Sep 04

FTP Guard4i gets new feature

One of our clients was interested in the FTP Guard4i product and wanted to secure their FTP environment from unauthorized access. We installed the product and set the security so that all FTP access would now be monitored and restricted. Unfortunately after a few minutes we had to turn off the security because the client had not understood just how much FTP activity was carried out on his system. This was a problem because they did see some attempts to access the system using FTP from unauthorized users yet they could not identify all the authorized users until they hit the site and were rejected by the security settings. At first we were just adding users as they showed up in the log after checking that they were in fact authorized, but that gave a number of issues because the FTP access used by the users was not built to recover when the request was rejected. So we eventually turned off the security and left it up to the normal object security to handle the issues until we came up with a solution.

This concerned us as we did not like the fact that FTP activity was going on and the client was unable to see just how bad the problem was. So we started to think about how we could show that the problem exists while not affecting the existing processes. Eventually we made a change to the programs that allows the security to be circumvented while still logging exactly who used the FTP services and what they did. Now the client is able to see all activity and we can build the FTP security using the log information before implementing the fully secured environment.

FTP is very insecure and should be turned off where possible. If you must have FTP services turned on, we suggest you investigate the installation of a security and logging package such as our FTP Guard4i. Just understanding the level of FTP activity that is going on could help you determine just how exposed to data theft you are.

Chris…

Apr 24

FTP Guard4i Log Viewer

As promised, we have now developed the log viewer, which shows the events that have been logged by the FTP processes. The log view has a number of columns, each of which is sortable, but the default sort is by Date and Time with the latest entry at the top. Here is a sample view of the log on our test server.

FTP Guard4i log view

A sample of the events logged by FTP Guard4i.

A couple of interesting things came about while generating the log. You will see that we deleted a file ‘/home/CHRISH/??_???????`%??>?>????????’. One of the issues we all come across from time to time is a file in the IFS with a strange name; deleting the file using the normal IFS commands is not possible as it will always return ‘File not found’ errors. Using FTP (actually we used FileZilla) you can see that we successfully deleted the file in question. The log also shows a ‘Send File’ operation. That was actually a get operation from the FTP client, but the event gets logged as a ‘Server Send File’ operation.

The PHP interface is now pretty much complete but we need to do some more work on the UIM interface to align the data store with the actual output to the UIM Manager. Once that is finished and we have done some more testing FTP Guard4i will be available for download.

Chris…

Apr 23

FTP Guard 4i Take 2

We had been discussing the FTP Guard 4i with a prospect and they mentioned that they would like to be able to monitor the FTP Server and SFTP Server from the FTP interface. So we have added a couple of new features to the status screen that allow the user to administer the FTP Server and the SSHD server which is used for the SFTP connections.

Here is the new status screen

New FTP Guard 4i status screen

FTP Guard 4i take 2

One of the things we did notice when we added the new features and checked they functioned was that the SFTP connection takes on the QSECOFR profile in the job and drops the original user profile. We need to take a look at this to see exactly what effect this has. We don’t allow the QSECOFR profile to connect via FTP or SFTP, so the security we have set for the user as far as FTP is concerned still applied.

Let us know if you are interested in this kind of solution and what if any additional features you would like to see. The Log viewer is coming along and will be the subject of our next post.

Chris…

Jan 07

iLook shows promise

We finally received our download links and licenses for the LookSoftware iLook product just before Christmas. I have attached a couple of screen shots to show you the results obtained simply by running the product out of the box.

iLook is a technology preview for the main LookSoftware products. There are some screens which will not convert to a GUI even if they are IBM screens; if you try to display an unsupported screen, a message is sent stating that the conversion process will not work. There are also a number of features which appear to be clumsy on first use, but reading the manual (yes we do have to sometimes) soon points the user in the right direction. If you find any issues you can always lodge them with support or add posts to the forums to get updates or answers.

Having played with the product we feel it is a good first pass at explaining the basic re-facing capabilities of the LookSoftware products. However, it is just a preview and should be viewed as such; the main LookSoftware products offer a lot more functionality. Luckily our screens from the FTP Client converted automatically and gave a nice new look to the product. iLook is free; you simply have to register your interest on the LookSoftware website and they will ship you download instructions and licenses by email.

If you have downloaded our FTP Client Version 6.1 this could be a nice easy (and free) way to add a GUI interface to it! I am sure our other products will have the same effect.

To get a copy of the software register your interest here http://www.looksoftware.com/ilook/ilook-application.aspx

The forum related to the product can be accessed once you register here http://www.looksoftware.com/register.aspx?returnurl=%2fuser-login.aspx

Here are the sample screens using the iLook product.

System Control Panel

iLook System Control Panel

Here is the FTP Client Version 6.1 sample screen using the iLook product.

FTP Client running under iLook

FTP Client running under iLook interface

I hope that is enough to whet your appetite. Get going and register for the product now!

Chris…

Nov 17

How to remove invalid IFS names

We had a client call after he had managed, using our new FTP Client, to create an IFS directory which could not be deleted using the WRKLNK interface or the RMDIR command. We didn’t realize that the IBM OS based commands could not delete items on the IFS under certain circumstances, but we also found that those same commands would refuse to create the objects as well.

The client had created a directory called c:\ftpclnt in the root directory. Trying to delete the item using option 4 from the WRKLNK command failed, as did the RMDIR command, with a message stating the object could not be found.

Here is a sample of the message sent

Additional Message Information

Message ID . . . . . . : CPFA0A9 Severity . . . . . . . : 40
Message type . . . . . : Diagnostic
Date sent . . . . . . : 11/17/09 Time sent . . . . . . : 18:09:12

Message . . . . : Object not found. Object is /c:/testdir.
Cause . . . . . : Object /c:/testdir, or a directory in the object path,
could not be found, or its type cannot be resolved by this function.
Recovery . . . : Correct the name or specify an object of the correct type.
To determine if the object exists, use the Work with Object Links (WRKLNK)
command. If the name exists, check the type of the object. If the name
contains symbolic link objects, ensure the path names they resolve to exist.
Retry the operation.

Bottom
Press Enter to continue.

F3=Exit F6=Print F9=Display message details
F10=Display messages in job log F12=Cancel F21=Select assistance level

Apparently this is because the OS commands interpret the \ character differently. As can be seen above, it created a path of /c:/testdir, which reversed the ‘\’ and called it a directory, yet didn’t create a subdirectory of /testdir under c:.
We looked at the code which allowed the object to be created and it was the Unix API mkdir(). We also tested the delete of the link using our product and it did as we expected and successfully deleted the object. The question was why the IBM commands refused to find the object.

We logged a call with IBM support and they sent us to the following information. Talking with support, we explained that we had Googled the problem and didn’t find the document they had sent; they explained this was because the document is contained in a knowledge base that is not viewable by web robots.

So if you are having the same problems, hopefully Google will find this reference and save you some time.

I have also copied the content below just in case the link doesn’t work for some. The customer said his link was only able to be deleted by using Navigator or our program, so make sure you try a few options.

Document Title: Renaming or Removing Files from the Integrated File System That Have Names That Are Not Valid

Abstract

This document provides tips on how to delete documents and directories in the Integrated File System that were created with invalid names.

Document Description:
Certain applications may create invalid file names in the operating system Integrated File System. For example, a file name containing slashes or quotes is not valid and cannot be removed by the operating system file system code. When trying to rename or delete these files, the iSeries interprets the slashes and quotes as part of the file name and generates an error, CPFA0A9 Object not found, because this naming convention is not valid for the iSeries system.

Note: When this problem is encountered, the best way to remove or access these files is to use the same application that created them.

If the original application is not available or it is not able to remove these objects, there are some other options that can be used. These options include FTP, QShell, iSeries Navigator, IFS tools DLTIFSF, and CleanNames.

FTP:

FTP can be used to rename or delete files and directories with invalid names that contain only standard ANSI characters. For example, FTP can be used to delete or rename files with names containing a backslash (‘\’), but cannot handle names with embedded nulls or Unicode characters.

FTP Commands: REN (rename) and DEL (delete) for files, RMDIR (remove directory) for directories.

Note: Directories must be empty before they can be removed with the RMDIR command.

For example, a file was created in the root of the Integrated File System. The file is called \MYFILE.TXT and must be deleted. Below is a WRKLNK showing how this file looks in the operating system Integrated File System.
Work with Object Links

Directory . . . . : /

Type options, press Enter.
3=Copy 4=Remove 5=Next level 7=Rename 8=Display attributes
11=Change current directory …

Opt Object link Type Attribute Text
QPWXGRB DIR
QPWXGUM DIR
QSR DIR
QSYS.LIB DIR PROD System Library
QTCPTMM DIR
QVGN DIR
RONTEST DIR
\MYFILE.TXT STMF
Snyder DIR
More…
Parameters or command
===>
F3=Exit F4=Prompt F5=Refresh F9=Retrieve F12=Cancel F17=Position to
F22=Display entire field F23=More options

Take the following steps to remove the file:

Note: An FTP session may be started either from the iSeries Command Line (on the same iSeries system or on a different iSeries system) or it may be started from a PC DOS Command Prompt.
1. To start an FTP session to the IBM System i system, on the operating system command line type the following command:

FTP

Press the Enter key. You are prompted to sign on and type your password.
2. Once signed on, change the naming format from operating system to UNIX by issuing the NAMEFMT 1 command (quote site namefmt 1, and press the Enter key). The FTP session should respond with 250 Now using naming format “1”.
3. To change to the root of the Integrated File System, type the following:

CD /

Press the Enter key. Response from the iSeries family system should be 250 “/” is current directory.

If the file is located in a directory or a subdirectory rather than on the root of the Integrated File System, issue CD dirname, and press the Enter key. Response from the iSeries family system should be 250 “/dirname” is current directory.
4. Type the following:

DEL \MYFILE.TXT

Press the Enter key. The response is 250 Deleted file /\MYFILE.TXT. This also works with the RENAME command.

Note: Remember that this is a UNIX format. Therefore, file names are case-sensitive.

The same steps may be used for removing directories with invalid names (such as \MYDIR). To do so, follow the steps above substituting the RMDIR command in place of the DEL command used in the example. If the directory which has the invalid character in the name contains other DIRs or STMFs, you will probably need to do a REN on the directory with the invalid character in the name and give it a valid name. At this point, you can use normal methods to delete the contents of the directory and remove it as you normally would.
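The FTP steps above, scripted with Python's standard ftplib, as an added example that is not part of the IBM document or the original post. The function names are hypothetical, the host and credentials are supplied by the caller, and "standard ANSI characters" is assumed here to mean printable 7-bit ASCII, so names FTP cannot address are rejected before any command is sent.

```python
import ftplib


def ftp_unsupported_reason(name):
    """Return why FTP cannot address this IFS name, or None if it can."""
    if not name:
        return "empty name"
    if "\x00" in name:
        return "embedded null"
    if "\r" in name or "\n" in name:
        return "CR/LF would split the FTP command line"
    if "/" in name:
        return "forward slash is the path separator in NAMEFMT 1"
    # Assumption: "standard ANSI" is treated as printable 7-bit ASCII.
    if any(not 32 <= ord(ch) <= 126 for ch in name):
        return "character outside printable ASCII"
    return None


def plan_commands(directory, name, is_dir=False, new_name=None):
    """Raw protocol commands for the documented steps (CD, then DEL/RMDIR/REN)."""
    for candidate in (name, new_name):
        if candidate is not None:
            reason = ftp_unsupported_reason(candidate)
            if reason:
                raise ValueError(f"{candidate!r}: {reason}; use another tool")
    # "quote site namefmt 1" and "CD" as they go over the wire
    cmds = ["SITE NAMEFMT 1", f"CWD {directory}"]
    if new_name is not None:
        cmds += [f"RNFR {name}", f"RNTO {new_name}"]  # REN
    elif is_dir:
        cmds.append(f"RMD {name}")   # RMDIR: the directory must be empty
    else:
        cmds.append(f"DELE {name}")  # DEL
    return cmds


def run_commands(host, user, password, cmds):
    """Send the planned commands; ftplib raises error_perm on a 5xx reply."""
    # ftplib.FTP_TLS can replace ftplib.FTP where the server offers TLS.
    with ftplib.FTP(host) as ftp:
        ftp.login(user, password)
        return [ftp.sendcmd(cmd) for cmd in cmds]


if __name__ == "__main__":
    # The document's example: delete \MYFILE.TXT from the IFS root.
    for line in plan_commands("/", "\\MYFILE.TXT"):
        print(line)
```

Passing `new_name` produces the rename sequence the document recommends for a non-empty directory, after which the normal IFS commands can remove its contents.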

QShell:

QShell can be used to remove some invalid file names, including those that contain a backslash as part of the name. To remove a name with a backslash, escape the character with an additional backslash or double quote the name.

Example: To remove “myfi\le” use ‘rm myfi\\le’ or ‘rm "myfi\le"’

To use QSHELL to remove the files, do the following:
1. From an operating system command line, type the following:

STRQSH

Press the Enter key.
2. To change directory to the directory containing the invalid file name, type the following: CD mydir
3. To remove the file, type the following: RM "invalid file name"

Note: Double-quotes are required in the RM command.
4. Press F3 to end QSHELL.

iSeries Navigator:

The iSeries Navigator File Systems | Integrated File Systems option can be used to delete or rename files and directories with names that Windows considers invalid (and hence network drives can’t handle). This includes names like *.* or *dir and many special ANSI characters such as the trademark symbol (TM) and so on.

To use iSeries Navigator to remove or rename the files, do the following:
1. Open iSeries Navigator.
2. Expand My Connections.
3. Expand File Systems.
4. Expand Integrated File systems and locate the directory or file containing the invalid file name.
5. Right click on the directory or file name and choose the option to delete or rename the file.

IFSTOOLS DLTIFSF and RNMIFSF:

DLTIFSF and RNMIFSF can be used to delete or rename files or directories with names that contain a backslash.

Example (delete): CALL DLTIFSF '[filepath]'

Example (rename): CALL RNMIFSF PARM('[filepathold]' '[filepathnew]')

Information about downloading and installing IFSTOOLS is in Rochester Support Center knowledgebase document 19175649, Integrated File System Tools: DEL, DELTREE, CMDALL, CHGAUTALL, CHGOWNALL, QRYIFSLIB, DLTIFSF, RNMIFSF:

CleanNames:

CleanNames is a Java toolbox utility. It is the best option to use when cleaning up thousands of files or when file names include embedded nulls. CleanNames can clean up invalid directory and file names such as: “*.*”, “*name”, “\name”, name with embedded null, name with a Unicode character, and so on. It does not work for names of “.”, “..”, or names that include a forward slash (‘/’).

Command syntax:

CleanNames SystemName TargetDir [option]

SystemName – AS/400 system name as entered in DNS or local hosts table
or the AS/400 system IP address. The name “localhost”
is a valid name when run from the AS/400 jvm.
TargetDir – The directory from which to start work. This is the
directory to delete all files from or the directory
to search for other directories with invalid names.
[option] – The menu option to execute. If not supplied, the user
is prompted for one of following options:

1 Rename all files in the target directory to a valid name.
The names are qfrecov1, qfrecov2, etc…
2 Rename all directories in the target directory to a valid name.
The names are qdrecov1, qdrecov2, etc…
3 List all objects in the target directory. Prompt to rename.

WRKLNK Option 4=Remove:

The WRKLNK command is not Unicode-enabled. It cannot work with files or directories that have ANSI or Unicode characters that do not exist in the operating system CCSID.

EDTF:

EDTF STMF(/) will list Stream Files and Directories on the root of the IFS. Normal IFS commands (5 to display, and so on) can be used to locate the Stream File with the invalid name.

Use opt 4 to delete file or opt 9 to delete a directory and its contents.

Chris…

Nov 13

FTP Client Version 6.1 available for free 30 day trial

As part of the revitalization of the FTP Security Manager which is now available for download, we took the opportunity to update the FTP client which has the same FTP functionality as the one shipped in the FTP Security Manager without the security controls.

This version provides a much smoother interface than the previous incarnation. It also recognizes the CCSID of the system, allowing the conversion of EBCDIC to ASCII to be carried out correctly. We have added some new features which allow the user to switch between remote and local directory listings with the press of a key, and removed some of the old screens, making navigation of the product much easier. Options have been aligned with the options used when navigating the IFS using the WRKLNK command, reducing some of the confusion when first using the product.

This version also brings a new feature which allows the user to edit a local file or display a remote file locally. This is carried out using the IBM supplied EDTF and DSPF commands. We have made many other changes in this release and continue to develop new ones such as SSL support which we hope to have in the next version.

If you want to check it out you can do so with a 30 day free trial which can be downloaded from our members section.

Those who have tried it so far love the ease of use it brings and the ability to remove the practice of moving objects via a PC to get them to the IBM ‘i’ because users prefer a better interface than the IBM FTP Client provides today.

Please take the time to download the product and try it out. We look forward to any comments you have.

Chris…

Nov 05

Refaced FTP Manager with a few minor changes using Newlook

Hi

The following are a couple of pictures of the new refacing done with Newlook. They show the very basic out of the box look with a few changes which we made to replace the Vertical Scroll Bar with an UpDown Control. This is the very first stage of the exercise but shows what is possible after a very short period of time! These can be compared with the original screen shots taken below to show you how very quickly you can transform existing 5250 screens into fairly reasonable GUI screens. We have a long way to go with the project and we are learning all the time; writing VBScript and macros is not something we have done before, so we are seeing a lot of stupid errors creeping in. But we eventually get the way of doing things and then we can move forward very quickly.

Anyhow here are a couple of the pictures

NewLook Site List

NewLook Object Attribute Display

NewLook Log View

NewLook File edit

NewLook Directory Display

If you would like to reface your application let us know; we would be more than happy to share our experiences so far.

Chris…