUITE   SSL_RC4_SHA
> ;
> DEBUG SEC
>
>
> On Wed, May 7, 2014 at 2:06 PM, Gibney, Dave  wrote:
>
>> You said latest, so maybe you have tried others. In the parms listed
>> here, your keyring is commented out.
>>
>> > -Original Message-
>> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
>> > On Behalf Of Mark Pace
>> > Sent: Wednesday, May 07, 2014 5:26 AM
>> > To: IBM-MAIN@LISTSERV.UA.EDU
>> > Subject: z/OS FTPS Client & Linux FTP server
>> >
>> > Has anyone successfully sent data to a Linux FTP server using TLS
>> security
>> > from the z/OS FTP client?
>> >
>> > I have a Linux server running vsftpd - I've been using it for years to
>> send SMF
>> > data.  I've added TLS support to this server.  I've verified that the
>> Secure
>> > connect works via a Filezilla client,
>> >
>> > So now I would like to be able to send SMF data to the server.  But I
>> always
>> > get an authentication failure.  I've tried every combination of Security
>> > parameters I can come up with.
>> >
>> > These are the latest parms in my ftp.data file.
>> >
>> > ;SECURE_CTRLCONN SAFE
>> > SECURE_DATACONN CLEAR
>> > SECURE_FTP REQUIRED
>> > SECURE_HOSTNAME OPTIONAL
>> > SECURE_MECHANISM TLS
>> > SECUREIMPLICITZOS FALSE
>> > CIPHERSUITE SSL_RC4_SHA
>> > ;KEYRING IBMUSER/SecureFTPKeyRing
>> > TLSPORT 21
>> > TLSRFCLEVEL CCCNONOTIFY
>> > TLSTIMEOUT 10
>> > ;SECURE_PBSZ 16384
>> > ;
>> > ;CTRLCONN 7BIT
>> >
>> > I'm beginning to think I am doing something fundamentally wrong instead
>> of
>> > it being a matter of wrong parameters.
>> >
>> > //FTP  EXEC PGM=FTP,REGION=5M,PARM='(EXIT'
>> > //SYSPRINT  DD  SYSOUT=*
>> > //SYSFTPD   DD  DISP=SHR,DSN=MARPACE.JCL.CNTL(FTPSDATA)
>> > //OUTPUTDD  SYSOUT=*
>> > //INPUT DD  *  USE LOWER CASE BELOW
>> > ftp.s390.mainline.com
>> > userid password
>> > dir
>> > quit
>> >
>> >
>> > EZA1736I FTP
>> > (EXIT
>> >
>> > EZY2640I Using dd:SYSFTPD=MARPACE.JCL.CNTL(FTPSDATA) for local site
>> > configuration parameters.
>> > EZA1450I IBM FTP CS
>> > V2R1
>> > EZA1772I FTP: EXIT has been
>> > set.
>> > EZA1456I Connect to
>> > ?
>> > EZA1736I ftp.s390.mainline.com
>> >
>> > EZA1554I Connecting to: ftp.s390.mainline.com 10.6.0.10 port:
>> > 21.
>> > EZA2897I Authentication negotiation
>> > failed
>> > EZA2898I Unable to successfully negotiate required authentication
>> EZA1735I
>> > Std Return Code = 1, Error Code =
>> > 00017
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> > --
>> > The postings on this site are my own and don’t necessarily represent
>> > Mainline’s positions or opinions
>> >
>> > Mark D Pace
>> > Senior Systems Engineer
>> > Mainline Information Systems
>> >
>> > --
>> > For IBM-MAIN subscribe / signoff / archive access instructions, send
>> email to
>> > lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>
>
>
>
> --
> The postings on this site are my own and don’t necessarily represent
> Mainline’s positions or opinions
>
> Mark D Pace
> Senior Systems Engineer
> Mainline Information Systems
>
>
>
>


-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

Yes - it was at that time.  Since I started working on the RACF
certs/keyring stuff the ftp.data has been updated as I go along.  Currently.

SECURE_CTRLCONN  CLEAR
SECURE_DATACONN  PRIVATE
SECURE_FTP   REQUIRED
SECURE_HOSTNAME  OPTIONAL
SECURE_MECHANISM TLS
KEYRING  IBMUSER/FtpSecur
TLSPORT  21
TLSRFCLEVEL  CCCNONOTIFY
TLSTIMEOUT 10
;
;CTRLCONN 7BIT
SECUREIMPLICITZOS FALSE
TLSMECHANISM  FTP
CIPHERSUITE   SSL_RC4_SHA
;
DEBUG SEC


On Wed, May 7, 2014 at 2:06 PM, Gibney, Dave  wrote:

> You said latest, so maybe you have tried others. In the parms listed here,
> your keyring is commented out.
>
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> > On Behalf Of Mark Pace
> > Sent: Wednesday, May 07, 2014 5:26 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: z/OS FTPS Client & Linux FTP server
> >
> > Has anyone successfully sent data to a Linux FTP server using TLS
> security
> > from the z/OS FTP client?
> >
> > I have a Linux server running vsftpd - I've been using it for years to
> send SMF
> > data.  I've added TLS support to this server.  I've verified that the
> Secure
> > connect works via a Filezilla client,
> >
> > So now I would like to be able to send SMF data to the server.  But I
> always
> > get an authentication failure.  I've tried every combination of Security
> > parameters I can come up with.
> >
> > These are the latest parms in my ftp.data file.
> >
> > ;SECURE_CTRLCONN SAFE
> > SECURE_DATACONN CLEAR
> > SECURE_FTP REQUIRED
> > SECURE_HOSTNAME OPTIONAL
> > SECURE_MECHANISM TLS
> > SECUREIMPLICITZOS FALSE
> > CIPHERSUITE SSL_RC4_SHA
> > ;KEYRING IBMUSER/SecureFTPKeyRing
> > TLSPORT 21
> > TLSRFCLEVEL CCCNONOTIFY
> > TLSTIMEOUT 10
> > ;SECURE_PBSZ 16384
> > ;
> > ;CTRLCONN 7BIT
> >
> > I'm beginning to think I am doing something fundamentally wrong instead
> of
> > it being a matter of wrong parameters.
> >
> > //FTP  EXEC PGM=FTP,REGION=5M,PARM='(EXIT'
> > //SYSPRINT  DD  SYSOUT=*
> > //SYSFTPD   DD  DISP=SHR,DSN=MARPACE.JCL.CNTL(FTPSDATA)
> > //OUTPUTDD  SYSOUT=*
> > //INPUT DD  *  USE LOWER CASE BELOW
> > ftp.s390.mainline.com
> > userid password
> > dir
> > quit
> >
> >
> > EZA1736I FTP
> > (EXIT
> >
> > EZY2640I Using dd:SYSFTPD=MARPACE.JCL.CNTL(FTPSDATA) for local site
> > configuration parameters.
> > EZA1450I IBM FTP CS
> > V2R1
> > EZA1772I FTP: EXIT has been
> > set.
> > EZA1456I Connect to
> > ?
> > EZA1736I ftp.s390.mainline.com
> >
> > EZA1554I Connecting to: ftp.s390.mainline.com 10.6.0.10 port:
> > 21.
> > EZA2897I Authentication negotiation
> > failed
> > EZA2898I Unable to successfully negotiate required authentication
> EZA1735I
> > Std Return Code = 1, Error Code =
> > 00017
> >
> >
> >
> >
> >
> >
> >
> >
> > --
> > The postings on this site are my own and don’t necessarily represent
> > Mainline’s positions or opinions
> >
> > Mark D Pace
> > Senior Systems Engineer
> > Mainline Information Systems
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to
> > lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Gibney, Dave]

You said latest, so maybe you have tried others. In the parms listed here, your 
keyring is commented out.

