Host FTPS on IBMi.  Can't connect

stevebowdoin
I need my 400 to host FTPS.  I have had FTP running for decades.  I am familiar with DCM and I have a certificate assigned to the FTP app.  This is the same cert we use for HTTPS and it works great.  It is from a well-known Certificate Authority.

To get started, I am testing from inside the network or thru a point to point VPN to avoid any firewall issues.

To make it even easier to configure, I am testing from a 7.3 box to a 7.3 box.  Both are current with PTFs.
This command yields the below results: FTP RMTSYS('10.1.1.1') PORT(*SECURE)  

  Connecting to remote host 10.1.1.1 using port 990.                        
  Connection is secure.                                                      
  220-QTCP at FTP.HICKSINC.COM.                                              
  220 Connection will close if idle more than 5 minutes.                    
> bows                                                                      
  331 Enter password.                                                        
  230 BOWS logged on.                                                        
   OS/400 is the remote operating system. The TCP/IP version is "V7R3M0".    
  250  Now using naming format "1".                                          
  257 "/home/BOWS" is current directory.                                    
> ls                                                                        
  227 Entering Passive Mode (10,1,1,1,109,149).                              
  125 List started.                                                          
  Secure connection error, return code -16.                                  
  522 Security negotiation failed, connection closed; error code -97.        

I have yet to find the -16 and -97 return code documented.  Rochester tells me there is a problem with the cipher suites.  They have not yet provided a solution.

I have had WS-FTP Pro connect a few times but it is not reliable.  (no fault of WS-FTP!!)
You will find the relevant system values below.
Does anybody have any suggestions?

Steve

                                                   System Values              
5770SS1 V7R3M0  160422                                                        
                Current                         Shipped                        
 Name           value                           value                          
 QSSLCSL        *ECDHE_ECDSA_AES_128_GCM_SHA25  *ECDHE_ECDSA_AES_128_GCM_SHA25
                  6                               6                            
                *ECDHE_ECDSA_AES_256_GCM_SHA38  *ECDHE_ECDSA_AES_256_GCM_SHA38
                  4                               4                            
                *ECDHE_RSA_AES_128_GCM_SHA256   *ECDHE_RSA_AES_128_GCM_SHA256  
                *ECDHE_RSA_AES_256_GCM_SHA384   *ECDHE_RSA_AES_256_GCM_SHA384  
                *RSA_AES_128_GCM_SHA256         *RSA_AES_128_GCM_SHA256        
                *RSA_AES_256_GCM_SHA384         *RSA_AES_256_GCM_SHA384        
                *ECDHE_ECDSA_AES_128_CBC_SHA25  *ECDHE_ECDSA_AES_128_CBC_SHA25
                  6                               6                            
                *ECDHE_ECDSA_AES_256_CBC_SHA38  *ECDHE_ECDSA_AES_256_CBC_SHA38
                  4                               4                            
                *ECDHE_RSA_AES_128_CBC_SHA256   *ECDHE_RSA_AES_128_CBC_SHA256  
                *ECDHE_RSA_AES_256_CBC_SHA384   *ECDHE_RSA_AES_256_CBC_SHA384  
                *RSA_AES_128_CBC_SHA256         *RSA_AES_128_CBC_SHA256      

                *RSA_AES_128_CBC_SHA            *RSA_AES_128_CBC_SHA          
                *RSA_AES_256_CBC_SHA256         *RSA_AES_256_CBC_SHA256      
                *RSA_AES_256_CBC_SHA            *RSA_AES_256_CBC_SHA          
                *ECDHE_ECDSA_3DES_EDE_CBC_SHA   *ECDHE_ECDSA_3DES_EDE_CBC_SHA
                *ECDHE_RSA_3DES_EDE_CBC_SHA     *ECDHE_RSA_3DES_EDE_CBC_SHA  
                *RSA_3DES_EDE_CBC_SHA           *RSA_3DES_EDE_CBC_SHA        
 QSSLCSLCTL     *OPSYS                          *OPSYS                        
 QSSLPCL     >  *TLSV1.2                        *OPSYS

Gary Patterson, VP Technology / Senior Consultant

Commented:
Hi Steve,

Run an FTP client trace.  https://www-01.ibm.com/support/docview.wss?uid=nas8N1016504

Suggest though that you clean up logs like this of sensitive info before posting - you disclosed host name and user ID above.

Also if you want to PM me with a valid user/pw, I'll try to connect - don't post credentials here.

- Gary
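
One way to scrub an FTP client transcript before posting it, as suggested in the comment above. This is an added example, not code from the thread or from IBM; the sample session, the placeholder tokens and the function names are constructed for illustration.

```python
import re

# Constructed sample in the shape of an IBM i FTP client session (not the poster's log).
SAMPLE = """\
Connecting to remote host 192.0.2.10 using port 990.
Connection is secure.
220-QTCP at FTP.EXAMPLE.COM.
220 Connection will close if idle more than 5 minutes.
> alice
331 Enter password.
230 ALICE logged on.
257 "/home/ALICE" is current directory.
> ls
227 Entering Passive Mode (192,0,2,10,109,149).
522 Security negotiation failed, connection closed; error code -97.
"""

PASV = re.compile(r"\((?:\d{1,3},){4}(\d{1,3}),(\d{1,3})\)")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
FQDN = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b")
LOGON = re.compile(r"^\s*230 (\S+) logged on")

def find_users(lines):
    """Collect user IDs from 230 replies and from the input line answered by a 331."""
    users = set()
    for prev, cur in zip([""] + lines, lines):
        m = LOGON.match(cur)
        if m:
            users.add(m.group(1).upper())
        if cur.lstrip().startswith("331") and prev.lstrip().startswith(">"):
            users.add(prev.lstrip()[1:].strip().upper())
    users.discard("")
    return users

def redact_ftp_log(text):
    """Mask addresses, host names and user IDs; replies and error codes stay intact."""
    lines = text.splitlines()
    users = find_users(lines)
    out = []
    for line in lines:
        # Keep the two port bytes of a 227 reply: data port = p1*256 + p2.
        line = PASV.sub(r"(<IP>,\1,\2)", line)
        line = IPV4.sub("<IP>", line)
        # Also masks dotted file names in listings; over-redaction is the safe side.
        line = FQDN.sub("<HOST>", line)
        for user in users:
            line = re.sub(r"\b%s\b" % re.escape(user), "<USER>", line, flags=re.IGNORECASE)
        out.append(line)
    return "\n".join(out)
```

The reply codes, the passive-mode port bytes and the -16 / -97 style error codes are left untouched, so the redacted transcript is still usable for troubleshooting.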
Commented:
In the IBM FTP exit program documentation, it indicates that certain parameters are “input only”.  This appears not to be the case.  My exit program was moving blanks to those parameters.  FTPS works great now.
