Release Notes for SSH Tectia Server 6.0.1 for IBM z/OS
16 July 2008

(C) 2008 SSH Communications Security Corp.
This software is protected by international copyright laws.
All Rights Reserved.

Table of Contents

1. About This Release
   1.1 The SSH Tectia Client/Server Solution
   1.2 SSH Tectia Server 6.0 for IBM z/OS
2. Key New Features in Version 6.0
3. Bug Fixes
4. Known Issues
5. Further Information

********************************************************************
NOTE
********************************************************************

Upgrade information
-------------------

Upgrading SSH Tectia Server 5.5 for IBM z/OS or earlier to 6.0.0 or 6.0.1.
--------------------------------------------------------------------------

SSH Tectia Server 6.0 for IBM z/OS introduces the new G3 client
architecture, bringing several improvements and changes to the previous
versions. Along with the architecture changes, the configuration file
format used by SSH Tectia Server for IBM z/OS client tools has been
changed to a more flexible and robust XML format. Some command-line
options have also been moved into the configuration and are no longer
available on the command line.

Migrating existing 5.5 and earlier installations of SSH Tectia Server
for IBM z/OS will require planning and rewriting of the configuration
files, and possibly some changes to the existing batch jobs. For
instructions on migrating the configurations, please see the Migration
Guide.

SSH Tectia Server 6.0 for IBM z/OS installs the binaries and
configuration files to /opt/tectia, whereas version 5.5 and older
installed to /usr/lpp/ssh and /etc/ssh2. Because of the new client
architecture and different installation location, SSH Tectia 5.5 for
IBM z/OS and earlier versions cannot be directly upgraded to 6.0, but a
separate installation is required. The existing server host-key pair,
hostkey and hostkey.pub in /etc/ssh2, can be automatically copied to
/opt/tectia/etc/ to preserve the server identity.
For more detailed installation and upgrade instructions, please see the
Administrator Manual.

Upgrading SSH Tectia Server 6.0.0 for IBM z/OS to 6.0.1
-------------------------------------------------------

Upgrading SSH Tectia Server 6.0.0 for IBM z/OS to 6.0.1 does not affect
the separate version 5.5 installation.

********************************************************************

Transparent FTP Tunneling and FTP-SFTP Conversion
-------------------------------------------------

The transparent FTP tunneling and FTP-SFTP conversion features require
that the host keys of the Secure Shell tunneling servers are stored
based on the IP addresses of the servers before the feature is used.

Host keys can be fetched and stored, for example, by using the
ssh-keydist-g3 tool, which includes an option -i to store the keys
automatically also using the IP addresses of the hosts. The HOSTSAVE
JCL example that is part of SAMPLIB provided in the installation
package uses ssh-keydist-g3 to store remote server host keys using both
hostnames and IP addresses.

If the server host keys are stored manually, ensure that the keys are
stored using the IP address of the servers.

********************************************************************

Please read the license agreement located in the CD-ROM root before
installing the software. If you are installing from the online package,
the license agreement can be found under the doc directory in the
extracted installation package. Should you have any questions, please
contact ssh.sales@ssh.com or your sales representative.

********************************************************************

All SSH Tectia Server for IBM z/OS user documentation is included in
the online package and on the CD-ROM. Please refer to SSH Tectia Server
for IBM z/OS Administrator Manual for instructions on installing and
removing the software.

********************************************************************

1. About This Release

1.1 The SSH Tectia Client/Server Solution

The SSH Tectia client/server solution 6.0 is an end-to-end
communications security solution for multi-platform environments. It is
based on the Secure Shell technology from the original developers.

The SSH Tectia client/server solution consists of four base products:

* SSH Tectia Client
* SSH Tectia ConnectSecure
* SSH Tectia Server
* SSH Tectia Server for IBM z/OS

SSH Tectia Client provides a traditional and powerful secure terminal
and secure file transfer client to be used in conjunction with SSH
Tectia Server or other Secure Shell servers to enable secure
connectivity and file transfers in heterogeneous enterprise
environments.

SSH Tectia ConnectSecure provides additional powerful features to
transparently secure FTP file transfers and server connectivity. SSH
Tectia ConnectSecure is designed especially for server-to-server file
transfer security and it introduces new features enabling enhanced,
high-performance file transfers in conjunction with SSH Tectia Servers,
third-party or OpenSSH servers in heterogeneous enterprise
environments. SSH Tectia ConnectSecure replaces the EFT expansion packs
for SSH Tectia Client and Server that were available in SSH Tectia
version 5.x.

SSH Tectia Server provides secure terminal, secure file transfer, and
tunneling server functionality for system administrators and other
users of SSH Tectia Client and ConnectSecure.

1.2 SSH Tectia Server 6.0 for IBM z/OS

SSH Tectia Server 6.0 for IBM z/OS is a client/server solution designed
for securing IBM z/OS mainframe connectivity. It provides transparent
application tunneling for users of SSH Tectia Client and ConnectSecure,
and secure terminal and secure file transfer functionalities between
IBM z/OS systems, and between IBM z/OS and distributed hosts.
For supporting secure file transfers between IBM z/OS systems, and
between IBM z/OS and distributed hosts, SSH Tectia Server 6.0 for IBM
z/OS provides a secure file transfer server to be used in conjunction
with SSH Tectia Client and ConnectSecure, or other Secure Shell
clients. The server provides support for direct secure file transfers
to and from the MVS file system with configurable codeset translation.

File transfer client applications of SSH Tectia Server for IBM z/OS
provide support for direct secure file transfers to and from the MVS
file system with configurable codeset translation. Client applications
can be run interactively or from JCL. File transfer profiles and
mainframe-specific file transfer commands, such as the SITE command,
can be used for significant improvement of the file transfer usability
and user experience.

The client module of SSH Tectia Server 6.0 for IBM z/OS also provides
Transparent FTP Tunneling and FTP-SFTP Conversion features that allow
users to secure their FTP file transfers without any modifications to
existing FTP jobs.

SSH Tectia Server 6.0 for IBM z/OS also provides secure system
administration, enabling system administrators to remotely administer
application servers and other resources using a secure connection. With
this system, IT Security Administrators can manage dispersed resources
without the fear that the system administration infrastructure itself
will become compromised.

In addition, SSH Tectia Server 6.0 for IBM z/OS allows large
enterprises to begin securing their corporate business applications
using SSH Tectia with minimum desktop software investments. SSH Tectia
Server for IBM z/OS combines the SSH secure system administration
functionality with transparent application tunneling for TN3270 users
through SSH Tectia Client and ConnectSecure, enabling complete
transparency to the user and secure application connectivity without
any user intervention.
More information on the key features in SSH Tectia Server 6.0 for IBM
z/OS can be found in Section 3 and in the Product Description.

2. Key New Features in Version 6.0

* Enhanced G3 client architecture for better scalability and
  performance
* FTP-SFTP conversion
  - Transparent FTP to SFTP conversion for quick and easy FTP
    replacement. No changes required to existing FTP jobs.
* New file transfer commands and parameters
  - site / locsite
  - ascii / binary, with configurable ASCII/EBCDIC conversion
  - conddisp
  - sunique (usable with FTP-SFTP conversion)
* MVS file transfer access controls
  - Possibility to limit users' access to their own MVS prefix, MVS
    file system or HFS
* New file transfer format to preserve trailing blanks
* Checkpoint/Restart in the Client module

3. Bug Fixes

The following SSH Tectia Server 6.0.0 for IBM z/OS bugs were fixed in
version 6.0.1:

- It was not possible to disable auditing in sft-server-g3. Option
  "--audit=yes|no" was accidentally removed. Now it is again available.
- File transfer clients and ftp-proxy did not understand the "fixrecfm"
  site parameter. This parameter is now supported.
- Server startup script now accepts the command line arguments
  correctly.
- Components ssh-broker-g3, ssh-socks-proxy and sft-server-g3 displayed
  and stored the log messages always using the UTC timestamp. This is
  now fixed.
- SFT server failed to delete GDG datasets in case file transfer was
  interrupted and "conddisp" was set to "delete". This is now fixed.
- DD cards did not work in file transfer clients, if they pointed to
  PDS/PDSE members. This is now fixed.
- Globally accepted hostkeys had wrong access permissions. This is now
  fixed.
- The CONDDISP attribute can now be used as an sftp-server-g3 option,
  and can be entered directly to the server configuration file as
  described in documentation.
- Trailing Blanks feature now works also with GDGs.
- Symlinks for the old binary names, e.g. ssh2, sftp2, ssh-keygen2, are
  now included in the installation.
- sftpg3 and scpg3 clients failed to connect to some of the old SFTP
  servers that are using SFTP protocol versions lower than 3. This is
  now fixed.
- ssh-keydist can now fetch hostkeys from GlobalScape servers.
- File transfer clients expanded remote user prefixes in a wrong way.
  Now clients let file transfer servers do the prefix expansion.
- If the server host has both RSA and DSS hostkeys, ssh-keydist now
  prefers DSS when fetching the server hostkey. The change was made to
  ensure compatibility with other SSH Tectia components that prefer DSS
  keys.
- In some situations, sftpg3 failed to start in JCLs in batchmode. This
  is now fixed.
- Compression level configuration did not affect the compression
  algorithm. Now the level changes the compression processing
  correctly.
- If clocks on the OCSP responder and the SSH host were different,
  certificate validation might fail during OCSP check. This is now
  fixed.
- Lines beginning with ";" in sftpg3 batch files were not handled as
  comments. This is now fixed.
- ssh-broker-g3 client component now uses and honors the
  end-point-identity check configuration option correctly.
- If the CRL Distribution Point had %20 signs, the client components
  failed to download the CRL. This is now fixed.
- Improvements in the ssh-keydist-g3 sanity checks and error
  diagnostics have been made.
- Several documentation enhancements and fixes have been made.
- Improvements in the server startup script error diagnostics have been
  made.

4. Known Issues

The following issues are currently known to exist in SSH Tectia Server
6.0.1 for IBM z/OS:

- The current server cannot read the authorization file that is used in
  public key authentication if the file is tagged as a TEXT file. If
  the authorization file is created e.g. on a Windows host and then
  transferred to z/OS, it will be automatically tagged as TEXT and the
  public key setup fails. In this case, the file must be manually
  untagged.
  If the authorization file is created on a z/OS server, the file is by
  default untagged and can be used without modifications.
- The write operation to a PDS member locks the PDS and no other
  connections to that PDS are possible during the transfer.
- IBM-EUCJC code set conversion is not possible on z/OS 1.8 and
  earlier. SSH Tectia uses iconv() for character set conversions.
  Iconv, in z/OS 1.8 and earlier releases, does not have a translation
  between IBM-EUCJC and UTF-8 or UCS-2. z/OS 1.9 supports the new
  Unicode services providing translations between IBM-EUCJC and all
  other codesets that support the same character set. The workaround
  for conversion between IBM-EUCJC and UTF-8 or UCS-2 on z/OS 1.8 and
  earlier is to manually generate new translation tables for iconv.
- Sftpg3 client fails to suspend (Ctrl-Z) gracefully when run from
  /bin/sh. Use tcsh or bash instead of /bin/sh or avoid suspending the
  client.
- ssh-keygen2 cannot save certificates from PKCS#7 and PKCS#12
  packages. If PKCS#7 or PKCS#12 are used, certificates need to be
  extracted with some other tool and then transferred to Mainframe as
  separate certificates.
- SFTPG3 does not accept HFS batch files if addressed by using the DD
  card. HFS batch files can be used by entering the path of the batch
  file directly to the sftpg3 command. Alternatively, MVS datasets can
  be used, either by entering the dataset name directly to the sftpg3
  command or by addressing it by using the DD card.
- Multiple files cannot be transferred in parallel into a PDS. If sftp
  client transfers files in parallel into a PDS, only the first file is
  copied successfully. The rest fail because PDS is in use by the first
  file copy. This happens with 3rd party and older SSH Tectia (4.x,
  5.1) clients. In SSH Tectia 5.2 file transfer clients can detect the
  type of the dataset and transfer the members correctly. When using
  3rd party and older SSH Tectia Clients, the workaround is to use PDSE
  datasets.
- When browsing MVS data sets in SSH Tectia Client SFTP Windows GUI,
  data set sizes are shown as 0 (for VSAM files the High Used RBA is
  shown; it is a good estimate of the number of data bytes).
- If a password is given on the command line, the process listing shows
  the password as a part of the running process. Use either public key
  authentication or a password stored in a file.
- On some occasions, SSH Tectia Client 4.x and OpenSSH clients do not
  report errors if a file transfer to SSH Tectia Server for IBM z/OS
  fails. The client informs that the transfer was OK, but in reality
  the transfer might have failed. This error happens when the actual
  file transfer is completed successfully, but writing the data to the
  dataset or HFS file fails for some reason. For example, the file
  transfer might fail if the pre-allocated dataset size is not big
  enough. When the client closes the file, the server de-stages the
  data to the dataset. This fails, but SSH Tectia Client 4.x and
  OpenSSH clients ignore the return value of the close operation. SSH
  Tectia Client 5.x can report the error correctly.

5. Further Information

More information can be found from the man pages and from the SSH
Tectia manuals, which are also available at
http://www.ssh.com/support/.

Additional licenses can be purchased from our online store at
http://www.ssh.com/company/sales/store/.

The End of Support and Maintenance dates of previous SSH Tectia
mainframe product releases are:

- SSH Tectia Server 5.5 for IBM z/OS - October 2008
- SSH Tectia Server 5.4 for IBM z/OS - End of Support reached
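
The last known issue in section 4 comes down to a client discarding the server's reply to its close request. The following is an added example, not SSH Tectia code and not part of the original release notes: a client-side check that reports an upload as stored only when the SSH_FXP_STATUS reply to the close carries SSH_FX_OK, including replies from servers older than SFTP version 3, which send no error text. The packet layout and constants follow the SFTP drafts; the function names, request ids and the "dataset full" text are constructed for illustration.

```python
import struct

SSH_FXP_STATUS = 101  # reply type the server sends to a close request
SSH_FX_OK = 0
SSH_FX_FAILURE = 4

class TransferError(Exception):
    """The server did not confirm that the file was stored."""

def build_status(request_id, code, message=None):
    """Build a constructed SSH_FXP_STATUS packet (sample input only)."""
    body = struct.pack(">BII", SSH_FXP_STATUS, request_id, code)
    if message is not None:  # message + language tag exist from version 3 on
        text = message.encode("utf-8")
        body += struct.pack(">I", len(text)) + text + struct.pack(">I", 0)
    return struct.pack(">I", len(body)) + body

def parse_status(packet):
    """Return (request_id, code, message) from one SSH_FXP_STATUS packet."""
    if len(packet) < 13:
        raise TransferError("truncated reply")
    length, ptype, request_id, code = struct.unpack(">IBII", packet[:13])
    if length != len(packet) - 4:
        raise TransferError("length field does not match packet size")
    if ptype != SSH_FXP_STATUS:
        raise TransferError("unexpected reply type %d" % ptype)
    rest, message = packet[13:], ""
    if rest:  # version 3 and later carry a message; older servers send none
        if len(rest) < 4:
            raise TransferError("truncated message field")
        (mlen,) = struct.unpack(">I", rest[:4])
        if len(rest) < 4 + mlen:
            raise TransferError("truncated message")
        message = rest[4:4 + mlen].decode("utf-8", "replace")
    return request_id, code, message

def confirm_close(close_request_id, reply):
    """Report success only if the reply to the close request is SSH_FX_OK."""
    request_id, code, message = parse_status(reply)
    if request_id != close_request_id:
        raise TransferError("reply belongs to request %d" % request_id)
    if code != SSH_FX_OK:
        raise TransferError("close failed, status %d: %s"
                            % (code, message or "no message"))
    return True

if __name__ == "__main__":
    # Constructed reply: the server could not store the data on close.
    print(parse_status(build_status(7, SSH_FX_FAILURE, "dataset full")))
```

A batch job built on such a check can exit non-zero when confirm_close raises, so a failed de-stage on the server is not recorded as a completed transfer.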