Tectia SSH Server for IBM z/OS Product Updates
Release notes for Tectia Server for IBM z/OS
Tectia SSH Server 6.7.0 for IBM z/OS
2023-04-17
Table of Contents
1. About This Release
2. Tectia SSH Server 6.7.0 for IBM z/OS
3. New Features
4. Bug Fixes
5. Known Issues
6. Further Information
NOTE:
License policy
Tectia SSH Server for IBM z/OS and the SSH client tools require valid licenses that are provided separately. Please contact your sales representative if you have not received your licenses.
Upgrade information
It's no longer necessary to remove the license_ssh2.dat file or symlink before upgrading.
Upgrading from Tectia SSH Server for IBM z/OS 6.6.10 or earlier
Customers upgrading from v6.6.10 or earlier releases should consider granting read access to the installer user for profile BPX.FILEATTR.APF in class FACILITY as listed in job X01IUSR.
PERMIT BPX.FILEATTR.APF CLASS(FACILITY) ID(username) ACCESS(READ)
This access grants the installer the authorization needed to install the Tectia SSH Server program sshd2 so that it can use the mainframe zIIP processor.
Upgrading from Tectia SSH Server for IBM z/OS 6.6.5 or earlier
Customers upgrading from v6.6.5 or earlier releases should change all sftp scripts that use the ftadv string F=record,J=MVS-FTP to F=record,J=MVS in order to maintain records with a four-byte length prefix.
Upgrading from Tectia SSH Server for IBM z/OS 6.6 or earlier
To eliminate the dependency on the z/OS USS special file /dev/random, the Tectia SSH Server and Client programs use the ICSF callable service to generate random numbers. If the ICSF callable service is controlled by SAF, please ensure that READ access to profile CSFRNG in class CSFSERV is granted to all users (including sshd2) that will use the Tectia SSH Server and Client programs.
Upgrading from Tectia SSH Server for IBM z/OS 6.4 or earlier
To make the file transfer advice string and site command parameters consistent, many of them were modified in the 6.4.x releases. Please check the currently available parameter names and their abbreviations in the Tectia SSH Server for IBM z/OS User Manual.
Upgrading from Tectia SSH Server for IBM z/OS 6.4.8 or 6.4.9
The behavior of the modify command restart (introduced in Tectia SSH Server for IBM z/OS 6.4.8) changed in version 6.4.10. The restart command now restarts the server without killing the existing connections. To restart the server and kill existing connections, use "restart force".
********************************************************************
Before installing the software, please read the license agreement located in the extracted installation package. Should you have any questions, please contact sales@ssh.com or your sales representative.
********************************************************************
All Tectia SSH Server for IBM z/OS user documentation is included in the online package. Please refer to Tectia SSH Server for IBM z/OS Administrator Manual for instructions on installing and removing the software.
1. About This Release
Items addressed in this release are listed under sections "New Features in 6.7.0" and "Bug Fixes in 6.7.0".
2. Tectia SSH Server 6.7.0 for IBM z/OS
Tectia SSH Server 6.7.0 for IBM z/OS is an SSH client/server solution designed for securing IBM z/OS mainframe connectivity. It provides secure terminal and secure file transfer functionalities between IBM z/OS systems and between IBM z/OS and distributed hosts.
The server provides support for direct secure file transfers to and from MVS file system with configurable codeset translation. Client applications can be run interactively or from JCL.
File transfer profiles and mainframe-specific file transfer commands, such as the SITE command and advice strings, can be used to enhance file transfer capabilities and usability significantly.
The client module of Tectia SSH Server 6.7.0 for IBM z/OS also provides Transparent FTP Tunneling and FTP-SFTP Conversion features that allow users to secure their FTP file transfers without any modifications to existing FTP jobs.
In conjunction with other Tectia products for distributed platforms, Tectia SSH Server 6.6.11 for IBM z/OS enables complete transparency to the user as well as secure application connectivity, including TN3270, without any user intervention.
More information on the key features in Tectia SSH Server 6.7.0 for IBM z/OS can be found in the Product Description.
2.1 Pre-upgrade actions
Customers upgrading from v6.6.5 or earlier releases should change all sftp scripts that use the ftadv string F=record,J=MVS-FTP to F=record,J=MVS in order to maintain records with a four-byte length prefix.
2.2 Post-upgrade actions
Customers upgrading from v6.6.5 or earlier releases should change all sftp scripts that use the ftadv string D=UCS-2,I=DOS/UNIX,J=MVS-FTP to C=UCS-2,I=DOS/UNIX,J=MVS-FTP.
Ensure that the z/OS ICSF product is installed on the running z/OS system. The program module CSFDLL3X must be resolvable via LNKLST from the z/OS system SIEALNKE PDSE.
3. New Features
The following new features have been implemented in Tectia SSH Server for IBM z/OS:
New Features in 6.7.0
The product has been built and tested on z/OS v2.5, v2.4, v2.3, and v2.2, which are now officially supported platforms.
The code targets architecture level 8 (z10, zBC/zEC12, z13, z14, z15, and above).
(ZOS #345) The following key exchange methods have been added to the server and client programs: curve25519-sha256, curve25519-sha256@libssh.org, ecdh-nistp521-kyber1024-sha512@ssh.com, ecdh-nistp521-firesaber-sha512@ssh.com, curve25519-frodokem1344-sha512@ssh.com, sntrup761x25519-sha512@openssh.com.
(ZOS #368) If a Tectia client program is started from JCL, the address space region size is adjusted to the configured MAXASSIZE if necessary.
(ZOS #146) Added support for new filetypes in ftadv for more powerful dataset handling: FT=PDS for transferring PDS(E) datasets, and FT=IBC(IEBCOPY) for transferring PDSE load library datasets. The IEBCOPY filetype implements an interface to the IEBCOPY dataset utility program.
4. Bug Fixes
The following fixes have been implemented in Tectia SSH Server for IBM z/OS:
Bug Fixes in 6.7.0
(ZOS #373) The following RACF statements are added to the X05CSFS installation job:
RDEFINE CSFSERV CSFRNGL UACC(NONE)
PERMIT CSFRNGL CLASS(CSFSERV) ID(*) ACCESS(READ)
(ZOS #380) The elapsed time of an FTP job with thousands of FTP commands was excessively extended. The internal timer for checking the availability of the FTP data port to the Tectia proxy server program has been reduced.
(ZOS #383) A problem where the Tectia SSH server hung after the 255th session rekey is fixed.
(ZOS #384) A problem where the memory usage of the SSH server increased after a session rekey is fixed.
(ZOS #386) A problem where the Tectia FTP SOCKS proxy server substituted a tilde in a file name with the user's home path is fixed.
(ZOS #400) A problem where Tectia z/OS client programs disconnected an SSH connection using an AES-GCM cipher during a session rekey is fixed.
5. Known Issues
The following issues are currently known to exist in Tectia SSH Server for IBM z/OS:
- Certd client certificate validation is not working properly. As a workaround, use SAF validation.
- ssh-keydist-g3 does not work with servers that have only CTR mode ciphers such as aes128-ctr, aes192-ctr, and aes256-ctr enabled.
- The socks proxy function to reload the configuration file has been temporarily disabled due to problems it was creating; restart the socks proxy instead.
- Remote translation tables only work when the ftadv/site command X=BIN is used. Local translation tables work as intended.
- All Platforms: FTP-SFTP Conversion does not support IPv6.
- All Platforms: The usage of IPv6 addresses in certificates is not yet supported.
- z/OS: SFTP fails when attempting to transfer an empty MVS dataset. However, FTP opens the file and proclaims that the transfer is completed without generating an error.
- The current server cannot read the authorization file that is used in public key authentication if the file is tagged as a TEXT file.
If the authorization file is created e.g. on a Windows host and then transferred to z/OS, it will be automatically tagged as TEXT, and the public key setup fails. In this case the file must be manually untagged.
If the authorization file is created on a z/OS server, the file is by default untagged and can be used without modifications.
- The write operation to a PDS member locks the PDS and no other connections to that PDS are possible during the transfer.
- IBM-EUCJC code set conversion is not possible on z/OS 1.8 and earlier. Tectia uses iconv() for character set conversions. In z/OS 1.8 and earlier releases, iconv does not have a translation between IBM-EUCJC and UTF-8 or UCS-2. z/OS 1.9 supports the new Unicode services providing translations between IBM-EUCJC and all other codesets that support the same character set.
The workaround for conversion between IBM-EUCJC and UTF-8 or UCS-2 on z/OS 1.8 and earlier is to manually generate new translation tables for iconv.
- Sftpg3 client fails to suspend (Ctrl-Z) gracefully when run from /bin/sh. Use tcsh or bash instead of /bin/sh or avoid suspending the client.
- Sftpg3 does not accept HFS batch files if addressed by using the DD card. HFS batch files can be used by entering the path of the batch file directly to the sftpg3 command.
Alternatively, MVS datasets can be used, either by entering the dataset name directly to the sftpg3 command or by addressing it by using the DD card.
- Multiple files cannot be transferred in parallel into a PDS. If an sftp client transfers files in parallel into a PDS, only the first file is copied successfully. The rest fail because the PDS is in use by the first file copy.
This happens with third-party and older SSH Tectia (4.x, 5.1) clients.
In Tectia 5.2, file transfer clients can detect the type of the dataset and transfer the members correctly.
When using third-party and older Tectia Clients, the workaround is to use PDSE datasets.
- When browsing MVS data sets in Tectia Client SFTP Windows GUI, data set sizes are shown as 0 (for VSAM files the High Used RBA is shown; it is a good estimate of the number of data bytes).
- If the password is given on the command line, the process listing shows the password as part of the running process. Use either public key authentication or a password read from a file.
- On some occasions, Tectia Client 4.x and OpenSSH clients do not report errors if a file transfer to Tectia Server for IBM z/OS fails. The client informs that the transfer was OK, but in reality, the transfer might have failed.
This error happens when the actual file transfer is completed successfully, but writing the data to the dataset or HFS file fails for some reason.
For example, the file transfer might fail if the pre-allocated dataset size is not big enough. When the client closes the file, the server de-stages the data to the dataset. This fails, but Tectia Client 4.x and OpenSSH clients ignore the return value of the close operation.
Tectia Client 5.x can report the error correctly.
6. Further Information
More information can be found on the man pages and in the Tectia SSH manuals that are also available at:
https://www.ssh.com/manuals/
Additional licenses can be purchased from our online store at: http://www.ssh.com/
Tectia SSH Server 6.6.11 for IBM z/OS
2022-06-30
Table of Contents
1. About This Release
2. Tectia SSH Server 6.6.11 for IBM z/OS
3. New Features
4. Bug Fixes
5. Known Issues
6. Further Information
NOTE:
License policy
Tectia SSH Server for IBM z/OS and the SSH client tools require valid licenses that are provided separately. Please contact your sales representative if you have not received your licenses.
Upgrade information
It's no longer necessary to remove the license_ssh2.dat file or symlink before upgrading.
Upgrading from Tectia SSH Server for IBM z/OS 6.6.10 or earlier
Customers upgrading from v6.6.10 or earlier releases should consider granting read access to the installer user for profile BPX.FILEATTR.APF in class FACILITY as listed in job X01IUSR.
PERMIT BPX.FILEATTR.APF CLASS(FACILITY) ID(username) ACCESS(READ)
This access grants the installer the authorization needed to install the Tectia SSH Server program sshd2 so that it can use the mainframe zIIP processor.
Upgrading from Tectia SSH Server for IBM z/OS 6.6.5 or earlier
Customers upgrading from v6.6.5 or earlier releases should change all sftp scripts that use the ftadv string F=record, J=MVS-FTP to F=record, J=MVS in order to maintain records with a four-byte length prefix.
Upgrading from Tectia SSH Server for IBM z/OS 6.6 or earlier
To eliminate the dependency on the z/OS USS special file /dev/random, the Tectia SSH Server and Client programs use the ICSF callable service to generate random numbers. If the ICSF callable service is controlled by SAF, please ensure that READ access to profile CSFRNG in class CSFSERV is granted to all users (including sshd2) that will use the Tectia SSH Server and Client programs.
Upgrading from Tectia SSH Server for IBM z/OS 6.4 or earlier
To make the file transfer advice string and site command parameters consistent, many of them were modified in the 6.4.x releases. Please check the currently available parameter names and their abbreviations in the Tectia SSH Server for IBM z/OS User Manual.
Upgrading from Tectia SSH Server for IBM z/OS 6.4.8 or 6.4.9
The behavior of the modify command restart (introduced in Tectia SSH Server for IBM z/OS 6.4.8) changed in version 6.4.10. The restart command now restarts the server without killing the existing connections. To restart the server and kill existing connections, use "restart force".
********************************************************************
Before installing the software, please read the license agreement located in the extracted installation package. Should you have any questions, please contact sales@ssh.com or your sales representative.
********************************************************************
All Tectia SSH Server for IBM z/OS user documentation is included in the online package. Please refer to Tectia SSH Server for IBM z/OS Administrator Manual for instructions on installing and removing the software.
1. About This Release
Items addressed in this release are listed under sections New Features in 6.6.11 and Bug Fixes in 6.6.11.
2. Tectia SSH Server 6.6.11 for IBM z/OS
Tectia SSH Server 6.6.11 for IBM z/OS is an SSH client/server solution designed for securing IBM z/OS mainframe connectivity. It provides secure terminal and secure file transfer functionalities between IBM z/OS systems, and between IBM z/OS and distributed hosts.
The server provides support for direct secure file transfers to and from MVS file system with configurable codeset translation. Client applications can be run interactively or from JCL.
File transfer profiles and mainframe-specific file transfer commands, such as the SITE command and advice strings, can be used to enhance file transfer capabilities and usability significantly.
The client module of Tectia SSH Server 6.6.11 for IBM z/OS also provides Transparent FTP Tunneling and FTP-SFTP Conversion features that allow users to secure their FTP file transfers without any modifications to existing FTP jobs.
In conjunction with other Tectia products for distributed platforms, Tectia SSH Server 6.6.11 for IBM z/OS enables complete transparency to the user as well as secure application connectivity, including TN3270, without any user intervention.
More information on the key features in Tectia SSH Server 6.6.11 for IBM z/OS can be found in the Product Description.
2.1 Pre-upgrade actions
Customers upgrading from v6.6.5 or earlier releases should change all sftp scripts that use the ftadv string F=record, J=MVS-FTP to F=record, J=MVS in order to maintain records with a four-byte length prefix.
2.2 Post-upgrade actions
Customers upgrading from v6.6.5 or earlier releases should change all sftp scripts that use the ftadv string D=UCS-2, I=DOS/UNIX, J=MVS-FTP to C=UCS-2, I=DOS/UNIX, J=MVS-FTP.
Ensure that the z/OS ICSF product is installed on the running z/OS system. The program module CSFDLL3X must be resolvable via LNKLST from the z/OS system SIEALNKE PDSE.
3. New Features
The following new features have been implemented in Tectia SSH Server for IBM z/OS:
New Features in 6.6.11
The product has been built and tested on z/OS v2.5, v2.4, v2.3 and v2.2, which are now the officially supported platforms.
The code targets architecture level 8 (z10, zBC/zEC12, z13, z14, z15 and above).
(ZOS #348) The server program sshd2 is enhanced to write application-specific information (APPLDATA) to its associated z/OS TCP sockets. The information can be viewed via the NETSTAT command and is stored in the SMF Type 119 subtype 2 record (TCP connection termination record).
(ZOS #343) The server program sshd2 is optimized for allocating a pseudo terminal for SSH terminal connections.
(ZOS #340) If a zIIP processor is enabled on the z/OS system and the server program sshd2 is running in authorized mode, mainframe CPACF instructions are shifted to execute on the zIIP processor.
(ZOS #306) A new option, -M, --destination-home-directory, is added to the ssh-keydist-g3 program. The option allows the user to specify the user home directory path on the destination system.
(ZOS #301) The filetype IDCAMS is added to the sftp ft advice string. This permits the definition of several kinds of datasets that are not otherwise possible. Command entry and retrieval of results are handled in the same way as for the JES filetype.
(ZOS #265) Default XML and DTD files are compiled into Tectia for z/OS client programs.
(ZOS #263) The compression method zlib@openssh.com is supported in the Tectia for z/OS server and client programs. This compression method exploits the z15 in-core compression facility when running on z/OS v2.4 or later.
(ZOS #262) The random_seed file is no longer required by the Tectia for z/OS client programs.
(ZOS #261) The plugin module i18n_iconv.so is no longer packed into the product package file. The code page translation function is merged into the Tectia for z/OS server and client programs.
(ZOS #246) The Tectia for z/OS server program is permitted to start on a RDONLY mount point. The PidFile configuration option in ssh_certd_config is removed.
4. Bug Fixes
The following fixes have been implemented in Tectia SSH Server for IBM z/OS:
Bug Fixes in 6.6.11
(ZOS #353) An empty extended attribute returned from an SSH sftp server is now tolerated.
(ZOS #290) A bug in reading an MVS dataset with the ft advice string J=MVS-FTP is fixed. The bug led to a record being split into two records.
(ZOS #284) Bugs relating to operations on sftp JES spool files are fixed.
(ZOS #283) A bug in the Tectia for z/OS client program sshg3 in filtering the escape character is fixed.
(ZOS #271) A bug in the Tectia for z/OS server program debug record is fixed.
5. Known Issues
The following issues are currently known to exist in Tectia SSH Server for IBM z/OS:
- Certd client certificate validation is not working properly. As a workaround, use SAF validation.
- ssh-keydist-g3 does not work with servers that have only CTR mode ciphers such as aes128-ctr, aes192-ctr, and aes256-ctr enabled.
- The socks proxy function to reload the configuration file has been temporarily disabled due to problems it was creating; restart the socks proxy instead.
- Remote translation tables only work when the ftadv/site command X=BIN is used. Local translation tables work as intended.
- All Platforms: FTP-SFTP Conversion does not support IPv6.
- All Platforms: The usage of IPv6 addresses in certificates is not yet supported.
- z/OS: SFTP fails when attempting to transfer an empty MVS dataset. However, FTP opens the file and proclaims that the transfer is completed without generating an error.
- The current server cannot read the authorization file that is used in public key authentication if the file is tagged as a TEXT file.
If the authorization file is created e.g. on a Windows host and then transferred to z/OS, it will be automatically tagged as TEXT, and the public key setup fails. In this case, the file must be manually untagged.
If the authorization file is created on a z/OS server, the file is by default untagged and can be used without modifications.
- The write operation to a PDS member locks the PDS and no other connections to that PDS are possible during the transfer.
- IBM-EUCJC code set conversion is not possible on z/OS 1.8 and earlier. Tectia uses iconv() for character set conversions. In z/OS 1.8 and earlier releases, iconv does not have a translation between IBM-EUCJC and UTF-8 or UCS-2.
z/OS 1.9 supports the new Unicode services providing translations between IBM-EUCJC and all other codesets that support the same character set.
The workaround for conversion between IBM-EUCJC and UTF-8 or UCS-2 on z/OS 1.8 and earlier is to manually generate new translation tables for iconv.
- Sftpg3 client fails to suspend (Ctrl-Z) gracefully when run from /bin/sh. Use tcsh or bash instead of /bin/sh or avoid suspending the client.
- Sftpg3 does not accept HFS batch files if addressed by using the DD card. HFS batch files can be used by entering the path of the batch file directly to the sftpg3 command. Alternatively, MVS datasets can be used, either by entering the dataset name directly to the sftpg3 command or by addressing it by using the DD card.
- Multiple files cannot be transferred in parallel into a PDS. If an sftp client transfers files in parallel into a PDS, only the first file is copied successfully. The rest fail because the PDS is in use by the first file copy.
This happens with third-party and older SSH Tectia (4.x, 5.1) clients.
In Tectia 5.2, file transfer clients can detect the type of the dataset and transfer the members correctly.
When using third-party and older Tectia Clients, the workaround is to use PDSE datasets.
- When browsing MVS data sets in Tectia Client SFTP Windows GUI, data set sizes are shown as 0 (for VSAM files the High Used RBA is shown; it is a good estimate of the number of data bytes).
- If the password is given on the command line, the process listing shows the password as part of the running process. Use either public key authentication or a password read from a file.
- On some occasions, Tectia Client 4.x and OpenSSH clients do not report errors if a file transfer to Tectia Server for IBM z/OS fails. The client informs that the transfer was OK, but in reality the transfer might have failed.
This error happens when the actual file transfer is completed successfully, but writing the data to the dataset or HFS file fails for some reason.
For example, the file transfer might fail if the pre-allocated dataset size is not big enough. When the client closes the file, the server de-stages the data to the dataset. This fails, but Tectia Client 4.x and OpenSSH clients ignore the return value of the close operation.
Tectia Client 5.x can report the error correctly.
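As an added illustration of the close-status problem described in this item (and in the identical item in the 6.7.0 notes above), not code from Tectia or from these notes: a minimal decoder for the SFTP version 3 SSH_FXP_STATUS reply to SSH_FXP_CLOSE, showing a client that discards the reply beside one that fails the transfer on a non-OK status. The packet contents and the error message are constructed samples, and the "de-stage failure" wording is assumed.

```python
"""Decode the SFTP SSH_FXP_STATUS reply to CLOSE and surface failures.

Added example, not Tectia code. It models the known issue above: the server
reports a de-stage failure in its reply to CLOSE, and a client that ignores
that reply declares the transfer successful. Wire format follows SFTP
version 3 (draft-ietf-secsh-filexfer-02). Sample replies are constructed.
"""
import struct

SSH_FXP_STATUS = 101
SSH_FX_OK = 0
SSH_FX_FAILURE = 4

STATUS_NAMES = {0: "SSH_FX_OK", 1: "SSH_FX_EOF", 2: "SSH_FX_NO_SUCH_FILE",
                3: "SSH_FX_PERMISSION_DENIED", 4: "SSH_FX_FAILURE",
                5: "SSH_FX_BAD_MESSAGE", 6: "SSH_FX_NO_CONNECTION",
                7: "SSH_FX_CONNECTION_LOST", 8: "SSH_FX_OP_UNSUPPORTED"}


def _sftp_string(data: bytes) -> bytes:
    """SFTP 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_status_reply(request_id: int, code: int, message: str) -> bytes:
    """Construct an SSH_FXP_STATUS packet as a server would send it."""
    body = struct.pack(">BII", SSH_FXP_STATUS, request_id, code)
    body += _sftp_string(message.encode("utf-8")) + _sftp_string(b"en")
    return struct.pack(">I", len(body)) + body


def parse_status_reply(packet: bytes) -> dict:
    """Decode an SSH_FXP_STATUS packet; raise on malformed input."""
    (length,) = struct.unpack(">I", packet[:4])
    body = packet[4:4 + length]
    if len(body) != length or body[0] != SSH_FXP_STATUS:
        raise ValueError("not a complete SSH_FXP_STATUS packet")
    request_id, code = struct.unpack(">II", body[1:9])
    (mlen,) = struct.unpack(">I", body[9:13])
    message = body[13:13 + mlen].decode("utf-8", "replace")
    return {"id": request_id, "code": code, "message": message}


def close_ignoring_status(reply: bytes) -> bool:
    """Legacy behaviour described above: the CLOSE reply is read but not
    examined, so the transfer is reported OK whatever the server said."""
    parse_status_reply(reply)
    return True


def close_checking_status(reply: bytes, expected_id: int) -> bool:
    """Correct behaviour: a non-OK status on CLOSE means the data did not
    reach the dataset, so the transfer must be treated as failed."""
    status = parse_status_reply(reply)
    if status["id"] != expected_id:
        raise ValueError("status reply for an unexpected request id")
    if status["code"] != SSH_FX_OK:
        name = STATUS_NAMES.get(status["code"], str(status["code"]))
        raise IOError(f"close failed: {name}: {status['message']}")
    return True


# Constructed replies: a clean close, and a de-stage failure such as a
# pre-allocated dataset being too small (message text is assumed).
CLOSE_OK = build_status_reply(7, SSH_FX_OK, "Success")
CLOSE_FAILED = build_status_reply(8, SSH_FX_FAILURE,
                                  "write to dataset failed: space exhausted")

if __name__ == "__main__":
    print(close_ignoring_status(CLOSE_FAILED))  # True: failure goes unnoticed
    try:
        close_checking_status(CLOSE_FAILED, 8)
    except IOError as exc:
        print(exc)
```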
6. Further Information
More information can be found on the man pages and in the Tectia SSH manuals that are also available at:
https://www.ssh.com/manuals/
Additional licenses can be purchased from our online store at: http://www.ssh.com/