Step-by-Step Guide for Setting up Secure FTP
By Merville Cumberbatch
This article assumes that you have four basic elements in place:
- IBM’s Digital Certificate Manager (DCM)
- TCP/IP on your I-Series
- HTTP Server on your I-Series
- An appropriate IBM Cryptographic Access Provider product on your I-Series for encryption
For full, detailed information, visit the following IBM site, or any equivalent or updated site that covers the subject: http://publib.boulder.ibm.com/iseries/v5r1/ic2924/info/rzain/rzainrzainftp.htm#HDRRZAINFTP - Topic: Securing FTP
Step 1 – Get a Certificate (if needed)
When performing secure FTP transactions, you may need to obtain a security certificate. The business with which you are trading will provide details on the specific certificate and may provide instructions for you to obtain it. Note: The certificate may already be on your system – see Step 4.
Step 2 – Export the Certificate
After downloading the certificate, you can export it via a browser. For example, using Internet Explorer (IE), go to Tools – Internet Options – Content – Certificates.
Select the appropriate certificate, click on Advanced and check “Client Authentication”. DER Encoded X.509 is commonly used as the export format. An Export Wizard will then guide you.
Note: You can perform the export using either the Combined or the Separate Certificate and CA (Certificate Authority) method. For I-Series applications, Separate is the preferred option. For Separate exporting, first select the Private Key option, provide an easily recalled password and save as a .PFX file. Perform the export again, but this time do NOT select the private key. Save as a .CER document. The result of your export will be two items – a .CER and a .PFX document.
Step 3 – Copy the Certificates to the I-Series
We recommend using Operations Navigator. In the IFS, create a new directory (e.g. CERTS) in Root and simply drag and drop your certificate documents to it. Finally, you will need to import the documents into the DCM (Digital Certificate Manager).
Step 4 – Import Certificates to the I-Series DCM (Digital Certificate Manager)
a. First, ensure that the *ADMIN instance of your HTTP server is started. If not, use the command STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN) to start it.
c. At the popup prompt, log in (preferably) as QSECOFR
d. Select the link that says Digital Certificate Manager
There are 5 basic tasks in navigating the Digital Certificate Manager
1. Select a Certificate Store
2. Import the Certificate Authority
3. Import the Certificate
4. Define what applications trust the certificate
5. Define what CAs the I-Series trusts
1. Click on “Select a Certificate Store”
- Select *SYSTEM and continue
- Put in a password. If unknown, you can reset it here, since you are QSECOFR. (Take appropriate precautions if automated processes elsewhere use this password hard coded)
- Select “Fast Path” on the left. This displays all the sub-links that you will need
- Select “Work with CA certificates” and continue. Now you see what is in your DCM
2. Import the Certificate Authority
- Select “IMPORT” at the bottom of this page if you wish to import a new certificate
- Enter the path (location and name) of the .CER document you saved to the CERTS Dir
- When prompted, provide an intelligent name, such as the CA’s name + imported date
- If updating an existing authority, you may need to delete the old CA first
3. Import the Certificate
- From your expanded “Fast Path” links at left, select “Work with Server and Client Certificates”
- Again, if working with a new certificate, select “Import”
- Now enter the path (location and name) of the .PFX document
If you get an error concerning “validity period,” your system’s UTC offset may not be set correctly for the current DST (Daylight Saving Time) period. Use the WRKSYSVAL QUTCOFFSET command on your I-Series command line to enter the correct value, paying careful attention to the current DST period.
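As an added example (not from the article or from IBM), the script below reads the notBefore/notAfter dates out of a DER-encoded (.CER) certificate's tbsCertificate and replays the validity check with the system's UTC offset deliberately one hour off, which is enough to reject a freshly issued certificate. The certificate bytes are constructed in the script (empty issuer, subject, key and signature), UTCTime fields are assumed, and the relation "system UTC = local clock minus QUTCOFFSET" is an assumption about how the offset is applied.

```python
from datetime import datetime, timedelta, timezone

def der(tag, body):
    """Minimal DER TLV encoder (short-form lengths only: body shorter than 128 bytes)."""
    return bytes([tag, len(body)]) + body

def utctime(dt):
    """ASN.1 UTCTime (tag 0x17), e.g. b'240310120000Z'."""
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def tlv_iter(buf):
    """Yield (tag, value) for each DER element in buf; handles long-form lengths too."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                      # long form: next (n & 0x7F) bytes hold the length
            k, i = n & 0x7F, i + (n & 0x7F)
            n = int.from_bytes(buf[i - k:i], "big")
        yield tag, buf[i:i + n]
        i += n

def validity_from_der(cert):
    """Return (notBefore, notAfter) from the tbsCertificate of a DER X.509 blob (UTCTime only)."""
    tbs = next(tlv_iter(next(tlv_iter(cert))[1]))[1]   # Certificate -> tbsCertificate body
    fields = list(tlv_iter(tbs))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3][1]                             # serial, sigAlg, issuer, validity, ...
    parse = lambda v: datetime.strptime(v.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return tuple(parse(v) for _, v in tlv_iter(validity))

def check_validity(cert, local_now, qutcoffset_hours):
    """Mimic the DCM check. Assumption: system UTC = local wall clock minus QUTCOFFSET."""
    utc_now = (local_now - timedelta(hours=qutcoffset_hours)).replace(tzinfo=timezone.utc)
    not_before, not_after = validity_from_der(cert)
    return not_before <= utc_now <= not_after

# Constructed certificate skeleton (NOT a real certificate): only the fields the check walks
# carry meaningful values; issuer, subject, key and signature are empty placeholders.
NOT_BEFORE = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
VALIDITY = der(0x30, utctime(NOT_BEFORE) + utctime(NOT_BEFORE + timedelta(days=365)))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
          + der(0x30, b"") + VALIDITY + der(0x30, b"") + der(0x30, b""))
CERT = der(0x30, TBS + der(0x30, b"") + der(0x03, b"\x00"))
LOCAL_CLOCK = datetime(2024, 3, 10, 8, 30)   # wall clock reads 08:30 on a day when the true offset is -4

if __name__ == "__main__":
    print("offset -4:", check_validity(CERT, LOCAL_CLOCK, -4))   # True: UTC 12:30 is inside the period
    print("offset -3:", check_validity(CERT, LOCAL_CLOCK, -3))   # False: UTC 11:30 is before notBefore
```

To try it on a real exported .CER, pass `open("cert.cer", "rb").read()` as `cert`; certificates with dates beyond 2049 use GeneralizedTime (tag 0x18), which this parser does not handle.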
4. Define What Applications Trust Your New Certificate
- From “Fast Path,” select “Work with Client Applications”
- Select “OS/400 TCP/IP FTP Client” and click “Work with Application”
- Select “Update Certificate Assignment”
- Choose your desired certificate and click “Assign new certificate”
- Using “Cancel,” return to the previous screen. Your new certificate is now assigned
5. Define What CAs the I-Series Trusts
- From the second step of (4), set the radio button for “Define the CA trust list” to Yes, and click “Apply”
- Check (select) the appropriate CA, and click “OK”
- Go back one screen with “Cancel.” The new trusted authority should be listed
At this stage your security certificate has been applied to your I-Series FTP application. You are through with the DCM and ready to perform secure FTP.
Scripting and operating secure FTP are fundamentally the same as for regular FTP. The two basic differences are likely to be the communication method and the port used. These two factors, in concert with the encryption and certificates, ensure the security. Here are a few brief notes.
a. For secure Internet FTP, you can use the SSL (Secure Sockets Layer) or SSH (Secure Shell) protocol. SSL is also sometimes called TLS (Transport Layer Security) or TLS-P (TLS Protocol). Find out from your trading partner exactly which protocol you need to use and which port you need to transact on. Though port 21 is the most commonly used and is the default, some may require transactions via port 990.
b. Enter the I-Series FTP command on a command line, and hit the F4 or Enter key. When the “Start TCP/IP File Transfer (FTP)” prompt comes up, hit the F10 function key to bring up the “Port” and “Secure Connection” parameter fields. Use the F1 help key on each one to read about the defaults and available options.
c. If you use a third party FTP application that does not provide full flexibility for port selection etc., you can replace the common FTP command “Open” with “SOpen” to start a secure FTP session. The SOpen command accepts two optional parameters, port and communication method, so it covers those two key elements – e.g. Sopen 123.456.78.90 ‘21’ ‘SSL’. If the two parameters are left blank, the I-Series assumes port 21 and the *SSL method. [This of course assumes that the appropriate certificate needed during the FTP transaction has already been set up correctly and assigned to the FTP application in the DCM (See Part 1 – Implementing a Security Certificate).]
d. Caveat: The I-Series limits users to a single active certificate per application. This means that if you have multiple secure FTP destinations that require different certificates, you will have to assign the applicable certificate through the DCM each time before a different FTP session. This obviously hinders automation in a serious way, so you may want to contact IBM and request a method (e.g. API) of programmatically hot-swapping your certificates, else you may have to manage your certificates outside of the I-Series environment.
Please send any comments or corrections for this article to firstname.lastname@example.org