Hello
Did anyone use cozsftp with the -k <keyring in RACF> option to read the certificates from the SAF/RACF database for a client?
I tried to do it but I can't get a result.
I used the following job and it can't find the key:
1 J E S 2 J O B L O G -- S Y S T E M S Y S A -- N O D E W W X 1 M A S 1
0
16.15.54 JOB76170 ---- TUESDAY, 17 APR 2012 ----
16.15.54 JOB76170 IRR010I USERID UAQFZW IS ASSIGNED TO THIS JOB.
16.15.54 JOB76170 ICH70001I UAQFZW LAST ACCESS AT 16:08:30 ON TUESDAY, APRIL 17, 2012
16.15.54 JOB76170 $HASP373 UAQFZWF STARTED - INIT J - CLASS J - SYS SYSA
16.15.55 JOB76170 IEF403I UAQFZWF - STARTED - TIME=16.15.55
16.15.57 JOB76170 BPXP023I THREAD 1D141F0000000000, IN PROCESS 17301816, WAS 769
769 TERMINATED BY SIGNAL SIGKILL, SENT FROM THREAD
769 1D0D9D0000000001, IN PROCESS 67633448, UID 7512, IN JOB UAQFZWF.
16.16.02 JOB76170 - ---TIMINGS (MINS.)---
16.16.02 JOB76170 -JOBNAME. STEPNAME PROCSTEP .RCODE ..EXCP ......CPU ......SRB .CLOCK ..SERV
16.16.02 JOB76170 -UAQFZWF RUNSFTP 255 7359 .00 .00 .1 4244
16.16.02 JOB76170 IEF404I UAQFZWF - ENDED - TIME=16.16.02
16.16.02 JOB76170 -UAQFZWF ENDED. NAME=BVD CPUTIME(MINS.)= .00 DURATION= .1
16.16.02 JOB76170 $HASP395 UAQFZWF ENDED
0------ JES2 JOB STATISTICS ------
- 17 APR 2012 JOB EXECUTION DATE
- 86 CARDS READ
- 356 SYSOUT PRINT RECORDS
- 0 SYSOUT PUNCH RECORDS
- 15 SYSOUT SPOOL KBYTES
- 0.12 MINUTES EXECUTION TIME
1 //UAQFZWF JOB ,'BVD',MSGLEVEL=(1,1), JOB76170
// MSGCLASS=L,CLASS=J,NOTIFY=&SYSUID
//* USER=YFTPHVB,
//*------------------------------------------------------------------
//*KOM JOB SUBMITTED FROM UAQFZW.TSO.JCL(SFTPBZST)
//*KOM DOC:
//*------------------------------------------------------------------
//********************************HASX52A**03/30/10*13.07****$JES052***
//*------------------------------------------------------------------
//*
//*SFTP SSH ENCRYPTION WITH CERTIFICATE
//*File transfer to the BZST (Bundeszentralamtes fuer Steuern)
//* the file is encrypted with the fingerprint from the store
//* Both files are transferred with SFTP
//*------------------------------------------------------------------
IEFC653I SUBSTITUTION JCL - ,'BVD',MSGLEVEL=(1,1),MSGCLASS=L,CLASS=J,NOTIFY=UAQFZW
2 //RUNSFTP EXEC PGM=COZBATCH
3 //STEPLIB DD DSN=SYBS.COZ.LOADLIB,DISP=SHR
4 //IN1F1 DD DISP=SHR,DSN=PRO.T3660.Z119.AUSWBP1(0)
5 //SYSTSPRT DD SYSOUT=*
//*STDOUT DD SYSOUT=*
6 //SYSPRINT DD SYSOUT=*
7 //STDIN DD *
ICH70001I UAQFZW LAST ACCESS AT 16:08:30 ON TUESDAY, APRIL 17, 2012
IEF236I ALLOC. FOR UAQFZWF RUNSFTP
IGD103I SMS ALLOCATED TO DDNAME STEPLIB
IGD103I SMS ALLOCATED TO DDNAME IN1F1
IEF237I JES2 ALLOCATED TO SYSTSPRT
IEF237I JES2 ALLOCATED TO SYSPRINT
IEF237I JES2 ALLOCATED TO STDIN
IEF237I JES2 ALLOCATED TO SYSOUT
BPXP023I THREAD 1D141F0000000000, IN PROCESS 17301816, WAS
TERMINATED BY SIGNAL SIGKILL, SENT FROM THREAD
1D0D9D0000000001, IN PROCESS 67633448, UID 7512, IN JOB UAQFZWF.
IEF285I UAQFZW.UAQFZWF.JOB76170.D0000104.? SYSOUT
IEF142I UAQFZWF RUNSFTP - STEP WAS EXECUTED - COND CODE 0255
IGD104I SYBS.COZ.LOADLIB RETAINED, DDNAME=STEPLIB
IGD104I PRO.T3660.Z119.AUSWBP1.G0011V00 RETAINED, DDNAME=IN1F1
IEF285I UAQFZW.UAQFZWF.JOB76170.D0000102.? SYSOUT
IEF285I UAQFZW.UAQFZWF.JOB76170.D0000103.? SYSOUT
IEF285I UAQFZW.UAQFZWF.JOB76170.D0000101.? SYSIN
*******************************************WVACTRT**03/02/11*12.33****$SMF006***
*--------------------------- IDENTIFICATION SECTION ---------------------------*
* JOBNAME UAQFZWF CPU IBM 002097 E26 *
* JOBID JOB76170 CPUID 0E3BC3 *
* JOBCLASS J OS z/OS 01.12.00 *
* PROCSTEPNAME SYSTEMID SYSA *
* STEPNAME RUNSFTP SYSPLEX WWX1 *
* STEPID 001 PGMRNAME BVD *
* PROGRAM COZBATCH USERID UAQFZW *
* WORKLOAD BATCH SERVICECLASS JESTESTP *
* STARTTIME 16:15:55.00 STARTDATE 17.04.2012 (2012.108) *
* ENDTIME 16:16:02.45 ENDDATE 17.04.2012 (2012.108) *
* DURATION 00:00:07.45 STORAGE(BELOW) 268K *
* COMPCODE 00FF STORAGE(ABOVE) 13.076K *
*--------------------------- DDNAME SECTION -----------------------------------*
* EXCP UNIT DD-NAME BLKSZ EXCP UNIT DD-NAME BLKSZ *
* 18 9227 STEPLIB 6144 22 9411 IN1F1 18400 *
* 0 0000 IN1F1 0 0 0000 SYSTSPRT 0 *
* 0 0000 SYSPRINT 0 0 0000 STDIN 0 *
* 0 0000 SYSOUT 0 *
*--------------------------- SUMMARY SECTION ----------------------------------*
* 40 EXCP DISK 0 EXCP TAPE *
* 63 SYSIN RECORDS 0 TAPE MOUNTS *
* 0,11 SEC CPU ZEIT (TCB) 0,00 SEC CPU ZEIT (SRB) *
* 0,00 SEC CPU ZEIT (AAP) 0,00 SEC CPU ZEIT (IIP) *
*******************************************WVACTRT**03/02/11*12.33****$SMF006***
IEF373I STEP/RUNSFTP /START 2012108.1615
IEF032I STEP/RUNSFTP /STOP 2012108.1616
CPU: 0 HR 00 MIN 00.11 SEC SRB: 0 HR 00 MIN 00.00 SEC
VIRT: 268K SYS: 348K EXT: 13076K SYS: 12848K
IEF375I JOB/UAQFZWF /START 2012108.1615
IEF033I JOB/UAQFZWF /STOP 2012108.1616
CPU: 0 HR 00 MIN 00.11 SEC SRB: 0 HR 00 MIN 00.00 SEC
CoZBatch[N]: Copyright (C) 2005-2009 Dovetailed Technologies LLC. All rights reserved.
CoZBatch[N]: version 2.0.1 2012-01-14
CoZBatch: executing progname=login-shell="-/bin/sh"
Path: /usr/lpp/skrb/bin:/usr/lpp/Printsrv/bin:/bin:/usr/lpp/java/J6.0/bin:/plex/product/ispf/bin:/usr/lpp/ldap/sbin:/usr
/sbin:/u/uaqfzw:.:/u/uaqfzw::/plex/opt/dovetail/coz/bin:/usr/lpp/cbclib/xlc/bin:/plex/opt/openssl/apps
NLSPATH :/usr/lpp/skrb/lib/nls/msg/%L/%N
/u/uaqfzw
clear old files
rm /u/uaqfzw/mybzst.file
rm /u/uaqfzw/mybzst.file.md5
clear old files --- END ---
move file from mvs to USS
fromdsn(DD:IN1F1)[N]: 473 records/378400 bytes read; 308360 bytes written in 0.045 seconds (6691.840 KBytes/sec).
move file from mvs to USS --- End ---
create fingerprint with certifikate
create fingerprint with certifikate --- End ---
transfer the files to BZST
Co:Z SFTP version: 2.0.1 (5.0p1) 2012-01-14
Copyright (C) Dovetailed Technologies, LLC. 2011. All rights reserved.
[56.572] debug3: connect_to_server arg=/bin/ssh
[56.573] debug3: connect_to_server arg=-oForwardX11 no
[56.573] debug3: connect_to_server arg=-oForwardAgent no
[56.573] debug3: connect_to_server arg=-oClearAllForwardings yes
[56.573] debug3: connect_to_server arg=-oBatchMode=yes
[56.573] debug3: connect_to_server arg=-oPasswordAuthentication=no
[56.573] debug3: connect_to_server arg=-oStrictHostkeyChecking=no
[56.573] debug3: connect_to_server arg=-v
[56.573] debug3: connect_to_server arg=-v
[56.573] debug3: connect_to_server arg=-v
[56.573] debug3: connect_to_server arg=-obatchmode yes
[56.573] debug3: connect_to_server arg=-lbz100061498
[56.573] debug3: connect_to_server arg=-oProtocol 2
[56.573] debug3: connect_to_server arg=-s
[56.573] debug3: connect_to_server arg=bzst-sftp
[56.573] debug3: connect_to_server arg=sftp
OpenSSH_5.0p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: RNG is ready, skipping seeding
debug1: zsshSmfSetConnSmfStatus: SMF status is 0
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug2: ssh_connect: needpriv 0
debug1: Connecting to bzst-sftp [192.168.60.194] port 22.
debug1: Connection established.
debug3: zsshGetpw: passwd name=UAQFZW, uid=7512, gid=0, dir=/u/uaqfzw, shell=/bin/sh
debug1: identity file /u/uaqfzw/.ssh/id_rsa type -1
debug1: identity file /u/uaqfzw/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1
debug1: match: OpenSSH_5.5p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.0
debug2: fd 4 setting O_NONBLOCK
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1
4-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast1
28-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast1
28-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1
4-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast1
28-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast1
28-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 157/256
debug2: bits set: 499/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /u/uaqfzw/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 14
debug3: check_host_in_hostfile: filename /u/uaqfzw/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 14
debug1: Host 'bzst-sftp' is known and matches the RSA host key.
debug1: Found key in /u/uaqfzw/.ssh/known_hosts:14
debug2: bits set: 517/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: (1D4A7670)
debug2: key: /u/uaqfzw/.ssh/id_rsa (0)
debug2: key: /u/uaqfzw/.ssh/id_dsa (0)
debug3: input_userauth_banner
Willkommen beim ZIVIT
Datenschutzerklaerung:
Bei jeder Nutzung dieses Angebotes werden vom
Zentrum fuer Informationsverarbeitung und
Informationstechnik (ZIVIT) im Auftrag des
Bundeszentralamtes fuer Steuern (BZSt) folgende
Daten in einer Protokolldatei gespeichert:
* Kennung der Sendestelle
* IP-Adresse
* Dateiname
* Datum und Uhrzeit der Transaktion
* uebertragenes Datenvolumen
Die gespeicherten Daten werden nur zur
Betriebsfuehrung und zur Analyse des
Zugriffsverhaltens der Nutzer verwendet.
Eine Weitergabe an Dritte, zu kommerziellen
oder nichtkommerziellen Zwecken, findet
nicht statt.
Die IP-Adresse wird nur bei Angriffen auf
die Infrastruktur des ZIVIT ausgewertet.
Die missbraeuchliche Nutzung dieses
Dienstes wird strafrechtlich verfolgt.
Copyright ZIVIT
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key:
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Trying private key: /u/uaqfzw/.ssh/id_rsa
debug3: no such identity: /u/uaqfzw/.ssh/id_rsa
debug1: Trying private key: /u/uaqfzw/.ssh/id_dsa
debug3: no such identity: /u/uaqfzw/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
debug3: __catgets: NLS setup complete (1), using message catalog openssh.cat
FOTS1373 Permission denied (publickey).
[57.430] Connection closed
CoZBatch: returning rc=exitcode=255
COZsftp with RACF Zertifikates
Re: COZsftp with RACF Zertifikates
Please enable tracing for the Co:Z SAF SSH Agent by including this line before the cozsftp command:
export COZ_LOG=T,SafSshAgent=F
(this is case sensitive).
This won't print any private key material, but you still might consider the trace data somewhat sensitive, so you can email it to info@dovetail.com and we will take a look.
Re: COZsftp with RACF Zertifikates
According to your trace, the Co:Z SafSshAgent is seeing your RACF key OK.
It appears that the remote server is not accepting this key, probably because it does not have the public key registered properly.
The steps for setting up a SAF/RACF public key are here: http://dovetail.com/docs/coz/auth.html#auth-racf
To double check:
1) export a copy of the public key from RACF:
saf-ssh-agent -x -f myracfkey.pub MY-RING:MY-CERT
2) look at the public key. It is a text file and should look something like this (it is actually a single line):
>cat myracfkey.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDVY8BGdcuKEwUbGnGNWAOGa4sAB6a1m4nKiPUMY7Apr7DkVHPKtqJdqQdLC9dTDnFDrrjOzxY6sW2NMA2E48FnP/86bkKRceQg4tpxlX2P7VA5b7xO8VA5LzinTIWVbsoC+JSwqIcKxAN9nsMJ72431fp6y+2KgD8ifNys7hJv0Q== CN=Kirk Wolf,OU=Development,O=Dovetailed Technologies,C=US
3) I assume that the remote SSH server is running OpenSSH (other products might be slightly different). Verify that you have the following files and permissions:
$HOME/.ssh permission: 700
$HOME/authorized_keys permission 600
(where $HOME is the home directory of the userid that you are trying to use on the remote server)
4) Verify that you have added the above public key line (ssh-rsa ...) to the authorized_keys file
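An added check script for steps 1 to 4 above (example code, not Co:Z's or OpenSSH's own): run it on the remote OpenSSH server after copying the exported .pub file there. It compares the exported key against $HOME/.ssh/authorized_keys (OpenSSH's default AuthorizedKeysFile) by key type and base64 blob only, since a RACF-exported key carries the certificate DN as its comment and that rarely matches what was pasted into authorized_keys, and it checks the .ssh and authorized_keys modes that sshd's StrictModes requires. The key file path, home directory and sample keys are assumptions/constructed.

```shell
#!/bin/sh
# Added example (not Co:Z or OpenSSH code). Run on the remote OpenSSH server
# after copying the exported key file there. Assumed names: the key file
# path and the home directory are passed in as arguments.

# perm_of PATH: octal mode bits, trying GNU stat first, then BSD stat.
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null
}

# key_blob LINE: print "<type> <base64>" from a .pub or authorized_keys line.
# Leading options (from="...", command="...") and the trailing comment are
# dropped, because a RACF-exported key carries the certificate DN as its
# comment, which is not what is usually typed into authorized_keys.
key_blob() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/ && $(i+1) ~ /^[A-Za-z0-9+\/=]+$/) {
                print $i, $(i+1); exit
            }
    }'
}

# check_authorized_key PUBFILE HOME: returns 0 when the key in PUBFILE is
# registered in HOME/.ssh/authorized_keys (OpenSSH's default
# AuthorizedKeysFile) and the modes satisfy sshd's StrictModes; otherwise
# prints each finding and returns 1.
check_authorized_key() {
    pub="$1"; home="$2"; rc=0; found=1
    want=$(key_blob "$(head -n 1 "$pub")")
    if [ -z "$want" ]; then echo "no ssh key found in $pub"; return 1; fi
    sshdir="$home/.ssh"; ak="$sshdir/authorized_keys"
    if [ ! -d "$sshdir" ]; then echo "missing $sshdir"; return 1; fi
    if [ "$(perm_of "$sshdir")" != 700 ]; then
        echo "$sshdir should be mode 700, is $(perm_of "$sshdir")"; rc=1
    fi
    if [ ! -f "$ak" ]; then echo "missing $ak"; return 1; fi
    if [ "$(perm_of "$ak")" != 600 ]; then
        echo "$ak should be mode 600, is $(perm_of "$ak")"; rc=1
    fi
    # Compare type+blob only; '|| [ -n "$line" ]' keeps a last line with no newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if [ "$(key_blob "$line")" = "$want" ]; then found=0; fi
    done < "$ak"
    if [ $found -ne 0 ]; then echo "key from $pub is not in $ak"; rc=1; fi
    if [ $rc -eq 0 ]; then echo "OK: key registered and modes correct"; fi
    return $rc
}
```

Usage on the remote server: `check_authorized_key /path/to/myracfkey.pub /home/<remote-user>` (placeholders); a non-zero return lists what still differs from the setup in steps 3 and 4.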