So I do, thanks. > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:[email protected]] > On Behalf Of Donald J. > Sent: Friday, March 11, 2016 12:32 PM > To: [email protected] > Subject: Re: (External):Re: IBM secure z/OS software delivery: Don't get > locked > out! > > You need RemotePortRangeRef for port 21. > Port 21 is remote. > > -- > Donald J. > [email protected] > > On Fri, Mar 11, 2016, at 12:21 PM, Gibney, David Allen wrote: > > Actually, I do: > > TTLSRule ftp_client1 > > { > > LocalPortRange 21 > > Direction Outbound > > TTLSGroupActionRef ftp_grp_act > > TTLSEnvironmentActionRef ftp_client_env_act > > } > > TTLSGroupAction ftp_grp_act > > { > > TTLSEnabled On > > Trace 7 > > GroupUserInstance 1 > > } > > TTLSEnvironmentAction ftp_client_env_act > > { > > HandshakeRole Client > > TTLSKeyringParms > > { > > Keyring FTPClientRing > > } > > TTLSEnvironmentAdvancedParms > > { > > ApplicationControlled On > > SecondaryMap On > > } > > EnvironmentUserInstance 1 > > } > > > > I'll have debug all in my next run. > > > > > -----Original Message----- > > > From: IBM Mainframe Discussion List > > > [mailto:[email protected]] On Behalf Of Donald J. > > > Sent: Friday, March 11, 2016 10:13 AM > > > To: [email protected] > > > Subject: Re: (External):Re: IBM secure z/OS software delivery: Don't > > > get locked out! > > > > > > He is using TLSMECHANISM ATTLS. Yours uses TLSMECHANISM FTP (non- > > > Pagent). > > > He is getting the error because he has no PAGENT TTLSRule for > > > Outbound Port 21. > > > Suggest you turn on DEBUG ALL in your FTP.DATA file while debugging. > > > > > > It is working ok for me with TLSMECHANISM FTP. > > > I tried with ATTLS, but am getting a server error on the BINARY FTP > > > SUBCOMMAND. > > > Still looking in to that, but it is questionable if their FTPS > > > server works with PAGENT ATTLS. > > > Can't imagine why they would install a server incompatible with > > > PAGENT though. > > > > > > >>> TYPE I > > > SC3261 getReply: entered > > > SC4327 getNextReply: entered with waitForData = TRUE Connection with > > > dispby-117.boulder.ibm.com terminated > > > SC4445 SETCEC code = 10 > > > CZ1434 ftpClose: entered > > > SC4067 inSession: entered > > > SC4145 setLoggedIn: entered > > > CT0282 binary: getReply failed. > > > PC1047 logClientErrMsg: entered > > > PC0945 setClientRC: entered > > > SC4019 getLastReply: entered > > > PC1015 setClientRC: std_rc=06000, rc_type=CEE, rc=1006 > > > SRECTIV3 FTP failed - Cmd = 6(binary) Reply = n/a EX CEE RC = 1006 > > > SC4019 getLastReply: entered > > > CX0389 main: RC=-0001 cmd_in_progress=06 > > > CX0392 main: last_reply= err=10 > > > PC0945 setClientRC: entered > > > SC4019 getLastReply: entered > > > Std Return Code = 06000, Error Code = 00010 > > > CZ1354 ftpQuit: entered > > > CZ1434 ftpClose: entered > > > > > > Their server also seems to require use of the CCC subcommand to > > > clear the command channel. > > > So if you are using SECURE_CTRLCONN PRIVATE instead of > > > SECURE_CTRLCONN CLEAR, > > > it might cause a problem also. There is a client parameter setting > ftpccc="no" > > > to make the server > > > quit using CCC, but that seems to cause a problem also. > > > > > > Use of KEYRING *AUTH*/* should be sufficient for the FTPS portion of the > job. > > > > > > The server web site also uses root certificate "GeoTrust Global CA" > > > which has its share of > > > issues also. See: > > > https://urldefense.proofpoint.com/v2/url?u=http- > > > 3A__security.stackexchange.com_questions_53231_google-2Dcertificates > > > - > > > 2Dcorrect-2Dca_53271- > > > 2353271&d=CwIFaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb- > > > Je7sw&r=u9g8rUevBoyCPAdo5sWE9w&m=aamFb_mypnk4GycjqtSii-YrY-c2- > > > > IzeE0M17VgSPbY&s=Txk6MDp8o81j54Ojmpo1aZbHaoJxUawo1NHCS1JgDO0&e > > > = > > > Openssl s_client reports the server cert chain to be: > > > Certificate chain > > > 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS > MACHINES > > > CORPORATION/CN=deliverycb-bld.dhe.ibm.com > > > i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3 > > > 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3 > > > i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA > > > 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA > > > i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority > > > 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority > > > i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority > > > > > > -- > > > Donald J. > > > [email protected] > > > > > > On Thu, Mar 10, 2016, at 06:45 AM, Jousma, David wrote: > > > > I had to come up with some alternate FTP client parms to make it work. > > > Possibly the one you are getting stuck on is this. Change FtpSecur to > > > your > > > keyring name. this member happens to live in our SYS1.TCPPARMS dataset, > but > > > the member can be anywhere, just gotta point to wherever it lives in > > > your RECEIVE ORDER job. > > > > //CLIENT DD * > > > > <CLIENT > > > > javahome="/opt/fitb/java/Jre" classpath="/usr/lpp/smp/classes"> > > > > <FTPOPTIONS> > > > > -v -f "//'SYS1.TCPPARMS(FTPSECUR)'" > > > > </FTPOPTIONS> > > > > </CLIENT> > > > > /* > > > > > > > > EDIT SYS1.TCPPARMS(FTPSECUR) - 01.01 > > > > Columns 00001 > > > 00080 . > > > > Command ===> > > > > Scroll ===> CSR . > > > > 000642 ;CIPHERSUITE SSL_AES_256_SHA ; 35 > > > > . > > > > 000643 > > > > . > > > > 000644 KEYRING FtpSecur ; Name of the keyring for > > > > TLS . > > > > 000645 ; It can be the name of an > > > > HFS . > > > > 000646 ; file (name starts with /) > > > > or . > > > > 000647 ; a resource name in the > > > > security . > > > > 000648 ; product (e.g., RACF) > > > > . > > > > > > > > > > > > _________________________________________________________________ > > > > Dave Jousma > > > > Assistant Vice President, Mainframe Engineering > > > > [email protected] > > > > 1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H p 616.653.8429 > > > > f > > > > 616.653.2717 > > > > > > > > -----Original Message----- > > > > From: IBM Mainframe Discussion List > > > > [mailto:[email protected]] On Behalf Of Gibney, David Allen > > > > Sent: Wednesday, March 09, 2016 7:47 PM > > > > To: [email protected] > > > > Subject: Re: (External):Re: IBM secure z/OS software delivery: > > > > Don't get locked > > > out! > > > > > > > > Repeating the earlier msg. > > > > Ok, so I am trying to use ATTLS for FTPS.. My RECEIVEORDER log goes: > > > > > /bin/ftp -e deliverycb-bld.dhe.ibm.com > > > > > > > > Using 'GIBNEY.FTP.DATA' for local site configuration parameters. > > > > Using //'TCPIP.STANDARD.TCPXLBIN' for FTP translation tables for > > > > the control > > > con > > > > nection. > > > > Using //'TCPIP.STANDARD.TCPXLBIN' for FTP translation tables for > > > > the data > > > connec > > > > tion. > > > > IBM FTP CS V1R13 > > > > FTP: using TCPIP > > > > FTP: EXIT has been set. > > > > Using catalog '/usr/lib/nls/msg/C/ftpdmsg.cat' for FTP messages. > > > > Connecting to: dispby-117.boulder.ibm.com 170.225.15.117 port: 21. > > > > 220-IBM's internal systems must only be used for conducting IBM's > > > > 220-business or for purposes authorized by IBM management. > > > > 220- > > > > 220-Use is subject to audit at any time by IBM management. > > > > 220- > > > > 220 