I did a quick search and the error seems like a TLS 1.0 only issue.

As I remember it, the FTP TLS on z/OS is restricted to TLS 1.0 with IBM
stating something like

<my impression>
"please use AT-TLS... we are done putting work into task specific TLS
implementations"
</my impression>

AT-TLS provides support for a wider range of TLS levels.  It isn't too
much work to get operating for FTP.  Don't take the Redbooks' advice when
creating rules... the writer succeeded in making it more complicated.  Copy
an existing rule for FTP.

The key is setting up the client rule not the server rule
the SYSFTPD - FTPCDATA

TLSMECHANISM      ATTLS
secure_mechanism  tls
secure_ctrlconn   private
secure_dataconn   private
epsv4             true
TLSRFCLEVEL       RFC4217
secure_ftp        required
extensions        auth_tls
secure_pbsz       32768

You'll need PAGENT and

Obey this for TCPIP
TCPCONFIG TCPSENDBFRSIZE 32K TCPRCVBUFRSIZE 32K SENDGARBAGE FALSE TTLS

If you are after z/OS 1.13.. then the stand alone Config Assistant is not
available.. and the z/OSMF must be used.  I would not recommend hand coding
Policy Agent Rules.

Rob Schramm
Senior Systems Consultant
Imperium Group



On Fri, May 9, 2014 at 9:06 AM, Rob Schramm <[email protected]> wrote:

> Sorry.. was doing my post via phone..
>
> Here is the short version of GSKSRVR trace
>
> Run a GSKSRVR for SSL trace.. the only gotcha is that it must come up
> before the task you want to trace.
>
> - S GSKSRVR
> - Restart STC
> - Update GSKWTR PROC to add a dataset to hold the trace.
> - TRACE CT,WTRSTART=GSKWTR
> - TRACE CT,ON,COMP=GSKSRVR
> - R n,JOBNAME=(yyy),OPTIONS=(LEVEL=255),WTR=GSKWTR,END where yyy is the
> name of STC.
> - Recreate the problem.
> - TRACE CT,OFF,COMP=GSKSRVR
> - TRACE CT,WTRSTOP=GSKWTR
> - get into IPCS
> - update 0 DEFAULTS - Specify default dump and options with GSKWTR
> produced trace data set
> - 2 ANALYSIS - Analyze dump contents
> - 7 TRACES - Trace formatting
> - 1 CTRACE - Component trace
> - D DISPLAY - Specify parameters to display CTRACE entries
> - update "Component" with "GSKSRVR", update "Report type" with "full", and
> issue "S" to start the analysis
>
> GSKSRVR Commands
>
> - S GSKSRVR
> - F GSKSRVR,DISPLAY CRYPTO
> - F GSKSRVR,DISPLAY LEVEL
> - F GSKSRVR,DISPLAY SIDCACHE
> - F GSKSRVR,DISPLAY XCF
> - F GSKSRVR,STOP
>
> Rob Schramm
> Senior Systems Consultant
> Imperium Group
>
>
>
> On Fri, May 9, 2014 at 8:46 AM, Mark Pace <[email protected]> wrote:
>
>> I was able to get the Trace to work - after removing the -r TLS, that
>> generated an error.
>> *EZA2892I Secure port 21 does not allow the -a or -r start parameter *
>>
>> And from that trace it appears, to me, that the FTP server is not
>> responding correctly to the z/OS client handshake.
>>
>> 05/08/2014-16:46:27 Thd-0 INFO send_v3_client_hello(): Sent V3 CLIENT-HELLO message
>> 05/08/2014-16:46:27 Thd-0 ASCII send_v3_client_hello(): V3 CLIENT-HELLO message
>>         00000000:  0100002b 0301536b ed23cf50 8d72c5f7  *...+..Sk.#.P.r..*
>>         00000010:  201c1c84 2fef8ce6 3228c3b3 8de37177  * .../...2(....qw*
>>         00000020:  a3e6e150 a3c50000 0400ff00 050100    *...P........... *
>> 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): Calling write routine for 52 bytes
>> 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): 52 bytes written
>> 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): Calling read routine for 5 bytes
>> 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): 5 bytes received
>> 05/08/2014-16:46:27 Thd-0 ERROR gsk_read_v3_record(): Content Type 50 is not supported
>> 05/08/2014-16:46:27 Thd-0 ASCII gsk_read_v3_record(): SSL record header
>>         00000000:  3232302d 57                          *220-W *
>> 05/08/2014-16:46:27 Thd-0 ERROR gsk_secure_socket_init(): SSL V3 client handshake failed with 10.6.0.15[21]
>>
>>
>>
>> On Wed, May 7, 2014 at 4:03 PM, Gibney, Dave <[email protected]> wrote:
>>
>> > Add this to the FTP Client job parms:
>> > //  PARM=('ENVAR("GSK_TRACE=0XFFFF","GSK_TRACE_FILE=/tmp/gskwix.trc")',
>> > //    '/-r TLS (TRACE EXIT')
>> >
>> > There is a formatted documented with gsktrace. Should get you to the exact
>> > error when you format gskwix.trc
>> >
>> > > -----Original Message-----
>> > > From: IBM Mainframe Discussion List [mailto:[email protected]]
>> > > On Behalf Of Mark Post
>> > > Sent: Wednesday, May 07, 2014 12:55 PM
>> > > To: [email protected]
>> > > Subject: Re: z/OS FTPS Client & Linux FTP server
>> > >
>> > > Mark,
>> > >
>> > > This may be yet another case where running strace or ltrace on the server
>> > > side will give you some insight into what is going on.  If you don't want to go
>> > > down that road, I would say it's time to open up a PMR with IBM.
>> > >
>> > >
>> > > Mark Post
>> > >
>> > > ----------------------------------------------------------------------
>> > > For IBM-MAIN subscribe / signoff / archive access instructions, send
>> > email to
>> > > [email protected] with the message: INFO IBM-MAIN
>> >
>>
>>
>>
>> --
>> The postings on this site are my own and don’t necessarily represent
>> Mainline’s positions or opinions
>>
>> Mark D Pace
>> Senior Systems Engineer
>> Mainline Information Systems
>>
>
>
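
The gsktrace excerpt quoted in this thread can be decoded offline. The following is an added example, not code from any poster or from IBM: it parses the CLIENT-HELLO bytes and the 5-byte "SSL record header" exactly as they appear in the trace, showing the protocol version the client offered and why the reply is reported as content type 50. The function names are hypothetical.

```python
# Bytes copied from the gsktrace hex dump quoted above in this thread.
CLIENT_HELLO = bytes.fromhex(
    "0100002b0301536bed23cf508d72c5f7"
    "201c1c842fef8ce63228c3b38de37177"
    "a3e6e150a3c500000400ff00050100"
)
SERVER_REPLY = bytes.fromhex("3232302d57")

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_client_hello(msg):
    """Decode the fixed fields of a ClientHello handshake message.

    msg is the handshake message as dumped by the trace (no record header).
    """
    if len(msg) < 41 or msg[0] != 1:
        raise ValueError("not a ClientHello")
    if int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("length field does not match message size")
    version = int.from_bytes(msg[4:6], "big")
    pos = 38                          # 4 header + 2 version + 32 random
    pos += 1 + msg[pos]               # skip session id length and session id
    cs_len = int.from_bytes(msg[pos:pos + 2], "big")
    pos += 2
    if pos + cs_len > len(msg):
        raise ValueError("cipher suite list runs past end of message")
    suites = [int.from_bytes(msg[i:i + 2], "big")
              for i in range(pos, pos + cs_len, 2)]
    return {"version": VERSIONS.get(version, hex(version)),
            "cipher_suites": suites,
            "record_bytes": len(msg) + 5}   # plus 5-byte record header


def classify_record_header(hdr):
    """Classify the 5 bytes a TLS client reads as a record header."""
    ctype = hdr[0]
    if ctype in CONTENT_TYPES:
        return "tls:" + CONTENT_TYPES[ctype]
    # An FTP reply starts with three ASCII digits followed by '-' or ' '.
    if len(hdr) >= 4 and hdr[:3].isdigit() and hdr[3:4] in (b"-", b" "):
        return "plaintext-ftp-reply:" + hdr.decode("ascii", "replace")
    return "unknown:%d" % ctype
```

On the trace bytes this reports a TLS 1.0 hello offering suites 0x00FF (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) and 0x0005 (TLS_RSA_WITH_RC4_128_SHA), 52 bytes on the wire as the trace logs, and a reply that is the ASCII text "220-W" (0x32 is the character "2", decimal 50) rather than a TLS record.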
