IBM Support

SSL/TLS FTP Client Configuration using Heritage Digital Certificate Manager

Troubleshooting


Problem

This document describes how to configure the SSL/TLS FTP client using Heritage Digital Certificate Manager.

Resolving The Problem

This document describes how to configure the SSL/TLS FTP client using Heritage Digital Certificate Manager. For instructions on how to use the updated Digital Certificate Manager for i, see the following documentation:

SSL/TLS FTP protects the session with TLS, using digital certificates to authenticate the server (and optionally the client). The password, the FTP subcommands on the control connection, and the data transferred on the data connection are all encrypted by this means.

To configure the SSL/TLS FTP client, first obtain the Certificate Authority (CA) certificate that issued the remote server's certificate. Normally the administrator of the remote server supplies it.
If you are unable to get the CA from the remote server, use QMGTOOLS to extract the CA. Whichever way the CA file arrives, confirm its fingerprint with the remote server's owner through a channel other than the one it was delivered on before importing it: anything imported into the *SYSTEM store and placed on the FTP client's trust list is a CA the client will accept server certificates from.


After receiving the CA, to import it and to set the FTP client to trust it, do the following:

Step 1: FTPing the CA to the IBM System i System
a. Detach the CA to your PC. Often it will have a .cer extension (or it may not have one at all). It will then be FTPed to the IBM System i Integrated File System (IFS).

b. Bring up a command prompt on the PC and type: ftp <system name or IP address>

c. Sign on with your standard operating system user ID and password. Note that this FTP session is not itself encrypted, so the user ID and password cross the network in the clear; do this from a trusted network.

d. At the FTP prompt, run the following command: QUOTE SITE NAMEFMT 1

e. To change the directory to the root directory of the IFS on the System i system, run the following command: CD /

f. Issue the PUT command. For example, if the CA was detached to C:\ (the root of the PC's drive) as ca.cer, PUT ca.cer transfers the file to /ca.cer on the IFS.

Note: A base64-encoded (PEM) CA file, which is the usual case, can be transferred in ASCII mode. If the file is binary (DER encoded), or if the import fails in Step 2l, transfer the CA to the system again in BIN mode.
This screen shot shows an example of a PUT of the CA to the IFS.
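The checks a practitioner would want to run on the CA file before Step 1 and Step 2 (is it PEM or DER, so ASCII or BIN mode is chosen correctly; is it really a CA certificate; does its fingerprint match what the server owner gave you) are shown below as an added example. This is not part of the IBM document and not IBM tooling: it is a POSIX shell script that assumes openssl is on the PATH, generates a throwaway self-signed CA as constructed sample input, and writes the FTP command sequence from Step 1 in the form accepted by a POSIX ftp client (ftp -n host < script). The file names, the user ID alice and the expected fingerprint are illustrative.

```shell
#!/bin/sh
# Added example, not from the IBM document. Pre-import checks for a CA file
# before it is FTPed to the IFS and imported into the *SYSTEM store.
# Assumes: openssl in PATH. File names and user IDs are illustrative.
set -eu

# Is the file base64 (PEM) or binary (DER)? PEM survives an ASCII-mode FTP
# transfer; DER must be sent in BIN mode (or converted to PEM first).
cert_format() {
    if grep -q "BEGIN CERTIFICATE" "$1" 2>/dev/null; then
        echo PEM
    elif openssl x509 -inform DER -in "$1" -noout >/dev/null 2>&1; then
        echo DER
    else
        echo UNKNOWN
        return 1
    fi
}

# Convert a DER file to PEM so the transfer can use the default ASCII mode.
to_pem() {
    fmt=$(cert_format "$1")
    if [ "$fmt" = DER ]; then
        openssl x509 -inform DER -in "$1" -out "$2"
    else
        cp "$1" "$2"
    fi
}

# SHA-256 fingerprint of the certificate, independent of its encoding.
fingerprint() {
    fmt=$(cert_format "$1")
    openssl x509 -inform "$fmt" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Compare against a fingerprint obtained from the server owner out of band.
verify_fingerprint() {
    [ "$(fingerprint "$1")" = "$2" ]
}

# A file imported as a CA should carry basicConstraints CA:TRUE; importing a
# server (end-entity) certificate here by mistake is a common failure.
is_ca() {
    fmt=$(cert_format "$1")
    openssl x509 -inform "$fmt" -in "$1" -noout -text | grep -q "CA:TRUE"
}

# The ftp command sequence from Step 1, for `ftp -n host < script`.
# The password is deliberately not written into the script; ftp prompts for it.
ftp_script() {
    user=$1 file=$2 mode=$3   # mode is "ascii" (PEM) or "binary" (DER)
    printf 'user %s\nquote SITE NAMEFMT 1\ncd /\n%s\nput %s\nquit\n' \
        "$user" "$mode" "$file"
}

# Constructed sample input: a throwaway self-signed CA in both encodings.
make_sample_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl x509 -in "$dir/ca.pem" -outform DER -out "$dir/ca.cer"
}

# Typical use before Step 1 (run against the real ca.cer instead of a sample):
#   fmt=$(cert_format ca.cer); is_ca ca.cer && fingerprint ca.cer
#   [ "$fmt" = DER ] && to_pem ca.cer ca.pem
#   ftp_script MYUSER ca.pem ascii > put_ca.ftp   # then: ftp -n system < put_ca.ftp
```

If the fingerprint does not match what the server owner reports, stop: do not import the file, and do not add it to the trust list in Step 3.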


Step 2: Importing the CA Using Digital Certificate Manager

The CA will be imported using Digital Certificate Manager (which is part of the HTTP ADMIN server). Do the following:

a. Open a Web browser, and type:

http://system_name:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0

For example, to go to the ADMIN server on system RCHASCLC, the following would be typed in the address bar:

http://rchasclc:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0

If an error is displayed such as "Page cannot be displayed", ensure port 2001 is active: run NETSTAT *CNN and press F14 (Display port numbers) to see whether a job is listening on port 2001. If the port is not found, issue the STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN) command.

b. Sign on with a user ID that has *SECOFR authority. Then click i5/OS Tasks.

c. Click the Digital Certificate Manager link.

d. Click Select a Certificate Store button on the left.
This screen shot shows an example of the initial DCM page.

e. Click the radio button for *SYSTEM, and click Continue.
This screen shot shows an example of choosing the *system cert store.

f. Type the password for the certificate store.
This screen shot shows an example of signing into the *system cert store.

g. If the password is correct, you are now signed on and can import the CA.

h. Click Fast Path.

i. Click the radio button for Work with CA Certificates, and click Continue.
This screen shot shows an example of choosing the work with CA Certificates option.

j. The list of all the current CAs on the system is shown. Scroll all the way to the bottom, and click the IMPORT button.
This screen shot shows an example importing a CA.

k. Next, enter the full IFS path of the CA file that was transferred to the system using FTP. In this example, it is /ca.cer.
This screen shot shows an example of entering the CA path.

l. Click Continue. It then asks for a certificate label. This can be any name that lets you identify this CA later. In this example, TestCA was used.
This screen shot shows an example giving the CA a label.


A message is displayed indicating that the CA was imported successfully.
This screen shot shows an example of a successful importation of a CA.


The CA is now successfully imported. The next step is to set the FTP SSL/TLS client to trust the CA we just imported.

Step 3 (optional): Setting the FTP Client to Trust This CA

a. Click Manage Applications in the left navigation pane. Then, click the radio button for Define CA Trust List, and click Continue.
This screen shot shows an example of going into the Define a CA trust list.


b. Click the Client radio button, and click Continue.
This screen shot shows an example of choosing the CLIENT application list.


c. Click the radio button for OS/400 TCP/IP FTP Client.
This screen shot shows an example of choosing the FTP client.

d. Click Define CA Trust List at the bottom.

e. Find the CA you imported in Step 2 (in this example, it is TestCA), and click the box next to it. You could also select Trust All at the top to set the client to trust every CA in the list, but that makes the FTP client accept a server certificate issued by any CA in the *SYSTEM store, including ones imported for unrelated purposes; trusting only the specific CA you verified is the safer choice.
This screen shot shows an example of choosing the correct CA for the FTP client.

f . Scroll to the bottom, and click OK. A message is then posted indicating that the changes have been applied.
This screen shot shows an example of a successful config.

The FTP client will now accept a server certificate issued by this certificate authority when it negotiates SSL/TLS with the FTP server. Additional CAs can be trusted by clicking the check box next to them.

Only jobs started after the change pick up the new configuration. Interactive sessions, batch jobs, or persistent applications that are already running must be ended and started again before they can use the changes made to the SSL/TLS FTP client.

Applies to: IBM i 7.2.0, Digital Certificate Manager (Power, IBM Infrastructure w/TPS)

Historical Number

425060441

Document Information

Modified date:
21 December 2022

UID

nas8N1014798