Dovetailed Technologies

2. Installation and Customization

The following sections describe how to install and customize the Co:Z FTP-SSH Proxy.

2.1 Client Installation and Configuration

The Co:Z FTP-SSH Proxy is a Java application which is typically run on the client host. In order to use it, the FTP client must be configured to use:

  • Co:Z FTP-SSH as a SOCKS5 proxy

  • passive mode FTP connections

This section will describe how to configure the z/OS Communications Server FTP client. Users of other operating systems should refer to their FTP client documentation for details.

  1. Download the ftpsshproxy-v.r.m.pax file and upload it in binary mode to a temporary HFS/zFS file on your z/OS system.

  2. Create an installation target directory of your choice and unpack the pax file:

    mkdir /usr/local/ftpsshproxy
    cd /usr/local/ftpsshproxy
    pax -rf /tmp/ftpsshproxy-v.r.m.pax

  3. The directory should contain the following files:

    • ftpsshproxy.jar - executable Java archive

    • jsch-0.1.53.jar - JCraft JSch library

    • log4j-1.2.14.jar - Apache Log4J logging framework

    • ftpsshproxy.sh - shell script to run under a Unix shell

    • ftpsshproxy.jcl - sample JCL to run as z/OS job (task)

    • license/ - license information

  4. Configure the FTP client to use Co:Z FTP-SSH as a SOCKS5 proxy. On z/OS, this can be configured on a system-wide, per user, or per job basis using the z/OS Communications Server FTP configuration files. [4]

    For example, to configure the FTP client for a specific userid to use passive mode and a SOCKS proxy, add the following lines to the dataset userid.FTP.DATA:

    FWFRIENDLY TRUE
    SOCKSCONFIGFILE 'userid.FTP.SOCKS.CONF'
            

    Next, you must create an FTP SOCKS configuration file that enables the SOCKS proxy for selected destination FTP server IP addresses. For example, to use direct connections for selected local subnets and the proxy for everything else, create a dataset userid.FTP.SOCKS.CONF with the following:

    direct 127.0.0.1/32    ; loopback adapter
    direct 10.0.0.0/8      ; private subnet
    direct 192.168.0.0/16  ; private subnet
    sockd5 @=127.0.0.1 0.0.0.0 0.0.0.0  ; Anything else          
            

    This assumes that the Co:Z FTP-SSH Proxy will run on the same machine as the FTP client, and listen on the loopback address (127.0.0.1), port 1080. Note that the z/OS Communications Server FTP client can only use SOCKS proxies on port 1080, so if you have another service already running on 127.0.0.1:1080, you will need to define an alternate loopback adapter, say "127.0.0.2", in your z/OS TCP/IP profile dataset.

    The z/OS FTP client will select the first line in the SOCKS configuration file that matches the destination address. If you wanted to proxy only selected networks and addresses, a sample configuration might be:

    sockd5 @=127.0.0.1 216.34.181.0/24    ; class C subnet
    sockd5 @=127.0.0.1 216.239.120.99/32  ; a single address
    direct 0.0.0.0 0.0.0.0                ; Anything else          
            

    It is also possible to run the Co:Z FTP-SSH Proxy on another machine in the client network, but note that communications between the FTP client and the FTP-SSH Proxy machine are not encrypted.
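
    The first-match rule and the unencrypted client-to-proxy hop described above can both be checked before a SOCKS configuration file is deployed. The following Python sketch is an added example, not part of the Co:Z product or the IBM FTP client; it models only the line shapes shown on this page and assumes the proxy is given as an IP literal. The MISORDERED file and all function names are constructed for illustration.

```python
import ipaddress

# The two sample files from this page, plus a constructed misordered variant.
PROXY_ALL_BUT_LOCAL = """\
direct 127.0.0.1/32    ; loopback adapter
direct 10.0.0.0/8      ; private subnet
direct 192.168.0.0/16  ; private subnet
sockd5 @=127.0.0.1 0.0.0.0 0.0.0.0  ; Anything else
"""
PROXY_SELECTED = """\
sockd5 @=127.0.0.1 216.34.181.0/24    ; class C subnet
sockd5 @=127.0.0.1 216.239.120.99/32  ; a single address
direct 0.0.0.0 0.0.0.0                ; Anything else
"""
# Constructed: catch-all moved to the top, so it shadows every later line.
MISORDERED = "direct 0.0.0.0 0.0.0.0\n" + PROXY_SELECTED

def parse_rules(text):
    """Parse only the line shapes shown on this page (assumed subset)."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()  # ';' starts a comment
        if not fields:
            continue
        action, rest, proxy = fields[0].lower(), fields[1:], None
        if rest and rest[0].startswith("@="):
            proxy, rest = rest[0][2:], rest[1:]
        if len(rest) == 1:      # address/prefix form
            net = ipaddress.ip_network(rest[0], strict=False)
            addr, mask = int(net.network_address), int(net.netmask)
        elif len(rest) == 2:    # address + dotted mask form
            addr, mask = (int(ipaddress.IPv4Address(x)) for x in rest)
        else:
            raise ValueError(f"unrecognized line: {raw!r}")
        rules.append((action, proxy, addr & mask, mask))
    return rules

def route(rules, dest):
    """Return (action, proxy) of the first rule matching dest, else None."""
    d = int(ipaddress.IPv4Address(dest))
    for action, proxy, addr, mask in rules:
        if d & mask == addr:
            return action, proxy
    return None

def unencrypted_proxy_hops(rules):
    """Proxy addresses that are not loopback: that hop is not encrypted."""
    return sorted({p for _, p, _, _ in rules
                   if p and not ipaddress.ip_address(p).is_loopback})
```

    A destination that resolves to `direct` bypasses the SSH tunnel entirely, so running `route` over the list of FTP servers that must be protected shows whether a misplaced catch-all line is silently sending them in the clear.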

2.2 Server Configuration

An SSH2-compatible server, such as OpenSSH, must be installed on the same host as the target FTP server.

  • The SSH server must allow "port forwarding" to the FTP server via the loopback interface ("localhost").

  • The SSH server must be running on the default SSH port - 22. There is currently no way to configure the Co:Z FTP-SSH proxy to connect to alternate SSHD ports.

  • The SSH server must allow logins using the same userid and password that will be used for the FTP server.

Note: The default configuration for OpenSSH supports the above requirements.



[4] See the IBM publication: "z/OS Communications Server: IP Configuration Reference - File Transfer Protocol (FTP)" for details.

Copyright© 2009-2017 Dovetailed Technologies, LLC. All rights reserved.
Co:Z® is a registered trademark of Dovetailed Technologies, LLC.