[[[start#iseries_positive_pay | Up To Main Index]]]

User profile **HARRY** will be used in this example as the user profile that will do the transmission.

====== Using sFTP With Positive Pay ======

===== Requirements =====

**''5733SC1 Option *BASE: IBM Portable Utilities for i5/OS \\ 5733SC1 Option 1: OpenSSH, OpenSSL, zlib ''**

===== Install and Verify Secure Connectivity =====

==== Generate Your Key ====

== Check User Profile ==

First check that the user profile that will actually do the transmission has a home directory defined and that it exists.

''DSPUSRPRF HARRY''

On the last page of the display verify that a home directory exists:

''Home directory . . . . . . . . . . . . . . : /home/harry''

Also note the full path and the case of the directory names. The sFTP procedure is case sensitive.

If there is no home directory defined, add one:\\
''CHGUSRPRF HARRY HOMEDIR('/home/harry')''

Then start the shell and verify that the directory exists:\\
''call qp2term''\\
''cd /home/harry''\\
''[[http://en.wikipedia.org/wiki/Pwd | pwd]]''

If the directory that prints is not /home/harry then create it:\\
''mkdir /home/harry''\\
''[[http://en.wikipedia.org/wiki/Chmod | chmod]] 700 /home/harry''

Lastly verify that the $HOME environment variable is set to the home directory:\\
''echo $HOME''

Note that this directory should be the default directory in the transmission job. Check that job descriptions do not set it differently.

== Generate Your Certificate ==

Run these commands from the greenscreen command line to create your server's certificate:

''call qp2term''\\
''cd /home/harry''\\
''mkdir .ssh''\\
''chmod 700 .ssh''\\
''[[http://en.wikipedia.org/wiki/Ssh-keygen | ssh-keygen]] -t rsa''

Press Enter at the certificate passphrase prompt, leaving it empty. Positive Pay does not presently support a passphrase for the certificate.

''chmod 600 .ssh/*''

You should now have a directory /home/harry/.ssh that contains two files:\\
id_rsa ( your private key )\\
id_rsa.pub ( your public key )

Use ftp to retrieve the public key **id_rsa.pub** ( not the private key!! ) from the IBM server and send it to the remote processor.

Note that possession of the private key ( **id_rsa** ) is a security issue: anyone who obtains just your private key ( id_rsa ) can authenticate on the remote server as you.

==== Install the Remote Server's Key ====

The bank or processor may send you their public key, which will be called **bank.pub** in this example. FTP this file to /home/harry/.ssh

Then install the key:\\
''call qp2term''\\
''cd /home/harry/.ssh''\\
''[[http://en.wikipedia.org/wiki/Cat_%28Unix%29 | cat]] bank.pub >> authorized_keys''\\
''chmod 600 authorized_keys''

You should now have the contents of bank.pub appended to the authorized_keys file so that your [[http://en.wikipedia.org/wiki/Secure_Shell | SSH]] client can find it.

==== Final Check ====

As a last step verify that the transmitting user ( harry ) owns all the certificate files in the .ssh directory and that the permissions are rw for the file owner only:\\
''ls -l /home/harry/.ssh''
<code>
-rw-------   1 harry  0               227 Jan 14 13:29 authorized_keys
-rw-------   1 harry  0               887 Nov 17 12:52 id_rsa
-rw-------   1 harry  0               241 Nov 17 12:52 id_rsa.pub
</code>
The permissions are the first column.\\
The file owner is the third column.

If you need to set the file ownership use: ''chown harry id_rsa id_rsa.pub authorized_keys''\\
If you need to set the permissions use: ''chmod 600 id_rsa id_rsa.pub authorized_keys''

==== Test the Key Handshake ====

Presuming that the bank's login url is **sshFtp.bigBank.com** and that your login id is **customer**:

Create a text file to upload as a test:\\
''call qp2term''\\
''cd /home/harry''\\
''echo 'hi there' > test.txt''\\
''[[http://en.wikipedia.org/wiki/SSH_file_transfer_protocol | sftp]] -v customer@sshFtp.bigBank.com''

You should then get an sFTP command prompt:\\
''sftp>''\\
Then upload the file:\\
''put test.txt''

Then end the session if the remote system does not automatically disconnect:\\
''quit''

**Notes**:\\
1. It is sometimes easier to test the connectivity using the SSH client; however, the bank may not support an **interactive** ssh connection.\\
\\
2. The sFTP / SSH **default port** is 22 and no provision for port 22 need be made in the above test. If a non-standard port is used by the bank ( for example port 10022 ) the test connection command is: **sftp -v -oPort=10022 customer@sshFtp.bigBank.com**.\\
\\
3. At the start of the first manual connection test the local client may prompt the user to add the remote server to the **known_hosts file**. You should allow it to do so by responding 'yes' to this prompt:\\
The authenticity of host can't be established.\\
RSA key fingerprint is ...\\
Are you sure you want to continue connecting (yes/no)?
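The "Check User Profile" and "Final Check" steps above can be scripted so they are repeated the same way before every transmission profile goes live. This is an added example, not code from the original page or from Positive Pay; it assumes a POSIX shell such as the one started by ''call qp2term'' and takes the page's example home directory ( /home/harry ) and user ( harry ) as arguments.

```shell
#!/bin/sh
# Added example, not from the original page: automates the "Check User Profile"
# and "Final Check" steps. Run it inside qp2term, for example:
#   check_transmit_user /home/harry harry
# Assumes POSIX sh with ls and awk; /home/harry and harry are the page's
# example values, substitute your own.

# Permission field (column 1) and owner (column 3) of one path: the same two
# columns the page tells you to read from 'ls -l'. substr() drops an 11th
# character that some systems append to the mode (an ACL '+' and the like).
perm_owner() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10), $3 }'
}

# check_home HOME: the home directory must exist and $HOME must point at it,
# since that is the default directory of the transmission job.
check_home() {
    [ -d "$1" ] || { echo "home directory $1 does not exist (mkdir $1)"; return 1; }
    [ "$HOME" = "$1" ] || { echo "\$HOME is '$HOME', expected $1"; return 1; }
}

# check_ssh_dir HOME USER: .ssh must be drwx------ and each key file -rw-------,
# all owned by USER. Prints one line per problem (with the fixing command).
check_ssh_dir() {
    home=$1; user=$2; rc=0
    [ -d "$home/.ssh" ] || { echo "missing $home/.ssh (mkdir .ssh; chmod 700 .ssh)"; return 1; }
    set -- $(perm_owner "$home/.ssh")
    [ "$1" = "drwx------" ] || { echo "$home/.ssh is $1, want drwx------ (chmod 700 .ssh)"; rc=1; }
    [ "$2" = "$user" ] || { echo "$home/.ssh owned by $2, want $user (chown $user .ssh)"; rc=1; }
    for f in id_rsa id_rsa.pub authorized_keys; do
        p="$home/.ssh/$f"
        [ -f "$p" ] || { echo "missing $p"; rc=1; continue; }
        set -- $(perm_owner "$p")
        [ "$1" = "-rw-------" ] || { echo "$p is $1, want -rw------- (chmod 600 $f)"; rc=1; }
        [ "$2" = "$user" ] || { echo "$p owned by $2, want $user (chown $user $f)"; rc=1; }
    done
    return $rc
}

# check_transmit_user HOME USER: run both checks; exit status 0 means ready.
check_transmit_user() {
    check_home "$1" && check_ssh_dir "$1" "$2"
}

# When run as a script, check the home directory and user given as arguments.
if [ $# -ge 2 ]; then
    check_transmit_user "$1" "$2"
fi
```

A non-zero exit status with the printed lines tells you which of the page's chown / chmod commands still has to be run.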
===== Configure Positive Pay for sFTP =====

In the Positive Pay application definition **F8** invokes the FTP configuration screen.
                           Configure FTP                        
                                                                
       Use FTP  . .: H   Y=Yes N=No S=FTPS H=sFTP               
                                                                
       Domain. . . : sshFtp.bigBank.com
       User Name . : customer
       Password. . :                                            
       Confirm . . :                                            
                                                                
       
       Target Path :                                           
       Target File : upload.txt
       Remote File :                                    
       Retrv File  :            /            Lib/File    
                                                                
       Port:         *SECURE     *SECURE *DFT 1-65535           
       Encryption .: *SSL        *SSL *NONE                     
       FTP Mode . .: *PASSIVE    *ACTIVE *PASSIVE               
                                                                
  F1=Help   F12=Previous  F23=Delete                            
For sFTP you will need to specify the following items:

  * **Use FTP**: this should be **H**
  * **Domain**: the target URL, supplied by the bank
  * **User Name**: supplied by the bank
  * **Target Path**: most likely blank
  * **Target File**: supplied by the bank. If they do not supply a name then specify something, for example upload.txt

Note that you should not supply a password since authentication is done via certificate.

===== Receiving a File Using sFTP =====
                           Configure FTP                        
                                                                
       Use FTP  . .: H   Y=Yes N=No S=FTPS H=sFTP               
                                                                
       Domain. . . : sshFtp.bigBank.com
       User Name . : customer
       Password. . :                                            
       Confirm . . :                                            
                                                                
       Target Path :                                           
       Target File : upload.txt
       Remote File : acct100.txt                                   
       Retrv File  : FMG        / ACCT100     Lib/File    
                                                                
       Port:         *SECURE     *SECURE *DFT 1-65535           
       Encryption .: *SSL        *SSL *NONE                     
       FTP Mode . .: *PASSIVE    *ACTIVE *PASSIVE               
                                                                
  F1=Help   F12=Previous  F23=Delete                            
Once uploading works you can configure downloading. Specify the remote file name and the target db2 library / file, that is the **Remote File** and **Retrv File** fields shown above.\\
The remote file is the path of the object on the bank's system to be retrieved.\\
The db2 file is the library and file name of the physical file on your system to receive the data.\\
The db2 file must already exist and must have an adequate record length.

To download the file, prompt the command RCVSFTP and enter the name of the Positive Pay application.\\
The target file's first member will be overwritten with the downloaded data.

===== Known Issues =====

If PPR3032, the sFTP transmission program, abends during transmission, temporary files can be left in the /tmp directory. Depending on the point of abend these files can include a copy of the transmitted data. If the program completes successfully it removes these files. The data copy in /tmp is protected with read and write permission restricted to the user profile running the transmission. In general you should clear your temporary directory periodically.\\
You can use this command to set up a scheduled job to clear the directory of all files older than one day:
<code>
ADDJOBSCDE JOB(CLRTMP) CMD(STRQSH CMD('find /tmp/* -atime +1 -print  | xargs rm'))
FRQ(*WEEKLY) SCDDATE(*NONE) SCDDAY(*ALL) SCDTIME('17:00:00') RCYACN(*NOSBM) TEXT('Clear /tmp')
</code>
You should adjust the run date and time as appropriate. This command does not remove directories, and a periodic manual inspection of /tmp is a good idea.

----
[[[start#iseries_positive_pay | Up To Main Index]]]