Customers who are unable to use the z/OS FTP client for TLS authenticated connections to mft.bmc.com can use the OMVS shell and the /bin/sftp command to connect securely to mft.bmc.com. This requires some configuration of the OpenSSH environment in the user's OMVS segment.
Reference the following IBM documentation:
First you need to confirm that your TSO userid has a home directory, which is usually in either /home/tsoid or /u/tsoid:
- Use "TSO OMVS" to get to the unix shell;
- Enter "echo $HOME" to check your home path.
- If there is no home directory for your TSO userid, have your z/OS unix administrator create one for you.
Create a password file named askpass.sh in your home directory (or another directory used specifically for mft) with permissions 700:
Filename      Message    Type    Permission
------------------------------------------------
askpass.sh               File    rwx------
Edit the file to include a hashbang on line 1 and an echo command followed by your BMC Support Central password on line 2:
/u/tsoid/askpass.sh
********************************* Top of Data **********************************
#!/bin/bash
echo BMC_Support_Central_password
******************************** Bottom of Data ********************************
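Create a file named knownhosts.list in your .ssh directory with permissions 700 and add the hostnames and IP addresses to it (this is the file that scankey.sh reads; the .ssh directory itself is created in the next step):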
/u/tsoid/.ssh/knownhosts.list
********************************* Top of Data **********************************
mft.bmc.com
198.147.194.181
198.147.194.182
198.175.230.239
******************************** Bottom of Data ********************************
Create a .ssh directory in your home directory with permissions 700:
Filename      Message    Type    Permission
------------------------------------------------
.ssh                     Dir     rwx------
Copy /etc/ssh/ssh_config to a new file called /u/tsoid/.ssh/ssh_config.
Edit /u/tsoid/.ssh/ssh_config and insert these lines at the bottom of the file:
********************************* Top of Data **********************************
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
******************************** Bottom of Data ********************************
Create a /u/tsoid/scankey.sh file with permissions 700:
Filename      Message    Type    Permission
------------------------------------------------
scankey.sh               File    rwx------
Edit /u/tsoid/scankey.sh to include the following:
*************************************** Top of Data *****************************************
#!/bin/sh
###################
# Script Variables
###################
echo Start_Time="$(date)"
ssh-keyscan -t rsa,dsa,ecdsa -f /u/tsoid/.ssh/knownhosts.list > /u/tsoid/.ssh/known_hosts
************************************** Bottom of Data ***************************************
Execute the /u/tsoid/scankey.sh script to create the known_hosts file in your .ssh directory.
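scankey.sh overwrites known_hosts with whatever ssh-keyscan returns, so rerunning it silently trusts a changed host key. The following added example (not part of BMC's procedure) scans into a candidate file and leaves the trusted copy alone unless this is the first scan; the function names, the known_hosts.new file and the checkkeys.sh script name are assumptions.

```shell
#!/bin/sh
# Added example, not BMC's script. Function names and known_hosts.new are
# assumptions; the ssh-keyscan options are the ones scankey.sh uses.

# Print "host keytype key" lines from a known_hosts-style file, sorted,
# with comment and blank lines dropped.
normalize_keys() {
    grep -v '^#' "$1" | awk 'NF >= 3 { print $1, $2, $3 }' | sort -u
}

# Return 0 when every key in the candidate file ($2) is already present in
# the trusted file ($1); otherwise list the unrecognised keys and return 1.
keys_unchanged() {
    t="${TMPDIR:-/tmp}/trusted.$$"
    c="${TMPDIR:-/tmp}/candidate.$$"
    normalize_keys "$1" > "$t"
    normalize_keys "$2" > "$c"
    new=$(comm -13 "$t" "$c")
    rm -f "$t" "$c"
    [ -z "$new" ] && return 0
    printf 'Unrecognised host key:\n%s\n' "$new" >&2
    return 1
}

# Scan into a candidate file. First use: print fingerprints (compare them
# with values obtained from BMC out of band) and install. Later runs: keep
# the trusted file and fail if the server presents a key not seen before.
refresh_known_hosts() {
    dir=$1
    ssh-keyscan -t rsa,dsa,ecdsa -f "$dir/knownhosts.list" \
        > "$dir/known_hosts.new" && [ -s "$dir/known_hosts.new" ] || return 2
    if [ ! -s "$dir/known_hosts" ]; then
        ssh-keygen -l -f "$dir/known_hosts.new"   # fingerprints to verify
        mv "$dir/known_hosts.new" "$dir/known_hosts"
    elif keys_unchanged "$dir/known_hosts" "$dir/known_hosts.new"; then
        rm -f "$dir/known_hosts.new"              # nothing new to trust
    else
        echo "Review $dir/known_hosts.new; known_hosts was not replaced." >&2
        return 1
    fi
}

# Run as: sh checkkeys.sh /u/tsoid/.ssh   (checkkeys.sh is a hypothetical name)
if [ "$#" -eq 1 ]; then
    refresh_known_hosts "$1"
fi
```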
Create a /u/tsoid/tmp directory to hold files that are being copied from MVS to USS in the SFTP job; use permissions 700:
Filename      Message    Type    Permission
------------------------------------------------
tmp                      Dir     rwx------
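askpass.sh holds the Support Central password in clear text, so the 700 permissions set in the steps above are what keeps other users from reading it. This added check (not part of BMC's procedure; the function names and the checkperms.sh script name are assumptions) reports any of the paths created so far that is missing, owned by another uid, or open to group or other.

```shell
#!/bin/sh
# Added example, not BMC's script: audit the files and directories this
# procedure creates under the home directory.

# Classify one path: prints ok, missing, wrong-owner or too-open.
check_private() {
    # ls -ldn prints the mode string first and the numeric owner uid third.
    info=$(ls -ldn "$1" 2>/dev/null | awk '{ print $1, $3 }')
    [ -n "$info" ] || { echo missing; return 0; }
    mode=${info%% *}
    uid=${info##* }
    if [ "$uid" != "$(id -u)" ]; then
        echo wrong-owner
    elif [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        # Characters 5-10 of the mode string are the group and other bits.
        echo too-open
    else
        echo ok
    fi
}

# Check every path from the steps above; the return code is the number of
# paths that need attention.
audit_mft_setup() {
    base=$1
    failures=0
    for name in askpass.sh scankey.sh .ssh tmp; do
        result=$(check_private "$base/$name")
        printf '%-12s %s\n' "$result" "$base/$name"
        [ "$result" = ok ] || failures=$((failures + 1))
    done
    return "$failures"
}

# Run as: sh checkperms.sh /u/tsoid   (checkperms.sh is a hypothetical name)
if [ "$#" -eq 1 ]; then
    audit_mft_setup "$1"
fi
```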
You can use "TSO OMVS" to get to a unix prompt and then use "sftp name@company.com@mft.bmc.com 990" to test a connection.
Once you confirm that you can log in successfully, use the following sample JCL to test sending a file from your z/OS mainframe to mft.bmc.com.
//SFTP2MFT JOB CLASS=A,MSGCLASS=X,REGION=0M,NOTIFY=&SYSUID
/*JOBPARM SYSAFF=SYSNAME
//*------------------------------------------------------------------*
//* This job uses SFTP to upload a z/OS dsn to mft.bmc.com *
//* SYSAFF above must be system with the user's OMVS segment. *
//*------------------------------------------------------------------*
// EXPORT SYMLIST=(TEMP,PATH,CMDS,CASE,SDSN,TDSN,MODE)
// SET TEMP='/u/tsoid/tmp/' Temporary directory for file copy
// SET PATH='/u/tsoid/' Directory containing sftpCmds file
// SET CMDS='sftpCmds' File for unix and ftp commands
// SET USR='name@company.com' BMC Support Central Userid
// SET DEST='mft.bmc.com'
// SET CASE='########' BMC case number
// SET SDSN='HLQ.DATASET.NAME' Mainframe dataset to send
// SET TDSN=C&CASE..&SDSN Filename to create on mft.bmc.com
// SET MODE='ASCII' ASCII/BINARY
//*------------------------------------------------------------------*
//* OCOPY SFTP commands to USS file *
//*------------------------------------------------------------------*
//OCOPY EXEC PGM=IKJEFT01,COND=(0,LT)
//SYSTSPRT DD SYSOUT=*
//CMDSUSS DD PATH='&PATH.&CMDS',
// PATHDISP=(KEEP,DELETE),
// PATHOPTS=(OWRONLY,OCREAT),PATHMODE=(SIRWXU)
//CMDSMVS DD *,SYMBOLS=JCLONLY
echo $0
# Change local directory
lcd &TEMP
!pwd
LLS -l &TDSN
# Remove existing dataset from local system.
!rm &TDSN
# Copy mainframe dataset to local USS
!cp "//'&SDSN'" &TDSN
LLS -l &TDSN
# Create directory on mft.bmc.com
mkdir Case_&CASE
cd Case_&CASE
&MODE
# Check location on mft.bmc.com
pwd
# Remove existing dataset from mft.bmc.com
rm &TDSN
# Copy local dataset to mft.bmc.com
put &TDSN
LS -l &TDSN
# Remove dataset from local system.
!rm &TDSN
quit
/*
//SYSTSIN DD *
OCOPY INDD(CMDSMVS) OUTDD(CMDSUSS) TEXT CONVERT(YES) PATHOPTS(USE)
/*
//*------------------------------------------------------------------*
//* Execute commands using &USR and password in askpass.sh *
//* Use SYSTCPD DD below for an alternate TCP stack. *
//*------------------------------------------------------------------*
//STEPNAME EXEC PGM=BPXBATCH,COND=(0,LT),
// PARM=('sh sftp -vvv &USR.@&DEST')
//*SYSTCPD DD DISP=SHR,DSN=&TCPDATA
//SYSPRINT DD SYSOUT=*
//STDIN DD PATH='&PATH.&CMDS'
//STDOUT DD SYSOUT=*
//STDERR DD SYSOUT=*
//STDENV DD *,SYMBOLS=JCLONLY
DISPLAY=FOO
SSH_ASKPASS=&PATH.askpass.sh
/*
//*------------------------------------------------------------------*
//* DELETE SFTP CMD file *
//*------------------------------------------------------------------*
//DELWORK EXEC PGM=IEFBR14,COND=(0,LT)
//CMDSUSS DD PATHDISP=(DELETE,DELETE),PATH='&PATH.&CMDS'