Solved

External IP address of iSeries machine

Posted on 2013-11-07
Last Modified: 2013-11-11
We are trying to set up secure ftp with a trading partner and need to send them our external IP address.  How do I find it?  

Also, what needs to be done on our end?  The trading partner said that we will pick up an RSA Key when we connect.
Question by:baiedw
12 Comments

Expert Comment

by:Nick Rhode
www.ipchicken.com

Will give you our external address

Expert Comment

by:AlexPace
When your client software makes an SFTP connection the server will send its public SSH key.  The client software will probably prompt you to accept or reject the key.  If you reject it then it will drop the connection.  If you accept it, it will save a copy of the key and the address of the server.  The next time the software connects it will not prompt as long as the server sends the same key.  This prevents someone else from setting up a fake version of the server.  If they use a different public key you will notice that you had to re-accept it; if they try to re-use the original public key they won't have the matching private key for decryption.
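The accept-then-remember behaviour described in the comment above (trust on first use against an OpenSSH-style known_hosts file), as an added Python example that is not part of the original thread. The hostnames, salt and key strings are constructed, and the three verdicts are a simplified model of what a real SSH client does; `remember_host_key` is an assumed helper name, not an OpenSSH API.

```python
"""Trust-on-first-use host key check modelled on OpenSSH's known_hosts file.
Added example (not from the original post); hostnames, salt and keys are constructed."""
import base64
import hashlib
import hmac

def hash_hostname(hostname: str, salt: bytes) -> str:
    """Hashed host field as written with HashKnownHosts yes: |1|salt|HMAC-SHA1."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def host_matches(pattern: str, hostname: str) -> bool:
    """Match a known_hosts host field: hashed form or plain comma-separated names."""
    if pattern.startswith("|1|"):
        salt = base64.b64decode(pattern.split("|")[2])
        return hmac.compare_digest(hash_hostname(hostname, salt), pattern)
    return hostname in pattern.split(",")

def check_host_key(known_hosts: str, hostname: str, key_type: str, key_b64: str) -> str:
    """MATCH: the stored key was presented again, connect silently.
    UNKNOWN: first contact, the client prompts and then stores the key.
    MISMATCH: same host and key type but a different key; refuse to connect."""
    verdict = "UNKNOWN"
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith("#"):
            continue
        host_field, stored_type, stored_key = fields[:3]
        if not host_matches(host_field, hostname) or stored_type != key_type:
            continue
        if hmac.compare_digest(stored_key, key_b64):
            return "MATCH"
        verdict = "MISMATCH"  # keep scanning; a later line may still match
    return verdict

def remember_host_key(known_hosts, hostname, key_type, key_b64, salt):
    """Append an accepted key in hashed form, as the client does after you accept."""
    return known_hosts + "%s %s %s\n" % (hash_hostname(hostname, salt), key_type, key_b64)

# Constructed sample state: one plain entry and one hashed entry.
SALT = b"0123456789abcdefghij"  # 20 bytes, the length OpenSSH uses
PARTNER_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOnly"
KNOWN_HOSTS = (
    "sftp.partner.example ssh-ed25519 " + PARTNER_KEY + "\n"
    + hash_hostname("other.example", SALT) + " ssh-rsa AAAAB3NzaC1yc2EConstructed\n"
)
```

A MISMATCH is the case the comment warns about: a host presenting a key other than the one you accepted earlier, which a client should refuse rather than silently re-accept.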

Expert Comment

by:Gary Patterson
Since you probably don't have a browser installed on your AS/400 (and a text browser like Lynx is the only thing you could have, since there is no GUI...), you can try:

TELNET RMTSYS('4vaddress.com')

This connects to a Telnet auto-responder service maintained by the nice folks at Sixscape communications.  

Several possibilities on the IP address issue:

1) AS/400 is directly connected to the Internet without NAT.  In that case, you can just GO CFGTCP, and select option 1 - Work With Interfaces to see the IP addresses assigned to each interface.  This isn't a common configuration, and I don't encourage it from a security perspective.

2) If you only have one internet connection, and all of your systems including the AS/400 share a single external IP address, and connect through a NAT firewall, then you can just use a browser-based tool like "www.whatismyip.com" or ipchicken.com from any system on your network with a browser like an earlier poster suggested.

3) In a multiple-address location, if the TELNET trick doesn't work, you'll need to contact your network administrator.  Most likely there is a NAT relationship set up in your firewall that associates the AS/400 private address with one of your public addresses, and some rules blocking outbound Telnet.

4) Finally, it is also possible that the AS/400 is completely (and intentionally) isolated from the Internet, and the answer is "there is no external address for that system".

- Gary Patterson

Expert Comment

by:Gary Patterson
First, you have to have the right utilities installed to enable SSH and sFTP:

5733SC1 IBM Portable Utilities for i5/OS *BASE & Option 1
57XXSS1 Option 33 (Portable Application Solutions Environment)

Then, you have to configure public-key authentication on IBM i.  

Note that the RSA key you generate using ssh-keygen is associated with a specific user profile, and you must use that same profile to perform the sFTP transfers.  

You can use one profile and public key to communicate with multiple trading partners, or you can set up a different profile and key for each trading partner.

http://www-01.ibm.com/support/docview.wss?uid=nas8N1012710

Finally, here is a very basic example of how to automate an sFTP script:

https://www-304.ibm.com/support/docview.wss?uid=nas8N1014104

- Gary Patterson

Author Comment

by:baiedw
Gary,
The telnet test logs me off of the iSeries and brings up a login screen.

whatismyip displays the ip number of our vpn.

The trading partner we are trying to connect to said that they have created a tunnel for a specific ip number, which is the vpn number, and we should be able to connect with PuTTY and accept a key.  Since the connection times out every time I was thinking that we told them the wrong IP number.  That is why I am trying to verify the number of our iSeries machine.  Our tech services gave me a number starting with 10.10. which I know is not correct.
Ed

Expert Comment

by:AlexPace
To clarify with regard to the keys.  The server will definitely give you its SSH public key when your client connects and it is also possible that the server will want you to provide your own SSH public key for user authentication.  Some SFTP servers allow users to log in with username/password but others are configured to require the client (you) to provide your own public key as part of the user authentication process.

Author Comment

by:baiedw
They told us that we do not have to give them anything, that we just need to connect with the correct ip number and then we accept the key.

Accepted Solution

by:Gary Patterson (earned 500 total points)
Ed,

Sorry, just noticed I had a typo in the system name in the Telnet command.  Try this:

TELNET RMTSYS('v4address.com')

The 10.10 address that tech services gave you is an internal IP address.  

I've set up a lot of these connections (both the AS/400 component and the firewall components at both ends).  Your trading partner almost certainly did one of two things:

1) Created a "permit" rule in their firewall that allows inbound SSH connections (protocol used by sFTP) that originate from your external IP address.  This could very well be the same address that you use when connecting to your company's VPN, but does not have to be.

This kind of connection isn't really what we'd refer to as a "tunnel", but I can see why someone not familiar with networking terminology might use that term.  It does allow traffic to get through the firewall.  If they don't have the correct external IP address set up in their firewall, you won't be able to access their server.  

This is the most common configuration.

2) Second option is that they worked with your network team to create a site-to-site VPN tunnel between the two networks.  In that case, they would usually need the external IP address to establish the tunnel, but then you would use a private address on their network to access their sFTP server.  

This is less common - and certainly less common when all you need to do is transfer files occasionally.

What are the first two octets of the IP address that you are using to try to access their sFTP server?

Maybe try rephrasing the question with your network team.  Try this:

"I'm working with our trading partner, ____________.  We need to send them some files via sFTP from our AS/400, which has an inside address of 10.10.x.x.  

They need to know our external address (our public source address) that requests will be coming in from.  That would be the NATted address of the AS/400, so that they can open up an exception in their firewall for us.

Can you tell me what external IP address is associated with 10.10.x.x in our firewall so that I can give them the correct address?"

If they can't figure that out, then ask them:

"In that case, can you just give me the entire range of possible external addresses?"

Then give the address range to your trading partner and they can open up the entire range.  After you connect, they should be able to look at their logs, see what address you came in from, and then just lock down to that one address if desired.

Other approaches:  Contact your internet service provider directly and ask for your public address range.

Or escalate the request to someone on your tech services team who will take the time to talk to you and figure out what it is you actually need.

You also need to be aware that in a lot of environments, your network or security team may have intentionally locked down external access to and from your AS/400 for security reasons.  This is pretty common.  If so, you'll need to work with your team as well to get rules or exceptions set up to allow the AS/400 to initiate SSH requests to the trading partner system, and to receive responses back from that system as well.

If you can find the right person, this is a five minute conversation.  It is a common setup, and should be very easy for any qualified network tech to help you with, once they understand the question.  

Be persistent, and keep explaining until they understand what it is you need.  Sometimes it is helpful to conference in the trading partner network technician so they can talk "network person to network person".

- Gary Patterson

Check out my EE profile: http://www.experts-exchange.com/M_4382324.html

Author Closing Comment

by:baiedw
Thanks for your help, Gary, I learned a few things.  Unfortunately our network group says it is too hard to set up secure ftp on the iSeries.  They said they will come up with a solution.  I hope it is one that works.  Thanks again.
Ed

Expert Comment

by:Gary Patterson
Ed,

Lol.  Secure FTP takes about 10 minutes to set up on the iSeries.  Nothing complicated about it.  I've done it dozens of times.  

Maybe there are network restrictions in place that make it complicated or something like that, or maybe they just don't know how to do it and don't want to go to the effort to figure it out.  If they already have a good sFTP solution set up elsewhere, then that might be the best approach anyhow.

Good luck.

- Gary

Expert Comment

by:tliotta
There is secure FTP, and there is sftp.  Those are two very different things.  Secure FTP is easy.  But sftp can take some study and some effort when doing it the first time.  Be sure the difference is known and understood.  Regardless, both can be used on the AS/400 series of systems; and the requirements are effectively the same as on any other system.

Tom

Expert Comment

by:Gary Patterson
Tom brings up a good point. Maybe we should define some terms.

I'm operating under the assumption that you want to use "SSH File Transfer Protocol", also called "Secure File Transfer Protocol", or SFTP.  

I'm basing this in part on the information about using an RSA key, and "They told us that we do not have to give them anything, that we just need to connect with the correct ip number and then we accept the key."

This is all consistent with SFTP.

There are other "secure file transfer" implementations, such as FTP over SSL/TLS, and SCP, but my money on this one is on SFTP.  If it is running across TCP port 22, it is sFTP.

http://www.rebex.net/kb/secure-ftp/default.aspx

- Gary Patterson