
Running Two SOCKS Proxies on a Dual TCP/IP Stack

In this example we have two users, SSHSP and SSHSPB, and two started tasks, SSHSP and SSHSPB, for two Tectia SOCKS Proxies:

  • SSHSP: this started task is assigned to user SSHSP and uses stack TCPIP:

    //STDENV  DD  DSN=<HLQ>.V650.PARMLIB(SSHENV),
    //            DISP=SHR
    //        DD  DSN=<HLQ>.V650.PARMLIB(TCPIP),DISP=SHR

    The TCP/IP stack name is specified using the _BPXK_SETIBMOPT_TRANSPORT environment variable that is set in <HLQ>.V650.PARMLIB(TCPIP):

    _BPXK_SETIBMOPT_TRANSPORT=TCPIP

  • SSHSPB: this started task is assigned to user SSHSPB and uses stack TCPIPB:

    //STDENV  DD  DSN=<HLQ>.V650.PARMLIB(SSHENV),
    //            DISP=SHR 
    //        DD  DSN=<HLQ>.V650.PARMLIB(TCPIPB),DISP=SHR 

The IP address of the SOCKS Proxy in stack TCPIP is 198.51.100.1, and the IP address of the SOCKS Proxy in stack TCPIPB is 198.51.100.2. The SOCKS Proxies are used to connect to remote servers at 203.0.113.1 and 203.0.113.2.


Figure D.1. Dual TCP/IP stack setup for Tectia SOCKS Proxy

You can run the two SOCKS proxies on a dual stack z/OS in two ways:

  • Using two SOCKS Proxy configuration files with different network listeners (see Example D.1)

  • Using one global SOCKS Proxy configuration file, and creating network listeners on both TCP/IP stacks' loopback address (see Example D.2). You can also use two separate SOCKS Proxy configuration files if you want to have different rules for the other stack connections.

Example D.1. Two configuration files with different network listeners

Add the following elements to the SSHSP configuration file (/u/SSHSP/.ssh2/ssh-socks-proxy-config.xml):

...
<profile name="dynamic-ftp"
         id="id1"
         host=""
         port="22"
         user="">
</profile>
...    
<!-- SOCKS proxy needs its own listener for SOCKS. -->
<tunnel  type="socks-proxy"
         listen-address="198.51.100.1"
         listen-port="1080"
         dst-port="0"
         profile="" />
...        
<rule    ip-address="203.0.113.1"
         ports="21"
         action="ftp-proxy"
         profile-id="id1"
         username-from-app="YES"
         hostname-from-app="YES"
         fallback-to-plain="NO" />
...

Add the following elements to the SSHSPB configuration file (/u/SSHSPB/.ssh2/ssh-socks-proxy-config.xml):

...
<profile name="dynamic-ftp"
         id="id1"
         host=""
         port="22"
         user="">
</profile>
...    
<!-- SOCKS proxy needs its own listener for SOCKS. -->
<tunnel  type="socks-proxy"
         listen-address="198.51.100.2"
         listen-port="1080"
         dst-port="0"
         profile="" />
...        
<rule    ip-address="203.0.113.2"
         ports="21"
         action="ftp-proxy"
         profile-id="id1"
         username-from-app="YES"
         hostname-from-app="YES"
         fallback-to-plain="NO" />
...

Define the IP addresses of the SOCKS Proxies in the socks.conf file:

sockd @=198.51.100.1 203.0.113.1 255.255.255.0
sockd @=198.51.100.2 203.0.113.2 255.255.255.0
direct 0.0.0.0 0.0.0.0

Example D.2. Network listeners on TCP/IP stacks' loopback address

Add the following elements to the global SOCKS Proxy configuration file (/opt/tectia/etc/ssh-socks-proxy-config.xml):

...
<profile name="dynamic-ftp"
         id="id1"
         host=""
         port="22"
         user="">
</profile>
...
<!-- SOCKS proxy needs its own listener for SOCKS. -->
<tunnel  type="socks-proxy"
         listen-address="127.0.0.1"
         listen-port="1080"
         dst-port="0"
         profile="" />
...
<rule    ip-address="203.0.113.*"
         ports="21"
         action="ftp-proxy"
         profile-id="id1"
         username-from-app="YES"
         hostname-from-app="YES"
         fallback-to-plain="NO" />
...

Create listeners on both TCP/IP stacks' loopback address (127.0.0.1) in the socks.conf file:

sockd @=127.0.0.1 203.0.113.1 255.255.255.255
sockd @=127.0.0.1 203.0.113.2 255.255.255.0
direct 0.0.0.0 0.0.0.0
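
The following is an added example, not part of the Tectia documentation or product: a cross-check that every socks.conf line pointing at a proxy's listener has a matching rule with fallback-to-plain="NO", covering both Example D.1 and Example D.2. The <config> wrapper element, the function names and the shell-style treatment of * in ip-address are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatch

# Constructed input: the SSHSP elements from Example D.1 inside a hypothetical
# <config> wrapper, so the fragment parses as one XML document.
PROXY_XML = """<config>
<tunnel type="socks-proxy" listen-address="198.51.100.1" listen-port="1080"
        dst-port="0" profile="" />
<rule ip-address="203.0.113.1" ports="21" action="ftp-proxy" profile-id="id1"
      username-from-app="YES" hostname-from-app="YES" fallback-to-plain="NO" />
</config>"""

# socks.conf lines from Example D.1.
SOCKS_CONF = """sockd @=198.51.100.1 203.0.113.1 255.255.255.0
sockd @=198.51.100.2 203.0.113.2 255.255.255.0
direct 0.0.0.0 0.0.0.0
"""

def parse_socks_conf(text):
    """Return (proxy, destination, mask) for each 'sockd @=' line."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0] == "sockd" and f[1].startswith("@="):
            entries.append((f[1][2:], f[2], f[3]))
    return entries

def check(proxy_xml, socks_conf):
    """Cross-check one proxy configuration against socks.conf; [] means consistent."""
    root = ET.fromstring(proxy_xml)
    listeners = {t.get("listen-address") for t in root.iter("tunnel")
                 if t.get("type") == "socks-proxy"}
    rules = list(root.iter("rule"))
    entries = parse_socks_conf(socks_conf)
    findings = []
    for proxy, dest, _mask in entries:
        if proxy not in listeners:
            continue  # this line targets the other stack's proxy
        # Assumption: '*' in ip-address behaves like a shell-style wildcard.
        hits = [r for r in rules if fnmatch(dest, r.get("ip-address", ""))]
        if not hits:
            findings.append(f"{dest}: sent to {proxy} but no <rule> matches")
        for r in hits:
            if r.get("fallback-to-plain", "").upper() != "NO":
                findings.append(f"{dest}: fallback-to-plain is not NO")
    for addr in sorted(listeners - {p for p, _, _ in entries}):
        findings.append(f"listener {addr}: no sockd line points at it")
    return findings
```

Run check() once per proxy configuration file against the shared socks.conf; each returned string names the destination or listener that does not line up.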
