baiedw

External IP address of iSeries machine

We are trying to set up secure ftp with a trading partner and need to send them our external IP address.  How do I find it?  

Also, what needs to be done on our end?  The trading partner said that we will pick up an RSA Key when we connect.
Nick Rhode

www.ipchicken.com

Will give you our external address
When your client software makes an SFTP connection the server will send its public SSH key.  The client software will probably prompt you to accept or reject the key.  If you reject it then it will drop the connection.  If you accept it, it will save a copy of the key and the address of the server.  The next time the software connects it will not prompt as long as the server sends the same key.  This prevents someone else from setting up a fake version of the server.  If they use a different public key you will notice that you had to re-accept it, if they try to re-use the original public key they won't have the matching private key for decryption.
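The accept-once, compare-afterwards check described in the answer above, as an added example that is not part of the original thread and not any client's actual code. It reads OpenSSH-style `known_hosts` text (plain and hashed host entries); the host name and key bytes are constructed placeholders.

```python
import base64
import hashlib
import hmac

def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(pattern: str, host: str) -> bool:
    """Match one known_hosts host field: a comma list or a hashed |1|salt|hash entry.
    Wildcard and negated patterns are not handled in this example."""
    if pattern.startswith("|1|"):
        _, _, salt, digest = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in pattern.split(",")

def check_host_key(known_hosts: str, host: str, key_type: str, b64_blob: str) -> str:
    """Return 'unknown', 'match' or 'MISMATCH' for the key a server presented."""
    seen = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # skip blanks, comments and @cert-authority/@revoked lines
        if fields[1] != key_type or not host_matches(fields[0], host):
            continue
        if fields[2] == b64_blob:
            return "match"      # same key as saved earlier: no prompt
        seen = True             # host is known, but under a different key
    return "MISMATCH" if seen else "unknown"

# Constructed sample data: placeholder host, made-up key bytes (not real RSA keys).
HOST = "sftp.partner.example"
KEY_A = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-key-A").decode()
KEY_B = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-key-B").decode()
KNOWN_HOSTS = f"# saved on first connect\n{HOST} ssh-rsa {KEY_A}\n"

if __name__ == "__main__":
    for label, key in (("same key", KEY_A), ("different key", KEY_B)):
        print(label, check_host_key(KNOWN_HOSTS, HOST, "ssh-rsa", key), fingerprint(key))
    print("new host", check_host_key(KNOWN_HOSTS, "other.example", "ssh-rsa", KEY_A))
```

An `unknown` result is the first-connect prompt: compare the fingerprint with one the trading partner supplies over a separate channel before accepting. A `MISMATCH` should stop the transfer until the partner confirms a key change.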
Gary Patterson, CISSP
Since you probably don't have a browser installed on your AS/400 (and a text browser like Lynx is the only thing you could have, since there is no GUI...), you can try:

TELNET RMTSYS('4vaddress.com')

This connects to a Telnet auto-responder service maintained by the nice folks at Sixscape Communications.  

Several possibilities on the IP address issue:

1) AS/400 is directly connected to the Internet without NAT.  In that case, you can just GO CFGTCP, and select option 1 - Work With Interfaces to see the IP addresses assigned to each interface.  This isn't a common configuration, and I don't encourage it from a security perspective.

2) If you only have one internet connection, and all of your systems including the AS/400 share a single external IP address, and connect through a NAT firewall, then you can just use a browser-based tool like "www.whatismyip.com" or ipchicken.com from any system on your network with a browser like an earlier poster suggested.

3) In a multiple-address location, if the TELNET trick doesn't work, you'll need to contact your network administrator.  Most likely there is a NAT relationship set up in your firewall that associates the AS/400 private address with one of your public addresses, and some rules blocking outbound Telnet.

4) Finally, it is also possible that the AS/400 is completely (and intentionally) isolated from the Internet, and the answer is "there is no external address for that system".

- Gary Patterson
First, you have to have the right utilities installed to enable SSH and sFTP:

5733SC1 IBM Portable Utilities for i5/OS *BASE & Option 1
57XXSS1 Option 33 (Portable Application Solutions Environment)

Then, you have to configure public-key authentication on IBM i.  

Note that the RSA key you generate using ssh-keygen is associated with a specific user profile, and you must use that same profile to perform the sFTP transfers.  

You can use one profile and public key to communicate with multiple trading partners, or you can set up a different profile and key for each trading partner.

http://www-01.ibm.com/support/docview.wss?uid=nas8N1012710

Finally, here is a very basic example of how to automate an sFTP script:

https://www-304.ibm.com/support/docview.wss?uid=nas8N1014104

- Gary Patterson
baiedw

ASKER

Gary,
The telnet test logs me off of the iSeries and brings up a login screen.

whatismyip displays the ip number of our vpn.

The trading partner we are trying to connect to said that they have created a tunnel for a specific ip number, which is the vpn number, and we should be able to connect with putty and accept a key.  Since the connection times out every time I was thinking that we told them the wrong IP number.  That is why I am trying to verify the number of our iSeries machine.  Our tech services gave me a number starting with 10.10. which I know is not correct.
Ed
To clarify with regard to the keys.  The server will definitely give you its SSH public key when your client connects and it is also possible that the server will want you to provide your own SSH public key for user authentication.  Some SFTP servers allow users to log in with username/password but others are configured to require the client (you) to provide your own public key as part of the user authentication process.
baiedw

ASKER

They told us that we do not have to give them anything, that we just need to connect with the correct ip number and then we accept the key.
baiedw

ASKER

Thanks for your help Gary, I learned a few things.  Unfortunately our network group says it is too hard to set up secure ftp on the iSeries.  They said they will come up with a solution.  I hope it is one that works.  Thanks again.
Ed
Ed,

Lol.  Secure FTP takes about 10 minutes to set up on the iSeries.  Nothing complicated about it.  I've done it dozens of times.  

Maybe there are network restrictions in place that make it complicated or something like that, or maybe they just don't know how to do it and don't want to go to the effort to figure it out.  If they already have a good sFTP solution set up elsewhere, then that might be the best approach anyhow.

Good luck.

- Gary
There is secure FTP, and there is sftp. Those are two very different things. Secure FTP is easy. But sftp can take some study and some effort when doing it the first time. Be sure the difference is known and understood. Regardless, both can be used on the AS/400 series of systems; and the requirements are effectively the same as on any other system.

Tom
Tom brings up a good point. Maybe we should define some terms.

I'm operating under the assumption that you want to use "SSH File Transfer Protocol", also called "Secure File Transfer Protocol", or SFTP.  

I'm basing this in part on the information about using an RSA key, and "They told us that we do not have to give them anything, that we just need to connect with the correct ip number and then we accept the key."

This is all consistent with SFTP.

There are other "secure file transfer" implementations, such as FTP over SSL/TLS, and SCP, but my money on this one is on SFTP.  If it is running across TCP port 22, it is sFTP.

http://www.rebex.net/kb/secure-ftp/default.aspx

- Gary Patterson