Ed,

Does the root CA certificate on the bottom of the server chain have the "Trust" attribute set (or in a trusted location)?
Is it presenting its server chain properly? OPENSSL is your friend here. It's free to download. Use "openssl s_client -connect 192.168.10.193:21 -showcerts"

Harry

Call me if you want (718) 403-6703. I'm a friend of Tim Gregerson

________________________________
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> on behalf of Ed Jaffe <edja...@phoenixsoftware.com>
Sent: Thursday, December 29, 2022 6:00 PM
To: IBM-MAIN@LISTSERV.UA.EDU <IBM-MAIN@LISTSERV.UA.EDU>
Subject: z/OS FTP Server Cert Trouble

TCPIP/TLS Cert Mavens,

We have FTPS via AT-TLS working great from z/OS FTP clients to IBM secure FTP servers and to our secure public FTP server outside the firewall.

We have a wildcard certificate for our servers inside the firewall, but have so far been unable to establish working FTPS connections from z/OS FTP clients to the server.

The cert is on both the client's keyring and the server's keyring -- as are the two other CERTAUTH certs in the chain.

A return code '6' is 'Keylabel Not Found' but doesn't mention which label it is looking for. How do we trace/discover that?

Also what do the three long numbers after "Initial handshake" mean? We can't find that documented.

Apologies for posting system log format. I suspect many of you log your syslogd messages elsewhere...

IEF403I FTPSDIRL - STARTED - TIME=14.16.07
BPXF024I (OMVS) Dec 29 14:16:07 mvs60 TTLS[33751922]: 14:16:07 TCPIP 247 EZD1281I TTLS Map CONNID: 00021556 LOCAL: 192.168.10.193..38789 REMOTE: 192.168.10.193..21 JOBNAME: FTPSDIRL USERID: EDJXADM TYPE: OutBound STATUS: Appl Control RULE: PSI_FTP-Client~1 ACTIONS: gAct1 eAct1~FTP_Clients cAct1~FTP_Clients ..
BPXF024I (OMVS) Dec 29 14:16:07 mvs60 TTLS[33751922]: 14:16:07 TCPIP 248 EZD1281I TTLS Map CONNID: 00021557 LOCAL: ::FFFF:192.168.10.193..2 1 REMOTE: ::FFFF:192.168.10.193..38789 JOBNAME: FTPD1 USERID: TCPIP TYPE: InBound STATUS: Appl Control RULE: PSI_FTP-Server~2 ACTIONS: gAct1 eAct2~FTP_Server cAct2~FTP_Server ..
EZD1287I TTLS Error RC: 6 Initial Handshake 249 LOCAL: ::FFFF:192.168.10.193..21 REMOTE: ::FFFF:192.168.10.193..38789 JOBNAME: FTPD1 RULE: PSI_FTP-Server~2 USERID: TCPIP GRPID: 0000000A ENVID: 00000010 CONNID: 00021557
EZD1287I TTLS Error RC: 438 Initial Handshake 250 LOCAL: 192.168.10.193..38789 REMOTE: 192.168.10.193..21 JOBNAME: FTPSDIRL RULE: PSI_FTP-Client~1 USERID: EDJXADM GRPID: 0000000A ENVID: 0000000F CONNID: 00021556
BPXF024I (OMVS) Dec 29 14:16:07 mvs60 TTLS[33751922]: 14:16:07 TCPIP 251 EZD1283I TTLS Event GRPID: 0000000A ENVID: 00000010 CONNID: 00021557 RC: 6 Initial Handshake 0000000000000000 0000005279A22390 0000000000000000 ..
BPXF024I (OMVS) Dec 29 14:16:07 mvs60 TTLS[33751922]: 14:16:07 TCPIP 252 EZD1286I TTLS Error GRPID: 0000000A ENVID: 00000010 CONNID: 00021557 LOCAL: ::FFFF:192.168.10.193..21 REMOTE: ::FFFF:192.168.10.19 3..38789 JOBNAME: FTPD1 USERID: TCPIP RULE: PSI_FTP-Server~2 RC: 6 Initial Handshake 0000000000000000 0000005279A22390 0000000000000000 ..
BPXF024I (OMVS) Dec 29 14:16:07 mvs60 TTLS[33751922]: 14:16:07 TCPIP 253 EZD1286I TTLS Error GRPID: 0000000A ENVID: 00000010 CONNID: 00021557 LOCAL: ::FFFF:192.168.10.193..21 REMOTE: ::FFFF:192.168.10.19 3..38789 JOBNAME: FTPD1 USERID: TCPIP RULE: PSI_FTP-Server~2 RC: 6 Initial Handshake 0000000000000000 0000005279A22390 0000000000000000 ..
BPXF024I (OMVS) Dec 29 14:16:07 mvs60 TTLS[33751922]: 14:16:07 TCPIP 254 EZD1283I TTLS Event GRPID: 0000000A ENVID: 0000000F CONNID: 00021556 RC: 438 Initial Handshake 0000000000000000 0000005279A22F90 0000000000000000 ..
BPXF024I (OMVS) Dec 29 14:16:07 mvs60 TTLS[33751922]: 14:16:07 TCPIP 255 EZD1286I TTLS Error GRPID: 0000000A ENVID: 0000000F CONNID: 00021556 LOCAL: 192.168.10.193..38789 REMOTE: 192.168.10.193..21 JOBNAME: FTPSDIRL USERID: EDJXADM RULE: PSI_FTP-Client~1 RC: 438 Initial Handshake 0000000000000000 0000005279A22F90 0000000000000000 ..
BPXF024I (OMVS) Dec 29 14:16:07 mvs60 TTLS[33751922]: 14:16:07 TCPIP 256 EZD1286I TTLS Error GRPID: 0000000A ENVID: 0000000F CONNID: 00021556 LOCAL: 192.168.10.193..38789 REMOTE: 192.168.10.193..21 JOBNAME: FTPSDIRL USERID: EDJXADM RULE: PSI_FTP-Client~1 RC: 438 Initial Handshake 0000000000000000 0000005279A22F90 0000000000000000 ..
BPXF024I (OMVS) Dec 29 14:16:07 mvs60 ftps[197497]: EZYFT96I TLS 257 handshake failed ..
BPXF024I (OMVS) Dec 29 14:16:07 mvs60 ftps[197497]: EZYFT96I TLS 258 handshake failed ..

Thanks,

--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
https://www.phoenixsoftware.com/

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
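An added example, not part of the original thread: a short Python script that groups the AT-TLS messages quoted above by CONNID, so the direction, job, rule and policy actions recorded in the EZD1281I map message sit next to the RC reported for the same connection. The function names are made up for this example, and the sample log is four messages copied from the post.

```python
import re
from collections import defaultdict

# Four AT-TLS messages copied from the post, one per line, as posted
# (including the syslog wrap inside "..2 1").
SAMPLE_LOG = """\
BPXF024I (OMVS) Dec 29 14:16:07 mvs60 TTLS[33751922]: 14:16:07 TCPIP 247 EZD1281I TTLS Map CONNID: 00021556 LOCAL: 192.168.10.193..38789 REMOTE: 192.168.10.193..21 JOBNAME: FTPSDIRL USERID: EDJXADM TYPE: OutBound STATUS: Appl Control RULE: PSI_FTP-Client~1 ACTIONS: gAct1 eAct1~FTP_Clients cAct1~FTP_Clients ..
BPXF024I (OMVS) Dec 29 14:16:07 mvs60 TTLS[33751922]: 14:16:07 TCPIP 248 EZD1281I TTLS Map CONNID: 00021557 LOCAL: ::FFFF:192.168.10.193..2 1 REMOTE: ::FFFF:192.168.10.193..38789 JOBNAME: FTPD1 USERID: TCPIP TYPE: InBound STATUS: Appl Control RULE: PSI_FTP-Server~2 ACTIONS: gAct1 eAct2~FTP_Server cAct2~FTP_Server ..
EZD1287I TTLS Error RC: 6 Initial Handshake 249 LOCAL: ::FFFF:192.168.10.193..21 REMOTE: ::FFFF:192.168.10.193..38789 JOBNAME: FTPD1 RULE: PSI_FTP-Server~2 USERID: TCPIP GRPID: 0000000A ENVID: 00000010 CONNID: 00021557
EZD1287I TTLS Error RC: 438 Initial Handshake 250 LOCAL: 192.168.10.193..38789 REMOTE: 192.168.10.193..21 JOBNAME: FTPSDIRL RULE: PSI_FTP-Client~1 USERID: EDJXADM GRPID: 0000000A ENVID: 0000000F CONNID: 00021556
"""

# One message runs from its EZD12xxI id up to the next id (or end of input).
MSG = re.compile(r"(EZD12\d\dI) (.*?)(?=EZD12\d\dI |\Z)", re.S)
# Single-token "KEY: value" fields that identify a connection and its outcome.
FIELD = re.compile(r"\b(CONNID|JOBNAME|USERID|TYPE|RULE|ENVID|RC): +(\S+)")
# Policy action names follow ACTIONS: up to the ".." end marker or end of line.
ACTIONS = re.compile(r"ACTIONS: +([^\n.]+)")


def correlate(log):
    """Merge every message that carries a CONNID into one record per connection."""
    conns = defaultdict(dict)
    for msg in MSG.finditer(log):
        body = msg.group(2)
        fields = dict(FIELD.findall(body))
        acts = ACTIONS.search(body)
        if acts:
            fields["ACTIONS"] = acts.group(1).split()
        if "CONNID" in fields:
            conns[fields.pop("CONNID")].update(fields)
    return dict(conns)


def reporting(conns, rc):
    """Return (CONNID, TYPE, JOBNAME, RULE) for each connection that logged this RC."""
    return [(cid, c.get("TYPE"), c.get("JOBNAME"), c.get("RULE"))
            for cid, c in sorted(conns.items()) if c.get("RC") == rc]


if __name__ == "__main__":
    for cid, rec in sorted(correlate(SAMPLE_LOG).items()):
        print(cid, rec)
    # RC 6 is the code the post describes as 'Keylabel Not Found'.
    print("RC 6 reported by:", reporting(correlate(SAMPLE_LOG), "6"))
```

On the posted log this pairs RC 6 with the InBound connection of FTPD1 under rule PSI_FTP-Server~2, and RC 438 with the OutBound connection of FTPSDIRL under rule PSI_FTP-Client~1.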