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> On Behalf Of Mark Pace
> Sent: Wednesday, May 07, 2014 5:26 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: z/OS FTPS Client & Linux FTP server
> 
> Has anyone successfully sent data to a Linux FTP server using TLS security
> from the z/OS FTP client?
> 
> I have a Linux server running vsftpd - I've been using it for years to send 
> SMF
> data.  I've added TLS support to this server.  I've verified that the Secure
> connect works via a Filezilla client,
> 
> So now I would like to be able to send SMF data to the server.  But I always
> get an authentication failure.  I've tried every combination of Security
> parameters I can come up with.
> 
> These are the latest parms in my ftp.data file.
> 
> ;SECURE_CTRLCONN SAFE
> SECURE_DATACONN CLEAR
> SECURE_FTP REQUIRED
> SECURE_HOSTNAME OPTIONAL
> SECURE_MECHANISM TLS
> SECUREIMPLICITZOS FALSE
> CIPHERSUITE SSL_RC4_SHA
> ;KEYRING IBMUSER/SecureFTPKeyRing
> TLSPORT 21
> TLSRFCLEVEL CCCNONOTIFY
> TLSTIMEOUT 10
> ;SECURE_PBSZ 16384
> ;
> ;CTRLCONN 7BIT
> 
> I'm beginning to think I am doing something fundamentally wrong instead of
> it being a matter of wrong parameters.
> 
> //FTP  EXEC PGM=FTP,REGION=5M,PARM='(EXIT'
> //SYSPRINT  DD  SYSOUT=*
> //SYSFTPD   DD  DISP=SHR,DSN=MARPACE.JCL.CNTL(FTPSDATA)
> //OUTPUTDD  SYSOUT=*
> //INPUT DD  *  USE LOWER CASE BELOW
> ftp.s390.mainline.com
> userid password
> dir
> quit
> 
> 
> EZA1736I FTP
> (EXIT
> 
> EZY2640I Using dd:SYSFTPD=MARPACE.JCL.CNTL(FTPSDATA) for local site
> configuration parameters.
> EZA1450I IBM FTP CS
> V2R1
> EZA1772I FTP: EXIT has been
> set.
> EZA1456I Connect to
> ?
> EZA1736I ftp.s390.mainline.com
> 
> EZA1554I Connecting to: ftp.s390.mainline.com 10.6.0.10 port:
> 21.
> EZA2897I Authentication negotiation
> failed
> EZA2898I Unable to successfully negotiate required authentication EZA1735I
> Std Return Code = 1, Error Code =
> 00017
> 
> 
> 
> 
> 
> 
> 
> 
> --
> The postings on this site are my own and don’t necessarily represent
> Mainline’s positions or opinions
> 
> Mark D Pace
> Senior Systems Engineer
> Mainline Information Systems
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send email to
> lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

Anything is possible.  The vsftpd server is of no use for debugging.  There
is an ssl_debug parameter, but it doesn't produce any output.


On Wed, May 7, 2014 at 1:19 PM, Brian France  wrote:

> I saw this same message before. We had a guy here that ran a tcp trace
> during the connection process, moved it to a linux workstation and used
> TCPDUMP? on it. What he determined was the windows server we were trying to
> connect to had a checkpoint firewall and it actually was re-writting the
> first two byes of the cert. There was a setting that had to change. I know
> you said no firewalls BUT is it possible that something else is doing this
> on the linux server? A setting in VSFTP maybe? He left doc somewhere and if
> you're interested I'll dig it up.
>
>
> On 5/7/2014 10:38 AM, Mark Pace wrote:
>
>> Trying to turn on some DEBUG information
>> DEBUG FLO
>>
>> FC1003 authServer: secure_socket_init failed with rc = 410 (SSL message
>> format is incorrect)
>>
>> So not to try to figure out where to find this error message.
>>
>>
>> On Wed, May 7, 2014 at 10:19 AM, Mark Pace 
>> wrote:
>>
>>  I remember setting up something very similar to connect to IBM.   So I
>>> added the GoDady cert to the same keyring.
>>>
>>> sr cla(digtring)
>>> IBMUSER.smpemaint
>>> *IBMUSER.FtpSecur *
>>>
>>> IBMUSER.IBMRing
>>> IBMUSER.SecureFTPKeyRing
>>> IBMUSER.SMPEMAINT
>>> TN3270.TNRING
>>> ***
>>>
>>>
>>>
>>> racdcert id(ibmuser) listring(*FtpSecur*)
>>>
>>> Digital ring information for user IBMUSER:
>>>
>>>Ring:
>>> >FtpSecur<
>>>Certificate Label Name Cert Owner USAGE  DEFAULT
>>>         ---
>>>GeoTrust Global CA CERTAUTH   CERTAUTH NO
>>>   * Go Daddy Class 2   CERTAUTH   CERTAUTH YES*
>>>
>>>
>>>
>>> So I added to my ftp.data
>>> KEYRING  IBMUSER/FtpSecur
>>>
>>> But that still isn't the final answer
>>>
>>> EZA2897I Authentication negotiation failed
>>> EZA2898I Unable to successfully negotiate required authentication
>>> EZA1735I Std Return Code = 1, Error Code = 00017
>>>
>>>
>>>
>>> On Wed, May 7, 2014 at 9:44 AM, Chase, John  wrote:
>>>
>>>  If you're authorized to issue RACF commands, try SR CLA(DIGTRING) to
>>>> list
>>>> defined key rings (format is userid.ringname), then RACDCERT ID(userid)
>>>> LISTRING(ringname or *) to see the ring(s) contents.
>>>>
>>>> Also ensure that the root cert you're interested in has TRUST status
>>>> (default is NOTRUST).
>>>>
>>>>-jc-
>>>>
>>>>  -Original Message-
>>>>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
>>>>>
>>>> On Behalf Of Mark Pace
>>>>
>>>>> Sent: Wednesday, May 07, 2014 8:34 AM
>>>>> To: IBM-MAIN@LISTSERV.UA.EDU
>>>>> Subject: Re: z/OS FTPS Client & Linux FTP server
>>>>>
>>>>> The cipher was one of my early problems.  But I figured that one out.
>>>>> vsftpd -  ssl_ciphers=RC4-SHA
>>>>> z/OS - CIPHERSUITE SSL_RC4_SHA
>>>>>
>>>>> I'm certain that this Keyring  is (part of) my problem.   Stumbling
>>>>>
>>>> through
>>>>
>>>>> RACF I have found that the GoDaddy Root CA is already defined in z/OS,
>>>>>
>>>> but still trying to determine
>>>>
>>>>> if it is part of a keyring.
>>>>>
>>>>>
>>>>>
>>>>> On Wed, May 7, 2014 at 8:57 AM, Donald J.  wrote:
>>>>>
>>>>>  Make sure client and server have a common cipher.
>>>>>> SSL_AES_128_SHA and SSL_AES_256_SHA are probably more commonly used
>>>>>> than SSL_RC4_SHA.
>>>>>>
>>>>>> Make sure the linus root certificate is in your z/OS client keyring.
>>>>>>
>>>>>> --
>>>>>>Donald J.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> http://www.fastmail.fm - A no graphics, no pop-ups email

