Operating System - OpenVMS

Re: Batch mode FTP over SSL?

 
Duane Sadowski
Frequent Advisor

Batch mode FTP over SSL?

Hi. I'm trying to find a good way to securely copy data files across the Internet from a VMS system to another organization's non-VMS system. I seek to use a batch job to do the copying, to eliminate the need for human intervention. Two alternative protocols that I'm investigating are SSH and SSL.

Can someone please tell me whether it's feasible to use a VMS 7.3-2 TCP/IP 5.4 system as an FTP-over-SSL (FTPS) client to copy files in batch mode? Would I need to buy an SSL-enabled FTP client program for the VMS system? Is the SSL / FTPS learning curve worse than the SSH learning curve?

I looked at a December 2004 thread in this forum ("SSL Enabled FTP Client for OpenVMS") that sounded relevant, but I didn't find that thread helpful. It seemed to talk about SSH more than SSL. I also did a Google search on comp.os.vms, but I didn't see anything in the threads that I looked at that answered my questions.

- Duane


12 REPLIES
Joseph Huber_1
Honored Contributor

Re: Batch mode FTP over SSL?


Have a look at the free cURL program
http://curl.haxx.se/download.html#VMS

It claims to support FTPS.
(And no, I have no experience with it).
http://www.mpp.mpg.de/~huber
Arch_Muthiah
Honored Contributor

Re: Batch mode FTP over SSL?

Hi,

There are certain limitations using SFTP and SCP with TCPIP V5.3 and V5.4.

But TCPIP V5.5 seems to be working fine.

I have pasted below the paragraphs that talk about those limitations.

=======================================
3.5.2 SSH File Copy Restrictions
• On OpenVMS, setting the ForcePTTYAllocation keyword to YES in the SSH2_CONFIG. file can result in failures when performing file copy operations. (In other implementations of SSH, setting the keyword ForcePTTYAllocation to YES in the SSH2_CONFIG. file has the same effect as using the -t option to the SSH command.)

• Using the scp and sftp commands from an OpenVMS SSH client to a UNIX server running OpenSSH is not fully supported because certain operations cause the OpenVMS client to hang. The hang cannot be terminated by entering Ctrl/C and Ctrl/Y.

• File transfer is limited to OpenVMS files with the following record formats (as displayed by the DIRECTORY/FULL command):
    STREAM_LF
    Fixed-length 512-byte records

• Not all variants of UNIX path names are supported when referring to files on OpenVMS clients and servers.

• Using the SCP and SFTP commands from a non-OpenVMS client may have unpredictable results, depending on how the client formats the target file name and whether the client is SSH2 compatible.
============================

You can also find these file copy restrictions for SFTP with TCPIP V5.4 at the link below.

http://h71000.www7.hp.com/doc/732FINAL/DOCUMENTATION/PDF/TCPIP054_RELNOTES.PDF

Archunan
Regards
Archie
Duane Sadowski
Frequent Advisor

Re: Batch mode FTP over SSL?

Joseph:

Thank you for telling me about the cURL program.

I would be interested to hear about other people's experiences with cURL on the VMS/Alpha platform.

- Duane
Duane Sadowski
Frequent Advisor

Re: Batch mode FTP over SSL?

Archunan:

Thanks for including that excerpt from the TCP/IP release notes. I will check whether those restrictions are relevant in my configuration. I understood most of the restrictions, and I'll look in the SSH documentation to learn what ForcePTTYAllocation is.

One thing that the excerpt mentions is the file format. I get the sense from other things that I've read that a variety of products ported to VMS favor that file format, so I will also "read the friendly manual" for CONVERT /FDL.

- Duane
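
The record-format restriction quoted above lends itself to a pre-flight check in the batch job before the file is handed to SFTP. The DCL below is an added example, not part of the thread or of HP's documentation; the parameter P1, the `_STMLF` suffix and the label name are assumptions, and the conversion step is only appropriate for text files (rewriting binary data as STREAM_LF would alter it).

```dcl
$! Added example: check a file against the SFTP record-format restriction
$! (STREAM_LF or fixed-length 512-byte records) and convert text files
$! that do not comply. P1 = file to transfer (assumed parameter).
$ infile = P1
$ rfm = F$FILE_ATTRIBUTES(infile, "RFM")    ! VAR, FIX, VFC, UDF, STM, STMLF, STMCR
$ mrs = F$FILE_ATTRIBUTES(infile, "MRS")    ! maximum record size (integer)
$ IF rfm .EQS. "STMLF" THEN GOTO ready
$ IF rfm .EQS. "FIX" .AND. mrs .EQ. 512 THEN GOTO ready
$!
$! Any other format: write a STREAM_LF copy into the current default
$! directory, using an FDL description supplied inline on SYS$INPUT.
$ outfile = F$PARSE(infile,,,"NAME") + "_STMLF" + F$PARSE(infile,,,"TYPE")
$ CONVERT/FDL=SYS$INPUT 'infile' 'outfile'
RECORD
    FORMAT STREAM_LF
$ infile = outfile
$!
$ready:
$ WRITE SYS$OUTPUT "File ready for transfer: ''infile'"
$ EXIT
```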
Duane Sadowski
Frequent Advisor

Re: Batch mode FTP over SSL?

A follow-up question:

Does it sound fair to say that in the VMS environment, when people want to copy files securely over an insecure medium, it's more common for people to use SSH than to use SSL? I'm getting that impression from the things that I've read on-line, but I want to avoid misrepresenting things.

- Duane
Joseph Huber_1
Honored Contributor

Re: Batch mode FTP over SSL?

In my environment (research institutes with international connections), it's scp/sftp mainly because that's what is available on almost every system (mostly Linux).

In the days before ssh/sftp was available, I sometimes used another method that may be of interest to you: using the STUNNEL software, I established an SSL-encrypted port on both sides, then used standard FTP between these ports.

Knowing the restrictions of sftp, having the full capabilities of FTP may be an advantage.
It needs setup on both systems/sides though.
Find stunnel on HP's VMS site (I think on the open source tools page).
http://www.mpp.mpg.de/~huber
Andy Bustamante
Honored Contributor

Re: Batch mode FTP over SSL?


Do you have the latest ECO 5 patch update? Check with

$ TCPIP SHOW VERSION

You can download this kit from this site under "support from Compaq products" if needed.

Andy
If you don't have time to do it right, when will you have time to do it over? Reach me at first_name + "." + last_name at sysmanager net
Duane Sadowski
Frequent Advisor

Re: Batch mode FTP over SSL?

Joseph:

Thanks for discussing the reason that you favor scp / sftp in your environment. You mentioned that it's a Linux environment. I think that it might be a Windows system with which I need to communicate, and my impression is that these products are also available for Windows as well.

As for stunnel, I had read about that, in John Wisniewski's book, but I noticed in the release notes for stunnel that "Stunnel cannot be used to secure FTP with TCP/IP v5.3 ECO 2 or later versions". Since I'm running TCP/IP v5.4, I interpret that to mean that I can't use stunnel with the FTP client that comes with HP's TCP/IP and would instead need to find an SSL-enabled FTP client such as the cURL that you mentioned.

- Duane
Duane Sadowski
Frequent Advisor

Re: Batch mode FTP over SSL?

Andy:

Thanks for your reply. No, I don't have ECO 5 installed, and I'm planning to install it soon, since I understand that it's necessary if I want to use SSH to do batch mode copying.

One reason that your reply was helpful is because I was trying to figure out the proper command to tell which TCP/IP ECOs are installed on my system. I had done both a TCPIP SHOW VERSION /ALL and a PRODUCT SHOW HISTORY, and the output of both commands suggested that no ECO has been applied.

- Duane

Duane Sadowski
Frequent Advisor

Re: Batch mode FTP over SSL?

Ian:

Thanks for your help. I'm getting ready to install the TCP/IP v5.4 ECO 5 for which you provided the links.

As for stunnel, as I wrote in a reply above, I read in the release notes that "Stunnel cannot be used to secure FTP with TCP/IP v5.3 ECO 2 or later versions", so it sounds like I can't use that on my system (TCP/IP v5.4).

- Duane
Duane Sadowski
Frequent Advisor

Re: Batch mode FTP over SSL?

Thanks again for the comments. We ended up using SSH (SFTP).