Hi Steve. I've found the SSL trace information written into a USS file to be somewhat easier to use. You can turn on GSK_TRACE flags and specify a trace file using STDENV similar to the example below IF you specify the PARM=('ENVAR("_CEE_ENVFILE_S=DD:STDENV") (the _S is crucial or the DD * input won't work):
//FTPS EXEC PGM=FTP,REGION=4M, // PARM=('ENVAR("_CEE_ENVFILE_S=DD:STDENV")/ftp.linuxsite.com 21 -e') //STDENV DD * GSK_PROTOCOL_TLSV1_2=ON GSK_TRACE=0xFFFF GSK_TRACE_FILE=/tmp/gskfile.trc //* //SYSFTPD DD *,SYMBOLS=(JCLONLY) CLIENTERRCODES EXTENDED EPSV4 TRUE EXTENSIONS AUTH_TLS FWFRIENDLY TRUE KEYRING &KEYOWNR/&KEYRING PASSIVEIGNOREADDR TRUE SECUREIMPLICITZOS FALSE SECURE_FTP REQUIRED SECURE_MECHANISM TLS SECURE_DATACONN PRIVATE SECURE_CTRLCONN PRIVATE SECURE_HOSTNAME REQUIRED TLSMECHANISM FTP TLSRFCLEVEL RFC4217 //* TRACE //* DEBUG SEC //* You can also add other debugging or trace options to SYSFTPD //OUTPUT DD SYSOUT=* //INPUT DD *,SYMBOLS=(JCLONLY) ftpuid ftppwd etc QUIT //* The above step doesn't require AT-TLS changes or changes to your FTPDATA datasets, but I don't think the changes you've alreayd made there will prevent you from specifying the GSK options via STDENV. With the GSK_TRACE flags set, the SSL information will be written to the file you specify in GSK_TRACE_FILE. There is a USS utility named gsktrace that you will need to read the trace file and interpret it into something you can read. The format is gsktrace > gskfile.trc > gsk.out The gsktrace output will be pretty detailed, but you can usually find an error of some kind. These manuals, especially the first one, will probably help: SC14-7495-30 Cryptographic Services System Secure Sockets Layer Programming SC27-3651-30 IP Configuration Reference GC27-3652-30 IP Diagnosis Guide Wendell ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN