Solved

External IP address of iSeries machine

Posted on 2013-11-07
Last Modified: 2013-11-11
We are trying to set up secure ftp with a trading partner and need to send them our external IP address.  How do I find it?  

Also, what needs to be done on our end?  The trading partner said that we will pick up an RSA Key when we connect.
Question by:baiedw
12 Comments
 
LVL 22

Expert Comment

by:Nick Rhode
ID: 39631289
www.ipchicken.com

Will give you our external address
 
LVL 16

Expert Comment

by:AlexPace
ID: 39631427
When your client software makes an SFTP connection the server will send its public SSH key.  The client software will probably prompt you to accept or reject the key.  If you reject it then it will drop the connection.  If you accept it, it will save a copy of the key and the address of the server.  The next time the software connects it will not prompt as long as the server sends the same key.  This prevents someone else from setting up a fake version of the server.  If they use a different public key you will notice that you had to re-accept it; if they try to re-use the original public key they won't have the matching private key for decryption.
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 39631751
Since you probably don't have a browser installed on your AS/400 (and a text browser like Lynx is the only thing you could have, since there is no GUI...), you can try:

TELNET RMTSYS('4vaddress.com)

This connects to a Telnet auto-responder service maintained by the nice folks at Sixscape communications.  

Several possibilities on the IP address issue:

1) AS/400 is directly connected to the Internet without NAT.  In that case, you can just GO CFGTCP, and select option 1 - Work With Interfaces to see the IP addresses assigned to each interface.  This isn't a common configuration, and I don't encourage it from a security perspective.

2) If you only have one internet connection, and all of your systems including the AS/400 share a single external IP address, and connect through a NAT firewall, then you can just use a browser-based tool like "www.whatismyip.com" or ipchicken.com from any system on your network with a browser like an earlier poster suggested.

3) In a multiple-address location, if the TELNET trick doesn't work, you'll need to contact your network administrator.  Most likely there is a NAT relationship set up in your firewall that associates the AS/400 private address with one of your public addresses, and some rules blocking outbound Telnet.

4) Finally, it is also possible that the AS/400 is completely (and intentionally) isolated from the Internet, and the answer is "there is no external address for that system".

- Gary Patterson
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 39631822
First, you have to have the right utilities installed to enable SSH and sFTP:

5733SC1 IBM Portable Utilities for i5/OS *BASE & Option 1
57XXSS1 Option 33 (Portable Application Solutions Environment)

Then, you have to configure public-key authentication on IBM i.  

Note that the RSA key you generate using ssh-keygen is associated with a specific user profile, and you must use that same profile to perform the sFTP transfers.  

You can use one profile and public key to communicate with multiple trading partners, or you can set up a different profile and key for each trading partner.

http://www-01.ibm.com/support/docview.wss?uid=nas8N1012710

Finally, here is a very basic example of how to automate an sFTP script:

https://www-304.ibm.com/support/docview.wss?uid=nas8N1014104

- Gary Patterson
 

Author Comment

by:baiedw
ID: 39632083
Gary,
The telnet test logs me off of the iSeries and brings up a login screen.

whatismyip displays the ip number of our vpn.

The trading partner we are trying to connect to said that they have created a tunnel for a specific ip number, which is the vpn number, and we should be able to connect with putty and accept a key.  Since the connection times out every time I was thinking that we told them the wrong IP number.  That is why I am trying to verify the number of our iSeries machine.  Our tech services gave me a number starting with 10.10. which I know is not correct.
Ed
 
LVL 16

Expert Comment

by:AlexPace
ID: 39632086
To clarify with regard to the keys.  The server will definitely give you its SSH public key when your client connects and it is also possible that the server will want you to provide your own SSH public key for user authentication.  Some SFTP servers allow users to log in with username/password but others are configured to require the client (you) to provide your own public key as part of the user authentication process.
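The two comments above describe the client side of the host-key exchange: accept on first contact, reconnect silently while the key stays the same, refuse when it changes. The following is an added example (not code from the thread, and not IBM i's or OpenSSH's own implementation) showing that trust-on-first-use logic over a known_hosts-style file. The host names and key blobs are constructed placeholders, not real server keys; the fingerprint routine follows the OpenSSH convention of SHA-256 over the raw key blob, base64 encoded without padding.

```python
"""Trust-on-first-use host-key check, modelled on how an SSH/SFTP client
uses its known_hosts file. Added example: the key blobs below are
constructed placeholders, not real server keys."""
import base64
import hashlib

# Constructed known_hosts content: one pinned host, one unrelated host.
KNOWN_HOSTS = """\
# host  key-type  base64 public key (constructed placeholders)
sftp.partner.example ssh-rsa {key_a}
other.example ssh-ed25519 {key_other}
""".format(
    key_a=base64.b64encode(b"constructed-rsa-blob-partner-A").decode(),
    key_other=base64.b64encode(b"constructed-ed25519-blob-other").decode(),
)


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA-256 over the raw key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map (host, key type) -> base64 key for each non-comment line."""
    pinned = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        host, keytype, key_b64 = fields[:3]
        pinned[(host, keytype)] = key_b64
    return pinned


def check_host_key(pinned: dict, host: str, keytype: str, offered_b64: str):
    """Decide what the client should do with the key the server just sent.

    Returns (verdict, fingerprint):
      "new"      - nothing pinned for this host; the client prompts the user (TOFU)
      "ok"       - identical to the pinned key; connect without prompting
      "MISMATCH" - a different key; refuse, this is the fake-server case
    The whole key blob is compared, not only the fingerprint.
    """
    fp = fingerprint(offered_b64)
    stored = pinned.get((host, keytype))
    if stored is None:
        return "new", fp
    if stored == offered_b64:
        return "ok", fp
    return "MISMATCH", fp


def accept_first_key(pinned: dict, host: str, keytype: str, offered_b64: str) -> None:
    """What 'accept' does on first contact: pin the key for future sessions."""
    pinned[(host, keytype)] = offered_b64


def simulate_sessions() -> list:
    """Three connections to a host not yet in known_hosts: first contact,
    a repeat with the same key, then an impostor offering a different key."""
    pinned = parse_known_hosts(KNOWN_HOSTS)
    host, keytype = "sftp.newpartner.example", "ssh-rsa"
    genuine = base64.b64encode(b"constructed-rsa-blob-newpartner").decode()
    impostor = base64.b64encode(b"constructed-rsa-blob-impostor").decode()

    verdicts = []
    verdict, _ = check_host_key(pinned, host, keytype, genuine)
    verdicts.append(verdict)                       # "new": user is prompted
    accept_first_key(pinned, host, keytype, genuine)

    verdict, _ = check_host_key(pinned, host, keytype, genuine)
    verdicts.append(verdict)                       # "ok": same key, no prompt

    verdict, _ = check_host_key(pinned, host, keytype, impostor)
    verdicts.append(verdict)                       # "MISMATCH": refuse to connect
    return verdicts


if __name__ == "__main__":
    print(simulate_sessions())
```

The practical point for a scripted transfer from the AS/400: the first interactive "accept" is the only moment the key is unverified, so compare the fingerprint the client shows against one the partner gives you out of band, and run later unattended transfers with strict host-key checking so a MISMATCH aborts instead of prompting.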
 

Author Comment

by:baiedw
ID: 39632093
They told us that we do not have to give them anything, that we just need to connect with the correct ip number and then we accept the key.
 
LVL 35

Accepted Solution

by:
Gary Patterson earned 500 total points
ID: 39633418
Ed,

Sorry, just noticed I had a typo in the system name in the Telnet command.  Try this:

TELNET RMTSYS('v4address.com')

The 10.10 address that tech services gave you is an internal IP address.  

I've set up a lot of these connections (both the AS/400 component and the firewall components at both ends).  Your trading partner almost certainly did one of two things:

1) Created a "permit" rule in their firewall that allows inbound SSH connections (protocol used by sFTP) that originate from your external IP address.  This could very well be the same address that you use when connecting to your company's VPN, but does not have to be.

This kind of connection isn't really what we'd refer to as a "tunnel", but I can see why someone not familiar with networking terminology might use that term.  It does allow traffic to get through the firewall.  If they don't have the correct external IP address set up in their firewall, you won't be able to access their server.  

This is the most common configuration.

2) Second option is that they worked with your network team to create a site-to-site VPN tunnel between the two networks.  In that case, they would usually need the external IP address to establish the tunnel, but then you would use a private address on their network to access their sFTP server.  

This is less common - and certainly less common when all you need to do is transfer files occasionally.

What are the first two octets of the IP address that you are using to try to access their sFTP server?

Maybe try rephrasing the question with your network team.  Try this:

"I'm working with our trading partner, ____________.  We need to send them some files via sFTP from our AS/400, which has an inside address of 10.10.x.x.  

They need to know our external address (our public source address) that requests will be coming in from.  That would be the NATted address of the AS/400, so that they can open up an exception in their firewall for us.

Can you tell me what external IP address is associated with 10.10.x.x in our firewall so that I can give them the correct address?"

If they can't figure that out, then ask them:

"In that case, can you just give me the entire range of possible external addresses?"

Then give the address range to your trading partner and they can open up the entire range.  After you connect, they should be able to look at their logs, see what address you came in from, and then just lock down to that one address if desired.

Other approaches:  Contact your internet service provider directly and ask for your public address range.

Or escalate the request to someone on your tech services team who will take the time to talk to you and figure out what it is you actually need.

You also need to be aware that in a lot of environments, your network or security team may have intentionally locked down external access to and from your AS/400 for security reasons.  This is pretty common.  If so, you'll need to work with your team as well to get rules or exceptions set up to allow the AS/400 to initiate SSH requests to the trading partner system, and to receive responses back from that system as well.

If you can find the right person, this is a five minute conversation.  It is a common setup, and should be very easy for any qualified network tech to help you with, once they understand the question.  

Be persistent, and keep explaining until they understand what it is you need.  Sometimes it is helpful to conference in the trading partner network technician so they can talk "network person to network person".

- Gary Patterson

Check out my EE profile: http://www.experts-exchange.com/M_4382324.html
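Two of the points in the accepted answer lend themselves to a small check: the 10.10.x.x address from tech services is an inside address and can never be what the partner's firewall sees, and the partner can read their own server log to find the source address you actually arrived from and then lock the rule down to it. The following is an added example (not code from the thread) that does both. The log lines are constructed in the style of OpenSSH sshd logging and use documentation (TEST-NET) addresses as stand-ins for public ones; the classifier uses an explicit list of non-public ranges rather than Python's `is_private`, because `is_private` also flags the documentation ranges.

```python
"""Is a candidate address a public one, and which source address did the
partner's SFTP server actually see? Added example; log lines are constructed
and use documentation addresses (203.0.113.0/24, 198.51.100.0/24) as
stand-ins for public ones."""
import ipaddress
import re

# Ranges that can never be the external address a partner's firewall sees.
NON_PUBLIC_RANGES = [
    ("RFC 1918 private", ipaddress.ip_network("10.0.0.0/8")),
    ("RFC 1918 private", ipaddress.ip_network("172.16.0.0/12")),
    ("RFC 1918 private", ipaddress.ip_network("192.168.0.0/16")),
    ("shared/CGNAT (RFC 6598)", ipaddress.ip_network("100.64.0.0/10")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("IPv6 unique local", ipaddress.ip_network("fc00::/7")),
    ("loopback", ipaddress.ip_network("::1/128")),
]


def classify(addr: str) -> str:
    """Label an address; only 'public' is worth giving to the trading partner."""
    ip = ipaddress.ip_address(addr)
    for label, net in NON_PUBLIC_RANGES:
        if ip in net:          # version mismatch (v4 vs v6) simply yields False
            return label
    return "public"


# Constructed sample lines in the style of sshd logging on the partner's server.
SAMPLE_LOG = """\
Nov  8 14:02:11 sftp01 sshd[2231]: Accepted publickey for partner_user from 203.0.113.45 port 51234 ssh2: RSA SHA256:placeholderfingerprint
Nov  8 14:02:12 sftp01 sshd[2231]: Connection closed by 203.0.113.45 port 51234
Nov  8 14:05:30 sftp01 sshd[2270]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Nov  8 14:09:02 sftp01 sshd[2288]: Accepted password for partner_user from 203.0.113.45 port 51290 ssh2
"""

ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<addr>[0-9a-fA-F.:]+) port \d+"
)


def observed_sources(log_text: str) -> dict:
    """user -> sorted list of source addresses that completed authentication.
    Failed attempts are ignored: they show who is knocking, not the partner."""
    seen = {}
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            seen.setdefault(m.group("user"), set()).add(m.group("addr"))
    return {user: sorted(addrs) for user, addrs in seen.items()}


def allowlist_entries(addresses) -> list:
    """Host-sized firewall entries for public addresses only; a private one in
    the input means the wrong (inside) address was reported."""
    entries = []
    for addr in addresses:
        if classify(addr) == "public":
            ip = ipaddress.ip_address(addr)
            entries.append(f"{ip}/{ip.max_prefixlen}")
    return entries


def lock_down(log_text: str, user: str) -> list:
    """Replace an open range with the one address the partner actually came from."""
    return allowlist_entries(observed_sources(log_text).get(user, []))


if __name__ == "__main__":
    for candidate in ("10.10.4.7", "100.64.1.2", "203.0.113.45"):
        print(candidate, "->", classify(candidate))
    print(lock_down(SAMPLE_LOG, "partner_user"))
```

Running it prints the 10.10 address as RFC 1918 private, the 100.64 address as carrier-grade NAT space (an address your ISP may hand out that is also not yours to give a partner), and a single /32 entry for the user's observed source, which is the "lock down to that one address" step described above.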
 

Author Closing Comment

by:baiedw
ID: 39633516
Thanks for your help Gary, I learned a few things.  Unfortunately our network group says it is too hard to set up secure ftp on the iSeries.  They said they will come up with a solution.  I hope it is one that works.  Thanks again.
Ed
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 39633877
Ed,

Lol.  Secure FTP takes about 10 minutes to set up on the iSeries.  Nothing complicated about it.  I've done it dozens of times.  

Maybe there are network restrictions in place that make it complicated or something like that, or maybe they just don't know how to do it and don't want to go to the effort to figure it out.  If they already have a good sFTP solution set up elsewhere, then that might be the best approach anyhow.

Good luck.

- Gary
 
LVL 27

Expert Comment

by:tliotta
ID: 39635535
There is secure FTP, and there is sftp. Those are two very different things. Secure FTP is easy. But sftp can take some study and some effort when doing it the first time. Be sure the difference is known and understood. Regardless, both can be used on the AS/400 series of systems; and the requirements are effectively the same as on any other system.

Tom
 
LVL 35

Expert Comment

by:Gary Patterson
ID: 39639767
Tom brings up a good point. Maybe we should define some terms.

I'm operating under the assumption that you want to use "SSH File Transfer Protocol", also called "Secure File Transfer Protocol", or SFTP.  

I'm basing this in part on the information about using an RSA key, and "They told us that we do not have to give them anything, that we just need to connect with the correct ip number and then we accept the key."

This is all consistent with SFTP.

There are other "secure file transfer" implementations, such as FTP over SSL/TLS, and SCP, but my money on this one is on SFTP.  If it is running across TCP port 22, it is sFTP.

http://www.rebex.net/kb/secure-ftp/default.aspx

- Gary Patterson