AutoSys Workload Automation

  • 1.  Can the ESP Workload Automation Agent FTP Server use secure data connection?

    Posted May 12, 2017 09:53 AM

    I am currently involved in a project that requires an FTP Server to be set up on an ESP Agent on Windows.

    The FTP Client on the Mainframe is required to send files there using FTP/TLS.

    I successfully managed to get the connection to work using SSL Certificates, following all the instructions made by CA,

    however when using the ATTLS policy on the mainframe to use secure data connection (SECURE_DATACONN Private), the JCL Batch job fails with:

    EZA2904I Cannot set protection level to private
    EZA2906I Data connection protection is clear
    EZA2921I Unable to set data connection protection to required level private

    The transfer works only when the Secure_Dataconn is set to CLEAR.

    My question is whether the ESP FTP Server can use such a secure data connection.



  • 2.  Re: Can the ESP Workload Automation Agent FTP Server use secure data connection?

    Posted May 14, 2017 07:43 PM

    Hi Piotr,

     

    Do you see these messages just ahead of "EZA2904I Cannot set protection level to private"?

    EZA1701I >>> PROT P
    530 Not logged in.

    ...

    EZA1735I Std Return Code = 10221, Error Code = 00017

     

    Could you please try to update the FTP.DATA parm file on the mainframe to set SECURE_LOGIN to REQUIRED? This will cause the FTP client to validate the SSL certs (with SECURE_LOGIN set to NO_CLIENT_AUTH, the FTP server does not request the client certificate).

     

    Thank you,

    Chandru



  • 3.  Re: Can the ESP Workload Automation Agent FTP Server use secure data connection?

    Posted May 15, 2017 04:58 AM

    Hello Chandru,

    Thanks for your answer.

    Yes, I am getting the messages below right after the TLS/SSL handshake is successful:

    EZA1701I >>> AUTH TLS
    234 AUTH command OK. Initializing SSL connection.
    (...)
    EZA2895I Authentication negotiation succeeded
    FC1969 setdlevel: entered
    FC2138 setpbsz: entered
    EZA1701I >>> PBSZ 0
    200 PBSZ command OK. Protection buffer size set to 0.
    EZA1701I >>> PROT P
    530 Not logged in.
    FC2092 SETCEC code = 17
    EZA2904I Cannot set protection level to private
    EZA2906I Data connection protection is clear
    EZA2921I Unable to set data connection protection to required level private
    CZ1436 ftpClose: entered
    EZA1701I >>> QUIT
    221 Goodbye.


    Coding SECURE_LOGIN did not work, since, as stated in the IBM Knowledge Center, it needs EXTENSIONS TLS or EXTENSIONS AUTH, and coding either of those statements results only in their being dismissed:

    EZYFT76I EXTensions value AUTH not recognized (the same with TLS)

    or

    EZYFT47I Ignoring keyword "EXTENSIONS" - when adding EXTENSIONS AUTH_TLS



  • 4.  Re: Can the ESP Workload Automation Agent FTP Server use secure data connection?

    Posted May 15, 2017 07:26 PM

    Hi Piotr,

    Have you tried AUTH_TLS for EXTENSIONS as stated [here]

     

    AUTH_TLS

    Specifies that TLS authentication is supported. The server supports receiving the AUTH command with the following values:

    • TLS: When the server successfully processes the AUTH TLS command and completes the handshake with the FTP client, the control connection is protected by TLS.
    • TLS-C: When the server successfully processes the AUTH TLS-C command and completes the handshake with the FTP client, the control connection is protected by TLS.
    • TLS-P: When the server successfully processes the AUTH TLS-P command and completes the handshake with the FTP client, the control connection is protected by TLS. The server also implicitly protects all data connections.
    • SSL: When the server successfully processes the AUTH SSL command and completes the handshake with the FTP client, the control connection is protected by TLS. The server also implicitly protects all data connections.

    Restriction: This parameter applies to the server only.

    Results:

    • This parameter also enables server support for the PROT and PBSZ commands.
    • Server support for TLS-secured sessions is affected by the TLSRFCLEVEL setting.

     

    Thank you,

    Chandru



  • 5.  Re: Can the ESP Workload Automation Agent FTP Server use secure data connection?

    Posted May 16, 2017 10:25 AM

    Hi Chandru,

    Yes, I tried, but no matter which EXTENSIONS value I add to the ftp.data, I receive:

     

    EZYFT47I dd:SYSFTPD=(MY FTP DATA FILE) file, line 51: Ignoring keyword "EXTENSIONS".

    The same with SECURE_LOGIN Required:

    EZYFT47I dd:SYSFTPD=(MY FTP DATA FILE) file, line 55: Ignoring keyword "SECURE_LOGIN".

     

    I think that, because I am using TLSMECHANISM ATTLS, it is ignoring them.

    Here are some of my ftp data settings:

    SECURE_DATACONN Private                 
    SECURE_FTP Required
    EXTENSIONS AUTH_TLS
    SECURE_LOGIN Required         
    SECURE_MECHANISM TLS                    
    SECUREIMPlicitzos False               
    TLSMECHANISM  ATTLS

     

    I am still getting the full TLS handshake before this:

    220 Workload Automation Agent FTP server ready
    GU5348 ftpSetApplData: entered
    FC0272 ftpAuth: security values: mech=TLS, tlsmech=ATTLS, tlsreuse=N, sFTP=R, sCC=C, sDC=P
    FC2912 ftpAuthAttls: AT-TLS policy set as application controlled.
    FU2210 TTLSRule: FTP-Client-Port2021~1
    FU2216 TTLSGroupAction: gAct1~FTP-Client
    FU2222 TTLSEnvironmentAction: eAct1~FTP-Client
    FU2229 TTLSConnectionACtion: cAct1~FTP-Client
    EZA1701I >>> AUTH TLS
    234 AUTH command OK. Initializing SSL connection.
    FC3071 authServerAttls: Start Handshake
    FC3102 authServerAttls: FIPS140 not enabled
    FC3126 authServerAttls: Using TLSv1.2 protocol
    FC3137 authServerAttls: SSL cipher: 0035
    FU1925 getCtrlConnCertAttls: Request certificate, size 1701
    FU2523 getSessionIdAttls: Issuing SIOCTTLSCTL to get decoded AT-TLS Session ID
    EZA2895I Authentication negotiation succeeded

     

    Only after this do I get the following:

     

    FC1969 setdlevel: entered
    FC2138 setpbsz: entered
    EZA1701I >>> PBSZ 0
    200 PBSZ command OK. Protection buffer size set to 0.
    EZA1701I >>> PROT P
    530 Not logged in.
    FC2092 SETCEC code = 17
    EZA2904I Cannot set protection level to private
    EZA2906I Data connection protection is clear
    EZA2921I Unable to set data connection protection to required level private
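
The trace above follows the explicit FTPS (RFC 4217) order: AUTH TLS, then PBSZ 0, then PROT P, all before USER/PASS. The following is an added example, not code from the thread, from CA or from IBM: it pairs each EZA1701I command line with the server reply that follows it, reports which security command the server refused and what data-connection level is therefore in force, and includes a small ftplib probe that reproduces the same pre-login command order against a server so the PROT P reply can be checked outside the batch job. The sample trace embedded in it is a constructed, abridged stand-in shaped like the one posted here, and the probe's host, port and CA file are parameters the caller supplies.

```python
# Added example (not from the thread or from CA/IBM): analyse a z/OS FTP client
# trace for the RFC 4217 negotiation, and reproduce the client's command order.
import ftplib
import re
import ssl
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample trace, shaped like the EZA1701I/reply lines in the thread
# (abridged). FC*/FU*/EZAnnnnI diagnostic lines are mixed in on purpose so the
# parser has to skip them.
SAMPLE_TRACE = """\
220 Workload Automation Agent FTP server ready
FC0272 ftpAuth: security values: mech=TLS, tlsmech=ATTLS, sDC=P
EZA1701I >>> AUTH TLS
234 AUTH command OK. Initializing SSL connection.
EZA2895I Authentication negotiation succeeded
FC2138 setpbsz: entered
EZA1701I >>> PBSZ 0
200 PBSZ command OK. Protection buffer size set to 0.
EZA1701I >>> PROT P
530 Not logged in.
EZA2904I Cannot set protection level to private
EZA1701I >>> QUIT
221 Goodbye.
"""

CMD_RE = re.compile(r"^EZA1701I >>> (\S+)(?:\s+(.*))?$")   # command sent by the client
REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")                 # numeric server reply

Exchange = Tuple[str, str, int, str]   # (command, argument, reply code, reply text)


def parse_trace(text: str) -> List[Exchange]:
    """Pair every client command (EZA1701I >>> ...) with the next numeric reply.
    Diagnostic lines and the 220 banner (which precedes any command) are skipped."""
    exchanges: List[Exchange] = []
    pending: Optional[Tuple[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CMD_RE.match(line)
        if m:
            pending = (m.group(1).upper(), (m.group(2) or "").strip())
            continue
        m = REPLY_RE.match(line)
        if m and pending is not None:
            exchanges.append((pending[0], pending[1], int(m.group(1)), m.group(2)))
            pending = None
    return exchanges


@dataclass
class ProtectionState:
    control_tls: bool = False          # AUTH TLS accepted (234), control connection protected
    pbsz_ok: bool = False              # PBSZ 0 accepted
    data_level: str = "C"              # PROT level in force: C (clear) or P (private)
    failed: Optional[Exchange] = None  # first security command the server refused


def check_rfc4217(exchanges: List[Exchange]) -> ProtectionState:
    """RFC 4217 order is AUTH TLS -> PBSZ 0 -> PROT P, and PROT may be issued
    before USER/PASS. Record what the server accepted and the first refusal."""
    st = ProtectionState()
    for ex in exchanges:
        cmd, arg, code, _ = ex
        if cmd not in ("AUTH", "PBSZ", "PROT"):
            continue
        if cmd == "AUTH" and code == 234:
            st.control_tls = True
        elif cmd == "PBSZ" and 200 <= code < 300:
            st.pbsz_ok = True
        elif cmd == "PROT" and 200 <= code < 300:
            st.data_level = arg.upper() or "C"
        elif st.failed is None:
            st.failed = ex   # e.g. ('PROT', 'P', 530, 'Not logged in.')
    return st


def probe_prot_before_login(host: str, port: int = 21, cafile: Optional[str] = None,
                            timeout: float = 10.0) -> str:
    """Live probe (needs network; not run offline): send AUTH TLS, PBSZ 0 and
    PROT P before any USER, as the z/OS client does, and return the server's
    reply line to PROT P. cafile is the CA that issued the server certificate
    (system trust store when None); certificate verification stays enabled."""
    ctx = ssl.create_default_context(cafile=cafile)
    ftps = ftplib.FTP_TLS(context=ctx, timeout=timeout)
    ftps.connect(host, port)
    try:
        ftps.auth()                          # AUTH TLS + handshake on the control connection
        ftps.sendcmd("PBSZ 0")
        try:
            return ftps.sendcmd("PROT P")    # "200 ..." if accepted before login
        except ftplib.error_perm as e:       # 5xx reply, e.g. "530 Not logged in."
            return str(e)
    finally:
        ftps.close()


if __name__ == "__main__":
    print(check_rfc4217(parse_trace(SAMPLE_TRACE)))
```

Run the analysis on a real trace by pasting the client output in place of the constructed sample; `failed` shows the first of AUTH/PBSZ/PROT that the server refused, and `data_level` stays "C" when PROT P was not accepted, which is what the EZA2906I message reports. The probe keeps TLS verification on; point `cafile` at the CA that issued the agent's server certificate rather than disabling checks.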



  • 6.  Re: Can the ESP Workload Automation Agent FTP Server use secure data connection?

    Posted May 16, 2017 08:00 PM

    Hi Piotr,

    Just noticed your Windows CA WA (ESP) System Agent is set up as an FTP Server (ftp.noserver=false). Can you please confirm this? And your Mainframe is the FTP client? I have had some success with using TLS (and certificates) when the CA WA System Agent is in FTP Client mode (ftp.noserver=true).

    The issue here could be the difference between the implicit FTPS and explicit FTPS.

    Robert McMurray - FTP Clients - Part 2: Explicit FTPS versus Implicit FTPS 

     

    Do you need the ESP Agent to operate in FTP server mode?

     

    Thank you,

    Chandru



  • 7.  Re: Can the ESP Workload Automation Agent FTP Server use secure data connection?

    Posted May 17, 2017 05:37 AM

    Hi Chandru,

    Yes, the transfer has to be initiated by the mainframe as the FTP client.

    I have already set up an ESP job that uses the Windows CA WA (ESP) System Agent as a client to connect to the Mainframe FTP Server via FTPS/TLS successfully.

    But the business need is to have a JCL-based batch job connect to the Windows agent and send the files.

    All that's missing for me is the data connection protection at the required level, private.