So, changing my rule to RemotePortRange did allow the AT-TLS negotiation to succeed, And now I get the same error as you do.
I am very new to AT-TLS with PAGENT. We have been using FTPS for many years, but I always had to turn it (in userid.FTP.DATA) for Shopz. KEYRING *AUTH*/* is new to me, not sure is was there in z/OS 1.7 when I first did SSL. > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:[email protected]] > On Behalf Of Donald J. > Sent: Friday, March 11, 2016 10:13 AM > To: [email protected] > Subject: Re: (External):Re: IBM secure z/OS software delivery: Don't get > locked > out! > > He is using TLSMECHANISM ATTLS. Yours uses TLSMECHANISM FTP (non- > Pagent). > He is getting the error because he has no PAGENT TTLSRule for Outbound Port > 21. > Suggest you turn on DEBUG ALL in your FTP.DATA file while debugging. > > It is working ok for me with TLSMECHANISM FTP. > I tried with ATTLS, but am getting a server error on the BINARY FTP > SUBCOMMAND. > Still looking in to that, but it is questionable if their FTPS server works > with > PAGENT ATTLS. > Can't imagine why they would install a server incompatible with PAGENT > though. > > >>> TYPE I > SC3261 getReply: entered > SC4327 getNextReply: entered with waitForData = TRUE > Connection with dispby-117.boulder.ibm.com terminated > SC4445 SETCEC code = 10 > CZ1434 ftpClose: entered > SC4067 inSession: entered > SC4145 setLoggedIn: entered > CT0282 binary: getReply failed. > PC1047 logClientErrMsg: entered > PC0945 setClientRC: entered > SC4019 getLastReply: entered > PC1015 setClientRC: std_rc=06000, rc_type=CEE, rc=1006 > SRECTIV3 FTP failed - Cmd = 6(binary) Reply = n/a EX CEE RC = 1006 > SC4019 getLastReply: entered > CX0389 main: RC=-0001 cmd_in_progress=06 > CX0392 main: last_reply= err=10 > PC0945 setClientRC: entered > SC4019 getLastReply: entered > Std Return Code = 06000, Error Code = 00010 > CZ1354 ftpQuit: entered > CZ1434 ftpClose: entered > > Their server also seems to require use of the CCC subcommand to clear the > command channel. > So if you are using SECURE_CTRLCONN PRIVATE instead of SECURE_CTRLCONN > CLEAR, > it might cause a problem also. There is a client parameter setting > ftpccc="no" > to make the server > quit using CCC, but that seems to cause a problem also. > > Use of KEYRING *AUTH*/* should be sufficient for the FTPS portion of the > job. > > The server web site also uses root certificate "GeoTrust Global CA" which has > its share of > issues also. See: > https://urldefense.proofpoint.com/v2/url?u=http- > 3A__security.stackexchange.com_questions_53231_google-2Dcertificates- > 2Dcorrect-2Dca_53271- > 2353271&d=CwIFaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8LdrrvxQb- > Je7sw&r=u9g8rUevBoyCPAdo5sWE9w&m=aamFb_mypnk4GycjqtSii-YrY-c2- > IzeE0M17VgSPbY&s=Txk6MDp8o81j54Ojmpo1aZbHaoJxUawo1NHCS1JgDO0&e > = > Openssl s_client reports the server cert chain to be: > Certificate chain > 0 s:/C=US/ST=New York/L=Armonk/O=INTERNATIONAL BUSINESS MACHINES > CORPORATION/CN=deliverycb-bld.dhe.ibm.com > i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3 > 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3 > i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA > 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA > i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority > 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority > i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority > > -- > Donald J. > [email protected] > > On Thu, Mar 10, 2016, at 06:45 AM, Jousma, David wrote: > > I had to come up with some alternate FTP client parms to make it work. > Possibly the one you are getting stuck on is this. Change FtpSecur to your > keyring name. this member happens to live in our SYS1.TCPPARMS dataset, but > the member can be anywhere, just gotta point to wherever it lives in your > RECEIVE