Release Notes for SSH Tectia Server 6.0.0 for IBM z/OS

9 May 2008

(C) 2008 SSH Communications Security Corp.
This software is protected by international copyright laws. All Rights Reserved.

Table of Contents

1. About This Release
   1.1 The SSH Tectia Client/Server Solution
   1.2 SSH Tectia Server 6.0 for IBM z/OS
2. Key New Features in Version 6.0
3. Bug Fixes
4. Known Issues
5. Further Information

********************************************************************
NOTE
********************************************************************

SSH Tectia Server 6.0 for IBM z/OS introduces the new G3 client architecture, bringing several improvements and changes compared to the previous versions. Along with the architecture changes, the configuration file format used by the SSH Tectia Server for IBM z/OS client tools has been changed to a more flexible and robust XML format. Some of the command-line options have also been moved into the configuration file and are no longer available on the command line.

Migrating existing 5.5 and earlier installations of SSH Tectia Server for IBM z/OS will require planning and rewriting of the configuration files, and possibly some changes to the existing batch jobs. For instructions on migrating the configurations, please see the Migration Guide.

SSH Tectia Server 6.0 for IBM z/OS installs the binaries and configuration files to /opt/tectia, whereas version 5.5 and older installed to /usr/lpp/ssh and /etc/ssh2. Because of the new client architecture and the different installation location, SSH Tectia 5.5 for IBM z/OS and earlier versions cannot be directly upgraded to 6.0; a separate installation is required. The existing server host-key pair, hostkey and hostkey.pub in /etc/ssh2, can be automatically copied to /opt/tectia/etc/ to preserve the server identity.

For more detailed installation and upgrade instructions, please see the Administrator Manual.
********************************************************************

The transparent FTP tunneling and FTP-SFTP conversion features require that the host keys of the Secure Shell tunneling servers are stored based on the IP addresses of the servers before the feature is used. Host keys can be fetched and stored, for example, by using the ssh-keydist-g3 tool, which includes the option -i to store the keys automatically using the IP addresses of the hosts as well. The HOSTSAVE JCL example that is part of the SAMPLIB provided in the installation package uses ssh-keydist-g3 to store remote server host keys using both hostnames and IP addresses. If the server host keys are stored manually, ensure that the keys are stored using the IP addresses of the servers.

********************************************************************

Please read the license agreement located in the CD-ROM root before installing the software. If you are installing from the online package, the license agreement can be found under the doc directory in the extracted installation package.

Should you have any questions, please contact ssh.sales@ssh.com or your sales representative.

********************************************************************

All SSH Tectia Server for IBM z/OS user documentation is included in the online package and on the CD-ROM. Please refer to the SSH Tectia Server for IBM z/OS Administrator Manual for instructions on installing and removing the software.

********************************************************************

1. About This Release

1.1 The SSH Tectia Client/Server Solution

The SSH Tectia client/server solution 6.0 is an end-to-end communications security solution for multi-platform environments. It is based on the Secure Shell technology from the original developers.
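The host-key requirement in the NOTE box above is easy to get wrong when keys are stored by hand, so here is an added check (example code, not part of these release notes or the product): it confirms that each tunneling server in a host list has a key file under both its hostname and its IP address. It assumes key_<port>_<name>.pub file naming in a hostkeys directory and a constructed "hostname ip port" host list; neither is documented on this page.

```shell
#!/bin/sh
# Added example, not part of the SSH Tectia release notes or product: check that
# every tunneling server in a host list has its host key stored under BOTH its
# hostname and its IP address, as the NOTE above requires for transparent FTP
# tunneling and FTP-SFTP conversion.
#
# Assumptions (not stated on the page): stored keys are files named
# key_<port>_<name>.pub in a hostkeys directory, one per name the key was stored
# under, and the host list has one "hostname ip port" entry per line.

check_hostkeys() {
    dir=$1; list=$2; missing=0
    while read -r host ip port; do
        # skip blank lines and comment lines in the host list
        case $host in ''|'#'*) continue ;; esac
        for name in "$host" "$ip"; do
            if [ ! -f "$dir/key_${port}_${name}.pub" ]; then
                echo "missing: $dir/key_${port}_${name}.pub" >&2
                missing=$((missing + 1))
            fi
        done
    done < "$list"
    return "$missing"   # 0 only when every server has both key files
}

# Constructed sample data: sftp1 is stored by name and IP, sftp2 by name only.
demo_dir=$(mktemp -d)
for f in key_22_sftp1.example.com.pub key_22_192.0.2.10.pub key_22_sftp2.example.com.pub
do
    echo "constructed placeholder, not a real host key" > "$demo_dir/$f"
done
printf '%s\n' '# hostname ip port' \
    'sftp1.example.com 192.0.2.10 22' \
    'sftp2.example.com 192.0.2.11 22' > "$demo_dir/hosts.lst"

if check_hostkeys "$demo_dir" "$demo_dir/hosts.lst"; then
    echo "all host keys are stored by hostname and IP address"
else
    echo "add the missing IP-keyed entries before enabling FTP tunneling"
fi
rm -rf "$demo_dir"
```

The return value counts missing files, so a non-zero status names exactly which hostname or IP entries still have to be stored.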
The SSH Tectia client/server solution consists of four base products:

* SSH Tectia Client
* SSH Tectia ConnectSecure
* SSH Tectia Server
* SSH Tectia Server for IBM z/OS

SSH Tectia Client provides a traditional and powerful secure terminal and secure file transfer client to be used in conjunction with SSH Tectia Server or other Secure Shell servers to enable secure connectivity and file transfers in heterogeneous enterprise environments.

SSH Tectia ConnectSecure provides additional powerful features to transparently secure FTP file transfers and server connectivity. SSH Tectia ConnectSecure is designed especially for server-to-server file transfer security, and it introduces new features enabling enhanced, high-performance file transfers in conjunction with SSH Tectia Servers, third-party or OpenSSH servers in heterogeneous enterprise environments. SSH Tectia ConnectSecure replaces the EFT expansion packs for SSH Tectia Client and Server that were available in SSH Tectia version 5.x.

SSH Tectia Server provides secure terminal, secure file transfer, and tunneling server functionality for system administrators and other users of SSH Tectia Client and ConnectSecure.

1.2 SSH Tectia Server 6.0 for IBM z/OS

SSH Tectia Server 6.0 for IBM z/OS is a client/server solution designed for securing IBM z/OS mainframe connectivity. It provides transparent application tunneling for users of SSH Tectia Client and ConnectSecure, and secure terminal and secure file transfer functionality between IBM z/OS systems, and between IBM z/OS and distributed hosts.

For supporting secure file transfers between IBM z/OS systems, and between IBM z/OS and distributed hosts, SSH Tectia Server 6.0 for IBM z/OS provides a secure file transfer server to be used in conjunction with SSH Tectia Client and ConnectSecure, or other Secure Shell clients. The server provides support for direct secure file transfers to and from the MVS file system with configurable codeset translation.
The file transfer client applications of SSH Tectia Server for IBM z/OS provide support for direct secure file transfers to and from the MVS file system with configurable codeset translation. Client applications can be run interactively or from JCL. File transfer profiles and mainframe-specific file transfer commands, such as the SITE command, can be used to significantly improve file transfer usability and the user experience.

The client module of SSH Tectia Server 6.0 for IBM z/OS also provides the Transparent FTP Tunneling and FTP-SFTP Conversion features, which allow users to secure their FTP file transfers without any modifications to existing FTP jobs.

SSH Tectia Server 6.0 for IBM z/OS also provides secure system administration, enabling system administrators to remotely administer application servers and other resources over a secure connection. With this system, IT security administrators can manage dispersed resources without the fear that the system administration infrastructure itself will become compromised. In addition, SSH Tectia Server 6.0 for IBM z/OS allows large enterprises to begin securing their corporate business applications using SSH Tectia with minimum desktop software investments. SSH Tectia Server for IBM z/OS combines the SSH secure system administration functionality with transparent application tunneling for TN3270 users through SSH Tectia Client and ConnectSecure, providing complete transparency to the user and enabling secure application connectivity without any user intervention.

More information on the key features in SSH Tectia Server 6.0 for IBM z/OS can be found in Section 3 and in the Product Description.

2. Key New Features in Version 6.0

* Enhanced G3 client architecture for better scalability and performance

* FTP-SFTP conversion
  - Transparent FTP to SFTP conversion for quick and easy FTP replacement. No changes are required to existing FTP jobs.
* New file transfer commands and parameters
  - site / locsite
  - ascii / binary, with configurable ASCII/EBCDIC conversion
  - conddisp
  - sunique (usable with FTP-SFTP conversion)

* MVS file transfer access controls
  - Possibility to limit users' access to their own MVS prefix, MVS file system or HFS

* New file transfer format to preserve trailing blanks

* Checkpoint/Restart in the Client module

3. Bug Fixes

The following SSH Tectia Server 5.5.1 for IBM z/OS bugs were fixed in version 6.0.0:

- ACLs for the files which are preserved at upgrade are now left intact.

- If the user's terminal access was denied, login succeeded with an expired password. Now login fails with an expired password if terminal access is not allowed.

- The process ID file left in the system during the IPL prevented the sshd2 server process from being started after the IPL. The PID file handling is now fixed.

- An additional 10 s timer was added to the SSHD2 server restart procedure to prevent occasional restart failures.

- The 2-gigabyte z/OS-to-z/OS file transfer limit is fixed by the new G3 client architecture.

- The new ssh-keydist-g3 now supports multiple -p options to define separate password files for each host. Separate password files can also be entered in the host-list file (as specified with option -H).

- All the error messages of the client applications are now displayed correctly in the EBCDIC format.

- The zos-saf EK provider now accepts more than one KEY(...) spec in the init string.

- Non-mainframe-generated Tectia 6.0 public keys can now be used on the mainframe without any manual conversions.

- The FTP tunneling feature can now be used also from the interactive sh shell. Previously it was possible only with the tcsh or bash shells.

- The file tag handling of the transferred files has been fixed. If files are transferred in binary mode, sft-server-g3 does not set the file tag (binary/EBCDIC/ASCII).
  If an HFS file is uploaded (written to an HFS partition) and binary file transfer is used (X=BIN), the HFS file is tagged as binary. If ASCII file transfer is performed (X=TEXT), the file is tagged with the given codeset.

- The dataset attributes are now preserved when transferring datasets between z/OS systems.

- The file transfer client applications, sftpg3 and scpg3, now correctly preserve the old dataset parameters when the dataset is overwritten.

- The sftpg3 file transfer client tool now supports local dataset listing.

- Client and server modules now support dataset aliases.

- Listing of aliases is now possible.

- ssh-cmpclient-g3 now automatically converts and tags private-key and certificate files.

- Users can now log in after a forced password change without first disconnecting.

- The setsid() message is no longer displayed on the console during the server startup.

- The file transfer truncation option (U=YES) now works also with files that do not have line feeds at the end of the record.

- The server no longer allows users to create world-writable directories and files. On some z/OS installations the server could be run with an empty umask, which caused some created HFS files to have insecure (world-writable) permissions. This is no longer possible.

- The client and server now set the Unix executable bits correctly.

- ssh-dummy-shell can now be used as a login shell for users restricted to file transfer only.

- Using an invalid option for the client applications now causes the client to output the usage and a non-zero exit value.

- ssh-keydist-g3 no longer creates duplicate entries in the identification file.

4. Known Issues

The following issues are currently known to exist in SSH Tectia Server 6.0.0 for IBM z/OS:

- sshg3 does not support one-shot-mode command-line TCP or FTP tunnels. Use ssh-socks-proxy for system-wide tunnels and ssh-broker-g3 for user-specific tunnels. More information and configuration instructions can be found in the Admin and User Manuals.
- The sftpg3 client fails to suspend (Ctrl-Z) gracefully when run from /bin/sh. Use tcsh or bash instead of /bin/sh, or avoid suspending the client.

- On some occasions, SSH Tectia Client 4.x and OpenSSH clients do not report errors if a file transfer to SSH Tectia Server for IBM z/OS fails. The client reports that the transfer was OK, but in reality the transfer might have failed. This error happens when the actual file transfer is completed successfully, but writing the data to the dataset or HFS file fails for some reason. For example, the file transfer might fail if the pre-allocated dataset size is not big enough. When the client closes the file, the server de-stages the data to the dataset. This fails, but SSH Tectia Client 4.x and OpenSSH clients ignore the return value of the close operation. SSH Tectia Client 5.x can report the error correctly.

- If a password is given on the command line, the process listing shows the password as part of the running process. Use either public-key authentication or a password stored in a file or dataset.

- When browsing MVS datasets in the SSH Tectia Client SFTP Windows GUI, dataset sizes are shown as 0 (for VSAM files the High Used RBA is shown; it is a good estimate of the number of data bytes).

- Multiple files cannot be transferred in parallel into a PDS. If an sftp client transfers files in parallel into a PDS, only the first file is copied successfully. The rest fail because the PDS is in use by the first file copy. This happens with third-party SecSh and older SSH Tectia (4.x, 5.1) clients. SSH Tectia 5.2 and later file transfer clients can detect the type of the dataset and transfer the members correctly. When using third-party SecSh and older SSH Tectia clients, a workaround is to use PDSE datasets.

- Empty datasets cannot be read when referred to by DD names.

- DD cards do not work with the sftp '-B' option with HFS files. sftpg3 does not accept HFS batch files if they are addressed by using a DD card.
  HFS batch files can be used by entering the path of the batch file directly in the sftp2 command. Alternatively, MVS datasets can be used, either by entering the dataset name directly in the sftp2 command or by addressing it with a DD card.

- HostCA and PKI trust anchors cannot be shared in ssh-certd.

- ssh-keygen-g3 does not tag certificates as binary when they are extracted from PKCS#12 or PKCS#7 packages. Before using the extracted certificates, tag them manually by using the command:

    chtag -b certificate.crt

5. Further Information

More information can be found in the man pages and in the SSH Tectia manuals, which are also available at http://www.ssh.com/support/.

Additional licenses can be purchased from our online store at http://www.ssh.com/company/sales/store/.

The End of Support and Maintenance dates of previous SSH Tectia mainframe product releases are:

- SSH Tectia Server for IBM z/OS 5.5 - October 2008
- SSH Tectia Server for IBM z/OS 5.4 - May 2008
- SSH Tectia Server for IBM z/OS 5.3 - End of Support reached