Release Notes for SSH Tectia Server 5.5.0 for IBM z/OS

5 October 2007

(C) 2007 SSH Communications Security Corp.
This software is protected by international copyright laws.
All Rights Reserved.

Table of Contents

1. About This Release
   1.1 The SSH Tectia Client/Server Solution
   1.2 SSH Tectia Server 5.5 for IBM z/OS
2. CD Contents
   2.1 Binaries
   2.2 Documentation
3. Key New Features in Version 5.5
4. Bug Fixes
5. Known Issues
6. Further Information

********************************************************************
NOTE
********************************************************************

The transparent FTP tunneling feature requires that the host keys of
the Secure Shell tunneling servers are stored based on the IP addresses
of the servers before the feature is used. Host keys can be fetched and
stored, for example, by using the ssh-keydist2 tool, which includes an
option -i to store the keys automatically also using the IP addresses
of the hosts. The HOSTSAVE JCL example that is part of SAMPLIB provided
in the installation package uses ssh-keydist2 to store remote server
host keys using both hostnames and IP addresses. If the server host
keys are stored manually, ensure that the keys are stored using the IP
address of the servers.

********************************************************************

The _BPX_SHAREAS functionality of client applications has been changed
in version 5.4.0. In versions before 5.4.0, the _BPX_SHAREAS variable
was set to MUST, but from version 5.4.0 it is by default set to NO.
When upgrading older versions to version 5.5.0, ensure that the SSHENV
and other environment files are updated to contain _BPX_SHAREAS=NO.

********************************************************************

Please read the license agreement located in the CD-ROM root before
installing the software. Should you have any questions, please contact
ssh.sales@ssh.com or your sales representative.
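The NOTE above makes IP-based host key storage a precondition for
transparent FTP tunneling. As an added example, not part of these
release notes or of SSH Tectia itself, the following POSIX shell script
checks a host key store for that precondition before the feature is
enabled. It assumes the plaintext key file naming key_<port>_<host>.pub
and port 22 for every server (assumptions to verify against the
Administrator Manual for your installation; keys stored in hashed
format are not handled), and the keystore it builds is constructed
sample data.

```shell
#!/bin/sh
# Added example; not part of the SSH Tectia release notes or product.
# Verifies that each tunneling server has a host key stored under its
# IP address, as required before transparent FTP tunneling is enabled.
# Assumptions (not stated on the page): plaintext key file naming
# key_<port>_<host>.pub in the keystore directory, and port 22 for
# every server. Hashed key file names are not handled.

# check_ip_hostkeys DIR "hostname ip" ["hostname ip" ...]
# Prints one line per server. Returns 0 when every server has an
# IP-based key file, 1 when at least one is missing.
check_ip_hostkeys() {
    dir=$1
    shift
    missing=0
    for pair in "$@"; do
        host=${pair%% *}
        ip=${pair##* }
        keyfile="$dir/key_22_$ip.pub"
        if [ -f "$keyfile" ]; then
            echo "ok      $host ($ip): $keyfile"
        else
            echo "MISSING $host ($ip): $keyfile"
            missing=1
        fi
    done
    return $missing
}

# make_sample_keystore DIR
# Builds a constructed keystore: ftpsrv1 is stored under both its
# hostname and its IP (as ssh-keydist2 -i would do), ftpsrv2 only
# under its hostname. The key bodies are placeholders, not real keys.
make_sample_keystore() {
    mkdir -p "$1"
    for name in ftpsrv1.example.net 192.0.2.10 ftpsrv2.example.net; do
        printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----' \
                      'Comment: "constructed placeholder, not a real key"' \
                      '---- END SSH2 PUBLIC KEY ----' > "$1/key_22_$name.pub"
    done
}

# Demonstration on the constructed keystore in a temporary directory.
demo_dir=$(mktemp -d)
make_sample_keystore "$demo_dir"
if check_ip_hostkeys "$demo_dir" \
        "ftpsrv1.example.net 192.0.2.10" \
        "ftpsrv2.example.net 192.0.2.11"; then
    echo "all tunneling servers have IP-based host keys"
else
    echo "store the missing keys (for example with ssh-keydist2 -i) before enabling tunneling"
fi
rm -rf "$demo_dir"
```

Run it against the real keystore by replacing the constructed directory
and host/IP pairs with the tunneling servers named in the FTP jobs; a
non-zero exit means at least one server would fail host key lookup when
the tunnel is opened by IP address.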
********************************************************************

Please refer to SSH Tectia Server for IBM z/OS Administrator Manual for
instructions on installing and removing the software.

********************************************************************

1. About This Release

1.1 The SSH Tectia Client/Server Solution

The SSH Tectia client/server solution is an end-to-end communications
security solution for multi-platform environments. It is based on the
Secure Shell technology from the original developers.

The SSH Tectia client/server solution consists of four product modules:

* SSH Tectia Server
* SSH Tectia Server for IBM z/OS
* SSH Tectia Client
* SSH Tectia Connector

The product modules are expandable with the following add-on packs:

* EFT Expansion Pack for SSH Tectia Server
* EFT Expansion Pack for SSH Tectia Client
* Tunneling Expansion Pack for SSH Tectia Server

SSH Tectia Server provides secure terminal, secure file transfer, and
tunneling server functionality for system administrators and other
users of SSH Tectia Client.

SSH Tectia Server with EFT Expansion Pack provides a secure file
transfer server to be used in conjunction with SSH Tectia Client with
EFT Expansion Pack to enable secure and reliable high-performance file
transfers in heterogeneous enterprise environments.

SSH Tectia Client with EFT Expansion Pack provides client-side SFTP
(Secure File Transfer Protocol) APIs, GUI, and command-line tools for
securing non-interactive and automated file transfers. SSH Tectia
Client with EFT Expansion Pack has been specifically designed for use
with SSH Tectia Server with EFT Expansion Pack, enabling secure and
reliable high-performance file transfers in heterogeneous enterprise
environments.

SSH Tectia Server with Tunneling Expansion Pack provides tunneling
server functionality for users of SSH Tectia Connector and secure
terminal and secure file transfer functionality for users of SSH
Tectia Client.
SSH Tectia Connector is designed to work exclusively with SSH Tectia
Server with Tunneling Expansion Pack and SSH Tectia Server for IBM z/OS
to provide completely transparent secure application connectivity
without any user intervention.

SSH Tectia Server for IBM z/OS includes the key functionality of the
server-side EFT Expansion Pack and server-side Tunneling Expansion Pack.

1.2 SSH Tectia Server 5.5 for IBM z/OS

SSH Tectia Server 5.5 for IBM z/OS is a client/server solution designed
for securing IBM z/OS mainframe connectivity. It provides transparent
application tunneling for users of SSH Tectia Connector, and secure
terminal and secure file transfer functionality between IBM z/OS
systems, and between IBM z/OS and distributed hosts.

SSH Tectia Server 5.5 for IBM z/OS provides secure system
administration, enabling system administrators to remotely administer
application servers and other resources using a secure connection. With
this system, IT security administrators can manage dispersed resources
without the fear that the system administration infrastructure itself
will become compromised.

For supporting secure file transfers between IBM z/OS systems, and
between IBM z/OS and distributed hosts, SSH Tectia Server 5.5 for IBM
z/OS provides a secure file transfer server to be used in conjunction
with SSH Tectia Client with EFT Expansion Pack, or other Secure Shell
clients, to enable secure and reliable high-performance file transfers
in heterogeneous enterprise environments. The server supports direct
secure file transfers to and from the MVS file system with configurable
codeset translation.

The file transfer client applications also support direct secure file
transfers to and from the MVS file system with configurable codeset
translation. Client applications can be run interactively or from JCL.
A profile setup can be used to significantly improve usability and the
user experience.
Profiles for different host and file types can be defined at server
and/or user level. The default profile also supports profile-defined
ASCII-EBCDIC translation when using the SSH Tectia Client GUI
drag-and-drop functionality.

SSH Tectia Server 5.5 for IBM z/OS also provides the Transparent FTP
Tunneling feature, which allows users to secure their FTP file
transfers without any modifications to existing FTP jobs.

In addition, SSH Tectia Server 5.5 for IBM z/OS allows large enterprises
to begin securing their corporate business applications using SSH
Tectia with minimum desktop software investments. SSH Tectia Server for
IBM z/OS combines the SSH secure system administration functionality
with transparent application tunneling for TN3270 users through SSH
Tectia Connector, the client software that is completely transparent to
the user and enables secure application connectivity without any user
intervention.

More information on the key features in SSH Tectia Server 5.5 for IBM
z/OS can be found in Section 3 and in the Administrator Manual.

2. CD Contents

Please refer to SSH Tectia Server for IBM z/OS Administrator Manual for
details on installation packages and step-by-step instructions on how
to install the product into the IBM z/OS environment.

2.1 Binaries

The latest binaries are version 5.5.0.

install/zos/
    Installation package for IBM z/OS.

2.2 Documentation

index.html
    The CD contents front page.

license.html, license.txt
    The license agreement in HTML and text formats.

releasenotes.txt
    This file.

doc/SSHTectiaServer_zOS_ProductDescription.pdf,
doc/SSHTectiaServer_zOS_ProductDescription_html/index.html
    Product Description for the SSH Tectia client/server solution in
    PDF and HTML formats.

doc/SSHTectiaServer_zOS_AdminManual.pdf,
doc/SSHTectiaServer_zOS_AdminManual_html/index.html
    Administrator Manual for SSH Tectia Server for IBM z/OS in PDF and
    HTML formats.
doc/SSHTectiaServer_zOS_Quickstart.pdf,
doc/SSHTectiaServer_zOS_Quickstart_html/index.html
    Quick Start Guide for SSH Tectia Server for IBM z/OS in PDF and
    HTML formats.

3. Key New Features in Version 5.5

Version 5.5.0 of SSH Tectia Server for IBM z/OS contains the following
new features:

* Transparent FTP Tunneling
  - Transparent FTP Tunneling allows users to secure their z/OS FTP
    file transfers without any modifications to existing FTP jobs.
  - Transparent FTP Tunneling can be used for interactive and batch
    file transfers.
  - Easy to configure either system-wide, per FTP job, or per user ID.
  - Possibility to fall back to plaintext FTP for easy migration.

* New options in ssh-keydist2
  - Option to automatically store the host keys in both hostname and
    IP address format.
  - Option to store the host keys in a system-wide keystore that is
    available to all users.
  - Option to store the host keys in plaintext format instead of
    hashed key format.

4. Bug Fixes

The following SSH Tectia Server 5.4.0 for IBM z/OS bugs were fixed in
version 5.5.0:

- Return code parsing problems in the SSZRED SAMPLIB member are now
  corrected.
- sftp2 no longer reports an error and exits if the dataset it tries
  to access is reserved by some other step in the same JCL job.
- ssh2 now honors the terminal type specified with the TERM
  environment variable.
- ssh-keydist now also accepts FB format datasets and datasets with
  line numbers.
- HOSTSAVE JCL output and error filenames are now corrected.
- ssh-keydist2 no longer erroneously creates a directory named ")" on
  Windows targets.
- The KEYDIST JCL sample referred to the ssh-keydist2 utility with the
  wrong pathname. The KEYDIST sample is now corrected.
- The server can now be stopped or restarted from the console without
  using the cancel command. Usage:

    s sshd2
    s sshd2,f=restart
    s sshd2,f=stop

- The syntax for defining HostKeyEkInitString is now corrected in the
  default server configuration file, sshd2_config.
- The server configuration option HostKey.Cert.Required can have the
  value "optional", which means that both the certificate and the
  public key in that certificate can be used in server authentication.
- The SFTP2BAT file transfer example had the wrong syntax for defining
  the batch file. The syntax is now corrected.
- The new file transfer option U= (RECORD_TRUNCATE) introduced in 5.4.2
  is now mentioned in the file transfer profile example file,
  ssh_ftadv_config.example.
- The use of the TZ variable is now more clearly described in the
  Administrator Manual.

5. Known Issues

The following issues are currently known in SSH Tectia Server 5.5.0
for IBM z/OS:

- SFTP file transfers do not work to a nonexistent dataset if the
  dataset name is a prefix of an existing dataset name. File transfers
  work if the dataset is pre-allocated or already exists. The problem
  occurs in file transfers to SSH Tectia Server on IBM z/OS. This
  problem is already fixed in SSH Tectia Client 5.3.3 on Unix and
  Windows.
- The current version does not support dataset aliases. Use real
  dataset names instead of aliases.
- The ssh-socks-proxy and ssh-scepclient manual pages are missing from
  the installation package. The manual pages are available in the
  Administrator Manual and on the SSH web site.
- The '--all' option does not work in the
  ssh-socks-proxy-ctl key-passphrase --passphrase-string=xxxx command.
  As a workaround, enter all key passphrases separately.
- On some occasions, SSH Tectia 4.x series and OpenSSH clients do not
  report errors if a file transfer to the mainframe server fails. The
  client reports that the transfer was OK, but in reality the transfer
  might have failed. This happens when the actual file transfer
  completes successfully, but writing the data to the dataset or HFS
  file fails for some reason. For example, the file transfer might fail
  if the pre-allocated dataset size is not big enough. When the client
  closes the file, the server de-stages the data to the dataset.
  This fails, but SSH Tectia 4.x and OpenSSH clients ignore the return
  value of the close operation. SSH Tectia 5.x clients report the error
  correctly.
- Some interrupt signals from 'ssh2', 'scp2', and 'sftp2' are written
  in ASCII to the terminal.
- If a password is given on the command line, the process listing
  shows the password as part of the running process. Use either
  public-key authentication or a password stored in a file or dataset.
- When browsing MVS datasets in the SSH Tectia Client SFTP Windows GUI,
  dataset sizes are shown as 0 (for VSAM files the High Used RBA is
  shown; it is a good estimate of the number of data bytes).
- In SSH Tectia Server 5.5 for IBM z/OS, dataset listing is only
  provided by the SFTP server. The 'sftp2' file transfer client
  application does not have this feature. In order to list local
  datasets in z/OS using the sftp2 client, connect to the local SFTP
  server. After the local connection, local datasets can be listed
  using a local command, e.g. 'lls'. For example:

    sftp2 username@remote_host
    sftp> lopen localhost
    sftp> lcd /__USER1.
    sftp> lls

- Command-line FTP tunneling cannot be used in an interactive sh shell.
  Use other shells such as tcsh or bash, or use non-interactive
  sessions for FTP tunneling.
- If files are transferred in binary mode, sft-server-g3 does not set
  the file tag (binary/EBCDIC/ASCII) automatically.
- A one-shot tunneling client forked to the background does not exit if
  it fails to open its listener. If TCP tunneling is used, ensure that
  every job has a unique TCP port assigned.
- Multiple files cannot be transferred in parallel into a PDS. If an
  sftp client transfers files in parallel into a PDS, only the first
  file is copied successfully. The rest fail because the PDS is in use
  by the first file copy. This happens with third-party SecSh and older
  SSH Tectia (4.x, 5.1) clients. SSH Tectia 5.2 and later file transfer
  clients can detect the type of the dataset and transfer the members
  correctly.
  When using third-party SecSh and older SSH Tectia clients, a
  workaround is to use PDSE datasets.
- Empty datasets cannot be read when referred to by DD names.
- DD cards do not work with the sftp '-B' option with HFS files. sftp2
  does not accept HFS batch files if addressed by using a DD card. HFS
  batch files can be used by entering the path of the batch file
  directly on the sftp2 command. Alternatively, MVS datasets can be
  used, either by entering the dataset name directly on the sftp2
  command or by addressing it using a DD card.
- HostCA and PKI trust anchors cannot be shared in ssh-certd.
- ssh-keygen2 does not tag certificates as binary when extracted from
  PKCS#12 or PKCS#7 packages. Before using the extracted certificates,
  tag the certificates manually by using the command:

    chtag -b certificate.crt

- The sftp2 client fails to suspend (Ctrl-Z) gracefully when run from
  /bin/sh. Use tcsh or bash instead of /bin/sh, or avoid suspending the
  client.
- The ssh2, sftp2, and scp2 clients fail to exit gracefully when
  interrupted (Ctrl-C) during authentication. This happens only in the
  /bin/sh shell. Use the tcsh or bash shell instead of /bin/sh.
- The sftp2 'put' command preserves the file timestamp attributes, even
  when the -p option is not given.
- If sftp2 or scp2 are used to overwrite existing datasets without
  additional options related to dataset formatting, and the dataset is
  referred to by using the DSN, the old dataset is first deleted and
  then re-allocated using the default dataset formatting. This might
  cause a situation where the new dataset attributes are different from
  the original. Workarounds:

  1. Define the dataset formatting using the Advice String or file
     transfer profiles. For example:

       sget file.txt /FTADV:O=FB,R=80///'USERID.JCLLIB(JCL1)'

  2. Re-allocate the dataset before the transfer using a DD card and
     use the card on the file transfer command.
     For example:

       sget trans.out //DD:ZOSDSN

- On large OpenSSH-client-initiated file transfers, SSH Tectia Server
  for IBM z/OS may report the error "Offset is beyond end of file".
  Despite the error message, the file is transferred correctly.

6. Further Information

More information can be found in the man pages and in the SSH Tectia
manuals, which are also available at http://www.ssh.com/support/.

Additional licenses can be purchased from our online store at
http://www.ssh.com/company/sales/store/.

The End of Support and Maintenance dates of previous SSH Tectia
mainframe product releases are:

- SSH Tectia Server 5.4 for IBM z/OS - April 2008
- SSH Tectia Server 5.3 for IBM z/OS - December 2007
- SSH Tectia Server 5.2 for IBM z/OS - Support and Maintenance has ended