Would an SSL trace help here?
Not the same 'type' of connection, I had an issue with inbound
connections to CICS and DB2 that was self inflicted, the AT-TLS add-on
required I failed to order and the connections were using some default.
I was able to find this by performing an SSL trace and providing that
INFO to IBM support.
Carmen 'grasping' :)
On 5/25/2022 8:46 AM, Bob wrote:
I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system
and I don’t know why. I’m sure I am missing something very simple, but I
have spent a lot of time over the last few weeks trying to figure it out
and I cannot. Note that ftp without encryption does work and I have
nothing else using PAGENT or AT-TLS.
I originally started with a configuration created by z/OSMF Network
Configuration Assistant, but after numerous attempts to get it working I
have pared it down to the very minimum configuration below.
I’m not even sure what info to share.
When I try to connect using WinSCP I just get this:
d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2 testmvs
Searching for host...
Network error: Connection to "testmvs" refused.
The server rejected SFTP connection, but it listens for FTP connections.
Did you want to use FTP protocol instead of SFTP? Prefer using encryption.
winscp>
And the WinSCP log doesn’t show much more:
Looking up host "testmvs" for SSH connection
Connecting to 10.80.63.94 port 22
Failed to connect to 10.80.63.94: Network error: Connection refused
And here are the related configuration files.
Here’s the pagent.conf:
LogLevel 511
TcpImage TCPIP FLUSH
TTLSConfig /etc/TTLSConfig.conf FLUSH
And here is the TTLSConfig.conf:
TTLSGroupAction ftp_server_group
{
  TTLSEnabled On
  Trace 30
}
TTLSEnvironmentAction ftp_server_env
{
  HandshakeRole Server
  TTLSCipherParmsRef ftp_server_ciphers
  TTLSKeyringParms
  {
    Keyring mtskeyring
  }
  TTLSEnvironmentAdvancedParms
  {
    ApplicationControlled On
    SecondaryMap On
    TLSv1.2 On
    TLSv1.3 On
  }
}
TTLSCipherParms ftp_server_ciphers
{
  V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_NULL_SHA
}
TTLSRule ftp_server_rule
{
  LocalPortRange 21-22
  Direction Inbound
  TTLSGroupActionRef ftp_server_group
  TTLSEnvironmentActionRef ftp_server_env
}
Here is a ‘netstat ttls group’ command:
MVS TCP/IP NETSTAT CS V2R5       TCPIP Name: TCPIP           13:14:46
TTLSGrpAction                             Group ID           Conns
----------------------------------------  -----------------  -----
ftp_server_group                          00000003               0
Does that Conns=0 mean anything?
Let me know if there is some other info that might help.
Thank you VERY MUCH for any suggestions you can offer.
Bob Lamerand
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
--
/I am not bound to win, but I am bound to be true. I am not bound to
succeed, but I am bound to live by the light that I have. I must stand
with anybody that stands right, and stand with him while he is right,
and part with him when he goes wrong. *Abraham Lincoln*/
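
Added example, not part of the thread and not IBM tooling: a small Python check that reads a TTLSConfig-style policy and flags V3CipherSuites entries that offer no encryption, use 3DES, or rely on static RSA key exchange, as the cipher list posted above does. The parser assumes braces sit on their own lines as in the post; the function names and the constructed sample are hypothetical.

```python
import re

# Constructed sample: the TTLSCipherParms statement quoted in the post.
POLICY = """\
TTLSCipherParms ftp_server_ciphers
{
  V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
  V3CipherSuites TLS_RSA_WITH_NULL_SHA
}
"""

# Suite-name patterns and why each is flagged (general TLS properties).
CHECKS = [
    (re.compile(r"_WITH_NULL_"), "NULL cipher: integrity only, no encryption"),
    (re.compile(r"_3DES_"), "3DES: deprecated 64-bit block cipher"),
    (re.compile(r"^TLS_RSA_"), "static RSA key exchange: no forward secrecy"),
]

def parse_blocks(text):
    """Map (statement, name) -> [(keyword, value), ...] for every { } block.
    Assumes braces sit on their own lines, as in the posted file."""
    blocks, stack, prev = {}, [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "{":
            stack.append(prev)            # the line before "{" names the block
            blocks.setdefault(prev, [])
        elif line == "}" and stack:
            stack.pop()
        else:
            prev = tuple((line.split(None, 1) + [""])[:2])
            if stack:
                blocks[stack[-1]].append(prev)
    return blocks

def audit_ciphers(text):
    """Return (cipher_parms_name, suite, reason) for each flagged suite."""
    findings = []
    for (stmt, name), entries in parse_blocks(text).items():
        for keyword, value in entries if stmt == "TTLSCipherParms" else []:
            if keyword == "V3CipherSuites":
                findings += [(name, s, why) for s in value.split()
                             for rx, why in CHECKS if rx.search(s)]
    return findings

if __name__ == "__main__":
    for name, suite, why in audit_ciphers(POLICY):
        print(f"{name}: {suite}: {why}")
```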