Request demo

Tectia SSH Server for IBM z/OS Product Updates

Release notes for Tectia Server for IBM z/OS

NOTE:

License policy

Tectia SSH Server for IBM z/OS and the SSH client tools require valid licenses that are provided separately. Please contact your sales representative if you have not received your licenses.

Upgrade information

It's no longer necessary to remove the license_ssh2.dat file or symlink before upgrading.

Upgrading from Tectia SSH Server for IBM z/OS 6.6.10 or earlier

Customers upgrading from v6.6.10 or earlier releases should consider to grant read access to the installer user for profile BPX.FILEATTR.APF in class FACILITY as listed in job X01IUSR.

PERMIT BPX.FILEATTR.APF CLASS(FACILITY) ID(username) ACCESS(READ)

This access grants the authorization right for installing Tectia SSH Server program sshd2 to use the mainframe zIIP processor.

Upgrading from Tectia SSH Server for IBM z/OS 6.6.5 or earlier

Customers upgrading from v6.6.5 or earlier releases should change all sftp script using ftadv string F=record,J=MVS-FTP to
F=record,J=MVS in order to maintain record with four byte length prefix.

Upgrading from Tectia SSH Server for IBM z/OS 6.6 or earlier

To eliminate z/OS USS special file /dev/random dependency, Tectia SSH Server and Client programs used ICSF callable service to generate random number.  If ICSF callable service is controlled by SAF, please ensure READ access is granted to users (including sshd2) that will use Tectia SSH Server and Client programs for profile CSFRNG in class CSFSERV.

Upgrading from Tectia SSH Server for IBM z/OS 6.4 or earlier

To make the file transfer advice string and site command parameters consistent, many of them were modified in 6.4.x releases. Please check the currently available parameter names and their abbreviations from Tectia SSH Server for IBM z/OS User Manual.

Upgrading from Tectia SSH Server for IBM z/OS 6.4.8 or 6.4.9

The behavior of the modify command restart (introduced in Tectia SSH Server for IBM z/OS 6.4.8) changed in version 6.4.10. The restart command now restarts the server without killing the existing connections. To restart the server and kill existing connections, use "restart force".


********************************************************************

Before installing the software, please read the license agreement located in the extracted installation package. Should you have any questions, please contact sales@ssh.com or your sales representative.

********************************************************************

All Tectia SSH Server for IBM z/OS user documentation is included in the online package. Please refer to Tectia SSH Server for IBM z/OS Administrator Manual for instructions on installing and removing the software.

 

1. About This Release

Items addressed in this release are listed under sections "New Features in 6.7.2" and "Bug Fixes in 6.7.2".

 

2. Tectia SSH Server 6.7.2 IBM for z/OS

Tectia SSH Server 6.7.2 for IBM z/OS is an SSH client/server solution designed for securing IBM z/OS mainframe connectivity. It provides secure terminal and secure file transfer functionalities between IBM z/OS systems, and between IBM z/OS and distributed hosts.

The server provides support for direct secure file transfers to and from MVS file system with configurable codeset translation. Client applications can be run interactively or from JCL.

File transfer profiles and mainframe-specific file transfer commands, such as the SITE command and advice strings, can be used to enhance file transfer capabilities and usability significantly.

The client module of Tectia SSH Server 6.7.2 for IBM z/OS also provides Transparent FTP Tunneling and FTP-SFTP Conversion features that allow users to secure their FTP file transfers without any modifications to existing FTP jobs.

In conjunction with other Tectia products for distributed platforms, Tectia SSH Server 6.7.2 for IBM z/OS enables complete transparency to the user as well as secure application connectivity, including TN3270, without any user intervention.

More information on the key features in Tectia SSH Server 6.7.2 for IBM z/OS can be found in the Product Description.

2.1 Pre-upgrade actions

Customers upgrading from v6.6.5 or earlier releases should change all sftp script using ftadv string F=record,J=MVS-FTP to F=record,J=MVS in order to maintain record with four byte length prefix.

2.2 Post-upgrade actions

Customers upgrading from v6.6.5 or earlier releases should change all sftp script using ftadv string D=UCS-2,I=DOS/UNIX,J=MVS-FTP to C=UCS-2,I=DOS/UNIX,J=MVS-FTP. Refer to Bug Fix (FB #61700) for more  detail.

Ensure z/OS ICSF product is installed in the running z/OS system.  Program module CSFDLL3X must be resolved via LNKLST in z/OS system SIEALNKE PDSE.

 

3. New Features

The following new features have been implemented in Tectia SSH Server for IBM z/OS:

New Features in 6.7.2

The product has been built and tested on z/OS v3.1 and v2.5, which are now the officially supported platforms. The code targets architecture level 8 (z10, zBC/zEC12, z13, z14, z15 and above).

(ZOS-367) Added support for client side usage of ED25519 keys, this includes public key authentication with client programs and ssh-keygen-g3 key generation.

(ZOS-483) Removed support for hostbased user authentication.

(ZOS-484) Added support for server side usage of ED25519 keys. Allows server to use ED25519 host keys and the usage of ssh-ed25519 signature algorithm for public key authentication.

(ZOS-507) Added EWOULDBLOCK statistics generated from sshd2 server program TCPIP accept() to netstat socket appldata field.

(ZOS-446) Added facility to resume a failed file-transfer of a z/OS dataset or file.

 

4. Bug Fixes

The following fixes have been implemented in Tectia SSH Server for IBM z/OS:

 

Bug Fixes in 6.7.2

(ZOS-458)
Fixed sftpg3 server/client program abend when reading PS dataset with LRECL=0 and RECFM=(F/V)B.  An error message is displayed when reading PS dataset with LRECL=0 and RECFM=(F/V)B.

(ZOS-490)
Disable overriding the PARM field in started task JCL for Tectia for z/OS programs.

(ZOS-497)
Fixed sshd2 program abend 0C4 when TCPIP stack ends.

(ZOS-502)
Fixed the socks proxy server abend 0C4 caused by v6.7.1 license validation.

(ZOS-503)
Fixed sshd2 server program failed to respond to console command when TCP port 22 is included in TCP port scanning.

(ZOS-511)
Fixed sshd2 program abend 0C4 when IdleTimeOut and RekeyIntervalSeconds are configured with same values.

 

5. Known Issues

The following issues are currently known to exist in Tectia SSH Server for IBM z/OS:

  • Certd client certificate validation not working properly. As a workaround use SAF validation.
  • ssh-keydist-g3 does not work with servers that have only CTR mode ciphers such as aes128-ctr, aes192-ctr, and aes256-ctr enabled.
  • The socks proxy function to reload the configuration file has been temporarily disabled due to problems it was creating; restart the socks proxy instead.
  • Remote translation tables only work when the ftadv/site command X=BIN is used. Local translation tables work as intended.
  • All Platforms: FTP-SFTP Conversion does not support IPv6.
  • All Platforms: The usage of IPv6 addresses in certificates is not yet supported.
  • z/OS: SFTP fails when attempting to transfer an empty MVS dataset. However, FTP opens the file and proclaims that the transfer is completed without generating an error.
  • The current server cannot read the authorization file that is used in public key authentication if the file is tagged to a TEXT file.

    If the authorization file is created e.g. on a Windows host and then transferred to z/OS, it will be automatically tagged as TEXT, and the public key setup fails. In this case the file must be manually untagged.

    If the authorization file is created on a z/OS server, the file is by default untagged and can be used without modifications.

  • The write operation to a PDS member locks the PDS and no other connections to that PDS are possible during the transfer.
  • IBM-EUCJC code set conversion is not possible on z/OS 1.8 and earlier. Tectia uses iconv() for character set conversions. In z/OS 1.8 and earlier releases, iconv does not have a translation between IBM-EUCJC and UTF-8 or UCS-2.

    z/OS 1.9 supports the new Unicode services providing translations between IBM-EUCJC and all other codesets that support the same character set.

    Workaround for conversion from IBM-EUCJC and UTF-8 or UCS-2 on z/OS 1.8 and earlier is to manually generate new translation tables for iconv.

  • Sftpg3 client fails to suspend (Ctrl-Z) gracefully when run from /bin/sh. Use tcsh or bash instead of /bin/sh or avoid suspending the client.
  • Sftpg3 does not accept HFS batch files if addressed by using the DD card. HFS batch files can be used by entering the path of the batch file directly to the sftpg3 command. Alternatively, MVS datasets can be used, either by entering the dataset name directly to the sftpg3 command or by addressing it by using the DD card.
  • Multiple files cannot be transferred in parallel into a PDS. If sftp client transfers files in parallel into a PDS, only the first file is copied successfully. The rest fail because PDS is in use by the first file copy.

    This happens with third-party and older SSH Tectia (4.x, 5.1) clients.

    In Tectia 5.2, file transfer clients can detect the type of the dataset and transfer the members correctly.

    When using third-party and older Tectia Clients, the workaround is to use PDSE datasets.

  • When browsing MVS data sets in Tectia Client SFTP Windows GUI, data set sizes are shown as 0 (for VSAM files the High Used RBA is shown; it is a good estimate of the number of data bytes).
  • If password on command line is used, process listing shows the password as a part of the running process. Use either public key authentication or use password on file.
  • On some occasions, Tectia Client 4.x and OpenSSH clients do not report errors if a file transfer to Tectia Server for IBM z/OS fails. The client informs that the transfer was OK, but in reality the transfer might have failed.

