Release Notes for SSH Tectia Server 5.4.0 for IBM z/OS

12 April 2007

(C) 2007 SSH Communications Security Corp.
This software is protected by international copyright laws.
All Rights Reserved.

Table of Contents

1. About This Release
   1.1 The SSH Tectia Client/Server Solution
   1.2 SSH Tectia Server 5.4 for IBM z/OS
2. CD Contents
   2.1 Binaries
   2.2 Documentation
3. Key New Features in Version 5.4
4. Bug Fixes
5. Known Issues
6. Further Information

********************************************************************
NOTE
********************************************************************

Please read the license agreement located in the CD-ROM root before
installing the software. Should you have any questions, please contact
ssh.sales@ssh.com or your sales representative.

********************************************************************

The _BPX_SHAREAS functionality of client applications has been changed
in version 5.4.0. In previous versions, the _BPX_SHAREAS variable was
set to MUST, but in version 5.4.0 it is by default set to NO. When
upgrading to 5.4.0, ensure that the SSHENV and other environment files
are updated to contain _BPX_SHAREAS=NO.

********************************************************************

Please refer to the SSH Tectia Server for IBM z/OS Administrator Manual
for instructions on installing and removing the software.

1. About This Release

1.1 The SSH Tectia Client/Server Solution

The SSH Tectia client/server solution is an end-to-end communications
security solution for multi-platform environments. It is based on the
Secure Shell technology from the original developers.
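The upgrade note above requires _BPX_SHAREAS=NO in SSHENV and the other environment files, and the bug-fix list in Section 4 additionally requires an _BPX_BATCH_UMASK declaration in the started task's environment file. The following shell check is an added example, not part of the product, that audits such a file for both settings; it assumes one NAME=VALUE assignment per line, and the requirement that the umask clears the world-write bit is an added criterion derived from the world-writable-file fix in Section 4.

```shell
#!/bin/sh
# Added example, not part of SSH Tectia: audit an SSHENV-style environment
# file for the two settings these release notes call for after upgrading
# to 5.4.0. Assumed file format: one NAME=VALUE assignment per line,
# lines starting with '#' are comments, the last assignment wins.

# env_value FILE NAME: print the value assigned to NAME in FILE (empty if unset).
env_value() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# check_sshenv FILE: print one line per finding; return 0 if the file is
# acceptable, 1 if something must change before running 5.4.0.
check_sshenv() {
    file=$1
    rc=0

    # 1) _BPX_SHAREAS must be NO (MUST was the pre-5.4.0 default).
    shareas=$(env_value "$file" _BPX_SHAREAS)
    if [ "$shareas" != "NO" ]; then
        echo "$file: _BPX_SHAREAS is '${shareas:-unset}', expected NO"
        rc=1
    fi

    # 2) _BPX_BATCH_UMASK must be declared; an empty umask is what produced
    #    world-writable HFS files from the started task.
    um=$(env_value "$file" _BPX_BATCH_UMASK)
    if [ -z "$um" ]; then
        echo "$file: _BPX_BATCH_UMASK is not declared"
        rc=1
    else
        # Added criterion: the 'other' octal digit must include the write
        # bit (2); otherwise world-write is still not masked out.
        other=$(printf '%s' "$um" | tail -c 1)
        case $other in
            2|3|6|7) ;;
            *) echo "$file: _BPX_BATCH_UMASK=$um leaves world-write unmasked"; rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed sample files: a pre-5.4.0 file and a corrected one.
demo=$(mktemp -d)
printf '# pre-5.4.0 started task environment\n_BPX_SHAREAS=MUST\n' > "$demo/SSHENV.old"
printf '_BPX_SHAREAS=NO\n_BPX_BATCH_UMASK=0022\n' > "$demo/SSHENV.new"

check_sshenv "$demo/SSHENV.old" || echo "$demo/SSHENV.old: update before upgrading"
check_sshenv "$demo/SSHENV.new" && echo "$demo/SSHENV.new: OK"
rm -rf "$demo"
```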
The SSH Tectia client/server solution consists of four product modules:

* SSH Tectia Server
* SSH Tectia Server for IBM z/OS
* SSH Tectia Client
* SSH Tectia Connector

The product modules are expandable with the following add-on packs:

* EFT Expansion Pack for SSH Tectia Server
* EFT Expansion Pack for SSH Tectia Client
* Tunneling Expansion Pack for SSH Tectia Server

SSH Tectia Server provides secure terminal, secure file transfer, and
tunneling server functionality for system administrators and other
users of SSH Tectia Client.

SSH Tectia Server with EFT Expansion Pack provides a secure file
transfer server to be used in conjunction with SSH Tectia Client with
EFT Expansion Pack to enable secure and reliable high-performance file
transfers in heterogeneous enterprise environments.

SSH Tectia Client with EFT Expansion Pack provides client-side SFTP
(Secure File Transfer Protocol) APIs, GUI, and command-line tools for
securing non-interactive and automated file transfers. SSH Tectia
Client with EFT Expansion Pack has been specifically designed for use
with SSH Tectia Server with EFT Expansion Pack, enabling secure and
reliable high-performance file transfers in heterogeneous enterprise
environments.

SSH Tectia Server with Tunneling Expansion Pack provides tunneling
server functionality for users of SSH Tectia Connector and secure
terminal and secure file transfer functionality for users of SSH
Tectia Client.

SSH Tectia Connector is designed to work exclusively with SSH Tectia
Server with Tunneling Expansion Pack and SSH Tectia Server for IBM
z/OS to provide completely transparent secure application connectivity
without any user intervention.

SSH Tectia Server for IBM z/OS includes the key functionality of the
server-side EFT Expansion Pack and the server-side Tunneling Expansion
Pack.

1.2 SSH Tectia Server 5.4 for IBM z/OS

SSH Tectia Server 5.4 for IBM z/OS is a client/server solution designed
for securing IBM z/OS mainframe connectivity. It provides transparent
application tunneling for users of SSH Tectia Connector, and secure
terminal and secure file transfer functionality between IBM z/OS
systems, and between IBM z/OS and distributed hosts.

SSH Tectia Server 5.4 for IBM z/OS provides secure system
administration, enabling system administrators to remotely administer
application servers and other resources using a secure connection.
With this system, IT security administrators can manage dispersed
resources without the fear that the system administration
infrastructure itself will become compromised.

For supporting secure file transfers between IBM z/OS systems, and
between IBM z/OS and distributed hosts, SSH Tectia Server 5.4 for IBM
z/OS provides a secure file transfer server to be used in conjunction
with SSH Tectia Client with EFT Expansion Pack, or other Secure Shell
clients, to enable secure and reliable high-performance file transfers
in heterogeneous enterprise environments. The server provides support
for direct secure file transfers to and from the MVS file system with
configurable codeset translation.

File transfer client applications provide support for direct secure
file transfers to and from the MVS file system with configurable
codeset translation. Client applications can be run interactively or
from JCL. A profile setup can be utilized for a significant improvement
in usability and user experience. Profiles for different host and file
types can be defined at server and/or user level. The default profile
also supports profile-defined ASCII-EBCDIC translation when using the
SSH Tectia Client GUI drag-and-drop functionality.

In addition, SSH Tectia Server 5.4 for IBM z/OS allows large
enterprises to begin securing their corporate business applications
using SSH Tectia with minimum desktop software investments.
SSH Tectia Server for IBM z/OS combines the SSH secure system
administration functionality with transparent application tunneling
for TN3270 users through SSH Tectia Connector, the client software
that is completely transparent to the user and enables secure
application connectivity without any user intervention.

More information on the key features in SSH Tectia Server 5.4 for IBM
z/OS can be found in Section 3 and in the Administrator Manual.

2. CD Contents

Please refer to the SSH Tectia Server for IBM z/OS Administrator Manual
for details on installation packages and step-by-step instructions on
how to install the product into the IBM z/OS environment.

2.1 Binaries

The latest binaries are version 5.4.0.

install/zos/
    Installation package for IBM z/OS.

2.2 Documentation

index.html
    The CD contents front page.

license.html, license.txt
    The license agreement in HTML and text formats.

releasenotes.txt
    This file.

doc/SSHTectiaServer_zOS_ProductDescription.pdf,
doc/SSHTectiaServer_zOS_ProductDescription_html/index.html
    Product Description for the SSH Tectia client/server solution in
    PDF and HTML formats.

doc/SSHTectiaServer_zOS_AdminManual.pdf,
doc/SSHTectiaServer_zOS_AdminManual_html/index.html
    Administrator Manual for SSH Tectia Server for IBM z/OS in PDF and
    HTML formats.

doc/SSHTectiaServer_zOS_Quickstart.pdf,
doc/SSHTectiaServer_zOS_Quickstart_html/index.html
    Quick Start Guide for SSH Tectia Server for IBM z/OS in PDF and
    HTML formats.

3. Key New Features in Version 5.4

Version 5.4 of SSH Tectia Server for IBM z/OS contains the following
new features and enhancements:

* Support for Generation Data Groups (GDG)
  - SSH Tectia Server for IBM z/OS now supports handling and
    transferring GDG-format datasets.

* Support for System Management Facility (SMF)
  - Login and file transfer information can now be collected and
    stored as SMF type 119 records.
* OpenSSH key format support
  - SSH Tectia Server for IBM z/OS now supports the legacy OpenSSH
    public-key format used by IBM Ported Tools, eliminating the need
    for manual key conversions in multi-vendor Secure Shell
    environments. The OpenSSH key format is supported in both the
    client and server modules.

* Non-hashed remote server host keys
  - A new configuration option in the client module can be used to
    select between plaintext hostkey format and hashed hostkey format
    for storing remote host keys.

* FTP compatibility mode for 'put' and 'get' commands
  - The 'put' and 'get' commands of sftp2 can now be configured to
    work similarly to FTP.

* Exact byte count information of transferred file
  - File transfer clients now print out the exact byte count of the
    transferred file, which can be used, for example, in post
    processing to verify the file transfer jobs.

* Improved sftp2 error codes in batch processing
  - sftp2 now prints out possible error codes after each file transfer
    step, enabling easier error checking in large batch processes.

* Utility for automated distribution and setup of server host keys and
  user public keys
  - Can be run from the command line and from JCL
  - Examples for easy automated storing of server host keys
  - Examples for automated ways of setting up public-key user
    authentication

* Documentation enhancements
  - A new Quick Start Guide contains instructions for getting the
    system up and running, setting up server and user authentication
    for non-interactive file transfers, and configuring file transfers
    using JCL.
  - A file transfer example JCL procedure and REXX functions are
    provided for easier JCL execution.
  - New chapters and examples for remote command and job execution,
    and for securing TCP applications using Secure Shell tunneling.

4. Bug Fixes

The following SSH Tectia Server 5.3.0 for IBM z/OS bugs were fixed in
version 5.4.0:

- sshd2 goes into a CPU loop.
  If the TCP/IP stack is stopped while the SSH Tectia server is
  running, the server used to enter a tight CPU loop. Now sshd2 exits
  cleanly when the TCP/IP stack is stopped. Further, a new sshd2_config
  option ListenerRetryInterval has been implemented to make it possible
  for sshd2 to be more persistent: when the TCP/IP stack is shut down,
  sshd2 can keep on polling for a new listener at specified intervals.

- File transfer server loops if the ftadv string has misconfigured
  line delimiter options.
  In previous versions, the file transfer server looped if line
  delimiter conversion options were entered only partially, for
  example: ftadv contained J, but no I. Now the server reports an
  error and does not loop.

- Man pages under TSO ISH are not formatted correctly.
  Man pages can now be viewed correctly also from TSO ISH.

- Some SAMPLIB examples use IKJEFT01, but IKJEFT1A should be used
  instead.
  Now all the examples use IKJEFT1A.

- sftp2 exit values are missing from man pages and documentation.
  Exit values are now added to the man pages and documentation.

- Dataset listing fails if the defined qualifier contains migrated or
  archived datasets.
  Dataset listing now works even if the defined qualifier contains
  migrated/archived datasets.

- sftp2 sget --overwrite=no gives RC 0 when trying to overwrite a file
  that already exists.
  Now the command line client returns exit code 1. When running from
  JCL, the return code is 256.

- ftp's default value is "--overwrite=no", but the Tectia sget default
  is "--overwrite=yes".
  Now the SSH_SFTP_OVERWRITE environment variable can be set to define
  the default overwrite action.

- sftp2 and scp2 clients do not report an error if a
  mainframe-to-mainframe file transfer fails.
  Now unsuccessful mainframe-to-mainframe file transfers are reported
  correctly.

- SftpSysLogFacility is ignored.
  Now the syslog facility used by the file transfer server
  (sft-server-g3) can be set with the SftpSysLogFacility configuration
  variable in the sshd2 configuration.

- setup.sh does not set /usr/lpp/ssh2/ access rights correctly.
  Now the installation procedure forces /usr/lpp/ssh2/ access rights
  to 755.
- ssh2, sftp2, and scp2 cannot use a password from a dataset.
  Now the client applications can also read password information from
  a sequential dataset or dataset member.

- Server pid file is world-writable.
  Now the server pid file access rights are set correctly.

- Server creates world-writable directories.
  On some z/OS installations the server could be run as a started task
  with an empty umask, which caused some created HFS files to have
  insecure (world-writable) permissions. If upgrading to this release,
  you must verify that the environment file used by your sshd2 started
  task script (originally called SSHENV in the SAMPLES directory)
  contains an appropriate _BPX_BATCH_UMASK declaration.

- Dataset listing fails if catalog entries are in volumes that are not
  mounted.
  Now the dataset listing works even when the catalog entries are in
  unmounted volumes.

- sshd2 is not stopped during uninstall.
  Now the uninstallation procedure shuts down the master server
  process. Existing connections are not disconnected.

- Wrong exit code when transferring new datasets.
  This behavior was caused by the _BPX_SHAREAS=MUST environment
  variable that was required when DD cards were used to address the
  dataset on scp2 or sftp2 commands. Now the functionality of client
  applications is fixed to work correctly with _BPX_SHAREAS=NO, and
  the value _BPX_SHAREAS=NO must be used in all cases. The default
  SSHENV environment variable file now sets the _BPX_SHAREAS variable
  to NO. In previous versions _BPX_SHAREAS was set to MUST. When
  _BPX_SHAREAS is set to NO, BPXBATSL should be used instead of
  BPXBATCH. BPXBATSL is mandatory if datasets are referred to using DD
  cards.

- Changing the _BPX_SHAREAS variable has some unknown effects on file
  transfers.
  The functionality of client applications is now fixed to work
  correctly with _BPX_SHAREAS=NO, and the value _BPX_SHAREAS=NO must
  be used in all cases. For compatibility reasons client applications
  also work using _BPX_SHAREAS=MUST, but it is recommended to change
  it to NO.
- Key distribution tool update.
  The former sample script ssh-userkeygendist2.sh is promoted to a
  supported tool and is now installed as
  /usr/lpp/ssh2/bin/ssh-keydist2.

- FTP comments ( ; ) are not handled as comments in SFTP.
  Now lines beginning with ; or # are handled as comments and ignored.

5. Known Issues

The following issues are currently known in SSH Tectia Server 5.4.0
for IBM z/OS:

- On some occasions, SSH Tectia 4.x series and OpenSSH clients do not
  report errors if a file transfer to the mainframe server fails. The
  client reports that the transfer was OK, but in reality the transfer
  might have failed. This error happens when the actual file transfer
  is completed successfully, but writing the data to the dataset or
  HFS file fails for some reason. For example, the file transfer might
  fail if the pre-allocated dataset size is not big enough. When the
  client closes the file, the server de-stages the data to the
  dataset. This fails, but SSH Tectia 4.x and OpenSSH clients ignore
  the return value of the close operation. SSH Tectia 5.x clients
  report the error correctly.

- ssh2, sftp2, and scp2 clients fail to exit gracefully when exited
  (Ctrl-C) during authentication. This happens only in the /bin/sh
  shell. Use the tcsh or bash shell instead of /bin/sh.

- Some interrupt signals from 'ssh2', 'scp2', and 'sftp2' are written
  in ASCII to the terminal.

- If the password is given on the command line, the process listing
  shows the password as part of the running process. Use either
  public-key authentication or a password stored in a file.

- When browsing MVS datasets in the SSH Tectia Client SFTP Windows
  GUI, dataset sizes are shown as 0 (for VSAM files the High Used RBA
  is shown; it is a good estimate of the number of data bytes).
- In SSH Tectia Server 5.4 for IBM z/OS, dataset listing is only
  provided by the SFTP server. The 'sftp2' file transfer client
  application does not have this feature. In order to list local
  datasets in z/OS using the sftp2 client, connect to the local SFTP
  server. After the local connection, local datasets can be listed
  using a local command, e.g. 'lls'. For example:

      sftp2 username@remote_host
      sftp> lopen localhost
      sftp> lcd /__USER1.
      sftp> lls

- FTP tunneling cannot be used in an interactive sh shell. Use other
  shells like tcsh or bash, or use non-interactive sessions for FTP
  tunneling.

- If files are transferred in binary mode, sft-server-g3 does not set
  the file tag (binary/EBCDIC/ASCII).

- A one-shot tunneling client forked to the background does not exit
  if it fails to open its listener. If TCP tunneling is used, ensure
  that every job has a unique TCP port assigned.

- Multiple files cannot be transferred in parallel into a PDS. If an
  sftp client transfers files in parallel into a PDS, only the first
  file is copied successfully. The rest fail because the PDS is in use
  by the first file copy. This happens with third-party and older SSH
  Tectia (4.x, 5.1) clients. In SSH Tectia 5.2, file transfer clients
  can detect the type of the dataset and transfer the members
  correctly. When using third-party and older SSH Tectia clients, a
  workaround is to use PDSE datasets.

- Empty datasets cannot be read when referred to by DD names.

- DD cards do not work with the sftp '-B' option with HFS files. sftp2
  does not accept HFS batch files if addressed by using a DD card. HFS
  batch files can be used by entering the path of the batch file
  directly on the sftp2 command. Alternatively, MVS datasets can be
  used, either by entering the dataset name directly on the sftp2
  command or by addressing it using a DD card.

- HostCA and PKI trust anchors cannot be shared in ssh-certd.

- ssh-keygen2 does not tag certificates as binary when extracted from
  PKCS#12 or PKCS#7 packages.
  Before using the extracted certificates, tag the certificates
  manually by using the command:

      chtag -b certificate.crt

- The sftp2 client fails to suspend (Ctrl-Z) gracefully when run from
  /bin/sh. Use tcsh or bash instead of /bin/sh, or avoid suspending the
  client.

- scp2 and sftp2 return a wrong exit code (exit code 8, RC=2048 in
  JCL) on successful file transfers when the destination dataset is
  new and allocated during the file transfer. If the dataset already
  exists or is preallocated, scp2 and sftp2 return the correct exit
  code (0). This behavior is caused by the _BPX_SHAREAS=MUST
  environment variable that is required when DD cards are used to
  address the dataset on scp2 or sftp2 commands. The workaround is to
  change _BPX_SHAREAS to NO. However, this disables the functionality
  to use DD cards on scp2 and sftp2 commands.

- The sftp2 'put' command preserves the file timestamp attributes,
  even when the -p option is not given.

- If sftp2 or scp2 are used to overwrite existing datasets without
  additional options related to dataset formatting, and the dataset is
  referred to by using the DSN, the old dataset is first deleted and
  then re-allocated using the default dataset formatting. This might
  cause a situation where the new dataset attributes are different
  from the original. Workarounds:

  1. Define the dataset formatting using the Advice String or file
     transfer profiles. For example:

         sget file.txt /FTADV:O=FB,R=80///'USERID.JCLLIB(JCL1)'

  2. Re-allocate the dataset before the transfer using a DD card and
     use the card on the file transfer command. For example:

         sget trans.out //DD:ZOSDSN

- scp2 sometimes exits with code 0, even though the file transfer
  fails. This might happen if ssh2 fails to connect to the Secure
  Shell server.

6. Further Information

More information can be found from the man pages and from the SSH
Tectia manuals, which are also available at http://www.ssh.com/support/.

Additional licenses can be purchased from our online store at
http://www.ssh.com/company/sales/store/.

The End of Support and Maintenance dates of previous SSH Tectia
mainframe product releases are:

- SSH Tectia Server 5.3 for IBM z/OS - December 2007
- SSH Tectia Server 5.2 for IBM z/OS - June 2007
- SSH Tectia Server (M) 5.1 - Support and Maintenance has ended
- SSH Tectia Server (M) 5.0 - Support and Maintenance has ended