Thanks, Rob - I am working on this now. One issue, I don't have z/OSMF on my systems. Guess I'll be stuck with trying to create policies by hand. I seem to recall there was a stand-alone version of the policy tool, but it appears that cannot be used with a z/OS 2.1 system.
Starting to wonder how many tools/functions are going to be moved to OSMF and if I should be considering implementing OSMF.

On Fri, May 9, 2014 at 9:37 AM, Rob Schramm <[email protected]> wrote:

> I did a quick search and the error seems like a TLS 1.0 only issue.
>
> As I remember it, the FTP TLS on z/OS is restricted to TLS 1.0 with IBM
> stating something like
>
> <my impression>
> "please use AT-TLS... we are done putting work into task specific TLS
> implementations"
> </my impression>
>
> AT-TLS provides support for a wider range of TLS levels. It isn't too
> much work to get operating for FTP. Don't take the redbooks advice when
> creating rules... the writer succeeded in making it more complicated. Copy
> an existing rule for FTP.
>
> The key is setting up the client rule not the server rule
> the SYSFTPD - FTPCDATA
>
> TLSMECHANISM ATTLS
> secure_mechanism tls
> secure_ctrlconn private
> secure_dataconn private
> epsv4 true
> TLSRFCLEVEL RFC4217
> secure_ftp required
> extensions auth_tls
> secure_pbsz 32768
>
> You'll need PAGENT and
>
> Obey this for TCPIP
> TCPCONFIG TCPSENDBFRSIZE 32K TCPRCVBUFRSIZE 32K SENDGARBAGE FALSE TTLS
>
> If you are after z/OS 1.13.. then the stand alone Config Assistant is not
> available.. and the z/OSMF must be used. I would not recommend hand coding
> Policy Agent Rules.
>
> Rob Schramm
> Senior Systems Consultant
> Imperium Group
>
> On Fri, May 9, 2014 at 9:06 AM, Rob Schramm <[email protected]> wrote:
>
> > Sorry.. was doing my post via phone..
> >
> > Here is the short version of GSKSRVR trace
> >
> > Run a GSKSRVR for SSL trace.. the only gotcha is that it must come up
> > before the task you want to trace.
> >
> > - S GSKSRVR
> > - Restart STC
> > - Update GSKWTR PROC to add a dataset to hold the trace.
> > - TRACE CT,WTRSTART=GSKWTR
> > - TRACE CT,ON,COMP=GSKSRVR
> > - R n,JOBNAME=(yyy),OPTIONS=(LEVEL=255),WTR=GSKWTR,END where yyy is the
> >   name of STC.
> > - Recreate the problem.
> > - TRACE CT,OFF,COMP=GSKSRVR
> > - TRACE CT,WTRSTOP=GSKWTR
> > - get into IPCS
> > - update 0 DEFAULTS - Specify default dump and options with GSKWTR
> >   produced trace data set
> > - 2 ANALYSIS - Analyze dump contents
> > - 7 TRACES - Trace formatting
> > - 1 CTRACE - Component trace
> > - D DISPLAY - Specify parameters to display CTRACE entries
> > - update "Component" with "GSKSRVR", update "Report type" with "full", and
> >   issue "S" to start the analysis
> >
> > GSKSRVR Commands
> >
> > - S GSKSRVR
> > - F GSKSRVR,DISPLAY CRYPTO
> > - F GSKSRVR,DISPLAY LEVEL
> > - F GSKSRVR,DISPLAY SIDCACHE
> > - F GSKSRVR,DISPLAY XCF
> > - F GSKSRVR,STOP
> >
> > Rob Schramm
> > Senior Systems Consultant
> > Imperium Group
> >
> > On Fri, May 9, 2014 at 8:46 AM, Mark Pace <[email protected]> wrote:
> >
> >> I was able to get the Trace to work - after removing the -r TLS, that
> >> generated an error.
> >> *EZA2892I Secure port 21 does not allow the -a or -r start parameter *
> >>
> >> And from that trace it appears, to me, that the FTP server is not
> >> responding correctly to the z/OS client handshake.
> >>
> >> 05/08/2014-16:46:27 Thd-0 INFO send_v3_client_hello(): Sent V3 CLIENT-HELLO message
> >> 05/08/2014-16:46:27 Thd-0 ASCII send_v3_client_hello(): V3 CLIENT-HELLO message
> >> 00000000: 0100002b 0301536b ed23cf50 8d72c5f7 *...+..Sk.#.P.r..*
> >> 00000010: 201c1c84 2fef8ce6 3228c3b3 8de37177 *.../...2(....qw*
> >> 00000020: a3e6e150 a3c50000 0400ff00 050100   *...P........... *
> >> 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): Calling write routine for 52 bytes
> >> 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): 52 bytes written
> >> 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): Calling read routine for 5 bytes
> >> 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): 5 bytes received
> >> 05/08/2014-16:46:27 Thd-0 ERROR gsk_read_v3_record(): Content Type 50 is not supported
> >> 05/08/2014-16:46:27 Thd-0 ASCII gsk_read_v3_record(): SSL record header
> >> 00000000: 3232302d 57                          *220-W *
> >> 05/08/2014-16:46:27 Thd-0 ERROR gsk_secure_socket_init(): SSL V3 client handshake failed with 10.6.0.15[21]
> >>
> >> On Wed, May 7, 2014 at 4:03 PM, Gibney, Dave <[email protected]> wrote:
> >>
> >> > Add this to the FTP Client job parms:
> >> > // PARM=('ENVAR("GSK_TRACE=0XFFFF","GSK_TRACE_FILE=/tmp/gskwix.trc")',
> >> > //      '/-r TLS (TRACE EXIT')
> >> >
> >> > There is a formatter documented with gsktrace. Should get you to the
> >> > exact error when you format gskwix.trc
> >> >
> >> > > -----Original Message-----
> >> > > From: IBM Mainframe Discussion List [mailto:[email protected]]
> >> > > On Behalf Of Mark Post
> >> > > Sent: Wednesday, May 07, 2014 12:55 PM
> >> > > To: [email protected]
> >> > > Subject: Re: z/OS FTPS Client & Linux FTP server
> >> > >
> >> > > Mark,
> >> > >
> >> > > This may be yet another case where running strace or ltrace on the
> >> > > server side will give you some insight into what is going on. If you
> >> > > don't want to go down that road, I would say it's time to open up a
> >> > > PMR with IBM.
> >> > >
> >> > > Mark Post
> >> > >
> >> > > ----------------------------------------------------------------------
> >> > > For IBM-MAIN subscribe / signoff / archive access instructions, send
> >> > > email to [email protected] with the message: INFO IBM-MAIN
> >> >
> >>
> >> --
> >> The postings on this site are my own and don't necessarily represent
> >> Mainline's positions or opinions
> >>
> >> Mark D Pace
> >> Senior Systems Engineer
> >> Mainline Information Systems
> >>
> >
>

--
Mark D Pace
Senior Systems Engineer
Mainline Information Systems
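The trace quoted above already contains everything needed to see why the handshake died, but the GSK formatter only prints hex. The following Python is an added example (it is not code from this thread, from IBM, or from Mainline) that decodes the two byte sequences the trace shows: the 47-byte ClientHello the z/OS client sent, and the 5 bytes the server answered with. The hex is copied from the quoted trace; the TLS field layout comes from RFC 2246, and the cipher-suite and content-type names from the IANA TLS registry. Decoding shows the client offering version 0x0301 (TLS 1.0, which matches Rob's observation) with two suites, and the server's first five bytes being the ASCII text "220-W", an FTP 220 greeting rather than a TLS record header, which is exactly why the library reports content type 50 (0x32, the character "2") as unsupported. The gmt_unix_time in the ClientHello decodes to 20:46:27 UTC, the trace's 16:46:27 for a clock four hours behind UTC.

```python
"""Decode the ClientHello and the server's first bytes from the GSK trace.

Added example for reading a failed TLS handshake from a hex trace. The two hex
dumps are copied from the trace quoted in the thread; field layout per RFC 2246
(TLS 1.0), names per the IANA TLS parameters registry.
"""
import struct
from datetime import datetime, timezone

# From the trace: the 47-byte ClientHello handshake message (no record header).
# The record layer adds 5 bytes, which is the "52 bytes written" in the trace.
CLIENT_HELLO_HEX = (
    "0100002b 0301536b ed23cf50 8d72c5f7 "
    "201c1c84 2fef8ce6 3228c3b3 8de37177 "
    "a3e6e150 a3c50000 0400ff00 050100"
)

# From the trace: the 5 bytes the server sent back, read as an "SSL record header".
SERVER_FIRST_5_HEX = "3232302d 57"

HANDSHAKE_CLIENT_HELLO = 1
# Record-layer content types a TLS 1.x peer may legitimately send first.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
# Code points that appear in this particular ClientHello.
CIPHER_SUITE_NAMES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA",
                      0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}


def unhex(dump: str) -> bytes:
    """Turn a space-separated hex dump column into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))


def version_name(v: tuple) -> str:
    """Map a (major, minor) record/handshake version to its protocol name."""
    return {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
            (3, 3): "TLS 1.2"}.get(v, f"unknown {v}")


def parse_client_hello(msg: bytes) -> dict:
    """Parse a TLS ClientHello handshake message (without the record header)."""
    if msg[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError(f"not a ClientHello: handshake type {msg[0]}")
    body_len = int.from_bytes(msg[1:4], "big")       # 3-byte handshake length
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    gmt_unix_time = struct.unpack(">I", body[2:6])[0]  # first 4 bytes of random
    pos = 34                                           # 2 version + 32 random
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    suites = [int.from_bytes(body[i:i + 2], "big")
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1
    compression = list(body[pos:pos + comp_len])
    return {"version": version, "gmt_unix_time": gmt_unix_time,
            "session_id": session_id, "cipher_suites": suites,
            "compression": compression}


def client_hello_time_utc(hello: dict) -> str:
    """Render the ClientHello's gmt_unix_time so it can be matched to trace stamps."""
    t = datetime.fromtimestamp(hello["gmt_unix_time"], tz=timezone.utc)
    return t.strftime("%Y-%m-%d %H:%M:%S UTC")


def classify_record_header(first5: bytes) -> dict:
    """Interpret the first 5 bytes a TLS client receives.

    A real TLS record starts with a content type in 20..23 and a 0x03xx version.
    Anything else was never a TLS record, so also decode it as ASCII: a plaintext
    protocol greeting is what usually shows up in its place.
    """
    ctype = first5[0]
    return {"content_type": ctype,
            "content_type_name": TLS_CONTENT_TYPES.get(ctype, "unsupported"),
            "version": (first5[1], first5[2]),
            "length": int.from_bytes(first5[3:5], "big"),
            "is_tls_record": ctype in TLS_CONTENT_TYPES and first5[1] == 3,
            "as_ascii": first5.decode("ascii", errors="replace")}


if __name__ == "__main__":
    hello = parse_client_hello(unhex(CLIENT_HELLO_HEX))
    print("client offered", version_name(hello["version"]),
          "at", client_hello_time_utc(hello))
    for cs in hello["cipher_suites"]:
        print(f"  suite 0x{cs:04x} {CIPHER_SUITE_NAMES.get(cs, '?')}")
    reply = classify_record_header(unhex(SERVER_FIRST_5_HEX))
    print("server's first bytes:", reply)
```

Run as a script, the block reports the offered version and suites, then shows the server reply as content type 50, not a TLS record, ASCII "220-W". That is the check to make before opening a PMR: if the peer's first bytes are a readable protocol greeting, the two sides disagree about whether TLS starts immediately on the connection, and no amount of cipher or certificate tuning will change the result.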