Re: z/OS FTPS Client & Linux FTP server

[Brian France]

I saw this same message before. We had a guy here that ran a tcp trace 
during the connection process, moved it to a linux workstation and used 
TCPDUMP? on it. What he determined was the windows server we were trying 
to connect to had a checkpoint firewall and it actually was re-writting 
the first two byes of the cert. There was a setting that had to change. 
I know you said no firewalls BUT is it possible that something else is 
doing this on the linux server? A setting in VSFTP maybe? He left doc 
somewhere and if you're interested I'll dig it up.


On 5/7/2014 10:38 AM, Mark Pace wrote:

Trying to turn on some DEBUG information
DEBUG FLO

FC1003 authServer: secure_socket_init failed with rc = 410 (SSL message
format is incorrect)

So not to try to figure out where to find this error message.


On Wed, May 7, 2014 at 10:19 AM, Mark Pace  wrote:


I remember setting up something very similar to connect to IBM.   So I
added the GoDady cert to the same keyring.

sr cla(digtring)
IBMUSER.smpemaint
*IBMUSER.FtpSecur *
IBMUSER.IBMRing
IBMUSER.SecureFTPKeyRing
IBMUSER.SMPEMAINT
TN3270.TNRING
***



racdcert id(ibmuser) listring(*FtpSecur*)
Digital ring information for user IBMUSER:

   Ring:
>FtpSecur<
   Certificate Label Name Cert Owner USAGE  DEFAULT
            ---
   GeoTrust Global CA CERTAUTH   CERTAUTH NO
  * Go Daddy Class 2   CERTAUTH   CERTAUTH YES*


So I added to my ftp.data
KEYRING  IBMUSER/FtpSecur

But that still isn't the final answer

EZA2897I Authentication negotiation failed
EZA2898I Unable to successfully negotiate required authentication
EZA1735I Std Return Code = 1, Error Code = 00017



On Wed, May 7, 2014 at 9:44 AM, Chase, John  wrote:


If you're authorized to issue RACF commands, try SR CLA(DIGTRING) to list
defined key rings (format is userid.ringname), then RACDCERT ID(userid)
LISTRING(ringname or *) to see the ring(s) contents.

Also ensure that the root cert you're interested in has TRUST status
(default is NOTRUST).

   -jc-


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]

On Behalf Of Mark Pace

Sent: Wednesday, May 07, 2014 8:34 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: z/OS FTPS Client & Linux FTP server

The cipher was one of my early problems.  But I figured that one out.
vsftpd -  ssl_ciphers=RC4-SHA
z/OS - CIPHERSUITE SSL_RC4_SHA

I'm certain that this Keyring  is (part of) my problem.   Stumbling

through

RACF I have found that the GoDaddy Root CA is already defined in z/OS,

but still trying to determine

if it is part of a keyring.



On Wed, May 7, 2014 at 8:57 AM, Donald J.  wrote:


Make sure client and server have a common cipher.
SSL_AES_128_SHA and SSL_AES_256_SHA are probably more commonly used
than SSL_RC4_SHA.

Make sure the linus root certificate is in your z/OS client keyring.

--
   Donald J.




--
http://www.fastmail.fm - A no graphics, no pop-ups email service

--
For IBM-MAIN subscribe / signoff / archive access instructions, send
email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN




--
The postings on this site are my own and don’t necessarily represent

Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions, send

email to lists...@listserv.ua.edu

with the message: INFO IBM-MAIN

**
Information contained in this e-mail message and in any attachments
thereto is confidential. If you are not the intended recipient, please
destroy this message, delete any copies held on your systems, notify the
sender immediately, and refrain from using or disclosing all or any part of
its content to any other person.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN




--
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems








--
Brian W. France
Systems Administrator (Mainframe)
Pennsylvania State University
Administrative Information Services - Infrastructure/SYSARC
Rm 25 Shields Bldg., University Park, Pa. 16802
814-863-4739
b...@psu.edu

"To make an apple pie from scratch, you must first invent the universe."

Carl Sagan

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

These are not self signed certs.  It was issued by Go Daddy. Why I was
trying to add the Root authority certificate, and failed.
Still researching what FC level vsftpd uses for TLS
No firewalls involved, at least for this test.  This a hipersocket
connection between z/OS and a Linux for System running on the same CEC.

Now off to try to figure out GSKSRVR.


On Wed, May 7, 2014 at 12:56 PM, Rob Schramm  wrote:

> It is definitely TLS and not ATTLS.
>
> GSKSRVR trace is your friend.
>
> Biggest issues that i have had
> -Self signed certs are not allowed courtesy of TLS 1.0
> -RFC level is very important!!!
> -Firewalls and extended pasv are not supported by many clients
>
> Rob
> On May 7, 2014 11:51 AM, "Mark Pace"  wrote:
>
> > Crap - I've gotten myself so confused.
> > That was a client certificate I put in many years ago when we did SSL on
> > our TN3270 connections.   I think I still need to add the Go Daddy root
> > certificate, which what I thought that one was.   How I hate this stuff.
> >
> >
> > On Wed, May 7, 2014 at 11:43 AM, Donald J.  wrote:
> >
> > > The DEFAULT YES would be used for a client certificate,
> > > not for a CERTAUTH entry.
> > >
> > > --
> > >   Donald J.
> > >
> > > > Digital ring information for user IBMUSER:
> > > >
> > > >   Ring:
> > > >>FtpSecur<
> > > >   Certificate Label Name Cert Owner USAGE
>  DEFAULT
> > > >         
> ---
> > > >   GeoTrust Global CA CERTAUTH   CERTAUTH NO
> > > >  * Go Daddy Class 2   CERTAUTH   CERTAUTH
> YES*
> > > >
> > >
> > > --
> > > http://www.fastmail.fm - mmm... Fastmail...
> > >
> > > --
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> > >
> >
> >
> >
> > --
> > The postings on this site are my own and don’t necessarily represent
> > Mainline’s positions or opinions
> >
> > Mark D Pace
> > Senior Systems Engineer
> > Mainline Information Systems
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Rob Schramm]

It is definitely TLS and not ATTLS.

