pub:pospaysftp [2022/06/25 17:02] (current) – created - external edit 127.0.0.1
<html>&#091;</html>[[start#iseries_positive_pay | Up To Main Index]]<html>&#093;</html>

User profile **HARRY** will be used in this example as the user profile that will do the transmission.

====== Using sFTP With Positive Pay ======

===== Requirements =====

**''5733SC1   Option *BASE:   IBM Portable Utilities for i5/OS''**\\
**''5733SC1   Option 1:       OpenSSH, OpenSSL, zlib''**

===== Install and Verify Secure Connectivity =====

==== Generate Your Key ====

== Check User Profile ==
First check that the user profile that will actually do the transmission has a home directory
defined and that the directory exists.

''DSPUSRPRF HARRY''

On the last page of the display verify that a home directory is shown:\\
''Home directory . . . . . . . . . . . . . . :   /home/harry''

Also note the full path and the case of the directory names. The sFTP procedure is case sensitive.

If there is no home directory defined, add one:\\
''CHGUSRPRF HARRY HOMEDIR('/home/harry')''

Then start the PASE shell and verify that the directory exists:\\
''call qp2term''\\
''cd /home/harry''\\
''[[http://en.wikipedia.org/wiki/Pwd | pwd]]''

If the directory that prints is not /home/harry (or the ''cd'' fails), create it:\\
''mkdir /home/harry''\\
''[[http://en.wikipedia.org/wiki/Chmod | chmod]] 700 /home/harry''

Lastly verify that the $HOME environment variable is set to the home directory:\\
''echo $HOME''

Note that this directory should be the current directory of the transmission job.
You should check that job descriptions do not set it differently.
== Generate Your Key Pair ==

Run these commands from the green screen command line to create the key pair (this page also refers to it as the certificate):

''call qp2term''\\
''cd /home/harry''\\
''mkdir .ssh''\\
''chmod 700 .ssh''

''[[http://en.wikipedia.org/wiki/Ssh-keygen | ssh-keygen]] -t rsa''\\
Press <enter> for the certificate passphrase, leaving it empty. Positive Pay does not presently support a passphrase for the certificate.

''chmod 600 .ssh/*''

You should now have a directory /home/harry/.ssh that contains two files:\\
''id_rsa'' ( your private key )\\
''id_rsa.pub'' ( your public key )

Use ftp to retrieve the public key **id_rsa.pub** ( not the private key!! ) from the IBM server
and send it to the remote processor.

Note that possession of the private key ( **id_rsa** ) is a security issue:
anyone possessing just your private key ( id_rsa ) can authenticate on the remote server.

==== Install the Remote Server's Key ====

The bank or processor may send you their public key, which will be called **bank.pub** in this example.

FTP this file to /home/harry/.ssh

Then install the key:\\
''call qp2term''\\
''cd /home/harry/.ssh''\\
''[[http://en.wikipedia.org/wiki/Cat_%28Unix%29 | cat]] bank.pub >> authorized_keys''\\
''chmod 600 authorized_keys''

You should now have the contents of bank.pub appended to the authorized_keys file so that your
[[http://en.wikipedia.org/wiki/Secure_Shell | SSH]] client can find it.

==== Final Check ====

As a last step verify that the transmitting user ( harry ) owns all the key files in the .ssh directory and that the permissions are read/write for the file owner only:

''ls -l /home/harry/.ssh''
<html><pre>
-rw-------   1 harry  0               227 Jan 14 13:29 authorized_keys
-rw-------   1 harry  0               887 Nov 17 12:52 id_rsa
-rw-------   1 harry  0               241 Nov 17 12:52 id_rsa.pub
</pre></html>
The permissions are the first column.\\
The file owner is the third column.

If you need to set the file ownership use: ''chown harry id_rsa id_rsa.pub authorized_keys''\\
If you need to set the permissions use: ''chmod 600 id_rsa id_rsa.pub authorized_keys''

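The home-directory check, the key-pair setup and the Final Check above can be verified in one pass with the script below. It is an added example, not part of the original page or of the Positive Pay product: the function names ''mode_owner'' and ''check_sftp_keys'' are this example's own, and it assumes the page's sample profile HARRY with home directory /home/harry. It uses only ''ls'', ''cut'' and the shell, so it can be pasted into the PASE shell (''call qp2term'') unchanged.

```shell
#!/bin/sh
# Added example (not from the original page): one script that performs the
# home-directory and Final Check verifications described above.
# Usage: check_sftp_keys /home/harry harry   (paths/names from the page's example)

# Print "<mode> <owner>" for a path, e.g. "-rw------- harry".
# Field 1 of ls -l is the mode (cut to 10 chars in case an ACL marker such as
# '+' follows it), field 3 is the owner.
mode_owner() {
    set -- $(ls -ld "$1")
    echo "$(printf '%s' "$1" | cut -c1-10) $3"
}

# Return 0 when the layout matches the page's requirements:
#   $home/.ssh is a directory, mode 700, owned by $user
#   id_rsa, id_rsa.pub and authorized_keys exist, mode 600, owned by $user
# Otherwise print every problem found and return 1.
check_sftp_keys() {
    home="$1"; user="$2"; rc=0
    sshdir="$home/.ssh"
    if [ ! -d "$home" ]; then echo "MISSING home directory: $home"; return 1; fi
    if [ ! -d "$sshdir" ]; then echo "MISSING: $sshdir"; return 1; fi

    set -- $(mode_owner "$sshdir")
    [ "$1" = "drwx------" ] || { echo "BAD MODE  $sshdir: $1 (want drwx------)"; rc=1; }
    [ "$2" = "$user" ]      || { echo "BAD OWNER $sshdir: $2 (want $user)"; rc=1; }

    for f in id_rsa id_rsa.pub authorized_keys; do
        p="$sshdir/$f"
        if [ ! -f "$p" ]; then echo "MISSING: $p"; rc=1; continue; fi
        set -- $(mode_owner "$p")
        [ "$1" = "-rw-------" ] || { echo "BAD MODE  $p: $1 (want -rw-------)"; rc=1; }
        [ "$2" = "$user" ]      || { echo "BAD OWNER $p: $2 (want $user)"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: $sshdir passes all checks"
    return $rc
}
```

A non-zero return lists every file that needs the ''chown'' or ''chmod'' from the Final Check, so the script can be run again after the fix until it reports OK.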
==== Test the Key Handshake ====

Presuming that the bank's login URL is **sshFtp.bigBank.com** and that your login id is **customer**:

Create a text file to upload as a test:\\
''call qp2term''\\
''cd /home/harry''\\
''echo 'hi there' > test.txt''\\
''[[http://en.wikipedia.org/wiki/SSH_file_transfer_protocol | sftp]] -v customer@sshFtp.bigBank.com''

You should then get an sFTP command prompt:\\
''sftp>''

Then upload the file:\\
''put test.txt''

Then end the session if the remote system does not automatically disconnect:\\
''quit''

**Notes**:\\
1. It is sometimes easier to test the connectivity using the SSH client; however, the bank may not support an **interactive** ssh connection.\\
\\
2. The sFTP / SSH **default port** is 22 and no provision for port 22 need be made in the above test. If a non-standard port is used by the bank\\
( for example port 10022 ) the test connection command is: **sftp -v -oPort=10022 customer@sshFtp.bigBank.com**.\\
\\
3. At the start of the first manual connection test the local client may prompt the user to add the remote server to the\\
**known_hosts file**. You should allow it to do so by responding with 'yes' to this prompt:\\

<html><div style="margin-left: 25px;"></html>
The authenticity of host <bankHost> can't be established.\\
RSA key fingerprint is ...\\
Are you sure you want to continue connecting (yes/no)?
<html></div></html>

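Once the manual test in this section works, the same upload can be repeated without a terminal, for example from a scheduled job. The script below is an added example, not part of the original page or of Positive Pay; it assumes the OpenSSH ''sftp'' client from 5733SC1 and uses the page's placeholder host **sshFtp.bigBank.com** and user **customer**. The function names and the ''KNOWN_HOSTS'' variable are this example's own. It differs from the interactive test in two deliberate ways: ''BatchMode=yes'' makes a failed key login exit with an error instead of waiting for a password, and ''StrictHostKeyChecking=yes'' makes an unknown or changed host key fail the job instead of being accepted, so the bank's host key must already be in known_hosts (the entry created when you answered 'yes' in note 3, ideally after comparing the fingerprint shown with one the bank published).

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive form of the
# handshake test. Assumes OpenSSH's sftp client in PASE and the page's example
# host/user. KNOWN_HOSTS may be overridden for testing.
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/known_hosts}"

# Return 0 if host/port already has a plain (unhashed) entry in the known_hosts
# file. Port 22 entries look like "host,ip ssh-rsa ...", other ports like
# "[host]:port ssh-rsa ...". Hostnames match case-insensitively, as ssh does.
# Hashed entries (lines starting with |1|) cannot be matched this way; use
# "ssh-keygen -F host" for those.
known_hosts_has_host() {
    host="$1"; port="$2"; kh="$3"
    [ -f "$kh" ] || return 1
    h=$(printf '%s' "$host" | sed 's/\./\\./g')     # escape dots for grep
    if [ "$port" = "22" ]; then pat="^$h[, ]"; else pat="^\\[$h\\]:$port[, ]"; fi
    grep -qi "$pat" "$kh"
}

# Upload one file with an sftp batch script (put + quit, as in the manual test).
# Return 2 without touching the network if the host key is not pinned yet,
# 3 if no batch file could be created, otherwise sftp's own exit status
# (0 = upload succeeded).
sftp_upload_test() {
    host="$1"; user="$2"; port="$3"; file="$4"
    if ! known_hosts_has_host "$host" "$port" "$KNOWN_HOSTS"; then
        echo "REFUSED: $host:$port is not in $KNOWN_HOSTS; add the bank's published host key first" >&2
        return 2
    fi
    batch=$(mktemp) || return 3
    printf 'put %s\nquit\n' "$file" > "$batch"
    sftp -oBatchMode=yes -oStrictHostKeyChecking=yes -oPort="$port" -b "$batch" "$user@$host"
    rc=$?
    rm -f "$batch"
    return $rc
}

# Example call, mirroring the manual test (port 22; use 10022 for note 2's case):
#   echo 'hi there' > /home/harry/test.txt
#   sftp_upload_test sshFtp.bigBank.com customer 22 /home/harry/test.txt
```

The refusal before any network contact is the point of the pre-check: a job that silently accepted a new host key on its first run would also silently accept a changed one, and a changed key is exactly the event you want the job to stop on.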
===== Configure Positive Pay for sFTP =====

In the Positive Pay application definition **F8** invokes the FTP configuration screen.

<html><pre>
                           Configure FTP

       <span style="color: blue;">Use FTP  . .: H</span>   Y=Yes N=No S=FTPS H=sFTP

       <span style="color: blue;">Domain. . . : sshFtp.bigBank.com</span>
       <span style="color: blue;">User Name . : customer</span>
       Password. . :
       Confirm . . :

       <span style="color: blue;">
       Target Path :
       Target File : upload.txt</span>
       Remote File :
       Retrv File  :            /            Lib/File

       Port:         *SECURE     *SECURE *DFT 1-65535
       Encryption .: *SSL        *SSL *NONE
       FTP Mode . .: *PASSIVE    *ACTIVE *PASSIVE

  F1=Help   F12=Previous  F23=Delete
</pre></html>

For sFTP you will need to specify the following items:

  * **Use FTP**: this should be **H**
  * **Domain**: the target URL, supplied by the bank
  * **User Name**: supplied by the bank
  * **Target Path**: most likely blank
  * **Target File**: supplied by the bank. If they do not supply a name then specify something, for example upload.txt

Note that you should not supply a password, since authentication is done via the certificate (key pair).

===== Receiving a File Using sFTP =====

<html><pre>
                           Configure FTP

       Use FTP  . .: H   Y=Yes N=No S=FTPS H=sFTP

       Domain. . . : sshFtp.bigBank.com
       User Name . : customer
       Password. . :
       Confirm . . :

       Target Path :
       Target File : upload.txt
       <span style="color: blue;">Remote File : acct100.txt
       Retrv File  : FMG        / ACCT100     Lib/File    </span>

       Port:         *SECURE     *SECURE *DFT 1-65535
       Encryption .: *SSL        *SSL *NONE
       FTP Mode . .: *PASSIVE    *ACTIVE *PASSIVE

  F1=Help   F12=Previous  F23=Delete
</pre></html>

Once uploading works you can configure downloading.

Specify the remote file name and the target DB2 library / file as marked in blue above.\\
The remote file is the path of the object on the bank's system to be retrieved.\\
The DB2 file is the library and file name of the physical file on your system that receives the data.\\
The DB2 file must already exist and must have an adequate record length.

To download the file, prompt the command RCVSFTP and enter the name of the Positive Pay application.\\
The target file's first member will be overwritten with the downloaded data.

===== Known Issues =====

If PPR3032, the sFTP transmission program, abends during transmission, temporary files can be left in the /tmp directory. Depending on the point of abend these files can include a copy of the transmitted data. If the program completes successfully it removes these files. The data copy in /tmp is protected with read and write permission restricted to the user profile running the transmission.

In general you should clear your temporary directory periodically.\\
You can use this command to set up a scheduled job that clears the directory of all files older than one day:

<html><pre>
ADDJOBSCDE JOB(CLRTMP) CMD(STRQSH CMD('find /tmp/* -atime +1 -print  | xargs rm'))
FRQ(*WEEKLY) SCDDATE(*NONE) SCDDAY(*ALL) SCDTIME('17:00:00') RCYACN(*NOSBM) TEXT('Clear /tmp')
</pre></html>

You should adjust the run date and time as appropriate.

This command does not remove directories, so a periodic manual inspection of /tmp is a good idea.

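The cleanup below is an added example, not part of the original page or of Positive Pay, showing the same periodic clearing of /tmp written as a shell function that can be called from the scheduled STRQSH job. The function names and the dry-run option are this example's own. It departs from the one-line ''find /tmp/* ... | xargs rm'' in four deliberate ways: ''find'' is given the directory itself rather than the ''/tmp/*'' glob, so dot-files are covered and the command line cannot overflow when many leftovers accumulate; ''-type f'' limits deletion to regular files, so directories are left alone as the page notes; ''-mtime'' replaces ''-atime'', because the modification time of a leftover data copy is fixed when it is written and does not move if something merely reads the file; and ''-exec rm -f {} +'' handles file names containing blanks, which ''xargs rm'' would split.

```shell
#!/bin/sh
# Added example (not from the original page): safe periodic cleanup of leftover
# temporary files, equivalent in purpose to the scheduled command above.
# Usage: clean_tmp /tmp 1        delete regular files older than 1 day
#        clean_tmp /tmp 1 dry    only list what would be deleted

clean_tmp() {
    dir="$1"; days="$2"; mode="${3:-delete}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    if [ "$mode" = "dry" ]; then
        # dry run: print candidates only
        find "$dir" -type f -mtime +"$days" -print
    else
        # -exec ... {} + batches names safely, whatever characters they contain
        find "$dir" -type f -mtime +"$days" -exec rm -f {} +
    fi
}

# Count the regular files remaining under a directory (for the job log or for
# checking the result after a run).
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}
```

Run ''clean_tmp /tmp 1 dry'' once by hand before scheduling it, so that the list of files it would remove can be checked against the transmission job's expectations.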
----

<html>&#091;</html>[[start#iseries_positive_pay | Up To Main Index]]<html>&#093;</html>