Re: Passing STDENV DD to FTP via SYSIN
On Fri, 11 Sep 2020 15:07:17 -0500, Wendell Lovewell wrote:
>...
>and while:
>//FTPXFER EXEC PGM=FTP,REGION=4M,
>//
>PARM=('ENVAR("GSK_PROTOCOL_TLSV1_2=ON","GSK_TRACE=0x","GSK_TRACE_FILE=/tmp/gskc.trc")/(EXIT')
>
>...is possible, it pushes the limits of the PARM value's max length.
>
PARMDD?
-- gil
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Passing STDENV DD to FTP via SYSIN
Charles: Password is in the clear, just like it's always been. The main
security is controlled by directory permissions on the server--it's really a
"dump it here". They can't even see what they've uploaded. The download
directory (stuff from us) is read-only. Like I said, "kicking and screaming"...
Frank: //CEEOPTS is very close to what I was looking for!
//FTPXFER EXEC PGM=FTP,REGION=4M,
// PARM=('ENVAR("GSK_PROTOCOL_TLSV1_2=ON")/(EXIT')
...works great if all I want to do is force TLS 1.2. But there are a couple of
other environment variables that are really handy for debugging:
GSK_TRACE=0x and GSK_TRACE_FILE=/tmp/gskc.trc
and while:
//FTPXFER EXEC PGM=FTP,REGION=4M,
//
PARM=('ENVAR("GSK_PROTOCOL_TLSV1_2=ON","GSK_TRACE=0x","GSK_TRACE_FILE=/tmp/gskc.trc")/(EXIT')
...is possible, it pushes the limits of the PARM value's max length.
But I can add as many variables with CEEOPTS as I want:
//FTPXFER EXEC PGM=FTP,REGION=4M,PARM='(TIMEOUT 30 EXIT'
//CEEOPTS DD *
ENVAR("GSK_PROTOCOL_TLSV1_2=ON",
"GSK_TRACE=0x",
"GSK_TRACE_FILE=/tmp/gskb.trc")
//*
However, I did stumble across what a really wanted as I was closing out all the
web pages I had open for this.
https://www.ibm.com/support/knowledgecenter/SSLTBW_2.2.0/com.ibm.zos.v2r2.halz002/ip_env_var_used_by_tcpip_appls.htm
...is the page I'd overlooked. It explains that while _CEE_ENVFILE requires a
VB255 dataset, _CEE_ENVFILE_S isn't so picky. So:
//FTPXFER EXEC PGM=FTP,REGION=4M,
// PARM=('ENVAR("_CEE_ENVFILE_S=DD:STDENV")/(TIMEOUT 30 EXIT')
//STDENV DD *
GSK_PROTOCOL_TLSV1_2=ON
//* GSK_TRACE=0x
//* GSK_TRACE_FILE=/tmp/gskc.trc
//SYSFTPD DD *
...is really what I was looking for in the first place. I can leave the TRACE
vars commented, but if there is a problem they can easily be un-commented and
the /tmp/gskc.trc file can be used to see exactly what's going on under the
covers. (BTW, this trace appears to provide a lot more information than
processing a GSKSRVR/GSKWRTR trace with IPCS and "CTRACE COMP(GSKSRVR)
DDNAME(IPTRACE) FULL"--but it's probable that I just don't know what I'm doing
with IPCS.)
Anyway, thanks again to all!
Wendell
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Passing STDENV DD to FTP via SYSIN
You can also use the CEEOPTS DD. Something like this:
//CEEOPTS DD *
ENVAR("GSK_PROTOCOL_TLSV1_2=1")
[...any other LE options you wish to use...]
/*
We also use this method of specifying TLS 1.2, but I seem to recall the
"official" method is to use AT-TLS instead. At the time we wanted to start
using TLS 1.2 we didn't have PAGENT (and thus AT-TLS) set up, so we went this
way. So offhand I don't know how it should be configured using PAGENT/AT-TLS.
