Tectia® Server 6.4 for IBM z/OS

User Manual

SSH Communications Security Corporation

This software and documentation are protected by international copyright laws and treaties. All rights reserved.

ssh® and Tectia® are registered trademarks of SSH Communications Security Corporation in the United States and in certain other jurisdictions.

SSH and Tectia logos and names of products and services are trademarks of SSH Communications Security Corporation. Logos and names of products may be registered in certain jurisdictions.

All other names and marks are property of their respective owners.

No part of this publication may be reproduced, published, stored in an electronic database, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, for any purpose, without the prior written permission of SSH Communications Security Corporation.


For Open Source Software acknowledgements, see appendix Open Source Software License Acknowledgements in the Administrator Manual.

20 March 2015

Table of Contents

1. About This Document
Documentation Conventions
Operating System Names
Customer Support
2. Getting Started
Product Components
Environment Variables for Client Applications
Running Client Programs
Under USS
Under MVS
Running the Connection Broker
Starting ssh-broker-g3 Manually under USS
Stopping ssh-broker-g3
Reconfiguring ssh-broker-g3
Connecting to a Remote Host
Authenticating Remote Server Hosts
Using Password Authentication
Using Public-Key Authentication
Logging in with Command-Line sshg3
3. Configuring Client Tools
Client Configuration Files
Editing the Configuration Files
Environment Variables
Command-Line Options
4. Authentication
Supported User Authentication Methods
Server Authentication with Public Keys in File
Host Key Storage Formats
Using the System-Wide Host Key Storage
Resolving Hashed Host Keys
Using the OpenSSH known_hosts File
Server Authentication with Certificates
CA Certificates Stored in File
CA Certificates Stored in SAF
Server Certificates Stored in SAF
User Authentication with Passwords
Password Stored in a File or Data Set
User Authentication with Public Keys in a File
Creating Keys with ssh-keygen-g3 on z/OS
Uploading Public Keys from z/OS to Remote Host
Using Keys Generated with OpenSSH
Special Considerations with Windows Servers
User Authentication with Certificates
Certificates Stored in File
Certificates Stored in SAF
Host-Based User Authentication
User Authentication with Keyboard-Interactive
Distributing Public Keys Using the Key Distribution Tool
Fetching Remote Server Keys
Distributing Mainframe User Keys
5. System Administration
Defining Shell Access
Setting Codepage for Remote Account
Running Remote Commands
Remote Command Examples from USS
Remote Command Examples using JCL
Managing JCL Jobs over SFTP
Tectia sftpg3
Tectia scpg3
OpenSSH sftp
Securing the Client
Disabling Agent Forwarding
6. Secure File Transfer Using SFTP
Native z/OS FTP commands versus Tectia SFTP commands
Secure File Transfer with scpg3 and sftpg3 Commands
Using scpg3
Using sftpg3
Enhanced File Transfer Functions
Handling MVS Data Sets and HFS File System Access
Data Set and HFS File System Access
Data Set Access Using DD Cards
Accessing Generation Data Groups (GDG)
Accessing Migrated Data Sets
SFTP and Tape Data Sets
Controlling File Transfer
File Transfer Advice String / Site Command
File Transfer Environment Variables for the Clients
Restoring Archived Data Sets
Listing Data Sets with Tectia client tools for z/OS
Data Set Lists
Data Set Hierarchy
Secure File Transfer Examples Using the z/OS Client
Interactive File Transfers
Unattended File Transfers
7. Secure Shell Tunneling
Local Tunnels
Non-Transparent TCP Tunneling
Non-Transparent FTP Tunneling
SOCKS Tunneling
Remote Tunnels
Agent Forwarding
8. Troubleshooting Tectia
Starting Connection Broker in Debug Mode
Debugging File Transfer
Solving Problem Situations
9. Using Off-Platform Clients to Access z/OS Hosts Running Tectia Server for IBM z/OS
Using Public-Key Authentication from Other Hosts to z/OS
From Tectia Client on Windows to Tectia Server on z/OS
From Tectia Client on Unix to Tectia Server on z/OS
From OpenSSH Client on Unix to Tectia Server on z/OS
Setting up Terminal Data Conversion
Handling MVS Data Sets and HFS File System Access
Data Set and HFS File System Access
Accessing Generation Data Groups (GDG)
Alternate Methods for Controlling File Transfer
File Transfer Advice String (FTADV)
File Transfer Profiles
File Transfer Environment Variables for the Server
Listing Data Sets with Other SFTP Clients
Data Set Lists
Data Set Hierarchy
Secure File Transfer Examples Using Windows and Unix Clients
File Transfers Using Windows GUI
File Transfers Using Command-Line Applications
File Transfers Using FTP-SFTP Conversion
A. Connection Broker and SOCKS Proxy Configuration Files
Configuration File
Configuration File Quick Reference
Broker Configuration File Syntax
B. Command-Line Tools and Man Pages
ssh-broker-g3 - Tectia Connection Broker - Generation 3
ssh-broker-ctl - Tectia Connection Broker control utility
ssh-troubleshoot - tool for collecting system information
sshg3 - Secure Shell terminal client - Generation 3
scpg3 - Secure Shell file copy client - Generation 3
sftpg3 - Secure Shell file transfer client - Generation 3
ssh-translation-table - Secure Shell Translation Table
ssh-sft-stage - stage and destage MVS data sets and HFS files
ssh-keygen-g3 - authentication key pair generator
ssh-keydist-g3 - Key distribution tool
ssh-keyfetch - Host key tool for the Secure Shell client
ssh-cmpclient-g3 - CMP enrollment client
ssh-scepclient-g3 - SCEP enrollment client
ssh-certview-g3 - certificate viewer
ssh-ekview-g3 - external key viewer
C. Egrep Syntax
Egrep Patterns
Escaped Tokens for Regex Syntax Egrep
Character Sets For Egrep
D. Audit Messages