Troubleshooting
Problem
This document describes how to configure the SSL/TLS FTP client using Heritage Digital Certificate Manager.
Resolving The Problem
For instructions on how to use the updated Digital Certificate Manager for i, see the following documentation:
SSL/TLS FTP uses digital certificates to encrypt data end to end. Passwords, FTP subcommands, and the data transferred are all encrypted by this means.
To configure the SSL/TLS FTP client, first get the Certificate Authority (CA) from the remote server.
If you are unable to get the CA from the remote server, use QMGTOOLS to extract the CA.
After receiving the CA, to import it and to set the FTP client to trust it, do the following:
Step 1: FTPing the CA to the IBM System i System
a. Detach the CA to your PC. Often it will have a .cer extension (or it may not have one at all). Then, we will FTP it to the IBM System i system Integrated File System in Binary format.
b. Bring up a DOS command prompt on the PC and type: ftp <system name or IP address>
c. Sign on with your standard operating system user ID and password.
d. At the FTP prompt, run the following command: QUOTE SITE NAMEFMT 1
e. To change the directory to the root directory on the System i system, run the following command: CD /
f. Issue the PUT command. For example, if the CA is detached to the C:/ (root on PC) and it was called ca.cer, PUT ca.cer would transfer the file.
Note: Normally, ASCII mode FTP will be used (base64 encoded certificates). If the import fails (step 2l), try FTPing the CA to the system in BIN mode.
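The note above ties the FTP transfer mode to how the CA file is encoded. The following Python sketch is an added example, not part of the original document: it reports whether a CA file is base64 (PEM) or binary (DER), which transfer mode fits, and a SHA-256 fingerprint to compare with the remote server's administrator before the CA is trusted. The function names and sample bytes are constructed for illustration, and the check covers only the outer DER framing, not certificate validity.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_framing_ok(der: bytes) -> bool:
    """True if data is one DER SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:          # certificates start with SEQUENCE
        return False
    if der[1] < 0x80:                           # short-form length
        header, body = 2, der[1]
    else:                                       # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + body

def inspect_ca_file(data: bytes) -> dict:
    """Classify a CA file and fingerprint it before it is transferred and imported."""
    match = PEM_RE.search(data)
    if match:                                   # base64 text: survives ASCII-mode FTP
        encoding, ftp_mode = "PEM", "ASCII"
        try:
            der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        except ValueError:                      # armor present but body is not base64
            der = b""
    else:                                       # raw DER: needs BIN mode
        encoding, ftp_mode = "DER", "BINARY"
        der = data
    ok = der_framing_ok(der)
    return {"encoding": encoding, "ftp_mode": ftp_mode, "well_formed": ok,
            "sha256": hashlib.sha256(der).hexdigest() if ok else None}

# Constructed sample bytes (a tiny DER SEQUENCE, not a real certificate).
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x0A])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")
# What a text-mode transfer can do to binary data: line-ending bytes get rewritten.
MANGLED_DER = SAMPLE_DER.replace(b"\n", b"\r\n")

if __name__ == "__main__":
    for name, blob in [("pem", SAMPLE_PEM), ("der", SAMPLE_DER), ("mangled", MANGLED_DER)]:
        print(name, inspect_ca_file(blob))
```

To check a real file, pass its bytes, for example inspect_ca_file(open("ca.cer", "rb").read()). The PEM and DER forms of the same certificate produce the same fingerprint.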
Step 2: Importing the CA Using Digital Certificate Manager
The CA will be imported using Digital Certificate Manager (which is part of the HTTP ADMIN server). Do the following:
a. Open a Web browser, and type:
http://system_name:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0
For example, to go to the ADMIN server on system RCHASCLC, type the following in the address bar:
http://rchasclc:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0
If an error such as "Page cannot be displayed" is displayed, use NETSTAT *CNN and press 14 to see if port 2001 is active. If the port is not found, issue the STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN) command.
b. Sign on with a user ID that has *SECOFR authority. Then click i5 OS tasks.
c. Click the Digital Certificate Manager link.
d. Click Select a Certificate Store button on the left.
e. Click the radio button for *SYSTEM (continue).
f. Type the password for the certificate store.
g. If the password is correct, you are now signed on and can import the CA.
h. Click Fast Path.
i. Click the radio button for Work with CA Certificates (continue).
j. The list of all the current CAs on the system is shown. Scroll all the way to the bottom, and click the IMPORT button.
k. Next, enter the full path of the CA that was transferred to the system using FTP. In this example, it is ca.cer.
l. Click Continue. It will then ask for a certificate label. This can be anything that you can use to identify this CA. In this example, TestCA was used.
A message is displayed indicating that the CA was imported successfully.
The CA is now successfully imported. The next step is to set the FTP SSL/TLS client to trust the CA we just imported.
*Optional Step 3: Setting the FTP Client to Trust This CA.
a. Click Manage Applications in the left navigation pane. Then, click the radio button for Define CA Trust List, and click Continue.
b. Click the Client radio button, and click Continue.
c. Click the radio button for OS/400 TCP/IP FTP Client.
d. Click Define CA Trust List at the bottom.
e. Find the CA you imported in Step 2 (in this example, it is TestCA), and click the box next to it. You could also select Trust All at the top and set the client to trust all the CAs in the list.
f. Scroll to the bottom, and click OK. A message is then posted indicating that the changes have been applied.
The FTP client is now set to use this certificate authority when prompted by the FTP server. Additional CAs can also be trusted by clicking the check box next to them.
Only new jobs will be able to use this new configuration. This means that interactive sessions running batch jobs or persistent applications must be ended and started again to be able to use the changes made to the SSL/TLS FTP client.
Historical Number
425060441
Document Information
Modified date:
21 December 2022
UID
nas8N1014798