Well, for what it is worth, I use the following in my userid.FTP.DATA and
successfully talk to vsftp with SSL Encryption:
TLSRFCLEVEL CCCNONOTIFY ;
EPSV4 TRUE
TLSMECHANISM FTP
SECURE_MECHANISM TLS
SECURE_FTP REQUIRED
SECURE_CTRLCONN CLEAR
SECURE_DATACONN PRIVATE
CIPHERSUITE SSL_NULL_MD5 ; 01
CIPHERSUITE SSL_NULL_SHA ; 02
CIPHERSUITE SSL_RC4_MD5_EX ; 03
CIPHERSUITE SSL_RC4_MD5 ; 04
CIPHERSUITE SSL_RC4_SHA ; 05
CIPHERSUITE SSL_RC2_MD5_EX ; 06
CIPHERSUITE SSL_DES_SHA ; 09
CIPHERSUITE SSL_3DES_SHA ; 0A
KEYRING FTPClientRing
My RACF keyring has:
Ring:
>FTPClientRing<
Certificate Label Name Cert Owner USAGE DEFAULT
-------------------------------- ------------ -------- -------
Thawte Premium Server CA CERTAUTH CERTAUTH NO
thawte Primary Root CA CERTAUTH CERTAUTH NO
Thawte Server CA CERTAUTH CERTAUTH NO
Thawte DV SSL CA CERTAUTH CERTAUTH NO
I did find it necessary to have the full chain in my keyring.
I just use //MVSFTP EXEC PGM=FTP,
I don't maintain the Linux server, so I can't quickly get the full vsftp parm
deck. I can ask for it.
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]]
> On Behalf Of Mark Pace
> Sent: Friday, May 09, 2014 10:58 AM
> To: [email protected]
> Subject: Re: z/OS FTPS Client & Linux FTP server
>
> Sorry, confused, again.
>
> We currently do userid/password authentication - without SSL.
>
>
> On Fri, May 9, 2014 at 1:42 PM, Gibney, Dave <[email protected]> wrote:
>
> > Well, if you are doing the SSL server stuff, then the password is not
> > flowing in the clear. On the other hand, my interpretation of the
> > vsftp parm I sent a few days ago is to NOT do certificate based client
> > authentication.
> >
> > > -----Original Message-----
> > > From: IBM Mainframe Discussion List
> > > [mailto:[email protected]] On Behalf Of Mark Pace
> > > Sent: Friday, May 09, 2014 9:19 AM
> > > To: [email protected]
> > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > >
> > > Oh yes. We've been doing it that way for years.
> > >
> > > Trying to add the ability to secure the log in process.
> > >
> > >
> > > On Fri, May 9, 2014 at 11:42 AM, Gibney, Dave <[email protected]> wrote:
> > >
> > > > I haven't used SSL client verification by certificate, so you are
> > > > past my knowledge. As an experiment, can you get a working
> > > > connection using userid/password authentication.
> > > >
> > > > > -----Original Message-----
> > > > > From: IBM Mainframe Discussion List
> > > > > [mailto:[email protected]] On Behalf Of Mark Pace
> > > > > Sent: Friday, May 09, 2014 5:47 AM
> > > > > To: [email protected]
> > > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > > >
> > > > > I was able to get the Trace to work - after removing the -r TLS,
> > > > > that generated an error.
> > > > > *EZA2892I Secure port 21 does not allow the -a or -r start parameter*
> > > > >
> > > > > And from that trace it appears, to me, that the FTP server is
> > > > > not responding correctly to the z/OS client handshake.
> > > > >
> > > > > 05/08/2014-16:46:27 Thd-0 INFO send_v3_client_hello(): Sent V3 CLIENT-HELLO message
> > > > > 05/08/2014-16:46:27 Thd-0 ASCII send_v3_client_hello(): V3 CLIENT-HELLO message
> > > > > 00000000: 0100002b 0301536b ed23cf50 8d72c5f7 *...+..Sk.#.P.r..*
> > > > > 00000010: 201c1c84 2fef8ce6 3228c3b3 8de37177 *.../...2(....qw*
> > > > > 00000020: a3e6e150 a3c50000 0400ff00 050100   *...P...........*
> > > > > 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): Calling write routine for 52 bytes
> > > > > 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): 52 bytes written
> > > > > 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): Calling read routine for 5 bytes
> > > > > 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): 5 bytes received
> > > > > 05/08/2014-16:46:27 Thd-0 ERROR gsk_read_v3_record(): Content Type 50 is not supported
> > > > > 05/08/2014-16:46:27 Thd-0 ASCII gsk_read_v3_record(): SSL record header
> > > > > 00000000: 3232302d 57                          *220-W*
> > > > > 05/08/2014-16:46:27 Thd-0 ERROR gsk_secure_socket_init(): SSL V3 client handshake failed with 10.6.0.15[21]
> > > > >
> > > > >
> > > > >
> > > > > On Wed, May 7, 2014 at 4:03 PM, Gibney, Dave <[email protected]>
> > > wrote:
> > > > >
> > > > > > Add this to the FTP Client job parms:
> > > > > > //         PARM=('ENVAR("GSK_TRACE=0XFFFF","GSK_TRACE_FILE=/tmp/gskwix.trc")',
> > > > > > //         '/-r TLS (TRACE EXIT')
> > > > > >
> > > > > > There is a formatter documented, gsktrace. It should get you
> > > > > > to the exact error when you format gskwix.trc.
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: IBM Mainframe Discussion List
> > > > > > > [mailto:[email protected]] On Behalf Of Mark Post
> > > > > > > Sent: Wednesday, May 07, 2014 12:55 PM
> > > > > > > To: [email protected]
> > > > > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > > > > >
> > > > > > > Mark,
> > > > > > >
> > > > > > > This may be yet another case where running strace or ltrace
> > > > > > > on the server side will give you some insight into what is
> > > > > > > going on. If you don't want to go down that road, I would say
> > > > > > > it's time to open up a PMR with IBM.
> > > > > > >
> > > > > > >
> > > > > > > Mark Post
> > > > > > >
> > > > > > > ----------------------------------------------------------------------
> > > > > > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > > > > > send email to [email protected] with the message: INFO IBM-MAIN
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > The postings on this site are my own and don’t necessarily
> > > > > represent Mainline’s positions or opinions
> > > > >
> > > > > Mark D Pace
> > > > > Senior Systems Engineer
> > > > > Mainline Information Systems
> > > > >
> > > >
> > > >
> > >
> > >
> > >
> >
> >
>
>
>
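Editor's note, added to this archived thread and not written by any of the posters or by IBM: the GSK trace quoted above can be decoded by hand, and the hex IDs on the CIPHERSUITE lines of the FTP.DATA at the top of the thread can be audited the same way. The script below copies the CLIENT-HELLO bytes and the 5-byte server reply straight from the trace, parses the ClientHello, classifies the reply, and grades each cipher suite. The cipher-suite table is a constructed subset limited to the IDs that appear on this page, using the keyword-to-ID mapping given in the FTP.DATA comments; nothing else is assumed.

```python
"""Decode the GSK trace bytes quoted in this thread and audit the CIPHERSUITE IDs.

Editor-added example for this archived thread; not code from any poster or from
IBM. The two hex strings are copied from the trace lines in the thread; the
cipher-suite table is a constructed subset limited to IDs that appear on the page.
"""
import struct
from datetime import datetime, timezone

# From the trace: the 47-byte V3 CLIENT-HELLO handshake message. On the wire a
# 5-byte record header precedes it, which gives the "52 bytes written" in the trace.
CLIENT_HELLO_HEX = (
    "0100002b0301536bed23cf508d72c5f7"
    "201c1c842fef8ce63228c3b38de37177"
    "a3e6e150a3c500000400ff00050100"
)
# From the trace: the first 5 bytes the server sent back ("SSL record header").
SERVER_REPLY_HEX = "3232302d57"

# Hex IDs on the CIPHERSUITE lines of the posted FTP.DATA, in the order given.
FTP_DATA_SUITES = [0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x09, 0x0A]

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

# Constructed subset: z/OS FTP CIPHERSUITE keyword and what the suite actually gives you.
CIPHER_SUITES = {
    0x0001: ("SSL_NULL_MD5", "no encryption"),
    0x0002: ("SSL_NULL_SHA", "no encryption"),
    0x0003: ("SSL_RC4_MD5_EX", "40-bit export RC4"),
    0x0004: ("SSL_RC4_MD5", "RC4"),
    0x0005: ("SSL_RC4_SHA", "RC4"),
    0x0006: ("SSL_RC2_MD5_EX", "40-bit export RC2"),
    0x0009: ("SSL_DES_SHA", "56-bit DES"),
    0x000A: ("SSL_3DES_SHA", "3DES (legacy)"),
    0x00FF: ("TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "signalling value, not a cipher"),
}
WEAK = {"no encryption", "40-bit export RC4", "40-bit export RC2", "RC4", "56-bit DES"}


def parse_client_hello(hex_dump):
    """Parse a TLS ClientHello handshake message (RFC 2246 section 7.4.1.2)."""
    b = bytes.fromhex(hex_dump)
    if b[0] != 0x01:
        raise ValueError("handshake type %d is not ClientHello" % b[0])
    body_len = int.from_bytes(b[1:4], "big")
    if len(b) != 4 + body_len:
        raise ValueError("length field %d does not match %d body bytes" % (body_len, len(b) - 4))
    version = (b[4], b[5])                      # 03 01 = TLS 1.0
    pos = 6
    rnd = b[pos:pos + 32]
    pos += 32
    sid_len = b[pos]
    pos += 1
    session_id = b[pos:pos + sid_len]
    pos += sid_len
    cs_len = struct.unpack("!H", b[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", b[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = b[pos]
    pos += 1
    compression = list(b[pos:pos + comp_len])
    # The TLS 1.0 random starts with gmt_unix_time; System SSL fills it in, so it
    # can be cross-checked against the local timestamp printed on the trace line.
    sent_at = datetime.fromtimestamp(struct.unpack("!I", rnd[:4])[0], tz=timezone.utc)
    return {"version": version, "random": rnd.hex(), "session_id": session_id.hex(),
            "cipher_suites": suites, "compression": compression,
            "gmt_unix_time": sent_at.isoformat()}


def classify_reply(hex_bytes):
    """Decide whether 5 bytes are a TLS record header or a plaintext FTP reply."""
    b = bytes.fromhex(hex_bytes)
    if b[0] in TLS_CONTENT_TYPES:
        rec_len = struct.unpack("!H", b[3:5])[0]
        return "tls:%s v%d.%d len=%d" % (TLS_CONTENT_TYPES[b[0]], b[1], b[2], rec_len)
    text = b.decode("ascii", errors="replace")
    if text[:3].isdigit():                      # FTP replies start with a 3-digit code
        return "ftp:" + text
    return "unknown:" + text


def audit_suites(suite_ids):
    """Return (keyword, strength, is_weak) for each suite ID."""
    out = []
    for sid in suite_ids:
        name, strength = CIPHER_SUITES.get(sid, ("unknown_0x%04x" % sid, "unknown"))
        out.append((name, strength, strength in WEAK))
    return out


if __name__ == "__main__":
    hello = parse_client_hello(CLIENT_HELLO_HEX)
    print("ClientHello: TLS %d.%d, gmt_unix_time %s"
          % (hello["version"][0], hello["version"][1], hello["gmt_unix_time"]))
    for name, strength, weak in audit_suites(hello["cipher_suites"]):
        print("  offered %-34s %s%s" % (name, strength, "  [WEAK]" if weak else ""))
    first = bytes.fromhex(SERVER_REPLY_HEX)[0]
    print("Server reply: %s (first byte 0x%02x = content type %d)"
          % (classify_reply(SERVER_REPLY_HEX), first, first))
    print("FTP.DATA CIPHERSUITE list:")
    for name, strength, weak in audit_suites(FTP_DATA_SUITES):
        print("  %-16s %s%s" % (name, strength, "  [WEAK]" if weak else ""))
```

What it shows, as the editor reads the trace: the client offered TLS 1.0 with a single real suite, SSL_RC4_SHA (0x0005), plus the renegotiation SCSV (0x00FF); the gmt_unix_time in the random decodes to 2014-05-08 20:46:27 UTC, which is the 16:46:27 on the trace line at UTC-4. The five bytes the server answered with are ASCII "220-W", so the "Content Type 50" in the error is simply the byte 0x32, the first digit of an FTP 220 greeting, not a TLS record at all. That is the pattern you get when one side starts TLS immediately on the socket while the other side sends the FTP banner and waits for AUTH TLS; the EZA2892I message about a "secure port 21" and the TLSMECHANISM FTP statement in the working configuration are the two settings to compare on that point. On the FTP.DATA list itself, every suite except SSL_3DES_SHA is graded weak: the two SSL_NULL suites negotiate no encryption, and the _EX suites are 40-bit export grade, so SECURE_DATACONN PRIVATE only delivers confidentiality if the server refuses those and picks something stronger.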