GSKSRVR trace is your friend.

Biggest issues that i have had
-Self signed certs are not allowed courtesy of TLS 1.0
-RFC level is very important!!!
-Firewalls and extended pasv are not supported by many clients

Rob
On May 7, 2014 11:51 AM, "Mark Pace"  wrote:

> Crap - I've gotten myself so confused.
> That was a client certificate I put in many years ago when we did SSL on
> our TN3270 connections.   I think I still need to add the Go Daddy root
> certificate, which what I thought that one was.   How I hate this stuff.
>
>
> On Wed, May 7, 2014 at 11:43 AM, Donald J.  wrote:
>
> > The DEFAULT YES would be used for a client certificate,
> > not for a CERTAUTH entry.
> >
> > --
> >   Donald J.
> >
> > > Digital ring information for user IBMUSER:
> > >
> > >   Ring:
> > >>FtpSecur<
> > >   Certificate Label Name Cert Owner USAGE  DEFAULT
> > >            ---
> > >   GeoTrust Global CA CERTAUTH   CERTAUTH NO
> > >  * Go Daddy Class 2   CERTAUTH   CERTAUTH YES*
> > >
> >
> > --
> > http://www.fastmail.fm - mmm... Fastmail...
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
>
>
>
> --
> The postings on this site are my own and don’t necessarily represent
> Mainline’s positions or opinions
>
> Mark D Pace
> Senior Systems Engineer
> Mainline Information Systems
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

Nope - no proxy involved.


On Wed, May 7, 2014 at 11:53 AM, Skip Robinson wrote:

> I didn't see in this thread any mention of proxy. In our case, company
> policy requires use of a proxy for outside connections to vendors,
> including IBM. We cannot use FTPS from mainframe because our proxy (an
> appliance) does not understand FTPS and treats any FTPS command as a
> syntax error. For initial FTPS debugging, I would suggest looking at the
> proxy (if any) to make sure it's handling command pass-through correctly.
>
> .
> .
> J.O.Skip Robinson
> Southern California Edison Company
> Electric Dragon Team Paddler
> SHARE MVS Program Co-Manager
> 626-302-7535 Office
> 323-715-0595 Mobile
> jo.skip.robin...@sce.com
>
>
>
> From:   "Donald J." 
> To:     IBM-MAIN@LISTSERV.UA.EDU,
> Date:   05/07/2014 08:43 AM
> Subject:Re: z/OS FTPS Client & Linux FTP server
> Sent by:IBM Mainframe Discussion List 
>
>
>
> The DEFAULT YES would be used for a client certificate,
> not for a CERTAUTH entry.
>
> --
>   Donald J.
>
> > Digital ring information for user IBMUSER:
> >
> >   Ring:
> >>FtpSecur<
> >   Certificate Label Name Cert Owner USAGE  DEFAULT
> >            ---
> >   GeoTrust Global CA CERTAUTH   CERTAUTH NO
> >  * Go Daddy Class 2   CERTAUTH   CERTAUTH YES*
> >
>
> --
> http://www.fastmail.fm - mmm... Fastmail...
>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Skip Robinson]

I didn't see in this thread any mention of proxy. In our case, company 
policy requires use of a proxy for outside connections to vendors, 
including IBM. We cannot use FTPS from mainframe because our proxy (an 
appliance) does not understand FTPS and treats any FTPS command as a 
syntax error. For initial FTPS debugging, I would suggest looking at the 
proxy (if any) to make sure it's handling command pass-through correctly. 

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
626-302-7535 Office
323-715-0595 Mobile
jo.skip.robin...@sce.com



From:   "Donald J." 
To: IBM-MAIN@LISTSERV.UA.EDU, 
Date:   05/07/2014 08:43 AM
Subject:    Re: z/OS FTPS Client & Linux FTP server
Sent by:IBM Mainframe Discussion List 



The DEFAULT YES would be used for a client certificate,
not for a CERTAUTH entry.

-- 
  Donald J.
 
> Digital ring information for user IBMUSER:
> 
>   Ring:
>>FtpSecur<
>   Certificate Label Name Cert Owner USAGE  DEFAULT
>            ---
>   GeoTrust Global CA CERTAUTH   CERTAUTH NO
>  * Go Daddy Class 2   CERTAUTH   CERTAUTH YES*
> 

-- 
http://www.fastmail.fm - mmm... Fastmail...


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

Crap - I've gotten myself so confused.
That was a client certificate I put in many years ago when we did SSL on
our TN3270 connections.   I think I still need to add the Go Daddy root
certificate, which what I thought that one was.   How I hate this stuff.


On Wed, May 7, 2014 at 11:43 AM, Donald J.  wrote:

> The DEFAULT YES would be used for a client certificate,
> not for a CERTAUTH entry.
>
> --
>   Donald J.
>
> > Digital ring information for user IBMUSER:
> >
> >   Ring:
> >>FtpSecur<
> >   Certificate Label Name Cert Owner USAGE  DEFAULT
> >            ---
> >   GeoTrust Global CA CERTAUTH   CERTAUTH NO
> >  * Go Daddy Class 2   CERTAUTH   CERTAUTH YES*
> >
>
> --
> http://www.fastmail.fm - mmm... Fastmail...
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Donald J.]

The DEFAULT YES would be used for a client certificate,
not for a CERTAUTH entry.

-- 
  Donald J.
 
> Digital ring information for user IBMUSER:
> 
>   Ring:
>>FtpSecur<
>   Certificate Label Name Cert Owner USAGE  DEFAULT
>            ---
>   GeoTrust Global CA CERTAUTH   CERTAUTH NO
>  * Go Daddy Class 2   CERTAUTH   CERTAUTH YES*
>   

-- 
http://www.fastmail.fm - mmm... Fastmail...

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Paul Gilmartin]

On Wed, 7 May 2014 11:06:32 -0400, Mark Pace wrote:

>First - thank you for the manual number so that I can look these up.
>
>I've no idea what AT-TLS environment means.
> 
By rote memorization: "Application Transparent Transport Layer Security".

"Transparent" would seem to imply that the "Application" (in this case,
the FTP client)  may be entirely unaware that a security protocol is
operating at a lower layer.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

First - thank you for the manual number so that I can look these up.

Now - Dunce hat firmly in place.

I've no idea what AT-TLS environment means.


