sFTP failing between two mainframes

Discussion of Co:Z sftp, a port of OpenSSH sftp for z/OS
PaulB42
Posts: 27
Joined: Fri Aug 21, 2009 5:32 am

sFTP failing between two mainframes

Post by PaulB42 »

I am trying to set up SFTP between two mainframe systems, let's call them SYS1 and SYS2.
On SYS2, I have set up SSHD as per the ported tools manual, and it is up and running and listening on port 22. Co:Z 1.9 is also installed and configured.
On SYS1, Co:Z 1.9 is implemented and already being used to sftp to remote Linux systems, using the password-in-a-dataset technique and is working fine. I have not yet set up SSHD here as I am only going from SYS1 to SYS2 at this stage.

On SYS1, I have created id_dsa and id_rsa keypairs using ssh_keygen, and copied the public keys to SYS2's authorized_keys file as per instructions.

When I run a Co:Z SFTP job, with my password in a dataset, I get message FOTS2205 Connection timed out during banner exchange. With debugging on, I get messages like this:
debug3: Not a RSA1 key file /lvg/users/bbspdb/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'

With straight SFTP (and SSH) I get the same debugging messages and FOTS1337 ssh_exchange_identification: read: EDC8121I Connection reset..

Where might I be going wrong here? I've been battling with this on and off for the last 2 weeks and getting v frustrated!
dovetail
Site Admin
Posts: 2025
Joined: Thu Jul 29, 2004 12:12 pm

Re: sFTP failing between two mainframes

Post by dovetail »

Your problem is in the ssh connection, and since Co:Z SFTP uses IBM Ported Tools for its ssh connection it makes sense that the failure symptoms match.

1) Does password authentication work from SYS1 to SYS2?

2) Can you login to SYS2 using *any* sftp client (like PuTTY), or does only the SYS1 connection have issues?

3) What messages are you getting in SYS2's syslogd file? (Ported Tools OpenSSH logs into the syslogd daemon, and syslogd.conf determines where messages go.)
PaulB42
Posts: 27
Joined: Fri Aug 21, 2009 5:32 am

Re: sFTP failing between two mainframes

Post by PaulB42 »

Hi thanks for your reply

1) I don't know... this is the only attempt I have made at password authentication. What else could I use? Open to suggestions...

2) Unfortunately I am not able to connect to either mainframe system apart from normal 3270 access using Rumba. The network prevents access via PuTTY etc.

3) SYS2's syslog contains messages like this :
13 Mar 2012 03:00:22 Log file initialised and ready for use
Mar 13 03:00:20 UKPMVS1 FSUM1221 syslogd: last message repeated 5 times
Mar 14 03:00:22 UKPMVS1 syslogd: FSUM1220 syslogd: restart
Mar 14 03:00:52 UKPMVS1 syslogd: FSUM1203 bind: EDC5111I Permission denied. Errno/Rsn=111/74637246
Mar 14 03:01:22 UKPMVS1 syslogd: FSUM1203 bind: EDC5111I Permission denied. Errno/Rsn=111/74637246
Mar 14 03:03:22 UKPMVS1 FSUM1221 syslogd: last message repeated 4 times
Mar 14 03:13:22 UKPMVS1 FSUM1221 syslogd: last message repeated 20 times
Mar 14 03:23:22 UKPMVS1 FSUM1221 syslogd: last message repeated 20 times
etc etc every 10 minutes throughout the day.
dovetail
Site Admin
Posts: 2025
Joined: Thu Jul 29, 2004 12:12 pm

Re: sFTP failing between two mainframes

Post by dovetail »

Just to confirm: you are unable to connect to Ported Tools OpenSSH on SYS2 with *any* ssh client, is that correct?

Getting a working ssh connection to IBM Ported Tools OpenSSH is a prerequisite for getting sftp to work.

If this is the case, you should review the Ported Tools OpenSSH User's Guide for installation/customization/trouble shooting tips. You can verify that Ported Tools OpenSSH is working properly by using an ssh client, such as PuTTY, to login to a z/OS Unix shell.

Ported Tools OpenSSH is supported by IBM, so you might be able to open an ETR for assistance.
If you are interested in purchasing a commercial support contract for Co:Z SFTP, we will assist you with customizing and troubleshooting IBM Ported Tools OpenSSH.
PaulB42
Posts: 27
Joined: Fri Aug 21, 2009 5:32 am

Re: sFTP failing between two mainframes

Post by PaulB42 »

Yes that's correct, though this is primarily because the firewalls prevent any outside access to this customer's system so the only access I have is from another mainframe system on the same network.

I'll take your advice and talk to IBM, thanks for your help.

I should probably upgrade to ported tools 2.0 (and Co:Z 2.0.1 while I'm at it) so that I am at current levels.
PaulB42
Posts: 27
Joined: Fri Aug 21, 2009 5:32 am

Re: sFTP failing between two mainframes

Post by PaulB42 »

OK, now that I have a decent level of debugging set up, I can see what is wrong! For anyone googling for similar issues and arriving here....

1) ~/.ssh/authorized_keys must be spelt that way, not the English spelling (authorised)! Oops.

2) I then had the host public key in authorized_keys, rather than the user-specific public key.

I can now sftp to the mainframe. Issue solved. Thanks for your help!
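Added example, not part of the original posts: a small POSIX shell check for the two mistakes described in the last post, a misspelt authorized_keys file and a host public key installed where the user's public key belongs. The function names, file paths and key blobs are constructed for illustration; point the functions at the real `~/.ssh` directory and `.pub` files on the systems involved.

```shell
#!/bin/sh
# Added diagnostic sketch; all paths and key blobs below are constructed samples.

# Print the base64 key blob of each public-key line on stdin
# (any options placed before the key type are skipped).
key_blobs() {
  awk '{ for (i = 1; i < NF; i++)
           if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/) { print $(i + 1); break } }'
}

# List files in an .ssh directory whose name resembles authorized_keys
# but is not spelt exactly that way (candidates to review).
misnamed_authkeys() {
  for f in "$1"/authori[sz]ed_key*; do
    [ -e "$f" ] || continue
    case "${f##*/}" in
      authorized_keys) ;;          # the spelling the thread says is required
      *) echo "${f##*/}" ;;
    esac
  done
}

# Print each public-key file (args 2..n) whose key blob appears in the
# authorized_keys file given as $1. A host key file showing up here, or
# the user's id_*.pub not showing up, is the second mistake in the thread.
pubkeys_listed() {
  auth=$1; shift
  for pub in "$@"; do
    blob=$(key_blobs < "$pub" | head -n 1)
    [ -n "$blob" ] && key_blobs < "$auth" | grep -qxF -e "$blob" && echo "$pub"
  done
  return 0
}

# Constructed demo: a misspelt file that holds the host key instead of the user key.
demo=$(mktemp -d)
echo 'ssh-rsa AAAAB3HOSTKEYsample host@SYS2' > "$demo/ssh_host_rsa_key.pub"
echo 'ssh-rsa AAAAB3USERKEYsample user@SYS1' > "$demo/id_rsa.pub"
cp "$demo/ssh_host_rsa_key.pub" "$demo/authorised_keys"
echo "misnamed: $(misnamed_authkeys "$demo")"
echo "listed:   $(pubkeys_listed "$demo/authorised_keys" "$demo"/*.pub)"
```

The comparison is on the key blob only, so it works without ssh-keygen and ignores differing comments or options on the authorized_keys line.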