One thing I just noticed as I was documenting this. I had changed my ftp server from using the GoDaddy assigned certificate to a self-signed certificate. I had sent a copy of the .pem file to z/OS and added it to my keyring as a Site certificate. That is what worked.

So I went back to the GoDaddy certificate on the server, and I still have what I thought was a good Certauth from GoDaddy on my key ring, and now my error is:

    FC1003 authServer: secure_socket_init failed with rc = 417 (Self-signed certificate cannot be validated)

So now I need to figure out how to get the Certauth working, as I don't really want to have to send my self-signed out. Something to ponder next week.

On Fri, May 9, 2014 at 4:09 PM, Gibney, Dave <gib...@wsu.edu> wrote:
> On looking at it, I think the
>     TLSRFCLEVEL CCCNONOTIFY ;
> and/or the
>     EPSV4 TRUE
> are newish (in that they were what I had to put in to make it work the last time it broke :) It tends to break when maintenance is put on Linux or vsftp :)
>
> > -----Original Message-----
> > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
> > Sent: Friday, May 09, 2014 1:00 PM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Re: z/OS FTPS Client & Linux FTP server
> >
> > WOAH, WOAH, WOAH, what the hell? I copied and pasted your FTP.DATA file into my FTP.DATA file and now it works.
> >
> > Now I just have to determine what was different on yours from every iteration that I have been through so far.
> >
> > THANKS, I think. ;)
> >
> > On Fri, May 9, 2014 at 2:28 PM, Gibney, Dave <gib...@wsu.edu> wrote:
> > > Well, for what it is worth, I use the following in my userid.FTP.DATA and successfully talk to vsftp with SSL encryption:
> > >
> > >     TLSRFCLEVEL CCCNONOTIFY ;
> > >     EPSV4 TRUE
> > >     TLSMECHANISM FTP
> > >     SECURE_MECHANISM TLS
> > >     SECURE_FTP REQUIRED
> > >     SECURE_CTRLCONN CLEAR
> > >     SECURE_DATACONN PRIVATE
> > >     CIPHERSUITE SSL_NULL_MD5 ; 01
> > >     CIPHERSUITE SSL_NULL_SHA ; 02
> > >     CIPHERSUITE SSL_RC4_MD5_EX ; 03
> > >     CIPHERSUITE SSL_RC4_MD5 ; 04
> > >     CIPHERSUITE SSL_RC4_SHA ; 05
> > >     CIPHERSUITE SSL_RC2_MD5_EX ; 06
> > >     CIPHERSUITE SSL_DES_SHA ; 09
> > >     CIPHERSUITE SSL_3DES_SHA ; 0A
> > >
> > >     KEYRING FTPClientRing
> > >
> > > My RACF keyring has:
> > >
> > >     Ring:
> > >          >FTPClientRing<
> > >     Certificate Label Name           Cert Owner   USAGE    DEFAULT
> > >     -------------------------------- ------------ -------- -------
> > >     Thawte Premium Server CA         CERTAUTH     CERTAUTH NO
> > >     thawte Primary Root CA           CERTAUTH     CERTAUTH NO
> > >     Thawte Server CA                 CERTAUTH     CERTAUTH NO
> > >     Thawte DV SSL CA                 CERTAUTH     CERTAUTH NO
> > >
> > > I did find it necessary to have the full chain in my keyring.
> > >
> > > I just use //MVSFTP EXEC PGM=FTP,
> > >
> > > I don't maintain the Linux server, so I can't quickly get the full vsftp parm deck. I can ask for it.
> > >
> > > > -----Original Message-----
> > > > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
> > > > Sent: Friday, May 09, 2014 10:58 AM
> > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > >
> > > > Sorry, confused, again.
> > > >
> > > > We currently do userid/password authentication - without SSL.
> > > >
> > > > On Fri, May 9, 2014 at 1:42 PM, Gibney, Dave <gib...@wsu.edu> wrote:
> > > > > Well, if you are doing the SSL server stuff, then the password is not flowing in the clear. On the other hand, my interpretation of the vsftp parm I sent a few days ago is to NOT do certificate based client authentication.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
> > > > > > Sent: Friday, May 09, 2014 9:19 AM
> > > > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > > > >
> > > > > > Oh yes. We've been doing it that way for years.
> > > > > >
> > > > > > Trying to add the ability to secure the log in process.
> > > > > >
> > > > > > On Fri, May 9, 2014 at 11:42 AM, Gibney, Dave <gib...@wsu.edu> wrote:
> > > > > > > I haven't used SSL client verification by certificate, so you are past my knowledge. As an experiment, can you get a working connection using userid/password authentication?
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
> > > > > > > > Sent: Friday, May 09, 2014 5:47 AM
> > > > > > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > > > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > > > > > >
> > > > > > > > I was able to get the Trace to work - after removing the -r TLS, that generated an error.
> > > > > > > >
> > > > > > > >     *EZA2892I Secure port 21 does not allow the -a or -r start parameter*
> > > > > > > >
> > > > > > > > And from that trace it appears, to me, that the FTP server is not responding correctly to the z/OS client handshake.
> > > > > > > >
> > > > > > > >     05/08/2014-16:46:27 Thd-0 INFO send_v3_client_hello(): Sent V3 CLIENT-HELLO message
> > > > > > > >     05/08/2014-16:46:27 Thd-0 ASCII send_v3_client_hello(): V3 CLIENT-HELLO message
> > > > > > > >     00000000: 0100002b 0301536b ed23cf50 8d72c5f7  *...+..Sk.#.P.r..*
> > > > > > > >     00000010: 201c1c84 2fef8ce6 3228c3b3 8de37177  * .../...2(....qw*
> > > > > > > >     00000020: a3e6e150 a3c50000 0400ff00 050100    *...P...........*
> > > > > > > >     05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): Calling write routine for 52 bytes
> > > > > > > >     05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): 52 bytes written
> > > > > > > >     05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): Calling read routine for 5 bytes
> > > > > > > >     05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): 5 bytes received
> > > > > > > >     05/08/2014-16:46:27 Thd-0 ERROR gsk_read_v3_record(): Content Type 50 is not supported
> > > > > > > >     05/08/2014-16:46:27 Thd-0 ASCII gsk_read_v3_record(): SSL record header
> > > > > > > >     00000000: 3232302d 57                           *220-W*
> > > > > > > >     05/08/2014-16:46:27 Thd-0 ERROR gsk_secure_socket_init(): SSL V3 client handshake failed with 10.6.0.15[21]
> > > > > > > >
> > > > > > > > On Wed, May 7, 2014 at 4:03 PM, Gibney, Dave <gib...@wsu.edu> wrote:
> > > > > > > > > Add this to the FTP Client job parms:
> > > > > > > > >
> > > > > > > > >     //  PARM=('ENVAR("GSK_TRACE=0XFFFF","GSK_TRACE_FILE=/tmp/gskwix.trc")',
> > > > > > > > >     //  '/-r TLS (TRACE EXIT')
> > > > > > > > >
> > > > > > > > > There is a formatter documented with gsktrace. Should get you to the exact error when you format gskwix.trc.
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Post
> > > > > > > > > > Sent: Wednesday, May 07, 2014 12:55 PM
> > > > > > > > > > To: IBM-MAIN@LISTSERV.UA.EDU
> > > > > > > > > > Subject: Re: z/OS FTPS Client & Linux FTP server
> > > > > > > > > >
> > > > > > > > > > Mark,
> > > > > > > > > >
> > > > > > > > > > This may be yet another case where running strace or ltrace on the server side will give you some insight into what is going on. If you don't want to go down that road, I would say it's time to open up a PMR with IBM.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Mark Post

--
The postings on this site are my own and don’t necessarily represent Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
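The GSK trace in Mark's May 9 5:47 AM message already contains the diagnosis, and it is worth spelling out because the same symptom appears whenever an implicit-TLS client meets an explicit-TLS server. gsk_read_v3_record() read 5 bytes and rejected content type 50: TLS record types run from 20 to 23, while 50 is 0x32, ASCII '2', and the dump of those bytes reads 220-W, the start of vsftpd's plaintext greeting. So the server was speaking plain FTP and waiting for AUTH TLS (explicit FTPS, RFC 4217), while the z/OS client, treating port 21 as a secure port (the EZA2892I message), put a ClientHello on the wire before reading anything. Dave's FTP.DATA (TLSMECHANISM FTP, SECURE_MECHANISM TLS) selects explicit TLS, which is why copying it worked; which statement made port 21 a secure port in Mark's original FTP.DATA is not shown in the thread (on z/OS that is normally the TLSPORT statement, an assumption here). The decoder below is an added example, not code from the thread or from IBM: the hex is copied from the trace, and the function names, verdict strings and suite-name table are this example's own.

```python
# Decoder for the two dumps in the GSK trace above (added example, not code from the thread
# or from IBM). The hex is copied from the trace; names and verdict strings are this example's own.

# 47-byte ClientHello handshake message dumped under send_v3_client_hello(); the 5-byte
# record header in front of it is not dumped, hence "52 bytes written"
CLIENT_HELLO_HEX = ("0100002b 0301536b ed23cf50 8d72c5f7 "
                    "201c1c84 2fef8ce6 3228c3b3 8de37177 "
                    "a3e6e150 a3c50000 0400ff00 050100")

# The 5 bytes gsk_read_v3_record() received where it expected a TLS record header
PEER_HEAD_HEX = "3232302d 57"

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# IANA cipher suite ids seen in the hello; z/OS GSK's two-digit CIPHERSUITE codes are the low byte
CIPHER_SUITES = {0x0005: "SSL_RSA_WITH_RC4_128_SHA (GSK 05)",
                 0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"}


def unhex(dump):
    return bytes.fromhex(dump.replace(" ", ""))


def parse_client_hello(msg):
    """Parse an SSLv3/TLS ClientHello handshake message (record header already stripped)."""
    if msg[0] != 0x01:
        raise ValueError("handshake type %d is not ClientHello" % msg[0])
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello: want %d bytes, have %d" % (length, len(body)))
    version = (body[0], body[1])              # (3, 1) is TLS 1.0
    sid_len = body[34]                        # the 32-byte client random occupies body[2:34]
    off = 35 + sid_len
    cs_len = int.from_bytes(body[off:off + 2], "big")
    off += 2
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(off, off + cs_len, 2)]
    off += cs_len
    compression = list(body[off + 1:off + 1 + body[off]])
    return {"version": version, "cipher_suites": suites,
            "cipher_names": [CIPHER_SUITES.get(s, "0x%04x" % s) for s in suites],
            "compression": compression}


def classify_peer_bytes(head):
    """Say what the first 5 bytes from the peer are: a TLS record header, an FTP reply, or junk."""
    ctype = head[0]
    if ctype in TLS_CONTENT_TYPES:
        length = int.from_bytes(head[3:5], "big")
        return "tls %s record, version %d.%d, %d bytes" % (TLS_CONTENT_TYPES[ctype], head[1], head[2], length)
    text = head.decode("ascii", "replace")
    # An FTP reply opens with a three-digit code and a space, or '-' for a multi-line reply
    if len(text) >= 4 and text[:3].isdigit() and text[3] in " -":
        return ("plaintext FTP reply %s: the server is waiting for AUTH TLS (explicit TLS) "
                "but this client sent a ClientHello first (implicit TLS)" % text[:3])
    return "content type %d is neither TLS nor FTP" % ctype


def explain_trace():
    hello = parse_client_hello(unhex(CLIENT_HELLO_HEX))
    return {"client_version": hello["version"],
            "client_offered": hello["cipher_names"],
            "peer_sent": classify_peer_bytes(unhex(PEER_HEAD_HEX))}


if __name__ == "__main__":
    for key, value in explain_trace().items():
        print("%-15s %s" % (key, value))
```

Running it reports that the client offered TLS 1.0 with a single real suite (0x0005, RC4 with SHA) plus the renegotiation SCSV, and that the reply was a 220 FTP response rather than a TLS record. Applying classify_peer_bytes() to the first 5 bytes of any failed handshake separates a protocol mismatch (a banner or other plaintext) from a real TLS failure (an alert record, content type 21) before anyone starts changing certificates.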
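The FTP.DATA Dave posted fixes the handshake, but the CIPHERSUITE list in it deserves a second look: the two-digit codes after the ';' are z/OS System SSL's cipher numbers, and 01 through 09 are NULL (no encryption), 40-bit export, RC4 and single-DES suites; only 0A (3DES) was respectable in 2014, and it no longer is. The audit below is an added example, not code from the thread or from IBM. FTPDATA is a constructed copy of Dave's statements; the example assumes that GSK's two-digit codes are the low byte of the IANA cipher suite id (true for the eight on the page) and that the AES statements are spelled SSL_AES_128_SHA and SSL_AES_256_SHA (codes 2F and 35). It also flags TLSRFCLEVEL CCCNONOTIFY, which sends CCC after login so the control connection returns to cleartext (commands and file names are then visible on the wire; the password is not, since it went over TLS), and checks that a KEYRING is named. What it cannot check is the cause of the rc 417 in the final message: System SSL returns 417 when it walks the server's chain up to a self-signed certificate that is not connected to the ring as a trusted CERTAUTH entry, so the issuer chain the server actually sends has to match the CERTAUTH labels on the ring, which is the "full chain" point Dave made.

```python
# Audit of the TLS statements in a z/OS FTP client FTP.DATA (added example, not from the thread).
# FTPDATA is a constructed copy of the statements Dave posted. GSK_SUITES assumes the GSK
# two-digit code is the low byte of the IANA suite id; the two AES statement names are assumed too.

FTPDATA = """\
TLSRFCLEVEL CCCNONOTIFY ;
EPSV4 TRUE
TLSMECHANISM FTP
SECURE_MECHANISM TLS
SECURE_FTP REQUIRED
SECURE_CTRLCONN CLEAR
SECURE_DATACONN PRIVATE
CIPHERSUITE SSL_NULL_MD5 ; 01
CIPHERSUITE SSL_NULL_SHA ; 02
CIPHERSUITE SSL_RC4_MD5_EX ; 03
CIPHERSUITE SSL_RC4_MD5 ; 04
CIPHERSUITE SSL_RC4_SHA ; 05
CIPHERSUITE SSL_RC2_MD5_EX ; 06
CIPHERSUITE SSL_DES_SHA ; 09
CIPHERSUITE SSL_3DES_SHA ; 0A
KEYRING FTPClientRing
"""

# FTP.DATA CIPHERSUITE name -> (GSK two-digit code, IANA suite name)
GSK_SUITES = {
    "SSL_NULL_MD5": (0x01, "SSL_RSA_WITH_NULL_MD5"),
    "SSL_NULL_SHA": (0x02, "SSL_RSA_WITH_NULL_SHA"),
    "SSL_RC4_MD5_EX": (0x03, "SSL_RSA_EXPORT_WITH_RC4_40_MD5"),
    "SSL_RC4_MD5": (0x04, "SSL_RSA_WITH_RC4_128_MD5"),
    "SSL_RC4_SHA": (0x05, "SSL_RSA_WITH_RC4_128_SHA"),
    "SSL_RC2_MD5_EX": (0x06, "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5"),
    "SSL_DES_SHA": (0x09, "SSL_RSA_WITH_DES_CBC_SHA"),
    "SSL_3DES_SHA": (0x0A, "SSL_RSA_WITH_3DES_EDE_CBC_SHA"),
    "SSL_AES_128_SHA": (0x2F, "TLS_RSA_WITH_AES_128_CBC_SHA"),  # assumed statement names
    "SSL_AES_256_SHA": (0x35, "TLS_RSA_WITH_AES_256_CBC_SHA"),
}

# Substrings of the IANA name that disqualify a suite, checked in this order
WEAK_MARKERS = (("NULL", "no encryption at all"), ("EXPORT", "40-bit export key"),
                ("RC4", "RC4 keystream biases"), ("_DES_", "56-bit DES key"),
                ("3DES", "64-bit block cipher (Sweet32)"), ("MD5", "MD5-based MAC"))

def parse_ftpdata(text):
    """Return (KEYWORD, value) pairs; a ';' starts a comment in FTP.DATA."""
    stmts = []
    for raw in text.splitlines():
        parts = raw.split(";", 1)[0].split(None, 1)
        if parts:
            stmts.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return stmts

def weak_reason(name):
    """Why a CIPHERSUITE statement should go, or None if it may stay."""
    _, iana = GSK_SUITES.get(name, (None, name))
    return next((why for marker, why in WEAK_MARKERS if marker in iana.upper()), None)

def audit(text):
    stmts = parse_ftpdata(text)
    cfg = {k: v for k, v in stmts if k != "CIPHERSUITE"}
    opt = lambda k: cfg.get(k, "").upper()
    suites = [v for k, v in stmts if k == "CIPHERSUITE"]
    findings = []
    if opt("SECURE_MECHANISM") != "TLS" or opt("TLSMECHANISM") != "FTP":
        findings.append("explicit TLS (AUTH TLS on the FTP port) is not selected")
    if opt("SECURE_FTP") != "REQUIRED":
        findings.append("SECURE_FTP is not REQUIRED: a cleartext login is still possible")
    if opt("TLSRFCLEVEL").startswith("CCC"):
        findings.append("CCC is sent after login: the control connection returns to cleartext "
                        "(commands and file names visible; the password is not)")
    if opt("SECURE_DATACONN") != "PRIVATE":
        findings.append("SECURE_DATACONN is not PRIVATE: file contents cross the wire unencrypted")
    if "KEYRING" not in cfg:
        findings.append("no KEYRING: the server certificate chain cannot be validated")
    weak = [(s, GSK_SUITES.get(s, (None,))[0], weak_reason(s)) for s in suites if weak_reason(s)]
    if weak:
        findings.append("%d of %d CIPHERSUITE statements are weak" % (len(weak), len(suites)))
    if suites and len(weak) == len(suites):
        findings.append("no acceptable suite left; add SSL_AES_256_SHA / SSL_AES_128_SHA")
    return {"config": cfg, "weak_suites": weak, "findings": findings}

def harden(text):
    """Same file with the weak CIPHERSUITE statements removed and AES ones appended."""
    kept = []
    for raw in text.splitlines():
        parts = raw.split(";", 1)[0].split()
        if len(parts) == 2 and parts[0].upper() == "CIPHERSUITE" and weak_reason(parts[1]):
            continue
        kept.append(raw)
    kept += ["CIPHERSUITE SSL_AES_256_SHA ; 35", "CIPHERSUITE SSL_AES_128_SHA ; 2F"]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    for finding in audit(FTPDATA)["findings"]:
        print("-", finding)
    print(harden(FTPDATA))
```

audit() on Dave's file reports the CCC fallback and that all eight suites are weak; harden() returns the same file with those statements removed and the two AES ones appended. Check the AES statement names against your release's FTP.DATA documentation before using the output, since they are assumed here, and confirm the vsftpd side still has a suite in common with the new list.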