Vanguard Integrity Professionals - External - Public
What Michael is trying to tell you is that you're confusing "sFTP" and "FTPs";
these are two very different protocols which have nothing to do with each other
(think Beta vs VHS).

sFTP is "ftp tunneled through the SSH interface" and runs on TCP/22. Getting
that functional is a conversation covered in the USS books; check out the SSH
section.

FTPs is "plain old ftp, wrapped with digital certificates to make it secure"
(think http vs https) and this is done via PAGENT. Depending on how it's
configured (e.g. insecure, implicit, explicit, passive) this can run on the
following ports: TCP20, TCP21, TCP990 and a range of user-specified ports. FYI,
this complexity is why PAGENT has the "ApplicationControlled" parm.

z/OS supports both sFTP and FTPs. Though, in z/OS, there are feature
differences between them...

Likewise, WinSCP supports both sFTP and FTPs, as do many other programs on
Windows.

I would suggest picking one to work with (either sFTP or FTPs) and then ensuring
that z/OS and WinSCP use the one you selected. If you're unclear on the
differences you probably want FTPs due to its greater functionality (on z/OS).

Also, as Michael indicated, if you are trying to debug issues with FTPs (ATTLS)
you must turn up trace and read the logs. There really is no other (practical)
way to troubleshoot ATTLS issues.
Classified by dustin.ha...@go2vanguard.com on 2022.05.25 08:30:10
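
To check which of the two protocols a given port actually speaks before picking a WinSCP setting, here is an added example (not part of the original post; the function names and result labels are assumptions made for illustration). It classifies a listener by its greeting: an SSH identification string means SFTP via SSHD, an FTP 220 greeting followed by a 234 reply to AUTH TLS means explicit FTPS, and a listener that stays silent until a TLS handshake is implicit FTPS.

```python
import socket
import ssl

def read_reply(f) -> bytes:
    """Final line of one server message; multi-line FTP replies end at 'NNN '."""
    line = b""
    for line in f:
        if line.startswith(b"SSH-") or (line[:3].isdigit() and line[3:4] == b" "):
            break
    return line

def classify(greeting: bytes, auth_reply: bytes = b"") -> str:
    """Name the service from its greeting and, for FTP, its reply to AUTH TLS."""
    if greeting.startswith(b"SSH-"):
        return "ssh-sftp"
    if greeting.startswith(b"220"):
        # RFC 4217: 234 means TLS will be negotiated on this control connection
        return "ftps-explicit" if auth_reply.startswith(b"234") else "ftp-cleartext"
    return "unknown"

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Try cleartext first; if the listener stays silent, retry with TLS first."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with sock, sock.makefile("rb") as f:
        try:
            greeting, auth = read_reply(f), b""
            if greeting.startswith(b"220"):
                sock.sendall(b"AUTH TLS\r\n")
                auth = read_reply(f)
            if greeting:
                return classify(greeting, auth)
        except OSError:
            pass  # timeout or reset: listener may expect a TLS ClientHello
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # identification only: the certificate is
    ctx.verify_mode = ssl.CERT_NONE  # not validated, so never reuse for transfers
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw) as tls, tls.makefile("rb") as f:
            return "ftps-implicit" if read_reply(f).startswith(b"220") else "unknown"
    except OSError:
        return "unknown"

if __name__ == "__main__":
    # Constructed greetings, not captured from a real system
    print(classify(b"SSH-2.0-Example\r\n"), classify(b"220 ready\r\n", b"234 ok\r\n"))
```

Calling `probe(host, port)` for ports 21, 22 and 990 on the z/OS host shows whether SSHD, a cleartext FTP daemon, or an AT-TLS protected FTP daemon is answering, which tells you which WinSCP protocol setting can work.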
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of
Michael Babcock
Sent: Wednesday, 2022 May-25 08:19
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: AT-TLS & FTP troubles - cannot get very simple setup working
I don’t think you can use PAGENT for port 22 (not 100% sure on that). If
using port 22 configure SSHD.
Did you set the trace parm in PAGENT to 255? You will get much more info
in SYSLOG by doing that.
On Wed, May 25, 2022 at 10:05 AM Bob wrote:
> That's one I have changed back and forth 21 ... 22 ... 21 .. 22 ... 21
> &22. The config I started with had 21 in it, but the WinSCP references 22
> so I have been trying both ... without success. I changed it back to 21
> now. Still fails.
>
> I just added an ftp configuration parameter of FTPLOGGING TRUE and received
> this message:
>
> EZYFS51I ID=FTPD10 CONN fails Reason=3 Text=getpeername failed
>
> Now I'm trying to figure out what that is telling me.
>
> On Wed, May 25, 2022 at 8:46 AM Michael Babcock
> wrote:
>
> > I can SSH into z/OS USS but I don’t use pagent for port 22. You should
> > configure SSHD for that. Remove port 22 from PAGENT.
> >
> > On Wed, May 25, 2022 at 8:46 AM Bob wrote:
> >
> > > I am struggling to get AT-TLS and FTP working on my new z/OS 2.5 system
> > > and I don’t know why. I’m sure I am missing something very simple, but I
> > > have spent a lot of time over the last few weeks trying to figure it out
> > > and I cannot. Note that ftp without encryption does work and I have
> > > nothing else using PAGENT or AT-TLS.
> > >
> > > I originally started with a configuration created by z/OSMF Network
> > > Configuration Assistant, but after numerous attempts to get it working I
> > > have pared it down to the very minimum configuration below.
> > >
> > > I’m not even sure what info to share.
> > >
> > > When I try to connect using WinSCP I just get this:
> > >
> > > d:\>"c:\Program Files (x86)\WinSCP\WinSCP" /log=d:\WinSCP.log /loglevel=2 testmvs
> > > Searching for host...
> > > Network error: Connection to "testmvs" refused.
> > > The server rejected SFTP connection, but it listens for FTP connections.
> > > Did you want to use FTP protocol instead of SFTP? Prefer using encryption.
> > > winscp>
> > >
> > > And the WinSCP log doesn’t show much more:
> > >
> > > Looking up host "testmvs" for SSH connection
> > > Connecting to 10.80.63.94 port 22
> > > Failed to connect to 10.80.63.94: Network error: Connection refused
> > >
> > > And here are the related configuration files.
> > >
> > > Here’s the pagent.conf:
> > >
> > > LogLevel 511
> > > TcpImage TCPIP FLUSH
> > > TTLSConfig /etc/TTLSConfig.conf FLUSH
> > >
> > > And here is the TTLSConfig.conf:
> > >
> > > TTLSGroupAction ftp_server_group
> > > {
> > >   TTLSEnabled On
> > >   Trace 30
> > > }
> > > TTLSEnvironmentAction ftp_server_env
> > > {
> > >   HandshakeRole Server
> > >   TTLSCipherParmsRef ftp_server_ciphers
> > >   TTLSKeyringParms
> > >   {
> > >     Keyring mtskeyring
> > >   }
> > >