BSTTSCPY SSH Secure Copy Facility
Over the years, Barnard Software, Inc., has received a number of requests to provide SSH or SSH-like functionality. However, VSE/ESA and z/VSE do not provide the basic foundation for this type of function.
At the same time we have wondered, “What exactly would you do with SSH on z/VSE?” It is a good question, since z/VSE does not have a 'shell' or interactive command environment. When we ask this question, more often than not we hear, “Well, we have to transfer data to someone that requires we use SSH.”
For this we can provide a solution.
The IPv6/VSE BSTTSCPY SSH Secure Copy Facility uses a Linux Pass-through image to facilitate an SSH connection to remote hosts, providing for secure file transfer using SSH to and from z/VSE.
SSH
SSH is the worldwide standard for secure access to systems.
Secure Shell, or SSH, is a cryptographic (encrypted) network protocol for initiating text-based shell sessions on remote machines in a secure way.
This allows a user to run commands on a machine's command prompt without them being physically present near the machine. It also allows a user to establish a secure channel over an insecure network in a client-server architecture, connecting an SSH client application with an SSH server. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2.
The most visible application of the protocol is for access to shell accounts on Unix-like operating systems, but it sees use on Windows as well. In 2015 Microsoft announced that they would include native support for SSH in a future release.
SSH was designed as a replacement for Telnet and other insecure remote shell protocols such as the Berkeley rsh and rexec protocols, which send information, notably passwords, in plaintext, rendering them susceptible to interception and disclosure using packet analysis. The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network, such as the Internet.
Secure Copy
Secure copy, or SCP, is a means of securely transferring computer files between a local host and a remote host. It is based on the Secure Shell (SSH) protocol.
SFTP vs. FTPS
FTPS (also known as FTP-ES, FTP-SSL and FTP Secure) is an extension to the commonly used File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) cryptographic protocols.
FTPS should not be confused with the SSH File Transfer Protocol (SFTP), an incompatible secure file transfer subsystem for the Secure Shell (SSH) protocol. It is also different from FTP over SSH, the practice of tunneling FTP through an SSH connection.
In the past, CSI and IBM have written manuals describing a “Secure FTP Facility” for z/VSE. This facility is FTPS (FTP using SSL). It is not SFTP (the SSH File Transfer Protocol). IPv6/VSE provides FTPS (FTP over SSL) also.
The Secure Copy facility provided by IPv6/VSE is not SFTP or FTPS.
Secure Copy Concepts
The following diagram shows how the BSTTSCPY Secure Copy Facility transfers data to and from z/VSE using a Linux Pass-through image.
BSTTSCPY using a Linux Pass-through Image
This is the basic overview of the IPv6/VSE Secure Copy Facility and the Linux Pass-through Image.
The BSTTSCPY application running on z/VSE connects to the bsttscpyd (BSTTSCPY Daemon) running on the Linux Pass-through image. From there, the bsttscpyd uses SSH to connect to the destination remote host. Data transferred from BSTTSCPY running on z/VSE to the bsttscpyd is clear text. The data transferred by SSH is, of course, encrypted.
BSTTSCPY Using Linux on System z
This is the recommended configuration.
In this configuration we suggest using a Hipersockets connection between z/VSE and the Linux Pass-through image. This is very fast. This configuration also guarantees no clear text data ever leaves the System z machine.
Linux Fast Path (LFP)
IBM's Linux Fast Path (LFP) can also be used in this configuration. Using LFP, BSTTSCPY can communicate with bsttscpyd running on the Linux Pass-through image using IUCV.
LFP also provides access to z/VM IP Assist, which can be used to access the network on supported System z hardware, providing access to bsttscpyd running on an x86_64 Linux Pass-through image.
BSTTSCPY Using x86_64 Intel
If you do not have a Linux on System z machine available to run the bsttscpyd, you still can use this feature. You can use one of these options:
- An x86_64 Intel Linux machine
- A 64-bit Windows 7 (or newer) machine running either:
  - 64-bit Cygwin
  - VirtualBox running an x86_64 Intel Linux image
Some customers have suggested that this is not a 'secure' configuration and I have been mystified by these comments.
A good network administrator can easily make this configuration completely secure.
First, the subnet used by the BSTTSCPY facility in z/VSE would be different from the usual production subnet. For example, if the production subnet is 192.168.0.0/16, then the subnet used by the BSTTSCPY facility might be 172.16.1.0/24.
Second, the NICs used by the System z machine and the PC would be connected to the same layer 2 switch. This means traffic from these systems would never go outside of the switch being used.
Next, traffic from these systems would use a special/unique VLAN.
And, this is the key. By using a special VLAN for this traffic, it is physically separate from all other traffic on the LAN. This provides excellent security for the data transfers.
Why Use a Linux Pass-through Image?
The SSH connections from the Linux Pass-through image use public key authentication. Public key authentication allows you to login to a remote host via the SSH protocol without a password and is more secure than password-based authentication.
Password authentication is not supported and can not be used with the BSTTSCPY Secure Copy facility.
There are several benefits to using a Linux Pass-through image.
- SSH is basic to all Linux OS installations.
- SSH and Linux are Open Source.
- Support and updates are provided by the Linux distribution, e.g., SUSE, Red Hat.
- FIPS 140-2 Certification of OpenSSH and OpenSSL.
- All cryptographic overhead is offloaded to the Linux Pass-through image. CPU overhead of cryptographic functions can be very high.
- No data is stored on the Linux Pass-through image.
The last item is critical. The Linux Pass-through image is used only for SSH (and its functionality). No data is stored on the Linux Pass-through image at any time.
The Linux Pass-through image can be a Linux on System z (zLinux) image, an x86-64 Intel Linux image or a Windows system hosting a Linux Pass-through image. When using a Windows host, both Cygwin and VirtualBox Linux images are supported.
Linux Pass-through Image
Once you have access to the Linux Pass-through image, you will want to create the user that will run the bsttscpyd daemon. This can be root, but it is not required. Since no data is stored on the Linux Pass-through image, the user used can be a normal user.
Authentication
The SSH connections from the Linux Pass-through image to destination remote hosts use public key authentication. Public key authentication allows you to login to a remote host via the SSH protocol without a password and is more secure than password-based authentication.
Password authentication is not supported and can not be used with the BSTTSCPY Secure Copy facility.
SSH keys provide a more secure way of logging into a virtual private server with SSH than using a password alone. While a password can eventually be cracked with a brute force attack, SSH keys are nearly impossible to decipher by brute force alone. Generating a key pair provides you with two long strings of characters: a public and a private key. You can place the public key on any server, and then unlock it by connecting to it with a client that already has the private key. When the two match up, the system unlocks without the need for a password.
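Since only public key authentication is supported, the OpenSSH client on the Linux Pass-through image can be pinned to that method so a transfer never quietly falls back to a password prompt, and the destination's host key can be pinned as well. The following check is an added example, not part of IPv6/VSE or bsttscpyd; the host name, user name and key file path are assumptions.

```shell
# Added example, not part of IPv6/VSE or bsttscpyd: checks the OpenSSH client
# config (~/.ssh/config) of the account running bsttscpyd on the Linux
# Pass-through image. BSTTSCPY works only with public key authentication, so
# the client is pinned to that method and must not fall back to passwords or
# accept unknown host keys. Host, user and key path are constructed placeholders.

# Required keyword=value pairs (ssh_config keywords are case-insensitive).
REQUIRED='PasswordAuthentication=no
KbdInteractiveAuthentication=no
PubkeyAuthentication=yes
IdentitiesOnly=yes
StrictHostKeyChecking=yes'
# check_ssh_config FILE: print each missing or wrong setting; return 0 only when
# every required setting is present. The file is assumed to hold one Host block;
# as in ssh itself, the first occurrence of a keyword wins.
check_ssh_config() {
    rc=0
    for pair in $REQUIRED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(awk -v k="$key" '{ gsub(/=/, " ") }
              tolower($1) == tolower(k) { print tolower($2); exit }' "$1")
        if [ "$got" != "$want" ]; then
            echo "$1: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}
WEAK=$(mktemp); HARD=$(mktemp)
# Constructed weak config: no method pinning, so ssh may fall back to a password
# prompt, and host keys are not strictly checked.
cat >"$WEAK" <<'EOF'
Host remote.example
    User transfer
EOF
# Constructed hardened config: key-only, one dedicated identity, pinned known_hosts.
cat >"$HARD" <<'EOF'
Host remote.example
    User transfer
    IdentityFile ~/.ssh/bsttscpyd_ed25519
    IdentitiesOnly yes
    PubkeyAuthentication yes
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts_bsttscpyd
EOF
if check_ssh_config "$HARD"; then echo "hardened config: OK"; fi
check_ssh_config "$WEAK" || echo "weak config: FAIL"
```

Run it as the bsttscpyd user after editing that account's ~/.ssh/config, pointing the function at the real file; the known_hosts file it names must already contain the destination host's key, since StrictHostKeyChecking yes will otherwise refuse the connection.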
BSTTSCPY
The basic structure of the z/VSE BSTTSCPY application is similar to the IPv6/VSE BSTTFTPC application. Remember, SSH transfers all data in binary form. So, if translation of the data is necessary, you must tell BSTTSCPY to handle this function.
BSTTSCPY requires IPv6/VSE Build 256pre17 (or later).
Feature code 'S' is required for use of the IPv6/VSE BSTTSCPY application. If your IPv6/VSE license key does not have feature code 'S' in it, you will need to contact Barnard Software, Inc. for an updated license key.
The IPv6/VSE BSTTSCPY application (like BSTTFTPC, BSTTMTPC, etc.) requires a minimum 8M partition for execution.
BSTTSCPY can use the IPv6/VSE BSTTINET/BSTT6NET TCP/IP stacks as well as the TCP/IP for VSE TCP/IP stack.
The Basic Process
- Identify the stack and connect to the bsttscpyd you want to access.
- Define the INPUT or OUTPUT data.
- Specify options, e.g., TYPE A (Convert to ASCII), etc. Most of the options used for a BSTTFTPC FTP client data transfer can be used with BSTTSCPY also.
- Define the destination remote host, userid and port.
- STOR or RETR the data.
- And, finally, QUIT.
Basic JCL
// EXEC BSTTSCPY,SIZE=BSTTSCPY
ID nn
OPEN ...
*
INPUT ...
TYPE A
*
PORT 22
HOST user@host
STOR file.name
*
QUIT
/*
Just like BSTTFTPC, BSTTSCPY commands are used in pairs. The INPUT command is paired with the STOR command and the OUTPUT command is paired with the RETR command.
IPv6/VSE for VSE/ESA and z/VSE
More information about the IPv6/VSE SSH Secure Copy facility is available in the IPv6/VSE SSH Secure Copy Supplement Guide. This manual is part of the IPv6/VSE download available from the BSI website.