ORDER job. > > //CLIENT DD * > > <CLIENT > > javahome="/opt/fitb/java/Jre" classpath="/usr/lpp/smp/classes"> > > <FTPOPTIONS> > > -v -f "//'SYS1.TCPPARMS(FTPSECUR)'" > > </FTPOPTIONS> > > </CLIENT> > > /* > > > > EDIT SYS1.TCPPARMS(FTPSECUR) - 01.01 Columns > > 00001 > 00080 . > > Command ===> > > Scroll ===> CSR . > > 000642 ;CIPHERSUITE SSL_AES_256_SHA ; 35 > > . > > 000643 > > . > > 000644 KEYRING FtpSecur ; Name of the keyring for TLS > > . > > 000645 ; It can be the name of an HFS > > . > > 000646 ; file (name starts with /) or > > . > > 000647 ; a resource name in the > > security . > > 000648 ; product (e.g., RACF) > > . > > > > > _________________________________________________________________ > > Dave Jousma > > Assistant Vice President, Mainframe Engineering [email protected] > > 1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H p 616.653.8429 f > > 616.653.2717 > > > > -----Original Message----- > > From: IBM Mainframe Discussion List [mailto:[email protected]] > > On Behalf Of Gibney, David Allen > > Sent: Wednesday, March 09, 2016 7:47 PM > > To: [email protected] > > Subject: Re: (External):Re: IBM secure z/OS software delivery: Don't get > > locked > out! > > > > Repeating the earlier msg. > > Ok, so I am trying to use ATTLS for FTPS.. My RECEIVEORDER log goes: > > > /bin/ftp -e deliverycb-bld.dhe.ibm.com > > > > Using 'GIBNEY.FTP.DATA' for local site configuration parameters. > > Using //'TCPIP.STANDARD.TCPXLBIN' for FTP translation tables for the control > con > > nection. > > Using //'TCPIP.STANDARD.TCPXLBIN' for FTP translation tables for the data > connec > > tion. > > IBM FTP CS V1R13 > > FTP: using TCPIP > > FTP: EXIT has been set. > > Using catalog '/usr/lib/nls/msg/C/ftpdmsg.cat' for FTP messages. > > Connecting to: dispby-117.boulder.ibm.com 170.225.15.117 port: 21. > > 220-IBM's internal systems must only be used for conducting IBM's > > 220-business or for purposes authorized by IBM management. > > 220- > > 220-Use is subject to audit at any time by IBM management. > > 220- > > 220 dhebpcb01 secure FTP server ready. > > 15:19:59(000005BD.4) FC0255 ftpAuth: security values: mech=TLS, > tlsmech=ATTLS, s > > FTP=A, sCC=C, sDC=P > > 15:19:59(000005BD.4) FC2704 ftpAuthAttls: No AT-TLS policy matched > connection > > Authentication negotiation failed > > NAME (deliverycb-bld.dhe.ibm.com:GIBNEY): > > > > > S042242j > > >>> USER S042242j > > > > The Geotrust cert is in my keyring: > > RACDCERT ID(GIBNEY) listRING(FTPClientRing) > > > > Digital ring information for user GIBNEY: > > > > Ring: > > >FTPClientRing< > > Certificate Label Name Cert Owner USAGE DEFAULT > > -------------------------------- ------------ -------- ------- > > > > GeoTrust Global CA CERTAUTH CERTAUTH NO > > > > > -----Original Message----- > > > From: IBM Mainframe Discussion List > > > [mailto:[email protected]] On Behalf Of Jesse 1 Robinson > > > Sent: Wednesday, March 09, 2016 4:38 PM > > > To: [email protected] > > > Subject: Re: (External):Re: IBM secure z/OS software delivery: Don't > > > get locked out! > > > > > > > > > > > > . > > > . > > > . > > > J.O.Skip Robinson > > > Southern California Edison Company > > > Electric Dragon Team Paddler > > > SHARE MVS Program Co-Manager > > > 323-715-0595 Mobile > > > 626-302-7535 Office > > > [email protected] > > > > > > > > > -----Original Message----- > > > From: IBM Mainframe Discussion List > > > [mailto:[email protected]] On Behalf Of Gibney, David Allen > > > Sent: Wednesday, March 09, 2016 2:46 PM > > > To: [email protected] > > > Subject: (External):Re: IBM secure z/OS software delivery: Don't get > > > locked > out! > > > > > > AS noted in my reply a day or so ago, I am successfully submitting > > > the RECIEVEORDER securely (at least I think I am, it fails when the > > > certificate > > > expires:)) But, then when it fires up FTPS to