Requiring client authentication for the File Transfer Protocol server

If you need the File Transfer Protocol (FTP) server to authenticate clients, you can change the application specifications in IBM® Digital Certificate Manager (DCM). This step is optional.

Note: The FTP server can authenticate clients, but the i5/OS FTP client does not support client authentication. You can require client authentication, but doing so excludes connections from i5/OS FTP clients.

If an FTP client connects and client authentication is enabled for the FTP server, the client must still send a USER subcommand. After the USER subcommand is received, the FTP server checks that the named user matches the user profile associated with the client certificate that was sent during the SSL handshake. If the user matches the client certificate, no password is needed and the FTP server logs the user onto the system. The USER subcommand is still needed because the FTP protocol has no mechanism for informing the client that it is logged on without a command to reply to.
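The following is an added illustration of the exchange described above, not code from IBM or from the i5/OS FTP server. It models the server side of the control channel: a connection gate for the client-authentication setting, and a session in which a USER subcommand that names the profile bound to the client certificate is logged on without a password. The certificate-to-profile table and passwords are constructed placeholders, and the fallback to a password prompt when USER does not match the certificate is an assumption rather than documented behaviour.

```python
"""Toy model of an FTP control-channel logon where the client certificate
presented during the SSL/TLS handshake is bound to a user profile.
Constructed illustration; not the i5/OS FTP server's own code."""

from dataclasses import dataclass, field
from typing import List, Optional

# Constructed mapping: certificate subject -> user profile associated with it.
# In a real deployment this association is held by DCM; values are placeholders.
CERT_TO_PROFILE = {
    "CN=alice,O=example": "ALICE",
    "CN=bob,O=example": "BOB",
}

# Constructed password table, used only when certificate logon does not apply.
PASSWORDS = {"ALICE": "alice-secret", "BOB": "bob-secret"}


def accept_connection(require_client_auth: bool, cert_subject: Optional[str]) -> bool:
    """Model the handshake gate: when client authentication is required, a
    client that presents no certificate (for example the i5/OS FTP client)
    is refused before any FTP command is exchanged."""
    return cert_subject is not None or not require_client_auth


@dataclass
class Session:
    cert_subject: Optional[str]              # None when no client certificate was sent
    pending_user: Optional[str] = None       # profile named by USER, awaiting PASS
    logged_in_as: Optional[str] = None
    transcript: List[str] = field(default_factory=list)

    def cert_profile(self) -> Optional[str]:
        """Profile bound to the presented certificate, or None."""
        return CERT_TO_PROFILE.get(self.cert_subject) if self.cert_subject else None

    def handle(self, line: str) -> str:
        """Process one client command and return the server reply line."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            reply = self._user(arg.upper())
        elif verb == "PASS":
            reply = self._pass(arg)
        elif self.logged_in_as is None:
            reply = "530 Please log in with USER first."
        else:
            reply = f"200 {verb} accepted for {self.logged_in_as}."
        self.transcript.append(f"C: {line.strip()}")
        self.transcript.append(f"S: {reply}")
        return reply

    def _user(self, profile: str) -> str:
        if self.logged_in_as:
            return "503 Already logged in."
        if not profile:
            return "501 USER requires a user name."
        # USER is mandatory even with a certificate: the server only learns
        # which profile the client wants, and only replies, on this command.
        if profile == self.cert_profile():
            self.logged_in_as = profile
            self.pending_user = None
            return f"230 User {profile} logged in; certificate authenticated."
        # Assumption: a USER that does not match the certificate falls back
        # to a password prompt instead of being rejected outright.
        self.pending_user = profile
        return f"331 Password required for {profile}."

    def _pass(self, password: str) -> str:
        if self.logged_in_as:
            return "503 Already logged in."
        if self.pending_user is None:
            return "503 Login with USER first."
        if PASSWORDS.get(self.pending_user) == password:
            self.logged_in_as, self.pending_user = self.pending_user, None
            return f"230 User {self.logged_in_as} logged in."
        self.pending_user = None
        return "530 Login incorrect."


if __name__ == "__main__":
    # Client with a certificate bound to ALICE: no PASS is needed.
    s = Session("CN=alice,O=example")
    for cmd in ("USER alice", "PASS ignored", "LIST"):
        s.handle(cmd)
    print("\n".join(s.transcript))
```

Run the file directly to see a transcript in which the certificate-bound client is logged on by USER alone and a subsequent PASS is refused as out of sequence; construct a `Session(None)` to see the ordinary USER/PASS path.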

  1. Start IBM Digital Certificate Manager. If you need to obtain or create certificates, or otherwise set up or change your certificate system, do so now. See Configure DCM for information about setting up a certificate system.
  2. Click the Select a Certificate Store button.
  3. Select *SYSTEM. Click Continue.
  4. Enter the appropriate password for the *SYSTEM certificate store. Click Continue.
  5. When the left navigational menu reloads, expand Manage Applications.
  6. Click Update application definition.
  7. On the next screen, select Server application. Click Continue.
  8. Click i5/OS TCP/IP FTP Server.
  9. Click Update Application Definition.
  10. In the table that displays, select Yes to require client authentication.
  11. Click Apply.
  12. DCM reloads to the Update Application Definition page with a confirmation message. When you are finished updating the application definition for the FTP server, click Done.