Comments on the use of ftp server/client on OS/400 AS/400

Just got Carol Woodsbury latest IBM i Security book: a quick browse showed
OS/400 uses ftp (it has telnet & ftp servers in it).

I've been hearing for the past ten years that ftp should not be used anymore
from security point of view as data as well as credentials of ftp are not
encrypted; likewise for telnet

Q1:
So under what circumstances is ftp's use still justified for OS/400?
Or there are legacy IBM products that require ftp & if so which ones?

Q2:
Is it possible to sftp/scp for OS/400?  From the index of the book, there's
no mention of sftp/scp, so I'm curious if sftp/scp is the way to go for
OS/400?  Or there's 3rd parties  sftp servers out there for OS/400 that
we ought to install?
sunhuxAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Gary PattersonVP Technology / Senior Consultant Commented:
Q1: IBM i FTP server supports TLS encryption.  FTP over TLS is secure.  Unencrypted FTP sends credentials in plaintext, so the only time it is a appropriate is when potential disclosure of the user ID and password that you are using to log on, and all of the commands and data you send doesn't matter.  From a practical standpoint, it is best to just avoid unencrypted FTP altogether.  FTPS (FTP over SSL/TLS) was available in V5R1, and possible further back than that.

I'm not aware of any IBM products that require unencrypted FTP connections to the IBM i.

Q2: Yes, since V5R4, sftp/scp is part of PASE.  

http://www-01.ibm.com/support/docview.wss?uid=nas8N1012710

There are also 3rd party products.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Gary PattersonVP Technology / Senior Consultant Commented:
BTW, IBM i also provides TLS encryption for Telnet connections.
sunhuxAuthor Commented:
Thanks v much.

In versions prior to V5R1, can we specify which version of TLS (specifically V1.2) to use and to disable SSL?  Or starting which version of Ibm i is this feature to specify TLS version available?
Member_2_276102Commented:
Versions prior to V5R1 are far too old to be concerned about the security of network protocols. It's similar to being concerned about Windows pre-2000. And technically, at least some of the concern over SSL is still misplaced unless you're involved with perhaps military secrets and interception. See, e.g., SSL is broken. So what? (2014) and many others.

Simple FTP might be justified any time simple, unsecured transfers will be done or perhaps when a VPN is used. Of course, only a dedicated user profile should do transfers, one authorized only for transfers and only to specific source/destination directories or libraries. If your organization has someone sniffing traffic, there are probably other problems anyway.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
IBM System i

From novice to tech pro — start learning today.