Announcement

**Scott Klement** · October 13, 2014, 07:07 AM

Re: TCPFTP SSL tips

Can you provide more information about what happens when it fails? What error message you get, etc?

And, if *SECURE *IMPLICIT works, why don't you want to use that?

Are you certain that *SECURE *IMPLICIT isn't what you're expected to use?

**Huddy** · November 7, 2014, 05:17 AM

Re: TCPFTP SSL tips

Hello,

Ok i have a secure ftp connection working between our two LPARs but i also need secure connections between the iSeries and a windows and Unix server.

if i connect using *SSL on port 21 i get an error saying that AUTH TLS not supported

If i use port 990 the session hangs until it times out.

According to our server guys, windows IIS sever doesn't support SFTP and neither does the UNIX.

So my question is, how do i establish a secure FTP to these servers?

Thanks

**Scott Klement** · November 7, 2014, 09:46 AM

Re: TCPFTP SSL tips

How did using FTP over SSL become a requirement in your project if, apparently, none of the servers you are connecting to support it?

I don't like FTP over SSL. It is not as secure as some alternatives, and it is very difficult to use through a firewall or NAT gateway. So, I would consider using sftp (the ftp-like interface to ssh) or secure web services, or similar instead of FTP over SSL.

But, if you REALLY like the FTP over SSL idea, it should be possible to find/buy FTP over SSL server software for either Windows or Unix.

**Huddy** · November 10, 2014, 05:00 AM

Re: TCPFTP SSL tips

Hi Scott. Thanks for replying

Long story but all our windows / UNIX servers are in house on a network which is behind a secure firewall.

Our iSeries machines where also once in house so secure FTP was never an issue but these have since been outsourced to IBM. Given these are now external, audit have requested that any FTP to our server ring must be secure.

My guess is that the firewall is blocking the secure link but it works fine for normal FTP.

**Huddy** · January 14, 2015, 06:24 AM

Re: TCPFTP SSL tips

Sorry for re-bumping this, can i just confirm.. to use SFTP over SSH i need third party software and that iSeries doesn't support this natively?

**DeadManWalks** · January 14, 2015, 07:21 AM

Re: TCPFTP SSL tips

I use Sftp from our 400 to several banks. The setup is straight forward.

**Scott Klement** · January 14, 2015, 07:33 AM

Re: TCPFTP SSL tips

IBM provides the OpenSSH toolset with the operating system.

**jj_dahlheimer** · January 14, 2015, 07:46 AM

Re: TCPFTP SSL tips

Scott has an excellent presentation on this, helped me get it all set up. http://scottklement.com/presentation...%20IBM%20i.pdf

**Huddy** · January 14, 2015, 08:05 AM

Re: TCPFTP SSL tips

Nice one thanks

**Scott Klement** · January 14, 2015, 09:35 AM

Re: TCPFTP SSL tips

you might like this page, too.

OpenSSH on i

http://www.scottklement.com/openssh/

**Huddy** · January 16, 2015, 02:48 AM

Re: TCPFTP SSL tips

I followed your guide yesterday but must admit i'm having a few problems trying to send a file from the iSeries to a Unix server. testing via putty, it doesn't seem to see the iSeries library. Am i right in assuming that the files have to be copied to a directory on the iSeries? Also the CL programs i have run but don't seems to be working. Unlike standard ftp which i am able to view a member for the log, i don't appear to have the same thing.

I was wondering if any one has any existing code and scripts to show as a simple working example of transferring a file from the iSeries to another target..

thanks

edit.. if i use the PASE..

form our Unix server to iSeries

scp /opt/fids/input/ibis/jaynetest.txt hudson@"1.999.999.99":/QSYS.LIB/PHLIB.LIB/TEST.FILE

i get

scp: /QSYS.LIB/PHLIB.LIB/TEST.FILE: Permission denied

odd because PHLIB has *PUBLIC *ALL permissons

if i attempt to grab a file from the iSeries on to the UNIX server

scp hudson@"1.999.999.99":/QSYS.LIB/PHLIB.LIB/TMP50P.FILE /opt/fids/input/ibis/tmp50p.txt

i get

scp: /QSYS.LIB/PHLIB.LIB/TMP50P.FILE: not a regular file

**Scott Klement** · January 16, 2015, 10:31 AM

Re: TCPFTP SSL tips

Bear in mind that OpenSSH is Unix software, and you are connecting to a Unix machine as well. So it's unlikely to work with stuff that only exists on IBM i, such as physical files.

