IBM's FTP not working with TLS encryption server

 
sathyajes

New User


Joined: 02 Mar 2006
Posts: 29
Location: Chennai

Posted: Tue Aug 21, 2018 1:37 pm    Post subject: IBM's FTP not working with TLS encryption server

Hello all,
We are trying to send a mainframe file to a new server (using FTP-TLS, Passive Mode, Explicit TLS Encryption). The FTP failed with “Authentication negotiation failed”. It seems it is not able to recognize the password. Could you please help us with this issue?

IP address
User name
password
CD testin
PUT 'source mainframe dataset' target_file.TXT
QUIT

Log:
EZA1736I FTP
EZY2640I Using dd:SYSFTPD=XXX.FTP.DATA for local site configuratio
EZA1450I IBM FTP CS V2R1
EZA1456I Connect to ?
EZA1736I nn.nnn.nnn.nnn
EZA1554I Connecting to: nn.nnn.nnn.nnn port: 21.
220 FTP server Ready
EZA2897I Authentication negotiation failed
EZA1459I NAME (nn.nnn.nnn.nnn:my user id):
EZA1701I >>> USER FTP user id
550 SSL/TLS required on the control channel
EZA1460I Command:
EZA1736I password
EZA1618I Unknown command: 'password'
EZA1619I For a list of the available commands, say HELP
EZA1460I Command:

We also overrode the FTP parameters below through SYSFTPD. The issue still occurs. Please let us know if any additional parameters need to be added.
SECURE_MECHANISM TLS
SECURE_FTP ALLOWED
TLSRFCLEVEL CCCNONOTIFY
TLSMECHANISM FTP
SECURE_DATACONN PRIVATE

vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1618
Location: Oregon

Posted: Tue Aug 21, 2018 1:52 pm    Post subject:

The error you have is definitely not related to the password.
You see that it says authentication negotiation failed. It means that before the FTPS connection is established, the host and client must come to an agreement on how they are going to communicate (negotiation), like the encryption algorithms or ciphers or MACs or the like.

From your log you can see that the error occurred before you passed the password to the server.

See if this link helps https://www-01.ibm.com/support/docview.wss?uid=swg21055396
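The reading of the log given in the reply above can be done mechanically. The following Python sketch is an added example, not part of the original thread or of any IBM tooling; it walks the client log lines from the first post and reports at which stage the explicit-TLS session broke. The function name `triage` and the finding labels are hypothetical.

```python
import re

# Client log lines copied from the first post (addresses were masked there).
SAMPLE_LOG = """\
EZA1554I Connecting to: nn.nnn.nnn.nnn port: 21.
220 FTP server Ready
EZA2897I Authentication negotiation failed
EZA1459I NAME (nn.nnn.nnn.nnn:my user id):
EZA1701I >>> USER FTP user id
550 SSL/TLS required on the control channel
EZA1460I Command:
EZA1736I password
EZA1618I Unknown command: 'password'
"""

def triage(log_text):
    """Return ordered findings about where an explicit-TLS FTP session broke."""
    findings = []
    greeted = tls_failed = user_sent = False
    for line in log_text.splitlines():
        line = line.strip()
        if re.match(r"220[ -]", line):
            greeted = True
            findings.append("reachable: server greeting received, so the "
                            "control port is not blocked by a firewall")
        elif line.startswith("EZA2897I"):
            tls_failed = True
            stage = "after the greeting" if greeted else "before any greeting"
            when = "after USER" if user_sent else "before USER or a password was sent"
            findings.append(f"tls-negotiation-failed: {stage}, {when}")
        elif line.startswith("EZA1701I >>> USER"):
            user_sent = True
            if tls_failed:
                findings.append("cleartext-fallback: USER was sent on an "
                                "unprotected control connection")
        elif re.match(r"5\d\d[ -]", line) and user_sent:
            findings.append("login-refused: server rejected the login: " + line)
        elif line.startswith("EZA1618I"):
            findings.append("input-desync: a later input line was read as an "
                            "FTP subcommand, not as the password")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the posted log this reports that the server was reachable, that negotiation failed before any credential was sent, and that the client then carried on with an unprotected `USER`, which the server refused with 550.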
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1618
Location: Oregon

Posted: Tue Aug 21, 2018 1:54 pm    Post subject:

I'll see if I can find one of my JCLs tomorrow.
Show us the FTPS JCL you are using.
sathyajes

New User


Joined: 02 Mar 2006
Posts: 29
Location: Chennai

Posted: Tue Aug 21, 2018 3:00 pm    Post subject:

Thanks Vasanth for your help. Below is the JCL that we are using:
Code:

//STEP1    EXEC PGM=FTP,REGION=1024K
//SYSABEND DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSFTPD DD DSN=AAAA.AAAAA.AAAA.FTP.DATA,DISP=SHR
//OUTPUT DD SYSOUT=*
//INPUT DD *
NN.NNN.NNN.NNN
USER ID
PASSWORD
CD testing
PUT 'AAAA.AAAA.AAAAAAAA.AAAAAAA.DATA' XXXX.TXT
QUIT


Please learn to use the code tags soon. They are very easy - see below
Code:
[code]
Your
stuff
here
[/code]
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1618
Location: Oregon

Posted: Tue Aug 21, 2018 11:12 pm    Post subject:

You are missing the keyring database name on your //SYSFTPD.

Here is a sample FTPS SYSFTPD:
Code:
//SYSFTPD  DD *                 
KEYRING FTPD/SECURE.FTP.KEYRING
SECURE_MECHANISM TLS           
SECURE_DATACONN PRIVATE         
SECUREIMPLICITZOS FALSE         
EPSV4 TRUE                     
FWFRIENDLY TRUE                 
SECURE_FTP REQUIRED             
CLIENTERRCODES EXTENDED         
LOGCLIENTERR TRUE               
CHKCONFIDENCE TRUE             
/*                             


See this link about setting up FTPS https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.gim3000/gim3116.htm


KEYRING
This statement defines the key ring that contains the Certificate Authority certificate to be used during the TLS handshake. You can use the same key ring for both HTTPS and FTPS operations. Specify the name of the keyring defined in Creating key rings on the KEYRING statement. However, IBM's secure FTP server uses a server certificate signed by a different certificate authority. Therefore, you must add the GeoTrust Global CA certificate to your keyring.
Download to your work station the GeoTrust Global CA root certificate (Root 2 - GeoTrust Global CA) from the GeoTrust website at https://www.geotrust.com/resources/root-certificates/index.html.
Upload the CA certificate to your z/OS system. There are many methods to transfer files from your workstation to your z/OS system. For example, you can upload the certificate file with Personal Communications 3270 or use TCP/IP FTP. The important things to remember are the certificate file must be uploaded to z/OS as text data, the certificate file must be stored in a sequential data set, and the sequential data set must have RECFM=VB and LRECL>=256.
After you have stored the certificate in a sequential data set, add it to your RACF® database using the following RACF command:
RACDCERT CERTAUTH ADD('ca-cert.dataset.name') +
WITHLABEL('GeoTrust Global CA') TRUST
where ca-cert.dataset.name is the name of the sequential data set used to store the certificate received from the GeoTrust web site.
Connect the GeoTrust CA certificate to the key ring using the following RACF command:
RACDCERT ID(userid) CONNECT( CERTAUTH RING(keyringname) +
LABEL('GeoTrust Global CA') USAGE(CERTAUTH) )
where keyringname is the name for the key ring you choose to use for secure FTP operations. This can be the same keyring you use for HTTPS operations and defined in Creating key rings.
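The difference between the overrides in the first post and the sample SYSFTPD above can be checked before a job is submitted. The Python sketch below is an added example, not code from the thread or from IBM; the function names are hypothetical, and the statement defaults it assumes (SECURE_FTP ALLOWED, TLSMECHANISM FTP, SECURE_DATACONN CLEAR) are stated in the comments.

```python
# Statements copied from the thread: the first post's overrides and the sample reply.
OP_CONF = """SECURE_MECHANISM TLS
SECURE_FTP ALLOWED
TLSRFCLEVEL CCCNONOTIFY
TLSMECHANISM FTP
SECURE_DATACONN PRIVATE"""
SAMPLE_CONF = """//SYSFTPD  DD *
KEYRING FTPD/SECURE.FTP.KEYRING
SECURE_MECHANISM TLS
SECURE_DATACONN PRIVATE
SECURE_FTP REQUIRED
/*"""

def parse_ftp_data(text):
    """Parse FTP.DATA statements into {KEYWORD: value}; ';' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("/"):  # skip blanks and JCL // and /* lines
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def lint_client_tls(conf):
    """Flag client TLS settings that the advice in this thread would change."""
    # Assumed defaults: SECURE_FTP ALLOWED, TLSMECHANISM FTP, SECURE_DATACONN CLEAR.
    if conf.get("SECURE_MECHANISM", "").upper() != "TLS":
        return ["SECURE_MECHANISM is not TLS: the client will not attempt TLS"]
    findings = []
    if conf.get("TLSMECHANISM", "FTP").upper() == "FTP" and not conf.get("KEYRING"):
        findings.append("KEYRING missing: no key ring with the CA certificate "
                        "is named for the TLS handshake")
    if conf.get("SECURE_FTP", "ALLOWED").upper() != "REQUIRED":
        findings.append("SECURE_FTP is not REQUIRED: the client continues "
                        "unprotected when negotiation fails")
    if conf.get("SECURE_DATACONN", "CLEAR").upper() != "PRIVATE":
        findings.append("SECURE_DATACONN is not PRIVATE: file data is not encrypted")
    return findings

if __name__ == "__main__":
    for name, text in (("first post", OP_CONF), ("sample", SAMPLE_CONF)):
        print(name, lint_client_tls(parse_ftp_data(text)) or "no findings")
```

The second finding matches the posted log: with `SECURE_FTP ALLOWED` the client went on to send `USER` after `EZA2897I`, whereas `REQUIRED` stops the session at the failed negotiation.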
sathyajes

New User


Joined: 02 Mar 2006
Posts: 29
Location: Chennai

Posted: Wed Aug 22, 2018 1:41 pm    Post subject:

Thanks Vasanth. I have tried all possible ways, same error throwing. I have provided the keyring value that is used for ordinary FTP.

It seems to be an issue with firewall settings.
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1618
Location: Oregon

Posted: Wed Aug 22, 2018 2:15 pm    Post subject:

Did you follow the steps mentioned to create the keyring?
It is definitely not a firewall issue, as you can see from your log:
220 FTP server ready.
This means that you are able to get through the firewall and able to talk to the server and back.
Not a firewall thing.
vasanthz

Global Moderator


Joined: 28 Aug 2007
Posts: 1618
Location: Oregon

Posted: Wed Aug 22, 2018 2:18 pm    Post subject:

Btw, are you performing FTPS to IBM or to some other internal server?
sathyajes

New User


Joined: 02 Mar 2006
Posts: 29
Location: Chennai

Posted: Wed Aug 22, 2018 2:36 pm    Post subject:

vasanthz wrote:
Did you follow the steps mentioned to create the keyring?
It is definitely not a firewall issue, as you can see from your log:
220 FTP server ready.
This means that you are able to get through the firewall and able to talk to the server and back.
Not a firewall thing.



No, I am from the application development team; creating the keyring value looks like something the mainframe admin team has to do. I will contact the admin for this.
sathyajes

New User


Joined: 02 Mar 2006
Posts: 29
Location: Chennai

Posted: Wed Aug 22, 2018 2:37 pm    Post subject:

vasanthz wrote:
Btw, are you performing FTPS to IBM or to some other internal server?


We are connecting an IBM internal server to an external server which has a new feature called SSL/TLS encryption.
Nic Clouston

Global Moderator


Joined: 10 May 2007
Posts: 2098
Location: UK

Posted: Wed Aug 22, 2018 2:57 pm    Post subject: Reply to: IBM's FTP not working with TLS encryption server

Quote:
same error throwing

No. Errors are not 'thrown' on the mainframe.
All times are GMT + 6 Hours