The following sections describe how to install and customize the Co:Z FTP-SSH Proxy.
The Co:Z FTP-SSH Proxy is a Java application which is typically run on the client host. In order to use it, the FTP client must be configured to use:
Co:Z FTP-SSH as a SOCKS5 proxy
passive mode FTP connections
This section will describe how to configure the z/OS Communications Server FTP client. Users of other operating systems should refer to their FTP client documentation for details.
Download the ftpsshproxy-v.r.m.pax file and upload it in binary to a temporary HFS/zFS file on your z/OS system.
Create an installation target directory of your choice and unpack the pax file:
    mkdir /usr/local/ftpsshproxy
    cd /usr/local/ftpsshproxy
    pax -rf /tmp/ftpsshproxy-v.r.m.pax
The directory should contain the following files:
ftpsshproxy.jar - executable Java archive
jsch-0.1.40.jar - JCraft JSch library
log4j-1.2.14.jar - Apache Log4J logging framework
ftpsshproxy.sh - shell script to run under a Unix shell
ftpsshproxy.jcl - sample JCL to run as z/OS job (task)
license/ - license information
Configure the FTP client to use Co:Z FTP-SSH as a SOCKS5 proxy. On z/OS, this can be configured on a system-wide, per user, or per job basis using the z/OS Communications Server FTP configuration files. [4]
For example, to configure the FTP client for a specific userid to use passive mode and a SOCKS proxy, add the following lines to the dataset userid.FTP.DATA:
    FWFRIENDLY TRUE
    SOCKSCONFIGFILE 'userid.FTP.SOCKS.CONF'
Next, you must create an FTP SOCKS configuration file that enables the SOCKS proxy for selected destination FTP server IP addresses. For example, to use direct connections for selected local subnets and the proxy for everything else, create a dataset userid.FTP.SOCKS.CONF with the following:
    direct 127.0.0.1/32 ; loopback adapter
    direct 10.0.0.0/8 ; private subnet
    direct 192.168.0.0/16 ; private subnet
    sockd5 @=127.0.0.1 0.0.0.0 0.0.0.0 ; Anything else
This assumes that the Co:Z FTP-SSH Proxy will run on the same machine as the FTP client, and listen on the loopback address (127.0.0.1), port 1080. Note that the z/OS Communications Server FTP client can only use SOCKS proxies on port 1080, so if you have another service already running on 127.0.0.1:1080, you will need to define an alternate loopback adapter, say "127.0.0.2", in your z/OS TCP/IP profile dataset.
The z/OS FTP client will select the first line in the SOCKS configuration file that matches the destination address. If you wanted to proxy only selected networks and addresses, a sample configuration might be:
    sockd5 @=127.0.0.1 216.34.181.0/24 ; class C subnet
    sockd5 @=127.0.0.1 216.239.120.99/32 ; a single address
    direct 0.0.0.0 0.0.0.0 ; Anything else
It is also possible to run the Co:Z FTP-SSH Proxy on another machine in the client network, but note that communications between the FTP client and the FTP-SSH Proxy machine are not encrypted.
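Because the first matching line decides whether an FTP session is tunnelled or sent directly, it is worth checking a SOCKS configuration against the destinations you expect to be protected before deploying it. The following Python sketch is an added example, not part of the Co:Z distribution or of IBM's tooling; its function names are hypothetical, and it assumes the file uses only the two destination forms shown on this page (address/prefix, and address followed by a mask).

```python
import ipaddress

# Constructed sample: the first SOCKS configuration shown on this page.
SAMPLE_CONF = """\
direct 127.0.0.1/32 ; loopback adapter
direct 10.0.0.0/8 ; private subnet
direct 192.168.0.0/16 ; private subnet
sockd5 @=127.0.0.1 0.0.0.0 0.0.0.0 ; Anything else
"""

def parse_rules(text):
    """Return [(action, proxy_or_None, network)] in file order."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()   # drop ';' comments
        if not fields:
            continue
        action, rest = fields[0].lower(), fields[1:]
        proxy = None
        if rest and rest[0].startswith("@="):   # "@=" names the SOCKS server
            proxy, rest = rest[0][2:], rest[1:]
        if len(rest) == 2:                      # "address mask" form
            dest = f"{rest[0]}/{rest[1]}"
        elif len(rest) == 1:                    # "address/prefix" form
            dest = rest[0]
        else:
            raise ValueError(f"unrecognised rule: {raw!r}")
        rules.append((action, proxy, ipaddress.ip_network(dest, strict=False)))
    return rules

def route(rules, dest):
    """First matching line wins, as described for the z/OS FTP client."""
    addr = ipaddress.ip_address(dest)
    for action, proxy, net in rules:
        if addr in net:
            return action, proxy
    return None, None   # no line matched; behaviour not covered by this page

def unproxied(rules, dests):
    """Destinations that would not go through the SOCKS5 proxy."""
    return [d for d in dests if route(rules, d)[0] != "sockd5"]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    for d in ("10.1.2.3", "192.168.5.9", "216.34.181.45"):
        print(d, route(rules, d))
```

Feeding `unproxied()` the list of FTP servers that are supposed to be tunnelled gives a quick check that no earlier `direct` line shadows them.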
An SSH2 compatible server, such as OpenSSH, must be installed on the same host as the target FTP server.
The SSH server must allow "port forwarding" to the FTP server via the loopback interface ("localhost").
The SSH server must be running on the default SSH port - 22. There is currently no way to configure the Co:Z FTP-SSH proxy to connect to alternate SSHD ports.
The SSH server must allow logins using the same userid and password that will be used for the FTP server.
Note: The default configuration for OpenSSH supports the above requirements.
[4] See the IBM publication: "z/OS Communications Server: IP Configuration Reference - File Transfer Protocol (FTP)" for details.