<html><head>
<title>Accessing IBM Information Exchange with Kermit</title>
</head><body bgcolor="#ffffff" text="#000000">
<h2><a name="top">Accessing IBM Information Exchange with Kermit</a></h2>
[ <a href="index.html">Kermit Home</a> ]
[ <a href="k95.html">Kermit 95</a> ]
[ <a href="ckermit.html">C-Kermit</a> ]
[ <a href="security.html">Security</a> ]
[ <a href="ckscripts.html">Kermit Scripts</a> ]
[ <a href="ftpscripts.html">FTP Scripts</a> ]
<p>
<i>Most Recent Update:</i>
Tue Jul 23 10:18:26 2002
<p>
<a href="http://edi.services.ibm.com/ie/">IBM Information Exchange</a> (IE) is
a key component of IBM's Interchange Services for e-business that facilitates
secure interchange of data among its trading partners. For this, a <b>secure
FTP client</b> is required. Several of these are listed on IBM's Information
Exchange
<a href="https://pki.services.ibm.com/ieftp/webdocs.shtml">Support Page</a>.
Among them is Columbia University's <a href="index.html">Kermit software</a>.
This document explains how to use Kermit with IBM Information Exchange.
<p>
<blockquote>
<i>
These notes should also apply (perhaps with minor differences) to IBM
Advantis, IBM Global Exchange, and IBM Internet Data and Document Exchange
(IDDX).
<p>
These notes are developed in consultation with IBM and its customers, but
since we do not have access to the IBM services discussed here,
most of the information is second-hand. If you have questions, corrections,
or suggestions for improvement, please
<a href="mailto:kermit@columbia.edu">contact us</a>.
</i>
</blockquote>
<h3><hr>CONTENTS</h3>
<ul>
<li><a href="#alerts">BULLETINS</a>
<li><a href="#software">WHICH KERMIT SOFTWARE SHOULD I USE?</a>
<li><a href="#certs">WHAT DO I DO WITH MY CERTIFICATE FILES?</a>
<li><a href="#access">HOW DO I ACCESS IBM INFORMATION EXCHANGE?</a>
<li><a href="#using">USING THE CONNECTION</a>
<li><a href="#trouble">TROUBLESHOOTING</a>
<li><a href="#automation">HOW DO I AUTOMATE THE CONNECTION?</a>
<li><a href="#ibmhandout">APPENDIX: IBM HANDOUT</a>
</ul>
<h3><a name="alerts"><hr>BULLETINS</a></h3>
<b>If you are using Kermit 95 2.0</b> on Windows and find that your connection
to IBM Info Exchange is closed by the server, this is because of a
bug in the server (see the
<a href="ftp://kermit.columbia.edu/kermit/k95/newbugs.txt">New Bugs List</a>,
item 680), which was reported to IBM 27 June 2002 and should be fixed soon.
In the meantime, the workaround is to tell Kermit to:
<p>
<blockquote>
<pre>
set auth tls cipher-list EXP1024-RC4-SHA
</pre>
</blockquote>
<p>
before giving the FTP OPEN command (note: cipher names are case-sensitive).
Version 2.04 (and later) of the <a
href="ftp://kermit.columbia.edu/kermit/scripts/ckermit/ibm_infoexchange">sample
script</a> includes this workaround. If you are using the K95 Dialer's IBM
Info Exchange entry, place the string:
<p>
<blockquote>
<pre>
EXP1024-RC4-SHA
</pre>
</blockquote>
<p>
(uppercase) into the Cipher List field on the entry's SSL/TLS Settings page.
<h3><a name="software"><hr>Which Kermit Software Should I Use?</a></h3>
The latest Kermit software releases include a new integrated FTP client;
<a href="ftpclient.html">CLICK HERE</a> for an overview. The Kermit programs
and versions that have this feature are:
<p>
<ul>
<li><a href="k95.html">Kermit 95 2.0</a>
for Windows 95/98/ME/NT/2000/XP; and:
<li><a href="ckermit.html">C-Kermit 8.0</a>
for Unix (Linux, AIX, Solaris, HP-UX, FreeBSD, and all other Unix varieties)
</ul>
<p>
If you don't have Kermit software, you can download it from the links above.
<p>
Kermit software comes in secure and non-secure versions due to United States
export law. <b>A secure version of Kermit 95 or C-Kermit is required</b> to
access IBM IE; that is, one that supports <b>SSL/TLS</b> transport with
authentication via <b>X.509 certificates</b>. If you already have a copy of
Kermit, but you don't know whether it is a secure version, type the following
commands at its prompt (sorry; we'll have an easier way to do this in a
future release):
<p>
<blockquote>
<pre>
define test if avail ssl echo AVAILABLE
test
</pre>
</blockquote>
<p>
If the response is:
<p>
<blockquote>
<pre>
AVAILABLE
</pre>
</blockquote>
<p>
then you have a secure version. If you do not have a secure version, then:
<p>
<ul>
<li>For <a href="k95.html">Kermit 95</a>, you can install the
<a href="k95upgrade.html">security upgrade</a> if you are in the USA
or Canada (a license for export to other countries is pending).
<p>
<li>For <a href="ckermit.html">C-Kermit</a>, you can download the source
code and build a secure version on your Unix system (because export of
certain types of source code is allowed); see the
<a href="security.html">Kermit Security Reference</a> for instructions.
</ul>
<h3><a name="certs"><hr>What Do I Do With My Certificate Files?</a></h3>
<blockquote><i>
For a tutorial on X.509 Certificates,
<a href="http://www.columbia.edu/kermit/security.htm#xa3">CLICK HERE</a>.
</i></blockquote>
<p>
<tt>\v(appdata)</tt>,
<tt>\v(common)</tt>, and
<tt>\v(exedir)</tt>
are Kermit variables denoting Windows directories that
can vary from one version of Windows to another: <tt>\v(exedir)</tt> is
Kermit's program directory; <tt>\v(common)</tt> is Kermit's Application Data
directory for all users; <tt>\v(appdata)</tt> is your personal Kermit
Application Data directory. <a href="k95readme.htm#x9">CLICK HERE</a> for a
more detailed explanation.
<p>
Before you can log in to IBM Info Exchange, you must have two Certificate
files provided to you by IBM:
<p>
<ol>
<li>The IBM InfoExchange Root CA Certificate. If you have Kermit 95 2.0,
this certificate is already installed as part of the Kermit 95
<tt>\v(common)ca_certs.pem</tt> file.
<p>
<li>The Personal File containing the Client Certificate
signed by the IBM Root CA and your Private Key. This file
is called <tt>ibm_ie_personal.pem</tt>.
</ol>
<p>
The IBM certificates come in PKCS#12 format, but OpenSSL (which Kermit
uses) requires them to be in PEM format. You can convert them to PEM format
with the <tt>openssl</tt> program, which in Windows is in your Kermit 95
program directory, and in Unix is in <tt>/usr/local/ssl/bin/</tt> or whatever
other directory OpenSSL was installed in:
<p>
<blockquote>
<pre>
openssl pkcs12 -in <i>pkcs12file</i> -out <i>pemfile</i>
</pre>
</blockquote>
<p>
More about converting certificates to PEM format
<a href="https://pki.services.ibm.com/ieftp/convert2pem.shtml">HERE</a>.
<p>
<b>If you have Kermit 95 2.0</b>, you also already have the IBM IE root
certificate, since it is included in the <tt>ca_certs.pem</tt> file in Kermit
95's All Users Application Data directory.
<p>
<b>If you have Kermit 95 1.1.21</b>, note that you can upgrade it to version
2.0 <a href="k95upgrade.html">HERE</a>.
<p>
<b>If you have Kermit 95 1.1.21 or C-Kermit</b>, then you must specify the
location (full path) of the IBM IE root certificate with the SET AUTH TLS
VERIFY-FILE command. In Windows, this file should go in Kermit 95's
All Users Application Data directory:
<p>
<blockquote>
<pre>
set auth tls verify-file \v(common)ibm_ie_ca.pem
</pre>
</blockquote>
<p>
In Unix, there is no standard place to put certificates, so put them wherever
you wish and use the SET AUTH TLS VERIFY-FILE command to let C-Kermit know
where it is.
<p>
Now you must specify the location of your <b>personal certificate and key
files</b> with the following commands:
<p>
<blockquote>
<pre>
set auth tls rsa-cert-file <i>filename</i>
set auth tls rsa-key-file <i>filename</i>
</pre>
</blockquote>
<p>
Note: the RSA-CERT-FILE and the RSA-KEY-FILE can be the same file, and in the
case of IBM IE, they typically are: <tt>ibm_ie_personal.pem</tt>.
In Windows, we recommend you place this file in the CERTS subdirectory of
your personal Kermit 95 Application Data directory, <tt>\v(appdata)</tt>:
<p>
<blockquote>
<pre>
set auth tls rsa-cert-file \v(appdata)certs/ibm_ie_personal.pem
set auth tls rsa-key-file \v(appdata)certs/ibm_ie_personal.pem
</pre>
</blockquote>
<p>
because that is where the IBM Info Exchange entry preloaded in K95 2.0 Dialer
looks for it. If you put this file in a different location, and still wish
to use the Dialer entry, you must edit the SSL/TLS Settings page to show the
new location (in the Client Certificate File and Client Private Key file
boxes).
<p>
<blockquote>
<i>
In fact the correct location for your personal certificate files is in
<tt>\v(appdata)</tt> and not in its CERTS subdirectory, but the K95 2.0 Dialer
entry for IBM Info Exchange mistakenly looks for them in the CERTS
subdirectory, which is why we recommend you put them there. The
<tt>ibm_infoexchange</tt> sample script finds them in either place. The
actual purpose for the CERTS subdirectories is to hold certificate files whose
names have a special encoding.
</i>
</blockquote>
<h3><a name="access"><hr>How Do I Access IBM Information Exchange?</a></h3>
<b>If you have Kermit 95 2.0</b>, you can use the Dialer's
preloaded IBM Info Exchange entry, which has the connection details and
SSL/TLS Settings mostly filled out for you (<a href="#alerts">BUT FIRST CHECK
ANY BULLETINS</a>). Before first using this entry, you must edit it
to supply your username and password: Right-click on this entry, Choose Edit,
then choose Login, fill in the user ID and password for your IBM IE
account, and then click OK.
<p>
<blockquote>
<i>
NOTE: The FTP User ID for IBM Information Exchange is in the format
ACCOUNT.USERID. For example if your IE account is IBM1 and your IE User ID
is OLGA, your FTP user ID is IBM1.OLGA. The FTP user ID is not case sensitive.
</i>
</blockquote>
<p>
You only have to edit the Dialer entry once; from now you can use it simply by
double-clicking on it, or by highlighting it and clicking on CONNECT in the
Dialer's Toolbar.
<p>
<b>In C-Kermit 8.0 or Kermit 95 1.1.21</b>, or (if you wish) K95 2.0,
you can use the following <a href="ckscripts.html">Kermit script</a> to
make secure connections to IBM Information Exchange:
<p>
<blockquote>
<pre>
<a href="ftp://kermit.columbia.edu/kermit/scripts/ckermit/ibm_infoexchange">ftp://kermit.columbia.edu/kermit/scripts/ckermit/ibm_infoexchange</a>
</pre>
</blockquote>
<p>
You must modify the script to specify the full path for your certificate files
if they differ from those used in the script (use a plain-text editor such
as Notepad to do this).
<p>
Kermit scripts can be executed by any of the methods described <a
href="ckscripts.html">HERE</a>. For example, you can store the script file on
your Windows desktop with a filetype of <tt>.KSC</tt> (which is associated
with Kermit 95), and then launch the connection by clicking on its icon. From
the command line or a batch file, you can use:
<p>
<blockquote>
<pre>
k95 ibm_infoexchange.ksc <i>username</i>
</pre>
</blockquote>
<p>
This assumes <tt>K95.EXE</tt> is in your PATH; if not, specify its full
pathname. Ditto for the script filename.
<p>
Once the script or Dialer entry is launched:
<p>
<ol>
<li>If your private key file is encrypted, you are prompted for the decryption
passphrase.
<p>
<li>If you are using the script, but you did not supply a username on the
command line, you are prompted for a username. (If you are using the Dialer,
you must supply your username on the IBM Info Exchange entry's Login page.)
<p>
<li>If you did not supply a host password (on the script command line or
in the Dialer entry), you are prompted for one. The username and password
are encrypted for transmission to the server.
</ol>
<p>
If the IBM server responds to your connection attempt with:
<p>
<blockquote>
<tt>Service not Available, Connection Closed by Server.</tt>
</blockquote>
<p>
it probably means that Kermit did not find your certificate file; please
reread the previous section.
<p>
If you see a complaint regarding missing CRL files, you can ignore it.
It means that Kermit looked for Certificate Revocation Lists (CRLs), which
would list any of your certificates that have been revoked. Normally there
are no CRLs, so Kermit does not find any CRL files.
<p>
Once you are logged in to the Info Exchange server, you can give regular FTP
client commands like DIRECTORY, CD, PUT, GET, and MGET, and when done, you can
give a BYE command to disconnect from the server and EXIT from Kermit.
Throughout your session, all commands and data are encrypted.
<p>
For thorough documentation of the Kermit FTP client and its commands and
options, <a href="ckermit80.html#ftp">CLICK HERE</a>.
<h3><a name="using"><hr>Using the Connection</a></h3>
Once you have a connection to the IBM server, you can use it according to
the instructions you received from IBM. Please note that the IBM server is
not a normal FTP server. It implements only the following FTP protocol
commands:
<p>
<blockquote>
<pre>
TYPE, MODE, STRU, USER, QUIT, PORT, RETR, STOR, SITE, NOOP, CWD,
ALLO, PASS, PASV and AUTH
</pre>
</blockquote>
<p>
Note: No LIST, NLST, MDTM, or SIZE; thus you can't get directory listings
from the server in the normal way (and since there is no NLST command, I don't
see how MGET could work either; thus I think you probably can only GET
single files, one per GET command). If you give a client command (such as
DIR) that is not supported by the server, the server simply closes the
data connection and you'll see no response. If you turn on debugging messages
(next section) you'll see something like this:
<p>
<blockquote>
<pre>
[c:\] K-95> <u>set ftp debug on</u>
[c:\] K-95> <u>dir</u>
---> PASV
227 Entering Secured Passive Mode (32,96,130,20,234,198)
ftp: connect: No error
[c:\] K-95>
</pre>
</blockquote>
<p>
Instead of regular FTP commands, you must use FTP SITE commands to send
Info-Exchange-specific commands to the server,
which are documented here:
<p>
<blockquote>
<pre>
<a href="http://edi.services.ibm.com/interchange/tb9901.shtml">http://edi.services.ibm.com/interchange/tb9901.shtml</a>
</pre>
</blockquote>
<p>
In Kermit, the SITE command is given with "FTP SITE". Here's a table that
should clarify matters (words in brackets are optional):
<p>
<blockquote>
<table border>
<tr>
<th>FTP Protocol Command
<th>FTP Client Command
<th>Kermit Client Command
<th>Description
<tr>
<td>CWD
<td>CD or CWD
<td>[FTP] CD or CWD
<td>Change (Working) Directory on server
<tr>
<td>PASV
<td>PASSIVE
<td>SET FTP PASSIVE
<td>Client chooses TCP port for data connection
<tr>
<td>QUIT
<td>BYE
<td>[FTP] BYE
<td>Break connection with server
<tr>
<td>RETR
<td>GET
<td>[FTP] GET
<td>Get (Retrieve) one file
<tr>
<td>SITE
<td>SITE
<td>FTP SITE
<td>Send a site-specific command to the server
<tr>
<td>STOR
<td>PUT
<td>[FTP] PUT
<td>Put (Send, Store) one file
<tr>
<td>TYPE
<td>TYPE
<td>FTP TYPE
<td>Specify type of next file, "ascii" or binary.
<tr>
<td>USER
<td>USER
<td>[FTP] USER
<td>Specify user name
</table>
</blockquote>
<p>
Here the IBM server lists its SITE commands:
<p>
<blockquote>
<pre>
[C:\] K-95> <u>ftp site</u>
The following SITE commands are available:-
HELP, IDLE, EDICHECK, CONFIRM, SYSTEM,
MSGCHRG, MSGRCPTS, ARCREFID, GETARCHIVE, GETAUDIT,
PROBE, XLATE, EDICRLF, EDIONLY, MSGRETN,
SESSKEY, MSGNAME, MSGSEQN, EDIALIASONLY, SHOWOPTS,
RESETOPTS, LISTSTYLE, RESP226, PASSTHRU, PTRESPNAME,
LIBREPLACE, EDIREPLYBUF, EDIREPLIES, EDICDHONLY,
EDICLASS, UNIQUEID, SPACECHR, EDIALIASPROBE, COMPRESS
get site.README from support directory for usage information.
[C:\] K-95>
</pre>
</blockquote>
<p>
For further information, see IBM's list of Info Exchange related publications:
<p>
<blockquote>
<pre>
<a href="http://edi.services.ibm.com/ie/publications.shtml">http://edi.services.ibm.com/ie/publications.shtml</a>
</pre>
</blockquote>
<p>
and in particular, the <cite>Information Exchange via TCP/IP FTP Gateway
User's Guide</cite>:
<p>
<blockquote>
<pre>
<a href="http://publib.boulder.ibm.com/edi/pdfs/c3423451.pdf">http://publib.boulder.ibm.com/edi/pdfs/c3423451.pdf</a>
</pre>
</blockquote>
<p>
<h3><a name="trouble"><hr>Troubleshooting</a></h3>
Secure FTP connections can be complicated and confusing. If your connection
did not proceed smoothly, first read any <a href="#alerts">BULLETINS</a> at
the top of this page. Beyond that, the main problem areas tend to be:
<p>
<ol>
<li>Firewalls that block the connection. Kermit uses FTP Passive Mode by
default to get around the most common firewall problems, but if your firewall
blocks outbound FTP connections, you might still be able to push through
by using Kermit's support for SOCKS or HTTP Proxy servers
(type "help set tcp" at the K-95> prompt for further info).
<a href="ftp://ftp.isi.edu/in-notes/rfc1579.txt">CLICK HERE</a> to read about
the difficulties of using FTP through firewalls, and
<a href="ftp://kermit.columbia.edu/kermit/k95/draft-fordh-ftp-ssl-firewall-01.txt">HERE</a>
to read more about using secure FTP and firewalls. IBM says:
<i>"For Information Exchange users, the biggest problem we run
into is with their Firewalls. The IBM server will dynamically pick any of
the upper ports to ask the client to establish the data connection on
(1025-65,000). This is not the case with the IBM Data and Document Exchange
service. That port range is only 9000 - 9999."</i>
<p>
<li>Your certificates are in the wrong format. OpenSSL (which Kermit uses)
requires them to be in PEM format. IBM gives them to you in PKCS#12
format. Use the OpenSSL program to convert them as described
<a href="#certs">above</a>.
<p>
<li>Kermit must be told where to find the certificate and key files if they
are not in the default locations. If you are using the Dialer's IBM
Info Exchange entry, the locations for these files are given on the
SSL/TLS Settings page. If you are using the sample script from our FTP site,
the locations are given in the script. You must make certain the specified
locations agree with the actual locations.
<p>
<li>You did not decrypt your private key file, or you gave an incorrect
decryption passphrase.
</ol>
<p>
<b>If you have trouble making the connection:</b>
<p>
<ol>
<li>Download the latest copy of the <tt>ibm_infoexchange</tt> sample
script from
<a href="ftp://kermit.columbia.edu/kermit/scripts/ckermit/ibm_infoexchange">HERE</a>.
<p>
<li>At the <tt>K-95></tt> prompt:
<blockquote>
<pre>
K-95> <u>cd <i>xxx</i></u> ; CD to directory where script is.
K-95> <u>clear command scrollback</u> ; Clear away old messages (optional).
K-95> <u>define debug 1</u> ; Enable debugging messages.
K-95> <u>take ibm_infoexchange</u> ; Execute the script.
</pre>
</blockquote>
<p>
<li>When the script has terminated:
<blockquote>
<pre>
K-95> <u>save command scrollback trouble.log</u>
</pre>
</blockquote>
<p>
<li>Look through the <tt>trouble.log</tt> file and/or
<a href="mailto:kermit-support@columbia.edu">send it to us</a>
for analysis.
</ol>
<p>
Note: You can also copy and paste from the K95 Command window. Just hold
down the left mouse button and drag over the material you want to copy.
If you push the mouse pointer against the top edge of the screen, K95 scrolls
back automatically, so you can copy multiple screensful this way. The copied
material goes to the Windows Clipboard, from which you can paste it using
Shift-Insert on the keyboard or <i>Edit→Paste</i> in any application's
menu.
<p>
When debugging, a successful connection looks like this:
<p>
<blockquote>
<pre>
[C:\Some Path\] <u>k95 ibm_infoexchange ibm1.xyz123</u>
IBM INFO EXCHANGE ACCESS SCRIPT VERSION 2.05
Connected to ieftpint2.services.ibm.com.
220 ieftpint2 IE-FTP server (v4r1m0.d) ready on system USA.
---> AUTH SSL
234 AUTH command accepted - proceed with Negotiation.
SSL accepted as authentication type
Certificate[1] subject=/C=US/O=IBM/OU=Interchange Services for e-business
/CN=PKI Services Root CA
Certificate[1] issuer =/C=US/O=IBM/OU=Interchange Services for e-business
/CN=PKI Services Root CA
Certificate[0] subject=/C=US/O=IBM/OU=Interchange Services for e-business:
Server/CN=ieftpint2.services.ibm.com
Certificate[0] issuer =/C=US/O=IBM/OU=Interchange Services for e-business
/CN=PKI Services Root CA
FTP Command channel is Private (encrypted)
---> PBSZ 0
200 Protection buffer size successfully set.
---> PROT P
200 Data protection level now set to 'P' (Protected).
FTP Data channel is Private (encrypted)
---> USER ibm1.xyz123
331 Enter Password.
---> PASS XXXX
---> REST 0
502 Command not supported.
---> SYST
502 Command not supported.
Default transfer mode is TEXT ("ASCII")
---> MODE S
200 Mode now set to S.
---> STRU F
200 Structure now set to F.
---> PBSZ 0
200 Protection buffer size successfully set.
---> PROT P
200 Data protection level now set to 'P' (Protected).
Connected to IBM InfoExchange
Kermit 95 2.0.1, 7 June 2002, for 32-bit Windows
Copyright (C) 1985, 2002,
Trustees of Columbia University in the City of New York.
Type ? or HELP for help.
[C:\Certs\] K-95> _
</pre>
</blockquote>
<p>
The lines starting with "<tt>---></tt>" are commands sent by Kermit to
the FTP server; the lines starting with numbers are responses from the server
to Kermit. Any "Command not supported" messages in response to SYST, REST,
MODE, or STRU are harmless.
<p>
If you want to log FTP file transfers, use LOG TRANSACTIONS ("help log"
for details). If you want to log FTP client and server protocol messages,
use "log debug"; this actually logs quite a bit more than that, but you
can extract the desired messages as follows:
<p>
<ul>
<li>Messages from the client to the server are in lines that start with
"ftp reply".
<li>Messages from server to client are in lines that start with
"ftpcmd buf2".
</ul>
<p>
Or in Unix notation:
<p>
<blockquote>
<pre>
egrep "(ftp reply|ftpcmd buf2)" debug.log
</pre>
</blockquote>
<h3><a name="automation"><hr>How Do I Automate the Connection?</a></h3>
Kermit's script language lets you elaborate the <a
href="ftp://kermit.columbia.edu/kermit/scripts/ckermit/ibm_infoexchange">sample
script</a> (or write your own script) to automate any desired task, as
explained in <a href="ck60manual.html">the manual</a>, and on the <a
href="ckscripts.html">Scripts Library</a> page, and also in the <a
href="ftpscripts.html">Kermit FTP Scripting Tutorial</a>.
<p>
IMPORTANT: Please don't try to automate your connection until after it is
working interactively. First make it work, then automate it.
<p>
<blockquote>
<i>
<b>WARNING: There is an intrinsic tradeoff between automation and safety.</b>
The more automated the procedure, the less secure. To illustrate, the obvious
way to automate access from one computer to another is to script entry of the
authentication information, including the password. But then anyone who gains
access to your script also gains access to the other computer. If you change
the script to require manual entry of the password each time you run it, it
becomes more secure but less automatic.
These considerations apply doubly when automating an FTP connection secured
by TLS, since your private key file is protected by a passphrase and
your host account is protected by second passphrase. That's how FTP-TLS
works. Automating such a connection introduces new elements of risk.
</i>
</blockquote>
<p>
When scripting an unattended operation, you must take special measures
to avoid or handle the password prompts:
<p>
<ol>
<li>If your private key file is encrypted, you are always prompted for the
passphrase when using it. The only way to avoid this is to create an
unencrypted version of the private key file and then specify the filename of
the unencrypted private key file in the SET AUTH TLS RSA-KEY-FILE command.
<p>
You can create an unencrypted PEM file from the original PKCS#12-format
key file with the following command:
<p>
<blockquote>
<pre>
openssl pkcs12 -in <i>encrypted-pkcs12-keyfile</i> -out <i>unencrypted-pem-keyfile</i> -nodes
</pre>
</blockquote>
<p>
or you can decrypt a PEM-format key file with:
<p>
<blockquote>
<pre>
openssl rsa -in <i>encrypted-pem-keyfile</i> -out <i>unencrypted-pem-keyfile</i>
</pre>
</blockquote>
<p>
Now your private key is stored in an unencrypted file, so you must ensure that
the file's permissions allow access only to the person to whom the certificate
was issued (this is possible in Unix, and in Windows NT, 2000, and XP, but
not in Windows 95, 98, or ME). Check very carefully that your key file is
not accessible from outside, including by disk sharing.
<p>
<li>You have to supply a password on this type of connection; this is a
limitation of the SSL/TLS / X.509 / FTP protocol combination.
The <a href="ftp://kermit.columbia.edu/kermit/scripts/ckermit/ibm_infoexchange">sample
script</a> accepts your IBM IE username and password on the command line, thus
avoiding the interactive prompts. These command-line arguments are used in
the FTP OPEN command:
<p>
<blockquote>
<pre>
ftp open ieftpint2.services.ibm.com ftp /user:\%1 /password:\%2
</pre>
</blockquote>
<p>
(<tt>\%1</tt> and <tt>\%2</tt> are the command line arguments.)
<p>
You should not put the password in your script, because then anybody who can
access the script file <i>and</i> your unencrypted private key file can access
your IE account directly (it must be said, however, that even when you omit
the password from your script, the unencrypted key file gives intruders the
bigger piece of the puzzle -- cracking a password is light work for today's
average hacker). If you don't put the password in your script, however,
you can't run the script unattended because the FTP OPEN command prompts
you for the password.
</ol>
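<p>
As an added example (not from the Kermit project), this Python script carries
out the check item 1 asks for on the file you name in SET AUTH TLS
RSA-KEY-FILE: whether the key is still passphrase-protected and, if you have
removed the passphrase, whether the file's Unix permissions restrict it to its
owner. It assumes a Unix host; Windows NT/2000/XP ACLs are not examined.

```python
"""Check the PEM file named in SET AUTH TLS RSA-KEY-FILE the way the automation
advice above asks: is the private key still passphrase-protected, and if not, is
the file readable only by its owner?  Added example, not part of Kermit; it looks
at PEM headers and Unix mode bits only and never parses or uses the key."""
import os
import stat
import tempfile

# Header markers of passphrase-protected keys: traditional PEM as written by
# "openssl pkcs12"/"openssl rsa" with a passphrase, and PKCS#8.
ENCRYPTED_MARKERS = ("Proc-Type: 4,ENCRYPTED", "-----BEGIN ENCRYPTED PRIVATE KEY-----")

def key_is_encrypted(pem_text):
    """True if the PEM text carries a passphrase-protected private key."""
    return any(marker in pem_text for marker in ENCRYPTED_MARKERS)

def check_key_file(path):
    """Return (status, detail): 'ok' for an encrypted key, 'warn' for an
    unencrypted key readable only by its owner, 'fail' for an unencrypted key
    that group/others can read or for a file with no private key at all."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        text = fh.read()
    if "PRIVATE KEY-----" not in text:
        return "fail", "no PRIVATE KEY block in file"
    if key_is_encrypted(text):
        return "ok", "key is passphrase-protected"
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "fail", "unencrypted key readable by group/others (mode %o)" % mode
    return "warn", "unencrypted key, owner-only (mode %o); keep it off shared disks" % mode

def demo():
    """Write three constructed sample files (placeholder bodies, not real keys)
    into a temporary directory and return {name: status}."""
    encrypted = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nQUFBQQ==\n"
                 "-----END RSA PRIVATE KEY-----\n")
    plain = "-----BEGIN RSA PRIVATE KEY-----\nQUFBQQ==\n-----END RSA PRIVATE KEY-----\n"
    samples = {"encrypted": (encrypted, 0o600), "plain_0600": (plain, 0o600),
               "plain_0644": (plain, 0o644)}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (body, mode) in samples.items():
            path = os.path.join(tmp, name + ".pem")
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
            results[name] = check_key_file(path)[0]
    return results

if __name__ == "__main__":
    print(demo())
```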
<p>
Let's say you agree it is unwise to store a password in your script, but you
still want the script to run unattended. For example, you want to start the
script before you go home for dinner, but have it run at midnight. Just have
the script wait until midnight before opening the connection:
<p>
<blockquote>
<pre>
sleep 23:59:59 ; wait until just before midnight
ftp open ieftpint2.services.ibm.com ftp /user:\%1 /password:\%2
...
</pre>
</blockquote>
<p>
In case you're worried about spies coming into your office and reading
the password off your screen, also add the following command to your script:
<p>
<blockquote>
<pre>
clear command scrollback
</pre>
</blockquote>
<p>
This erases the screen and the entire scrollback buffer. Also note that
if an interloper interrupts the script, the variables containing the username
and password disappear from memory automatically.
<p>
<b>Questions?</b> Send them by e-mail to: <a href="mailto:kermit-support@columbia.edu"><tt>kermit-support@columbia.edu</tt></a>
<h3><a name="ibmhandout"><hr>APPENDIX: IBM Handout</a></h3>
The following message is sent by email from IBM to new FTP users
<i>(the remainder of this section is IBM's message):</i>
<p>
Hello,
<p>
Here are some of the guidelines for connecting to IBM over the
Internet.
<p>
<ul>
<li>Must be using an FTP Client that supports SSL, Passive FTP and conforms
to the RFC
<a href="http://www.ietf.org/internet-drafts/draft-murray-auth-ssl-08.txt">
<tt>draft-murray-auth-ssl-08.txt</tt></a> standard.
<p>
<li>Must have the IBM user number and challenge token to create an IBM
signed certificate from
<a href="https://pki.services.ibm.com/ieftp/webdocs.shtml"><tt>https://pki.services.ibm.com/ieftp/webdocs.shtml</tt></a>.
<p>
<li>Must have all upper ports enabled for Passive FTP on outgoing messages
to <tt>ieftpint2.services.ibm.com</tt> (32.96.130.20).
<p>
<li>Must have an account and userid on IBM.
The certificates are userid specific.
IE/FTP access is not required for connecting over the Internet.
</ul>
<p>
Commands. IBM uses the standard FTP commands on the network:
<p>
<blockquote>
<tt>AUTH</tt><br>
<tt>LS -L</tt> = list (only available in home folder)<br>
<tt>GET</tt><br>
<tt>CD</tt> = Change Directories<br>
<tt>PUT</tt>
</blockquote>
<p>
<dl>
<dt>To LOGON</dt>
<dd>Your user name should be formatted as Acct.Userid (period in between).
Your password is your Information Exchange password and cannot be the same
as your userid.
<p>
<dt>Sending and Receiving Files.
<dd>The FTP server is set up similar to a directory tree. When you are logged
in you are in your home directory and are able to receive any files that
have been sent to you. This is the only folder that you would be able to
LIST and have read access to. Whenever you want to send a file to someone,
you would Change Directories to their home folder and PUT the file.
<p>
<dt>To Receive Files
<dd>LOG in to the FTP server.<br>
Issue a LS -L to give you a list of all of the files in your mailbox<br>
Issue a GET to receive the first file listed in your mailbox<br>
Issue a MGET to receive all the files in your mailbox.<br>
(*Note - most FTP clients handle most of these commands as background
processes and you are able to just drag and drop your files. Check with
your software supplier on how to do this. Also note, the files hold no
significant name, so you may be asked to supply a name for the file you are
receiving - <tt>GET C:\INCOMING\TEST.TXT</tt>)
<p>
<dt>To Send a flat file.
<dd>To send a flat file the trading partner must be on the IE network and you
must know their account and userid.
Issue a CD to their Acct.Userid (period between) or set your remote
directory or folder to the Acct.Userid.
Issue a PUT command on the file you want to send - <tt>PUT
C:\OUTGOING\TEST.TXT</tt>
(*Note - most FTP clients handle most of these commands as background
processes and you are able to drag and drop your file. Check with your
software supplier on how to do this.)
<p>
<dt>To Send an EDI file
<dd>When sending EDI files, the network is going to resolve the receiver from
the ISA header and therefore must use an Alias table. To do this use the
command - SITE EDIALIASONLY 1. Issue this command right after logon. This
will tell the FTP server to reference the alias tables to find out who the
receiver is.<br>
Issue a CD to the EDI folder or set your remote folder to EDI<br>
Issue a PUT command on the file you want to send - <tt>PUT C:\OUTGOING\TEST.TXT</tt>
or drag your file over.
(*Note - some software packages have a place or field for initializing
commands. The site command will probably be placed there but again you will
want to check with your software vendor for verification. )
<p>
<dt>TO LOGOFF
<dd>Issue the BYE command or Close your FTP session. This is important,
because any files you have received out of your folder may not be flagged
as received until the session is successfully ended.
</dl>
<p>
Insight on how the session works for Passive FTP:
<p>
<ul>
<li>A session is started by an FTP client with IBM by creating a Control Port
to the IBM Server on port 21.
<p>
<li>The Client then issues an Authorization command or AUTH on that Control
Port.
<p>
<li>The IBM Server responds with a ping and then a :
<p>
<blockquote>
<pre>
234 AUTH command accepted - proceed with Negotiation.
</pre>
</blockquote>
<p>
<li>At that point, IBM is waiting for a second port to be created by the FTP
Client.
<p>
<li>The FTP Client will then create a data port on a Dynamically picked port
from 1025 - 65,000 to negotiate the SSL connection.
<p>
<li>Once that has been established, your FTP Session can begin by sending in
your LOGON information.
</ul>
<p>
More Documentation:
For a complete manual on Using FTP on the Information Exchange network,
please visit
<a href="http://edi.services.ibm.com/ie/publications.shtml"><tt>http://edi.services.ibm.com/ie/publications.shtml</tt></a>.
<p>
[ <a href="#top">Top</a> ]
[ <a href="index.html">Kermit Home</a> ]
[ <a href="k95.html">Kermit 95</a> ]
[ <a href="ckermit.html">C-Kermit</a> ]
[ <a href="security.html">Security</a> ]
[ <a href="ckscripts.html">Scripts</a> ]
[ <a href="ftpscripts.html">FTP Scripts</a> ]
<p>
<hr>
<address>
The Kermit Project /
Columbia University /
<a href="mailto:kermit@columbia.edu">kermit@columbia.edu</a> /
22 July 2002
</address>
</body>
</html>