From: IBM Mainframe Discussion List on behalf of
Wendell Lovewell <01e9c0ee0673-dmarc-requ...@listserv.ua.edu>
Sent: Thursday, September 10, 2020 10:57 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Passing STDENV DD to FTP via SYSIN
Hey Charles, I took you seriously the first time. I appreciate your interest
in helping.
Bottom line, I'd like to come up with a job any z/OS customer could run,
without requiring changes to any of their system files (like FTPCDATA or AT-TLS
or RACF) that would allow them to transmit files to/from an FTP site using FTPS.
I've pretty much given up on that--I can't find a way to do it without
installing certificates used by the FTP server into their RACF/ACF2/Top Secret
databases. And even with the certificates in RACF, the only way I've gotten it
to work is force FTP to use TLS 1.2 by setting the "GSK_PROTOCOL_TLSV1_2"
environment variable to "ON" per this URL:
https://www.ibm.com/support/pages/zos-communications-server-tls-needed-implement-tls-v12
That page does say for FTP the STDENV dataset should be RECFM=VB. (I did try
various combinations of DD *,DCB=(...), including DCB=(RECFM=VB), but JES
didn't seem to allow that.) Gil might be on to something with the temporary
datasets not being available to spawned processes, but I've cataloged the
IEBGENER'd file and the job still fails like it doesn't find the
"GSK_PROTOCOL_TLSV1_2=ON" variable.
---
I'm not sure how to close this out, but as I've been typing this, I did figure
out how to get around the STDENV problem. I'm going to go ahead and leave what
I've said so far in case someone else comes across this in the future, but
here's a work-around:
What I was trying to do was:
//FTPXFER EXEC PGM=FTP,REGION=4292K,
//PARM=('POSIX(ON) ALL31(ON)',
// 'ENVAR("_CEE_ENVFILE=DD:STDENV")/(EXIT')
//STDENV DD *
GSK_PROTOCOL_TLSV1_2=ON
//*
Where the 'ENVAR("_CEE_ENVFILE=DD:STDENV") is telling LE to look for
environment variables in the STDENV DD. The STDENV file wasn't being found,
but all it has is one variable name and value. So it occurred to me that I
could just put the variable and value in the PARM:
//FTPXFER EXEC PGM=FTP,REGION=4292K,
//PARM=('POSIX(ON) ALL31(ON)',
// 'ENVAR("GSK_PROTOCOL_TLSV1_2=ON")/(EXIT')
Turns out, it works!
Thanks for all your help.
Wendell
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Passing STDENV DD to FTP via SYSIN
OK.
I am going to *guess* that if it all works unless the client supports only TLS
1.1 then it is the server that is refusing anything less than 1.2. I guess you
have no control over that.
By the way TLSRFCLEVEL CCCNONOTIFY is a slight security exposure that some may
balk at.
No, there is no way "around certificates." Certificates are utterly fundamental
to TLS.
What about the password? Are you going to put that into INPUT in clear text?
Charles
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf
Of Wendell Lovewell
Sent: Friday, September 11, 2020 9:05 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Passing STDENV DD to FTP via SYSIN
Hey Charles,
No nuclear secrets here. I've been pulled kicking & screaming into adding this
level of security anyway.
I'm shooting for the absolute easiest way to give any z/OS and z/VSE customer
the ability to upload a file to a server that requires a secured connection. I
don't see a way around the certificates, but at least I have been able to set
up a single job a RACF admin could run to set up a keyring they can use. But I
couldn't find a combination of parameters that would get SSL or TLS 1.1 working
with this particular server (that I don't control).