retrieve the package, > > > the TLS (or AT- > > > TLS) handshake fails. > > > > > > > -----Original Message----- > > > > From: IBM Mainframe Discussion List > > > > [mailto:[email protected]] On Behalf Of Kurt Quackenbush > > > > Sent: Wednesday, March 09, 2016 2:38 PM > > > > To: [email protected] > > > > Subject: Re: IBM secure z/OS software delivery: Don't get locked out! > > > > > > > > > ... I'm only mildly concerned about the keyring name, as we use > > > > > a totally different name associated with SMP/E, not with Java. > > > > > That keyring works fine today. > > > > > > > > If you're already downloading securely, then you can continue to > > > > use your same keyring. My example in the article was simply that, > > > > an example, which uses the default Java truststore instead of a > > > > security manager > > > (RACF) keyring: > > > > > > > > <CLIENT > > > > downloadmethod=”https” > > > > downloadkeyring=”javatruststore” > > > > javahome="/usr/lpp/java/J6.0" > > > > > > > > > </CLIENT> > > > > > > > > I call this the "Fast Path" because for someone that is not > > > > already downloading securely, then using HTTPS with the Java > > > > truststore is the quickest and simplest choice because you don't > > > > need to mess around with keyrings or a security manager product at all. > > > > > > > > If anyone is interested, more details can be found here: > > > > https://urldefense.proofpoint.com/v2/url?u=http- > > > > 3A__www.ibm.com_support_knowledgecenter_SSLTBW- > > > > > > > > 5F2.2.0_com.ibm.zos.v2r1.gim3000_dsetups.htm&d=CwIDaQ&c=C3yme8gMkx > > > > g_ihJNXS06ZyWk4EJm8LdrrvxQb- > > > > > > > > Je7sw&r=u9g8rUevBoyCPAdo5sWE9w&m=vkv4CpLe_hygd7rNmto_QCrcBflG_Y > > > > A6s0g2dvojUTE&s=K3EXMlACn-O47e9WLTyXIE2I_lbl- > 1mZlh3MS3oFSGo&e= > > > > > > > > Kurt Quackenbush -- IBM, SMP/E Development > > > > > > > > ------------------------------------------------------------------ > > > > -- > > > > -- For IBM-MAIN subscribe / signoff / archive access instructions, > > > > send email to [email protected] with the message: INFO > > > > IBM-MAIN > > > > > > -------------------------------------------------------------------- > > > -- For IBM-MAIN subscribe / signoff / archive access instructions, > > > send email to [email protected] with the message: INFO > > > IBM-MAIN > > > > > > -------------------------------------------------------------------- > > > -- For IBM-MAIN subscribe / signoff / archive access instructions, > > > send email to [email protected] with the message: INFO > > > IBM-MAIN > > > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, send > > email to [email protected] with the message: INFO IBM-MAIN > > > > This e-mail transmission contains information that is confidential and may > > be > privileged. It is intended only for the addressee(s) named above. If you > receive > this e-mail in error, please do not read, copy or disseminate it in any > manner. If > you are not the intended recipient, any disclosure, copying, distribution or > use of > the contents of this information is prohibited. Please reply to the message > immediately by informing the sender that the message was misdirected. After > replying, please erase it from your computer system. Your assistance in > correcting this error is appreciated. > > > > > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, send > > email to [email protected] with the message: INFO IBM-MAIN > > -- > https://urldefense.proofpoint.com/v2/url?u=http- > 3A__www.fastmail.com&d=CwIFaQ&c=C3yme8gMkxg_ihJNXS06ZyWk4EJm8Ld > rrvxQb-Je7sw&r=u9g8rUevBoyCPAdo5sWE9w&m=aamFb_mypnk4GycjqtSii-YrY- > c2-IzeE0M17VgSPbY&s=xI6HFtbdhRVBZtt689xiCPVc6KzFJ0kpq0tP9k5SOrY&e= - > Access all of your messages and folders > wherever you are > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, send email to > [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
