
SSL FTP Client Configuration

Technote (troubleshooting)


Problem(Abstract)

This document describes how to configure the SSL FTP client.

Resolving the problem

SSL FTP uses digital certificates to encrypt the connection end to end. Passwords, FTP subcommands, and the data transferred are all
encrypted by this means. You will need the following products:

5722SS1 Option 34, Digital Certificate Manager (DCM)
5722AC3, Crypto Access Provider 128-bit (AC3). In R540 this is part of the base operating system.

To configure the SSL FTP client, first obtain the Certificate Authority (CA) certificate from the server's administrator. If it is a
public CA (for example, VeriSign, Thawte, and so on), the server administrator may not have to send you anything. Proceed to Step 3.

However, even with a public CA the server administrator may still need to send you a certificate, because some certificate issuers
use chained (intermediate) CAs.

After receiving the CA, to import it and to set the FTP client to trust it, do the following:

Step 1: FTPing the CA to the IBM System i System
a. Save (detach) the CA file to your PC. Often it will have a .cer extension (or it may have no extension at all). Then FTP it to the
IBM System i Integrated File System (IFS); see the note at the end of this step on choosing ASCII or binary transfer mode.

b. Bring up a DOS command prompt on the PC and type: ftp <system name or IP address>

c. Sign on with your standard operating system user ID and password.

d. At the FTP prompt, run the following command: QUOTE SITE NAMEFMT 1

e. To change the directory to the root directory on the System i system, run the following command: CD /

f. Issue the PUT command. For example, if the CA was saved to C:\ (the root of the PC drive) and it was called ca.cer,
PUT ca.cer would transfer the file.

Note: Normally ASCII mode FTP is used, because the CA is usually a Base64-encoded certificate. If the import fails (Step 2l), try
FTPing the CA to the system in binary mode.
This screen shot shows an example of a PUT of the CA to the IFS.
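The import in Step 2 fails when the CA file was sent in the wrong transfer mode. The following added example (not part of this technote) inspects the CA file before it is sent: it distinguishes a Base64 (PEM) file, which goes in ASCII mode, from a DER file, which goes in binary mode, and counts how many certificates a file carries, which shows whether intermediate CAs of a chain are bundled with it. The sample inputs are constructed, not real certificates.

```python
import base64
import re

# Constructed sample inputs (not real certificates): the PEM chain holds two
# copies of the same tiny DER blob, which is just SEQUENCE { INTEGER 5 }.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM_CHAIN = (b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n"
                    b"-----END CERTIFICATE-----\n") * 2

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_sequence_length(data):
    """Total byte length claimed by the outer DER SEQUENCE, or None if malformed."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes carry the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify_ca_file(data):
    """Report the file's encoding, the FTP transfer mode to use, and the certificate count."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        valid = True
        for body in blocks:
            try:
                der = base64.b64decode(re.sub(rb"\s+", b"", body), validate=True)
            except ValueError:             # not Base64: the text was mangled in transit
                valid = False
                continue
            # Decoded bytes must form exactly one well-formed DER SEQUENCE.
            valid = valid and der_sequence_length(der) == len(der)
        return {"encoding": "pem", "transfer_mode": "ascii",
                "certificates": len(blocks), "valid": valid}
    if der_sequence_length(data) == len(data):
        return {"encoding": "der", "transfer_mode": "binary",
                "certificates": 1, "valid": True}
    return {"encoding": "unknown", "transfer_mode": None,
            "certificates": 0, "valid": False}


if __name__ == "__main__":
    for name, blob in (("der", SAMPLE_DER), ("pem", SAMPLE_PEM_CHAIN)):
        print(name, classify_ca_file(blob))
```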


Step 2: Importing the CA Using Digital Certificate Manager

The CA will be imported using Digital Certificate Manager (which is part of the HTTP ADMIN server). Do the following:

a. Open a Web browser, and type:

http://system_name:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0

For example, to go to the ADMIN server on system RCHASCLC, type the following in the address bar:

http://rchasclc:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0

If an error such as "Page cannot be displayed" appears, check that port 2001 is active: run NETSTAT *CNN and press F14 (Display
port numbers) to see whether port 2001 is listening. If the port is not found, issue the STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN) command.

b. Sign on with a user ID that has *SECOFR authority. Then click i5/OS Tasks.

c. Click on the Digital Certificate Manager link.

d. Click Select a Certificate Store button on the left.
This screen shot shows an example of the initial DCM page.

e. Click the radio button for *SYSTEM, and click Continue.
This screen shot shows an example of choosing the *system cert store.

f. Type the password for the certificate store.
This screen shot shows an example of signing into the *system cert store.

g. If the password is correct, you are now signed on and can import the CA.

h. Click on Fast Path.

i. Click the radio button for Work with CA Certificates, and click Continue.
This screen shot shows an example of choosing the work with CA Certificates option.

j. The list of all the current CAs on the system is shown. Scroll all the way to the bottom, and click the Import button.
This screen shot shows an example of importing a CA.

k. Next, enter the full path of the CA file that was transferred to the system using FTP. In this example, the file was put in the
root directory, so the path is /ca.cer.
This screen shot shows an example of entering the CA path.

l. Click Continue. You are then asked for a certificate label, which can be any text that identifies this CA to you. In this
example, TestCA was used.
This screen shot shows an example of giving the CA a label.


A message is displayed indicating that the CA was imported successfully.
This screen shot shows an example of a successful importation of a CA.


The CA is now successfully imported. The next step is to set the FTP SSL client to trust the CA we just imported.

Step 3: Setting the FTP Client to Trust This CA

a. Click on Manage Applications in the left navigation pane. Then, click the radio button for Define CA Trust List, and
click Continue.
This screen shot shows an example of going into the Define a CA trust list.


b. Click the Client radio button, and click Continue.
This screen shot shows an example of choosing the CLIENT application list.


c. Click the radio button for OS/400 TCP/IP FTP Client.
This screen shot shows an example of choosing the FTP client.

d. Click Define CA Trust List at the bottom.

e. Find the CA you imported in Step 2 (in this example, it is TestCA), and select the check box next to it. You could also select
Trust All at the top to set the client to trust every CA in the list, but selecting only the CA the server actually uses keeps the
client's trust as narrow as possible.
This screen shot shows an example of choosing the correct CA for the FTP client.

f. Scroll to the bottom, and click OK. A message is then posted indicating that the changes have been applied.
This screen shot shows an example of a successful config.

The FTP client is now set to use this certificate authority when prompted by the FTP server. Additional CAs can also be trusted
by clicking the check box next to them.

Only jobs started after the change pick up the new configuration. Interactive sessions, batch jobs, and persistent applications
that are already running must be ended and started again to use the changes made to the SSL FTP client.

Historical Number

425060441

Document information

More support for: IBM i
Communications-TCP

Software version: Version Independent

Operating system(s): IBM i

Reference #: N1014798

Modified date: 31 July 2013

