|
View previous topic :: View next topic
|
| Author |
Message |
sathyajes
New User
Joined: 02 Mar 2006
Posts: 35
Location: Chennai
|
|
|
|
Hello all
We are trying to send mainframe file into new server(using FTP-TLS, Passive Mode, Explicit TLS Encryption). FTP is failed with “Authentication negotiation failed”. It seems, not able to recognize the password. Could you please help us with this issue.
IP address
User name
password
CD testin
PUT 'source mainframe dataset' target_file.TXT
QUIT
Log:
EZA1736I FTP
EZY2640I Using dd:SYSFTPD=XXX.FTP.DATA for local site configuratio
EZA1450I IBM FTP CS V2R1
EZA1456I Connect to ?
EZA1736I nn.nnn.nnn.nnn
EZA1554I Connecting to: nn.nnn.nnn.nnn port: 21.
220 FTP server Ready
EZA2897I Authentication negotiation failed
EZA1459I NAME (nn.nnn.nnn.nnn:my user id):
EZA1701I >>> USER FTP user id
550 SSL/TLS required on the control channel
EZA1460I Command:
EZA1736I password
EZA1618I Unknown command: 'password'
EZA1619I For a list of the available commands, say HELP
EZA1460I Command:
We also override below FTP’s parameters thorough SYSFTPD. Still issue is coming. Please let us know if any additional parameter need to be added.
SECURE_MECHANISM TLS
SECURE_FTP ALLOWED
TLSRFCLEVEL CCCNONOTIFY
TLSMECHANISM FTP
SECURE_DATACONN PRIVATE |
|
| Back to top |
|
 |
vasanthz
Global Moderator
Joined: 28 Aug 2007
Posts: 1742
Location: Tirupur, India
|
|
|
|
The error you have is definitely not related to password.
You see that it says authentication negotiation failed. It means that before FTPS connection is established. The host and client must come to an agreement on how they are going to communicate (negotiation). Like the encryption algorithms or ciphers or macs or the like.
From your log You can see that the error occurred before you pass the password to server.
See if this link helps www-01.ibm.com/support/docview.wss?uid=swg21055396 |
|
| Back to top |
|
|
vasanthz
Global Moderator
Joined: 28 Aug 2007
Posts: 1742
Location: Tirupur, India
|
|
|
|
I'll see if I can find one of my jcl tomorrow
Show us the FTPS jcl you are using |
|
| Back to top |
|
|
sathyajes
New User
Joined: 02 Mar 2006
Posts: 35
Location: Chennai
|
|
|
|
Thanks Vasanth for your help. Below jcl that we are using
| Code: |
//STEP1 EXEC PGM=FTP,REGION=1024K
//SYSABEND DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSFTPD DD DSN=AAAA.AAAAA.AAAA.FTP.DATA,DISP=SHR
//OUTPUT DD SYSOUT=*
//INPUT DD *
NN.NNN.NNN.NNN
USRE ID
PASSWORD
CD testing
PUT 'AAAA.AAAA.AAAAAAAA.AAAAAAA.DATA' XXXX.TXT
QUIT
|
Please learn to use the code tags soon. They are very easy - see below
| Code: |
[code]
Your
stuff
here
[/code] |
|
|
| Back to top |
|
|
vasanthz
Global Moderator
Joined: 28 Aug 2007
Posts: 1742
Location: Tirupur, India
|
|
|
|
You are missing the keyring database name on your //SYSFTPD
Here is a sample FTPS SYSFTPD
| Code: |
//SYSFTPD DD *
KEYRING FTPD/SECURE.FTP.KEYRING
SECURE_MECHANISM TLS
SECURE_DATACONN PRIVATE
SECUREIMPLICITZOS FALSE
EPSV4 TRUE
FWFRIENDLY TRUE
SECURE_FTP REQUIRED
CLIENTERRCODES EXTENDED
LOGCLIENTERR TRUE
CHKCONFIDENCE TRUE
/* |
See this link about setting up FTPS www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.gim3000/gim3116.htm
KEYRING
This statement defines the key ring that contains the Certificate Authority certificate to be used during the TLS handshake. You can use the same key ring for both HTTPS and FTPS operations. Specify the name of the keyring defined in Creating key rings on the KEYRING statement. However, IBM's secure FTP server uses a server certificate signed by a different certificate authority. Therefore, you must add the GeoTrust Global CA certificate to your keyring.
Download to your work station the GeoTrust Global CA root certificate (Root 2 - GeoTrust Global CA) from the GeoTrust website at www.geotrust.com/resources/root-certificates/index.html.
Upload the CA certificate to your z/OS system. There are many methods to transfer files from your workstation to your z/OS system. For example, you can upload the certificate file with Personal Communications 3270 or use TCP/IP FTP. The important things to remember are the certificate file must be uploaded to z/OS as Start of changetextEnd of change data, the certificate file must be stored in a sequential data set, and the sequential data set must have RECFM=VB and LRECL>=256.
After you have stored the certificate in a sequential data set, add it to your RACF® database using the following RACF command:
RACDCERT CERTAUTH ADD('ca-cert.dataset.name') +
WITHLABEL('GeoTrust Global CA') TRUST
where ca-cert.dataset.name is the name of the sequential data set used to store the certificate received from the GeoTrust web site.
Connect the GeoTrust CA certificate to the key ring using the following RACF command:
RACDCERT ID(userid) CONNECT( CERTAUTH RING(keyringname) +
LABEL('GeoTrust Global CA') USAGE(CERTAUTH) )
where keyringname is the name for the key ring you choose to use for secure FTP operations. This can be the same keyring you use for HTTPS operations and defined in Creating key rings. |
|
| Back to top |
|
|
sathyajes
New User
Joined: 02 Mar 2006
Posts: 35
Location: Chennai
|
|
|
|
Thanks Vasanth, I have tried all possible ways, same error throwing. I have provided keyring value that is used for ordinary FTP.
It seems issue with firewall settings. |
|
| Back to top |
|
|
vasanthz
Global Moderator
Joined: 28 Aug 2007
Posts: 1742
Location: Tirupur, India
|
|
|
|
Did you follow the steps mentioned to create the keyring?
It is definitely not firewall issue as you can see from your log
220 FTP server ready.
This means that you are able to get through the firewall and able to talk to the server and back.
Not a firewall thing. |
|
| Back to top |
|
|
vasanthz
Global Moderator
Joined: 28 Aug 2007
Posts: 1742
Location: Tirupur, India
|
|
|
|
| Btw. Are you performing ftps to ibm or to some other internal server. |
|
| Back to top |
|
|
sathyajes
New User
Joined: 02 Mar 2006
Posts: 35
Location: Chennai
|
|
|
|
| vasanthz wrote: |
Did you follow the steps mentioned to create the keyring?
It is definitely not firewall issue as you can see from your log
220 FTP server ready.
This means that you are able to get through the firewall and able to talk to the server and back.
Not a firewall thing. |
No, am from application development team, creating keyring value looks like mainframe admin team has to do. I will contact admin for this. |
|
| Back to top |
|
|
sathyajes
New User
Joined: 02 Mar 2006
Posts: 35
Location: Chennai
|
|
|
|
| vasanthz wrote: |
| Btw. Are you performing ftps to ibm or to some other internal server. |
we are connection IBM internal server to external server which has new feature called SSL/TLS encryption. |
|
| Back to top |
|
|
Nic Clouston
Global Moderator
Joined: 10 May 2007
Posts: 2455
Location: Hampshire, UK
|
|
|
|
| Quote: |
| same error throwing |
No. errors are not 'thrown' on the mainframe. |
|
| Back to top |
|
|
|
|
