I'm trying to make the AT-TLS stuff work, but I'm just as confused by this
as the original stuff. The PAGENT setup seemed pretty straightforward.
pagent.conf:
TTLSConfig /etc/pagent_TTLS.conf

pagent_TTLS.conf:
# Common Production Group that all Rules use
TTLSGroupAction grp_Production
{
   TTLSEnabled On
   Trace 2        # Log Errors to syslogd
}
###################################################################
#                                                                 #
# FTP Specific Rules and Actions                                  #
#                                                                 #
###################################################################
# FTP data connections must use SecondaryMap
# to access keyring and certificate under server's security context.
# Do not define separate rules for FTP data connections.
TTLSRule Secure_Ftp_client
{
   LocalPortRange 21
   Direction Outbound
   TTLSGroupActionRef grp_Production
   TTLSEnvironmentActionRef Secure_Ftp_Client_Env
}
# Environment Shared by all secure FTP client connections.
# Each client must own their own key ring named Client_Ring
TTLSEnvironmentAction Secure_Ftp_Client_Env
{
   HandshakeRole Client
   TTLSKeyRingParms
   {
      Keyring Client_Ring
   }
   TTLSEnvironmentAdvancedParms
   {
      SecondaryMap On
   }
}
It appears that the correct configurations are loaded; my only question
is whether INET is the correct name.
EZZ8432I PAGENT INITIALIZATION COMPLETE
EZD1289I TCPIP ICSF SERVICES ARE CURRENTLY AVAILABLE FOR AT-TLS GROUP
grp_Production
EZZ8771I PAGENT CONFIG POLICY PROCESSING COMPLETE FOR INET : TTLS
EZD1586I PAGENT HAS INSTALLED ALL LOCAL POLICIES FOR INET
Run the FTP and it fails, saying there is no matching policy:
GU5349 ftpSetApplData: entered
FC0254 ftpAuth: security values: mech=TLS, tlsmech=ATTLS, sFTP=R, sCC=P, sDC=P
FC2723 ftpAuthAttls: No AT-TLS policy matched connection
EZA2897I Authentication negotiation failed
On Sat, May 10, 2014 at 2:21 PM, Rob Schramm <[email protected]> wrote:
> Congrats.
>
> Of course the latest recommendations are to move away from TLS 1.0 because
> of vulnerabilities.
>
> Rob Schramm
> On May 9, 2014 4:48 PM, "Mark Pace" <[email protected]> wrote:
>
> > One thing I just noticed as I was documenting this.
> > I had changed my ftp server from using the GoDaddy assigned certificate to
> > a self-signed certificate. I had sent a copy of the .pem file to z/OS and
> > added it to my keyring as Site certificate. - That is what worked.
> >
> > So I went back to the GoDaddy certificate on the server, and I still have,
> > what I thought was a good Certauth from GoDaddy on my key ring and now my
> > error is - FC1003 authServer: secure_socket_init failed with rc = 417
> > (Self-signed certificate cannot be validated)
> >
> > So now I need to figure out how to get the Certauth working as I don't
> > really want to have to send my self-signed out.
> >
> > Something to ponder next week.
> >
> >
> > On Fri, May 9, 2014 at 4:09 PM, Gibney, Dave <[email protected]> wrote:
> >
> > > On looking at it, I think the
> > > > TLSRFCLEVEL CCCNONOTIFY ;
> > > And/or the
> > > > EPSV4 TRUE
> > > Are newish (in that they were what I had to put in to make it work the
> > > last time it broke :) It tends to break when maintenance is put on Linux
> > > or vsftp :)
> > >
> > > > -----Original Message-----
> > > > From: IBM Mainframe Discussion List [mailto:[email protected]]
> > > > On Behalf Of Mark Pace
> > > > Sent: Friday, May 09, 2014 1:00 PM
> > > > To: [email protected]
> > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > >
> > > > WOAH, WOAH, WOAH, what the hell? I copied and pasted your FTP.DATA file
> > > > into my FTP.DATA file and now it works.
> > > >
> > > > Now I just have to determine what was different on yours than every
> > > > iteration that I have been through so far.
> > > >
> > > > THANKS, I think. ;)
> > > >
> > > >
> > > > On Fri, May 9, 2014 at 2:28 PM, Gibney, Dave <[email protected]> wrote:
> > > >
> > > > > Well, for what it is worth, I use the following in my userid.FTP.DATA
> > > > > and successfully talk to vsftp with SSL Encryption:
> > > > > TLSRFCLEVEL CCCNONOTIFY ;
> > > > > EPSV4 TRUE
> > > > > TLSMECHANISM FTP
> > > > > SECURE_MECHANISM TLS
> > > > > SECURE_FTP REQUIRED
> > > > > SECURE_CTRLCONN CLEAR
> > > > > SECURE_DATACONN PRIVATE
> > > > > CIPHERSUITE SSL_NULL_MD5 ; 01
> > > > > CIPHERSUITE SSL_NULL_SHA ; 02
> > > > > CIPHERSUITE SSL_RC4_MD5_EX ; 03
> > > > > CIPHERSUITE SSL_RC4_MD5 ; 04
> > > > > CIPHERSUITE SSL_RC4_SHA ; 05
> > > > > CIPHERSUITE SSL_RC2_MD5_EX ; 06
> > > > > CIPHERSUITE SSL_DES_SHA ; 09
> > > > > CIPHERSUITE SSL_3DES_SHA ; 0A
> > > > >
> > > > > KEYRING FTPClientRing
> > > > >
> > > > > My RACF keyring has:
> > > > > Ring:
> > > > >      >FTPClientRing<
> > > > > Certificate Label Name           Cert Owner   USAGE    DEFAULT
> > > > > -------------------------------- ------------ -------- -------
> > > > > Thawte Premium Server CA         CERTAUTH     CERTAUTH NO
> > > > > thawte Primary Root CA           CERTAUTH     CERTAUTH NO
> > > > > Thawte Server CA                 CERTAUTH     CERTAUTH NO
> > > > > Thawte DV SSL CA                 CERTAUTH     CERTAUTH NO
> > > > >
> > > > > I did find it necessary to have the full chain in my keyring.
> > > > >
> > > > > I just use //MVSFTP EXEC PGM=FTP,
> > > > >
> > > > > I don't maintain the Linux server, so I can't quickly get the full
> > > > > vsftp parm deck. I can ask for it.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: IBM Mainframe Discussion List
> > > > > > [mailto:[email protected]] On Behalf Of Mark Pace
> > > > > > Sent: Friday, May 09, 2014 10:58 AM
> > > > > > To: [email protected]
> > > > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > > > >
> > > > > > Sorry, confused, again.
> > > > > >
> > > > > > We currently do userid/password authentication - without SSL.
> > > > > >
> > > > > >
> > > > > > On Fri, May 9, 2014 at 1:42 PM, Gibney, Dave <[email protected]> wrote:
> > > > > >
> > > > > > > Well, if you are doing the SSL server stuff, then the password is
> > > > > > > not flowing in the clear. On the other hand, my interpretation of
> > > > > > > the vsftp parm I sent a few days ago is to NOT do certificate
> > > > > > > based client authentication.
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: IBM Mainframe Discussion List
> > > > > > > > [mailto:[email protected]] On Behalf Of Mark Pace
> > > > > > > > Sent: Friday, May 09, 2014 9:19 AM
> > > > > > > > To: [email protected]
> > > > > > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > > > > > >
> > > > > > > > Oh yes. We've been doing it that way for years.
> > > > > > > >
> > > > > > > > Trying to add the ability to secure the log in process.
> > > > > > > >
> > > > > > > >
> > > > > > > > On Fri, May 9, 2014 at 11:42 AM, Gibney, Dave <[email protected]> wrote:
> > > > > > > >
> > > > > > > > > I haven't used SSL client verification by certificate, so you
> > > > > > > > > are past my knowledge. As an experiment, can you get a working
> > > > > > > > > connection using userid/password authentication?
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: IBM Mainframe Discussion List
> > > > > > > > > > [mailto:[email protected]] On Behalf Of Mark Pace
> > > > > > > > > > Sent: Friday, May 09, 2014 5:47 AM
> > > > > > > > > > To: [email protected]
> > > > > > > > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > > > > > > > >
> > > > > > > > > > I was able to get the Trace to work - after removing the -r
> > > > > > > > > > TLS, that generated an error.
> > > > > > > > > > *EZA2892I Secure port 21 does not allow the -a or -r start
> > > > > > > > > > parameter*
> > > > > > > > > >
> > > > > > > > > > And from that trace it appears, to me, that the FTP server
> > > > > > > > > > is not responding correctly to the z/OS client handshake.
> > > > > > > > > >
> > > > > > > > > > 05/08/2014-16:46:27 Thd-0 INFO send_v3_client_hello(): Sent V3 CLIENT-HELLO message
> > > > > > > > > > 05/08/2014-16:46:27 Thd-0 ASCII send_v3_client_hello(): V3 CLIENT-HELLO message
> > > > > > > > > > 00000000: 0100002b 0301536b ed23cf50 8d72c5f7  *...+..Sk.#.P.r..*
> > > > > > > > > > 00000010: 201c1c84 2fef8ce6 3228c3b3 8de37177  *.../...2(....qw*
> > > > > > > > > > 00000020: a3e6e150 a3c50000 0400ff00 050100    *...P...........*
> > > > > > > > > > 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): Calling write routine for 52 bytes
> > > > > > > > > > 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): 52 bytes written
> > > > > > > > > > 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): Calling read routine for 5 bytes
> > > > > > > > > > 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): 5 bytes received
> > > > > > > > > > 05/08/2014-16:46:27 Thd-0 ERROR gsk_read_v3_record(): Content Type 50 is not supported
> > > > > > > > > > 05/08/2014-16:46:27 Thd-0 ASCII gsk_read_v3_record(): SSL record header
> > > > > > > > > > 00000000: 3232302d 57                           *220-W*
> > > > > > > > > > 05/08/2014-16:46:27 Thd-0 ERROR gsk_secure_socket_init(): SSL V3 client handshake failed with 10.6.0.15[21]
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On Wed, May 7, 2014 at 4:03 PM, Gibney, Dave <[email protected]> wrote:
> > > > > > > > > >
> > > > > > > > > > > Add this to the FTP Client job parms:
> > > > > > > > > > > //   PARM=('ENVAR("GSK_TRACE=0XFFFF","GSK_TRACE_FILE=/tmp/gskwix.trc")',
> > > > > > > > > > > //        '/-r TLS (TRACE EXIT')
> > > > > > > > > > >
> > > > > > > > > > > There is a formatter documented with gsktrace. Should get
> > > > > > > > > > > you to the exact error when you format gskwix.trc
> > > > > > > > > > >
> > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > From: IBM Mainframe Discussion List
> > > > > > > > > > > > [mailto:[email protected]] On Behalf Of Mark Post
> > > > > > > > > > > > Sent: Wednesday, May 07, 2014 12:55 PM
> > > > > > > > > > > > To: [email protected]
> > > > > > > > > > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > > > > > > > > > >
> > > > > > > > > > > > Mark,
> > > > > > > > > > > >
> > > > > > > > > > > > This may be yet another case where running strace or
> > > > > > > > > > > > ltrace on the server side will give you some insight
> > > > > > > > > > > > into what is going on. If you don't want to go
> > > > > > > > > > > > down that road, I would say it's time to open up a PMR
> > > > > > > > > > > > with IBM.
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > Mark Post
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > ----------------------------------------------------------------------
> > > > > > > > > > > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > > > > > > > > > > send email to [email protected] with the message: INFO IBM-MAIN
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > The postings on this site are my own and don’t necessarily
> > > > > > > > > > represent Mainline’s positions or opinions
> > > > > > > > > >
> > > > > > > > > > Mark D Pace
> > > > > > > > > > Senior Systems Engineer
> > > > > > > > > > Mainline Information Systems
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
> >
> >
> >
>
>
--
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions
Mark D Pace
Senior Systems Engineer
Mainline Information Systems
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
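Decoding the gsktrace excerpt quoted in the thread, as an added example (my code, not from the thread or from IBM): the 47-byte dump is the TLS 1.0 ClientHello the z/OS client sent (47 + 5-byte record header = the 52 bytes written), and the 5 bytes it read back are the server's plaintext FTP greeting "220-W", whose first byte 0x32 the trace reports as "Content Type 50 is not supported". The parser below labels a peer's first bytes as a TLS record or a clear-text FTP reply and decodes the ClientHello fields; both sample byte strings are constructed from the hex dumps above.

```python
import re
import struct

# Constructed from the two hex dumps in the gsktrace excerpt above:
# the 47-byte ClientHello handshake the z/OS client sent, and the 5
# bytes it read back, which are the plaintext FTP greeting "220-W".
CLIENT_HELLO_HS = bytes.fromhex(
    "0100002b0301536bed23cf508d72c5f7201c1c842fef8ce63228c3b38de37177"
    "a3e6e150a3c500000400ff00050100")
SERVER_FIRST_BYTES = bytes.fromhex("3232302d57")

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
SUITE_NAMES = {0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
               0x0005: "TLS_RSA_WITH_RC4_128_SHA"}

def classify_first_bytes(data: bytes) -> dict:
    """Is the peer's first record a TLS record or a plaintext FTP reply?"""
    if len(data) < 5:
        return {"kind": "short", "length": len(data)}
    ctype, major, minor = data[0], data[1], data[2]
    if ctype in TLS_CONTENT_TYPES and major == 3:
        return {"kind": "tls_record", "content_type": TLS_CONTENT_TYPES[ctype],
                "version": f"3.{minor}", "length": int.from_bytes(data[3:5], "big")}
    # FTP reply: three-digit code, then ' ' (last line) or '-' (more lines follow)
    m = re.match(rb"(\d{3})([ -])", data)
    if m:
        return {"kind": "ftp_reply", "code": int(m.group(1)),
                "multiline": m.group(2) == b"-", "first_byte": ctype}
    return {"kind": "unknown", "first_byte": ctype}

def parse_client_hello(hs: bytes) -> dict:
    """Decode a ClientHello handshake message (5-byte record header not included)."""
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    if int.from_bytes(hs[1:4], "big") + 4 != len(hs):
        raise ValueError("handshake length does not match data")
    gmt_unix_time = struct.unpack(">I", hs[6:10])[0]   # first 4 bytes of Random
    pos = 38                                            # 4 hdr + 2 version + 32 random
    pos += 1 + hs[pos]                                  # skip session id
    cs_len = int.from_bytes(hs[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(hs[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    compression = list(hs[pos + 1:pos + 1 + hs[pos]])
    return {"version": f"{hs[4]}.{hs[5]}", "gmt_unix_time": gmt_unix_time,
            "suites": [SUITE_NAMES.get(s, f"0x{s:04x}") for s in suites],
            "compression": compression, "record_bytes": len(hs) + 5}
```

The decoded gmt_unix_time (1399581987, i.e. 2014-05-08 20:46:27 UTC) lines up with the 16:46:27 local timestamps in the trace, which is a quick sanity check that the dump really is the client's hello.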
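The thread ends at "No AT-TLS policy matched" without saying why. The check a practitioner would run first is to evaluate the posted TTLSRule against the socket the FTP client actually opens; the added example below (my code, not from the thread or from IBM) does that using the documented AT-TLS selector semantics, which I am assuming here: LocalPortRange filters the local socket port, RemotePortRange the peer's port, and for an outbound client the local port is ephemeral while the peer's is 21. The rule text is copied from pagent_TTLS.conf above; the connection tuple and the RemotePortRange variant are constructed.

```python
import re

# Constructed for this example: the TTLSRule exactly as posted in
# pagent_TTLS.conf above, and a variant that selects on the peer's port.
RULE_AS_POSTED = """
TTLSRule Secure_Ftp_client
{
  LocalPortRange 21
  Direction Outbound
  TTLSGroupActionRef grp_Production
  TTLSEnvironmentActionRef Secure_Ftp_Client_Env
}
"""
RULE_REMOTE_PORT = RULE_AS_POSTED.replace("LocalPortRange", "RemotePortRange")

# Constructed client socket: ephemeral local port, server control port 21.
FTP_CLIENT_CONN = {"direction": "outbound", "local_port": 1040, "remote_port": 21}

def parse_ttls_rules(text: str) -> dict:
    """Minimal reader for TTLSRule blocks: rule name -> {keyword: value}."""
    rules = {}
    for name, body in re.findall(r"TTLSRule\s+(\S+)\s*\{(.*?)\}", text, re.S):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()        # strip comments
            if line:
                key, _, value = line.partition(" ")
                attrs[key] = value.strip()
        rules[name] = attrs
    return rules

def port_in_range(port: int, spec: str) -> bool:
    lo, _, hi = spec.partition("-")                     # "21" or "1024-65535"
    return int(lo) <= port <= int(hi or lo)

def rule_matches(attrs: dict, conn: dict) -> bool:
    """Assumed selector semantics: every selector present must hold."""
    if attrs.get("Direction", "Both").lower() not in ("both", conn["direction"]):
        return False
    if "LocalPortRange" in attrs and not port_in_range(conn["local_port"], attrs["LocalPortRange"]):
        return False
    if "RemotePortRange" in attrs and not port_in_range(conn["remote_port"], attrs["RemotePortRange"]):
        return False
    return True

def first_matching_rule(text: str, conn: dict):
    for name, attrs in parse_ttls_rules(text).items():  # None = no policy matched
        if rule_matches(attrs, conn):
            return name
    return None
```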