
User profile HARRY will be used in this example as the user profile that will do the transmission.

Using sFTP With Positive Pay

Requirements

5733SC1 Option *BASE: IBM Portable Utilities for i5/OS
5733SC1 Option 1: OpenSSH, OpenSSL, zlib

Install and Verify Secure Connectivity

Generate Your Key

Check User Profile

First check that the user profile that will actually do the transmission has a home directory defined and that it exists.

DSPUSRPRF HARRY

On the last page of the display verify that a home directory exists: Home directory . . . . . . . . . . . . . . : /home/harry

Also note the full path, and the case of the directories. The sFTP procedure is case sensitive.

If there is no home directory defined add one:
CHGUSRPRF HARRY HOMEDIR('/home/harry')

Then start the shell and verify that the directory exists:
call qp2term
cd /home/harry
pwd

If the directory that prints is not /home/harry then create it:
mkdir /home/harry
chmod 700 /home/harry

Lastly verify that the $HOME environment variable is set to the home directory:
echo $HOME

Note that this directory should be the default directory in the transmission job. You should check that job descriptions do not set it differently.

Generate Your Key Pair

Run these commands from the greenscreen command line to create the SSH key pair that the transmitting profile will authenticate with (Positive Pay refers to this key pair as the certificate; it is an ordinary SSH key pair, not an X.509 certificate):

call qp2term
cd /home/harry
mkdir .ssh
chmod 700 .ssh

ssh-keygen -t rsa
Press <enter> at the passphrase prompt, leaving it empty. Positive Pay does not presently support a passphrase on the private key, so the key file's permissions are its only protection. Accept the default file name so that the key is written to /home/harry/.ssh/id_rsa. On an older OpenSSH release add -b to set the key length explicitly (for example ssh-keygen -t rsa -b 2048, or larger if the bank requires it) rather than relying on the default.

chmod 600 .ssh/*

You should now have a directory /home/harry/.ssh that contains two files:
id_rsa ( your private key )
id_rsa.pub ( your public key )

Copy the public key id_rsa.pub ( not the private key!! ) off the IBM i, for example with FTP, and send it to the bank or processor through the channel they specify.

Note that possession of the private key ( id_rsa ) is sufficient to authenticate: anyone holding just id_rsa can log in to the bank as you. Never send it to anyone, the bank included, and never copy it to another system.

Install the Remote Server's Key

The bank or processor may send you the public half of their SSH host key, called bank.pub in this example. It lets your client verify that the machine it connects to really is the bank, so it belongs in your known_hosts file, the list of trusted server keys that the ssh and sftp clients consult. Do not put it in authorized_keys: that file is read only by the SSH server on your own system, and an entry there would let whoever holds the matching private key log in to the HARRY profile, which is the opposite of what you want.

FTP this file to /home/harry/.ssh

Then install the key as a known_hosts entry, prefixed with the bank's host name (use the form [sshFtp.bigBank.com]:10022 instead of the bare host name if the bank uses a non-standard port):
call qp2term
cd /home/harry/.ssh
( printf 'sshFtp.bigBank.com ' ; cat bank.pub ) >> known_hosts
chmod 600 known_hosts

If bank.pub begins with the line ---- BEGIN SSH2 PUBLIC KEY ---- it is in RFC 4716 format; convert it first with ssh-keygen -i -f bank.pub and append that output (prefixed with the host name) instead. ssh-keygen -l -f bank.pub displays the key's fingerprint, which you should compare with the fingerprint the bank published.

You should now have a known_hosts line consisting of the host name followed by the contents of bank.pub, so that your SSH client can match it against the key the bank's server presents at connection time.

Final Check

As a last step verify that the transmitting user ( harry ) owns every file in the .ssh directory and that the permissions are read and write for the file owner only:

ls -l /home/harry/.ssh

-rw-------   1 harry  0               887 Nov 17 12:52 id_rsa           
-rw-------   1 harry  0               241 Nov 17 12:52 id_rsa.pub       
-rw-------   1 harry  0               227 Jan 14 13:29 known_hosts      
The permissions are the first column.
The file owner is the third column.
known_hosts holds the bank's host key and appears once you have installed it or completed the first connection.

If you need to set the file ownership use: chown harry /home/harry/.ssh/*
If you need to set the permissions use: chmod 600 /home/harry/.ssh/*

Because the private key has no passphrase, these modes are its only protection: any profile that can read id_rsa can log in to the bank as you, and ssh itself refuses to use a private key that is readable by group or others.
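The home directory and .ssh checks above can be run as one script that reports every deviation instead of being eyeballed from ls output. The following is an added example, not code from this page or from Positive Pay; it assumes a POSIX ls and awk as found in the PASE shell (qp2term) or QShell, uses the page's profile HARRY and directory /home/harry only as sample arguments, and the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the Positive Pay documentation): audit the
# transmitting profile's home directory and .ssh directory the way the
# manual checks above do, printing one line per problem.

# perm_and_owner PATH -> prints "<mode> <owner>" taken from `ls -ld`, which
# is portable across PASE, QShell and Linux (no GNU stat needed).
perm_and_owner() {
    ls -ld "$1" 2>/dev/null | awk '{ print $1, $3 }'
}

# audit_ssh_home USER HOMEDIR
# Returns the number of problems found (0 means everything matches the
# Final Check above). Example: audit_ssh_home harry /home/harry
audit_ssh_home() {
    user=$1
    home=$2
    problems=0

    if [ ! -d "$home" ]; then
        echo "missing: $home"
        return 1
    fi

    # Both directories must be 700 and owned by the transmitting user.
    for dir in "$home" "$home/.ssh"; do
        if [ ! -d "$dir" ]; then
            echo "missing: $dir"
            problems=$((problems + 1))
            continue
        fi
        set -- $(perm_and_owner "$dir")
        case "$1" in
            drwx------*) ;;      # a trailing . or + (ACL marker) is tolerated
            *) echo "mode $1 on $dir (want drwx------)"; problems=$((problems + 1)) ;;
        esac
        [ "$2" = "$user" ] || { echo "owner $2 on $dir (want $user)"; problems=$((problems + 1)); }
    done

    [ -d "$home/.ssh" ] || return "$problems"

    # Every file in .ssh, the passphrase-less private key above all, must be
    # 600 and owned by the transmitting user: the mode is the key's only
    # protection, and ssh refuses a private key readable by group or others.
    for f in "$home"/.ssh/*; do
        [ -f "$f" ] || continue
        set -- $(perm_and_owner "$f")
        case "$1" in
            -rw-------*) ;;
            *) echo "mode $1 on $f (want -rw-------)"; problems=$((problems + 1)) ;;
        esac
        [ "$2" = "$user" ] || { echo "owner $2 on $f (want $user)"; problems=$((problems + 1)); }
    done

    return "$problems"
}
```

Run it as the transmitting profile or as a profile with *ALLOBJ; a non-zero return means at least one of the chown or chmod commands above is still needed.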

Test the Key Handshake

Presuming that the bank's sFTP host name is sshFtp.bigBank.com and that your login id is customer:

Create a text file to upload as a test:
call qp2term
cd /home/harry
echo 'hi there' > test.txt
sftp -v customer@sshFtp.bigBank.com

You should then get an sFTP command prompt:
sftp>

then upload the file:
put test.txt

then end the session if the remote system does not automatically disconnect:
quit

Notes:
1. It is sometimes easier to test the connectivity using the ssh client; however, the bank may not support an interactive ssh connection.

2. The default sFTP / SSH port is 22, and the test above needs no port option. If the bank uses a non-standard port
( for example port 10022 ) the test connection command is: sftp -v -oPort=10022 customer@sshFtp.bigBank.com

3. At the start of the first manual connection test the client may prompt you to add the bank's server to the
known_hosts file:

The authenticity of host <bankHost> can't be established.
RSA key fingerprint is …
Are you sure you want to continue connecting (yes/no)?

Compare the fingerprint shown with the one the bank supplied ( or with the output of ssh-keygen -l -f bank.pub if you were given the key file ) and answer 'yes' only if they match. If you have already installed the bank's key in known_hosts this prompt should not appear at all; if it does, the key the server presented is not the one you were given, and you should stop and check with the bank before continuing.
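The connection test above is interactive, which is exactly what a scheduled transmission must not be: a stray "yes" at the fingerprint prompt accepts whatever key the far end presents. The following added example (my code, not this page's or Positive Pay's) builds the known_hosts entry from the file the bank supplied and then repeats the upload test in batch mode, where no prompt is possible and a missing or changed host key makes sftp fail. The host sshFtp.bigBank.com, user customer, port 10022 and file bank.pub are the page's sample names; nothing here is a real key, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the Positive Pay documentation.

# known_hosts_entry HOST PORT KEYFILE
# Prints the single known_hosts line for HOST. OpenSSH expects the bare
# host name for port 22 and the "[host]:port" form for any other port.
# KEYFILE may be OpenSSH format ("ssh-rsa AAAA...") or RFC 4716 format
# ("---- BEGIN SSH2 PUBLIC KEY ----"), which ssh-keygen -i converts.
known_hosts_entry() {
    host=$1; port=$2; keyfile=$3
    if [ "$port" = 22 ]; then label=$host; else label="[$host]:$port"; fi
    if head -n 1 "$keyfile" | grep -q 'BEGIN SSH2 PUBLIC KEY'; then
        key=$(ssh-keygen -i -f "$keyfile")
    else
        key=$(grep -v '^#' "$keyfile" | head -n 1)
    fi
    printf '%s %s\n' "$label" "$key"
}

# install_known_host HOST PORT KEYFILE KNOWN_HOSTS
# Appends the entry unless an identical line is already present and keeps
# the file at mode 600 like the rest of .ssh.
install_known_host() {
    entry=$(known_hosts_entry "$1" "$2" "$3")
    touch "$4"; chmod 600 "$4"
    grep -qxF "$entry" "$4" || printf '%s\n' "$entry" >> "$4"
}

# sftp_batch_test HOST PORT USER HOMEDIR
# Uploads HOMEDIR/test.txt exactly as the manual test does, but unattended:
# BatchMode forbids password and passphrase prompts, StrictHostKeyChecking
# refuses any host not already in the pinned known_hosts file instead of
# asking, and a failing command in the batch file makes sftp exit non-zero.
# Example: sftp_batch_test sshFtp.bigBank.com 10022 customer /home/harry
sftp_batch_test() {
    host=$1; port=$2; user=$3; home=$4
    batch=$home/sftp_test.batch
    printf 'put %s/test.txt\nquit\n' "$home" > "$batch"
    sftp -oBatchMode=yes -oStrictHostKeyChecking=yes \
         -oUserKnownHostsFile="$home/.ssh/known_hosts" \
         -oIdentityFile="$home/.ssh/id_rsa" \
         -oPort="$port" -b "$batch" "$user@$host"
}
```

Typical use from qp2term is install_known_host sshFtp.bigBank.com 10022 /home/harry/.ssh/bank.pub /home/harry/.ssh/known_hosts followed by the sftp_batch_test call shown in the comment; check the exit status of sftp rather than its output, and before installing compare ssh-keygen -l -f bank.pub with the fingerprint the bank published.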

Configure Positive Pay for sFTP

In the Positive Pay application definition F8 invokes the FTP configuration screen.

                           Configure FTP                        
                                                                
       Use FTP  . .: H   Y=Yes N=No S=FTPS H=sFTP               
                                                                
       Domain. . . : sshFtp.bigBank.com
       User Name . : customer
       Password. . :                                            
       Confirm . . :                                            
                                                                
       
       Target Path :                                           
       Target File : upload.txt
       Remote File :                                    
       Retrv File  :            /            Lib/File    
                                                                
       Port:         *SECURE     *SECURE *DFT 1-65535           
       Encryption .: *SSL        *SSL *NONE                     
       FTP Mode . .: *PASSIVE    *ACTIVE *PASSIVE               
                                                                
  F1=Help   F12=Previous  F23=Delete                            

For sFTP you will need to specify the items filled in on the screen above: Use FTP ( H for sFTP ), Domain ( the bank's host name ), User Name ( your login id at the bank ) and Target File ( upload.txt in the example ).

Note that you should not supply a password since authentication is done with the key pair generated above; leave Password and Confirm blank.

Receiving a File Using sFTP

                           Configure FTP                        
                                                                
       Use FTP  . .: H   Y=Yes N=No S=FTPS H=sFTP               
                                                                
       Domain. . . : sshFtp.bigBank.com
       User Name . : customer
       Password. . :                                            
       Confirm . . :                                            
                                                                
       Target Path :                                           
       Target File : upload.txt
       Remote File : acct100.txt                                   
       Retrv File  : FMG        / ACCT100     Lib/File    
                                                                
       Port:         *SECURE     *SECURE *DFT 1-65535           
       Encryption .: *SSL        *SSL *NONE                     
       FTP Mode . .: *PASSIVE    *ACTIVE *PASSIVE               
                                                                
  F1=Help   F12=Previous  F23=Delete                            

Once uploading works you can configure downloading.

Specify the remote file name and the target DB2 library / file in the Remote File and Retrv File fields shown above.
The remote file is the path of the object on the bank's system to be retrieved.
The DB2 file is the library and file name of the physical file on your system that receives the data.
The DB2 file must already exist and must have an adequate record length.

To download the file, prompt the command RCVSFTP and enter the name of the Positive Pay application.
The target file's first member will be overwritten with the downloaded data.

Known Issues

If PPR3032, the sFTP transmission program, abends during a transmission, temporary files can be left in the /tmp directory. Depending on the point of the abend these files can include a copy of the transmitted data. If the program completes successfully it removes them. The copy in /tmp is created with read and write permission restricted to the user profile running the transmission.

In general you should clear your temporary directory periodically.
You can use this command to set up a scheduled job that removes regular files under /tmp that have not been modified for more than a day ( find rounds the age down to whole days, so -mtime +1 matches files at least 48 hours old; -type f skips directories, and -exec passes each name as a single argument, so names containing spaces are handled, which the glob-and-xargs form is not ):

ADDJOBSCDE JOB(CLRTMP) CMD(STRQSH CMD('find /tmp -type f -mtime +1 -exec rm -f {} \;')) 
FRQ(*WEEKLY) SCDDATE(*NONE) SCDDAY(*ALL) SCDTIME('17:00:00') RCYACN(*NOSBM) TEXT('Clear /tmp')

You should adjust the run date and time as appropriate, and confirm that no other application keeps long-lived files in /tmp that this job would remove.

This command does not remove directories, and a periodic manual inspection of /tmp is a good idea.
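The cleanup can be wrapped so that it can be rehearsed before it deletes anything, which matters in a shared /tmp. The following is an added example, not code from this page or from Positive Pay, and it generalizes the scheduled command above to any directory and age with a dry-run mode. It assumes a POSIX find, rm and touch as in QShell or the PASE shell, and knows nothing about the names PPR3032 gives its temporary files; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the Positive Pay documentation.

# clean_old_files DIR DAYS [dryrun]
# Deletes (or, with any third argument, only lists) regular files below DIR
# whose modification time is more than DAYS whole days old; find rounds the
# age down, so DAYS=1 means at least 48 hours. Prints each path handled and
# returns non-zero only when DIR does not exist.
# Example: clean_old_files /tmp 1 dry   # rehearse
#          clean_old_files /tmp 1       # delete
clean_old_files() {
    dir=$1; days=$2; dryrun=$3
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    if [ -n "$dryrun" ]; then
        find "$dir" -type f -mtime +"$days" -print
    else
        # -exec hands each path to rm as one argument, so spaces are safe;
        # -type f leaves directories, symbolic links and sockets untouched.
        find "$dir" -type f -mtime +"$days" -print -exec rm -f {} \;
    fi
}

# count_files DIR -> number of regular files left below DIR, for checking
# the result of a run.
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}
```

Run the dry-run form from an interactive qp2term session first; only once the listed names are all stale transmission leftovers put the deleting form in the scheduled job.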

