SFTP SSH-RSA

Discussion of Co:Z sftp, a port of OpenSSH sftp for z/OS
mwdazzo
Posts: 55
Joined: Fri Jan 07, 2011 10:02 am

SFTP SSH-RSA

Post by mwdazzo »

I would like to confirm that coz-sftp can support SSH-RSA (SSH version 2) keys in the OpenSSH format.

I have read the cozsftp user's guide and found Appendix B, where it is explained how to create the RSA key and export it to the target system.

Is there sample JCL of the coz-sftp batch job using the client cert for authorization? I may have missed it in the book, but I did not see one.

Thanks
coz
Posts: 392
Joined: Fri Jul 30, 2004 5:29 pm

Re: SFTP SSH-RSA

Post by coz »

Yes.

If you follow the steps here: http://www.dovetail.com/docs/sftp/auth. ... th-sshkeys (but choose -t rsa instead of -t dsa) you don't need to do anything special in your batch job; just issue
  • cozsftp user@host
in your batch job. This will cause cozsftp to connect using the $HOME/.ssh/id_rsa you created.

Please also note that you can use SAF digital certificates to store your private keys so that they are never on the filesystem http://www.dovetail.com/docs/sftp/auth.html#auth-racf. The RUNSFTPK member in the SAMPJCL PDS illustrates how to direct cozsftp to use the SAF digital certificate in batch. We recommend this approach.

I should mention that our next release (coming very soon) will include a set of sample shell scripts and examples that simplify the use of cozsftp in batch. The scripts can be configured via shell variables to choose an authentication method (SSH_ASKPASS, SAF Digital Certificate, or standard OpenSSH keys).
mwdazzo
Posts: 55
Joined: Fri Jan 07, 2011 10:02 am

Re: SFTP SSH-RSA

Post by mwdazzo »

We are going to go with the SAF approach. When using the extract command saf-ssh-agent -x -f cozuser_saf.pub MY-RING:MY-CERT, I am guessing that 'cozuser_saf.pub' is the extracted cert in SSH format, MY-RING:MY-CERT is the input, and MY-CERT is the label name used on the cert? Thanks for clarifying.
coz
Posts: 392
Joined: Fri Jul 30, 2004 5:29 pm

Re: SFTP SSH-RSA

Post by coz »

That's correct. The resulting file should be stored in the remote system's authorized_keys file. Make sure you transfer this file as text.
mwdazzo
Posts: 55
Joined: Fri Jan 07, 2011 10:02 am

Re: SFTP SSH-RSA

Post by mwdazzo »

I am getting an error on the extract. The cert and ring are owned by user dp1001, which is the user ID that all of our production batch jobs run under. Why would saf-ssh-agent not be found here? Thanks

ST1MAT is my TSO ID being used to set this up for dp1001; I should have full RACF authority on our system.

ST1MAT:/usr/lpp/coz/bin: >ls
catsearch fromdsn safauth
comparedsn genlines sftp-server
cozagent lookupccsid sftp-server.sh
cozclient lsjes showtrtab
cozserver pdsdir todsn
cozsftp read_passwd_dsn.sh tsocmd
dsn_profile relink-sftp-server.sh wto
dspipes saf-ssh-agent zsym
ST1MAT:/usr/lpp/coz/bin: >saf-ssh-agent -x -f dp1001_saf.pub SFTPSSHRING:PCH.SFTP.RSA.CERTIFICATE
saf-ssh-agent: FSUM7351 not found
ST1MAT:/usr/lpp/coz/bin: >
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Re: SFTP SSH-RSA

Post by dovetail »

It is probably not in $PATH.

You probably intended:

./saf-ssh-agent ....
mwdazzo
Posts: 55
Joined: Fri Jan 07, 2011 10:02 am

Re: SFTP SSH-RSA

Post by mwdazzo »

Yes, just got it, thanks.
mwdazzo
Posts: 55
Joined: Fri Jan 07, 2011 10:02 am

Re: SFTP SSH-RSA

Post by mwdazzo »

Got this process to work last week, but now I have to export a new cert for the same user and am getting an error. Below are the command and the error, and also the RACF display of the ring and cert. I have double-checked the names of the cert and the ring in RACF and they are good. Really appreciate any help. Thanks

RACF DISPLAY
Ring: SFTPSSHRING
Wellsfargo Prod Certificate ID(DP1001) PERSONAL YES

ST1MAT:/usr/lpp/coz/bin: >./saf-ssh-agent -x -f e5c0x7th_saf.pub DP1001/SFTPSSHRING:Wellsfargo Prod Certificate
SafSshAgent[E]: gsk_get_record_by_label(DP1001/SFTPSSHRING) error: Record not found (0x0335300e)
mwdazzo
Posts: 55
Joined: Fri Jan 07, 2011 10:02 am

Re: SFTP SSH-RSA

Post by mwdazzo »

Got it; I had to add double quotes around the ring and key name.

./saf-ssh-agent -x -f e5c0x7th_saf.pub "DP1001/SFTPSSHRING:Wellsfargo Prod Certificate"

thanks
mwdazzo
Posts: 55
Joined: Fri Jan 07, 2011 10:02 am

Re: SFTP SSH-RSA

Post by mwdazzo »

I am using job RUNSFTPK to run the Co:Z SFTP client with RACF certificate authentication. Can I use the parameter saf-cert= to specify exactly which cert to use for authentication? Thanks, Matt
mwdazzo
Posts: 55
Joined: Fri Jan 07, 2011 10:02 am

Re: SFTP SSH-RSA

Post by mwdazzo »

The reason I ask is that I have two different certs for the same user and ring, required for a test environment and a production environment. The cert with default=yes works fine; the other cert has default=no and I can't connect. So can I specify which cert to use with cozbatch? Thanks, Matt
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Re: SFTP SSH-RSA

Post by dovetail »

The syntax for a cert is: "userid/cert-name:label"

The userid/ is optional, defaulting to the current userid.
The :label is also optional, defaulting to the default label.

So, you can use the default label, but not the other one?

If it doesn't work, try to get a trace:

export COZ_LOG=F,SafSshAgent=F
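The cert-spec syntax in the reply above ("userid/cert-name:label", both parts optional) and the quoting fix a few posts earlier, as an added example that is not part of this thread or of Co:Z: a small POSIX sh script that parses a spec the way the reply describes, shows how many arguments an unquoted label containing spaces actually reaches the tool as, and builds the quoted saf-ssh-agent extract command. The -x and -f options, the ./ prefix and the ring and label names are taken from the thread; the helper names, the DEFAULT placeholder for "the ring's default certificate", and the assumption that a ring name contains neither '/' nor ':' are mine.

```shell
#!/bin/sh
# Added example, not Dovetail's code: parse the "userid/ring:label" SAF cert
# spec described in the thread and show why the unquoted label with spaces
# failed. DEFAULT is a placeholder meaning "the ring's default certificate".

# parse_cert_spec SPEC [DEFAULT_USERID]
# Prints "userid|ring|label". The userid/ prefix defaults to DEFAULT_USERID
# (or the current userid); the :label suffix defaults to DEFAULT. Assumes the
# ring name contains neither '/' nor ':'; the label itself may contain ':'.
parse_cert_spec() {
    spec=$1
    default_user=${2:-$(id -un)}
    case $spec in
        */*) userid=${spec%%/*}; rest=${spec#*/} ;;
        *)   userid=$default_user; rest=$spec ;;
    esac
    case $rest in
        *:*) ring=${rest%%:*}; label=${rest#*:} ;;
        *)   ring=$rest; label=DEFAULT ;;
    esac
    if [ -z "$ring" ]; then
        echo "parse_cert_spec: empty ring name in '$spec'" >&2
        return 1
    fi
    printf '%s|%s|%s\n' "$userid" "$ring" "$label"
}

# count_words ARGS...
# Prints how many arguments arrive after the shell's word splitting, which is
# what saf-ssh-agent sees. Unquoted, "Wellsfargo Prod Certificate" becomes
# three words, so the tool only ever saw "DP1001/SFTPSSHRING:Wellsfargo".
count_words() {
    echo $#
}

# quote_arg STRING
# Wraps STRING in double quotes, escaping \ " $ and ` so it survives as one
# shell word (for example when pasted into the PARM of a batch job).
quote_arg() {
    printf '%s' "$1" | sed -e 's/[\\"$`]/\\&/g' -e 's/^/"/' -e 's/$/"/'
}

# extract_cmd OUTFILE SPEC
# Builds the extract command used in the thread (-x extract, -f output file)
# with the spec quoted, and an explicit ./ because the Co:Z bin directory was
# not on $PATH (the FSUM7351 "not found" error earlier in the thread).
extract_cmd() {
    printf './saf-ssh-agent -x -f %s %s\n' "$1" "$(quote_arg "$2")"
}

# Stand-alone demo using the names from the thread.
parse_cert_spec 'DP1001/SFTPSSHRING:Wellsfargo Prod Certificate'
echo "words seen by the tool when unquoted: $(count_words DP1001/SFTPSSHRING:Wellsfargo Prod Certificate)"
extract_cmd e5c0x7th_saf.pub 'DP1001/SFTPSSHRING:Wellsfargo Prod Certificate'
```

The second case in parse_cert_spec is why the failing command produced gsk_get_record_by_label(DP1001/SFTPSSHRING): the shell handed the tool "DP1001/SFTPSSHRING:Wellsfargo" as its only spec argument, and the remaining words were taken as extra arguments, so the lookup ran against a label that does not exist on the ring.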