I've been working with z/OS 2.4's FTP server using AT-TLS with certificates
for the last few days. PAGENT is setup, and it seems to be functioning
correctly. I've finally gotten to the point of the client sending in a
certificate
and logging on without having to specify a password, which is what I wanted.
I'm using Core FTP LE as my ftp client.
I'm almost through the door, so to speak, but when I get to the point of
getting a directory listing on Core FTP, on the z/OS side I get this error.
protDataConnAttls: ioctl() failed on SIOCTTLSCTL - EDC8148I Protocol error.
(errno2=0x77B70291)
At this point the TLS negotiation fails, and the data connection is closed.
Below the EDC8148I
message text are my FTP Server options. One more piece of information, z/OS
2.4 is
running under VM.
Looking up EDC8184I,
EDC8148I Protocol error.
Explanation
A protocol error occurred. This error is device-specific, but is usually not
caused by a hardware failure.
System action
The request fails. The application continues to run.
Programmer response
Proceed with cleanup of the application resources, and then close the socket.
When the socket has been freed, the application may begin the process again.
My z/OS FTP server options are,
TLSMECHANISM ATTLS
EXTENSIONS AUTH_TLS ; Enable TLS authentication
; Default is disabled.
SECURE_FTP ALLOWED ; Authentication indicator
; ALLOWED (D)
; REQUIRED
SECURE_LOGIN VERIFY_USER ; Authorization level indicator
; for TLS
; NO_CLIENT_AUTH (D)
; REQUIRED
; VERIFY_USER
SECURE_PASSWORD OPTIONAL ; REQUIRED (D) - User must enter
password
; OPTIONAL - User does not have to
; enter a password
; This setting has meaning only
; for TLS when implementing client
; certificate authentication
SECURE_CTRLCONN PRIVATE ; Minimum level of security for
; the control connection
; CLEAR (D)
; SAFE
; PRIVATE
SECURE_DATACONN PRIVATE ; Minimum level of security for
; the data connection
; NEVER
; CLEAR (D)
; SAFE
; PRIVATE
SECURE_PBSZ 16384 ; Kerberos maximum size of the
; encoded data blocks
; Default value is 16384
; Valid range is 512 through 32768
SECURE_SESSION_REUSE REQUIRED ; Specify whether session reuse is
; required when SSL/TLS is being
; used to protect the connections
; ALLOWED (D)
password
; OPTIONAL - User does not have to
; enter a password
; This setting has meaning only
; for TLS when implementing client
; certificate authentication
CIPHERSUITE SSL_NULL_MD5 ; 01
CIPHERSUITE SSL_NULL_SHA ; 02
CIPHERSUITE SSL_RC4_MD5_EX ; 03
CIPHERSUITE SSL_RC4_MD5 ; 04
CIPHERSUITE SSL_RC4_SHA ; 05
CIPHERSUITE SSL_RC2_MD5_EX ; 06
CIPHERSUITE SSL_DES_SHA ; 09
CIPHERSUITE SSL_3DES_SHA ; 0A
CIPHERSUITE SSL_AES_128_SHA ; 2F
CIPHERSUITE SSL_AES_256_SHA ; 35
KEYRING /usr/local/certificates/BCI.kdb ; Name of the keyring for TLS
; It can be the name of an HFS x
; file (name starts with /) or
; a resource name in the security
; product (e.g., RACF)
TLSTIMEOUT 100 ; Maximum time limit between full
; TLS handshakes to protect data
; connections
; Default value is 100 seconds.
; Valid range is 0 through 86400
TLSRFCLEVEL DRAFT ; Specify what level of RFC 4217,
; On Securing FTP with TLS, is
; supported.
; DRAFT (D) Internet Draft level
; RFC4217 RFC level
TLSCERTCROSSCHECK TRUE ; Specify TLS certificate
; cross-checking
; TRUE (D) - cross-checking is
; enabled
; FALSE - cross-checking is
; disabled
SECUREIMPLICITZOS TRUE ; Specify when the FTP server
; expects the security handshake
; to occur.
; TRUE (D) FTP server expects
; security handshake to occur after
; it sends the reply 220.
; FALSE FTP server expects
; the security handshake before
; it sends the reply 220.
Confidentiality notice:
This e-mail message, including any attachments, may contain legally privileged
and/or confidential information. If you are not the intended recipient(s), or
the employee or agent responsible for delivery of this message to the intended
recipient(s), you are hereby notified that any dissemination, distribution, or
copying of this e-mail message is strictly prohibited. If you have received
this message in error, please immediately notify the sender and delete this
e-mail message from your computer.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