I used the info from that URL because one of the last things I want to do is
require customers to set up a TLS policy just to upload a file. By forcing TLS
1.2 and these other SYSFTPD parameters, I think I can at least keep away from
having to get into any (other than RACF) system-type files:
//FTPXFER EXEC PGM=FTP,REGION=4292K,
//PARM=('POSIX(ON) ALL31(ON)',
// 'ENVAR("GSK_PROTOCOL_TLSV1_2=ON")/(EXIT')
//SYSFTPD DD *
CLIENTERRCODES EXTENDED
EPSV4TRUE
EXTENSIONS AUTH_TLS
FWFRIENDLY TRUE
KEYRINGTCPIP/MACK.FTP.KEYRING
PASSIVEIGNOREADDR TRUE
SECUREIMPLICITZOS FALSE
SECURE_FTP REQUIRED
SECURE_MECHANISM TLS
SECURE_DATACONNPRIVATE
SECURE_CTRLCONNPRIVATE
SECURE_HOSTNAMEREQUIRED
TLSMECHANISM FTP
TLSRFCLEVEL CCCNONOTIFY
//*
//INPUT DD *
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Passing STDENV DD to FTP via SYSIN
Hey Charles,
No nuclear secrets here. I've been pulled kicking & screaming into adding this
level of security anyway.
I'm shooting for the absolute easiest way to give any z/OS and z/VSE customer
the ability to upload a file to a server that requires a secured connection. I
don't see a way around the certificates, but at least I have been able to set
up a single job a RACF admin could run to set up a keyring they can use. But I
couldn't find a combination of parameters that would get SSL or TLS 1.1 working
with this particular server (that I don't control).
I used the info from that URL because one of the last things I want to do is
require customers to set up a TLS policy just to upload a file. By forcing TLS
1.2 and these other SYSFTPD parameters, I think I can at least keep away from
having to get into any (other than RACF) system-type files:
//FTPXFER EXEC PGM=FTP,REGION=4292K,
//PARM=('POSIX(ON) ALL31(ON)',
// 'ENVAR("GSK_PROTOCOL_TLSV1_2=ON")/(EXIT')
//SYSFTPD DD *
CLIENTERRCODES EXTENDED
EPSV4TRUE
EXTENSIONS AUTH_TLS
FWFRIENDLY TRUE
KEYRINGTCPIP/MACK.FTP.KEYRING
PASSIVEIGNOREADDR TRUE
SECUREIMPLICITZOS FALSE
SECURE_FTP REQUIRED
SECURE_MECHANISM TLS
SECURE_DATACONNPRIVATE
SECURE_CTRLCONNPRIVATE
SECURE_HOSTNAMEREQUIRED
TLSMECHANISM FTP
TLSRFCLEVEL CCCNONOTIFY
//*
//INPUT DD *
(Normal, non-FTPS commands still go here)
(Bernd, you were spot-on. I answered my own question the same way about
midnight last night.)
I'm just glad it works!
Wendell
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Passing STDENV DD to FTP via SYSIN
Okay, so the answer to my question "what are you trying to do that
PARM/SYSFTPD/INPUT does not solve?" is "force FTP to use TLS 1.2, because that
is the only variant that seems to work no matter what their RACF/ACF2/TSS
configuration is." Is that right?
> without installing certificates used by the FTP server into their
> RACF/ACF2/Top Secret databases
That is not a condition that you can necessarily solve. The CA that signed your
server certificate -- their CA certificate MUST be installed and trusted at the
customer site or TLS will not work, and there is no CA certificate that you can
be absolutely certain is installed. That is just how TLS works, and the
management of which CAs to trust it totally up to customer management. I think
DigiCert is your best bet, but it is not a sure thing.
An alternative to certificates in RACF/ACF2/TSS you might look into a gskkyman
database, but I am not sure you would want to go that route.
>From the link you provided I guess you want to use the "native" FTP/SystemSSL
>interface rather than AT-TLS. I'm not sure exactly why. I think much of the
>point of AT-TLS is getting users out of the TLS configuration business and
>letting the magic of AT-TLS handle it.
Are you saying you cannot get TLS 1.1 to work? Or are you saying that you or
your customers have a security or compliance requirement for TLS 1.2? Or do you
just want to be latest and greatest? TLS 1.1 is last year's movie but it is not
considered not secure, at least if you are not sending nuclear secrets.
