Host FTPS on IBMi. Can't connect

I need my 400 to host FTPS.  I have had FTP running for decades.  I am familiar with DCM and I have a certificate assigned to the FTP app.  This is the same cert we use for HTTPS and it works great.  It is from a well know Certificate Authority.

To get started, I am testing from inside the network or thru a point to point VPN to avoid any firewall issues.

To make it even easier to configure, I am testing from at 7.3 box to a 7.3 box.  Both are current with PTFs.
This command yields the below results: FTP RMTSYS('10.1.1.1') PORT(*SECURE)  

  Connecting to remote host 10.1.1.1 using port 990.                        
  Connection is secure.                                                      
  220-QTCP at FTP.HICKSINC.COM.                                              
  220 Connection will close if idle more than 5 minutes.                    
> bows                                                                      
  331 Enter password.                                                        
  230 BOWS logged on.                                                        
   OS/400 is the remote operating system. The TCP/IP version is "V7R3M0".    
  250  Now using naming format "1".                                          
  257 "/home/BOWS" is current directory.                                    
> ls                                                                        
  227 Entering Passive Mode (10,1,1,1,109,149).                              
  125 List started.                                                          
  Secure connection error, return code -16.                                  
  522 Security negotiation failed, connection closed; error code -97.        

I have yet to find the -16 and -97 return code documented.  Rochester tells me there is a problem with the cipher suites.  They have not yet provided a solution.

I have had WS-FTP Pro connect a few times but it is not reliable.  (no fault of WS-FTP!!)
You will find the relevant system values below.
Does anybody have any suggestions?

Steve

                                                   System Values              
5770SS1 V7R3M0  160422                                                        
                Current                         Shipped                        
 Name           value                           value                          
 QSSLCSL        *ECDHE_ECDSA_AES_128_GCM_SHA25  *ECDHE_ECDSA_AES_128_GCM_SHA25
                  6                               6                            
                *ECDHE_ECDSA_AES_256_GCM_SHA38  *ECDHE_ECDSA_AES_256_GCM_SHA38
                  4                               4                            
                *ECDHE_RSA_AES_128_GCM_SHA256   *ECDHE_RSA_AES_128_GCM_SHA256  
                *ECDHE_RSA_AES_256_GCM_SHA384   *ECDHE_RSA_AES_256_GCM_SHA384  
                *RSA_AES_128_GCM_SHA256         *RSA_AES_128_GCM_SHA256        
                *RSA_AES_256_GCM_SHA384         *RSA_AES_256_GCM_SHA384        
                *ECDHE_ECDSA_AES_128_CBC_SHA25  *ECDHE_ECDSA_AES_128_CBC_SHA25
                  6                               6                            
                *ECDHE_ECDSA_AES_256_CBC_SHA38  *ECDHE_ECDSA_AES_256_CBC_SHA38
                  4                               4                            
                *ECDHE_RSA_AES_128_CBC_SHA256   *ECDHE_RSA_AES_128_CBC_SHA256  
                *ECDHE_RSA_AES_256_CBC_SHA384   *ECDHE_RSA_AES_256_CBC_SHA384  
                *RSA_AES_128_CBC_SHA256         *RSA_AES_128_CBC_SHA256      

                *RSA_AES_128_CBC_SHA            *RSA_AES_128_CBC_SHA          
                *RSA_AES_256_CBC_SHA256         *RSA_AES_256_CBC_SHA256      
                *RSA_AES_256_CBC_SHA            *RSA_AES_256_CBC_SHA          
                *ECDHE_ECDSA_3DES_EDE_CBC_SHA   *ECDHE_ECDSA_3DES_EDE_CBC_SHA
                *ECDHE_RSA_3DES_EDE_CBC_SHA     *ECDHE_RSA_3DES_EDE_CBC_SHA  
                *RSA_3DES_EDE_CBC_SHA           *RSA_3DES_EDE_CBC_SHA        
 QSSLCSLCTL     *OPSYS                          *OPSYS                        
 QSSLPCL     >  *TLSV1.2                        *OPSYS
LVL 5
stevebowdoinOwnerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Gary PattersonVP Technology / Senior Consultant Commented:
Hi Steve,

Run an FTP client trace.  https://www-01.ibm.com/support/docview.wss?uid=nas8N1016504

Suggest though that you clean up logs like this of sensitive info before posting - you disclosed host name and user ID above.

Also if you want to PM me with a valid user/pw, I'll try to connect - don't post credentials here.

- Gary
stevebowdoinOwnerAuthor Commented:
In the IBM FTP exit program documentation, it indicates that certain parameters are “input only”.  This appears not to be the case.  My exit program was moving blanks to those parameters.  FTPS works great now.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ftps

From novice to tech pro — start learning today.