On Wed, May 7, 2014 at 11:00 AM, Donald J.  wrote:

> SC24-5901
>
> 410 SSL message format is incorrect.
> Explanation: An incorrectly formatted SSL message is
> received from the communication partner.
> User response: Collect a System SSL trace
> containing a dump of the SSL message and then
> contact your service representative
>
> You usually have to run a GSK trace to track down these problems.
> Are you using AT-TLS environment for the FTPS client ?
>
> --
>   Donald J.
>   dona...@4email.net
>
> On Wed, May 7, 2014, at 07:38 AM, Mark Pace wrote:
> > Trying to turn on some DEBUG information
> > DEBUG FLO
> >
> > FC1003 authServer: secure_socket_init failed with rc = 410 (SSL message
> > format is incorrect)
> >
> > So not to try to figure out where to find this error message.
> >
> >
> > On Wed, May 7, 2014 at 10:19 AM, Mark Pace 
> > wrote:
> >
> > > I remember setting up something very similar to connect to IBM.   So I
> > > added the GoDady cert to the same keyring.
> > >
> > > sr cla(digtring)
> > > IBMUSER.smpemaint
> > > *IBMUSER.FtpSecur *
> > > IBMUSER.IBMRing
> > > IBMUSER.SecureFTPKeyRing
> > > IBMUSER.SMPEMAINT
> > > TN3270.TNRING
> > > ***
> > >
> > >
> > >
> > > racdcert id(ibmuser) listring(*FtpSecur*)
> > > Digital ring information for user IBMUSER:
> > >
> > >   Ring:
> > >>FtpSecur<
> > >   Certificate Label Name Cert Owner USAGE  DEFAULT
> > >            ---
> > >   GeoTrust Global CA CERTAUTH   CERTAUTH NO
> > >  * Go Daddy Class 2   CERTAUTH   CERTAUTH YES*
> > >
> > >
> > > So I added to my ftp.data
> > > KEYRING  IBMUSER/FtpSecur
> > >
> > > But that still isn't the final answer
> > >
> > > EZA2897I Authentication negotiation failed
> > > EZA2898I Unable to successfully negotiate required authentication
> > > EZA1735I Std Return Code = 1, Error Code = 00017
> > >
> > >
> > >
> > > On Wed, May 7, 2014 at 9:44 AM, Chase, John  wrote:
> > >
> > >> If you're authorized to issue RACF commands, try SR CLA(DIGTRING) to
> list
> > >> defined key rings (format is userid.ringname), then RACDCERT
> ID(userid)
> > >> LISTRING(ringname or *) to see the ring(s) contents.
> > >>
> > >> Also ensure that the root cert you're interested in has TRUST status
> > >> (default is NOTRUST).
> > >>
> > >>   -jc-
> > >>
> > >> > -Original Message-
> > >> > From: IBM Mainframe Discussion List [mailto:
> IBM-MAIN@LISTSERV.UA.EDU]
> > >> On Behalf Of Mark Pace
> > >> > Sent: Wednesday, May 07, 2014 8:34 AM
> > >> > To: IBM-MAIN@LISTSERV.UA.EDU
> > >> > Subject: Re: z/OS FTPS Client & Linux FTP server
> > >> >
> > >> > The cipher was one of my early problems.  But I figured that one
> out.
> > >> > vsftpd -  ssl_ciphers=RC4-SHA
> > >> > z/OS - CIPHERSUITE SSL_RC4_SHA
> > >> >
> > >> > I'm certain that this Keyring  is (part of) my problem.   Stumbling
> > >> through
> > >> > RACF I have found that the GoDaddy Root CA is already defined in
> z/OS,
> > >> but still trying to determine
> > >> > if it is part of a keyring.
> > >> >
> > >> >
> > >> >
> > >> > On Wed, May 7, 2014 at 8:57 AM, Donald J. 
> wrote:
> > >> >
> > >> > > Make sure client and server have a common cipher.
> > >> > > SSL_AES_128_SHA and SSL_AES_256_SHA are probably more commonly
> used
> > >> > > than SSL_RC4_SHA.
> > >> > >
> > >> > > Make sure the linus root certificate is in your z/OS client
> keyring.
> > >> > >
> > >> > > --
> > >> > >   Donald J.
> > >> > >
> > >> > >
> > >> > >
> > >> > >
> > >> > > --
> > >> > > http://www.fastmail.fm - A no graphics, no pop-ups em

Re: z/OS FTPS Client & Linux FTP server

[Donald J.]

If you aren't using any client certs, it is easier to just use a 
RAC virtual keyring  for CERTAUTH server authentication:
KEYRING *AUTH*/*

-- 
  Donald J.
  dona...@4email.net

On Wed, May 7, 2014, at 07:38 AM, Mark Pace wrote:
> Trying to turn on some DEBUG information
> DEBUG FLO
> 
> FC1003 authServer: secure_socket_init failed with rc = 410 (SSL message
> format is incorrect)
> 
> So not to try to figure out where to find this error message.
> 
> 
> On Wed, May 7, 2014 at 10:19 AM, Mark Pace 
> wrote:
> 
> > I remember setting up something very similar to connect to IBM.   So I
> > added the GoDady cert to the same keyring.
> >
> > sr cla(digtring)
> > IBMUSER.smpemaint
> > *IBMUSER.FtpSecur *
> > IBMUSER.IBMRing
> > IBMUSER.SecureFTPKeyRing
> > IBMUSER.SMPEMAINT
> > TN3270.TNRING
> > ***
> >
> >
> >
> > racdcert id(ibmuser) listring(*FtpSecur*)
> > Digital ring information for user IBMUSER:
> >
> >   Ring:
> >>FtpSecur<
> >   Certificate Label Name Cert Owner USAGE  DEFAULT
> >            ---
> >   GeoTrust Global CA CERTAUTH   CERTAUTH NO
> >  * Go Daddy Class 2   CERTAUTH   CERTAUTH YES*
> >
> >
> > So I added to my ftp.data
> > KEYRING  IBMUSER/FtpSecur
> >
> > But that still isn't the final answer
> >
> > EZA2897I Authentication negotiation failed
> > EZA2898I Unable to successfully negotiate required authentication
> > EZA1735I Std Return Code = 1, Error Code = 00017
> >
> >
> >
> > On Wed, May 7, 2014 at 9:44 AM, Chase, John  wrote:
> >
> >> If you're authorized to issue RACF commands, try SR CLA(DIGTRING) to list
> >> defined key rings (format is userid.ringname), then RACDCERT ID(userid)
> >> LISTRING(ringname or *) to see the ring(s) contents.
> >>
> >> Also ensure that the root cert you're interested in has TRUST status
> >> (default is NOTRUST).
> >>
> >>   -jc-
> >>
> >> > -Original Message-
> >> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> >> On Behalf Of Mark Pace
> >> > Sent: Wednesday, May 07, 2014 8:34 AM
> >> > To: IBM-MAIN@LISTSERV.UA.EDU
> >> > Subject: Re: z/OS FTPS Client & Linux FTP server
> >> >
> >> > The cipher was one of my early problems.  But I figured that one out.
> >> > vsftpd -  ssl_ciphers=RC4-SHA
> >> > z/OS - CIPHERSUITE SSL_RC4_SHA
> >> >
> >> > I'm certain that this Keyring  is (part of) my problem.   Stumbling
> >> through
> >> > RACF I have found that the GoDaddy Root CA is already defined in z/OS,
> >> but still trying to determine
> >> > if it is part of a keyring.
> >> >
> >> >
> >> >
> >> > On Wed, May 7, 2014 at 8:57 AM, Donald J.  wrote:
> >> >
> >> > > Make sure client and server have a common cipher.
> >> > > SSL_AES_128_SHA and SSL_AES_256_SHA are probably more commonly used
> >> > > than SSL_RC4_SHA.
> >> > >
> >> > > Make sure the linus root certificate is in your z/OS client keyring.
> >> > >
> >> > > --
> >> > >   Donald J.
> >> > >
> >> > >
> >> > >
> >> > >
> >> > > --
> >> > > http://www.fastmail.fm - A no graphics, no pop-ups email service
> >> > >
> >> > > --
> >> > > For IBM-MAIN subscribe / signoff / archive access instructions, send
> >> > > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >> > >
> >> >
> >> >
> >> >
> >> > --
> >> > The postings on this site are my own and don’t necessarily represent
> >> Mainline’s positions or opinions
> >> >
> >> > Mark D Pace
> >> > Senior Systems Engineer
> >> > Mainline Information Systems
> >> >
> >> > --
> >> > For IBM-MAIN subscribe / signoff / archive access instructions, send
> >> email to lists...@listserv.ua.edu
> >> > with the message: INFO IBM-MAI