OpenSSH is different software from the IBM FTP client, of course, and it will work a little bit differently. One of the interesting things about the IBM FTP client (that is different from any other FTP client that I've ever seen in my life) is that it will automatically convert physical file members to/from stream files during transfer. It will also do ascii/ebcdic conversion automatically under some circumstances. No other tools that I'm aware of will do these things.

So it's different. Not a big deal to learn to do something new, is it?

First of all, if you do want to try to send/receive directly to a physical file, you will need to specify the member. It simply won't work otherwise... keep in mind that the IFS thinks of *FILE objects as "directories", and inside those directories are the actual data objects, the members. So if you do try to go directly to a PF, you'll need to do something like /QSYS.LIB/PHLIB.LIB/TMP50P.FILE/TMP50P.MBR (assuming the member name is the same as the file name).

But, personally, I would recommend that you convert the file to a stream file before sending it, and convert from a stream file to a PF again when receiving it. Most likely, the Unix box is not storing the data in EBCDIC and in a database format, but rather it's most likely in a stream file format. Now, I'm just assuming that, here... but that's been my expeience with Unix.

So before sending via SSH, use something like CPYTOSTMF, CPYTOIMPF or Qshell's Rfile to convert the file to a stream file.

And after receiving, use CPYFRMSTMF, or CPYFRMIMPF or QShell's Rfile to convert back to a PF.

**Huddy** · January 20, 2015, 02:40 AM

Re: TCPFTP SSL tips

Thank you for the advice.. I'm always looking at learning new skills. Unfortunately, the legacy system i help support is rather old and whilst the core of it still functions as it should.. The problem is that it's left me behind over the years.

Anyway, i was beginning to think that the SFTP was looking specially for IFS so will try your tips above over the next few days.

My apologies for coming over rather "punchy".. that wasn't my intention.. merely frustration. The program i had create said it completed yet clearly didn't. I was just trying to locate a trace or log

one other question regarding you program examples.... when and where to you specify the target system user password if this is a batch process?

thanks

**Huddy** · January 21, 2015, 05:06 AM

Re: TCPFTP SSL tips

Hi,

So here's what ive done so far: trying to send a file from the iseries to the UNIX box...

I copied the iSeries file using CPYTOSTMF:

> CPYTOSTMF FROMMBR('/QSYS.LIB/PHLIB.LIB/TMPTEST.FILE/TMPTEST.MBR') TOSTMF(
test) STMFOPT(*ADD)
Object copied.

Although this said it copied to phlib, i can't see no object??

I then created the following CLP base on you guide. I have replaced the string gen with an rpg prgram as 1. it's easier and 2. this will be generated from file attributes as some point so start as i mean to go on.

Code:

         PGM                                                        
         DCL        VAR(&CMD) TYPE(*CHAR) LEN(200)                  
                                                                    
         CALL       PGM(PHLIB/FREE11G) PARM(&CMD)                   
                                                                    
         ADDENVVAR  ENVVAR(QIBM_QSH_CMD_OUTPUT) VALUE(NONE) +       
                      REPLACE(*YES)                                 
         ADDENVVAR  ENVVAR(QIBM_QSH_CMD_ESCAPE_MSG) VALUE(Y) +      
                      REPLACE(*YES)                                 
         QSH        CMD(&CMD)                                       
         MONMSG     MSGID(QSH0000) EXEC(DO)                         
         SNDMSG     MSG('FILE TRANSFER FAILED!') TOUSR(HUDSON)      
         ENDDO                                                      
         ENDPGM

Code:

/free                                                                 
  £string = 'PATH=$PATH:/QOPENSYS/USR/BIN && SCP ' +                  
            '/test ' +               
           'username@1.999.999.999:/opt/fids/input/ibis/test.txt';    
 *inlr = *on;                                                         
 Return;

when run from a command line i get the following in the job log:

call phlib/testsftp1
Environment variable added.
Environment variable added.
Command ended normally with exit status 127.

but i also get this

From . . . : HUDSON 21/01/15 10:51:31
FILE TRANSFER FAILED!

Any ideas what i'm doing wrong.. Thanks

Announcement

TCPFTP SSL tips

TCPFTP SSL tips

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment