pub:pospaysftp [2018/05/24 23:06] (current)
<html>&#091;</html>[[start#iseries_positive_pay | Up To Main Index]]<html>&#093;</html>

User profile **HARRY** will be used in this example as the user profile that will do the transmission.

====== Using sFTP With Positive Pay ======

===== Requirements =====

**''5733SC1   Option *BASE:   IBM Portable Utilities for i5/OS  \\
5733SC1   Option 1:       OpenSSH, OpenSSL, zlib  ''**

===== Install and Verify Secure Connectivity =====

==== Generate Your Key ====

== Check User Profile ==
First check that the user profile that will actually do the transmission has a home directory
defined and that it exists.

''DSPUSRPRF HARRY''

On the last page of the display verify that a home directory exists:\\
''Home directory . . . . . . . . . . . . . . :   /home/harry''

Also note the full path and the case of the directory names: the sFTP procedure is case sensitive.

If there is no home directory defined, add one:\\
''CHGUSRPRF HARRY HOMEDIR('/home/harry')''

Then start the shell and verify that the directory exists:\\
''call qp2term''\\
''cd /home/harry''\\
''[[http://en.wikipedia.org/wiki/Pwd | pwd]]''

If the directory that prints is not /home/harry then create it:\\
''mkdir /home/harry''\\
''[[http://en.wikipedia.org/wiki/Chmod | chmod]] 700 /home/harry''

Lastly verify that the $HOME environment variable is set to the home directory:\\
''echo $HOME''

Note that this directory should be the default directory in the transmission job.
You should check that job descriptions do not set it differently.

== Generate Your Certificate ==

Run these commands from the greenscreen command line to create your server's certificate (an SSH key pair):

''call qp2term''\\
''cd /home/harry''\\
''mkdir .ssh''\\
''chmod 700 .ssh''

''[[http://en.wikipedia.org/wiki/Ssh-keygen | ssh-keygen]] -t rsa''\\
Press <enter> for the certificate passphrase, leaving it empty. Positive Pay does not presently support a passphrase for the certificate.

''chmod 600 .ssh/*''

You should now have a directory /home/harry/.ssh that contains two files:\\
id_rsa ( your private key )\\
id_rsa.pub ( your public key )

Use ftp to retrieve the public key **id_rsa.pub** ( not the private key!! ) from the IBM server
and send it to the remote processor.

Note that possession of the private key ( **id_rsa** ) is a security issue:
anyone possessing just your private key ( id_rsa ) can authenticate on the remote server.

==== Install the Remote Server's Key ====

The bank or processor may send you their public key, which will be given as **bank.pub** in this example.

FTP this file to /home/harry/.ssh

Then install the key:\\
''call qp2term''\\
''cd /home/harry/.ssh''\\
''[[http://en.wikipedia.org/wiki/Cat_%28Unix%29 | cat]] bank.pub >> authorized_keys''\\
''chmod 600 authorized_keys''

You should now have the contents of bank.pub appended to the authorized_keys file so that your
[[http://en.wikipedia.org/wiki/Secure_Shell | SSH]] client can find it.

==== Final Check ====

As a last step verify that the transmitting user ( harry ) owns all the certificate files in the .ssh directory and that the permissions are rw for only the file owner:

''ls -l /home/harry/.ssh''
<html><pre>
-rw-------   1 harry  0               227 Jan 14 13:29 authorized_keys
-rw-------   1 harry  0               887 Nov 17 12:52 id_rsa
-rw-------   1 harry  0               241 Nov 17 12:52 id_rsa.pub
</pre></html>
The permissions are the first column.\\
The file owner is the third column.

If you need to set the file ownership use: ''chown harry id_rsa id_rsa.pub authorized_keys''\\
If you need to set the permissions use: ''chmod 600 id_rsa id_rsa.pub authorized_keys''
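The checks from "Generate Your Key" and this "Final Check" section, written as a shell function you can run in qp2term after creating the key pair. This is an added example and is not part of the original page or of the Positive Pay product. It assumes only a POSIX shell with ''ls'', and it reads the permission column (first) and owner column (third) of ''ls -l'' exactly as described above. The directory and user names on the command line are whatever you used (the ''/home/harry'' and ''harry'' in the usage line are this page's example values).

```shell
#!/bin/sh
# Added example: audit the .ssh directory created in "Generate Your Key".
# Verifies that the directory is mode 700, that id_rsa, id_rsa.pub and
# authorized_keys exist with mode 600 (-rw-------), and that every one of
# them is owned by the transmitting user. Uses only POSIX ls.

# strip_mode_suffix PERMS -> PERMS without a trailing '.' or '+'
# (some ls versions append one when an ACL or security label is present;
# it is not part of the mode the page asks you to check).
strip_mode_suffix() {
    p=$1
    p=${p%.}
    p=${p%+}
    echo "$p"
}

# check_ssh_dir DIR OWNER -> exit status 0 when everything is correct;
# otherwise prints each problem with the command that fixes it and returns 1.
check_ssh_dir() {
    dir=$1
    owner=$2
    rc=0

    # The directory itself: first column of ls -ld must be drwx------.
    set -- $(ls -ld "$dir")
    dperm=$(strip_mode_suffix "$1")
    if [ "$dperm" != "drwx------" ]; then
        echo "BAD: $dir has mode $dperm, expected drwx------ (chmod 700 $dir)"
        rc=1
    fi
    if [ "$3" != "$owner" ]; then
        echo "BAD: $dir is owned by $3, expected $owner (chown $owner $dir)"
        rc=1
    fi

    # Each file: permissions are column 1, owner is column 3, as in the listing above.
    for f in id_rsa id_rsa.pub authorized_keys; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "MISSING: $path"
            rc=1
            continue
        fi
        set -- $(ls -l "$path")
        perm=$(strip_mode_suffix "$1")
        fowner=$3
        if [ "$perm" != "-rw-------" ]; then
            echo "BAD: $path has mode $perm, expected -rw------- (chmod 600 $path)"
            rc=1
        fi
        if [ "$fowner" != "$owner" ]; then
            echo "BAD: $path is owned by $fowner, expected $owner (chown $owner $path)"
            rc=1
        fi
    done
    return $rc
}

# Usage (this page's example values): sh check_ssh.sh /home/harry/.ssh harry
if [ "$#" -eq 2 ]; then
    check_ssh_dir "$1" "$2"
fi
```

A silent run with exit status 0 means the listing matches the one shown above; any other output names the file and the ''chmod'' or ''chown'' that corrects it.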

==== Test the Key Handshake ====

Presuming that the bank's login url is **sshFtp.bigBank.com** and that your login id is **customer**:

Create a text file to upload as a test:\\
''call qp2term''\\
''cd /home/harry''\\
''echo 'hi there' > test.txt''\\
''[[http://en.wikipedia.org/wiki/SSH_file_transfer_protocol | sftp]] -v customer@sshFtp.bigBank.com''

You should then get an sFTP command prompt:\\
''sftp>''

Then upload the file:\\
''put test.txt''

Then end the session if the remote system does not automatically disconnect:\\
''quit''

**Notes**:\\
1. It is sometimes easier to test the connectivity using the SSH client, however the bank may not support an **interactive** ssh connection.\\
\\
2. The sFTP / SSH **default port** is 22 and no provision for port 22 need be made in the above test. If a non-standard port is used by the bank\\
( for example port 10022 ) the test connection command is: **sftp -v -oPort=10022 customer@sshFtp.bigBank.com**.\\
\\
3. At the start of the first manual connection test the local client may prompt the user to add the remote server to the\\
**known_hosts file**. You should allow it to do so by responding with 'yes' to this prompt:\\

<html><div style="margin-left: 25px;"></html>
The authenticity of host <bankHost> can't be established.\\
RSA key fingerprint is ...\\
Are you sure you want to continue connecting (yes/no)?
<html></div></html>
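The prompt in note 3 is the OpenSSH client asking you to trust the bank's host key on first contact; what it records goes into ''known_hosts'', which the client consults on every later connection (the ''authorized_keys'' file from "Install the Remote Server's Key" is the file the SSH server reads for logins coming in to your own system). When the bank publishes its host key or its fingerprint, you can record the key before the first connection and have the client refuse, rather than prompt, if the key it sees is unknown or has changed. The following shell functions are an added example, not part of the original page or of the Positive Pay product. They assume the OpenSSH ''sftp'' client and its ''known_hosts'' format, in which an entry for a non-standard port is written as ''[host]:port''; the host, port, user name and ''bank_host.pub'' file name are this page's example values and a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original page: record (pin) the bank's SSH host
# key in known_hosts ahead of the first connection, and connect in a way that
# aborts instead of prompting when the host key is unknown or has changed.
# Assumes the OpenSSH sftp client and known_hosts file format.

# known_hosts_entry HOST PORT PUBKEYFILE
#   Prints the known_hosts line for HOST built from a one-line OpenSSH public
#   key file ("keytype base64 [comment]") supplied by the bank.
#   Returns 1 if the file does not look like a single public key.
known_hosts_entry() {
    host=$1
    port=$2
    keyfile=$3

    # Exactly one line (grep -c '' also counts a last line without a newline).
    if [ "$(grep -c '' "$keyfile")" -ne 1 ]; then
        echo "ERROR: $keyfile must contain exactly one public key line" >&2
        return 1
    fi
    # A private key was sent by mistake: never install it anywhere.
    if grep -q 'PRIVATE KEY' "$keyfile"; then
        echo "ERROR: $keyfile looks like a private key, not a public key" >&2
        return 1
    fi
    read -r keytype keydata _comment < "$keyfile" || true
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "ERROR: unexpected key type '$keytype' in $keyfile" >&2; return 1 ;;
    esac

    # OpenSSH writes non-default ports as "[host]:port" in known_hosts.
    if [ "$port" -eq 22 ]; then
        echo "$host $keytype $keydata"
    else
        echo "[$host]:$port $keytype $keydata"
    fi
}

# sftp_pinned_command USER HOST PORT KNOWN_HOSTS_FILE
#   Prints the sftp invocation that trusts only the pinned key: with
#   StrictHostKeyChecking=yes an unknown or changed host key ends the
#   connection instead of showing the yes/no prompt.
sftp_pinned_command() {
    echo "sftp -oPort=$3 -oStrictHostKeyChecking=yes -oUserKnownHostsFile=$4 $1@$2"
}

# Usage with this page's example values (bank_host.pub is a placeholder name
# for the host key file the bank provides):
#   known_hosts_entry sshFtp.bigBank.com 10022 bank_host.pub >> /home/harry/.ssh/known_hosts
#   $(sftp_pinned_command customer sshFtp.bigBank.com 10022 /home/harry/.ssh/known_hosts)
```

If the bank only gives you a fingerprint rather than the key, compare it against the ''RSA key fingerprint is ...'' line of the prompt before answering 'yes'; the entry the client then writes to ''known_hosts'' serves the same purpose as the one built here.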

===== Configure Positive Pay for sFTP =====

In the Positive Pay application definition **F8** invokes the FTP configuration screen.

<html><pre>
                           Configure FTP

       <span style="color: blue;">Use FTP  . .: H</span>   Y=Yes N=No S=FTPS H=sFTP

       <span style="color: blue;">Domain. . . : sshFtp.bigBank.com</span>
       <span style="color: blue;">User Name . : customer</span>
       Password. . :
       Confirm . . :

       <span style="color: blue;">
       Target Path :
       Target File : upload.txt</span>
       Remote File :
       Retrv File  :            /            Lib/File

       Port:         *SECURE     *SECURE *DFT 1-65535
       Encryption .: *SSL        *SSL *NONE
       FTP Mode . .: *PASSIVE    *ACTIVE *PASSIVE

  F1=Help   F12=Previous  F23=Delete
</pre></html>

For sFTP you will need to specify the following items:

  * **Use FTP**: this should be **H**
  * **Domain**: the target URL, supplied by the bank
  * **User Name**: supplied by the bank
  * **Target Path**: most likely blank
  * **Target File**: supplied by the bank. If they do not supply a name then specify something, for example upload.txt

Note that you should not supply a password since authentication is done via certificate.

===== Receiving a File Using sFTP =====

<html><pre>
                           Configure FTP

       Use FTP  . .: H   Y=Yes N=No S=FTPS H=sFTP

       Domain. . . : sshFtp.bigBank.com
       User Name . : customer
       Password. . :
       Confirm . . :

       Target Path :
       Target File : upload.txt
       <span style="color: blue;">Remote File : acct100.txt
       Retrv File  : FMG        / ACCT100     Lib/File   </span>

       Port:         *SECURE     *SECURE *DFT 1-65535
       Encryption .: *SSL        *SSL *NONE
       FTP Mode . .: *PASSIVE    *ACTIVE *PASSIVE

  F1=Help   F12=Previous  F23=Delete
</pre></html>

Once uploading works you can configure downloading.

Specify the remote file name and the target DB2 library / file as marked in blue above.\\
The remote file is the path of the object on the bank's system to be retrieved.\\
The DB2 file is the library and file name of the physical file on your system that receives the data.\\
The DB2 file must already exist and must have an adequate record length.

To download the file, prompt the command RCVSFTP and enter the name of the Positive Pay application.\\
The target file's first member will be overwritten with the downloaded data.

===== Known Issues =====

If PPR3032, the sFTP transmission program, abends during transmission, temporary files can be left in the /tmp directory. Depending on the point of abend these files can include a copy of the transmitted data. If the program completes successfully it removes these files. The data copy in /tmp is protected with read and write permission restricted to the user profile running the transmission.

In general you should clear your temporary directory periodically.\\
You can use this command to set up a scheduled job that clears the directory of all files older than one day:

<html><pre>
ADDJOBSCDE JOB(CLRTMP) CMD(STRQSH CMD('find /tmp/* -atime +1 -print | xargs rm'))
FRQ(*WEEKLY) SCDDATE(*NONE) SCDDAY(*ALL) SCDTIME('17:00:00') RCYACN(*NOSBM) TEXT('Clear /tmp')
</pre></html>

You should adjust the run date and time as appropriate.

This command does not remove directories, so a periodic manual inspection of /tmp is a good idea.

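The scheduled command above is the one the page documents. As an added example (not part of the original page or of the Positive Pay product), the same clean-up as a shell function that only deletes regular files, passes file names as proper arguments so names containing spaces are handled, and offers a dry run so you can review what an abended transmission left behind before removing it. It assumes a POSIX ''find'' such as the one in the qp2term shell; the directory and age are parameters, and the ''/tmp'' and one-day values in the usage line are this page's.

```shell
#!/bin/sh
# Added example, not from the original page: remove stale temporary files
# (such as the copies PPR3032 can leave in /tmp after an abend) while
# leaving directories alone and handling file names that contain spaces.
# Assumes a POSIX find; -mtime +N selects files last modified more than
# N days ago.

# list_stale DIR DAYS -> dry run: prints the regular files clean_tmp would delete.
list_stale() {
    find "$1" -type f -mtime "+$2" -print
}

# clean_tmp DIR DAYS -> deletes regular files under DIR not modified in the
# last DAYS days and prints how many regular files remain.
# Returns 1 (and deletes nothing) if DIR is not a directory.
clean_tmp() {
    dir=$1
    days=$2
    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory" >&2
        return 1
    fi
    # -exec ... {} + batches the names like xargs does, but passes them as
    # separate arguments, so a name such as "old file.dat" is removed correctly.
    find "$dir" -type f -mtime "+$days" -exec rm -f {} +
    find "$dir" -type f | wc -l | tr -d ' '
}

# Usage with this page's values (review first, then delete):
#   list_stale /tmp 1
#   clean_tmp /tmp 1
```

Run ''list_stale'' by hand after a failed transmission to see whether a copy of the transmitted data is still on disk; the scheduled job, or ''clean_tmp'', then removes it on the age threshold you choose.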
----

<html>&#091;</html>[[start#iseries_positive_pay | Up To Main Index]]<html>&#093;</html>