Charles
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf
Of Wendell Lovewell
Sent: Thursday, September 10, 2020 9:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Passing STDENV DD to FTP via SYSIN
Hey Charles, I took you seriously the first time. I appreciate your interest
in helping.
Bottom line, I'd like to come up with a job any z/OS customer could run,
without requiring changes to any of their system files (like FTPCDATA or AT-TLS
or RACF) that would allow them to transmit files to/from an FTP site using
FTPS.
I've pretty much given up on that--I can't find a way to do it without
installing certificates used by the FTP server into their RACF/ACF2/Top Secret
databases. And even with the certificates in RACF, the only way I've gotten it
to work is force FTP to use TLS 1.2 by setting the "GSK_PROTOCOL_TLSV1_2"
environment variable to "ON" per this URL:
https://www.ibm.com/support/pages/zos-communications-server-tls-needed-implement-tls-v12
That page does say for FTP the STDENV dataset should be RECFM=VB. (I did try
various combinations of DD *,DCB=(...), including DCB=(RECFM=VB), but JES
didn't seem to allow that.) Gil might be on to something with the temporary
datasets not being available to spawned processes, but I've cataloged the
IEBGENER'd file and the job still fails like it doesn't find the
"GSK_PROTOCOL_TLSV1_2=ON" variable.
---
I'm not sure how to close this out, but as I've been typing this, I did figure
out how to get around the STDENV problem. I'm going to go ahead and leave what
I've said so far in case someone else comes across this in the future, but
here's a work-around:
What I was trying to do was:
//FTPXFER EXEC PGM=FTP,REGION=4292K,
//PARM=('POSIX(ON) ALL31(ON)',
// 'ENVAR("_CEE_ENVFILE=DD:STDENV")/(EXIT')
//STDENV DD *
GSK_PROTOCOL_TLSV1_2=ON
//*
Where the 'ENVAR("_CEE_ENVFILE=DD:STDENV") is telling LE to look for
environment variables in the STDENV DD. The STDENV file wasn't being found,
but all it has is one variable name and value. So it occurred to me that I
could just put the variable and value in the PARM:
//FTPXFER EXEC PGM=FTP,REGION=4292K,
//PARM=('POSIX(ON) ALL31(ON)',
// 'ENVAR("GSK_PROTOCOL_TLSV1_2=ON")/(EXIT')
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Passing STDENV DD to FTP via SYSIN
After some thinking:
the problem is: the parameters you are specifying are LE runtime
parameters,
so the question is, if FTP uses standard LE services and the LE runtime
(then it will work),
or if FTP is built using other techniques ... then it will not and all
the parameters before
the slash will probably be ignored ... in the best case.
Kind regards
Bernd
Am 11.09.2020 um 08:47 schrieb Bernd Oppolzer:
IMO, you can also set the environment variables directly as follows:
//FTPXFER EXEC PGM=FTP,REGION=4292K,
// PARM=('POSIX(ON) ALL31(ON)',
// 'ENVAR("GSK_PROTOCOL_TLSV1_2=ON")/(EXIT')
no need to use a file like STDENV.
Kind regards
Bernd
Am 10.09.2020 um 23:58 schrieb Wendell Lovewell:
Hello,
I'm setting up a batch job to access our FTP server using FTPS and
TLS 1.2. (Forgive me if that nomenclature is less than perfect.)