dhebpcb01 secure FTP server ready. > > > > 15:19:59(000005BD.4) FC0255 ftpAuth: security values: mech=TLS, > > > tlsmech=ATTLS, s > > > > FTP=A, sCC=C, sDC=P > > > > 15:19:59(000005BD.4) FC2704 ftpAuthAttls: No AT-TLS policy matched > > > connection > > > > Authentication negotiation failed > > > > NAME (deliverycb-bld.dhe.ibm.com:GIBNEY): > > > > > > > > > S042242j > > > > >>> USER S042242j > > > > > > > > The Geotrust cert is in my keyring: > > > > RACDCERT ID(GIBNEY) listRING(FTPClientRing) > > > > > > > > Digital ring information for user GIBNEY: > > > > > > > > Ring: > > > > >FTPClientRing< > > > > Certificate Label Name Cert Owner USAGE DEFAULT > > > > -------------------------------- ------------ -------- ------- > > > > > > > > GeoTrust Global CA CERTAUTH CERTAUTH NO > > > > > > > > > -----Original Message----- > > > > > From: IBM Mainframe Discussion List > > > > > [mailto:[email protected]] On Behalf Of Jesse 1 Robinson > > > > > Sent: Wednesday, March 09, 2016 4:38 PM > > > > > To: [email protected] > > > > > Subject: Re: (External):Re: IBM secure z/OS software delivery: > > > > > Don't get locked out! > > > > > > > > > > > > > > > > > > > > . > > > > > . > > > > > . > > > > > J.O.Skip Robinson > > > > > Southern California Edison Company Electric Dragon Team Paddler > > > > > SHARE MVS Program Co-Manager > > > > > 323-715-0595 Mobile > > > > > 626-302-7535 Office > > > > > [email protected] > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: IBM Mainframe Discussion List > > > > > [mailto:[email protected]] On Behalf Of Gibney, David > > > > > Allen > > > > > Sent: Wednesday, March 09, 2016 2:46 PM > > > > > To: [email protected] > > > > > Subject: (External):Re: IBM secure z/OS software delivery: Don't > > > > > get locked > > > out! > > > > > > > > > > AS noted in my reply a day or so ago, I am successfully > > > > > submitting the RECIEVEORDER securely (at least I think I am, it > > > > > fails when the certificate > > > > > expires:)) But, then when it fires up FTPS to retrieve the > > > > > package, the TLS (or AT- > > > > > TLS) handshake fails. > > > > > > > > > > > -----Original Message----- > > > > > > From: IBM Mainframe Discussion List > > > > > > [mailto:[email protected]] On Behalf Of Kurt > > > > > > Quackenbush > > > > > > Sent: Wednesday, March 09, 2016 2:38 PM > > > > > > To: [email protected] > > > > > > Subject: Re: IBM secure z/OS software delivery: Don't get locked > > > > > > out! > > > > > > > > > > > > > ... I'm only mildly concerned about the keyring name, as we > > > > > > > use a totally different name associated with SMP/E, not with Java. > > > > > > > That keyring works fine today. > > > > > > > > > > > > If you're already downloading securely, then you can continue > > > > > > to use your same keyring. My example in the article was > > > > > > simply that, an example, which uses the default Java > > > > > > truststore instead of a security manager > > > > > (RACF) keyring: > > > > > > > > > > > > <CLIENT > > > > > > downloadmethod=”https” > > > > > > downloadkeyring=”javatruststore” > > > > > > javahome="/usr/lpp/java/J6.0" > > > > > > > > > > > > > </CLIENT> > > > > > > > > > > > > I call this the "Fast Path" because for someone that is not > > > > > > already downloading securely, then using HTTPS with the Java > > > > > > truststore is the quickest and simplest choice because you > > > > > > don't need to mess around with keyrings or a security manager > > > > > > product > at all. > > > > > > > > > > > > If anyone is interested, more details can be found here: > > > > > > https://urldefense.proofpoint.com/v2/url?u=http- > > > > > > 