That's one I have changed back and forth 21 ... 22 ... 21 ... 22 ... 21
& 22.  The config I started with had 21 in it, but the WinSCP references 22
so I have been trying both ... without success.  I changed it back to 21
now. Still fails.

I just added an ftp configuration parameter of FTPLOGGING TRUE and received
this message:

EZYFS51I ID=FTPD100000 CONN   fails  Reason=3 Text=getpeername failed

Now I'm trying to figure out what that is telling me.

On Wed, May 25, 2022 at 8:46 AM Michael Babcock <bigironp...@gmail.com>
wrote:

> I can SSH into z/OS USS but I don’t use pagent for port 22.  You should
> configure SSHD for that.   Remove port 22 from PAGENT.
>
> On Wed, May 25, 2022 at 8:46 AM Bob <mvs...@gmail.com> wrote:
>
> > I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system and
> > I don’t know why. I’m sure I am missing something very simple, but I have
> > spent a lot of time over the last few weeks trying to figure it out and I
> > cannot.  Note that ftp without encryption does work and I have nothing else
> > using PAGENT or AT-TLS.
> >
> >
> >
> > I originally started with a configuration created by z/OSMF Network
> > Configuration Assistant, but after numerous attempts to get it working I
> > have pared it down to the very minimum configuration below.
> >
> >
> >
> > I’m not even sure what info to share.
> >
> >
> >
> > When I try to connect using WinSCP I just get this:
> >
> >
> >
> > d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2 testmvs
> >
> > Searching for host...
> >
> > Network error: Connection to "testmvs" refused.
> >
> > The server rejected SFTP connection, but it listens for FTP connections.
> >
> > Did you want to use FTP protocol instead of SFTP? Prefer using encryption.
> >
> > winscp>
> >
> >
> >
> > And the WinSCP log doesn’t show much more:
> >
> >
> >
> > Looking up host "testmvs" for SSH connection
> >
> > Connecting to 10.80.63.94 port 22
> >
> > Failed to connect to 10.80.63.94: Network error: Connection refused
> >
> >
> >
> > And here are the related configuration files.
> >
> >
> >
> > Here’s the pagent.conf:
> >
> >
> >
> > LogLevel   511
> > TcpImage   TCPIP FLUSH
> > TTLSConfig /etc/TTLSConfig.conf FLUSH
> >
> >
> >
> > And here is the TTLSConfig.conf:
> >
> >
> >
> > TTLSGroupAction       ftp_server_group
> > {
> >    TTLSEnabled On
> >    Trace 30
> > }
> > TTLSEnvironmentAction ftp_server_env
> > {
> >    HandshakeRole      Server
> >    TTLSCipherParmsRef ftp_server_ciphers
> >    TTLSKeyringParms
> >    {
> >       Keyring mtskeyring
> >    }
> >    TTLSEnvironmentAdvancedParms
> >    {
> >       ApplicationControlled On
> >       SecondaryMap          On
> >       TLSv1.2               On
> >       TLSv1.3               On
> >    }
> > }
> > TTLSCipherParms       ftp_server_ciphers
> > {
> >    V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
> >    V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
> >    V3CipherSuites TLS_RSA_WITH_NULL_SHA
> > }
> > TTLSRule              ftp_server_rule
> > {
> >    LocalPortRange           21-22
> >    Direction                Inbound
> >    TTLSGroupActionRef       ftp_server_group
> >    TTLSEnvironmentActionRef ftp_server_env
> > }
> >
> >
> >
> > Here is a ‘netstat ttls group’ command:
> >
> >
> >
> > MVS TCP/IP NETSTAT CS V2R5       TCPIP Name: TCPIP           13:14:46
> > TTLSGrpAction                             Group ID           Conns
> > ----------------------------------------  -----------------  -----
> > ftp_server_group                          00000003               0
> >
> >
> >
> > Does that Conns=0 mean anything?
> >
> >
> >
> > Let me know if there is some other info that might help.
> >
> >
> >
> > Thank you VERY MUCH for any  suggestions you can offer.
> >
> >
> >
> > Bob Lamerand
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
> --
> Michael Babcock
> OneMain Financial
> z/OS Systems Programmer, Lead
>
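
The following Python check is an added example, not part of the thread and not IBM tooling: it parses the policy statements quoted above and reports a TTLSRule whose LocalPortRange covers port 22 (the change Michael recommends) along with NULL and 3DES cipher suites. It assumes the brace-block layout shown in the post and `#` comments; `SSH_PORT`, `parse_blocks` and `audit` are names made up for this example.

```python
# Constructed sample: two statements from the TTLSConfig.conf quoted in the thread.
SAMPLE_POLICY = """
TTLSCipherParms       ftp_server_ciphers
{
   V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
   V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
   V3CipherSuites TLS_RSA_WITH_NULL_SHA
}
TTLSRule              ftp_server_rule
{
   LocalPortRange           21-22
   Direction                Inbound
   TTLSGroupActionRef       ftp_server_group
   TTLSEnvironmentActionRef ftp_server_env
}
"""
SSH_PORT = 22  # assumption: SSHD uses its default port

def parse_blocks(text):
    """Map (statement, name) -> flat list of (keyword, value) pairs inside its braces."""
    blocks, header, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if line == "{":
            depth += 1
        elif line == "}":
            depth -= 1
        elif line:
            key, *rest = line.split(None, 1)
            value = rest[0].strip() if rest else ""
            if depth == 0:
                header = (key, value)
                blocks[header] = []
            else:
                blocks[header].append((key, value))
    return blocks

def audit(text):
    """Return findings for port ranges that cover SSH and for weak cipher suites."""
    findings = []
    for (kind, name), stmts in parse_blocks(text).items():
        for key, value in stmts:
            if kind == "TTLSRule" and key == "LocalPortRange":
                ports = [int(p) for p in value.replace("-", " ").split()]
                if ports[0] <= SSH_PORT <= ports[-1]:
                    findings.append(f"{name}: LocalPortRange {value} covers port {SSH_PORT}")
            # NULL suites do not encrypt; 3DES is a legacy 64-bit block cipher.
            elif key == "V3CipherSuites" and ("_NULL_" in value or "3DES" in value):
                findings.append(f"{name}: weak cipher suite {value}")
    return findings
```

Run `audit()` on the text of the policy file before refreshing PAGENT; an empty list means none of these three conditions was found.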