    This error happens when the actual file transfer is completed successfully, but writing the data to the dataset of HFS file fails for some reason.

    For example, the file transfer might fail if the pre-allocated dataset size is not big enough. When the client closes the file, the server de-stages the data to the dataset. This fails, but Tectia Client 4.x and OpenSSH clients ignore the return value of the close operation.

    Tectia Client 5.x can report the error correctly.

 

6. Further Information

More information can be found on the man pages and in the Tectia SSH manuals that are also available at: http://www.ssh.com/services/online-resources/

Additional licenses can be purchased from our online store at: https://www.ssh.com/manuals/

NOTE:

License policy

Tectia SSH Server for IBM z/OS and the SSH client tools require valid licenses that are provided separately. Please contact your sales representative if you have not received your licenses.

Upgrade information

It's no longer necessary to remove the license_ssh2.dat file or symlink before upgrading.

Upgrading from Tectia SSH Server for IBM z/OS 6.6.10 or earlier

Customer upgarding from v6.6.10 or earlier releases should consider to grant read access to the installer user for profile BPX.FILEATTR.APF in class FACILITY as listed in job X01IUSR.

PERMIT BPX.FILEATTR.APF CLASS(FACILITY) ID(username) ACCESS(READ)

This access grants the authroisation right for installing Tectia SSH Server program sshd2 to use the mainframe zIIP processor.

Upgrading from Tectia SSH Server for IBM z/OS 6.6.5 or earlier

Customer upgarding from v6.6.5 or earlier releases should change all sftp script using ftadv string F=record,J=MVS-FTP to F=record,J=MVS in order to maintain record with four byte length prefix.

Upgrading from Tectia SSH Server for IBM z/OS 6.6 or earlier

To eliminate z/OS USS special file /dev/random dependency, Tectia SSH Server and Client programs used ICSF callable service to generate random number. If ICSF callable service is controlled by SAF, please ensure READ access is granted to users (including sshd2) that will use Tectia SSH Server and Client programs for profile CSFRNG in class CSFSERV.

Upgrading from Tectia SSH Server for IBM z/OS 6.4 or earlier

To make the file transfer advice string and site command parameters consistent, many of them were modified in 6.4.x releases. Please check the currently available parameter names and their abbreviations from Tectia SSH Server for IBM z/OS User Manual.

Upgrading from Tectia SSH Server for IBM z/OS 6.4.8 or 6.4.9

The behavior of the modify command restart (introduced in Tectia SSH Server for IBM z/OS 6.4.8) changed in version 6.4.10. The restart command now restarts the server without killing the existing connections. To restart the server and kill existing connections, use "restart force".


********************************************************************

Before installing the software, please read the license agreement located in the extracted installation package. Should you have any questions, please contact sales@ssh.com or your sales representative.

********************************************************************

All Tectia SSH Server for IBM z/OS user documentation is included in the online package. Please refer to Tectia SSH Server for IBM z/OS Administrator Manual for instructions on installing and removing the software.

 

 

1. About This Release

Items addressed in this release are listed under sections "New Features in 6.7.1" and "Bug Fixes in 6.7.1".

 

 

2. Tectia SSH Server 6.7.1 IBM for z/OS

Tectia SSH Server 6.7.1 for IBM z/OS is an SSH client/server solution designed for securing IBM z/OS mainframe connectivity. It provides secure terminal and secure file transfer functionalities between IBM z/OS systems, and between IBM z/OS and distributed hosts.

The server provides support for direct secure file transfers to and from MVS file system with configurable codeset translation. Client applications can be run interactively or from JCL.

File transfer profiles and mainframe-specific file transfer commands, such as the SITE command and advice strings, can be used to enhance file transfer capabilities and usability significantly.

The client module of Tectia SSH Server 6.7.1 for IBM z/OS also provides Transparent FTP Tunneling and FTP-SFTP Conversion features that allow users to secure their FTP file transfers without any modifications to existing FTP jobs.

In conjunction with other Tectia products for distributed platforms, Tectia SSH Server 6.6.11 for IBM z/OS enables complete transparency to the user as well as secure application connectivity, including TN3270, without any user intervention.

More information on the key features in Tectia SSH Server 6.7.1 for IBM z/OS can be found in the Product Description.

2.1 Pre-upgrade actions

Customer upgarding from v6.6.5 or earlier releases should change all sftp script using ftadv string F=record,J=MVS-FTP to F=record,J=MVS in order to maintain record with four byte length prefix.

2.2 Post-upgrade actions

Customer upgarding from v6.6.5 or earlier releases should change all sftp script using ftadv string D=UCS-2,I=DOS/UNIX,J=MVS-FTP to C=UCS-2,I=DOS/UNIX,J=MVS-FTP.

Ensure z/OS ICSF product is installed in the running z/OS system. Program module CSFDLL3X must be resolved via LNKLST in z/OS system SIEALNKE PDSE.

 

 

3. New Features

The following new features have been implemented in Tectia SSH Server for IBM z/OS::

New Features in 6.7.1

The product has been built and tested on z/OS v3.1, v2.5 and v2.4, which are now the officially supported platforms. The code targets architecture level 8 (z10, zBC/zEC12, z13, z14, z15 and above).

(ZOS #445) Added support for TYPE=PIPE, Supports file transfer to and from Unix named pipes.

(ZOS #444) Added support for FILETYPE=SORT access method. This allows the use of the z/OS DFSORT utility in file transfer requests. 

(ZOS #443) Included support for --suffix argumument to sftpg3 client. Behaves symmetrically with --prefix argument, but at the end of a Dataset / file name.

(ZOS #424) Added support for native z/OS FTP JesPutGet functionality into Tectia sock-proxy FTP. Allows users to use the GET command to submit a remote JCL to the remote server and retrieve the job output onto the local system.

(ZOS #416) Implemented SSZASST diagnostic facility, providing a means to investigate the installation and diagnose problems.

(ZOS #337) Message SSZ3045I displays on sftp client program on completion of file transfer.

(ZOS #332) Added support for traditional MVS dataset masks for filename-matched and file-transfer profiles in ssh_ftadv_config.

(ZOS #262) Added support for FILETYPE=ADRDSSU interface, allows users to use z/OS ADRDSSU dataset management utility in file transfer requests. This addresses GDGALL support allowing a GDG and all its members to be transferred.

(ZOS #59) Increased security related defaults. Default key size generation are as follows: 3072 bits for RSA and DSA keys, and 384 bits for ECDSA keys. X15KEYG host key generation job will now generate a 3072 bit RSA host key.

(ZOS #23) Program ssh-keygen-g3 generates SHA256 fingerprint output message.

 

New Features in 6.7.0

The product has been built and tested on z/OS v2.5, v2.4, v2.3 and v2.2, which are now the officially supported platforms. The code targets architecture level 8 (z10, zBC/zEC12, z13, z14, z15 and above).

(ZOS #345) Following key exchange methods are added to server and client programs curve25519-sha256,curve25519-sha256@libssh.org, ecdh-nistp521-kyber1024-sha512@ssh.com, ecdh-nistp521-firesaber-sha512@ssh.com, curve25519-frodokem1344-sha512@ssh.com, sntrup761x25519-sha512@openssh.com

(ZOS #368) If Tectia client program is started from JCL, address space region size will be adjusted to the configured MAXASSIZE if necessary.

(ZOS #146) Added support for new filetypes in ftadv for more powerful dataset handling FT=PDS for transfering PDS(E) datasets. FT=IBC(IEBCOPY) for transfering PDSE loadlibrary datasets. The IEBCOPY implements interface to the IEBCOPY dataset utility program.

 

New Features in 6.6.11

The product has been built and tested on z/OS v2.5, v2.4, v2.3 and v2.2, which are now the officially supported platforms. The code targets architecture level 8 (z10, zBC/zEC12, z13, z14, z15 and above). 

(ZOS #348) Server program sshd2 is enhanced to write application-specific information (APPLDATA) to its associated z/OS TCP sockets. The information can be viewed via NETSTAT command and stored in SMF Type 119 subtype 2 (TCP connection termination record).

(ZOS #343) Server program sshd2 is optimised for allocating pseudo terminal for ssh terminal connection.

(ZOS #340) If zIIP processor is enabled on the z/OS system and server program sshd2 is running in authorised mode, mainframe CPACF instructions will be shifted to be executed in zIIP processor.

(ZOS #306) New option, -M, --destination-home-directory, is added to ssh-keydist-g3 program. The option allows user to specify the user home directory path in the destination system.

(ZOS #301) Filetype IDCAMS is added to sftp ft advice string. This permits definition of several kinds of datasets not otherwise possible. This phase handles entry of commands and retrieval of results, in a JES filetype way. 

(ZOS #265) Default XML and DTD files are compiled into Tectia for z/OS client programs.

(ZOS #263) Compression method zlib@openssh.com is supported in Tectia for z/OS server and client programs. The compression method zlib@openssh.com will exploit the benefit of z15 in-core compression facility running on z/OS v2.4 or later.

(ZOS #262) Random_seed file is no longer required by Tectia for z/OS client programs.

(ZOS #261) Plugin module i18n_iconv.so is not packed into product package file. Code page translation function is merged into Tectia for z/OS server and client programs.

(ZOS #246) Permit Tectia for z/OS server program to start on a RDONLY mount point. PidFile configuration option in ssh_certd_config is removed.

 

New Features in 6.6.10

(ZOS #60) Added AES-GCM cipher via CPU CPACF, CEX card via ICSF. Tectia for z/OS now supports cipher 3DES-CBC, AES-CBC, AES-CTR and AES-GCM and hash MD5, SHA1 and SHA2. Customer is recommended to apply resolution PTF to fix z/OS ICSF APAR OA59369 if CEX card is used for AES-GCM. 

(ZOS #145) GDG dataset name in WTO message SSZ3045I is expanded to fully qualified MVS dataset name. 

(ZOS #149) Allow GDG reference to (+0) as (0).

(ZOS #171) Added ECDSA public key algorithm to ssh-broker-g3 default configuration.

(ZOS #206) zlib in Tectia for z/OS is upgraded to zlib-v1.2.11-zEDC which is bundled in z/OS v2.4.

(ZOS #230) Added z/OS passticket support via password authentication method in Tectia for z/OS SSH server. 

 

New Features in 6.6.9

(ZOS #162) Compressions statement is added to sshd2_config file to specify the availability of compression methods (none,zlib) for a ssh connection. The default value is "none,zlib".

(ZOS #100) WTO message is displayed from ssh-socks-proxy program when TCPIP task ends.

(ZOS #69) Public key algorithms rsa-sha2-256 and rsa-sha2-512 are added to host key algorithms and user authentication public key signature algorithms.

(ZOS #68) Key Exchange methods diffie-hellman-group16-sha512, diffie-hellman-group18-sha512 diffie-hellman-group-exchange-sha1 and diffie-hellman-group-exchange-sha256 are added.

Dynamic module sizes are optimised. sft-server-g3 supports call to customer JES exit program (FTCHKJES) for job submission permission.

Optimise random number generation in Tectia for z/OS client programs to use ICSF CSNBRNG callable service.

 

New Features in 6.6.8

The product has been built and tested on z/OS v2.4, v2.3 and v2.2, which are now the officially supported platforms. The code targets architecture level 8 (z10, zBC/zEC12, z13, z14, z15 and above).

sftpg3 connection error message is enhanced to contain the possible reason information.

 

New Features in 6.6.7

(ZOS #50) ssh-keyfetch is enhanced to support ECDSA server key.

 

New Features in 6.6.6

Optimise random number generation in Tectia for z/OS ssh server using ICSF CSNBRNG callable service.

Program sftpg3 is enhanced to display more informative message on open connection failure.

Tectia for z/OS sftpg3 and sft-server-g3 support transferring file with each record prefixed with 2-byte length field and following 2-byte zeros. The record format is similar to IBM RDW field in VB record format. Ftadv string F=record,J=MVS-FTP will generate record in the above format.

To customer upgrading from v6.6.5 or earlier release: If you are using ftadv string F=record,J=MVS-FTP for transferring record with four bytes length record format, it should be replaced with F=record,J=MVS.

 

New Features in 6.6.5

Use ICSF CSNBRNG callable services to assist the random number generation. z/OS UNIX files /dev/random and /dev/urandom will not be referred. Customer is reminded to verify the proper permission is configured in SAF profile CSFRNG in class CSFSERV.

sftpg3 and sft-server-g3 support z/OS dataset symbolic relate alias.

Use z/OS mainframe instruction to optimize the file line delimiter conversion.

Tectia for z/OS server prolongs the authentication process for invalid username.

SAMPLIB member HOSTSAVF is created. It contains JCL to call ssh-broker-ctl for saving remote ssh host key into the calling user's ~/.ssh2/hostkeys/.

Improved user interface in keyboard-interactive authentication prompts.

 

New Features in 6.6.4

Use z/OS APAR PI74958 to restore the original pthread serialization mechanism. Prevent CPU loop in prime random number generation on z13 and z14 processor.

 

New Features in 6.6.3

The product has been built and tested on z/OS v2.3, v2.2 and v2.1, which are now the officially supported platforms. The code targets architecture level 8 (z10, zBC/zEC12, z13, z14 and above).

 

New Features in 6.6.2

The product has been built and tested on z/OS v2.3, v2.2 and v2.1, which are now the officially supported platforms. The code targets architecture level 8 (z10, zBC/zEC12, z13, z14 and above).

The HLQ field length in SSZASST panel SSZSETI is increased to accept more than one dataset qualifier. Invalid field values in panels SSZSETG, SSZSETI, SSZSETO and SSZSETM are not accepted when PF3 function key is pressed.

If configured in sshd2_config, a WTO message will be displayed on z/OS console when the sft-server-g3 completes a file transfer.

If configured in sshd2_config, z/OS system message (IGD*/IGG*) will display on console for dynamic dataset allocation.

Message SSZ0012W will display on console when SIGXCPU signal (CPU limit exceeded) is caught by sshd2 server.

 

New Features in 6.6.1

The product has been built and tested on z/OS 2.2 and z/OS 2.1, which are now the officially supported platforms. z/OS 1.13 is no longer supported. The code targets architecture level 8 (z10 and above).

New configuration parameters: TcpListenBacklog, TcpListenRate and TcpListenPause. These parameters can be used to adjust product behaviour in case high incoming connection rate.

If IBM Crypto Express Card (CEX) is installed, Tectia Server/Client for IBM z/OS will direct cipher operations to the co-processors in CEX via ICSF. Customer is recommended to apply PTF to fix z/OS ICSF APAR OA52113 if CEX is used.

Ft advice string can be now used to override cataloged data set record format parameter. This enables transfer of VB including RDW and BDW.

zOS G2/G3 math routine using z13 vector facility. The new sshd2_config keyword is ZcpuMathFacility, and new client-side (sshg3, scpg3, sftpg3, ssh-keygen-g3) environment variable is SSH_ZCPU_MATH_FACILITY.

A console interface was added to Tectia SSH for z/OS G3.

Tectia Server for IBM z/OS utilizes now z/OS zEDC zlib provided by IBM.

Additional changes include:

  • The socks proxy and broker no longer require shell script wrappers when run as started tasks, allowing them to be started, stopped and modified using console commands. Several new informational status commands are now available and responses are issued as WTO messages.

  • The SSZASST ISPF application has been updated to: support the socks proxy started task console interface, including new status and control commands; capture console messages more reliably and completely; provide utilities to remove replaced ZFS installation datasets and to uninstall the product.

  • Numerous small optimizations and memory usage improvements have been made.

  • The default keygen type has been changed to RSA. The default host key length has been increased to 2048 bits.

  • Some useful debug messages have been made available in non-debug builds.

 

New Features in 6.5.0

The product now targets a minimum z/OS version of 1.13.

Provide an ISPF interface for installation, configuration and management of the product.

Added Elliptic Curve support for Diffie-Hellman key exchange, key signature generation and verification to the server using ICSF where available.

Added ECC hardware support via ICSF for clients and broker.

Added AES-CTR cipher hardware support via ICSF for server.

Added AES-CTR cipher hardware support via ICSF to clients and broker.

The sshd2 server now properly respects the tag attributes of its configuration files.

Lines in the server configuration file may be continued via a final backslash.

Removed diffie-hellman-group1-sha1 key exchange from defaults.

Single des-cbc cipher removed.

Removed RC2 cipher support.

 

New Features in 6.4.10

  • z/OS: Added support for Elliptic Curve Diffie-Hellmann (ECDH) for key exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) for keys and host keys on the z/OS clients.

  • z/OS: Added a new SSHD2 console modify command F SSHD2,RESTART,FORCE that restarts SSHD2 and kills all child connections.

  • z/OS: Added _EDC_ADD_ERRNO2 to recommended environment files, improving error reporting detail.

  • z/OS: z/OS clients now support AES-CTR bulk encryption outgoing to servers accepting that cipher, via an implementation exploiting CPACF AES-CBC.

  • z/OS: When log-on is refused because of expired user ID, the name of the user is now logged.

  • Documentation: Published the Tectia Server for IBM z/OS Cookbook.

  • Documentation: Added new sample jobs SCPPUT1 and SCPGET3W to SAMPLIB.

 

New Features in 6.4.8

  • All Platforms: Added standard MACs hmac-sha2-256 and hmac-sha2-512 as specified in RFC 6668. This enables third-party compatibility when using SHA-2 MACs in Tectia products.

  • z/OS: Tectia Server now accepts z/OS operator console modify and stop commands. This makes it possible for example to enable debug messages via the 'debug' modify command without having to restart the server. Please note that the syntax has changed to console commands for managing SSHD2 and SSHCERTD started tasks. When upgrading to this version and if it is desired to make use of modify-command support, shut down the existing started tasks, update the relevant PROCLIB members from the supplied samples newly installed in /opt/tectia/doc/zOS/SAMPLIB/ and then start the new procedures. If you do not update the started-task procedures, the daemons will run under control of the old shell-scripts, responding to the old syntax, but not to modify commands.

 

New Features in 6.4.7

  • z/OS: Implemented "load control", a connection flood DoS attack mitigation feature that uses a white list of IP addresses. The feature attempts to keep Tectia Server up and running in the face of a Denial of Service attack that tries to use so much of the server's resources that normal service would be disrupted.

  • z/OS: Added the following operations to the JES interface of Tectia Server for IBM z/OS:

    • Deleting jobs

    • Displaying the status of all the user's jobs

 

New Features in 6.4.6

  • z/OS: Added the new SFTP SITE command and advice string parameter "SPACE_RELEASE"(or RLSE when abbreviated). If SPACE_RELEASE is set to "yes" (default) when a new data set is allocated, unused disk space will be released. Otherwise the allocated space of a data set is retained.

 

New Features in 6.4.5

  • All Platforms: When the standard output of sftpg3/scpg3 is redirected to a file, it will now contain the file transfer progress percentage.

  • z/OS: Added support for z/OS 2.1 to Tectia Server for IBM z/OS.

 

New Features in 6.4.4

  • z/OS: For dataset transfers, the default for the 'staging' extended attribute is now 'no'.

  • Enable staging explicitly only when it is required by sending SITE STAGE=YES or ftadv:S=YES.

 

New Features in 6.4.2

  • All Platforms: Added the possibility to show the SFTP server banner to the FTP client when connecting using FTP-to-SFTP Conversion.

 

New Features in 6.4.0

  • z/OS: Added the possibility to allow the user to enter a password or passphrase from the OMVS environment.

  • All Platforms: Added TCP and FTP Transparent Tunneling support for IPv6. Note that FTP-SFTP Conversion still does not work with IPv6 addresses.

  • z/OS: Added initial support for SITE Filetype=JES. Currently supported features are:

    • Switching between accessing JES and the normal filesystem viaSITE FILETYPE=JES|SEQ

    • Submitting a file or dataset of JCL to the JES internal reader

    • Retrieving spool files by job id from the JES hold queue

This is the initial release of a feature which will be enhanced to support other operations on the JES spool such as listing and selecting spool files using various criteria.

  • All Platforms: scpg3, sftpg3 and FTP Conversion will now notify the JOBID when dealing with SITE Filetype=JES. Please, refer to documentation to obtain those JOBID with older Tectia clients or with third-party clients.

 

 

4. Bug Fixes

The following fixes have been implemented in Tectia SSH Server for IBM z/OS:

Bug Fixes in 6.7.1

(ZOS #436) Probe the availability of SMF subsystem correctly.

(ZOS #421) Added support for non-directory wildcard masks for remote file targets The behavior should now match to what is to be expected when specifying paths with wildcards.

(ZOS #420) Enhanced FILETYPE=PDS to support copying of IMS PSBLIBS.

(ZOS #388) Removed redundant chown API calls when creating new directories.

(ZOS #370) Display SSZ3049 message when sock proxy fails to listen on TCP port.

(ZOS #360) Non-Comment lines in translation tables are no longer identified by an x'00' in column 0.

(ZOS #318) Migrated datasets now correctly use original values instead of default values.

 

Bug Fixes in 6.7.0

(ZOS #373) Following RACF statements are added to X05CSFS installation job RDEFINE CSFSERV CSFRNGL UACC(NONE) PERMIT CSFRNGL CLASS(CSFSERV) ID(*) ACCESS(READ)

(ZOS #380) Elapsed time of FTP job with thousands of ftp commands is extended. Internal timer for checking the availability FTP data port to Tectia proxy server program is reduced.

(ZOS #383) Tectia ssh server hung after 255th session rekey is fixed.

(ZOS #384) Memory usage of ssh server increased after session rekey is fixed.

(ZOS #386) Tectia FTP socks-proxy server substituting tilde in file name with user home path fixed.

(ZOS #400) Tectia z/OS client programs disconnecting ssh connection using AES-GCM cipher during session rekey is fixed.

 

Bug Fixes in 6.6.11

(ZOS #353) Tolerate empty extended attribute returned from SSH sftp server.

(ZOS #290) A bug in reading MVS dataset for ft advice string J=MVS-FTP is fixed. The bug leads to a record being splited into two records.

(ZOS #284) Bugs relating to operation on sftp JES spool files are fixed.

(ZOS #283) A bug in Tectia for z/OS client program sshg3 on filtering escape character is fixed.

(ZOS #271) A bug in Tectia for z/OS server program debug record is fixed.

 

Bug Fixes in 6.6.10

(ZOS #226) A bug in sft-serverg-g3 and ssh-socks-proxy program when performing append operation to a open system file is fixed.

(ZOS #201) A bug in sft-server-g3 and sftg3 program when handling ftadv string status=MOD is fixed.

(ZOS #184) A bug in ssh-socks-proxy program causing abend 0C4 and end with reason code 11 duing ftp tunnel estblishment is fixed.

 

Bug Fixes in 6.6.9

(ZOS #160) It is recommended to install PTFs for APAR OA60084 to fix IBM module FPZINLPA abend 0C4 called by sshd2 or ssh-broker-g3 when running on a z15 processor with compression feature.

(ZOS #152) Tectia SSH for IBM z/OS sftpg3 reports Error: message for upload operation to new file in target server. The target server responds SSH_FX_FAILURE status to SSH_FXP_STAT request for new file name. A toleration fix is added to Tectia SSH for IBM z/OS sftpg3 program.

(ZOS #111) A bug in program sft_server_g3 rejecting SSH_FXP_OPEN request with exclusive flag set is fixed.

(ZOS #107) Tectia SSH for IBM z/OS file transfer failed to allocate existing PDS dataset occasionally. Existing PDS dataset will now be allocated with DISP=SHR.

(ZOS #105) A bug in program sshg3 and sftpg3 to handle TERM/HUP signal is fixed.

(ZOS #100, #93) Inadequate customer site z/OS Language Environment runtime settings, HEAP and STACK, causes Tectia SSH for IBM z/OS program abend. IBM recommended values for LE runtime setting are restored when Tectia SSH for IBM z/OS program is loaded.

(ZOS #97) A bug in program sft_server_g3 to parse dataset name in SSH_FXP_OPEN request is fixed.

(ZOS #94) A bug in program sshd2 when handling TCPIP tasks end is fixed.

(ZOS #84) A bug in program ssh-socks-proxy that causes displaying message 'IEA450I ABEND SEC6 for job SSHSP1' during shutdown is fixed.

(ZOS #82) Incorrect return code from successful ssh-broker-ctl probe-key operation is fixed.

A bug in program ssh-sock-proxy that causes reload command hang is fixed.

 

Bug Fixes in 6.6.8

A bug in handling informative message from sftpg3 being buffered is fixed.

Message 'Received signal 11. (no core)' logged in SSHD2 started task when a ssh session ended is fixed. This issue might also lead to SSHD2 started task end.

(ZOS #63) Abend 0C4 in ssh-ftp-proxy is fixed. Race condition in buffer, data structure and program memory release are fixed in sftpg3, sft-server-g3 and ssh-ftp-proxy.

(ZOS #72) Task SSHSP startup failure due to tectia for z/OS product installed on USS path name starting with '/_' is fixed.

 

Bug Fixes in 6.6.7

Information message will be displayed if ISPF installer is not initialized properly via panel option 0.

A bug in handling SSH_DEBUG_FMT environment variable in Tectia SSH for IBM z/OS programs is fixed.

A bug in handling FTADV string J=MVS-FTP,TRAILING_BLANK=NO for outbound operation is fixed.

A bug in handling the sequence of SSH packet during the USERAUTH phase is fixed.

A bug in handling SSH_SFTP_HOME_MVS=YES environment variable is fixed. The value of environment variable SSH_SFTP_HOME_MVS will be reset to NO if there is no catalogue entry found for the username executing the Tectia SSH for IBM z/OS program.

(ZOS #51) A bug in handling ICSF random number in Tectia for IBM z/OS sshd2 server causing 0C4 abend is fixed.

 

Bug Fixes in 6.6.6

A bug in handling ftadv string I=MVS-FTP and J=MVS-FTP on reading dataset operation is fixed. The result network data stream is expected containing no delimiter character.

A bug in handling ftadv string CONDDISP=DELETE on reading dataset operation is fixed.

A bug in Tectia for z/OS ssh server causing LE heap storage pool depletion is fixed.

A bug in printing "reading auxdata file failed" debug message is fixed.

A bug in refusing passive ftp data connection to sock-proxy program too quickly is fixed.

A bug in transferring dataset using ftadv string D=UCS-2,I=DOS,J=MVS-FTP is fixed. Customer wishing to have DOS style delimiter in UCS-2 format (x'000D000A') on the download file should use ftadv string C=UCS-2,I=DOS,J=MVS-FTP.

A bug in Tectia for z/OS sftpg3 client handling -b buffer_size_bytes option is fixed.

 

Bug Fixes in 6.6.5

SSZASST uninstall job (U03DELU) is enhanced to learn the home directory path of user SSHD2 and SSHSP from SAF.

A bug in Tectia for z/OS ssh server for supporting diffie-hellman- group14-sha1 host key exchange algorithm is fixed.

Sftp JES interface is worked with z/OS running JES3 subsystem.

Re-introduce following sftpg3 site command aliases: BLOCKSIZE, DATACLASS, DIRECTORY, MGMTCLASS, PRIMARY, RETPD, SECONDARY, STORCLASS, UCOUNT, VCOUNT.

A bug in transferring VB dataset with F=record is fixed.

A bug in codepage translation causing program loop in CPU is fixed.

 

Bug Fixes in 6.6.3

Sftp JES interface is now worked with OpenSSH sftp.

SSZASST how to document is updated to upload the package file with suffix tar.Z to with enlarged mainframe dataset size.

A bug in sftp transfer using I=DOS, J=MVS-FTP with bytes trunscated in the last record is fixed.

CYL and PRIM are re-introduced as alias for SPACE_UNIT=CYLS and PRIMARY_SPACE site commands.

 

Bug Fixes in 6.6.2

Broker configuration reload and reconfig options are now removed.

SSZASST installation job X12LIBS now returns code zero disregard the existence of SSZ PARMLIB dataset.

SSHD2 and broker now correctly detect the availability of HMAC in IBM CEX card through ICSF (FMID HCR77C0).

G2 server and G3 client for outgoing traffic can now use zEDC hardware if the compression option is set. For G2 server and G3 client incoming traffic, zEDC will be used for non-streaming mode sftp data if the compression option is set.

G2 ssh-certd does not crash anymore when processing ECC certificate.

ssh-certd does not fail anymore to check certificate validity using CRLS or OCSP.

sftpg3 checkpoint file content is now encoded in EBCDIC.

 

Bug Fixes in 6.6.1

COND can be again used as an alias for CONDDISP site command.

Unnecessary warning messages have been removed.

The sshg3 fork-into-background -f option has always caused a failure on z/OS with message EDC5257I due to an architectural error in its use of threads. To avoid this fatal error, the option has been disabled for the time being. Use shell job control facilities or run from JCL to put sshg3 into background.

The ssh-certd -d debug option parsing has been corrected to remove a bug.

A bug in sftp batch file handling where a missing final newline caused the last command to be ignored has been fixed.

A bug where the broker was not recording a successful password authentication event after a previous password authentication failure has now been fixed.

A bug in the functioning of the sftp filetype=JES cd command when using z/OS 2.2 has been fixed.

A bug triggered when the sshd2 option UseCryptoHardware No is set and CSF is not running has been fixed.

Shell script wrappers for running servers as started tasks have now been completely removed, because the socks proxy can be started and managed from z/OS operator console. The environment variable SSH_MVS_CONSOLE is no longer needed and has been removed from the sample sshenv file.”

The bug related to choosing Tectia ISPF installer option 3.4 SOXP, /opt/tectia/etc/ssh-socks-proxy-config.xml file with default values gets created, if it did not exist before. You have to manually delete the file if you want to remove the unintentionally created configuration has been fixed.

HOSTSAVE job, which uses ssh-keydist-g3, prior 6.4.2 saved host keys in ascii format and files were tagged as ISO8859-1. 6.4/6.5 upgrade process removes the tags during the tar/untar. Client is not able to read ascii host key files if those are not tagged. Bug has been fixed.

The bug related to chmod in sftp session resets directory permissions has been fixed.

The bug about record format U and BLKSIZE smaller than 1024 has been fixed.

Bug related to sshd2_config - LoadControl.Active, default is incorrectly stated to be 'yes' when in reality it is 'no' has been fixed.

A bug related to an attempt to allocate memory in the Language Environment and has failed has been fixed.

A bug in which SSH assistant Server TASK 4.7 TSRVOP "Set options for starting the SSH server" converts given options to upper case has been fixed.

A bug related to doing get operation with Putty fails after about 1GB has been transferred has been fixed.

A bug about allocating too small data set, or trying to transfer file to a small existing dataset, hangs, has been fixed.

A bug about leaving version field empty gives an unclear error message hasbeen fixed.

 

Bug Fixes in 6.5.0

Fixed a problem causing S0C4 in hardware crypto support when debug level greater than 10 is specified.

Fixed bug where circular symlink on server-side can cause sftp server to loop.

Fixed an issue with server configured configured to use SAF certificate store where user IDs derived from the AuthorizationEkProvider option were not translated to uppercase.

Fixed an issue with certificate-based authentication where an ampersand in the subject OU caused a broker XML error and client disconnection. of the product.

Fixed an issue which caused automatic FTP tunnels intermittently to fail to start.

 

Bug Fixes in 6.4.11

  • z/OS: Fixed a problem where the list of ciphers and MACs in sshd2_config was truncated after the first entry.

  • z/OS: Fixed a problem where the sft-server-g3 option --attribute=staging:YES was being ignored.

 

Bug Fixes in 6.4.10

  • z/OS: Removed incorrect file tags from some distributed files.

  • All Platforms: Fixed a potential crash in the Connection Broker that occurred when handling a connection that was waiting for the passphrase, and the SSH server that the Connection Broker was connecting to shut down.

  • z/OS: sshd2 -v -V now reports source code commit hash (relevant for problem reporting).

  • z/OS: SSHD2 is now built in EBCDIC mode, ensuring that system error messages are always reported readably.

  • z/OS: Improved error messages when user log-on is refused to make the reason for failure clearer.

  • All Platforms: ssh-broker-g3 will no longer crash if it fails to read its configuration file because of faulty permissions.

  • z/OS: SSHD2 verbose messages now include information on hardware cryptography support in a more readable manner.

  • z/OS: The SSHD2 pidfile is now removed when the daemon is stopped or exits.

  • All Platforms: ssh-broker-ctl will no longer busyloop when using add-crl or add-certificate command without specifying a file name.

  • z/OS: File transfer advice string TYPE=PREFIX|ALIAS were removed as allowable types.

  • Documentation: The documentation of the accepted abbreviations of file transfer advice strings and sftpg3 SITE parameters was clarified.

  • Documentation: Generic documentation improvements.

 

Bug Fixes in 6.4.8

  • z/OS: Fixed the line delimiter conversion in DOS files that are submitted from UNIX to JES.

  • All Platforms: Fixed an issue in Tectia Client where short host name was accepted in host authentication with certificate. It is no longer possible to connect to a host without providing the FQDN.

  • z/OS: File transfer to a data set with existing prefix using PuTTY no longer fails.

  • z/OS: Fixed an issue that occurred when an sput destination file name was a non-existing z/OS PDS dataset. A new PDS dataset is created when the destination file name is //__PDS(member) and FTADV directory_size is set.

  • Documentation: Generic documentation improvements.

  • Documentation: Tectia Server for IBM z/OS Quick Start Guide has been rewritten into a more compact version.

  • z/OS: The LIBPATH environment variable is no longer set by Tectia Server in the user's environment when logging in.

  • z/OS: Fixed an issue in Tectia Server which caused a file transfer to fail when a third-party SSH client tried to fetch a data set with conversion.

 

Bug Fixes in 6.4.7

  • Documentation: Minor modifications to the documents.

  • z/OS: Fixed a situation in which under certain conditions, some sshd2 processes were not being shut down after a third-party SSH client was disconnecting.

  • All Platforms: Active mode for static FTP tunneling no longer fails to work when using IPv4 addresses.

  • z/OS: File transfers with an ftadv profile no longer fail with an "invalid code reached" message.

  • z/OS: The environment variable _CEE_RUNOPTS is no longer needed when running Tectia client tools for z/OS programs.

  • z/OS: When handling JES spool files from a Windows client with sftpg3 or scpg3, the commands "ascii" and "get jobid" no longer fail to convert to ASCII.

  • All Platforms: Removed sshg3 options +w/--try-empty-password and -w from the manuals and help, as the feature is no longer supported.

  • All Platforms: IPv6-wrapped IPv4 addresses are now rendered correctly in the logs.

  • All Platforms: sftpg3 and scpg3 no longer fail to get the current user name when using the option (user=%username%) in a connection profile.

  • All Platforms: IPv6-wrapped IPv4 addresses no longer fail to be tunneled when made via a dual layer socket.

  • z/OS: Removed an obsolete file (ssh-broker-config-example-ftp-sftp.xml) from the packages.

  • All Platforms: In scpg3, when transferring a file, if the character code set conversion of the file name fails for some characters, the conversion of the file name is no longer aborted.

  • z/OS: When configuring the IPv6 listener of Tectia Server with zones and within brackets, Tectia Server will no longer refuse to start.

 

Bug Fixes in 6.4.6

  • All Platforms: Newline conversions in Tectia file transfer clients no longer fail to work when transferring files to a VShell Server (VanDyke).

  • All Platforms: File transfers from Tectia Clients no longer crash when transferring files in ASCII mode to a VShell Server (VanDyke).

  • z/OS: S378 abends should no longer happen when using FILETYPE=JES directory functions.

  • z/OS: Using a file transfer profile via file transfer advice strings with the OpenSSH client no longer fails to work.

  • z/OS: The execution of the commands "digest" or "ldigest" from sftpg3 on the server side no longer fails in some cases.

  • z/OS: Listing PDSEs with sftpg3 no longer shows space as 0. It now reports the estimated size based on the number of allocated tracks of the PDSE.

  • z/OS: Fixed the issue with file transfer advice strings where data set allocation was done dynamically even when the VOLUMES attribute was specified, except for when the UNIT attribute was configured.

  • Documentation: Improved the instructions for installing licenses in the z/OS documentation.

  • z/OS: Fixed the upgrade script, so that it will no longer create a new host key for the server.

  • z/OS: Simplified the license location requirement for Tectia Server for z/OS. From now on, the licenses must be installed by copying the license files to /opt/tectia/etc/licenses/ and making sure they are readable.

  • All platforms: Fixed a potential memory corruption when transferring files recursively and using a configuration file to specify the file transfer advice strings.

  • z/OS: Removed the no longer used ICU libraries from the packages.

  • All Platforms: Fixed a memory leak that occurred in the ssh-ftp-proxy when showing the SFTP server banner message.

 

Bug Fixes in 6.4.5

  • z/OS: In SITE Filetype=JES, if the job_owner attribute is not specified, the default value will be the current user.

  • z/OS: In SITE Filetype=JES, the command 'ls -l' for an individual job id no longer returns unsorted order when issued by clients.

  • z/OS: With SITE Filetype=JES, the command 'get job-id' no longer fails to run.

  • z/OS: Tectia clients and server will now create a correct output file when transferring text data from a MVS dataset to a POSIX file with \r\n line delimiters. Previously (since 6.3.6 release) several hundred bytes of data could be missing from the output file if the file was larger than about 32000 bytes. This type of transfer is specified by using a MVS dataset name and the attributes TRANSFER_FILE_LINE_DELIMITER=MVS and TRANSFER_LINE_DELIMITER=DOS for the source file.

  • z/OS: In sftpg3, when setting the filetype to JES and giving the command 'cd', the behavior is now the same as for the command 'cd //'.

  • All Platforms: Defining "summary-format" to print the file transfer progress percentage no longer fails when connected to an OpenSSH server.

 

Bug Fixes in 6.4.4

  • z/OS: Fixed problems regarding the transfer of zero-length files and datasets to and from z/OS using the Windows Putty psftp client.

  • z/OS: Enhanced file transfer behavior with third-party clients that issue multiple read requests in advance and thus may end up trying to read beyond the end of the file.

  • z/OS: File transfer advice string abbreviations and aliases have been synchronized with those in the documentation.

  • z/OS: A workaround for third-party clients has been provided for the case where a previous 'cd' command is ignored when a subsequent 'get' or 'put' operand begins with a file transfer advice string '/ftadv:.../'. These clients do not prefix their 'cwd' onto the operand because the initial '/' causes it to be interpreted as an absolute path. The 'ftadv' string may now begin with a leading dot './ftadv:.../', allowing the operand to be interpreted as a relative path.

  • Parsing of 'ftadv' strings in 'pathname' operands has been enhanced to provide greater flexibility.

 

Bug Fixes in 6.4.3

  • Documentation: Added an additional step in the zFS mounting instructions about how to format the zFS file system prior to mounting it.

  • z/OS: ssh-keydist now writes host keys and public keys in EBCIDC. As well, for executing ssh-keydist, now it is needed to set the environment variable SSH_CHARSET_CONV accordingly. Check Tectia Server for z/OS User Manual for details.

 

Bug Fixes in 6.4.2

  • All Platforms: In file transfer clients, ASCII and character set conversion related site commands to Tectia SSH Server for IBM z/OS now work against all versions of Tectia SSH Server for IBM z/OS.

  • z/OS: Changed the behavior so that OpenSSH SFTP client no longer gets different results from Tectia Client when putting to a new dataset that has the same name as an existing dataset prefix.

  • All Platforms: Now it is possible to set the remote newline convention in FTP-SFTP conversion when performing ASCII file transfers.

  • z/OS: Migrated datasets that are transferred as ASCII via SOCKS proxy will no longer be unusable.

  • z/OS: sft-server-g3 no longer goes into an endless loop when putting to a preallocated dataset using OpenSSH sftp client and ftadv:TRANSFER_FILE_LINE_DELIMITER=MVS-FTP

  • z/OS: Improved the documentation regarding the usage of OpenSSH scp when connecting to Tectia Server for IBM z/OS.

  • All Platforms: SSH_SFTP_CMD_GETPUT_MODE environment variable works again.

  • All Platforms: The End-user license agreement (EULA) has been updated to reflect the new company name.

  • All Platforms: scpg3 option "-a" no longer fails to do ASCII conversion.

  • z/OS: Removed a few wrong warning messages.

  • z/OS: Fixed the task init scripts when stopping child processes to not to result in EC6 abends on shutdown.

  • z/OS: Removed a redundant license check when using socks proxy.

  • z/OS: SSHSP no longer raises EC6 abends on shutdown.

  • z/OS: When using FTP Proxy, z/OS Migrated datasets no longer fail to be recalled.

  • All Platforms: Broker acting as socks proxy no longer leaves connections in close_wait state.

  • z/OS: Upgrading Tectia Server for IBM z/OS from 6.3.1 or later to 6.4.2 no longer fails.

 

Bug Fixes in 6.4.1

  • All Platforms: In file transfer clients, ASCII and character set conversion related site commands to Tectia SSH Server for IBM z/OS now work against all versions of Tectia SSH Server for IBM z/OS.

 

Bug Fixes in 6.4.0

  • All Platforms: The End-user license agreement (EULA) has been updated to reflect the new company name.

  • All platforms: Broker no longer crashes when running in SOCKS proxy mode and falling back to plain.

  • All Platforms: SSH_SFTP_CMD_GETPUT_MODE environment variable works again.

 

 

5. Known Issues

The following issues are currently known to exist in Tectia SSH Server for IBM z/OS:

  • Certd client certificate validation not working properly. As a workaround use SAF validation.

  • ssh-keydist-g3 does not work with servers that have only CTR mode ciphers such as aes128-ctr, aes192-ctr, and aes256-ctr enabled.

  • The socks proxy function to reload the configuration file has been temporarily disabled due to problems it was creating; restart the socks proxy instead.

  • Remote translation tables only work when the ftadv/site command X=BIN is used. Local translation tables work as intended.

  • All Platforms: FTP-SFTP Conversion does not support IPv6.

  • All Platforms: The usage of IPv6 addresses in certificates is not yet supported.

  • z/OS: SFTP fails when attempting to transfer an empty MVS dataset. However, FTP opens the file and proclaims that the transfer is completed without generating an error.

  • The current server cannot read the authorization file that is used in public key authentication if the file is tagged to a TEXT file. If the authorization file is created e.g. on a Windows host and then transferred to z/OS, it will be automatically tagged as TEXT, and the public key setup fails. In this case the file must be manually untagged. If the authorization file is created on a z/OS server, the file is by default untagged and can be used without modifications.

  • The write operation to a PDS member locks the PDS and no other connections to that PDS are possible during the transfer.

  • IBM-EUCJC code set conversion is not possible on z/OS 1.8 and earlier. Tectia uses iconv() for character set conversions. In z/OS 1.8 and earlier releases, iconv does not have a translation between IBM-EUCJC and UTF-8 or UCS-2. z/OS 1.9 supports the new Unicode services providing translations between IBM-EUCJC and all other codesets that support the same character set. Workaround for conversion from IBM-EUCJC and UTF-8 or UCS-2 on z/OS 1.8 and earlier is to manually generate new translation tables for iconv.

  • Sftpg3 client fails to suspend (Ctrl-Z) gracefully when run from /bin/sh. Use tcsh or bash instead of /bin/sh or avoid suspending the client.

  • Sftpg3 does not accept HFS batch files if addressed by using the DD card. HFS batch files can be used by entering the path of the batch file directly to the sftpg3 command. Alternatively, MVS datasets can be used, either by entering the dataset name directly to the sftpg3 command or by addressing it by using the DD card.

  • Multiple files cannot be transferred in parallel into a PDS. If sftp client transfers files in parallel into a PDS, only the first file is copied successfully. The rest fail because PDS is in use by the first file copy. This happens with third-party and older SSH Tectia (4.x, 5.1) clients. In Tectia 5.2, file transfer clients can detect the type of the dataset and transfer the members correctly. When using third-party and older Tectia Clients, the workaround is to use PDSE datasets.

  • When browsing MVS data sets in Tectia Client SFTP Windows GUI, data set sizes are shown as 0 (for VSAM files the High Used RBA is shown; it is a good estimate of the number of data bytes).

  • If password on command line is used, process listing shows the password as a part of the running process. Use either public key authentication or use password on file.

  • On some occasions, Tectia Client 4.x and OpenSSH clients do not report errors if a file transfer to Tectia Server for IBM z/OS fails. The client informs that the transfer was OK, but in reality the transfer might have failed. This error happens when the actual file transfer is completed successfully, but writing the data to the dataset of HFS file fails for some reason. For example, the file transfer might fail if the pre-allocated dataset size is not big enough. When the client closes the file, the server de-stages the data to the dataset. This fails, but Tectia Client 4.x and OpenSSH clients ignore the return value of the close operation. Tectia Client 5.x can report the error correctly.

 

 

6. Further Information

More information can be found on the man pages and in the Tectia SSH manuals that are also available at: https://www.ssh.com/manuals/

NOTE:

License policy

Tectia SSH Server for IBM z/OS and the SSH client tools require valid licenses that are provided separately. Please contact your sales representative if you have not received your licenses.

Upgrade information

It's no longer necessary to remove the license_ssh2.dat file or symlink before upgrading.

Upgrading from Tectia SSH Server for IBM z/OS 6.6.10 or earlier

Customers upgrading from v6.6.10 or earlier releases should consider granting read access to the installer user for profile BPX.FILEATTR.APF in class FACILITY as listed in job X01IUSR.

PERMIT BPX.FILEATTR.APF CLASS(FACILITY) ID(username) ACCESS(READ)

This access grants the authorization right for installing Tectia SSH Server program sshd2 to use the mainframe zIIP processor.

Upgrading from Tectia SSH Server for IBM z/OS 6.6.5 or earlier

Customers upgrading from v6.6.5 or earlier releases should change all sftp script using ftadv string F=record,J=MVS-FTP to F=record,J=MVS in order to maintain record with four-byte length prefix.

Upgrading from Tectia SSH Server for IBM z/OS 6.6 or earlier

To eliminate z/OS USS special file /dev/random dependency, Tectia SSH Server and Client programs used ICSF callable service to generate random number. If ICSF callable service is controlled by SAF, please ensure READ access is granted to users (including sshd2) that will use Tectia SSH Server and Client programs for profile CSFRNG in class CSFSERV.

Upgrading from Tectia SSH Server for IBM z/OS 6.4 or earlier

To make the file transfer advice string and site command parameters consistent, many of them were modified in 6.4.x releases. Please check the currently available parameter names and their abbreviations from Tectia SSH Server for IBM z/OS User Manual.

Upgrading from Tectia SSH Server for IBM z/OS 6.4.8 or 6.4.9

The behavior of the modify command restart (introduced in Tectia SSH Server for IBM z/OS 6.4.8) changed in version 6.4.10. The restart command now restarts the server without killing the existing connections. To restart the server and kill existing connections, use "restart force".


********************************************************************

Before installing the software, please read the license agreement located in the extracted installation package. Should you have any questions, please contact sales@ssh.com or your sales representative.

********************************************************************

All Tectia SSH Server for IBM z/OS user documentation is included in the online package. Please refer to Tectia SSH Server for IBM z/OS Administrator Manual for instructions on installing and removing the software.

 

1. About This Release

Items addressed in this release are listed under sections "New Features in 6.7.0" and "Bug Fixes in 6.7.0".

 

2. Tectia SSH Server 6.7.0 IBM for z/OS

Tectia SSH Server 6.7.0 for IBM z/OS is an SSH client/server solution designed for securing IBM z/OS mainframe connectivity. It provides secure terminal and secure file transfer functionalities between IBM z/OS systems and between IBM z/OS and distributed hosts.

The server provides support for direct secure file transfers to and from MVS file system with configurable codeset translation. Client applications can be run interactively or from JCL.

File transfer profiles and mainframe-specific file transfer commands, such as the SITE command and advice strings, can be used to enhance file transfer capabilities and usability significantly.

The client module of Tectia SSH Server 6.7.0 for IBM z/OS also provides Transparent FTP Tunneling and FTP-SFTP Conversion features that allow users to secure their FTP file transfers without any modifications to existing FTP jobs.

In conjunction with other Tectia products for distributed platforms, Tectia SSH Server 6.6.11 for IBM z/OS enables complete transparency to the user as well as secure application connectivity, including TN3270, without any user intervention.

More information on the key features in Tectia SSH Server 6.7.0 for IBM z/OS can be found in the Product Description.

2.1 Pre-upgrade actions

Customers upgrading from v6.6.5 or earlier releases should change all sftp script using ftadv string F=record,J=MVS-FTP to F=record,J=MVS in order to maintain record with four-byte length prefix.

2.2 Post-upgrade actions

Customers upgrading from v6.6.5 or earlier releases should change all sftp script using ftadv string D=UCS-2,I=DOS/UNIX,J=MVS-FTP to C=UCS-2,I=DOS/UNIX,J=MVS-FTP. 

Ensure z/OS ICSF product is installed in the running z/OS system. Program module CSFDLL3X must be resolved via LNKLST in z/OS system SIEALNKE PDSE.

 

3. New Features

The following new features have been implemented in Tectia SSH Server for IBM z/OS:

New Features in 6.7.0

The product has been built and tested on z/OS v2.5, v2.4, v2.3, and v2.2, which are now officially supported platforms.

The code targets architecture level 8 (z10, zBC/zEC12, z13, z14, z15, and above).

(ZOS #345) Following key exchange methods are added to server and client programs curve25519-sha256,curve25519-sha256@libssh.org, ecdh-nistp521-kyber1024-sha512@ssh.com, ecdh-nistp521-firesaber-sha512@ssh.com, curve25519-frodokem1344-sha512@ssh.com, sntrup761x25519-sha512@openssh.com

(ZOS #368) If Tectia client program is started from JCL, the address space region size will be adjusted to the configured MAXASSIZE if necessary.

(ZOS #146) Added support for new filetypes in ftadv for more powerful dataset handling FT=PDS for transfering PDS(E) datasets. FT=IBC(IEBCOPY) for transfering PDSE loadlibrary datasets. The IEBCOPY implements interface to the IEBCOPY dataset utility program.

 

4. Bug Fixes

The following fixes have been implemented in Tectia SSH Server for IBM z/OS:

Bug Fixes in 6.7.0

(ZOS #373) Following RACF statements are added to X05CSFS installation job RDEFINE CSFSERV CSFRNGL UACC(NONE) PERMIT CSFRNGL CLASS(CSFSERV) ID(*) ACCESS(READ)

(ZOS #380) Elapsed time of FTP job with thousands of ftp commands is extended. Internal timer for checking the availability FTP data port to Tectia proxy server program is reduced.

(ZOS #383) Tectia ssh server hung after 255th session rekey is fixed.

(ZOS #384) Memory usage of ssh server increased after session rekey is fixed. 

(ZOS #386) Tectia FTP socks-proxy server substituting tilde in file name with user home path fixed.

(ZOS #400) Tectia z/OS client programs disconnecting ssh connection using AES-GCM cipher during session rekey is fixed.

 

5. Known Issues

The following issues are currently known to exist in Tectia SSH Server for IBM z/OS:

- Certd client certificate validation not working properly. As a workaround use SAF validation.

- ssh-keydist-g3 does not work with servers that have only CTR mode ciphers such as aes128-ctr, aes192-ctr, and aes256-ctr enabled.

- The socks proxy function to reload the configuration file has been temporarily disabled due to problems it was creating; restart the socks proxy instead.

- Remote translation tables only work when the ftadv/site command X=BIN is used. Local translation tables work as intended.

- All Platforms: FTP-SFTP Conversion does not support IPv6.

- All Platforms: The usage of IPv6 addresses in certificates is not yet supported.

- z/OS: SFTP fails when attempting to transfer an empty MVS dataset. However, FTP opens the file and proclaims that the transfer is completed without generating an error.

- The current server cannot read the authorization file that is used in public key authentication if the file is tagged to a TEXT file.

If the authorization file is created e.g. on a Windows host and then transferred to z/OS, it will be automatically tagged as TEXT, and the public key setup fails. In this case the file must be manually untagged.

If the authorization file is created on a z/OS server, the file is by default untagged and can be used without modifications.

- The write operation to a PDS member locks the PDS and no other connections to that PDS are possible during the transfer.

- IBM-EUCJC code set conversion is not possible on z/OS 1.8 and earlier. Tectia uses iconv() for character set conversions. In z/OS 1.8 and earlier releases, iconv does not have a translation between IBM-EUCJC and UTF-8 or UCS-2. z/OS 1.9 supports the new Unicode services providing translations between IBM-EUCJC and all other codesets that support the same character set.

Workaround for conversion from IBM-EUCJC and UTF-8 or UCS-2 on z/OS 1.8 and earlier is to manually generate new translation tables for iconv.

- Sftpg3 client fails to suspend (Ctrl-Z) gracefully when run from /bin/sh. Use tcsh or bash instead of /bin/sh or avoid suspending the client.

- Sftpg3 does not accept HFS batch files if addressed by using the DD card. HFS batch files can be used by entering the path of the batch file directly to the sftpg3 command.

Alternatively, MVS datasets can be used, either by entering the dataset name directly to the sftpg3 command or by addressing it by using the DD card.

- Multiple files cannot be transferred in parallel into a PDS. If sftp client transfers files in parallel into a PDS, only the first file is copied successfully. The rest fail because PDS is in use by the first file copy.

This happens with third-party and older SSH Tectia (4.x, 5.1) clients.

In Tectia 5.2, file transfer clients can detect the type of the dataset and transfer the members correctly.

When using third-party and older Tectia Clients, the workaround is to use PDSE datasets.

- When browsing MVS data sets in Tectia Client SFTP Windows GUI, data set sizes are shown as 0 (for VSAM files the High Used RBA is shown; it is a good estimate of the number of data bytes). 

- If password on command line is used, process listing shows the password as a part of the running process. Use either public key authentication or use password on file.

- On some occasions, Tectia Client 4.x and OpenSSH clients do not report errors if a file transfer to Tectia Server for IBM z/OS fails. The client informs that the transfer was OK, but in reality, the transfer might have failed.

This error happens when the actual file transfer is completed successfully, but writing the data to the dataset of HFS file fails for some reason. 

For example, the file transfer might fail if the pre-allocated dataset size is not big enough. When the client closes the file, the server de-stages the data to the dataset. This fails, but Tectia Client 4.x and OpenSSH clients ignore the return value of the close operation.

Tectia Client 5.x can report the error correctly.

 

6. Further Information

More information can be found on the man pages and in the Tectia SSH manuals that are also available at:
https://www.ssh.com/manuals/

Additional licenses can be purchased from our online store at: http://www.ssh.com/

NOTE:

License policy
Tectia SSH Server for IBM z/OS and the SSH client tools require valid licenses that are provided separately. Please contact your sales representative if you have not received your licenses.

Upgrade information
It's no longer necessary to remove the license_ssh2.dat file or symlink before upgrading.

Upgrading from Tectia SSH Server for IBM z/OS 6.6.10 or earlier
Customer upgrading from v6.6.10 or earlier releases should consider granting read access to the installer user for profile BPX.FILEATTR.APF in class FACILITY as listed in job X01IUSR.

PERMIT BPX.FILEATTR.APF CLASS(FACILITY) ID(username) ACCESS(READ)

This access grants the authorization right for installing the Tectia SSH Server program sshd2 to use the mainframe zIIP processor.

Upgrading from Tectia SSH Server for IBM z/OS 6.6.5 or earlier
Customer upgrading from v6.6.5 or earlier releases should change all sftp scripts using ftadv string F=record, J=MVS-FTP to F=record, J=MVS in order to maintain a record with a four-byte length prefix.

Upgrading from Tectia SSH Server for IBM z/OS 6.6 or earlier
To eliminate z/OS USS special file /dev/random dependency, Tectia SSH Server and Client programs used ICSF callable service to generate a random number. If ICSF callable service is controlled by SAF, please ensure READ access is granted to users (including sshd2) that will use Tectia SSH Server and Client programs for profile CSFRNG in class CSFSERV.

Upgrading from Tectia SSH Server for IBM z/OS 6.4 or earlier
To make the file transfer advice string and site command parameters consistent, many of them were modified in 6.4.x releases. Please check the currently available parameter names and their abbreviations from Tectia SSH Server for IBM z/OS User Manual.

Upgrading from Tectia SSH Server for IBM z/OS 6.4.8 or 6.4.9
The behavior of the modify command restart (introduced in Tectia SSH Server for IBM z/OS 6.4.8) changed in version 6.4.10. The restart command now restarts the server without killing the existing connections. To restart the server and kill existing connections, use "restart force".

********************************************************************

Before installing the software, please read the license agreement located in the extracted installation package. Should you have any questions, please contact sales@ssh.com or your sales representative.

********************************************************************

All Tectia SSH Server for IBM z/OS user documentation is included in the online package. Please refer to Tectia SSH Server for IBM z/OS
Administrator Manual for instructions on installing and removing the software.

 

1. About This Release

Items addressed in this release are listed under sections New Features in 6.6.11 and Bug Fixes in 6.6.11.

 

2. Tectia SSH Server 6.6.11 for IBM z/OS

Tectia SSH Server 6.6.11 for IBM z/OS is an SSH client/server solution designed for securing IBM z/OS mainframe connectivity. It provides secure terminal and secure file transfer functionalities between IBM z/OS systems, and between IBM z/OS and distributed hosts.

The server provides support for direct secure file transfers to and from MVS file system with configurable codeset translation. Client applications can be run interactively or from JCL.

File transfer profiles and mainframe-specific file transfer commands, such as the SITE command and advice strings, can be used to enhance file transfer capabilities and usability significantly.

The client module of Tectia SSH Server 6.6.11 for IBM z/OS also provides Transparent FTP Tunneling and FTP-SFTP Conversion features that allow users to secure their FTP file transfers without any modifications to existing FTP jobs.

In conjunction with other Tectia products for distributed platforms, Tectia SSH Server 6.6.11 for IBM z/OS enables complete transparency to the user as well as secure application connectivity, including TN3270, without any user intervention.

More information on the key features in Tectia SSH Server 6.6.11 for IBM z/OS can be found in the Product Description.

 

2.1 Pre-upgrade actions

Customer upgrading from v6.6.5 or earlier releases should change all sftp script using ftadv string F=record, J=MVS-FTP to F=record, J=MVS in order to maintain a record with a four-byte length prefix.

 

2.2 Post-upgrade actions

Customer upgrading from v6.6.5 or earlier releases should change all sftp script using ftadv string D=UCS-2, I=DOS/UNIX, J=MVS-FTP to C=UCS-2, I=DOS/UNIX, J=MVS-FTP.

Ensure z/OS ICSF product is installed in the running z/OS system. Program module CSFDLL3X must be resolved via LNKLST in z/OS system SIEALNKE PDSE.

 

3. New Features

The following new features have been implemented in Tectia SSH Server for IBM z/OS:

New Features in 6.6.11

The product has been built and tested on z/OS v2.5, v2.4, v2.3 and v2.2, which are now the officially supported platforms.
The code targets architecture level 8 (z10, zBC/zEC12, z13, z14, z15 and above).

(ZOS #348) Server program sshd2 is enhanced to write application-specific information (APPLDATA) to its associated z/OS TCP sockets. The information can be viewed via NETSTAT command and stored in SMF Type 119 subtype 2 (TCP connection termination record).

(ZOS #343) Server program sshd2 is optimized for allocating pseudo terminal for ssh terminal connection.

(ZOS #340) If zIIP processor is enabled on the z/OS system and server program sshd2 is running in authorized mode, mainframe CPACF instructions will be shifted to be executed in zIIP processor.

(ZOS #306) New option, -M, --destination-home-directory, is added to ssh-keydist-g3 program. The option allows user to specify the user home directory path in the destination system.

(ZOS #301) Filetype IDCAMS is added to sftp ft advice string. This permits the definition of several kinds of datasets not otherwise possible. This phase handles the entry of commands and retrieval of results, in a JES filetype way.

(ZOS #265) Default XML and DTD files are compiled into Tectia for z/OS client programs.

(ZOS #263) Compression method zlib@openssh.com is supported in Tectia for z/OS server and client programs. The compression method zlib@openssh.com will exploit the benefit of z15 in-core compression facility running on z/OS v2.4 or later.

(ZOS #262) Random_seed file is no longer required by Tectia for z/OS client programs.

(ZOS #261) Plugin module i18n_iconv.so is not packed into product package file. Code page translation function is merged into Tectia for z/OS server and client programs.

(ZOS #246) Permit Tectia for z/OS server program to start on a RDONLY mount point. PidFile configuration option in ssh_certd_config is removed.

 

4. Bug Fixes

The following fixes have been implemented in Tectia SSH Server for IBM z/OS:

Bug Fixes in 6.6.11

(ZOS #353) Tolerate empty extended attribute returned from SSH sftp server.

(ZOS #290) A bug in reading MVS dataset for ft advice string J=MVS-FTP is fixed. The bug leads to a record being splited into two records.

(ZOS #284) Bugs relating to operation on sftp JES spool files are fixed.

(ZOS #283) A bug in Tectia for z/OS client program sshg3 on filtering escape character is fixed.

(ZOS #271) A bug in Tectia for z/OS server program debug record is fixed.

 

5. Known Issues

The following issues are currently known to exist in Tectia SSH Server for IBM z/OS:

- Certd client certificate validation not working properly. As a workaround use SAF validation.

- ssh-keydist-g3 does not work with servers that have only CTR mode ciphers such as aes128-ctr, aes192-ctr, and aes256-ctr enabled.

- The socks proxy function to reload the configuration file has been temporarily disabled due to problems it was creating; restart the socks proxy instead.

- Remote translation tables only work when the ftadv/site command X=BIN is used. Local translation tables work as intended.

- All Platforms: FTP-SFTP Conversion does not support IPv6.

- All Platforms: The usage of IPv6 addresses in certificates is not yet
supported.

- z/OS: SFTP fails when attempting to transfer an empty MVS dataset. However, FTP opens the file and proclaims that the transfer is completed without generating an error.

- The current server cannot read the authorization file that is used in public key authentication if the file is tagged to a TEXT file.

If the authorization file is created e.g. on a Windows host and then transferred to z/OS, it will be automatically tagged as TEXT, and the public key setup fails. In this case, the file must be manually untagged.

If the authorization file is created on a z/OS server, the file is by default untagged and can be used without modifications.

- The write operation to a PDS member locks the PDS and no other connections to that PDS are possible during the transfer.

- IBM-EUCJC code set conversion is not possible on z/OS 1.8 and earlier. Tectia uses iconv() for character set conversions. In z/OS 1.8 and earlier releases, iconv does not have a translation between IBM-EUCJC and UTF-8 or UCS-2.

z/OS 1.9 supports the new Unicode services providing translations between IBM-EUCJC and all other codesets that support the same character set.

Workaround for conversion from IBM-EUCJC and UTF-8 or UCS-2 on z/OS 1.8 and earlier is to manually generate new translation tables for iconv.

- Sftpg3 client fails to suspend (Ctrl-Z) gracefully when run from /bin/sh. Use tcsh or bash instead of /bin/sh or avoid suspending the client.

- Sftpg3 does not accept HFS batch files if addressed by using the DD card. HFS batch files can be used by entering the path of the batch file directly to the sftpg3 command. Alternatively, MVS datasets can be used, either by entering the dataset name directly to the sftpg3 command or by addressing it by using the DD card.

- Multiple files cannot be transferred in parallel into a PDS. If sftp client transfers files in parallel into a PDS, only the first file is copied successfully. The rest fail because PDS is in use by the first file copy.

This happens with third-party and older SSH Tectia (4.x, 5.1) clients.

In Tectia 5.2, file transfer clients can detect the type of the dataset and transfer the members correctly.

When using third-party and older Tectia Clients, the workaround is to use PDSE datasets.

- When browsing MVS data sets in Tectia Client SFTP Windows GUI, data set sizes are shown as 0 (for VSAM files the High Used RBA is shown; it is a good estimate of the number of data bytes).

- If password on command line is used, process listing shows the password as a part of the running process. Use either public key authentication or use password on file.

- On some occasions, Tectia Client 4.x and OpenSSH clients do not report errors if a file transfer to Tectia Server for IBM z/OS fails. The client informs that the transfer was OK, but in reality the transfer might have failed.

This error happens when the actual file transfer is completed successfully, but writing the data to the dataset of HFS file fails for some reason.

For example, the file transfer might fail if the pre-allocated dataset size is not big enough. When the client closes the file, the server de-stages the data to the dataset. This fails, but Tectia Client 4.x and OpenSSH clients ignore the return value of the close operation.

Tectia Client 5.x can report the error correctly.

 

6. Further Information

More information can be found on the man pages and in the Tectia SSH manuals that are also available at:

https://www.ssh.com/manuals/

Additional licenses can be purchased from our online store at: http://www.ssh.com/