3A__www.ibm.com_support_knowledgecenter_SSLTBW- > > > > > > > > > > > > > > > 5F2.2.0_com.ibm.zos.v2r1.gim3000_dsetups.htm&d=CwIDaQ&c=C3yme8gMkx > > > > > > g_ihJNXS06ZyWk4EJm8LdrrvxQb- > > > > > > > > > > > > > > > Je7sw&r=u9g8rUevBoyCPAdo5sWE9w&m=vkv4CpLe_hygd7rNmto_QCrcBflG_Y > > > > > > A6s0g2dvojUTE&s=K3EXMlACn-O47e9WLTyXIE2I_lbl- > > > 1mZlh3MS3oFSGo&e= > > > > > > > > > > > > Kurt Quackenbush -- IBM, SMP/E Development > > > > > > > > > > > > -------------------------------------------------------------- > > > > > > ---- > > > > > > -- > > > > > > -- For IBM-MAIN subscribe / signoff / archive access > > > > > > instructions, send email to [email protected] with the > > > > > > message: INFO IBM-MAIN > > > > > > > > > > ---------------------------------------------------------------- > > > > > ---- > > > > > -- For IBM-MAIN subscribe / signoff / archive access > > > > > instructions, send email to [email protected] with the > > > > > message: INFO IBM-MAIN > > > > > > > > > > ---------------------------------------------------------------- > > > > > ---- > > > > > -- For IBM-MAIN subscribe / signoff / archive access > > > > > instructions, send email to [email protected] with the > > > > > message: INFO IBM-MAIN > > > > > > > > ------------------------------------------------------------------ > > > > ---- For IBM-MAIN subscribe / signoff / archive access > > > > instructions, send email to [email protected] with the > > > > message: INFO IBM-MAIN > > > > > > > > This e-mail transmission contains information that is confidential > > > > and may be > > > privileged. It is intended only for the addressee(s) named above. If you > receive > > > this e-mail in error, please do not read, copy or disseminate it in > > > any manner. If you are not the intended recipient, any disclosure, > > > copying, distribution or use of the contents of this information is > > > prohibited. Please reply to the message immediately by informing the > > > sender that the message was misdirected. After replying, please > > > erase it from your computer system. Your assistance in correcting this > > > error > is appreciated. > > > > > > > > > > > > ------------------------------------------------------------------ > > > > ---- For IBM-MAIN subscribe / signoff / archive access > > > > instructions, send email to [email protected] with the > > > > message: INFO IBM-MAIN > > > > > > -- > > > https://urldefense.proofpoint.com/v2/url?u=http- > > > > 3A__www.fastmail.com&d=CwIFaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8Ld > > > rrvxQb-Je7sw&r=u9g8rUevBoyCPAdo5sWE9w&m=aamFb_mypnk4GycjqtSii- > YrY- > > > c2- > IzeE0M17VgSPbY&s=xI6HFtbdhRVBZtt689xiCPVc6KzFJ0kpq0tP9k5SOrY&e= > > > - Access all of your messages and folders > > > wherever you are > > > > > > -------------------------------------------------------------------- > > > -- For IBM-MAIN subscribe / signoff / archive access instructions, > > > send email to [email protected] with the message: INFO > > > IBM-MAIN > > > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, send > > email to [email protected] with the message: INFO IBM-MAIN > > -- > https://urldefense.proofpoint.com/v2/url?u=http- > 3A__www.fastmail.com&d=CwIFaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8Ld > rrvxQb-Je7sw&r=u9g8rUevBoyCPAdo5sWE9w&m=jY2HvnCDdDK- > OcAePOjvydiIVVIDqZlPClE5OUjMhcg&s=4P7QVDlisTdTo0kuXqqEiCUaT1i_XrW7A > 5_3EkySuY0&e= - A no graphics, no pop-ups email service > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, send email to > [email protected] with the message: INFO IBM-MAIN
---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
