pub:pospaysftp
pub:pospaysftp [2022/06/25 17:02] (current) – created - external edit 127.0.0.1
====== Using sFTP With Positive Pay ======

User profile **HARRY** will be used in this example as the user profile that will do the transmission.

===== Requirements =====

**''5733SC1''** (IBM Portable Utilities for i). This licensed program supplies the OpenSSH client tools used below (''ssh'', ''sftp'' and ''ssh-keygen'') together with OpenSSL and zlib.

===== Install and Verify Secure Connectivity =====

==== Generate Your Key ====

== Check User Profile ==
First check that the user profile that will actually do the transmission has a home directory
defined and that it exists.

''

On the last page of the display verify that a home directory exists:
''

Also note the full path and the case of the directory names: the sFTP procedure is case sensitive.

If there is no home directory defined, add one:\\
''

Then start the shell and verify that the directory exists:\\
''
''
''

If the directory that prints is not /home/harry then create it:\\
''
''

Lastly verify that the $HOME environment variable is set to the home directory:
''

This directory should be the current directory of the transmission job, and you should check that the job description used by that job does not set it differently. The SSH client locates its keys and ''known_hosts'' file in ''~/.ssh'' under the home directory of the profile the job runs under, so a wrong home directory shows up as the bank rejecting a key you believe is installed.
== Generate Your Key Pair ==

What ''ssh-keygen'' produces is an SSH key pair, not an X.509 certificate; the bank's documentation may still call it a certificate.

Run these commands from the greenscreen command line to create your server'

''
''
''
''

''
Press <

''

You should now have a directory /
id_rsa ( your private key )
id_rsa.pub ( your public key )

An unattended transmission job cannot answer a passphrase prompt, which is why the key is generated without one and why the file ownership and permissions checked below matter.

Use ftp to retrieve the public key **id_rsa.pub** ( not the private key!! ) from the IBM server\\
and send it to the remote processor. The public key is not secret, so moving it with plain FTP is acceptable; what matters is that the bank installs the key that actually came from you against your login id.

Possession of the private key ( **id_rsa** ) is the whole credential: anyone holding just that file can authenticate to the bank as you, with no password involved.

It must therefore never be copied off the server, e-mailed or left readable by other profiles. If it is ever disclosed, generate a new pair and have the bank replace the public key.

==== Install the Remote Server' ====

The bank or processor may send you their public key, which will be given as **bank.pub** in this example.

FTP this file to /

Then install the key:\\
''
''
''
''

You should now have the contents of bank.pub appended to the authorized_keys file so that your
[[http://

Check what the bank actually sent before installing it. ''authorized_keys'' controls which keys may log in to **your** SSH server as HARRY, so the bank's **user** public key belongs there only when the bank connects inbound to your system to deliver or collect files. If what the bank sent is its **host** key (the key your ''sftp'' client is asked to trust on the first connection), it belongs in ''~/.ssh/known_hosts'' instead; placing it in ''authorized_keys'' would authorize that key to log in as HARRY, which is not what is intended.

==== Final Check ====

As a last step verify that the transmitting user ( harry ) owns all the key files in the .ssh directory and that the permissions are rw for only the file owner:\\

''
<code>
-rw-------
-rw-------
-rw-------
</code>
The permissions are the first column.\\
The file owner is the third column.

If you need to set the file ownership use: ''
If you need to set the permissions use: ''

These settings are not cosmetic. The OpenSSH client refuses to use a private key that other users can read, and ''sshd'' ignores an ''authorized_keys'' file whose file, ''.ssh'' directory or home directory is writable by group or others. Loose permissions therefore usually surface as an unexpected password prompt or a plain authentication failure rather than a clear error message.

==== Test the Key Handshake ====

Presuming that the bank's login url is **sshFtp.bigBank.com** and that your login id is **customer**:

Create a text file to upload as a test:\\
''
''
''
''

You should then get an sFTP command prompt:\\
''

Then upload the file:\\
''

Then end the session if the remote system does not automatically disconnect:
''

**Notes**:
1. It is sometimes easier to test the connectivity using the SSH client, however the bank may not support an **interactive** ssh connection.\\
\\
2. The sFTP / SSH **default port** is 22 and no provision for port 22 need be made in the above test. If a non-standard port is used by the bank\\
( for example port 10022 ) the test connection command is: **sftp -v -oPort=10022 customer@sshFtp.bigBank.com**.\\
\\
3. At the start of the first manual connection test the local client may prompt the user to add the remote server to the \\
**known_hosts file**. You should allow it to do so by responding with '

<code>
The authenticity of host <
RSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)?
</code>

Answering yes records the bank's host key in ''~/.ssh/known_hosts'', and every later connection is checked against that entry, so this prompt is the one moment at which the wrong server could be accepted. Before answering, compare the fingerprint shown with the one the bank publishes or gave you through another channel; if they differ, answer no and contact the bank. The prompt appears once per host and port. If a later connection instead warns that the remote host identification has changed, do not delete the ''known_hosts'' entry to silence the warning until the bank has confirmed that it replaced its server key.

===== Configure Positive Pay for sFTP =====

In the Positive Pay application definition **F8** invokes the FTP configuration screen.

<code>
Retrv File : / Lib/
FTP Mode . .: *PASSIVE
F1=Help
(the remaining fields of this screen are not reproduced here)
</code>

For sFTP you will need to specify the following items:

  * **Use FTP**: this should be **H**
  * **Domain**: the host name you connected to in the test above
  * **User Name**: supplied by the bank
  * **Target Path**: most likely blank
  * **Target File**: supplied by the bank. If they do not supply a name then specify something, for example upload.txt

Do not supply a password: authentication is done with the SSH key pair generated above, and a stored password would be a second credential to protect for no benefit.

===== Receiving a File Using sFTP =====

<code>
Use FTP . .: H Y=Yes N=No S=FTPS H=sFTP
User Name . : customer
Retrv File : FMG / ACCT100
FTP Mode . .: *PASSIVE
F1=Help
(the remaining fields of this screen are not reproduced here)
</code>

Once uploading works you can configure downloading.

Specify the remote file name and the target db2 library / file in the Retrv File fields shown above.\\
The remote file is the path of the object on the bank's system to be retrieved. \\
The db2 file is the library and file name of the physical file on your system to receive the data.\\
The db2 file must already exist and must have a record length adequate for the records the bank sends.

To download the file, prompt the command RCVSFTP and enter the name of the Positive Pay application.\\
The target file's first member is overwritten with the downloaded data, so do not point it at a file whose existing contents you still need.

===== Known Issues =====

If PPR3032, the sFTP transmission program, abends during transmission, temporary files can be left in the /tmp directory. Depending on the point of abend these files can include a copy of the transmitted data. If the program completes successfully it removes these files. The data copy in /tmp is protected with read and write permission restricted to the user profile running the transmission, so it is exposed only to that profile and to profiles with *ALLOBJ special authority, but it persists until something deletes it.

In general you should clear your temporary directory periodically. \\
You can use this command to set up a scheduled job to clear the directory of all files older than one day:

<code>
ADDJOBSCDE JOB(CLRTMP) CMD(STRQSH CMD('
FRQ(*WEEKLY) SCDDATE(*NONE) SCDDAY(*ALL) SCDTIME('
</code>

You should adjust the run date and time as appropriate. The job runs under the profile named by the schedule entry's USER parameter (the submitting profile by default), and that profile must be able to delete the files PPR3032 left behind, which are readable and writable by the transmitting profile only.

This command does not remove directories, and a periodic manual inspection of /tmp is a good idea.
----