FTPS between Mainframe and IBM i

We would like to set up FTPS (SSL FTP) between our mainframe and IBM i (V7R1 currently). Our mainframe system programmer sent me a certificate (MAINFRAME.CER).  I went into the digital certificate manager on our IBM i and imported the certificate and then added it to the "access" list for FTP.

Does anyone know what else is needed to be able to do FTPS between the IBM i and Mainframe?

I appreciate any help
Matthew Roessner (Senior Systems Programmer) asked:

Gary Patterson (VP Technology / Senior Consultant) commented:
Yes, that's a CA certificate.  You don't use a CA certificate to secure an FTP server.  You use it to tell your IBM i that you trust the CA that issued it.  Suggest you remove it from all the places you installed it to avoid confusion, and start over.

SSL error -23:  The system certificate is not signed by a trusted certificate authority. The system certificate assigned to the application must be trusted, signed by a certificate authority, and used within the valid time period.  Change the CA certificate to Trusted. For instructions, see Manage applications in DCM.

https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_71/rzaiw/rzaiwsslre.htm

Definitions:

Server certificate:  Installed on a server, and used to validate server identity to any clients that connect.  Clients verify the server certificate with the CA listed in the server certificate, IF the client is configured to trust the CA (anyone can set up a CA).  You use a server certificate to secure FTPS, HTTPS, Telnet over SSL, etc.

Client certificate:  Installed on a client, and used to validate client identity to a server.  Servers validate the client certificate with the CA listed in the client certificate, IF the server is configured to trust the CA.  You use a client certificate when you configure two-way (mutual) SSL/TLS authentication.

CA Certificate:  Installed on a CA, and also installed on any clients or servers that you want to trust that CA.  Third-party CA certificates are usually installed as part of the SSL product, but private (self-signed) CAs need to be installed on any clients or servers that need to trust that CA.  In this case, you want the IBM i to trust certificates issued by the mainframe CA, so you have to add the CA certificate as a trusted CA.

Install that CA certificate in DCM, as a CA certificate:

http://www-01.ibm.com/support/docview.wss?uid=nas8N1012543

Then you need to go into Manage Applications, and trust the CA you just added for the FTP server.

When you want to go the other way (IBM i as server), you'll need to create or acquire a host certificate for the IBM i, add it via DCM, and assign it to any IBM i server applications you want to use it.  Any trusted CA can create the certificate.  Mainframe probably doesn't yet trust the IBM i CA, so if you create a self-signed certificate on the IBM i, you'll have to send your IBM i CA certificate to the mainframe administrator so they can add it as a trusted CA.  Or you can ask the mainframe admin to generate a host certificate for your IBM i FTP server for you, since both the mainframe and the IBM i already are set up to trust the mainframe CA.

http://www-01.ibm.com/support/docview.wss?uid=nas8N1012980
 
Gary Patterson (VP Technology / Senior Consultant) commented:
Look at the certificate that you were given:  Is it a host certificate, a client certificate, or a CA certificate?

Generally, you need to install a host certificate on the system running the FTPS server, and with a self-signed certificate, you would probably need to install the issuing CA's certificate (mainframe) on the client system, so that it knows it can trust certificates signed by that system.

Most of the time SSL is configured for "host authentication".  This means that the FTP client validates the host's certificate, but the host does not request a certificate from the client.  Sometimes when you receive a certificate from a trading partner (in this case, an internal trading partner), it might be a clue that they are implementing two-way authentication:  Client validates host certificate, and host validates client certificate.  This is more secure, but requires that you issue a cert to each client that might connect to your host.

In this relationship, is the IBM i the host (receives connection requests) or the client (initiates connections), or do the systems each perform both roles?  Is the mainframe FTP admin specifying host authentication, or host and client authentication?

http://www.ossmentor.com/2015/03/one-way-and-two-way-ssl-and-tls.html
 
Matthew Roessner (Senior Systems Programmer, Author) commented:
Ultimately we want to be able to FTP both ways, but for the large majority of the time - the IBM i will be the client (we will be initiating the FTP and SENDING data to the mainframe).  Our MF system programmer sent me a mainframe.cer certificate - which I am assuming is a CA certificate (although I am not sure if there is a way to tell the difference or not).

I went into DCM and imported the mainframe .cer certificate and then added that new certificate to the Trust list via Fast Path / Work with Client certificates (I also added to the server certificates section too).  Then I restarted FTP on our iSeries.

I attempted to connect to the mainframe server by doing the following:

FTP RMTSYS(MAINFRAME) SECCNN(*IMPLICIT)
FTP RMTSYS(MAINFRAME) SECCNN(*SSL)

I never got anything when trying the *IMPLICIT

When I tried the SSL - I got the following:

 220 Connection will close if idle for more than 10 minutes.
 234 Security environment established - ready for negotiation
Secure connection error, return code -23.

Thanks for any help you might have...

Matt
 
Matthew Roessner (Senior Systems Programmer, Author) commented:
I did verify that it was a CA Certificate:

[attached image: mainframe_certificate.gif]

Matthew Roessner (Senior Systems Programmer, Author) commented:
So that was all a lot to process...

You initially said that I need to remove that CA cert that I added...but then later in the description - it sounds like I am just adding it in there again.

Basically this is what I did: (after I deleted the previous certificate I had imported)

1. Manage Certificates - Import Certificate... Certificate Authority (CA)...  (I labeled the certificate MVS. It was imported successfully)
2. Manage Applications - Define CA trust list - Client - IBM i TCP/IP FTP Client - and then added the MVS to the list
3. Ended and Restarted FTP on iSeries

After doing that - I am still getting the error message about being able to connect:

234 Security environment established - ready for negotiation
Secure connection error, return code -23.

Is there something else required that I am not doing?
 
Matthew Roessner (Senior Systems Programmer, Author) commented:
I found out that the certificate that our Mainframe System Programmer sent was not the correct one - which is why things were not working.  After importing the correct certificate - I was able to assign it to the FTP client and was able to securely connect to our mainframe.

Sorry for the hassle! The process I was using worked as it was supposed to - I just had the wrong certificate.

Thank you for all your help

Matt