SSH, an acronym for Secure SHell, is a method of securely connecting to servers in which all data, even the user ID and password, is encrypted. SSH on iSeries can be used in several scenarios:
- As a server to enable encrypted file transfer and secure remote commands
- As a client to use with other secure servers
- As a secure tunnel to encrypt your regular 5250 telnet sessions
Using the iSeries SSH client
These are instructions on how to use the IBM i ssh client for automatic, secure file transfer. Your business partner has assigned you a remote user account called yourRemoteUser.
Your local system i process will run as user RUSER.
System Requirements
Full instructions can be found in Tech note N1012710, Configuring the IBM i SSH, SFTP, and SCP Clients to Use Public-Key Authentication.
- IBM i 5.4 or higher.
- Portable App Solutions Environment also known as PASE must be installed on the iSeries server to use ssh. Check the existence of licensed program 57xx-SS1 option 33.
- Portable Utilities for i 5733-SC1 must be installed.
- A user profile name that is 8 characters or less in length.
- See also #External links for the IBM Redbook.
Creating the public/private key pair
- Sign on as RUSER
- CALL QP2TERM to enter the PASE environment
- mkdir /home/ruser to create a HOME directory for the user
- chmod 755 /home/ruser to set permissions
- ssh-keygen -t rsa -N '' for RSA keys (the empty -N value means the private key has no passphrase)
- F3 to exit back to the command line
- CHGUSRPRF USRPRF(ruser) HOMEDIR('/home/ruser') to set the home directory in the user profile
- Sign off and back on
- The key pair will be in /home/ruser/.ssh
- The public key will have a .pub extension
- The private key will not have an extension
- It is very important to secure the private key! Use IFS authorities to limit access to the private key only to RUSER.
Getting and storing the remote server public key
- Sign on as user RUSER
- Send the public key (.pub file) to the remote site
- (The public key is added by the server admin to the '~/.ssh/authorized_keys' file on the SSH server.)
To test:
- CALL QP2TERM - Start the PASE shell
- ssh -T yourRemoteUser@somehost
Using a key issued by someone else
Your business partner may have issued you a key, and now you should use it and not create your own. In this case, copy the key file that you received into the .ssh folder.
Transferring Files
- A critical difference between most implementations of SCP/SFTP and the PASE environment version is that the commands do _not_ support the -T (tty terminal) switch. This means that authentication by password is _not_ supported.
Instead, you must place your public key on the remote server you intend to connect with.
Copying files with SCP
To copy all xml files from the IN directory on the remote server to the /b2b/incoming IFS folder:
(replace 'id_rsa' with the actual name of the private key that you are to use) (The /b2b/incoming folder must exist prior to the copying.)
To run batch file transfer via scp, create a script file like this (called examplescp.sh)
Execute it in batch via command
Copying files with SFTP
- Note: the SFTP is not equivalent to the OS/400 FTP client: implicit data conversion is not done (all transfers are binary), nor is there any integration with system security.
We want to copy all xml files from the IN directory (inside our homedir) on the remote server to the /b2b/incoming folder and delete them from the remote server.
Create a text file called ssh-input.txt that contains:
To run batch file transfer via sftp, create a script file like this (called examplesftp.sh)
Execute it in batch via command
Placing your own public key on the remote server
- These instructions will not work: if your public key is not on the remote server there is no way to log on to that server. It may be possible to do this using a Windows or Linux based client that permits password entry.
Sometimes you work with a clueless operator who does not or will not help you to place your public key on the remote server. There is a workaround that requires you to have a valid password for your account (you do have a password, don't you?). You also need write permissions to your home directory, and hopefully it does not have any public authority.
Start the PASE shell
Connect to the remote server using your password.
Check to see if there is a .ssh folder in your home directory.
If it does not exist, create it now, and switch to it.
If the authorized_keys file already exists, then you will have to get it to your system and append your public key to it, and then send it back. If it does not exist, then the following will suffice:
Setting up an IBM i SSHD server
To run the sshd daemon on i5/OS:
- The userid that starts the daemon must have *ALLOBJ special authority
- The userid that starts the daemon must be 8 or fewer characters long
- Before starting sshd for the first time, you will need to generate host keys:
- You can start the sshd daemon with either one of these CL commands:
- You can stop the sshd daemon at V5R4 by starting the PASE command shell:
The SSHD configuration file should be reviewed for fitness to your security policy. In particular, the following items should be decided upon:
- The AllowUsers directive by default allows ALL active users to connect and execute PASE and system commands, even if they are limited users. Check the AllowUsers, AllowGroups, DenyUsers and DenyGroups directives to see what is good for you.
- The PermitRootLogin directive allows QSECOFR to login via SSH
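One way to check which of these decisions a given sshd_config actually states, as an added example that is not part of the original page or of IBM's tooling. The sample configuration and the function names are constructed for illustration; the review covers only the global section (it stops at the first Match line).

```shell
#!/bin/sh
# Added example: check which access decisions an sshd_config actually states.

# Constructed sample configuration (not a file shipped with IBM i).
sample_config() {
    cat <<'EOF'
# constructed sample
Port 22
Protocol 2
#AllowUsers ruser
PermitRootLogin yes
EOF
}

# Review FILE ("-" reads stdin); the return status is the number of warnings.
review_sshd_config() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        { key = tolower($1) }                   # keywords are case-insensitive
        key == "match" { exit }                 # review the global section only
        key ~ /^(allow|deny)(users|groups)$/ { acl++; print "ok   " $0 }
        # sshd uses the first value it reads for a keyword
        key == "permitrootlogin" && root == "" { root = tolower($2) }
        END {
            warn = 0
            if (!acl) {
                print "WARN no AllowUsers/AllowGroups/DenyUsers/DenyGroups: every active user may connect"
                warn++
            }
            if (root != "no") {
                print "WARN PermitRootLogin is " (root == "" ? "not set" : root) ": QSECOFR login is not ruled out by this file"
                warn++
            }
            exit warn
        }' "$1"
}
```

Run `sample_config | review_sshd_config -` to see both warnings, then point the function at your own sshd_config.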
Diagnosing Problems
General Debugging
You can invoke the sshd server manually to help diagnose problems.
- Shut down the SSHD server if it's already running ( ENDTCPSVR SERVER(*SSHD) )
- Open a QP2TERM command line shell (call QP2TERM)
- Invoke the sshd server with the '-d' parameter: /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.8.1p1/sbin/sshd -d
- Try to connect from your ssh client.
- The sshd server will generate copious diagnostic information to the console.
NOTE: The sshd server will terminate as soon as this connection attempt is completed.
Public Key Permissions
- The permissions on the ~/.ssh directory should be 700 or shown as 'drwx------' when you do 'ls -ld ~/.ssh'.
- The permissions on the authorized_keys or authorized_keys2 file, in ~/.ssh, should be 600 or shown as '-rw-------' when you do 'ls -l .ssh'
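The checks above, together with the earlier advice to restrict the private key to its owner, can be scripted. This is an added example, not part of the original page; it assumes private keys are named id_* (adjust the pattern if your partner issued a key under another name), and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: audit the modes the page lists for ~/.ssh and its key files.

# Print the 10-character mode string that `ls -ld` shows (e.g. drwx------).
mode_of() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# Report a finding when PATH's mode does not match the shell PATTERN.
expect_mode() {    # usage: expect_mode PATH PATTERN CHMOD_VALUE
    m=$(mode_of "$1")
    case $m in
        $2) return 0 ;;
    esac
    echo "FAIL $1 is '$m'; fix with: chmod $3 $1"
    return 1
}

# Audit DIR (default ~/.ssh); the return status is the number of findings.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    bad=0
    expect_mode "$dir" 'drwx------' 700 || bad=$((bad + 1))
    for f in "$dir"/authorized_keys "$dir"/authorized_keys2; do
        [ -f "$f" ] || continue
        expect_mode "$f" '-rw-------' 600 || bad=$((bad + 1))
    done
    # Assumption: private keys are the id_* files without a .pub extension.
    # They must carry no group or other permission bits at all.
    for f in "$dir"/id_*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac
        expect_mode "$f" '-??-------' 600 || bad=$((bad + 1))
    done
    return "$bad"
}

# Constructed demo: a scratch directory with deliberately loose modes.
demo() {
    scratch=$(mktemp -d) && chmod 755 "$scratch"
    : > "$scratch/id_rsa" && chmod 644 "$scratch/id_rsa"
    audit_ssh_dir "$scratch"; n=$?
    rm -rf "$scratch"
    return "$n"
}
```

Call `audit_ssh_dir` with no argument from the PASE shell to check the signed-on user's own ~/.ssh, or `demo` to see the output on a throwaway directory.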
Diagnosing Unknown User
If, while debugging the SSHD server, you get a message indicating the user profile is unknown, similar to this:
Check the length of the user profile.
Due to the AIX origins of the SSH server, user profiles have to be 8 characters or less. A profile that is 9 characters or longer will result in an unknown user error.
This limitation can be eliminated.
IBM i 6.1 requires PTF SI43594.
IBM i 7.1 requires PTF SI43709.
Add the following to your sshd_config file:
See http://www-01.ibm.com/support/docview.wss?uid=nas8N1011847 for more details.
Non-English Environments
If you are unable to start the SSH server in a non-English environment using STRTCPSVR *SSHD, try adding the following to the sshd_config file (usually located in /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.8.1p1/etc/):
Security implications of using SSH on iSeries
External links
- PDF of Securing Communications with OpenSSH on IBM i5/OS (redp4163) at IBM Redpapers
- How to set up SSH client on iSeries for password-less connections from midrange-l
- SSHSetup at YiPs Wiki
DigiPro2 is distributed as a trial version. The trial version starts with advanced features enabled for 45 days. After 45 days, the advanced features are disabled and only basic features remain.
DigiPro2 'basic' is free to use and still provides database management and simple plotting. DigiPro2 basic can be converted to 'advanced' at any time by entering a valid license key code.
License key codes must be purchased. Contact DGSI or a distributor to purchase license key codes. At the time of purchase, we enter information into our license server to generate the key codes. Then we email the key codes to you. If you purchased keys through a distributor, we typically email them to the distributor.
The steps below tell how to enter a key code and how to manage keys.
Installing a License Key
Step 1: Start DigiPro2 and click the License button.
Step 2: Cut and paste the key code from your email into the License Key field. Then click 'Install'.
Step 3: DigiPro2 validates the key code via the internet. When the validation succeeds, you can see 'License Installed' in the license status field. Click 'Close' to complete the process.
Moving a License Key
Suppose you want to move the license key to a new computer. Follow these steps:
- Check that you have the original license key that was emailed to you.
- Start DigiPro2 on the old computer.
- Click License -> Uninstall License -> Yes. DigiPro2 on this computer now reverts to the basic version.
- Install DigiPro2 on your new computer. Then follow instructions here.
Error Messages
Invalid License Key
The most common reason for this error: the key has been used too many times. Contact DGSI or your distributor to correct the situation.
Authentication Error
This message appears when DigiPro2 cannot access the authentication server.
If you see this message, please try the manual authentication method, as explained below.
Manual Authentication Process
- If you see the authentication error message above, click Yes to create a license file.
- The Save As dialog appears. Specify a path and name for the license file. We recommend that you change the default filename (license.lic) to a name that you can associate with this computer. This is especially important if you must generate a number of license files.
- Click this link: http://licenseservice.slope.com/AuthenticateFile.aspx
- Click 'Browse' and locate the license file you just saved.
- Click 'Authenticate'. A new, authenticated license file will be downloaded.
- Save the file onto the computer with DigiPro2.
- Start DigiPro2 and click License.
- Click Load License, navigate to the authenticated license file, and click Open. DigiPro2 loads the license and changes the license status to: 'License Installed.'
Alternative Authentication Process
If you do not have permissions to download files, follow this process which offers validation by email.
- Click Yes to create a license file.
- The Save As dialog appears. Specify a path and name for the license file. We recommend that you change the default filename (license.lic) to a name that you can associate with this computer. This is especially important if you must generate a number of license files.
- Attach the file to an email addressed to solutions@slope.com or to your distributor.
- We will return an email to you or to your distributor with 'authenticated license' attached.
- Save the attachment onto the computer with DigiPro2.
- Start DigiPro2 and click License.
- Click Load License, navigate to the authenticated license file, and click Open. DigiPro2 loads the license and changes the license status to: 'License Installed.'