I've imported certficates, built a keyring, and come up with a
combination of FTP client parameters that will allow me to connect to
the server and upload a file:
//FTPXFER EXEC PGM=FTP,REGION=4292K,
// PARM=('POSIX(ON) ALL31(ON)',
// 'ENVAR("_CEE_ENVFILE=DD:STDENV")/(EXIT')
//OUTPUT DD SYSOUT=*
//STDENV DD DISP=SHR,DSN=WRL1.FTPS.STDENV
//*
//* //STDENV DD *
//* GSK_PROTOCOL_TLSV1_2=ON
//*
//SYSFTPD DD *
CLIENTERRCODES EXTENDED
EPSV4 TRUE
EXTENSIONS AUTH_TLS
FWFRIENDLY TRUE
KEYRING TCPIP/FTP.KEYRING
PASSIVEIGNOREADDR TRUE
SECUREIMPLICITZOS FALSE
SECURE_FTP REQUIRED
SECURE_MECHANISM TLS
SECURE_DATACONN PRIVATE
SECURE_CTRLCONN PRIVATE
SECURE_HOSTNAME REQUIRED
TLSMECHANISM FTP
TLSRFCLEVEL CCCNONOTIFY
/*
//INPUT DD *
I'm trying to make this as self-contained as possible, and would like
to supply the variables via SYSIN rather than require the PS file
named on the un-commented version of the STDENV DD. BPXBATCH is the
only program I can find documented that says "//STDENV DD *" is
supported. FTP, at least with the PARM I'm using, seems to ignore it.
Is it possible to supply STDENV to FTP via SYSIN?
I hate to admit it, but I thought "Ok, I'll just IEBGENER the
variable(s) into a VB LRECL=255 BLKSIZE=27998 file (like the one that
works), and use that. But strangely, I can't get that to work
either--even though SUPERC confirms the files match.
TIA,
Wendell
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
--
Oppolzer-Informatik
Dipl. Inf. Bernd Oppolzer
Bärenhofstraße 23
70771 Leinfelden-Echterdingen
—
Tel.: +49 711 7949591
priv.: +49 711 7949590
mobil: +49 151 75005359
eMail: bernd.oppol...@t-online.de
Web: http://bernd-oppolzer.de/job.htm
—
Für Umsatzsteuerzwecke:
SteuerNr.: 97 076 / 29921
USt-ID-Nr.: DE 147 700 393
—
Oppolzer-Informatik 1983 - 2020
37years of experience in computer science**
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Passing STDENV DD to FTP via SYSIN
IMO, you can also set the environment variables directly as follows:
//FTPXFER EXEC PGM=FTP,REGION=4292K,
//PARM=('POSIX(ON) ALL31(ON)',
// 'ENVAR("GSK_PROTOCOL_TLSV1_2=ON")/(EXIT')
no need to use a file like STDENV.
Kind regards
Bernd
Am 10.09.2020 um 23:58 schrieb Wendell Lovewell:
Hello,
I'm setting up a batch job to access our FTP server using FTPS and TLS 1.2.
(Forgive me if that nomenclature is less than perfect.)
I've imported certficates, built a keyring, and come up with a combination of
FTP client parameters that will allow me to connect to the server and upload a
file:
//FTPXFER EXEC PGM=FTP,REGION=4292K,
//PARM=('POSIX(ON) ALL31(ON)',
// 'ENVAR("_CEE_ENVFILE=DD:STDENV")/(EXIT')
//OUTPUT DD SYSOUT=*
//STDENV DD DISP=SHR,DSN=WRL1.FTPS.STDENV
//*
//* //STDENV DD *
//* GSK_PROTOCOL_TLSV1_2=ON
//*
//SYSFTPD DD *
CLIENTERRCODES EXTENDED
EPSV4TRUE
EXTENSIONS AUTH_TLS
FWFRIENDLY TRUE
KEYRING TCPIP/FTP.KEYRING
PASSIVEIGNOREADDR TRUE
SECUREIMPLICITZOS FALSE
SECURE_FTP REQUIRED
SECURE_MECHANISM TLS
SECURE_DATACONNPRIVATE
SECURE_CTRLCONNPRIVATE
SECURE_HOSTNAME REQUIRED
TLSMECHANISM FTP
TLSRFCLEVEL CCCNONOTIFY
/*
//INPUTDD *
I'm trying to make this as self-contained as possible, and would like to supply the
variables via SYSIN rather than require the PS file named on the un-commented version of
the STDENV DD. BPXBATCH is the only program I can find documented that says
"//STDENV DD *" is supported. FTP, at least with the PARM I'm using, seems to
ignore it.
Is it possible to supply STDENV to FTP via SYSIN?
