
Re: Secure FTP on z/OS


Peter Vander Woude

Dec 7, 2005, 2:45:39 PM
Tonya,

Yes, there is a secure FTP process. The FTP program on z/OS (starting at v1.2) supports FTP over SSL/TLS.

There is also sftp, which is secure file transfer over ssh. If this is what you're looking for, you need to get the IBM Ported tools, which brings the OpenSSH code to z/OS.

Peter I. Vander Woude
Sr. Mainframe Engineer


>>> Tonya_...@NAVYFEDERAL.ORG 12/07/2005 2:14 PM >>>
Hi All,

I would really like to understand what is and will be available on z/OS to support a Secure FTP client. I have a requirement to run concurrent secure and non-secure FTP clients in batch mode or on the command line on z/OS 1.4. Is there a "secure" FTP batch process available on z/OS? If so, what is the program name? Any sample JCL would be greatly appreciated.

Tonya Trotter :-)
Navy Federal Credit Union
Sr. Systems Software Programmer
Technical Support (ENCS)
Tel.nb: (703) 206-3542
Fax.nb: (703) 206-3977
Tonya_...@navyfederal.org

----------------------------------------------------------------------
For IBMTCP-L subscribe / signoff / archive access instructions,
send email to LIST...@VM.MARIST.EDU with the message: INFO IBMTCP-L


Bauer, Bobby (NIH/CIT) [C]

Dec 7, 2005, 3:03:05 PM
A lot depends on the server you are connecting to. From the client side,
your batch job, it is just a normal FTP like this

//FTP EXEC PGM=FTP, PARM='ftp.server (EXIT TIMEOUT 20'

If this server allows non-SSL sessions you are OK.


To go to an FTP server that supports SSL use:

//FTP EXEC PGM=FTP, PARM='-r TLS ftp.server (EXIT TIMEOUT 20'

The -r TLS says to set up a secure session. Of course the client parms
have to be coded to support TLS and SSL.

Feel free to call or ask more questions. We have both flavors and I can
help with the parms if needed.


Bobby Bauer
Center for Information Technology
National Institutes of Health
Bethesda, MD 20892-5628
301-594-7474
Contractor
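An added example (mine, not from Bobby's post or from IBM documentation) of how the batch step above fits together with a client-side FTP.DATA that forces TLS, so the job fails rather than silently running in the clear when the server does not negotiate it. The host name, key ring name and data set names are placeholders; the FTP.DATA statement names are the ones I recall from the z/OS Communications Server FTP client reference, so verify them against the IP Configuration Reference for your release before use.

```jcl
//FTPTLS   JOB (ACCT),'SECURE FTP CLIENT',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the original posts. ftp.example.com,
//* FTPUSER/FTPCLIENT.RING and the data set names are placeholders.
//*
//* (EXIT makes the step end with the FTP reply code as its return
//* code, so a failed TLS handshake or login shows up as a non-zero RC
//* instead of a job that "ran clean" while transferring nothing.
//*
//FTP      EXEC PGM=FTP,PARM='-r TLS ftp.example.com (EXIT TIMEOUT 20'
//SYSPRINT DD SYSOUT=*
//OUTPUT   DD SYSOUT=*
//*
//* Client FTP.DATA for this job only. SECURE_FTP REQUIRED refuses to
//* continue if the server will not negotiate TLS; with ALLOWED the
//* client would fall back to a cleartext session on such a server.
//* PRIVATE on both connections asks for encryption of the control
//* connection (commands, password) and the data connection (file).
//SYSFTPD  DD *
SECURE_MECHANISM  TLS
SECURE_FTP        REQUIRED
SECURE_CTRLCONN   PRIVATE
SECURE_DATACONN   PRIVATE
KEYRING           FTPUSER/FTPCLIENT.RING
/*
//*
//* FTP subcommands (user ID, password, put/get, quit). Keep them in a
//* RACF-protected data set rather than in-stream in the JCL, so the
//* password is not readable by anyone who can browse the job.
//INPUT    DD DISP=SHR,DSN=FTPUSER.SECURE.FTPCMDS(SENDFILE)
```

The key ring named in KEYRING must hold the CA certificate (or the server's self-signed certificate) that signs the FTP server's certificate, which is the step Mike Caughran's later messages in this thread are working through with gskkyman.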

Mike Caughran

Dec 7, 2005, 6:43:30 PM
I have a similar question:

Would someone please post a HOWTO on setting up a (freeware) PC-based FTP/TLS server and information on how to access that PC FTP/TLS server outbound from Z/OS?

I could not get Filezilla Server, ProFTP and half a dozen others - I forget which now - to work.
I either couldn't get GSKKYMAN to accept the cert or the FTP server would not accept the authentication negotiation.

We have successfully put up the Z/OS FTP/TLS server and have been able to successfully send files to the server using the Z/OS FTP/TLS client and from PC-based FTP/TLS clients.


Here are links I have found on the subject:

http://os390.web.arizona.edu/tls-ftp.shtml
http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext_col.html

I just stumbled across this doc on using WSFTPD as a TLS server -- I'll give it a whirl
http://www.eits.uga.edu/mvs/security.html

A freeware server would be nice.

Thanks
Mike Caughran
State of Alaska

Mike Caughran

Dec 8, 2005, 8:46:24 PM
>openssl req -x509 -nodes -days 7300 \
>    -newkey rsa:1024 -keyout vsftpd.pem \
>    -out vsftpd.pem

I created a key and cert using that technique.
I uploaded the cert to Z/OS in ASCII format.
I then tried to import the certificate above using gskkyman and get the
following error:

Unable to import certificate.
Status 0x03353021 - Certificate is not yet valid.

Mike Caughran

Dec 9, 2005, 3:06:26 PM
The "This cert is not yet valid" problem was caused (I believe) by the fact that we are running the Z/OS system clock as our local time rather than as UTC time.

When I tried again this morning, the key imported successfully.

I tried the key with Filezilla Server but it didn't like the TLS connection from Z/OS.
I installed FtpShell server from www.ftpshell.com and it did work.
I'll try a couple other servers.

Part of our other problems (access using the Z/OS ftp client to the Z/OS ftp server over TLS) were resolved by creating and using a second keyring for the Z/OS ftp client and importing the key that was exported from the ftp server's keyring.

Thanks for the help


Mike Caughran
State of Alaska
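An added illustration of the clock problem Mike describes (my example, not code from the thread or from IBM's gskkyman): a certificate's notBefore/notAfter fields are encoded in UTC, and an importer compares them with its own idea of the current UTC time. If the system clock is set to local time but treated as UTC, a host west of Greenwich reads hours behind real UTC, so a certificate generated minutes earlier on a PC looks as if it starts in the future. The certificate dates, the import times and the Alaska offset of -9 hours are constructed for the scenario.

```python
from datetime import datetime, timedelta, timezone


def parse_x509_time(s):
    """Parse an X.509 validity time as encoded in a certificate:
    UTCTime 'YYMMDDhhmmssZ' or GeneralizedTime 'YYYYMMDDhhmmssZ'.
    Both are UTC. UTCTime years 50-99 mean 1950-1999 and 00-49 mean
    2000-2049 (the RFC 5280 pivot)."""
    if not s.endswith("Z"):
        raise ValueError("only Zulu (UTC) encoded times are handled here")
    body = s[:-1]
    if len(body) == 12:
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = body[2:]
    elif len(body) == 14:
        year = int(body[:4])
        rest = body[4:]
    else:
        raise ValueError("unrecognised time encoding: %r" % s)
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def validity_status(not_before, not_after, now_utc):
    """The check an importer performs against what it believes is the current UTC time."""
    if now_utc < not_before:
        return "not yet valid"
    if now_utc > not_after:
        return "expired"
    return "valid"


def clock_misread_as_utc(true_utc, local_offset_hours):
    """A host whose clock is set to local time but interpreted as UTC
    reports true_utc + offset (e.g. -9 hours for Alaska standard time)."""
    return true_utc + timedelta(hours=local_offset_hours)


# Constructed scenario: certificate created on the PC at 23:30 UTC on
# 7 Dec 2005 with -days 7300, then imported on the mainframe an hour later.
NOT_BEFORE = parse_x509_time("051207233000Z")
NOT_AFTER = parse_x509_time("251202233000Z")   # 7300 days after NOT_BEFORE
TRUE_IMPORT_TIME = datetime(2005, 12, 8, 0, 30, tzinfo=timezone.utc)
ALASKA_OFFSET_HOURS = -9  # assumed local offset, constructed for the example


def import_with_correct_clock():
    """Clock really on UTC: the certificate is already inside its validity window."""
    return validity_status(NOT_BEFORE, NOT_AFTER, TRUE_IMPORT_TIME)


def import_with_local_time_clock():
    """Clock set to local time but treated as UTC: reads 15:30, before notBefore."""
    skewed = clock_misread_as_utc(TRUE_IMPORT_TIME, ALASKA_OFFSET_HOURS)
    return validity_status(NOT_BEFORE, NOT_AFTER, skewed)


def import_next_morning_with_local_time_clock():
    """Same mis-set clock 18 hours later: the skew no longer reaches back past notBefore."""
    next_morning = TRUE_IMPORT_TIME + timedelta(hours=18)
    skewed = clock_misread_as_utc(next_morning, ALASKA_OFFSET_HOURS)
    return validity_status(NOT_BEFORE, NOT_AFTER, skewed)


if __name__ == "__main__":
    print("correct clock:            ", import_with_correct_clock())
    print("local-time clock, at once:", import_with_local_time_clock())
    print("local-time clock, morning:", import_next_morning_with_local_time_clock())
```

The durable fix is the one Mike arrived at: keep the hardware clock on UTC and let the time zone offset be applied in the OS, rather than waiting for the skew to pass. A certificate that imports only after a delay is a sign worth checking on any host, because the same skew also affects expiry checks and TLS session validation in the other direction.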

Gilson OLIVEIRA

Dec 12, 2005, 6:42:01 AM
Dear List:

I'd like to know if someone has any considerations about software to monitor TCPIP on z/OS through the Packet Trace.
We have installed software here that, to get some information about TCPIP, needs to activate a packet trace with the following options:
V TCPIP,,PKTTRACE,ON,LINKNAME=*,PROT=254.
What does the PROT=254 option exactly mean?

Doesn't it cause any overhead for the TCPIP task?

Thanks in advance for any help.

__________________________________
Gilson Cesar de Oliveira
HSBC - Bank Brasil S/A
IT - Telecomm Network and Planning
E-mail:gcoli...@hsbc.com.br
Fone: 55 41 3340-5588
__________________________________

This E-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return E-mail.
Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions.

Tony Post

Dec 12, 2005, 6:10:42 AM
PROT=254 is telling the trace filtering to only trace packets with a
protocol type of 254. This is not one of the common protocol types (TCP=6,
UDP=17) ... What software is this? There will be some overhead, but how
much really depends on the software in use and how it's getting hold of the
trace information.


Sergio Eduardo Pinto Freire

Dec 12, 2005, 8:05:54 AM
Dears, have a look at http://www.iana.org/assignments/protocol-numbers

Sérgio Freire
Sfreire - IT Consult

Sergio Eduardo Pinto Freire

Dec 12, 2005, 9:12:43 AM
As you can see, this document ( http://www.iana.org/assignments/protocol-numbers ) keeps the number 254 for experimentation and 255 reserved; however, some monitors already use the number 255 as TCP(RAW), like ASG-TMON for TCP/IP.

Regards,

Sérgio

On Mon, 2005-12-12 at 11:50 -0300, Gilson OLIVEIRA wrote:
> Dear Sergio:
>
> Thanks for your help. It is exactly what I was looking for.


> Sent by: Sergio Eduardo Pinto Freire
> <sfreire.su...@bcb.gov.br> - 12/12/2005 11:05
> Sent by: IBM TCP/IP List <IBMT...@VM.MARIST.EDU>
> Reply to IBM TCP/IP List
>
> To: IBMT...@VM.MARIST.EDU
> cc: (bcc: Gilson OLIVEIRA/HBBR/HSBC)
> Subject: Re: Options to monitor TCPIP with Packet Trace

Chris Mason

Dec 12, 2005, 9:17:13 AM
Gilson,

And following up on Sergio's suggestion you will see that RFC 3692 appears -
after a quick scan - to designate protocol 254 as one formally to be used
whenever needing to test an upgrade to software where both the production
and test software need to run together, for example.

Now you may be following this RFC for some, presumably testing, reason or,
given that the RFC dates from January 2004, it may be accidental that you
are using one of the protocol numbers - perhaps somewhat belatedly -
reserved by the RFC.

It may be that the statement you showed is purely an example, deliberately a
"testing" protocol number.

Incidentally, continuous tracing is always an overhead. It's up to you to
try to decide whether or not it is worth it.

Chris Mason
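To make the PROT= filter that Sergio and Chris discuss concrete, here is an added model of what such a filter does (my example, not z/OS PKTTRACE code): it reads the 8-bit protocol field of each IPv4 header and keeps only packets whose value matches. Run against ordinary traffic, PROT=254 therefore selects nothing from TCP (6), UDP (17) or ICMP (1) and only picks up packets that some product deliberately sends with the RFC 3692 experimentation number, which is why the trace is cheap on the wire side even though the trace facility itself is still on. The packets are constructed in-line; the name table is the small subset of the IANA registry the thread mentions.

```python
import struct

# Subset of the IANA "Assigned Internet Protocol Numbers" registry that
# the thread refers to. 253 and 254 are RFC 3692 experimentation values,
# 255 is reserved (some products use it for their own raw TCP records).
PROTOCOL_NAMES = {
    1: "ICMP",
    6: "TCP",
    17: "UDP",
    253: "experimentation (RFC 3692)",
    254: "experimentation (RFC 3692)",
    255: "reserved",
}


def build_ipv4_packet(proto, payload=b""):
    """Build a minimal IPv4 header (20 bytes, no options) in front of payload.
    Constructed test data only; the checksum is left at zero because the
    filter below never looks at it."""
    total_len = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                      # version 4, IHL 5 (20-byte header)
        0,                         # DSCP/ECN
        total_len,
        0,                         # identification
        0,                         # flags / fragment offset
        64,                        # TTL
        proto,                     # protocol number: what PROT= filters on
        0,                         # header checksum (not computed here)
        bytes([10, 0, 0, 1]),      # constructed source address
        bytes([10, 0, 0, 2]),      # constructed destination address
    )
    return header + payload


def ipv4_protocol(packet):
    """Return the protocol number of an IPv4 packet, or None if it is not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    return packet[9]


def filter_by_protocol(packets, prot):
    """Model of PROT=n: keep only packets whose IPv4 protocol field equals n."""
    return [p for p in packets if ipv4_protocol(p) == prot]


def protocol_name(proto):
    return PROTOCOL_NAMES.get(proto, "unassigned/other")


# Constructed sample capture: typical TCP/UDP/ICMP traffic plus one packet
# carrying the experimental protocol number 254.
SAMPLE_PACKETS = [
    build_ipv4_packet(6, b"\x00\x15\x04\x00"),    # TCP, port 21 -> 1024
    build_ipv4_packet(17, b"\x00\x35\x00\x35"),   # UDP, port 53 -> 53
    build_ipv4_packet(1, b"\x08\x00"),            # ICMP echo request
    build_ipv4_packet(254, b"exp"),               # experimentation protocol
    build_ipv4_packet(6, b"\x00\x50\x00\x50"),    # TCP, port 80 -> 80
]


def trace_summary(packets, prot):
    """What a PROT=prot trace would keep from the capture, with the IANA name."""
    matched = filter_by_protocol(packets, prot)
    return {"total": len(packets), "matched": len(matched), "prot_name": protocol_name(prot)}


if __name__ == "__main__":
    for prot in (254, 6, 255):
        print("PROT=%d ->" % prot, trace_summary(SAMPLE_PACKETS, prot))
```

The interesting operational point is the one Chris makes: the filter only reduces what is written out, not the cost of having the trace active, so PROT=254 limits the volume rather than the fact of tracing. It also means that if the monitoring product stops sending its protocol-254 packets, the trace goes silent without any error.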



Bertrand MAHE

Dec 12, 2005, 11:36:22 AM
Gilson,

About software to monitor Packet Trace, you can use TDSLink "IP Trace for
z/OS".

Concerning the overhead, TDSLink is written 100% in assembler language with
special collectors for performance.

TDSLink "IP Trace for z/OS" is very easy to use, 2 ways of using it:

1) With a native web interface for real-time packet trace analysis
2) With any "sniffer PRO" compatible products on PC (by downloading the
trace in sniffer format). There are a lot of good tools able to read these
traces.

About the last available version, the new features are:

1) Real-time Response time analysis
2) Real-time IP Errors analysis (the goal is to analyze more than 20 kinds
of errors, now TDSLink analyzes 5 different TCP/IP errors).

TDSLink "IP Trace for z/OS" is free and is used by hundreds of large
companies every day. Optional maintenance and technical support are
available.

Regards

Bertrand MAHE
TDS - Telecoms Data Systems
http://www.tdslink.com
IP Trace for z/OS, IP Watch for z/OS, IP Reporter for z/OS

