I had looked at that also. The vsftpd config - comments removed for brevity.

listen=YES
max_clients=20
use_localtime=YES
log_ftp_protocol=YES
# enable FTPS
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_request_cert=NO
rsa_cert_file=/etc/vsftpd/mainline-wc-2011.crt
rsa_private_key_file=/etc/vsftpd/mainline-wc-2011.key
ssl_ciphers=RC4-SHA
debug_ssl=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
anon_umask=666
anon_upload_enable=NO
dirmessage_enable=YES
message_file=.message
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
banner_file=/etc/vsftpd.banner
deny_email_enable=YES
banned_email_file=/etc/vsftpd.banned_emails
chroot_local_user=YES
pasv_enable=YES
listen_ipv6=NO

On Wed, May 7, 2014 at 3:20 PM, Gibney, Dave <[email protected]> wrote:

> I am now reminded of a difficulty I had with this once. My plea to the
> list(s) resulted in this:
>
> Re: FTP TLS Handshake Fails with SSL RC 410
> Cal McCracken Thu, 10 Mar 2011 07:44:54 -0800
>
> Thanks to a private responder, I was able to get this resolved. I don't
> know if the SSL RC 410 covers other error situations, but in my case, the
> resolution was to set configuration parm, ssl_request_cert to NO (defaults
> to YES). This is a config parm for the vsftpd FTP server on our Linux
> system.
>
> My humble thanks to the responder.
>
> > -----Original Message-----
> > From: IBM Mainframe Discussion List [mailto:[email protected]]
> > On Behalf Of Mark Pace
> > Sent: Wednesday, May 07, 2014 12:02 PM
> > To: [email protected]
> > Subject: Re: z/OS FTPS Client & Linux FTP server
> >
> > And for giggles I setup another Linux FTP server - this one pure-ftpd -
> > again no issues connecting with a windows FTPS client - still no
> > connection with z/OS.
> >
> > On Wed, May 7, 2014 at 2:39 PM, Mark Pace <[email protected]>
> > wrote:
> >
> > > Yes - it was at that time. Since I started working on the RACF
> > > certs/keyring stuff the ftp.data has been updated as I go along.
> > > Currently.
> > >
> > > SECURE_CTRLCONN CLEAR
> > > SECURE_DATACONN PRIVATE
> > > SECURE_FTP REQUIRED
> > > SECURE_HOSTNAME OPTIONAL
> > > SECURE_MECHANISM TLS
> > > KEYRING IBMUSER/FtpSecur
> > > TLSPORT 21
> > > TLSRFCLEVEL CCCNONOTIFY
> > > TLSTIMEOUT 10
> > > ;
> > > ;CTRLCONN 7BIT
> > > SECUREIMPLICITZOS FALSE
> > > TLSMECHANISM FTP
> > > CIPHERSUITE SSL_RC4_SHA
> > > ;
> > > DEBUG SEC
> > >
> > > On Wed, May 7, 2014 at 2:06 PM, Gibney, Dave <[email protected]> wrote:
> > >
> > >> You said latest, so maybe you have tried others. In the parms listed
> > >> here, your keyring is commented out.
> > >>
> > >> > -----Original Message-----
> > >> > From: IBM Mainframe Discussion List
> > >> > [mailto:[email protected]] On Behalf Of Mark Pace
> > >> > Sent: Wednesday, May 07, 2014 5:26 AM
> > >> > To: [email protected]
> > >> > Subject: z/OS FTPS Client & Linux FTP server
> > >> >
> > >> > Has anyone successfully sent data to a Linux FTP server using TLS
> > >> > security from the z/OS FTP client?
> > >> >
> > >> > I have a Linux server running vsftpd - I've been using it for years
> > >> > to send SMF data. I've added TLS support to this server. I've
> > >> > verified that the Secure connect works via a Filezilla client,
> > >> >
> > >> > So now I would like to be able to send SMF data to the server. But
> > >> > I always get an authentication failure. I've tried every combination
> > >> > of Security parameters I can come up with.
> > >> >
> > >> > These are the latest parms in my ftp.data file.
> > >> >
> > >> > ;SECURE_CTRLCONN SAFE
> > >> > SECURE_DATACONN CLEAR
> > >> > SECURE_FTP REQUIRED
> > >> > SECURE_HOSTNAME OPTIONAL
> > >> > SECURE_MECHANISM TLS
> > >> > SECUREIMPLICITZOS FALSE
> > >> > CIPHERSUITE SSL_RC4_SHA
> > >> > ;KEYRING IBMUSER/SecureFTPKeyRing
> > >> > TLSPORT 21
> > >> > TLSRFCLEVEL CCCNONOTIFY
> > >> > TLSTIMEOUT 10
> > >> > ;SECURE_PBSZ 16384
> > >> > ;
> > >> > ;CTRLCONN 7BIT
> > >> >
> > >> > I'm beginning to think I am doing something fundamentally wrong
> > >> > instead of it being a matter of wrong parameters.
> > >> >
> > >> > //FTP EXEC PGM=FTP,REGION=5M,PARM='(EXIT'
> > >> > //SYSPRINT DD SYSOUT=*
> > >> > //SYSFTPD DD DISP=SHR,DSN=MARPACE.JCL.CNTL(FTPSDATA)
> > >> > //OUTPUT DD SYSOUT=*
> > >> > //INPUT DD * USE LOWER CASE BELOW
> > >> > ftp.s390.mainline.com
> > >> > userid password
> > >> > dir
> > >> > quit
> > >> >
> > >> > EZA1736I FTP (EXIT
> > >> > EZY2640I Using dd:SYSFTPD=MARPACE.JCL.CNTL(FTPSDATA) for local site
> > >> > configuration parameters.
> > >> > EZA1450I IBM FTP CS V2R1
> > >> > EZA1772I FTP: EXIT has been set.
> > >> > EZA1456I Connect to ?
> > >> > EZA1736I ftp.s390.mainline.com
> > >> > EZA1554I Connecting to: ftp.s390.mainline.com 10.6.0.10 port: 21.
> > >> > EZA2897I Authentication negotiation failed
> > >> > EZA2898I Unable to successfully negotiate required authentication
> > >> > EZA1735I Std Return Code = 10000, Error Code = 00017
> > >> >
> > >> > --
> > >> > The postings on this site are my own and don’t necessarily
> > >> > represent Mainline’s positions or opinions
> > >> >
> > >> > Mark D Pace
> > >> > Senior Systems Engineer
> > >> > Mainline Information Systems
> > >> >
> > >> > ----------------------------------------------------------------------
> > >> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > >> > send email to [email protected] with the message: INFO IBM-MAIN

--
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems
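
Added example (not part of the thread, and not IBM or vsftpd code): a small Python check over the two configurations quoted above that flags the points the thread raises, namely a commented-out KEYRING in ftp.data, ssl_request_cert left at YES in vsftpd.conf, and a cipher name mismatch between the two sides. The sample inputs are constructed excerpts; the function names and the SSL_RC4_SHA to RC4-SHA name mapping are assumptions.

```python
# Constructed excerpts modelled on the two configurations quoted in the thread.
FTP_DATA = """\
SECURE_FTP        REQUIRED
SECURE_MECHANISM  TLS
CIPHERSUITE       SSL_RC4_SHA
;KEYRING          IBMUSER/SecureFTPKeyRing
"""
VSFTPD_CONF = "ssl_enable=YES\nssl_tlsv1=YES\nssl_ciphers=RC4-SHA\n"
# Assumption: z/OS CIPHERSUITE name -> OpenSSL name as written in ssl_ciphers.
ZOS_TO_OPENSSL = {"SSL_RC4_SHA": "RC4-SHA"}

def parse_ftp_data(text):
    """Split FTP.DATA statements into active and ';'-commented dicts."""
    active, commented = {}, {}
    for line in text.splitlines():
        line, target = line.strip(), active
        if line.startswith(";"):
            line, target = line[1:], commented
        parts = line.split(";", 1)[0].split(None, 1)  # drop trailing comment
        if parts:
            target.setdefault(parts[0].upper(), []).append(" ".join(parts[1:]))
    return active, commented

def parse_vsftpd(text):
    """vsftpd.conf: key=value, no spaces around '='; '#' starts a comment line."""
    lines = (l.strip() for l in text.splitlines())
    return dict(l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))

def check(ftp_data, vsftpd_conf):
    """Return findings for the settings the thread singles out."""
    active, commented = parse_ftp_data(ftp_data)
    server = parse_vsftpd(vsftpd_conf)
    findings = []
    if "TLS" in active.get("SECURE_MECHANISM", []) and "KEYRING" not in active:
        state = "commented out" if "KEYRING" in commented else "absent"
        findings.append(f"client: KEYRING is {state}")
    # The quoted 2011 post: ssl_request_cert defaults to YES when not set.
    if server.get("ssl_request_cert", "YES").upper() == "YES":
        findings.append("server: ssl_request_cert is YES")
    # Only explicit suite names are compared, not OpenSSL cipher-list keywords.
    if "CIPHERSUITE" in active and "ssl_ciphers" in server:
        offered = {ZOS_TO_OPENSSL.get(c, c) for c in active["CIPHERSUITE"]}
        if not offered & set(server["ssl_ciphers"].split(":")):
            findings.append("cipher: no suite name in common")
    return findings
```

Calling check(FTP_DATA, VSFTPD_CONF) on the constructed excerpts returns the KEYRING and ssl_request_cert findings; an empty list means none of the three conditions was found.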