I hate to admit it, but I thought "Ok, I'll just IEBGENER the variable(s) into
a VB LRECL=255 BLKSIZE=27998 file (like the one that works), and use that. But
strangely, I can't get that to work either--even though SUPERC confirms the files
match.
TIA,
Wendell
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
--
Oppolzer-Informatik
Dipl. Inf. Bernd Oppolzer
Bärenhofstraße 23
70771 Leinfelden-Echterdingen
—
Tel.: +49 711 7949591
priv.: +49 711 7949590
mobil: +49 151 75005359
eMail: bernd.oppol...@t-online.de
Web: http://bernd-oppolzer.de/job.htm
—
Für Umsatzsteuerzwecke:
SteuerNr.: 97 076 / 29921
USt-ID-Nr.: DE 147 700 393
—
Oppolzer-Informatik 1983 - 2020
37years of experience in computer science**
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Passing STDENV DD to FTP via SYSIN
Hey Charles, I took you seriously the first time. I appreciate your interest
in helping.
Bottom line, I'd like to come up with a job any z/OS customer could run,
without requiring changes to any of their system files (like FTPCDATA or AT-TLS
or RACF) that would allow them to transmit files to/from an FTP site using
FTPS.
I've pretty much given up on that--I can't find a way to do it without
installing certificates used by the FTP server into their RACF/ACF2/Top Secret
databases. And even with the certificates in RACF, the only way I've gotten it
to work is force FTP to use TLS 1.2 by setting the "GSK_PROTOCOL_TLSV1_2"
environment variable to "ON" per this URL:
https://www.ibm.com/support/pages/zos-communications-server-tls-needed-implement-tls-v12
That page does say for FTP the STDENV dataset should be RECFM=VB. (I did try
various combinations of DD *,DCB=(...), including DCB=(RECFM=VB), but JES
didn't seem to allow that.) Gil might be on to something with the temporary
datasets not being available to spawned processes, but I've cataloged the
IEBGENER'd file and the job still fails like it doesn't find the
"GSK_PROTOCOL_TLSV1_2=ON" variable.
---
I'm not sure how to close this out, but as I've been typing this, I did figure
out how to get around the STDENV problem. I'm going to go ahead and leave what
I've said so far in case someone else comes across this in the future, but
here's a work-around:
What I was trying to do was:
//FTPXFER EXEC PGM=FTP,REGION=4292K,
//PARM=('POSIX(ON) ALL31(ON)',
// 'ENVAR("_CEE_ENVFILE=DD:STDENV")/(EXIT')
//STDENV DD *
GSK_PROTOCOL_TLSV1_2=ON
//*
Where the 'ENVAR("_CEE_ENVFILE=DD:STDENV") is telling LE to look for
environment variables in the STDENV DD. The STDENV file wasn't being found,
but all it has is one variable name and value. So it occurred to me that I
could just put the variable and value in the PARM:
//FTPXFER EXEC PGM=FTP,REGION=4292K,
//PARM=('POSIX(ON) ALL31(ON)',
// 'ENVAR("GSK_PROTOCOL_TLSV1_2=ON")/(EXIT')
Turns out, it works!
Thanks for all your help.
Wendell
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Passing STDENV DD to FTP via SYSIN
And I mean that second paragraph as a serious question : tell me and I will try
to help; not as sarcasm. CharlesSent from a mobile; please excuse the brevity.
