User profile HARRY will be used in this example as the user profile that will do the transmission.
Using sFTP With Positive Pay
Requirements
5733SC1 Option *BASE: IBM Portable Utilities for i5/OS
5733SC1 Option 1: OpenSSH, OpenSSL, zlib
Install and Verify Secure Connectivity
Generate Your Key
Check User Profile
First check that the user profile that will actually do the transmission has a home directory defined and that it exists.
DSPUSRPRF HARRY
On the last page of the display verify that a home directory exists:
Home directory . . . . . . . . . . . . . . : /home/harry
Also note the full path, and the case of the directories. The sFTP procedure is case sensitive.
If there is no home directory defined add one:
CHGUSRPRF HARRY HOMEDIR('/home/harry')
Then start the shell and verify that the directory exists:
call qp2term
cd /home/harry
pwd
If the directory that prints is not /home/harry then create it:
mkdir /home/harry
chmod 700 /home/harry
Lastly verify that the $HOME environment variable is set to the home directory:
echo $HOME
Note that this directory should be the default directory in the transmission job. You should check that job descriptions do not set it differently.
Generate Your Certificate
Run these commands from the greenscreen command line to create your server's certificate:
call qp2term
cd /home/harry
mkdir .ssh
chmod 700 .ssh
ssh-keygen -t rsa
Press <enter> for the certificate passphrase, leaving it empty. Positive Pay does not presently support a passphrase for the certificate.
chmod 600 .ssh/*
You should now have a directory /home/harry/.ssh that contains two files:
id_rsa ( your private key )
id_rsa.pub ( your public key )
Use ftp to retrieve the public key id_rsa.pub ( not the private key!! ) from the IBM server and send it to the remote processor.
Note that possession of the private key ( id_rsa ) is a security issue.
Anyone possessing just your private key ( id_rsa ) can authenticate on the remote server.
Install the Remote Server's Key
The bank or processor may send you their public key, which will be given as bank.pub in this example.
FTP this file to /home/harry/.ssh
Then install the key:
call qp2term
cd /home/harry/.ssh
cat bank.pub >> authorized_keys
chmod 600 authorized_keys
You should now have the contents of bank.pub appended to the authorized_keys file so that your SSH client can find it.
Final Check
As a last step verify that the transmitting user ( harry ) owns all the certificate files in the .ssh directory and that the permissions are rw for only the file owner:
ls -l /home/harry/.ssh
-rw------- 1 harry 0 227 Jan 14 13:29 authorized_keys
-rw------- 1 harry 0 887 Nov 17 12:52 id_rsa
-rw------- 1 harry 0 241 Nov 17 12:52 id_rsa.pub
The permissions are the first column.
The file owner is the third column.
If you need to set the file ownership use: chown harry id_rsa id_rsa.pub authorized_keys
If you need to set the permissions use: chmod 600 id_rsa id_rsa.pub authorized_keys
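The home directory check and the Final Check above both come down to reading the permission column and the owner column of an ls listing. The script below is an added example, not part of the original document, that performs those checks in one pass for the transmitting profile: it expects drwx------ on the home directory and on .ssh, and -rw------- on id_rsa and id_rsa.pub (and on authorized_keys when the bank's key has been installed), owned by the given user. It is assumed to run in QShell or PASE; "harry" and /home/harry are the document's example values and are passed as arguments.

```shell
#!/bin/sh
# Added example: verify the sFTP user's home directory and .ssh files by
# parsing `ls -ld` output (permission string = column 1, owner = column 3).

# check_entry PATH OWNER MODE
# Return 0 when PATH exists, is owned by OWNER and its permission string is
# exactly MODE (e.g. -rw------- or drwx------); otherwise print what is wrong
# and return 1.
check_entry() {
    path=$1; owner=$2; mode=$3
    if [ ! -e "$path" ]; then
        echo "MISSING: $path"
        return 1
    fi
    # Split the single ls -ld line into words; only the first 10 characters
    # of column 1 are the mode (some systems append '.' or '+' for ACLs).
    set -- $(ls -ld "$path")
    got_mode=$(printf '%s' "$1" | cut -c1-10)
    got_owner=$3
    rc=0
    if [ "$got_mode" != "$mode" ]; then
        echo "PERMS:   $path is $got_mode, want $mode (fix with chmod)"
        rc=1
    fi
    if [ "$got_owner" != "$owner" ]; then
        echo "OWNER:   $path is owned by $got_owner, want $owner (fix with chown)"
        rc=1
    fi
    return $rc
}

# check_sftp_home USER HOMEDIR
# 700 on HOMEDIR and HOMEDIR/.ssh, 600 on the key files. authorized_keys is
# checked only if present, since the bank may not have sent a key.
# Returns 0 only when every check passes.
check_sftp_home() {
    user=$1; home=$2; status=0
    check_entry "$home" "$user" drwx------ || status=1
    check_entry "$home/.ssh" "$user" drwx------ || status=1
    for f in id_rsa id_rsa.pub; do
        check_entry "$home/.ssh/$f" "$user" -rw------- || status=1
    done
    if [ -e "$home/.ssh/authorized_keys" ]; then
        check_entry "$home/.ssh/authorized_keys" "$user" -rw------- || status=1
    fi
    return $status
}

# Usage: check_sftp_home harry /home/harry
if [ "$#" -eq 2 ]; then
    if check_sftp_home "$1" "$2"; then
        echo "OK: $2 is ready for sftp as $1"
    fi
fi
```

Run it as the profile that will do the transmission, or as a profile allowed to read that home directory; a non-zero exit with the printed lines tells you which chmod or chown from the steps above is still needed.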
Test the Key Handshake
Presuming that the bank's login url is sshFtp.bigBank.com and that your login id is customer:
Create a text file to upload as a test:
call qp2term
cd /home/harry
echo 'hi there' > test.txt
sftp -v customer@sshFtp.bigBank.com
You should then get an sFTP command prompt:
sftp>
Then upload the file:
put test.txt
Then end the session if the remote system does not automatically disconnect:
quit
Notes:
1. It is sometimes easier to test the connectivity using the SSH client; however, the bank may not support an interactive ssh connection.
2. The sFTP / SSH default port is 22 and no provision for the port need be made in the above test. If the bank uses a non-standard port ( for example port 10022 ) the test connection command is: sftp -v -oPort=10022 customer@sshFtp.bigBank.com
3. At the start of the first manual connection test the local client may prompt the user to add the remote server to the known_hosts file. You should allow it to do so by responding with 'yes' to this prompt:
RSA key fingerprint is …
Are you sure you want to continue connecting (yes/no)?
Configure Positive Pay for sFTP
In the Positive Pay application definition F8 invokes the FTP configuration screen.
Configure FTP
Use FTP . .: H Y=Yes N=No S=FTPS H=sFTP
Domain. . . : sshFtp.bigBank.com
User Name . : customer
Password. . :
Confirm . . :
Target Path :
Target File : upload.txt
Remote File :
Retrv File : / Lib/File
Port: *SECURE *SECURE *DFT 1-65535
Encryption .: *SSL *SSL *NONE
FTP Mode . .: *PASSIVE *ACTIVE *PASSIVE
F1=Help F12=Previous F23=Delete
For sFTP you will need to specify the following items:
- Use FTP: this should be H
- Domain: the target URL, supplied by the bank
- User Name: supplied by the bank
- Target Path: most likely blank
- Target File: supplied by the bank. If they do not supply a name then specify something, for example upload.txt
Note that you should not supply a password since authentication is done via certificate.
Receiving a File Using sFTP
Configure FTP
Use FTP . .: H Y=Yes N=No S=FTPS H=sFTP
Domain. . . : sshFtp.bigBank.com
User Name . : customer
Password. . :
Confirm . . :
Target Path :
Target File : upload.txt
Remote File : acct100.txt
Retrv File : FMG / ACCT100 Lib/File
Port: *SECURE *SECURE *DFT 1-65535
Encryption .: *SSL *SSL *NONE
FTP Mode . .: *PASSIVE *ACTIVE *PASSIVE
F1=Help F12=Previous F23=Delete
Once uploading works you can configure downloading.
Specify the remote file name and the target db2 library / file in the Remote File and Retrv File fields shown above.
The remote file is the path of the object on the bank's system to be retrieved.
The db2 file is the library and file name of the physical file on your system to receive the data.
The db2 file must separately exist and must have an adequate record length.
To download the file, prompt the command RCVSFTP and enter the name of the Positive Pay application.
The target file's first member will be overwritten with the downloaded data.
Known Issues
If PPR3032, the sFTP transmission program, abends during transmission, temporary files can be left in the /tmp directory. Depending on the point of abend these files can include a copy of the transmitted data. If the program completes successfully it removes these files. The data copy in /tmp is protected with read and write permission restricted to the user profile running the transmission.
In general you should clear your temporary directory periodically.
You can use this command to setup a scheduled job to clear the directory of all files older than one day:
ADDJOBSCDE JOB(CLRTMP) CMD(STRQSH CMD('find /tmp/* -atime +1 -print | xargs rm')) FRQ(*WEEKLY) SCDDATE(*NONE) SCDDAY(*ALL) SCDTIME('17:00:00') RCYACN(*NOSBM) TEXT('Clear /tmp')
You should adjust the run date and time as appropriate.
This command does not remove directories and a periodic manual inspection of /tmp is a good idea.
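The scheduled job above pipes file names from find into xargs rm, which stops with an error on directory entries and on names containing spaces. The functions below are an added example, not part of the original document or the Positive Pay product, showing the same clean-up written defensively: -type f restricts the match to regular files so directories are never passed to rm, and -exec hands each name straight to rm so unusual names are safe. The first function only lists what would go, which is worth running once before scheduling the second. It is assumed to run in QShell or PASE, where find supports -type, -atime and -exec; the directory and age are parameters, so /tmp and 1 day are the document's values rather than anything built in.

```shell
#!/bin/sh
# Added example: list and remove regular files not accessed for more than
# DAYS days under DIR, the job the ADDJOBSCDE entry above performs for /tmp.

# list_old_files DIR DAYS
# Print, without deleting, every regular file under DIR whose last access
# is more than DAYS days ago. Directories themselves are never listed.
list_old_files() {
    find "$1" -type f -atime +"$2"
}

# clear_old_files DIR DAYS
# Delete those files. -exec runs rm once per file with the name passed as a
# single argument, so spaces are harmless; -print after -exec echoes each
# name that was actually removed. Directories are left in place, so a
# periodic manual inspection of DIR is still needed.
clear_old_files() {
    find "$1" -type f -atime +"$2" -exec rm -f {} \; -print
}

# Usage: clear_old_files /tmp 1
if [ "$#" -eq 2 ]; then
    echo "Files under $1 not accessed for more than $2 day(s):"
    list_old_files "$1" "$2"
fi
```

To schedule it, store the script in the IFS and point the STRQSH CMD parameter of the job schedule entry at it instead of the inline find, keeping the same frequency and time you chose above.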