Or as the grey haired folks would say “How to configure the ISERIES FTP server to use SSL” or as the geriatric brigade would say “making the AS400 talk using that newfangled secure FTP nonsense”. But of course, we know those old computers don't exist anymore and we know that some old people are crazy… so let's look at how this year's IBM i System does this stuff 😉
First things first – to use SSL FTP we need a certificate.
The IBM manual says: Use the following steps to configure the iSeries FTP server to use SSL. This document was created under the assumption that the user has already accessed Digital Certificate Manager (DCM) and has already either purchased a third-party certificate, or has created their own certificate to assign to the FTP server.
So, before we start let’s make sure our ADMIN server is running:
STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
Since this is a playground setup let's create our own certificate and have a little play.
Set FTP Environment to allow SSL
CHGFTPA AUTOSTART(*YES) ALWSSL(*YES)
This sets the Allow secure sockets layer option to *YES, so the server accepts both SSL and plain connections. The *ONLY option also allows SSL FTP connections, but it will not allow regular non-secure connections to come through.
After making the change, restart the FTP server (ENDTCPSVR *FTP and then STRTCPSVR *FTP).
Use the IBM i Digital Certificate Manager
Now, let's use the DCM to assign a certificate to the FTP server application ID. You will need to make sure the HTTP Admin server is active and that it can be accessed. In the QHTTPSVR subsystem, there should be an ADMIN job. If Admin is not active, use the command
STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
to start it.
The Admin page can be accessed by going to
http://<systemname or IP address>:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0
PS: IBM, have you thought about updating this page so it doesn't look like a Netscape throwback to the 1990s?
Certificate Store
Click on the Select a Certificate Store button and choose the *SYSTEM store. Enter your store password when it prompts you (this was created by the individual who created the *SYSTEM store).
Once you are signed in, choose the Fast Path > Work with server and client certificates.
You will see the certificates you have to choose from on the right-hand side. Select the one you want to assign to the FTP server and click
Or let's just create one for ourselves to test with:
MANAGE CERTIFICATES
Preferably you will use an authorized certificate from an established CA (Certificate Authority) but we are going to cheat and use the ones that come with IBM i.
We will also stick in the *SYSTEM CERTIFICATE STORE for this example.
Manage Certificate Store > Populate with CA certificates
Just because I like to cheat I am going to POPULATE ALL
So, that's the easy bit done.
Now we can assign these certificates to the FTP SSL application and test it 🙂
Select a CERTIFICATE
Enable it
Check the box for IBM i TCP/IP FTP Server and click Continue.
Click OK on the Application Status screen.
And that.. as they say… is that.
Now we just restart the FTP server application ENDTCPSVR *FTP and then STRTCPSVR *FTP.
Check NETSTAT option 3 to verify the FTP secure port is listening.
You can use F13 to sort by local port and then F14 to display the local port to make it easier to find the secure FTP listener:
Anyone who wants to connect to the FTP server securely will need the CA (Certificate Authority) of the certificate that was used to secure the FTP server.
You can export this CA and send it to whomever requires it.
In DCM again, click on the Work with CA certificates option in Fast Path.
Select the CA certificate you wish to export. If it was a locally signed certificate, you will see LOCAL_CERTIFICATE_AUTHORITY.
Select the appropriate radio button and click the Export button below.
Make sure the File radio button is selected and click Continue.
Fill in the Export to File name: field. This file will go to the IFS, and you must include the path and name of the file you are creating.
For example, to export to your personal home directory in the IFS, you could specify /home/myprofilename/cert.cer where myprofilename is your directory and cert.cer is whatever you want to call the certificate file.
The extension can be .txt, .cer, .crt, or just about whatever you choose.
Note: Windows OS recognizes the .cer extension as a certificate and is probably a good choice to use.
So, I am going to use my home folder and export this:
/home/littenn/DigiCert-Global-Root-G2
Send the file to whoever wants to use SSL FTP to connect to your box!
They can import the CA to whatever application they use for client side FTP and connect to the FTP server securely.
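Here is the client side of that export, as an added example written for this post (it is not code from the article or from IBM): a small Python client that trusts only the CA file exported from DCM, refuses any FTP server whose certificate does not chain to it, and translates the usual verification failures into the DCM-side fix. Everything about the target is an assumption: the host name and credentials, that the IBM i FTP server accepts AUTH TLS on port 21 and implicit TLS on port 990 once ALWSSL(*YES) is set, and that the exported CA file (such as /home/littenn/DigiCert-Global-Root-G2 above, copied to the client) is Base64/PEM text rather than binary DER.

```python
# Added example for this post (not IBM's code and not from the original
# article): connect to the IBM i FTP server over TLS while trusting ONLY the
# CA exported from DCM.  Assumed: host name, credentials, AUTH TLS on port 21,
# implicit TLS on port 990, and a Base64/PEM export of the CA certificate.
import ftplib
import socket
import ssl
from typing import Optional


def make_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context that requires a server certificate chaining to a trusted CA.

    ca_file: the CA exported from DCM and copied to the client.  None means the
    OS trust store, which is fine for a public CA (DigiCert Global Root G2) but
    will never contain LOCAL_CERTIFICATE_AUTHORITY.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    # create_default_context already does this; restating it keeps a later
    # "quick fix" from silently downgrading the client to CERT_NONE.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context rejects untrusted or mis-named server certificates."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def hint_for_verify_code(code: int, message: str = "") -> str:
    """Map an OpenSSL X509_V_ERR_* code to the action the client admin needs."""
    hints = {
        18: "server certificate is self-signed and not trusted: import it, or the "
            "CA that should have signed it, on the client",
        19: "chain ends in a root the client does not trust (typical for "
            "LOCAL_CERTIFICATE_AUTHORITY): import the CA exported from DCM",
        20: "issuer not found locally: the CA file you imported is not the one "
            "that signed the certificate assigned to the FTP server in DCM",
        10: "server certificate has expired: renew it in DCM and re-assign it "
            "to the IBM i TCP/IP FTP Server application",
        62: "host name mismatch: connect using the name in the certificate's "
            "subject/SAN, not a bare IP address",
    }
    return hints.get(code, f"verification failed ({code}): {message}")


def explain_verify_error(exc: ssl.SSLCertVerificationError) -> str:
    """Turn a raised SSLCertVerificationError into a one-line hint."""
    return hint_for_verify_code(getattr(exc, "verify_code", -1),
                                getattr(exc, "verify_message", str(exc)))


def server_certificate(host: str, ca_file: Optional[str] = None,
                       port: int = 990) -> dict:
    """Implicit FTPS (port 990) starts TLS immediately, so a bare handshake is
    enough to confirm the listener is up and its certificate verifies."""
    ctx = make_tls_context(ca_file)
    with socket.create_connection((host, port), timeout=15) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def connect_ftps(host: str, user: str, password: str,
                 ca_file: Optional[str] = None, port: int = 21) -> list:
    """Explicit FTPS: plain connect, AUTH TLS, then protect the data channel."""
    ftp = ftplib.FTP_TLS(context=make_tls_context(ca_file))
    ftp.connect(host, port, timeout=30)
    try:
        ftp.auth()  # sends AUTH TLS and runs the handshake on the control channel
    except ssl.SSLCertVerificationError as exc:
        ftp.close()
        raise ConnectionError(explain_verify_error(exc)) from exc
    try:
        ftp.login(user, password)
        ftp.prot_p()  # PROT P: listings and transfers are encrypted too
        names = ftp.nlst()
        ftp.quit()
        return names
    finally:
        ftp.close()  # a failed login still releases the socket


if __name__ == "__main__":
    import getpass
    import sys
    # usage: python ftps_client.py <ibm-i-host> <user> [exported-ca-file]
    h, u = sys.argv[1], sys.argv[2]
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    print(server_certificate(h, ca).get("subject"))
    print(connect_ftps(h, u, getpass.getpass(), ca))
```

The point of `make_tls_context` is that a missing or wrong CA file fails loudly at the client rather than being papered over with `CERT_NONE`; the hint table is there because the raw OpenSSL message rarely tells the person running the job that the fix is in DCM, not in the FTP script.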
Work with Server Applications
You can Work with Server Applications to check that the FTP app is defaulting to a specific certificate:
Nick,
We have a nightly job that is running fine from our iSeries V7R2 to a Windows Server… Unsecured…
Now my company wants to move this to a LINUX server and they want me to use port 990 (Which is implicit Secure FTP).
When I attempt to connect to the Linux box on port:990 I get this error:
Secure connection error, return code -23.
Additional message info:
“-23 Certificate is not signed by a trusted certificate authority.”
I am scratching my head trying to understand what I need to do to get this to work…
Do I need to export a signed cert to the Linux server to make a successful connection…?
PS – I followed your steps in this article, but no dice…
Thanks,
Jeff
Hi Nick,
We were able to connect using SFTP, but now I notice that we do not need to use the BIN command any more. Any thoughts on this?
Thanks,
Suhail