Original message From: Charles Mills Date:
9/10/20 3:27 PM (GMT-08:00) To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: Passing
STDENV DD to FTP via SYSIN I have considerable experience in hacking FTP into
doing unnatural acts but not enough of a UNIX person to be totally up-to-speed
on using environment variables.What is it that you are trying to get FTP to do
that PARM= + SYSFTPD DD * + INPUT DD * will not accomplish?Charles-Original
Message-From: IBM Mainframe Discussion List
[mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Wendell LovewellSent: Thursday,
September 10, 2020 2:59 PMTo: ibm-m...@listserv.ua.EDUSubject: Passing STDENV
DD to FTP via SYSINHello,I'm setting up a batch job to access our FTP server
using FTPS and TLS 1.2. (Forgive me if that nomenclature is less than
perfect.)I've imported certficates, built a keyring, and come up with a
combination of FTP client parameters that will allow me to connect to the
server and upload a file://FTPXFER EXEC PGM=FTP,REGION=4292K,//
PARM=('POSIX(ON) ALL31(ON)',//
'ENVAR("_CEE_ENVFILE=DD:STDENV")/(EXIT')//OUTPUT DD SYSOUT=*//STDENV DD
DISP=SHR,DSN=WRL1.FTPS.STDENV//*//* //STDENV DD *//*
GSK_PROTOCOL_TLSV1_2=ON//*//SYSFTPD DD *CLIENTERRCODES EXTENDEDEPSV4
TRUEEXTENSIONS AUTH_TLSFWFRIENDLY
TRUEKEYRING TCPIP/FTP.KEYRINGPASSIVEIGNOREADDR
TRUESECUREIMPLICITZOS FALSESECURE_FTP REQUIREDSECURE_MECHANISM
TLSSECURE_DATACONN PRIVATESECURE_CTRLCONN PRIVATESECURE_HOSTNAME
REQUIREDTLSMECHANISM FTPTLSRFCLEVEL CCCNONOTIFY/*//INPUT
DD *I'm trying to make this as self-contained as possible, and would like to
supply the variables via SYSIN rather than require the PS file named on the
un-commented version of the STDENV DD. BPXBATCH is the only program I can find
documented that says "//STDENV DD *" is supported. FTP, at least with the PARM
I'm using, seems to ignore
it.--For
IBM-MAIN subscribe / signoff / archive access instructions,send email to
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Passing STDENV DD to FTP via SYSIN
Consistent with your comment about BPXBATCH, I suspect you will need to run FTP
(via PARM= input) under BPXBATCH (via EXEC PGM=), and then the //STDENV DD
will be read.
HTH,
Mike
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf
Of Wendell Lovewell
Sent: Thursday, September 10, 2020 5:59 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Passing STDENV DD to FTP via SYSIN
Caution! This message was sent from outside your organization.
Hello,
I'm setting up a batch job to access our FTP server using FTPS and TLS 1.2.
(Forgive me if that nomenclature is less than perfect.)
I've imported certficates, built a keyring, and come up with a combination of
FTP client parameters that will allow me to connect to the server and upload a
file:
//FTPXFER EXEC PGM=FTP,REGION=4292K,
//PARM=('POSIX(ON) ALL31(ON)',
// 'ENVAR("_CEE_ENVFILE=DD:STDENV")/(EXIT')
//OUTPUT DD SYSOUT=*
//STDENV DD DISP=SHR,DSN=WRL1.FTPS.STDENV
//*
//* //STDENV DD *
//* GSK_PROTOCOL_TLSV1_2=ON
//*
//SYSFTPD DD *
CLIENTERRCODES EXTENDED
EPSV4TRUE
EXTENSIONS AUTH_TLS
FWFRIENDLY TRUE
KEYRING TCPIP/FTP.KEYRING
PASSIVEIGNOREADDR TRUE
SECUREIMPLICITZOS FALSE
SECURE_FTP REQUIRED
SECURE_MECHANISM TLS
SECURE_DATACONNPRIVATE
SECURE_CTRLCONNPRIVATE
SECURE_HOSTNAME REQUIRED
TLSMECHANISM FTP
TLSRFCLEVEL CCCNONOTIFY
/*
//INPUTDD *
I'm trying to make this as self-contained as possible, and would like to supply
the variables via SYSIN rather than require the PS file named on the
un-commented version of the STDENV DD. BPXBATCH is the only program I can find
documented that says "//STDENV DD *" is supported. FTP, at least with the PARM
I'm using, seems to ignore it.
Is it possible to supply STDENV to FTP via SYSIN?
