I don’t think you can use PAGENT for port 22 (not 100% sure on that). If
using port 22, configure SSHD.

Did you set the trace parm in PAGENT to 255?   You will get much more info
in SYSLOG by doing that.

On Wed, May 25, 2022 at 10:05 AM Bob <mvs...@gmail.com> wrote:

> That's one I have changed back and forth 21 ... 22 ... 21 .. 22 ... 21
> &22.  The config I started with had 21 in it, but the WinSCP references 22
> so I have been trying both ... without success.  I changed it back to 21
> now. Still fails.
>
> I just added an ftp configuration parameter of FTPLOGGING TRUE and received
> this message:
>
> EZYFS51I ID=FTPD100000 CONN   fails  Reason=3 Text=getpeername failed
>
> Now I'm trying to figure out what that is telling me.
>
> On Wed, May 25, 2022 at 8:46 AM Michael Babcock <bigironp...@gmail.com>
> wrote:
>
> > I can SSH into z/OS USS but I don’t use pagent for port 22.  You should
> > configure SSHD for that.   Remove port 22 from PAGENT.
> >
> > On Wed, May 25, 2022 at 8:46 AM Bob <mvs...@gmail.com> wrote:
> >
> > > I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system
> > > and I don’t know why. I’m sure I am missing something very simple, but I
> > > have spent a lot of time over the last few weeks trying to figure it out
> > > and I cannot.  Note that ftp without encryption does work and I have
> > > nothing else using PAGENT or AT-TLS.
> > >
> > > I originally started with a configuration created by z/OSMF Network
> > > Configuration Assistant, but after numerous attempts to get it working I
> > > have pared it down to the very minimum configuration below.
> > >
> > > I’m not even sure what info to share.
> > >
> > >
> > >
> > > When I try to connect using WinSCP I just get this:
> > >
> > >
> > >
> > > d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2 testmvs
> > > Searching for host...
> > > Network error: Connection to "testmvs" refused.
> > > The server rejected SFTP connection, but it listens for FTP connections.
> > > Did you want to use FTP protocol instead of SFTP? Prefer using encryption.
> > > winscp>
> > >
> > >
> > >
> > > And the WinSCP log doesn’t show much more:
> > >
> > >
> > >
> > > Looking up host "testmvs" for SSH connection
> > > Connecting to 10.80.63.94 port 22
> > > Failed to connect to 10.80.63.94: Network error: Connection refused
> > >
> > >
> > >
> > > And here are the related configuration files.
> > >
> > >
> > >
> > > Here’s the pagent.conf:
> > >
> > >
> > >
> > > LogLevel   511
> > > TcpImage   TCPIP FLUSH
> > > TTLSConfig /etc/TTLSConfig.conf FLUSH
> > >
> > >
> > >
> > > And here is the TTLSConfig.conf:
> > >
> > >
> > >
> > > TTLSGroupAction       ftp_server_group
> > > {
> > >    TTLSEnabled On
> > >    Trace 30
> > > }
> > > TTLSEnvironmentAction ftp_server_env
> > > {
> > >    HandshakeRole      Server
> > >    TTLSCipherParmsRef ftp_server_ciphers
> > >    TTLSKeyringParms
> > >    {
> > >       Keyring mtskeyring
> > >    }
> > >    TTLSEnvironmentAdvancedParms
> > >    {
> > >       ApplicationControlled On
> > >       SecondaryMap          On
> > >       TLSv1.2               On
> > >       TLSv1.3               On
> > >    }
> > > }
> > > TTLSCipherParms       ftp_server_ciphers
> > > {
> > >    V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
> > >    V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
> > >    V3CipherSuites TLS_RSA_WITH_NULL_SHA
> > > }
> > > TTLSRule              ftp_server_rule
> > > {
> > >    LocalPortRange           21-22
> > >    Direction                Inbound
> > >    TTLSGroupActionRef       ftp_server_group
> > >    TTLSEnvironmentActionRef ftp_server_env
> > > }
> > >
> > >
> > >
> > > Here is a ‘netstat ttls group’ command:
> > >
> > >
> > >
> > > MVS TCP/IP NETSTAT CS V2R5       TCPIP Name: TCPIP           13:14:46
> > > TTLSGrpAction                             Group ID           Conns
> > > ----------------------------------------  -----------------  -----
> > > ftp_server_group                          00000003               0
> > >
> > >
> > >
> > > Does that Conns=0 mean anything?
> > >
> > >
> > >
> > > Let me know if there is some other info that might help.
> > >
> > >
> > >
> > > Thank you VERY MUCH for any  suggestions you can offer.
> > >
> > >
> > >
> > > Bob Lamerand
> > >
> > > ----------------------------------------------------------------------
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> > >
> > --
> > Michael Babcock
> > OneMain Financial
> > z/OS Systems Programmer, Lead
-- 
Michael Babcock
OneMain Financial
z/OS Systems Programmer, Lead
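
Added example, not written by anyone in this thread and not IBM code: a small Python review of the TTLSConfig.conf statements quoted above, flagging the cipher suites that give no or weak confidentiality, a TLSv1.3 setting with no TLS 1.3 suite listed, and a rule range that covers the SSH port the reply says to leave to SSHD. The function name and finding codes are this example's own, and the sample is a constructed subset of the quoted policy.

```python
import re

# Constructed sample: a subset of the TTLSConfig.conf statements quoted in
# the thread, with the mail quoting and blank lines removed.
SAMPLE_POLICY = """\
TTLSEnvironmentAction ftp_server_env
{
   HandshakeRole      Server
   TTLSEnvironmentAdvancedParms
   {
      TLSv1.2               On
      TLSv1.3               On
   }
}
TTLSCipherParms       ftp_server_ciphers
{
   V3CipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
   V3CipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
   V3CipherSuites TLS_RSA_WITH_NULL_SHA
}
TTLSRule              ftp_server_rule
{
   LocalPortRange           21-22
}
"""

# TLS 1.3 suite names carry no key-exchange part (e.g. TLS_AES_256_GCM_SHA384).
TLS13_SUITES = re.compile(r"^TLS_(AES|CHACHA20)_")

def review_policy(text):
    """Return (code, detail) findings; the codes are this example's own names."""
    pairs = [ln.split(None, 1) for ln in text.splitlines() if len(ln.split()) >= 2]
    findings = []
    suites = [v.strip() for k, v in pairs if k == "V3CipherSuites"]
    for s in suites:
        if "_NULL_" in s:
            findings.append(("NULL_CIPHER", s))    # integrity only, data sent in clear
        elif "_3DES_" in s:
            findings.append(("LEGACY_CIPHER", s))  # 64-bit block cipher
    tls13_on = any(k == "TLSv1.3" and v.strip().lower() == "on" for k, v in pairs)
    if tls13_on and not any(TLS13_SUITES.match(s) for s in suites):
        findings.append(("TLS13_NO_SUITE", "TLSv1.3 On without a TLS 1.3 suite"))
    for k, v in pairs:
        if k == "LocalPortRange":
            lo, _, hi = v.strip().partition("-")
            if int(lo) <= 22 <= int(hi or lo):     # SSH is not TLS; SSHD owns port 22
                findings.append(("SSH_PORT_IN_RULE", v.strip()))
    return findings
```

Calling `review_policy(SAMPLE_POLICY)` returns four findings for the quoted policy: the 3DES suite, the NULL suite, the missing TLS 1.3 suite and the 21-22 port range.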
