Setup SFTP for internal iSeries servers

I would like to set up SFTP for our internal iSeries servers. I have 24 iSeries servers and would like to SFTP between them all.  Does anyone have a good resource for helping me to accomplish this?

Thanks
Matthew Roessner (Senior Systems Programmer) asked:
Dave Ford (Software Developer / Database Administrator) commented:
The following command works for me:

FTP RMTSYS(ftp.MyServer.com) SECCNN(*SSL) DTAPROT(*PRIVATE)

HTH,
DaveSlash
Gary Patterson (VP Technology / Senior Consultant) commented:
Well, that's not sftp.  That is ftp over ssl.

That said, ftps is relatively secure.  It doesn't offer some of the features that sftp does, like public key authentication, easy basic automation using scp, complex scripting with Expect, ssh benefits, but it does get you a secure method of transferring files in an encrypted fashion, and retains the benefits of ftp, including remote command execution, FTP exit point processing, and compatibility with existing automated processes that you have that use FTP.

If you want to use sftp with public key authentication, here's a good article that explains the setup needed

http://www-01.ibm.com/support/docview.wss?uid=nas8N1012710

sftp has some complexities on IBM i.  You may want to read these:

http://iprodeveloper.com/rpg-programming/ssh-scp-and-sftp-tools-openssh
http://www.ibmsystemsmag.com/ibmi/administrator/systemsmanagement/sFTP-Tips/

One problem is that it is tricky to use interactive password authentication in a 5250 session.  I usually connect with ssh rather than green-screen when I need to use sftp with password authentication.

- Gary
Matthew Roessner (Senior Systems Programmer, author) commented:
I attempted to set up SFTP with the instructions you sent, Gary (I had previously found this article as well).  I created an RSA key and FTPed both the public and private keys to the remote iSeries I am trying to connect to.

If, from within CALL QP2TERM, I attempt to connect via SFTP:

    sftp serveruid@somehost

I get the following errors:

    Permission denied, please try again.
    Permission denied, please try again.
    Permission denied (publickey,password,keyboard-interactive).
    Connection closed

Any ideas?
Gary Patterson (VP Technology / Senior Consultant) commented:
Sounds like your ssh server (sshd) on the target server isn't set up properly for public key authentication.  

Those articles I sent you don't have a very complete set of instructions for configuring the ssh server (sshd).  Basics are outlined here:

http://www-304.ibm.com/partnerworld/wps/servlet/ContentHandler/pw_com_porting_tools_openssh

When it comes to keys, we give away public keys, and we keep private keys.  So, for the purpose of this discussion you'll never send a private key to another system, only public keys.

So let's say we have this scenario:

Host (sshd): SSHHOST, local user assigned to client user is SSH1
Client (ssh/sftp/scp): SSHCLIENT, local user is user MYUSER

So, you set up the server, generate server keys, set permissions, create user profiles, and create home directories for SSH1 (/home/SSH1).

And you follow the earlier instructions for creating client keys, etc.

Then you send the SSHCLIENT / MYUSER public key over to SSHHOST, and install it in /home/SSH1/.ssh/authorized_keys.  This is probably what you're missing.  Set your permissions as outlined in the pw_com_porting_tools_openssh article above.

Remember host and client private keys are intended to be private.  They should not be sent to another system.  In general PKI works like this:

In PKI, you generate a key pair:  a public key that you give to others, and a private key that you keep secret.  Anyone who has your public key can use it to encrypt messages that only your private key can decrypt.  So you never send out your private key - you break the security of the whole process when you do that.

In ssh (protocol under sftp), the host server (running sshd) has a server key pair.  The first time a client connects, it will download the host server's public key and store it in a file in the user's profile directory called known_hosts.  The client also has a public/private key pair (could be a server key, or a user-level key).  

More info on configuring the OpenSSH ssh server (sshd) can be found here:

http://www.openssh.com/manual.html

If you still have trouble, generate logs on both the server and the client and post them.
Matthew Roessner (Senior Systems Programmer, author) commented:
Thanks for the help Gary. That got me pointed in the right direction. I will post my instructions in case anyone else is wanting to get this set up.

One last question. Do you have any idea how to setup and/or view logging for SFTP?

Thanks again for your help
Matthew Roessner (Senior Systems Programmer, author) commented:
This is the process I followed to set up SFTP between 2 iSeries servers (SSHHOST and SSHCLIENT):

1.  Log onto the iHost (SSHHOST) server as yourself.
2.  Create a user profile to use for the SFTP process (SFTPUSER). At least initially, this user must have command line capabilities.
3.  From the command line, type the following:
        CALL QP2TERM
4.  Create a home directory for the SFTP user:
        $ mkdir /home/SFTPUSER
5.  Change the ownership of the new directory to the SFTP user:
        $ chown SFTPUSER /home/SFTPUSER
6.  Set permissions on the user's home directory:
        $ chmod 755 /home/SFTPUSER
7.  Create a .ssh directory within the user's home directory:
        $ mkdir /home/SFTPUSER/.ssh
8.  Change ownership of the .ssh directory to the SSH user:
        $ chown SFTPUSER /home/SFTPUSER/.ssh
9.  Set permissions on the user's .ssh directory:
        $ chmod 700 /home/SFTPUSER/.ssh
10. Close the PASE environment by pressing F3.
11. Change the home directory parameter in the SSH user's profile to point to the IFS path of the home directory created in step 4:
        CHGUSRPRF USRPRF(SFTPUSER) HOMEDIR('/home/SFTPUSER')
12. Sign off of the iSeries Host Server (SSHHOST) and sign on as the SSH user (SFTPUSER).
13. From the command line, type the following:
        CALL QP2TERM
14. Create an RSA private/public key pair:
        $ ssh-keygen -t rsa -N ""
15. If asked to specify the location, simply press Enter to accept the default location (within the .ssh folder).
16. Press F3 to exit.
17. Log out of the SSH user and log back in as yourself.
18. Initiate an FTP session to the client server you want to SFTP to (SSHCLIENT):
        FTP SSHCLIENT
        BIN
        NAMEFMT 1
        CD /HOME/SFTPUSER/.SSH
        LCD /HOME/SFTPUSER/.SSH
        PUT ID_RSA.PUB SSHHOST.PUB
        QUIT
19. Log into the SSHCLIENT server and type the following command:
        CALL QP2TERM
20. Append the public key file to authorized_keys:
        cat /home/SFTPUSER/.ssh/SSHHOST.pub >> /home/SFTPUSER/.ssh/authorized_keys
21. Change the ownership of the authorized_keys file (only needed the first time):
        chown SFTPUSER /home/SFTPUSER/.ssh/authorized_keys
22. Set permissions on the authorized_keys file (only needed the first time):
        chmod 600 /home/SFTPUSER/.ssh/authorized_keys
23. Press F3 to exit.
24. Log back into the Host server (SSHHOST) as the SSH user (SFTPUSER) and type the following command:
        CALL QP2TERM
25. Execute the following command to create a known_hosts file:
        ssh -T sftpuser@sshclient
26. To test the connection, type the following command:
        sftp sftpuser@sshclient

You will likely also want to repeat the above instructions - except flip/flop the roles. This will allow you to SFTP from either server. As the set up stands above, only SSHHOST will be able to SFTP to SSHCLIENT. The SSHCLIENT will not be able to SFTP to SSHHOST. This is why you should repeat the process to set things up so both servers can SFTP to each other (if this is what you want to do).

Lastly: This is a CL command that I use as an example of what you could use in an actual program to SFTP data from one server to another (this assumes that you have a directory called /sftp and it has an FTP command file in it):

    SBMJOB CMD(QSH CMD('/QOpenSys/bin/sftp -b/sftp/test.txt sftpuser@sshclient')) JOB(TESTFTP) USER(SFTPUSER)

Hope this helps anyone wanting to set this up for themselves.
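As an added check (this script is not from the thread or from IBM), the PASE shell functions below audit the ownership and permission bits sshd requires on the SFTP user's home, .ssh and authorized_keys, which are the usual cause of the bare "Permission denied (publickey,...)" seen earlier in the thread, and append a public key only when it is not already present, so repeating the procedure in the other direction does not leave duplicate entries. The paths and the key line used for testing are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit the ownership and permission bits
# that sshd (StrictModes) requires before it will honour
# /home/<user>/.ssh/authorized_keys, and install a public key without adding a
# duplicate line. Assumes POSIX sh plus ls, awk, tr, grep, head and chmod.

# "mode owner" for a path, read from ls -ld so it works on PASE and Linux alike.
mode_owner() {
    ls -ld "$1" | awk '{print $1, $3}'
}

lower() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# check_ssh_perms USER HOMEDIR
# Returns 0 when home, .ssh and authorized_keys exist, are owned by USER and
# none is writable by group or other; otherwise prints one problem per line
# and returns 1. sshd rejects these silently; the client only sees
# "Permission denied (publickey,...)" even when the key itself is correct.
check_ssh_perms() {
    want=$(lower "$1"); home=$2; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"; rc=1; continue
        fi
        mo=$(mode_owner "$p")
        mode=${mo%% *}; owner=$(lower "${mo#* }")
        if [ "$owner" != "$want" ]; then
            echo "OWNER    $p owned by $owner, expected $want"; rc=1
        fi
        case "$mode" in           # char 6 = group write, char 9 = other write
            ?????w*|????????w*) echo "WRITABLE $p is $mode"; rc=1 ;;
        esac
    done
    return $rc
}

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS
# Appends the key line only if it is not already present, then enforces 600.
# Prints "added" or "present"; returns 1 on an empty key file.
install_pubkey() {
    key=$(head -n 1 "$1")
    [ -n "$key" ] || { echo "empty key file: $1"; return 1; }
    if [ -f "$2" ] && grep -qxF -- "$key" "$2"; then
        echo present
    else
        printf '%s\n' "$key" >> "$2"
        echo added
    fi
    chmod 600 "$2"
}
```

Run `check_ssh_perms SFTPUSER /home/SFTPUSER` on the receiving server whenever key authentication fails before looking at the keys themselves.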
Gary Patterson (VP Technology / Senior Consultant) commented:
Matthew,

Nice of you to post such a complete solution.  Appreciated.

Here's a technote on configuring logging:

http://www-01.ibm.com/support/docview.wss?uid=isg3T1012933

In general, IBM i uses OpenSSH, so typically you just need to consult OpenSSH documentation for stuff like this.

http://www.openssh.com/manual.html

sshd (subsystem):  http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/sshd_config.5?query=sshd_config&sec=5

sftp-server: http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/sftp-server.8?query=sftp-server&sec=8

Note that logging depends on syslogd, which is not started by default on IBM i.  You'll need to configure syslogd and start it.  You'll probably want to automate syslogd startup so that it comes back up after IPLs and subsystem start/end.

If syslogd isn't running, logging messages get sent to QSYSOPR, the interactive user's message queue, or the job log, and may not be as useful.

http://www-01.ibm.com/support/docview.wss?uid=nas8N1013082
Matthew Roessner (Senior Systems Programmer, author) commented:
Gary helped point me in the right direction and I wanted to re-post the full solution.