Playing with Secure (SSL) FTP on IBM i Power System

By NickLitten

February 2, 2018

IBM i, Certificate, DCM, Digital, FTP, FTPS, manager, SSL

Or, as the grey-haired folks would say, “How to configure the ISERIES FTP server to use SSL”, or, as the geriatric brigade would say, “making the AS400 talk using that newfangled secure FTP nonsense”. But of course, we know those old computers don't exist anymore, and we know that some old people are crazy… so let's look at how this year's IBM i system does this stuff 😉

First things first – to use SSL FTP we need a certificate.

The IBM manual says: Use the following steps to configure the iSeries FTP server to use SSL. This document was created under the assumption that the user has already accessed Digital Certificate Manager (DCM) and has already either purchased a third-party certificate or created their own certificate to assign to the FTP server.

So, before we start let’s make sure our ADMIN server is running:

STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

Since this is a playground setup, let's create our own certificate and have a little play.

Set FTP Environment to allow SSL

CHGFTPA AUTOSTART(*YES) ALWSSL(*YES)

This sets the Allow secure sockets layer option to *YES, so the server accepts both SSL and plain FTP connections. The *ONLY option also allows SSL FTP connections, but it will not let regular non-secure connections through.


After making the change, restart the FTP server (ENDTCPSVR *FTP and then STRTCPSVR *FTP).

Use the IBM i Digital Certificate Manager

Now, let's use the DCM to assign a certificate to the FTP server application ID. You will need to make sure the HTTP Admin server is active and can be accessed. In the QHTTPSVR subsystem, there should be an ADMIN job. If Admin is not active, use the command

STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)

to start it.

The Admin page can be accessed by going to

http://<systemname or IP address>:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0

PS: IBM, have you thought about updating this page so it doesn't look like a Netscape throwback to the 1990s?

Certificate Store

Click on the Select a Certificate Store button and choose the *SYSTEM store. Enter your store password when it prompts you (this was created by the individual who created the *SYSTEM store).


Once you are signed in, choose the Fast Path > Work with server and client certificates.


You will see the certificates you have to choose from on the right-hand side. Select the one you want to assign to the FTP server and click

Or let's just create one for ourselves to test with:


MANAGE CERTIFICATES

Preferably you will use a certificate issued by an established CA (Certificate Authority), but we are going to cheat and use the ones that come with IBM i.

We will also stick in the *SYSTEM CERTIFICATE STORE for this example.

Manage Certificate Store > Populate with CA certificates


Just because I like to cheat, I am going to POPULATE ALL.


So, that's the easy bit done.

Now we can assign these certificates to the FTP SSL application and test it 🙂

Select a CERTIFICATE

Enable it


Check the box for IBM i TCP/IP FTP Server and click Continue.


Click OK on the Application Status screen.

And that, as they say, is that.

Now we just restart the FTP server application: ENDTCPSVR *FTP and then STRTCPSVR *FTP.


Check NETSTAT option 3 to verify the FTP secure port is listening.

You can use F13 to sort by local port and then F14 to display the local port to make it easier to find the secure FTP listener:


Anyone who wants to connect to the FTP server securely will need the CA (Certificate Authority) certificate that signed the certificate used to secure the FTP server; without it, their client cannot validate the server's certificate chain.

You can export this CA and send it to whomever requires it.

In DCM again, click on the Work with CA certificates option in Fast Path.

Select the CA certificate you wish to export. If it was a locally signed certificate, you will see LOCAL_CERTIFICATE_AUTHORITY.

Select the appropriate radio button and click the Export button below.


Make sure the File radio button is selected and click Continue.

Fill in the Export to File name: field. This file will go to the IFS, and you must include the path and name of the file you are creating.

For example, to export to your personal home directory in the IFS, you could specify /home/myprofilename/cert.cer where myprofilename is your directory and cert.cer is whatever you want to call the certificate file.

The extension can be .txt, .cer, .crt, or just about whatever you choose.

Note: Windows OS recognizes the .cer extension as a certificate and is probably a good choice to use.

So, I am going to use my home folder and export this:

/home/littenn/DigiCert-Global-Root-G2

Send the file to whoever wants to use SSL FTP to connect to your box!

They can import the CA into whatever application they use for client-side FTP and connect to the FTP server securely.
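What "importing the CA" looks like for a scripted client, as an added example that is not part of the article: a Python FTPS client that trusts only the CA file exported from DCM, fails the handshake on an untrusted chain instead of falling back to plaintext, and handles both the explicit TLS listener on port 21 and the implicit one on port 990. The host, user, password and cafile path are placeholders supplied by the caller.

```python
import socket
import ssl
from ftplib import FTP_TLS

def make_ftps_context(cafile=None):
    """Client TLS context trusting only the CA file DCM exported to the IFS
    (PEM or DER both accepted); cafile=None uses the platform store instead."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # unknown issuer => handshake fails
    ctx.check_hostname = True             # cert name must match the host
    if cafile is not None:
        with open(cafile, "rb") as fh:
            raw = fh.read()
        pem = raw.lstrip().startswith(b"-----BEGIN")
        ctx.load_verify_locations(cadata=raw.decode("ascii") if pem else raw)
    return ctx

class ImplicitFTP_TLS(FTP_TLS):
    """ftplib only speaks explicit FTPS (AUTH TLS on 21). Port 990 expects TLS
    from the first byte, so wrap the control socket as soon as it opens."""

    def connect(self, host="", port=990, timeout=-999, source_address=None):
        if host:
            self.host = host
        self.port = port
        if timeout != -999:
            self.timeout = timeout
        plain = socket.create_connection((self.host, self.port), self.timeout,
                                         source_address)
        self.af = plain.family
        self.sock = self.context.wrap_socket(plain, server_hostname=self.host)
        self.file = self.sock.makefile("r", encoding=self.encoding)
        self.welcome = self.getresp()
        return self.welcome

def connect_ftps(host, user, password, cafile, implicit=False):
    """Verified FTPS session: explicit (port 21) or implicit (port 990)."""
    ctx = make_ftps_context(cafile)
    ftp = ImplicitFTP_TLS(context=ctx) if implicit else FTP_TLS(context=ctx)
    ftp.connect(host, 990 if implicit else 21)
    ftp.login(user, password)   # explicit mode sends AUTH TLS before USER
    ftp.prot_p()                # encrypt data connections too, not just control
    return ftp
```

Call connect_ftps(host, user, password, '/home/myprofilename/cert.cer') for the port 21 listener, or add implicit=True for port 990; a server whose certificate does not chain to that CA fails the handshake before any credentials are sent.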

Work with Server Applications

You can Work with Server Applications to check that the FTP app is defaulting to a specific certificate:

  • Nick,
    We have a nightly job that is running fine from our iSeries V7R2 to a Windows Server… Unsecured…
    Now my company wants to move this to a LINUX server and they want me to use port 990 (Which is implicit Secure FTP).
    When I attempt to connect to the Linux box on port:990 I get this error:

    Secure connection error, return code -23.
    Additional message info:
    “-23 Certificate is not signed by a trusted certificate authority.”

    I am scratching my head trying to understand what I need to do to get this to work…
    Do I need to export a signed cert to the Linux server to make a successful connection…?

    PS – I followed your steps in this article, but no dice…

    Thanks,
    Jeff

  • Hi Nick,
    We were able to connect using SFTP, but now I notice that we do not need to use the BIN command any more. Any thoughts on this?
    Thanks,
    Suhail