Re: z/OS FTPS Client & Linux FTP server

[Donald J.]

SC24-5901

410 SSL message format is incorrect.
Explanation: An incorrectly formatted SSL message is
received from the communication partner.
User response: Collect a System SSL trace
containing a dump of the SSL message and then
contact your service representative

You usually have to run a GSK trace to track down these problems.
Are you using AT-TLS environment for the FTPS client ?

-- 
  Donald J.
  dona...@4email.net

On Wed, May 7, 2014, at 07:38 AM, Mark Pace wrote:
> Trying to turn on some DEBUG information
> DEBUG FLO
> 
> FC1003 authServer: secure_socket_init failed with rc = 410 (SSL message
> format is incorrect)
> 
> So not to try to figure out where to find this error message.
> 
> 
> On Wed, May 7, 2014 at 10:19 AM, Mark Pace 
> wrote:
> 
> > I remember setting up something very similar to connect to IBM.   So I
> > added the GoDady cert to the same keyring.
> >
> > sr cla(digtring)
> > IBMUSER.smpemaint
> > *IBMUSER.FtpSecur *
> > IBMUSER.IBMRing
> > IBMUSER.SecureFTPKeyRing
> > IBMUSER.SMPEMAINT
> > TN3270.TNRING
> > ***
> >
> >
> >
> > racdcert id(ibmuser) listring(*FtpSecur*)
> > Digital ring information for user IBMUSER:
> >
> >   Ring:
> >>FtpSecur<
> >   Certificate Label Name Cert Owner USAGE  DEFAULT
> >            ---
> >   GeoTrust Global CA CERTAUTH   CERTAUTH NO
> >  * Go Daddy Class 2   CERTAUTH   CERTAUTH YES*
> >
> >
> > So I added to my ftp.data
> > KEYRING  IBMUSER/FtpSecur
> >
> > But that still isn't the final answer
> >
> > EZA2897I Authentication negotiation failed
> > EZA2898I Unable to successfully negotiate required authentication
> > EZA1735I Std Return Code = 1, Error Code = 00017
> >
> >
> >
> > On Wed, May 7, 2014 at 9:44 AM, Chase, John  wrote:
> >
> >> If you're authorized to issue RACF commands, try SR CLA(DIGTRING) to list
> >> defined key rings (format is userid.ringname), then RACDCERT ID(userid)
> >> LISTRING(ringname or *) to see the ring(s) contents.
> >>
> >> Also ensure that the root cert you're interested in has TRUST status
> >> (default is NOTRUST).
> >>
> >>   -jc-
> >>
> >> > -Original Message-
> >> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> >> On Behalf Of Mark Pace
> >> > Sent: Wednesday, May 07, 2014 8:34 AM
> >> > To: IBM-MAIN@LISTSERV.UA.EDU
> >> > Subject: Re: z/OS FTPS Client & Linux FTP server
> >> >
> >> > The cipher was one of my early problems.  But I figured that one out.
> >> > vsftpd -  ssl_ciphers=RC4-SHA
> >> > z/OS - CIPHERSUITE SSL_RC4_SHA
> >> >
> >> > I'm certain that this Keyring  is (part of) my problem.   Stumbling
> >> through
> >> > RACF I have found that the GoDaddy Root CA is already defined in z/OS,
> >> but still trying to determine
> >> > if it is part of a keyring.
> >> >
> >> >
> >> >
> >> > On Wed, May 7, 2014 at 8:57 AM, Donald J.  wrote:
> >> >
> >> > > Make sure client and server have a common cipher.
> >> > > SSL_AES_128_SHA and SSL_AES_256_SHA are probably more commonly used
> >> > > than SSL_RC4_SHA.
> >> > >
> >> > > Make sure the linus root certificate is in your z/OS client keyring.
> >> > >
> >> > > --
> >> > >   Donald J.
> >> > >
> >> > >
> >> > >
> >> > >
> >> > > --
> >> > > http://www.fastmail.fm - A no graphics, no pop-ups email service
> >> > >
> >> > > --
> >> > > For IBM-MAIN subscribe / signoff / archive access instructions, send
> >> > > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >> > >
> >> >
> >> >
> >> >
> >> > --
> >> > The postings on this site are my own and don’t necessarily represent
> >> Mainline’s positions or opinions
> >> >
> >> > Mark D Pace
> >> > Senior Systems Engineer
> >> > Mainline Information Systems
> >> >
> >> > -

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

Trying to turn on some DEBUG information
DEBUG FLO

FC1003 authServer: secure_socket_init failed with rc = 410 (SSL message
format is incorrect)

So not to try to figure out where to find this error message.


On Wed, May 7, 2014 at 10:19 AM, Mark Pace  wrote:

> I remember setting up something very similar to connect to IBM.   So I
> added the GoDady cert to the same keyring.
>
> sr cla(digtring)
> IBMUSER.smpemaint
> *IBMUSER.FtpSecur *
> IBMUSER.IBMRing
> IBMUSER.SecureFTPKeyRing
> IBMUSER.SMPEMAINT
> TN3270.TNRING
> ***
>
>
>
> racdcert id(ibmuser) listring(*FtpSecur*)
> Digital ring information for user IBMUSER:
>
>   Ring:
>>FtpSecur<
>   Certificate Label Name Cert Owner USAGE  DEFAULT
>            ---
>   GeoTrust Global CA CERTAUTH   CERTAUTH NO
>  * Go Daddy Class 2   CERTAUTH   CERTAUTH YES*
>
>
> So I added to my ftp.data
> KEYRING  IBMUSER/FtpSecur
>
> But that still isn't the final answer
>
> EZA2897I Authentication negotiation failed
> EZA2898I Unable to successfully negotiate required authentication
> EZA1735I Std Return Code = 1, Error Code = 00017
>
>
>
> On Wed, May 7, 2014 at 9:44 AM, Chase, John  wrote:
>
>> If you're authorized to issue RACF commands, try SR CLA(DIGTRING) to list
>> defined key rings (format is userid.ringname), then RACDCERT ID(userid)
>> LISTRING(ringname or *) to see the ring(s) contents.
>>
>> Also ensure that the root cert you're interested in has TRUST status
>> (default is NOTRUST).
>>
>>   -jc-
>>
>> > -Original Message-
>> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
>> On Behalf Of Mark Pace
>> > Sent: Wednesday, May 07, 2014 8:34 AM
>> > To: IBM-MAIN@LISTSERV.UA.EDU
>> > Subject: Re: z/OS FTPS Client & Linux FTP server
>> >
>> > The cipher was one of my early problems.  But I figured that one out.
>> > vsftpd -  ssl_ciphers=RC4-SHA
>> > z/OS - CIPHERSUITE SSL_RC4_SHA
>> >
>> > I'm certain that this Keyring  is (part of) my problem.   Stumbling
>> through
>> > RACF I have found that the GoDaddy Root CA is already defined in z/OS,
>> but still trying to determine
>> > if it is part of a keyring.
>> >
>> >
>> >
>> > On Wed, May 7, 2014 at 8:57 AM, Donald J.  wrote:
>> >
>> > > Make sure client and server have a common cipher.
>> > > SSL_AES_128_SHA and SSL_AES_256_SHA are probably more commonly used
>> > > than SSL_RC4_SHA.
>> > >
>> > > Make sure the linus root certificate is in your z/OS client keyring.
>> > >
>> > > --
>> > >   Donald J.
>> > >
>> > >
>> > >
>> > >
>> > > --
>> > > http://www.fastmail.fm - A no graphics, no pop-ups email service
>> > >
>> > > --
>> > > For IBM-MAIN subscribe / signoff / archive access instructions, send
>> > > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>> > >
>> >
>> >
>> >
>> > --
>> > The postings on this site are my own and don’t necessarily represent
>> Mainline’s positions or opinions
>> >
>> > Mark D Pace
>> > Senior Systems Engineer
>> > Mainline Information Systems
>> >
>> > --
>> > For IBM-MAIN subscribe / signoff / archive access instructions, send
>> email to lists...@listserv.ua.edu
>> > with the message: INFO IBM-MAIN
>>
>> **
>> Information contained in this e-mail message and in any attachments
>> thereto is confidential. If you are not the intended recipient, please
>> destroy this message, delete any copies held on your systems, notify the
>> sender immediately, and refrain from using or disclosing all or any part of
>> its content to any other person.
>>
>>
>> --
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>>
>
>
>
> --
> The postings on this site are my own and don’t necessarily represent
> Mainline’s positions or opinions
>
> Mark D Pace
> Senior Systems Engineer
> Mainline Information Systems
>
>
>
>


-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

I remember setting up something very similar to connect to IBM.   So I
added the GoDady cert to the same keyring.

sr cla(digtring)
IBMUSER.smpemaint
*IBMUSER.FtpSecur *
IBMUSER.IBMRing
IBMUSER.SecureFTPKeyRing
IBMUSER.SMPEMAINT
TN3270.TNRING
***



racdcert id(ibmuser) listring(*FtpSecur*)
Digital ring information for user IBMUSER:

  Ring:
   >FtpSecur<
  Certificate Label Name Cert Owner USAGE  DEFAULT
           ---
  GeoTrust Global CA CERTAUTH   CERTAUTH NO
 * Go Daddy Class 2   CERTAUTH   CERTAUTH YES*

So I added to my ftp.data
KEYRING  IBMUSER/FtpSecur

But that still isn't the final answer
EZA2897I Authentication negotiation failed
EZA2898I Unable to successfully negotiate required authentication
EZA1735I Std Return Code = 1, Error Code = 00017



On Wed, May 7, 2014 at 9:44 AM, Chase, John  wrote:

> If you're authorized to issue RACF commands, try SR CLA(DIGTRING) to list
> defined key rings (format is userid.ringname), then RACDCERT ID(userid)
> LISTRING(ringname or *) to see the ring(s) contents.
>
> Also ensure that the root cert you're interested in has TRUST status
> (default is NOTRUST).
>
>   -jc-
>
> > -Original Message-
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU]
> On Behalf Of Mark Pace
> > Sent: Wednesday, May 07, 2014 8:34 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: z/OS FTPS Client & Linux FTP server
> >
> > The cipher was one of my early problems.  But I figured that one out.
> > vsftpd -  ssl_ciphers=RC4-SHA
> > z/OS - CIPHERSUITE SSL_RC4_SHA
> >
> > I'm certain that this Keyring  is (part of) my problem.   Stumbling
> through
> > RACF I have found that the GoDaddy Root CA is already defined in z/OS,
> but still trying to determine
> > if it is part of a keyring.
> >
> >
> >
> > On Wed, May 7, 2014 at 8:57 AM, Donald J.  wrote:
> >
> > > Make sure client and server have a common cipher.
> > > SSL_AES_128_SHA and SSL_AES_256_SHA are probably more commonly used
> > > than SSL_RC4_SHA.
> > >
> > > Make sure the linus root certificate is in your z/OS client keyring.
> > >
> > > --
> > >   Donald J.
> > >
> > >
> > >
> > >
> > > --
> > > http://www.fastmail.fm - A no graphics, no pop-ups email service
> > >
> > > --
> > > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> > >
> >
> >
> >
> > --
> > The postings on this site are my own and don’t necessarily represent
> Mainline’s positions or opinions
> >
> > Mark D Pace
> > Senior Systems Engineer
> > Mainline Information Systems
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to lists...@listserv.ua.edu
> > with the message: INFO IBM-MAIN
>
> **
> Information contained in this e-mail message and in any attachments
> thereto is confidential. If you are not the intended recipient, please
> destroy this message, delete any copies held on your systems, notify the
> sender immediately, and refrain from using or disclosing all or any part of
> its content to any other person.
>
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Chase, John]

If you're authorized to issue RACF commands, try SR CLA(DIGTRING) to list 
defined key rings (format is userid.ringname), then RACDCERT ID(userid) 
LISTRING(ringname or *) to see the ring(s) contents.

Also ensure that the root cert you're interested in has TRUST status (default 
is NOTRUST).

