Playing with Secure (SSL) FTP on IBM i Power System

Or as the grey haired folks would say “How to configure the ISERIES FTP server to use SSL” or as the geriatric brigade would say “making the AS400 talk using that newfangled secure FTP nonsense“. But of course, we know those old computers don’t exist anymore and we know that some old people are crazy… so let’s look at how this year’s IBM i System does this stuff 😉

First things first – to use SSL FTP we need a certificate.

The IBM manual says: Use following steps to configure the iSeries FTP server to use SSL. This document was created under the assumption that the user has already assessed Digital Certificate Manager (DCM) and has already either purchased a third-party certificate, or has created their own certificate to assign to the FTP server.

So, before we start let’s make sure our ADMIN server is running:

STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

Since this is a playground setup, let’s create our own certificate and have a little play.

Set FTP Environment to allow SSL

CHGFTPA AUTOSTART(*YES) ALWSSL(*YES)

This will set the Allow secure sockets layer option to *YES. The *ONLY option will also allow SSL FTP connections; however, it will not allow regular non-secure connections to come through.


After making the change, restart the FTP server (ENDTCPSVR *FTP and then STRTCPSVR *FTP).

Use the IBM i Digital Certificate Manager

Now, let’s use the DCM to assign a certificate to the FTP server application ID. You will need to make sure the HTTP Admin server is active and that it can be accessed. In the QHTTPSVR subsystem, there should be an ADMIN job. If Admin is not active, use the command

STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

to start it.

The Admin page can be accessed by going to

http://<systemname or IP address>:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0


PS: IBM have you thought about updating this page so it doesn’t look like a Netscape throwback to the 1990’s?

Certificate Store

Click on the Select a Certificate Store button and choose the *SYSTEM store. Enter your store password when it prompts you (this was created by the individual who created the *SYSTEM store).


Once you are signed in, choose the Fast Path > Work with server and client certificates.


You will see the certificates you have to choose from on the right-hand side. Select the one you want to assign to the FTP server and click

Or let’s just create one for ourselves to test with:


MANAGE CERTIFICATES

Preferably you will use an authorized certificate from an established CA (Certificate Authority) but we are going to cheat and use the ones that come with IBM i.

We will also stick in the *SYSTEM CERTIFICATE STORE for this example.

Manage Certificate Store > Populate with CA certificates


Just because I like to cheat, I am going to POPULATE ALL.


So, that’s the easy bit done.

Now we can assign these certificates to the FTP SSL application and test it 🙂

Select a CERTIFICATE

Enable it


Check the box for IBM i TCP/IP FTP Server and click Continue.


Click OK on the Application Status screen.

And that.. as they say… is that.

Now we just restart the FTP server application ENDTCPSVR *FTP and then STRTCPSVR *FTP.


Check NETSTAT option 3 to verify the FTP secure port is listening.

You can use F13 to sort by local port and then F14 to display the local port to make it easier to find the secure FTP listener:


Anyone who wants to connect to the FTP server securely will need the CA (Certificate Authority) certificate for the certificate that was used to secure the FTP server.

You can export this CA and send it to whomever requires it.

In DCM again, click on the Work with CA certificates option in Fast Path.

Select the CA certificate you wish to export. If it was a locally signed certificate, you will see LOCAL_CERTIFICATE_AUTHORITY.

Select the appropriate radio button and click the Export button below.


Make sure the File radio button is selected and click Continue.

Fill in the Export to File name: field. This file will go to the IFS, and you must include the path and name of the file you are creating.

For example, to export to your personal home directory in the IFS, you could specify /home/myprofilename/cert.cer where myprofilename is your directory and cert.cer is whatever you want to call the certificate file.

The extension can be .txt, .cer, .crt, or just about whatever you choose.

Note: Windows OS recognizes the .cer extension as a certificate, so it is probably a good choice to use.

So, I am going to use my home folder and export this:

/home/littenn/DigiCert-Global-Root-G2


Send the file to whoever wants to use SSL FTP to connect to your box!

They can import the CA to whatever application they use for client side FTP and connect to the FTP server securely.
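A client-side check of the setup above, as an added example that is not part of the original post: it trusts only the CA file exported from DCM, logs in over explicit FTPS, protects the data channel, and reports what was negotiated. The function names are hypothetical, and explicit TLS on control port 21 and a CA file in either base64 (PEM) or binary (DER) form are assumptions.

```python
import ssl
from ftplib import FTP_TLS


def strict_context():
    """TLS client context that verifies chain and hostname and trusts no CA yet."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def ca_encoding(data):
    """Tell whether the exported CA file is base64 text (PEM) or binary (DER)."""
    return "PEM" if b"-----BEGIN CERTIFICATE-----" in data else "DER"


def trust_exported_ca(ctx, path):
    """Add the CA file exported from DCM as the only trust anchor."""
    with open(path, "rb") as fh:
        data = fh.read()
    if ca_encoding(data) == "PEM":
        ctx.load_verify_locations(cadata=data.decode("ascii", "ignore"))
    else:
        ctx.load_verify_locations(cadata=data)  # bytes are parsed as DER
    return ctx


def check_ftps(host, user, password, ca_path, port=21):
    """Explicit FTPS login; returns (TLS version, cipher, server cert subject)."""
    ctx = trust_exported_ca(strict_context(), ca_path)
    ftps = FTP_TLS(context=ctx, timeout=15)
    try:
        ftps.connect(host, port)
        ftps.login(user, password)  # ftplib sends AUTH TLS before USER/PASS
        ftps.prot_p()               # encrypt the data connection as well
        sock = ftps.sock            # control connection, now an SSLSocket
        result = (sock.version(), sock.cipher()[0], sock.getpeercert()["subject"])
        ftps.quit()
        return result
    finally:
        ftps.close()
```

Call `check_ftps()` with the system name that appears in the server certificate; connecting by a name or IP address the certificate does not carry raises `ssl.SSLCertVerificationError`, as does a server certificate that does not chain to the exported CA.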

Work with Server Applications

You can Work with Server Applications to check that the FTP app is defaulting to a specific certificate:
