I have had our CSO department create the RACF digital certificate and key ring. Ran the saf-ssh-agent command to create the public key file. I FTP'd it to my Windows box, and then emailed it to the SA and it was added to the authorized_keys file for the userid that is specified in the PARM for COZLNCH program. When I run a batch job, it fails with the following messages.
FOTS1370 Host key verification failed.
CoZLauncher[E]: CoZAgent process (9804) ended with RC=255
CoZLauncher[E]: CoZAgent process (9804) ended, but no cozagent completion was recorded
CoZLauncher[E]: CoZLauncher ended with RC=102
z/OS is v2.1
Co:Z is 2.4.5
The permissions on the remote machine are:
drwx------ 9 m92228 dishmech 4096 Nov 12 14:19 m92228 <-- home directory
drwx------ 2 m92228 dishmech 4096 Nov 12 14:19 .ssh <-- obvious
What can I look at to diagnose the issue?
FOTS1370 using RACF Dig Cert
Re: FOTS1370 using RACF Dig Cert
Ok, forgot that I had to run once with ssh-options=-o StrictHostKeyChecking=no on each LPAR. Problem solved.
Re: FOTS1370 using RACF Dig Cert
Your error is happening early... you haven't even gotten to the stage where your RACF digital cert key comes into play.
The FOTS1370 means that the IBM ported tools client doesn't trust the host key provided by the remote server.
You can use this ssh option in your COZCFG DD to tell the ssh client to accept and store the remote host key (only if it doesn't have one):
Code:
ssh-options=-oStrictHostKeyChecking=no
There is a lot more that will need to happen to authenticate a connection. If the above doesn't fix it completely, you can turn on a trace so that we can see what is happening in two areas:
1) the IBM ported tools ssh client. To do this, add -vvv to the ssh-options in your COZCFG DD:
Code:
ssh-options=-oStrictHostKeyChecking=no -vvv
2) the Co:Z saf-ssh-agent which is used to provide the user key from RACF.
Add this line to your COZCFG DD to get Co:Z / saf-ssh-agent tracing:
Code:
server-env-COZ_LOG=F,SafSshAgent=F
Note: this won't trace or dump any private key material, but it will have userids, hostnames, etc.
Please email to us at info@dovetail.com and we'll take a look to see what phase of authentication is going wrong.
PS> There are slides and recordings for a two-part webinar at http://dovetail.com/webinars.html that cover the ssh authentication and z/OS specifics:
Part 1: IBM Ported Tools for z/OS: OpenSSH - Key Authentication
Part 2: IBM Ported Tools for z/OS: OpenSSH - Using Key Rings.
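The reply above separates two phases: the client trusting the server's host key, and the server accepting the user key from RACF. As an added example (not part of the thread and not Dovetail's code), this Python check reads an ssh -vvv trace and reports which phase failed and whether the user key was ever offered. The debug patterns follow upstream OpenSSH client wording, which is an assumption for the z/OS port; the host name and both traces are constructed.

```python
import re

# Ordered milestones of an SSH client connection. Patterns follow upstream
# OpenSSH client wording (assumption: the z/OS port may word them differently,
# apart from FOTS1370, which is quoted in the thread).
MILESTONES = [
    ("tcp-connect",     re.compile(r"debug1: Connection established")),
    ("host-key-check",  re.compile(r"debug1: Host '.+' is known and matches")),
    ("user-auth-start", re.compile(r"debug1: Authentications that can continue")),
    ("user-auth-done",  re.compile(r"debug1: Authentication succeeded")),
]
FAILURES = [
    ("host-key-check", re.compile(r"Host key verification failed")),
    ("user-auth",      re.compile(r"Permission denied \(")),
]

def diagnose(trace: str) -> dict:
    """Return the milestones reached and the phase that failed, if any."""
    reached, failed, key_offered = [], None, False
    for line in trace.splitlines():
        for name, pat in MILESTONES:
            if pat.search(line) and name not in reached:
                reached.append(name)
        # The user key (here, the one served by saf-ssh-agent) is only offered
        # after the host key has been accepted.
        if "Offering" in line and "public key" in line:
            key_offered = True
        for phase, pat in FAILURES:
            if failed is None and pat.search(line):
                failed = phase
    return {"reached": reached, "failed": failed, "user_key_offered": key_offered}

# Constructed sample traces (not taken from the thread; host name is made up).
HOST_KEY_FAIL = """\
debug1: Connecting to linux1.example.com port 22.
debug1: Connection established.
debug1: Server host key: RSA (constructed)
FOTS1370 Host key verification failed.
"""
USER_KEY_FAIL = """\
debug1: Connection established.
debug1: Host 'linux1.example.com' is known and matches the RSA host key.
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: (constructed)
Permission denied (publickey,password).
"""

if __name__ == "__main__":
    for name, trace in (("host key", HOST_KEY_FAIL), ("user key", USER_KEY_FAIL)):
        print(name, diagnose(trace))
```

In the first trace the failure lands before any key is offered, which matches the reply's point that FOTS1370 occurs before the RACF certificate is used.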