  -jc-

> -Original Message-
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
> Behalf Of Mark Pace
> Sent: Wednesday, May 07, 2014 8:34 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: z/OS FTPS Client & Linux FTP server
> 
> The cipher was one of my early problems.  But I figured that one out.
> vsftpd -  ssl_ciphers=RC4-SHA
> z/OS - CIPHERSUITE SSL_RC4_SHA
> 
> I'm certain that this Keyring  is (part of) my problem.   Stumbling through
> RACF I have found that the GoDaddy Root CA is already defined in z/OS, but 
> still trying to determine
> if it is part of a keyring.
> 
> 
> 
> On Wed, May 7, 2014 at 8:57 AM, Donald J.  wrote:
> 
> > Make sure client and server have a common cipher.
> > SSL_AES_128_SHA and SSL_AES_256_SHA are probably more commonly used
> > than SSL_RC4_SHA.
> >
> > Make sure the linus root certificate is in your z/OS client keyring.
> >
> > --
> >   Donald J.
> >
> >
> >
> >
> > --
> > http://www.fastmail.fm - A no graphics, no pop-ups email service
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions, send
> > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> 
> 
> 
> --
> The postings on this site are my own and don’t necessarily represent 
> Mainline’s positions or opinions
> 
> Mark D Pace
> Senior Systems Engineer
> Mainline Information Systems
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
> lists...@listserv.ua.edu
> with the message: INFO IBM-MAIN

**
Information contained in this e-mail message and in any attachments thereto is 
confidential. If you are not the intended recipient, please destroy this 
message, delete any copies held on your systems, notify the sender immediately, 
and refrain from using or disclosing all or any part of its content to any 
other person.


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Donald J.]

racdcert id(userid) listring(ring.name)   
racdcert id(userid) connect(ring(ring.name)  LABEL('GoDaddy Root Label')
CERTAUTH usage(CERTAUTH) )  

-- 
  Donald J.


On Wed, May 7, 2014, at 06:34 AM, Mark Pace wrote:
> The cipher was one of my early problems.  But I figured that one out.
> vsftpd -  ssl_ciphers=RC4-SHA
> z/OS - CIPHERSUITE SSL_RC4_SHA
> 
> I'm certain that this Keyring  is (part of) my problem.   Stumbling
> through
> RACF I have found that the GoDaddy Root CA is already defined in z/OS,
> but
> still trying to determine if it is part of a keyring.
> 
> 
> 
> On Wed, May 7, 2014 at 8:57 AM, Donald J.  wrote:
> 
> > Make sure client and server have a common cipher.
> > SSL_AES_128_SHA and SSL_AES_256_SHA are probably more
> > commonly used than SSL_RC4_SHA.
> >
> > Make sure the linus root certificate is in your z/OS client keyring.
> >
> > --
> >   Donald J.
> >
> >
> >
> >
> > --
> > http://www.fastmail.fm - A no graphics, no pop-ups email service
> >
> > --
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> 
> 
> 
> -- 
> The postings on this site are my own and don’t necessarily represent
> Mainline’s positions or opinions
> 
> Mark D Pace
> Senior Systems Engineer
> Mainline Information Systems
> 
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

-- 
http://www.fastmail.fm - A fast, anti-spam email service.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Mark Pace]

The cipher was one of my early problems.  But I figured that one out.
vsftpd -  ssl_ciphers=RC4-SHA
z/OS - CIPHERSUITE SSL_RC4_SHA

I'm certain that this Keyring  is (part of) my problem.   Stumbling through
RACF I have found that the GoDaddy Root CA is already defined in z/OS, but
still trying to determine if it is part of a keyring.



On Wed, May 7, 2014 at 8:57 AM, Donald J.  wrote:

> Make sure client and server have a common cipher.
> SSL_AES_128_SHA and SSL_AES_256_SHA are probably more
> commonly used than SSL_RC4_SHA.
>
> Make sure the linus root certificate is in your z/OS client keyring.
>
> --
>   Donald J.
>
>
>
>
> --
> http://www.fastmail.fm - A no graphics, no pop-ups email service
>
> --
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>



-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Donald J.]

Make sure client and server have a common cipher.
SSL_AES_128_SHA and SSL_AES_256_SHA are probably more
commonly used than SSL_RC4_SHA.

Make sure the linus root certificate is in your z/OS client keyring.

-- 
  Donald J.
 

 

-- 
http://www.fastmail.fm - A no graphics, no pop-ups email service

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: z/OS FTPS Client & Linux FTP server

[Paul Gilmartin]

On Wed, 7 May 2014 08:25:47 -0400, Mark Pace wrote:

>Has anyone successfully sent data to a Linux FTP server using TLS security
>from the z/OS FTP client?
>
Is SFTP an option?

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

z/OS FTPS Client & Linux FTP server

[Mark Pace]

Has anyone successfully sent data to a Linux FTP server using TLS security
from the z/OS FTP client?

I have a Linux server running vsftpd - I've been using it for years to send
SMF data.  I've added TLS support to this server.  I've verified that the
Secure connect works via a Filezilla client,

So now I would like to be able to send SMF data to the server.  But I
always get an authentication failure.  I've tried every combination of
Security parameters I can come up with.

These are the latest parms in my ftp.data file.

;SECURE_CTRLCONN SAFE
SECURE_DATACONN CLEAR
SECURE_FTP REQUIRED
SECURE_HOSTNAME OPTIONAL
SECURE_MECHANISM TLS
SECUREIMPLICITZOS FALSE
CIPHERSUITE SSL_RC4_SHA
;KEYRING IBMUSER/SecureFTPKeyRing
TLSPORT 21
TLSRFCLEVEL CCCNONOTIFY
TLSTIMEOUT 10
;SECURE_PBSZ 16384
;
;CTRLCONN 7BIT

I'm beginning to think I am doing something fundamentally wrong instead of
it being a matter of wrong parameters.

//FTP  EXEC PGM=FTP,REGION=5M,PARM='(EXIT'
//SYSPRINT  DD  SYSOUT=*
//SYSFTPD   DD  DISP=SHR,DSN=MARPACE.JCL.CNTL(FTPSDATA)
//OUTPUTDD  SYSOUT=*
//INPUT DD  *  USE LOWER CASE BELOW
ftp.s390.mainline.com
userid password
dir
quit


EZA1736I FTP
(EXIT

EZY2640I Using dd:SYSFTPD=MARPACE.JCL.CNTL(FTPSDATA) for local site
configuration parameters.
EZA1450I IBM FTP CS
V2R1
EZA1772I FTP: EXIT has been
set.
EZA1456I Connect to
?
EZA1736I ftp.s390.mainline.com

EZA1554I Connecting to: ftp.s390.mainline.com 10.6.0.10 port:
21.
EZA2897I Authentication negotiation
failed
EZA2898I Unable to successfully negotiate required
authentication
EZA1735I Std Return Code = 1, Error Code =
00017








-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN