RACF ICH408I: STDERR CL(DATASET ) ?????

Discussion of Co:Z sftp, a port of OpenSSH sftp for z/OS
fagu
Posts: 14
Joined: Wed Dec 02, 2009 8:51 am

RACF ICH408I: STDERR CL(DATASET ) ?????

Post by fagu »

...this was on our old z/OS1.11
...please read Å as $ (this is one example how we see the word in Nordic countries)

...what actually is the system trying to do and where to write STDERR ???

Co:Z SFTP Server version: 2.3.0 (5.0p1) 2012-12-18
Copyright (C) Dovetailed Technologies, LLC. 2011. All rights reserved.
...
13.59.57 STC06365 ICH408I USER(ZOSUSR1 ) GROUP(ZOSGROU) NAME( FOOBAR MENAME ) 643
643 STDERR CL(DATASET ) VOL(*BLANK)
643 DEFINE - WARNING: RESOURCE NOT PROTECTED
13.59.57 STC06365 ICH408I USER(ZOSUSR1 ) GROUP(ZOSGROUP) NAME( FOOBAR MENAME ) 648
648 STDERR CL(DATASET ) VOL(Z1VO07)
648 WARNING: RESOURCE NOT PROTECTED
648 ACCESS INTENT(UPDATE ) ACCESS ALLOWED(UPDATE )
13.59.57 STC06365 ICH408I USER(ZOSUSR1 ) GROUP(ZOSGROUP) NAME( FOOBAR MENAME ) 649
649 STDERR CL(DATASET ) VOL(Z1VO07)
649 WARNING: RESOURCE NOT PROTECTED
649 ACCESS INTENT(ALTER ) ACCESS ALLOWED(ALTER )


...this was on our newer z/OS1.13, scripts close to the same on both OS

BROWSE /SYSTEM/etc/ssh/1/sftp-server.sh
Command ===>
export _BPX_SHAREAS=YES
export _BPX_SPAWN_SCRIPT=YES
export _BPXK_JOBLOG=STDERR

# Fagu added
export _BPXK_SETIBMOPT_TRANSPORT=TCPZIN11
# RESOLVER trace will/may corrupt login (FOTS0843)
export RESOLVER_TRACE=STDERR
...

...RACF is not very happy, doesn't matter if using // or $HOME

BROWSE sftp-server.tcpip-1.zosusr1.171.095455.33555
Command ===>
************************************************** Top of Data *************
Co:Z SFTP Server version: 2.4.0 (5.0p1) 2013-06-10
Copyright (C) Dovetailed Technologies, LLC. 2008-2013. All rights reserved.
...
12.54.55 STC06352 ICH408I USER(ZOSUSR1 ) GROUP(ZOSGROUP) NAME( FOOBAR MENAME ) 165
165 STDERR CL(DATASET ) VOL(*BLANK)
165 DEFINE - WARNING: RESOURCE NOT PROTECTED
12.54.55 STC06352 ICH408I USER(ZOSUSR1 ) GROUP(ZOSGROUP ) NAME( FOOBAR MENAME ) 166
166 STDERR CL(DATASET ) VOL(Z1VO02)
166 WARNING: RESOURCE NOT PROTECTED
166 ACCESS INTENT(UPDATE ) ACCESS ALLOWED(UPDATE )
12.54.55 STC06352 ICH408I USER(ZOSUSR1 ) GROUP(ZOSGROUP) NAME( FOOBAR MENAME ) 167
167 STDERR CL(DATASET ) VOL(Z1VO02)
167 WARNING: RESOURCE NOT PROTECTED
167 ACCESS INTENT(ALTER ) ACCESS ALLOWED(ALTER )
12.54.55 STC06352 EZZ9302I UNABLE TO ACCESS TRACE FILE STDERR. - RC 0008000C

...after RACF permission to STDERR, login is clean, but still no WTO, or where and what should be written to STDERR???

BROWSE sftp-server.tcpip-1.zosusr1.171.104307.33555 Line 00000000 Col 001 114
Command ===> Scroll ===> CSR
************************************************** Top of Data ***************************************************
Co:Z SFTP Server version: 2.4.0 (5.0p1) 2013-06-10
Copyright (C) Dovetailed Technologies, LLC. 2008-2013. All rights reserved.
ZosSettings[T]: -> readConfiguration()
ZosSettings[T]: -> processConfigurationFile(/u/zosusr1/.ssh/cozsftp_server_config)
ZosSettings[D]: no configuration file (/u/zosusr1/.ssh/cozsftp_server_config) found.
ZosSettings[T]: <- processConfigurationFile()
ZosSettings[T]: -> processConfigurationFile(/etc/ssh/cozsftp_server_config)
ZosSettings[T]: processConfigurationFile: Processing fixed: configuration file section
ZosSettings[T]: processConfigurationFile: Processing default: configuration file section
ZosSettings[T]: processConfigurationFile: Processing configuration file option: 'gdgnt'
ZosSettings[T]: <- processConfigurationFile()
ZosSettings[T]: <- readConfiguration()
ZosUtil[T]: -> zos_log_region_size()
ZosUtil[D]: region size requested = 55296K, Actual below/above limit = 11240K / 2085912K
ZosUtil[T]: <- zos_log_region_size()
[87.687] session opened for local user ZOSUSR1 from [?127.0.0.1?]
13.43.08 STC06353 EZZ9302I UNABLE TO ACCESS TRACE FILE STDERR. - RC 0008000C
ZosExitInterface[T]: -> checkIP()
ZosExitInterface[T]: checkIP: unable to load CZCHKIP - EDC5239S Fetched module not found. (errno2=0xC4070044)
ZosExitInterface[T]: <- checkIP(true (module not found))
ZosExitInterface[T]: -> checkPwd()
ZosExitInterface[T]: checkPwd: unable to load CZCHKPWD - EDC5239S Fetched module not found. (errno2=0xC4070044)
ZosExitInterface[T]: <- checkPwd(true (module not found))
[89.050] debug3: Type: SSH2_FXP_INIT
...

...the WTO never writes anything, that was my main concern
...echo works, but we want problems written to SYSLOG or SYSLOGD (both running)

/usr/local/coz/bin/wto -r 11 -d 6 "COZSFTP001I cozsftp COZ_BIN $COZ_BIN = /usr/local/coz/bin !"
echo "COZSFTP001I cozsftp COZ_BIN $COZ_BIN = /usr/local/coz/bin !" >> /var/log/sshd/1/sftp-server.sh.log


EUID=0 /SYSTEM/etc/ssh/1/
Type Perm Changed-GMT-2DST Owner ------Size Filename
_ Dir 755 2013-06-19 17:02 BBMCAS 8192 .
_ Dir 755 2013-06-19 10:03 BBMCAS 8192 ..
_ File 755 2013-06-19 14:56 BBMCAS 390 cozsftp_debug
_ File 755 2012-09-11 11:07 BBMCAS 671 ftpd_banner
_ File 755 2013-06-19 17:29 BBMCAS 4809 sftp-server.sh
_ File 755 2013-06-19 17:02 BBMCAS 5698 sftp-server.sh.debug-version
_ File 600 2012-09-11 11:54 BBMCAS 668 ssh_host_dsa_key
_ File 644 2012-09-11 11:54 BBMCAS 603 ssh_host_dsa_key.pub
_ File 600 2012-09-11 11:54 BBMCAS 1675 ssh_host_rsa_key
_ File 644 2012-09-11 11:54 BBMCAS 395 ssh_host_rsa_key.pub
_ File 755 2012-09-11 11:14 BBMCAS 671 sshd_banner
_ File 600 2013-06-19 10:46 BBMCAS 5674 sshd_config
_ File 755 2012-09-11 11:15 BBMCAS 47 sshstop.sh
_ File 755 2013-06-19 16:04 BBMCAS 535 zOS-SSHD_startup.sh

EUID=0 /SYSTEM/etc/ssh/
Type Perm Changed-GMT-2DST Owner ------Size Filename
_ Dir 755 2013-06-19 10:03 BBMCAS 8192 .
_ Dir 755 2013-01-23 12:46 BBMCAS 8192 ..
_ Dir 755 2013-06-19 17:02 BBMCAS 8192 1
_ Dir 755 2012-09-11 15:20 BBMCAS 8192 2
_ Dir 755 2012-09-11 15:20 BBMCAS 8192 3
_ Dir 755 2012-09-11 15:20 BBMCAS 8192 4
_ Dir 755 2012-09-11 15:20 BBMCAS 8192 5
_ Dir 755 2012-09-11 15:20 BBMCAS 8192 6
_ Dir 755 2012-09-11 15:20 BBMCAS 8192 7
_ Dir 755 2012-09-11 15:20 BBMCAS 8192 8
_ File 755 2013-06-18 15:22 BBMCAS 1893 cozsftp_config
_ File 755 2013-06-18 15:22 BBMCAS 1888 cozsftp_server_config
_ File 750 2013-06-14 12:04 BBMCAS 1133 ibm-samples.text
_ File 644 2011-12-01 14:27 BBMCAS 126379 moduli
_ File 755 2013-06-20 12:53 BBMCAS 1489 sftp-server.rc
_ File 644 2013-06-19 10:35 BBMCAS 2965 ssh_config
_ File 644 2011-12-01 14:27 BBMCAS 5685 ssh_prng_cmds_use_crypto
_ File 644 2013-06-19 10:34 BBMCAS 1416 zos_ssh_config
_ File 600 2013-06-19 10:37 BBMCAS 1534 zos_sshd_config

...we investigate how to run 1..8 different SSHD servers, because customers using the same site have different stacks and FW to isolate. TCPIP=1 or TCPIP=3 will do that, and some customization in option and script text

BROWSE SYS1.ZINPLEX.ZV1R13.PROCLIB(SSHD) - 01.09 Line 00000000 Col
Command ===> Scroll =
********************************* Top of Data *************************
//SSHD PROC TCPIP=
//SSHD EXEC PGM=BPXBATCH,REGION=0M,TIME=NOLIMIT,
// PARM='PGM /bin/sh -c /etc/ssh/&TCPIP./zOS-SSHD_startup.sh'
//CEEDUMP DD SYSOUT=*
//* STDIN and STDOUT are both defaulted to /dev/null
//STDERR DD PATH='/var/log/sshd/&TCPIP./sshd.start.stderr',
// PATHOPTS=(OWRONLY,OCREAT,OAPPEND),PATHMODE=(SIRWXU,SIWGRP,SIWOTH)
******************************** Bottom of Data ***********************

BROWSE /SYSTEM/etc/ssh/1/zOS-SSHD_startup.sh Line 00000000 Col 001 080
Command ===> Scroll ===> CSR
********************************* Top of Data **********************************
#! /bin/sh
#====================================================================
# Warning: running debug (-ddd) will terminate SSHD when PuTTY exits
#====================================================================
export _EDC_ADD_ERRNO2=1
export NLSPATH="$NLSPATH:/usr/lib/nls/msg/%L/%N.cat"
_BPX_JOBNAME='SSHDZN11' nohup /usr/sbin/sshd -f /etc/ssh/1/sshd_config &
# _BPX_JOBNAME='SSHDZN11' nohup /usr/sbin/sshd -ddd -f /etc/ssh/1/sshd_config &
sleep 5
******************************** Bottom of Data ********************************
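
A parser for the multi-line ICH408I messages quoted in the post above, added here as an illustration (it is not code from the thread or from Co:Z). It groups each header with its continuation lines and picks out the events where a UNIX stream keyword was checked as an MVS data set name; the function names and the `STREAM_WORDS` set are assumptions.

```python
import re

# Constructed sample: lines copied from the z/OS 1.13 session log in the post above.
SAMPLE = """\
12.54.55 STC06352 ICH408I USER(ZOSUSR1 ) GROUP(ZOSGROUP) NAME( FOOBAR MENAME ) 165
165 STDERR CL(DATASET ) VOL(*BLANK)
165 DEFINE - WARNING: RESOURCE NOT PROTECTED
12.54.55 STC06352 ICH408I USER(ZOSUSR1 ) GROUP(ZOSGROUP ) NAME( FOOBAR MENAME ) 166
166 STDERR CL(DATASET ) VOL(Z1VO02)
166 WARNING: RESOURCE NOT PROTECTED
166 ACCESS INTENT(UPDATE ) ACCESS ALLOWED(UPDATE )
12.54.55 STC06352 EZZ9302I UNABLE TO ACCESS TRACE FILE STDERR. - RC 0008000C
"""

HEAD = re.compile(r"^(\S+)\s+(\S+)\s+ICH408I\s+USER\(\s*([^\s)]+)\s*\)"
                  r"\s+GROUP\(\s*([^\s)]+)\s*\).*\s(\d+)\s*$")
RESOURCE = re.compile(r"^(\S+)\s+CL\(\s*([^\s)]+)\s*\)(?:\s+VOL\(\s*([^\s)]+)\s*\))?")
ACCESS = re.compile(r"ACCESS INTENT\(\s*(\w+)\s*\)\s+ACCESS ALLOWED\(\s*(\w+)\s*\)")
STREAM_WORDS = {"STDIN", "STDOUT", "STDERR"}  # assumption: names worth flagging


def parse_ich408i(text):
    """Group every ICH408I header with the lines carrying its trailing id."""
    events, cur = [], None
    for line in text.splitlines():
        head = HEAD.match(line)
        if head:
            cur = dict(zip(("time", "job", "user", "group", "id"), head.groups()),
                       resource=None, cls=None, volume=None,
                       unprotected=False, define=False, intent=None, allowed=None)
            events.append(cur)
        elif cur and line.startswith(cur["id"] + " "):
            body = line[len(cur["id"]):].strip()
            res, acc = RESOURCE.match(body), ACCESS.search(body)
            if res:
                cur["resource"], cur["cls"], cur["volume"] = res.groups()
            if acc:
                cur["intent"], cur["allowed"] = acc.groups()
            if "RESOURCE NOT PROTECTED" in body:
                cur["unprotected"], cur["define"] = True, body.startswith("DEFINE")
        else:
            cur = None  # any other message ends the current multi-line group
    return events


def stream_name_datasets(events):
    """Events where a UNIX stream keyword was checked as an MVS data set name."""
    return [e for e in events
            if e["cls"] == "DATASET" and e["resource"] in STREAM_WORDS]
```
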
dovetail
Site Admin
Posts: 2025
Joined: Thu Jul 29, 2004 12:12 pm

Re: RACF ICH408I: STDERR CL(DATASET ) ?????

Post by dovetail »

To me this would seem to indicate that you are trying to write to a MVS dataset named "STDERR". Perhaps this must be lower case to be recognized as Unix stderr? I can't say for sure, but you should check with the IBM support center.

BTW: we don't recommend that you change sftp-server.sh. You can customize and add script commands to /etc/ssh/sftp-server.rc
See: http://dovetail.com/docs/sftp/config.ht ... ver_rc_all

I would also suggest that you are too late to export variables for the RESOLVER there anyway.
You should instead put this in the top-level shell script that starts SSHD.
fagu
Posts: 14
Joined: Wed Dec 02, 2009 8:51 am

Re: RACF ICH408I: STDERR CL(DATASET ) ?????

Post by fagu »

...my original concern was to get user errors written to SYSLOG or SYSLOGD, but with normal operation no excessive written, except server logon/logoff information to the SYSLOGD.
...the "export SFTP_SERVER_OPTIONS="-e -l debug3" " debug3 is not production friendly

Do you have any customization examples for 8 SFTP-servers serving 8 different customer environments (=TCP/IP-stacks)? Due to files default to some predefined paths and file names you can't easily handle a UNIX-software in MVS platform

I try to find a solution to run 8 different SFTP-servers (just like it is easily possible to have 8 IBM FTPS-stacks using port-21).

I find that Co:Z SFTP-server, as documented, is designed to be the only one and using only 1 TCP/IP-stack???

Using SSHDZN11...SSHDZN41...SSHDZN81 named sftp-servers, operators and system programmers get an easy overview of how many SFTP-users are running and what customer is the heavy sftp user. Using only 1 SFTP-server you are bound to only 1 TCP/IP-stack, or one you randomly stick to. Managing all users using different stacks could be a nightmare, but handling 8 servers is less work, that is what I hope? Once a user is using ssh-server or sftp-server, the TCP/IP is solved

..this is your original example, and STDERR is in UPPERcase not lowerCASE

BROWSE /usr/local/coz/bin/sftp-server.sh
Command ===> https://****************
export _BPX_SHAREAS=YES
export _BPX_SPAWN_SCRIPT=YES
export _BPXK_JOBLOG=STDERR
...

...my customized "sftp-server.sh" script has the same UPPERcase as your example
...it's easy to test if some defs are moved to an earlier place like "zOS-SSHD_startup.sh" as you suggested
==> as I mentioned, if RACF is updated to permit userid to "STDERR", then we get rid of ICH408I, but no error msg written anyway as we should expect

BROWSE /SYSTEM/etc/ssh/1/sftp-server.sh
Command ===>
export _BPX_SHAREAS=YES
export _BPX_SPAWN_SCRIPT=YES
export _BPXK_JOBLOG=STDERR

# Fagu added
export _BPXK_SETIBMOPT_TRANSPORT=TCPlpar1
# RESOLVER trace will/may corrupt login (FOTS0843)
export RESOLVER_TRACE=STDERR
...

==> the RESOLVER is actually SFTP-server/SSH-users specific, the Customers surely have their own DNS-servers defined in TCPPARM(TCPDATA)

BROWSE ...lpar.TCPPARM(TCPDATA) - 01. Line 00000042 Col
Command ===> Scroll =
; Resolver will cache all dns-servers, and answer in following order:
; - First: XXXXX internal production DNS server
;
NameServer ...35
NameServer ...4
NsPortAddr 53
ResolveVia UDP
ResolverTimeout 5
ResolverUdpRetries 1
;;;;;; SortList 128.32.42.0/24 128.32.42.0/255.255.0.0 9.0.0.0
;
; DNS LOCAL IS DEFAULT
Lookup LOCAL DNS
;

..the earlier place

BROWSE /SYSTEM/etc/ssh/1/zOS-SSHD_startup.sh Line 00000000 Col 001 080
Command ===> Scroll ===> CSR
********************************* Top of Data **********************************
#! /bin/sh
# start the ssh daemon
# nohup /usr/sbin/sshd -f /etc/ssh/sshd_config &
#====================================================================
# Warning: running debug (-ddd) will terminate SSHD when PuTTY exits
#====================================================================
export _EDC_ADD_ERRNO2=1
export NLSPATH="$NLSPATH:/usr/lib/nls/msg/%L/%N.cat"
_BPX_JOBNAME='SSHDZN11' nohup /usr/sbin/sshd -f /etc/ssh/1/sshd_config &
# _BPX_JOBNAME='SSHDZN11' nohup /usr/sbin/sshd -ddd -f /etc/ssh/1/sshd_config &
sleep 5
******************************** Bottom of Data ********************************

...because "_BPXK_SETIBMOPT_TRANSPORT=" doesn't work as expected (too late???), the SFTP-server for wanted TCP/IP-stack is "forced" by "ListenAddress ..."

BROWSE /SYSTEM/etc/ssh/1/sshd_config
Command ===>
# Fagu: You must use the IP address the daemon runs under
# No propagate of resolv.conf _BPXK_SETIBMOPT_TRANSPORT=TCPZINxx
ListenAddress 10.10.10.73
...

and it works as wanted. This way there can be 8 SFTP-stacks serving 8 different customer networks with default ports.
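
A check for the per-instance `ListenAddress` approach described in the post above, added here as an illustration (not code from the thread): it reads each instance's sshd_config and flags an instance that has no active `ListenAddress`, which makes sshd listen on every local address, or that claims the same address and port as another instance. The config texts are constructed; only `10.10.10.73` and the `/etc/ssh/<n>/` layout come from the page.

```python
import re
from collections import defaultdict

# Constructed configs keyed by instance directory (/etc/ssh/<n>/sshd_config as in
# the post); only 10.10.10.73 comes from the page, the rest are sample values.
CONFIGS = {
    "1": "# stack 1\nListenAddress 10.10.10.73\n",
    "2": "Port 22\nlistenaddress 192.0.2.20:22\n",
    "3": "Port 22\n# ListenAddress 192.0.2.30\n",  # no active ListenAddress
    "4": "ListenAddress=10.10.10.73\n",             # same socket as instance 1
}
DIRECTIVE = re.compile(r"(\w+)\s*=?\s*(.*)")
WITH_PORT = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:\[\]]+)):(?P<port>\d+)$")


def listen_sockets(text):
    """Return the set of (address, port) pairs one sshd_config binds."""
    ports, addrs = [], []
    for raw in text.splitlines():
        m = DIRECTIVE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m[1].lower(), m[2].strip()   # keywords are case-insensitive
        if key == "port":
            ports.append(int(value))
        elif key == "listenaddress":
            addrs.append(value)
    ports = ports or [22]
    if not addrs:
        return {("*", p) for p in ports}          # default: every local address
    out = set()
    for a in addrs:
        m = WITH_PORT.match(a)
        # Simplification: a port-less address takes every Port in the file.
        out |= {(m["v6"] or m["v4"], int(m["port"]))} if m else {(a, p) for p in ports}
    return out


def audit(configs):
    """Flag instances that bind all addresses or share a socket with another."""
    owners, findings = defaultdict(list), []
    for name in sorted(configs):
        for sock in sorted(listen_sockets(configs[name])):
            owners[sock].append(name)
            if sock[0] == "*":
                findings.append(("wildcard", name, sock[1]))
    findings += [("shared", s[0], s[1], tuple(n)) for s, n in sorted(owners.items())
                 if len(n) > 1]
    return findings
```
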
dovetail
Site Admin
Posts: 2025
Joined: Thu Jul 29, 2004 12:12 pm

Re: RACF ICH408I: STDERR CL(DATASET ) ?????

Post by dovetail »

> ..my original concern was to get user errors written to SYSLOG or SYSLOGD, but with normal operation no excessive written, except server logon/logoff information to the SYSLOGD.
> ...the "export SFTP_SERVER_OPTIONS="-e -l debug3" " debug3 is not production friendly

I don't understand what you are asking. We recommend that you configure user logs to be written to a session log file (one for each session). By default these will be created in the /tmp directory.

> Do you have any customization examples for 8 SFTP-servers serving 8 different customer environments (=TCP/IP-stacks)? Due to files default to some predefined paths and file names you can't easily handle a UNIX-software in MVS platform

Again, I don't understand the question. Co:Z SFTP server does not run on a stack. It is started by IBM Ported Tools SSHD, which runs on a stack. What files are you referring to?

> ..this is your original example, and STDERR is in UPPERcase not lowerCASE

_BPXK_JOBLOG is documented to support either "stderr" or "STDERR". I do not know what RESOLVER_TRACE supports. The IBM documentation doesn't say, and the error that you are getting to me indicates that the resolver is trying to open a DATASET named STDERR. This is why I asked you to open a problem with IBM.

I suggest that you set up a testing environment and get IBM Ported Tools SSHD to work on multiple stacks without using CO:Z SFTP server (use the IBM Provided sftp server). If this works then you should be able to change /etc/ssh/sshd_config to point the sftp subsystem to Co:Z SFTP and it should be the same.
fagu
Posts: 14
Joined: Wed Dec 02, 2009 8:51 am

Re: RACF ICH408I: STDERR CL(DATASET ) ?????

Post by fagu »

...closing this question, some notes however. All this has its root cause in why WTO from Co:Z script was not logged anywhere

RACF problem with STDERR (or stderr) just disappear when STDERR ==> 2
export _BPXK_JOBLOG=2
# _BPXK_JOBLOG is documented to support either "stderr" or "STDERR"
==> didn't contact IBM, behaving somewhat strange, but do not have time to further check, dovetailed example script worked with errors for me

...where I talked about 8 SFTP I meant SSHD, that is solved with standard IBM daemon. Using customer/user specific TCPIP address can be managed in .profile as example, sorry for being confusing