Can I use SFTP to connect to mft.bmc.com?
Customers who are unable to use the z/OS FTP client for TLS authenticated connections to mft.bmc.com can use the OMVS shell and the /bin/sftp command to connect securely to mft.bmc.com. This requires some configuration of the OpenSSH environment in the user's OMVS segment. Reference the following IBM documentation:
Filename      Message  Type  Permission
------------------------------------------------
askpass.sh             File  rwx------

Edit the file to include a hashbang on line 1 and an echo command followed by your BMC Support Central password on line 2:

/u/tsoid/askpass.sh
********************************* Top of Data **********************************
#!/bin/bash
echo BMC_Support_Central_password
******************************** Bottom of Data ********************************

Create a file named ssh_knownhosts.list with permissions 700 and add the hostnames and IP addresses to it:

/u/tsoid/.ssh/knownhosts.list
********************************* Top of Data **********************************
mft.bmc.com
198.147.194.181
198.147.194.182
198.175.230.239
******************************** Bottom of Data ********************************

Create a .ssh directory in your home directory with permissions 700:

Filename      Message  Type  Permission
------------------------------------------------
.ssh                   Dir   rwx------

Copy /etc/ssh/ssh_config to a new file called /u/tsoid/.ssh/ssh_config.
Edit /u/tsoid/.ssh/ssh_config and insert these lines at the bottom of the file:

********************************* Top of Data **********************************
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,3des-cbc,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
******************************** Bottom of Data ********************************

Create a /u/tsoid/scankey.sh file with permissions 700:

Filename      Message  Type  Permission
------------------------------------------------
scankey.sh             File  rwx------

Edit /u/tsoid/scankey.sh to include the following:

*************************************** Top of Data *****************************************
#!/bin/sh
###################
# Script Variables
###################
echo Start_Time="$(date)"
ssh-keyscan -t rsa,dsa,ecdsa -f /u/tsoid/.ssh/knownhosts.list > /u/tsoid/.ssh/known_hosts
************************************** Bottom of Data ***************************************

Execute the /u/tsoid/scankey.sh script to create the ssh_known_hosts file in your .ssh directory.

Create a /u/tsoid/tmp directory to hold files that are being copied from MVS to USS in the SFTP job; use permissions 700:

Filename      Message  Type  Permission
------------------------------------------------
tmp                    Dir   rwx------

You can use "TSO OMVS" to get to a unix prompt and then use "sftp name@company.com@mft.bmc.com 990" to test a connection.

Once you confirm that you can log in successfully, use the following sample JCL to test sending a file from your z/OS mainframe to mft.bmc.com.

//SFTP2MFT JOB CLASS=A,MSGCLASS=X,REGION=0M,NOTIFY=&SYSUID
/*JOBPARM SYSAFF=SYSNAME
//*------------------------------------------------------------------*
//* This job uses SFTP to upload a z/OS dsn to mft.bmc.com           *
//* SYSAFF above must be system with the user's OMVS segment.        *
//*------------------------------------------------------------------*
// EXPORT SYMLIST=(TEMP,PATH,CMDS,CASE,SDSN,TDSN,MODE)
// SET TEMP='/u/tsoid/tmp/'        Temporary directory for file copy
// SET PATH='/u/tsoid/'            Directory containing sftpCmds file
// SET CMDS='sftpCmds'             File for unix and ftp commands
// SET USR='name@company.com'      BMC Support Central Userid
// SET DEST='mft.bmc.com'
// SET CASE='########'             BMC case number
// SET SDSN='HLQ.DATASET.NAME'     Mainframe dataset to send
// SET TDSN=C&CASE..&SDSN          Filename to create on mft.bmc.com
// SET MODE='ASCII'                ASCII/BINARY
//*------------------------------------------------------------------*
//* OCOPY SFTP commands to USS file                                  *
//*------------------------------------------------------------------*
//OCOPY    EXEC PGM=IKJEFT01,COND=(0,LT)
//SYSTSPRT DD SYSOUT=*
//CMDSUSS  DD PATH='&PATH.&CMDS',
//            PATHDISP=(KEEP,DELETE),
//            PATHOPTS=(OWRONLY,OCREAT),PATHMODE=(SIRWXU)
//CMDSMVS  DD *,SYMBOLS=JCLONLY
echo $0
# Change local directory
lcd &TEMP
!pwd
LLS -l &TDSN
# Remove existing dataset from local system.
!rm &TDSN
# Copy mainframe dataset to local USS
!cp "//'&SDSN'" &TDSN
LLS -l &TDSN
# Create directory on mft.bmc.com
mkdir Case_&CASE
cd Case_&CASE
&MODE
# Check location on mft.bmc.com
pwd
# Remove existing dataset from mft.bmc.com
rm &TDSN
# Copy local dataset to mft.bmc.com
put &TDSN
LS -l &TDSN
# Remove dataset from local system.
!rm &TDSN
quit
/*
//SYSTSIN  DD *
OCOPY INDD(CMDSMVS) OUTDD(CMDSUSS) TEXT CONVERT(YES) PATHOPTS(USE)
/*
//*------------------------------------------------------------------*
//* Execute commands using &USR and password in askpass.sh           *
//* Use SYSTCPD DD below for an alternate TCP stack.                 *
//*------------------------------------------------------------------*
//STEPNAME EXEC PGM=BPXBATCH,COND=(0,LT),
//            PARM=('sh sftp -vvv &USR.@&DEST')
//*SYSTCPD DD DISP=SHR,DSN=&TCPDATA
//SYSPRINT DD SYSOUT=*
//STDIN    DD PATH='&PATH.&CMDS'
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
//STDENV   DD *,SYMBOLS=JCLONLY
DISPLAY=FOO
SSH_ASKPASS=&PATH.askpass.sh
/*
//*------------------------------------------------------------------*
//* DELETE SFTP CMD file                                             *
//*------------------------------------------------------------------*
//DELWORK  EXEC PGM=IEFBR14,COND=(0,LT)
//CMDSUSS  DD PATHDISP=(DELETE,DELETE),PATH='&PATH.&CMDS'
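
The scankey.sh step above redirects ssh-keyscan output straight over known_hosts, so every rerun accepts whatever key the server presents, and askpass.sh holds a password in clear text. As an added example (not part of BMC's instructions; the function names are hypothetical and the key blobs are constructed placeholders), these shell functions compare a fresh scan with the pinned file, refuse to install it when a pinned key has changed, and check that a file has no group or other access:

```shell
#!/bin/sh
# Added example, not BMC's script. Function names are hypothetical.

# True only when group and other have no access (rwx------ or stricter).
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Compare a fresh ssh-keyscan result (CANDIDATE) with the pinned known_hosts.
# Prints "host keytype NEW" or "host keytype CHANGED"; nothing if identical.
changed_keys() {    # usage: changed_keys PINNED CANDIDATE
    awk 'FILENAME == ARGV[1] {
             if ($1 !~ /^#/ && NF >= 3) pin[$1 " " $2] = $3
             next
         }
         $1 !~ /^#/ && NF >= 3 {
             k = $1 " " $2
             if (!(k in pin))       print k, "NEW"
             else if (pin[k] != $3) print k, "CHANGED"
         }' "$1" "$2"
}

# Replace PINNED with CANDIDATE unless a pinned key changed; then keep PINNED.
install_if_unchanged() {    # usage: install_if_unchanged PINNED CANDIDATE
    [ -f "$1" ] || : > "$1"             # first run: nothing pinned yet
    diffs=$(changed_keys "$1" "$2")
    if printf '%s\n' "$diffs" | grep -q 'CHANGED$'; then
        printf '%s\n' "$diffs" >&2      # show what differs, install nothing
        return 1
    fi
    cp "$2" "$1" && chmod 600 "$1"
}

# Demo on constructed data: the key blobs are placeholders, not real host keys.
demo() {
    d=${TMPDIR:-/tmp}/hostkey_demo.$$
    mkdir "$d" || return 2
    printf 'mft.bmc.com ssh-rsa AAAAconstructedKEY1\n' > "$d/known_hosts"
    printf 'mft.bmc.com ssh-rsa AAAAconstructedKEY2\n' > "$d/candidate"
    install_if_unchanged "$d/known_hosts" "$d/candidate" 2>/dev/null
    rc=$?
    rm -rf "$d"
    return $rc
}

demo || echo "pinned host key differs from scan: known_hosts left untouched"
```

To use it with the layout above, send the ssh-keyscan output to a candidate file instead of known_hosts and call install_if_unchanged /u/tsoid/.ssh/known_hosts on that file; is_private /u/tsoid/askpass.sh confirms the password file is readable by its owner only.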