
FTPS rc = 406 (Error while reading or writing data)


Finley, Frank

Sep 23, 2009, 10:16:46 AM
Hello,

I've been beating my head against the wall for a while on this one and wondering if anyone has any thoughts that may help me in troubleshooting. I am having issues with an FTPS connection to a remote host. IBM z/OS 1.8 (our side) client connecting to a Unix FTPS server running proftpd.

This is outside a firewall, but ports have been open between our two locations.

Windows clients aren't having any issues connecting to their server. We are using RACF for the certificates and I have verified that the certificate chain is in place for the user. Is anyone able to steer me in the right direction troubleshooting?

FC0760 authServer: entered
FC0767 authServer: secure_socket_open()
SC3717 getFNDELAY: entered
FC0834 authServer: secure_socket_init()
FU0536 secureWrite: entered
FU0436 secureRead: entered
SC3752 setFNDELAY: entered
FC0847 authServer: secure_socket_init failed with rc = 406 (Error while reading or writing data)
FC1004 endSecureConn: entered
EZA2897I Authentication negotiation failed
FC1025 endSecureEnv: entered
SC3607 inSession: entered
CZ0582 SETCEC code = 17
EZA2898I Unable to successfully negotiate required authentication
CX0336 main: error and exit on error
SC3558 getLastReply: entered
CX0350 main: RC=-0001 cmd_in_progress=10
CX0353 main: last_reply= 220 err=17
PC0905 setClientRC: entered
SC3558 getLastReply: entered
PC0975 setClientRC: std_rc=10220, rc_type=STD, rc=10220
EZA1735I Std Return Code = 10220, Error Code = 00017
CZ1170 ftpQuit: entered
CZ1242 ftpClose: entered
SC3607 inSession: entered
SC3686 setLoggedIn: entered
CZ1242 ftpClose: entered
SC3607 inSession: entered
SC3686 setLoggedIn: entered
CX0484 removeAff: entered

Thank you,

Frank Finley, CISSP
Information Systems Security Officer
United States Coast Guard
Pay and Personnel Center, Topeka KS
(ph) - 785-339-3578
(cell) - 785-813-1812

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to list...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Hal Merritt

Sep 23, 2009, 10:29:27 AM
One thing pops to mind: most all Windows clients will accept self-signed certificates, and z/OS won't. Is the top level certificate marked as a Trusted CA?

The next thing to try is a more detailed trace. I don't recall exactly what I did, but I do recall seeing that I did not have any case sensitivity issues. I also recall seeing a very explicit message as to the exact nature of the error.

Of course, it took me a while to accept what it was saying.

HTH and good luck.


Richard Peurifoy

Sep 23, 2009, 11:14:21 AM

The RC = 406 message is pretty generic, and doesn't really provide
you with enough info to determine what the problem is.

Unfortunately in these cases, you need to run a packet and/or GSK
trace.

The last time I got one of these, it turned out to be the server
was sending an FTP error message in the middle of the SSL negotiation.
Turned out the server was configured wrong, and couldn't find its
certificate store. This was easy to see in a packet trace.

For other SSL problems, the GSK trace is probably better.

--
Richard

Finley, Frank

Sep 24, 2009, 9:04:55 AM
Thank you for the pointers,

It looks like the issue is resolving back to the server side running
explicit FTPS on port 990 rather than implicit which is what you would
normally expect on that port. Apparently this was done to get around some
firewall limitations with the normal port 21.

Is there a way to force the connection to use explicit FTP on my side while
connecting to port 990? I cannot seem to find any settings in the FTP.DATA
file that would do it, and my google fu is failing me.

Thank you,

Frank Finley, CISSP
Information Systems Security Officer
United States Coast Guard
Pay and Personnel Center, Topeka KS
(ph) - 785-339-3578
(cell) - 785-813-1812

Richard Peurifoy

Sep 24, 2009, 11:18:52 AM
Finley, Frank wrote:
> Thank you for the pointers,
>
> It looks like the issue is resolving back to the server side running
> explicit FTPS on port 990 rather than implicit which is what you would
> normally expect on that port. Apparently this was done to get around some
> firewall limitations with the normal port 21.
>
> Is there a way to force the connection to use explicit FTP on my side while
> connecting to port 990? I cannot seem to find any settings in the FTP.DATA
> file that would do it, and my google fu is failing me.

I think TLSPORT in the FTP.DATA file specifies the implicit port.
So if you code TLSPORT 999 or some such, port 990 will no longer
be considered implicit.

--
Richard
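
The mismatch diagnosed in this thread, as an added example (not code from any poster or from IBM): a client that treats port 990 as implicit TLS starts the handshake at once, while an explicit-mode server first sends a plaintext 220 greeting and waits for AUTH TLS. The TLSPORT rule in expected_mode() is an assumption taken from the replies here; the function names and the sample greeting are constructed for illustration.

```python
import socket

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}  # ccs, alert, handshake, app data

def classify_greeting(data: bytes) -> str:
    """Classify the first bytes a server volunteers on a new control connection."""
    if not data:
        return "silent"      # server waits for a ClientHello: implicit TLS
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03:
        return "tls-record"
    if data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return "ftp-reply"   # plaintext greeting: server expects AUTH TLS (explicit)
    return "unknown"

def expected_mode(port: int, tlsport: int = 990) -> str:
    """Assumed client rule (from the thread): the port equal to TLSPORT is
    implicit TLS; TLSPORT 0, or any value other than the target port, is not."""
    return "implicit" if tlsport != 0 and port == tlsport else "explicit"

def diagnose(port: int, greeting: bytes, tlsport: int = 990) -> str:
    """Compare what the client will attempt with what the server actually does."""
    kind = classify_greeting(greeting)
    server = {"ftp-reply": "explicit", "silent": "implicit",
              "tls-record": "implicit"}.get(kind)
    if server is None:
        return "unknown server behaviour"
    client = expected_mode(port, tlsport)
    if client == server:
        return "ok"
    return f"mismatch: client expects {client}, server is {server}"

def probe(host: str, port: int, wait: float = 3.0) -> bytes:
    """Connect, send nothing, and return what the server sends within `wait` s."""
    with socket.create_connection((host, port), timeout=wait) as s:
        try:
            return s.recv(512)
        except socket.timeout:
            return b""

if __name__ == "__main__":
    banner = b"220 FTP server ready\r\n"   # constructed sample greeting
    for tlsport in (990, 999, 0):
        print(tlsport, diagnose(990, banner, tlsport))
```

Pass the bytes returned by probe(host, 990) to diagnose() to check a live server against a given TLSPORT value.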

Finley, Frank

Sep 24, 2009, 11:32:04 AM
Thank you!

That solved the issue. I owe you one.

Frank Finley, CISSP
Information Systems Security Officer
United States Coast Guard
Pay and Personnel Center, Topeka KS
(ph) - 785-339-3578
(cell) - 785-813-1812


Frank Swarbrick

Sep 24, 2009, 2:18:05 PM
In your SYSFTPD DD or equivalent specify:
TLSPORT 0 ; don't treat port 990 as implicit TLS
--

Frank Swarbrick
Applications Architect - Mainframe Applications Development
FirstBank Data Corporation - Lakewood, CO USA
P: 303-235-1403


