
More notes on 3000 SFTP, and HP's advice

We got expert responses from the community to our Monday story about Secure File Transfer Protocol (SFTP), something that UK-based Adrian Hudson wants to manage from his HP 3000. Hudson checked in with us after hearing from consultant Mark Ranft of Pro 3k as well as the NewsWire. It turns out Hudson is a contractor working at Europ Assistance, a company using an HP 3000 to "provide insurance and assistance (e.g. motor breakdown, travel) cover across the world."

"They have a need for SFTP to transfer new policy details from the Internet. I have a feeling that if Europ Assistance can’t do SFTP from the 3000, or if there is a cost involved, they will simply use one of their non-3000 servers as a piggyback to do the SFTP on the 3000's behalf. But with me being a nostalgic old soul, I would like to see it done from the 3000.

"So, last week I started to look around for a zero-cost solution and found a Beechglen web page about it. This web page all seems perfectly okay, so I started to see if I could source the components mentioned on the web page, namely OpenSSL, OpenSSH, Perl and a GNU C compiler.

"On the OpenSSL list server, I also started to independently look for versions of SSL and SSH which had been ported to the 3000, and I also sent an email to Tracy Johnson of OpenMPE to try and get a logon to the invent3k2 server to see what I might find on there."

Hudson offered some career history, which includes a seven-year stint at HP. "I worked on 3000s and 9000s on and off from 1986 until 2003 and was lucky enough to work at HP between 1997 and 2003 as a 3000 ‘expert’ in their Storage Division. Since then I’ve spent seven years or so on lots of different flavours of Unix and Linux and, to be honest, until 7 weeks ago I thought I had done my last LISTF. It has been a strange but warming experience to get back onto a 3000, especially one with vanilla TurboIMAGE!"

Separately, Ranft got back to us on the specifics of running SFTP on a 3000, something he doesn't recommend as highly as getting the services from another environment.

"I have recently completed the instructions for installing SFTP on Pro 3K’s server and on a customer’s server. It was not easy, but I managed to gather all the files needed. Some of the components were extremely difficult to track down. I have them all stored in a single 100MB store-to-disk file that can be transferred to [Hudson's] system and restored.

"The instructions have you install the GNU C compiler and make the components needed for the SFTP client to function. As with following any instructions, we ran into a few issues along the way with syntax and typos. Most of these were pretty straightforward, caused by slightly different names for the newer digest files.

"When complete, your system will be capable of acting as an SFTP client, but not as an SFTP server. If you are not familiar with SFTP and how it works, another issue is the key exchange. SFTP depends on a public/private key exchange for security. The procedure for generating the key and storing it on the server is another complex portion of the project.

"After completing the SFTP installation and key exchange, I am confident that you will have a solution that will work. But this HP 3000 SFTP solution will not be ‘supported’. [Ed. note: At least not supported by HP; independent companies have an option to support it.] Basically, if you or your customer have trouble down the road, once again you will be dependent on consulting to guide you to the solution.

"In truth, using a non-HP 3000 server to be the intermediary SFTP solution is an excellent choice. This solution can provide additional security. The server running SFTP can be both a client (to send files) and a server (to receive files). The SFTP server can be placed in the DMZ of your customer's network. (A DMZ, or demilitarized zone, is a physical or logical subnetwork that contains and exposes an organization’s external services to a larger untrusted network, such as the internet.) This is a good solution."

Ranft added that the secure FTP white paper that HP referred us toward doesn't really detail how to get SFTP working on a 3000. "It's about making regular old FTP/iX more secure," Ranft said. "It has very little or nothing to do with SFTP."

HP states in the 2008 paper that it covers the enhancements HP applied to FTP/iX for security, a request voted No. 2 in the final Systems Improvement Ballot.

Briefly, these security enhancements are:

  • Restricting unauthorized users from logging on to an FTP server
  • Restricting unauthorized users from retrieving certain files on an FTP server
  • Quarantining certain FTP/iX users to single directory roots
  • Logging all FTP commands and all file transfers from both the server and client side
  • Preventing FTP users from rename, delete, and overwrite file operations
  • Disallowing read access of the NETRC configuration file (which contains sensitive logon data)
  • Password hiding when running FTP/iX in debug mode

Another section describes a few methods to enhance the security of FTP/iX in addition to the recent security enhancements. Some of the alternatives discussed are:

  • An envelope FTP/iX script that provides encryption of the data transfer between hosts
  • Using non-MPE intermediaries like HP-UX to facilitate secure FTP communication
  • Porting OpenSSH to MPE/iX to provide secure data transfer
  • Use of a firewall for socksified FTP
  • Hardware solutions for enhanced security

 