I hate to admit it, but I thought "Ok, I'll just IEBGENER the variable(s) into
a VB LRECL=255 BLKSIZE=27998 file (like the one that works), and use that. But
strangely, I can't get that to work either--even though SUPERC confirms the
files match.
TIA,
Wendell
--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Passing STDENV DD to FTP via SYSIN
On Thu, 10 Sep 2020 16:58:52 -0500, Wendell Lovewell wrote:
>...
>//FTPXFER EXEC PGM=FTP,REGION=4292K,
>//PARM=('POSIX(ON) ALL31(ON)',
>// 'ENVAR("_CEE_ENVFILE=DD:STDENV")/(EXIT')
>
>I'm trying to make this as self-contained as possible, and would like to
>supply the variables via SYSIN rather than require the PS file named on the
>un-commented version of the STDENV DD. BPXBATCH is the only program I can
>find documented that says "//STDENV DD *" is supported. FTP, at least with
>the PARM I'm using, seems to ignore it.
>
>Is it possible to supply STDENV to FTP via SYSIN?
>
Is it possible that the PGM=FTP job step task does a DYNALLOC INFO
of STDENV to extract the pathname or DSN of STDENV and passes
that to a forked child? A SYSIN might not be available to that child.
>I hate to admit it, but I thought "Ok, I'll just IEBGENER the variable(s) into
>a VB LRECL=255 BLKSIZE=27998 file (like the one that works), and use that.
>But strangely, I can't get that to work either--even though SUPERC confirms
>the files match.
>
Are you using a LRECL=255 SYSIN? That's possible if you avoid
TSO SUBMIT.
Likewise, a temporary data set might be unavailable to a child
process. If not temporary, there's the chore of cleaning it up
at job end. Perhaps DISP=(NEW,DELETE,DELETE). Must the
DSN be catalogued? That might require SMS.
Oops. Would a child address space encounter an ENQ conflict with
its own parent?
-- gil
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Passing STDENV DD to FTP via SYSIN
I have considerable experience in hacking FTP into doing unnatural acts but not
enough of a UNIX person to be totally up-to-speed on using environment
variables.
What is it that you are trying to get FTP to do that PARM= + SYSFTPD DD * +
INPUT DD * will not accomplish?
Charles
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf
Of Wendell Lovewell
Sent: Thursday, September 10, 2020 2:59 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Passing STDENV DD to FTP via SYSIN
Hello,
I'm setting up a batch job to access our FTP server using FTPS and TLS 1.2.
(Forgive me if that nomenclature is less than perfect.)
I've imported certficates, built a keyring, and come up with a combination of
FTP client parameters that will allow me to connect to the server and upload a
file:
//FTPXFER EXEC PGM=FTP,REGION=4292K,
//PARM=('POSIX(ON) ALL31(ON)',
// 'ENVAR("_CEE_ENVFILE=DD:STDENV")/(EXIT')
//OUTPUT DD SYSOUT=*
//STDENV DD DISP=SHR,DSN=WRL1.FTPS.STDENV
//*
//* //STDENV DD *
//* GSK_PROTOCOL_TLSV1_2=ON
//*
//SYSFTPD DD *
CLIENTERRCODES EXTENDED
EPSV4TRUE
EXTENSIONS AUTH_TLS
FWFRIENDLY TRUE
KEYRING TCPIP/FTP.KEYRING
PASSIVEIGNOREADDR TRUE
SECUREIMPLICITZOS FALSE
SECURE_FTP REQUIRED
SECURE_MECHANISM TLS
SECURE_DATACONNPRIVATE
SECURE_CTRLCONNPRIVATE
SECURE_HOSTNAME REQUIRED
TLSMECHANISM FTP
TLSRFCLEVEL CCCNONOTIFY
/*
//INPUTDD *
I'm trying to make this as self-contained as possible, and would like to supply
the variables via SYSIN rather than require the PS file named on the
un-commented version of the STDENV DD. BPXBATCH is the only program I can find
documented that says "//STDENV DD *" is supported. FTP, at least with the PARM
I'm using, seems to ignore it.
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
