Progress??
Took me a little while to note the obvious error in this rule, supplied
sample.
TTLSRule                  Secure_Ftp_client

{
 LocalPortRange           21
 Direction                Outbound

Local port may be anything - it's the remote port that I care about.

So change to RemotePortRange 21

Much different, though still bad, results.  At least now it uses the rule.

From the output
EZA1554I Connecting to:   10.6.0.10 port: 21.
SC4253 getNextReply: recv() failed - EDC8121I Connection reset. (errno2=0x76650446)
EZA2590E recv error from getNextReply - EDC8121I Connection reset. (errno2=0x76650446)
EZA1475I Connection with 10.6.0.10 terminated
CZ1434 ftpClose: entered

From the console
IEF403I MPFTP - STARTED - TIME=12.52.56
BPXF024I (TCPSTC) May 12 16:52:56 TTLS 67108902 : 12:52:56 TCPIP 275
EZD1286I TTLS Error GRPID: 0000000A ENVID: 00000004 CONNID: 00000000 LOCAL: **N/A** REMOTE: **N/A** JOBNAME: **N/A** USERID: MARPACE RULE: **N/A**  RC:    7 Environment Init 00000000
BPXF024I (TCPSTC) May 12 16:52:56 TTLS 67108902 : 12:52:56 TCPIP 276
EZD1286I TTLS Error GRPID: 0000000A ENVID: 00000004 CONNID: 00007703 LOCAL: 10.6.0.17..1052 REMOTE: 10.6.0.10..21 JOBNAME: MPFTP USERID: MARPACE RULE: Secure_Ftp_client  RC: 5006 Initial Handshake 00000000 00000000
IEF404I MPFTP - ENDED - TIME=12.52.56





On Mon, May 12, 2014 at 9:33 AM, Mark Pace <pacemainl...@gmail.com> wrote:

> I'm trying to make the AT-TLS stuff work, but I'm just as confused by this
> as the original stuff.  The PAGENT setup seemed pretty straight forward.
> pagent.conf
> TTLSConfig /etc/pagent_TTLS.conf
>
> pagent_TTLS.conf
> # Common Production Group that all Rules use
> TTLSGroupAction grp_Production
> {
>  TTLSEnabled On
>  Trace 2             # Log Errors to syslogd
> }
>
>
> ###################################################################
> #                                                                 #
> #  FTP Specific Rules and Actions                                 #
> #                                                                 #
> ###################################################################
> # FTP data connections must use SecondaryMap
> # to access keyring and certificate under server's security context.
> # Do not define separate rules for FTP data connections.
> TTLSRule                  Secure_Ftp_client
> {
>  LocalPortRange           21
>  Direction                Outbound
>  TTLSGroupActionRef       grp_Production
>  TTLSEnvironmentActionRef Secure_Ftp_Client_Env
> }
>
> # Environment Shared by all secure FTP client connections.
> # each client must own their own key ring named Client_Ring
> TTLSEnvironmentAction Secure_Ftp_Client_Env
> {
>   HandshakeRole       Client
>   TTLSKeyRingParms
>   {
>     Keyring           Client_Ring
>   }
>   TTLSEnvironmentAdvancedParms
>   {
>     SecondaryMap      On
>   }
> }
>
> It appears that the correct configurations are loaded. - my only question
> being if INET is the correct name.
> EZZ8432I PAGENT INITIALIZATION COMPLETE
> EZD1289I TCPIP ICSF SERVICES ARE CURRENTLY AVAILABLE FOR AT-TLS GROUP
> grp_Production
> EZZ8771I PAGENT CONFIG POLICY PROCESSING COMPLETE FOR INET : TTLS
> EZD1586I PAGENT HAS INSTALLED ALL LOCAL POLICIES FOR INET
>
>
> Run the FTP and it fails saying there is no matching policy
>
> GU5349 ftpSetApplData: entered
> FC0254 ftpAuth: security values: mech=TLS, tlsmech=ATTLS, sFTP=R, sCC=P, sDC=P
> FC2723 ftpAuthAttls: No AT-TLS policy matched connection
> EZA2897I Authentication negotiation failed
>
>
> On Sat, May 10, 2014 at 2:21 PM, Rob Schramm <rob.schr...@gmail.com>wrote:
>
>> Congrats.
>>
>> Of course the latest recommendations are to move away from TLS 1.0 because
>> of vulnerabilities.
>>
>> Rob Schramm
>> On May 9, 2014 4:48 PM, "Mark Pace" <pacemainl...@gmail.com> wrote:
>>
>> > One thing I just noticed as I was documenting this.
>> > I had changed my ftp server from using the GoDaddy assigned certificate to
>> > a self-signed certificate.  I had sent a copy of the .pem file to z/OS and
>> > added it to my keyring as Site certificate. - That is what worked.
>> >
>> > So I went back to the GoDaddy certificate on the server,  and I still have,
>> > what I thought was a good Certauth from GoDaddy on my key ring and now my
>> > error is - FC1003 authServer: secure_socket_init failed with rc = 417
>> > (Self-signed certificate cannot be validated)
>> >
>> > So now I need to figure out how to get the Certauth working as I don't
>> > really want to have to send my self-signed out.
>> >
>> > Something to ponder next week.
>> >
>> >
>> > On Fri, May 9, 2014 at 4:09 PM, Gibney, Dave <gib...@wsu.edu> wrote:
>> >
>> > > On looking at it, I think the
>> > > > TLSRFCLEVEL       CCCNONOTIFY ;
>> > > And/or the
>> > > > EPSV4             TRUE
>> > > Are newish (in that they were what I had to put in to make it work the
>> > > last time it broke :) It tends to break when maintenance is put on Linux or
>> > > vsftp :)
>> > >
>> > > > -----Original Message-----
>> > > > From: IBM Mainframe Discussion List [mailto:
>> IBM-MAIN@LISTSERV.UA.EDU]
>> > > > On Behalf Of Mark Pace
>> > > > Sent: Friday, May 09, 2014 1:00 PM
>> > > > To: IBM-MAIN@LISTSERV.UA.EDU
>> > > > Subject: Re: z/OS FTPS Client & Linux FTP server
>> > > >
>> > > > WOAH, WOAH, WOAH,  what the hell?   I copied and pasted your FTP.DATA file
>> > > > into my FTP.DATA file  and now it works.
>> > > >
>> > > > Now I just have to determine what was different on yours than every iteration
>> > > > that I have been through so far.
>> > > >
>> > > > THANKS,  I think.   ;)
>> > > >
>> > > >
>> > > > On Fri, May 9, 2014 at 2:28 PM, Gibney, Dave <gib...@wsu.edu>
>> wrote:
>> > > >
>> > > > > Well, for what it is worth, I use the following in my userid.FTP.DATA
>> > > > > and successfully talk to vsftp with SSL Encryption:
>> > > > > TLSRFCLEVEL       CCCNONOTIFY ;
>> > > > > EPSV4             TRUE
>> > > > > TLSMECHANISM      FTP
>> > > > > SECURE_MECHANISM TLS
>> > > > > SECURE_FTP REQUIRED
>> > > > > SECURE_CTRLCONN   CLEAR
>> > > > > SECURE_DATACONN PRIVATE
>> > > > > CIPHERSUITE       SSL_NULL_MD5      ; 01
>> > > > > CIPHERSUITE       SSL_NULL_SHA      ; 02
>> > > > > CIPHERSUITE       SSL_RC4_MD5_EX    ; 03
>> > > > > CIPHERSUITE       SSL_RC4_MD5       ; 04
>> > > > > CIPHERSUITE       SSL_RC4_SHA       ; 05
>> > > > > CIPHERSUITE       SSL_RC2_MD5_EX    ; 06
>> > > > > CIPHERSUITE       SSL_DES_SHA       ; 09
>> > > > > CIPHERSUITE       SSL_3DES_SHA      ; 0A
>> > > > >
>> > > > > KEYRING FTPClientRing
>> > > > >
>> > > > > My RACF keyring has:
>> > > > > Ring:
>> > > > >      >FTPClientRing<
>> > > > > Certificate Label Name             Cert Owner     USAGE     DEFAULT
>> > > > > --------------------------------   ------------   --------  -------
>> > > > > Thawte Premium Server CA           CERTAUTH       CERTAUTH     NO
>> > > > > thawte Primary Root CA             CERTAUTH       CERTAUTH     NO
>> > > > > Thawte Server CA                   CERTAUTH       CERTAUTH     NO
>> > > > > Thawte DV SSL CA                   CERTAUTH       CERTAUTH     NO
>> > > > >
>> > > > > I did find it necessary to have the full chain in my keyring.
>> > > > >
>> > > > > I just use //MVSFTP   EXEC PGM=FTP,
>> > > > >
>> > > > > I don't maintain the Linux server, so I can't quickly get the full
>> > > > > vsftp parm deck. I can ask for it.
>> > > > >
>> > > > > > -----Original Message-----
>> > > > > > From: IBM Mainframe Discussion List
>> > > > > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
>> > > > > > Sent: Friday, May 09, 2014 10:58 AM
>> > > > > > To: IBM-MAIN@LISTSERV.UA.EDU
>> > > > > > Subject: Re: z/OS FTPS Client & Linux FTP server
>> > > > > >
>> > > > > > Sorry, confused, again.
>> > > > > >
>> > > > > > We currently do userid/password authentication - without SSL.
>> > > > > >
>> > > > > >
>> > > > > > On Fri, May 9, 2014 at 1:42 PM, Gibney, Dave <gib...@wsu.edu>
>> > wrote:
>> > > > > >
>> > > > > > > Well, if you are doing the SSL server stuff, then the password is
>> > > > > > > not flowing in the clear. On the other hand, my interpretation of
>> > > > > > > the vsftp parm I sent a few days ago is to NOT do certificate
>> > > > > > > based client authentication.
>> > > > > > >
>> > > > > > > > -----Original Message-----
>> > > > > > > > From: IBM Mainframe Discussion List
>> > > > > > > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
>> > > > > > > > Sent: Friday, May 09, 2014 9:19 AM
>> > > > > > > > To: IBM-MAIN@LISTSERV.UA.EDU
>> > > > > > > > Subject: Re: z/OS FTPS Client & Linux FTP server
>> > > > > > > >
>> > > > > > > > Oh yes.  We've been doing it that way for years.
>> > > > > > > >
>> > > > > > > > Trying to add the ability to secure the log in process.
>> > > > > > > >
>> > > > > > > >
>> > > > > > > > On Fri, May 9, 2014 at 11:42 AM, Gibney, Dave <gib...@wsu.edu> wrote:
>> > > > > > > >
>> > > > > > > > > I haven't used SSL client verification by certificate, so you
>> > > > > > > > > are past my knowledge. As an experiment, can you get a working
>> > > > > > > > > connection using userid/password authentication.
>> > > > > > > > >
>> > > > > > > > > > -----Original Message-----
>> > > > > > > > > > From: IBM Mainframe Discussion List
>> > > > > > > > > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark Pace
>> > > > > > > > > > Sent: Friday, May 09, 2014 5:47 AM
>> > > > > > > > > > To: IBM-MAIN@LISTSERV.UA.EDU
>> > > > > > > > > > Subject: Re: z/OS FTPS Client & Linux FTP server
>> > > > > > > > > >
>> > > > > > > > > > I was able to get the Trace to work - after removing the -r
>> > > > > > > > > > TLS, that generated an error.
>> > > > > > > > > > *EZA2892I Secure port 21 does not allow the -a or -r start
>> > > > > > > > > > parameter*
>> > > > > > > > > >
>> > > > > > > > > > And from that trace it appears, to me, that the FTP server
>> > > > > > > > > > is not responding correctly to the z/OS client handshake.
>> > > > > > > > > >
>> > > > > > > > > > 05/08/2014-16:46:27 Thd-0 INFO send_v3_client_hello(): Sent V3 CLIENT-HELLO message
>> > > > > > > > > > 05/08/2014-16:46:27 Thd-0 ASCII send_v3_client_hello(): V3 CLIENT-HELLO message
>> > > > > > > > > >         00000000:  0100002b 0301536b ed23cf50 8d72c5f7  *...+..Sk.#.P.r..*
>> > > > > > > > > >         00000010:  201c1c84 2fef8ce6 3228c3b3 8de37177  * .../...2(....qw*
>> > > > > > > > > >         00000020:  a3e6e150 a3c50000 0400ff00 050100    *...P...........*
>> > > > > > > > > > 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): Calling write routine for 52 bytes
>> > > > > > > > > > 05/08/2014-16:46:27 Thd-0 INFO gsk_write_v3_record(): 52 bytes written
>> > > > > > > > > > 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): Calling read routine for 5 bytes
>> > > > > > > > > > 05/08/2014-16:46:27 Thd-0 INFO gsk_read_v3_record(): 5 bytes received
>> > > > > > > > > > 05/08/2014-16:46:27 Thd-0 ERROR gsk_read_v3_record(): Content Type 50 is not supported
>> > > > > > > > > > 05/08/2014-16:46:27 Thd-0 ASCII gsk_read_v3_record(): SSL record header
>> > > > > > > > > >         00000000:  3232302d 57                          *220-W*
>> > > > > > > > > > 05/08/2014-16:46:27 Thd-0 ERROR gsk_secure_socket_init(): SSL V3 client handshake failed with 10.6.0.15[21]
>> > > > > > > > > >
>> > > > > > > > > >
>> > > > > > > > > >
>> > > > > > > > > > On Wed, May 7, 2014 at 4:03 PM, Gibney, Dave
>> > > > > > > > > > <gib...@wsu.edu>
>> > > > > > > > wrote:
>> > > > > > > > > >
>> > > > > > > > > > > Add this to the FTP Client job parms:
>> > > > > > > > > > > //    PARM=('ENVAR("GSK_TRACE=0XFFFF","GSK_TRACE_FILE=/tmp/gskwix.trc")',
>> > > > > > > > > > > //    '/-r TLS (TRACE EXIT')
>> > > > > > > > > > >
>> > > > > > > > > > > There is a formatter documented with gsktrace. Should get
>> > > > > > > > > > > you to the exact error when you format gskwix.trc
>> > > > > > > > > > >
>> > > > > > > > > > > > -----Original Message-----
>> > > > > > > > > > > > From: IBM Mainframe Discussion List
>> > > > > > > > > > > > [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Mark
>> > Post
>> > > > > > > > > > > > Sent: Wednesday, May 07, 2014 12:55 PM
>> > > > > > > > > > > > To: IBM-MAIN@LISTSERV.UA.EDU
>> > > > > > > > > > > > Subject: Re: z/OS FTPS Client & Linux FTP server
>> > > > > > > > > > > >
>> > > > > > > > > > > > Mark,
>> > > > > > > > > > > >
>> > > > > > > > > > > > This may be yet another case where running strace or
>> > > > > > > > > > > > ltrace on the server side will give you some insight
>> > > > > > > > > > > > into what is going on.  If you don't want to go
>> > > > > > > > > > > > down that road, I would say it's time to open up a PMR
>> > > > > > > > > > > > with IBM.
>> > > > > > > > > > > >
>> > > > > > > > > > > >
>> > > > > > > > > > > > Mark Post
>> > > > > > > > > > > >


-- 
The postings on this site are my own and don’t necessarily represent
Mainline’s positions or opinions

Mark D Pace
Senior Systems Engineer
Mainline Information Systems

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
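An added worked example, not code from the thread or from IBM: a short Python model of the two failure modes discussed above, built only from values that appear in the posted messages. `select_rule` shows why a Direction Outbound rule with `LocalPortRange 21` never selects the FTP client's connection (logged in the EZD1286I message as LOCAL 10.6.0.17..1052, REMOTE 10.6.0.10..21) while `RemotePortRange 21` does; it is a simplified matcher (direction and port ranges only), not PAGENT's own selection logic. `parse_client_hello` decodes the V3 CLIENT-HELLO bytes from the gsktrace dump (TLS 1.0, the 32-byte random whose first four bytes are gmt_unix_time and decode to the trace's own timestamp, and a cipher list of 0x00FF, the TLS_EMPTY_RENEGOTIATION_INFO_SCSV of RFC 5746, plus 0x0005, the `SSL_RC4_SHA ; 05` entry in Dave's FTP.DATA list). `classify_server_reply` shows why the 5 bytes read back, `3232302d 57` ("220-W"), produce "Content Type 50 is not supported": 0x32 is ASCII '2', the start of a plaintext FTP reply, not a TLS record header. The `Connection` and `TTLSRule` classes and all function names are this example's own.

```python
"""Added example: a small model of the two failure modes in the thread.
Values (ports, addresses, hex bytes) come from the posted messages; the
matcher is a simplification of PAGENT (direction and port ranges only)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]


@dataclass
class Connection:
    direction: str          # "Inbound" or "Outbound" as seen by this host
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int


@dataclass
class TTLSRule:
    name: str
    direction: str
    local_ports: PortRange = None    # LocalPortRange
    remote_ports: PortRange = None   # RemotePortRange


def _in_range(port: int, rng: PortRange) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def select_rule(rules: List[TTLSRule], conn: Connection) -> Optional[str]:
    """Name of the first rule whose selectors match the connection, or None
    (the case FTP reports as 'No AT-TLS policy matched connection')."""
    for rule in rules:
        if (rule.direction == conn.direction
                and _in_range(conn.local_port, rule.local_ports)
                and _in_range(conn.remote_port, rule.remote_ports)):
            return rule.name
    return None


TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS1.0", (3, 2): "TLS1.1",
                (3, 3): "TLS1.2"}


def classify_server_reply(first_bytes: bytes) -> str:
    """Tell a TLS record header (type, version, length) from a plaintext
    FTP reply line, which starts with a 3-digit code and ' ' or '-'."""
    if len(first_bytes) < 5:
        return "unknown"
    ctype, version = first_bytes[0], (first_bytes[1], first_bytes[2])
    if ctype in TLS_CONTENT_TYPES and version in TLS_VERSIONS:
        return "tls:" + TLS_CONTENT_TYPES[ctype]
    if first_bytes[:3].isdigit() and first_bytes[3:4] in (b" ", b"-"):
        return "ftp-reply"
    return "unknown"


def parse_client_hello(msg: bytes) -> dict:
    """Decode a ClientHello handshake message (RFC 2246 layout, extensions
    ignored): version, gmt_unix_time from the random, cipher suites."""
    if len(msg) < 4 or msg[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    gmt = int.from_bytes(body[2:6], "big")      # first 4 bytes of random
    pos = 35 + body[34]                         # skip session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(body[i:i + 2], "big")
              for i in range(pos, pos + cs_len, 2)]
    return {"body_len": body_len,
            "version": TLS_VERSIONS.get(version, str(version)),
            "gmt_unix_time": gmt,
            "gmt_iso": datetime.fromtimestamp(gmt, timezone.utc)
                       .strftime("%Y-%m-%dT%H:%M:%SZ"),
            "cipher_suites": suites}


# Connection from the EZD1286I console message in the thread
FTP_CONN = Connection("Outbound", "10.6.0.17", 1052, "10.6.0.10", 21)
# The rule as first posted, and with the port selector corrected
WRONG_RULE = TTLSRule("Secure_Ftp_client", "Outbound", local_ports=(21, 21))
FIXED_RULE = TTLSRule("Secure_Ftp_client", "Outbound", remote_ports=(21, 21))
# Bytes copied from the gsktrace dump: the CLIENT-HELLO sent, and the 5
# bytes read back where a TLS record header was expected
CLIENT_HELLO = bytes.fromhex("0100002b0301536bed23cf508d72c5f7201c1c84"
                             "2fef8ce63228c3b38de37177a3e6e150a3c50000"
                             "0400ff00050100")
SERVER_REPLY = bytes.fromhex("3232302d57")


def demo() -> dict:
    return {"wrong_rule": select_rule([WRONG_RULE], FTP_CONN),   # None
            "fixed_rule": select_rule([FIXED_RULE], FTP_CONN),   # matched
            "client_hello": parse_client_hello(CLIENT_HELLO),
            "server_reply": classify_server_reply(SERVER_REPLY)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to print the four results. The decoded hello shows what the client offered (TLS 1.0 and a single RC4 suite), and the "220-W" reply shows a server that greeted in plaintext where the client was already expecting TLS records: the ClientHello in the trace was written before any banner was read, so the client began the handshake on connect while the server was waiting to start an explicit AUTH TLS exchange after its 220 banner. Checking the first five bytes of a reply in this way is a quick way to tell that kind of implicit-versus-explicit mismatch from a genuine TLS failure, which would arrive as a TLS alert record instead.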
