Using the i5/OS FTP Client with self signed certificates doesn’t work

I tried to get the i5/OS FTP Client to connect to a Linux machine, running vsftpd with an SSL certificate signed by a self signed CA created using OpenSSL. I wasn’t able to get it to work against that, but at least I was able to get it to work between two System i.

What i wasn’t able to accomplish is disabling the certificate check (yes, this defeats several advantages of SSL, but it might not be an issue).

Here are the general steps you have to perform:

  • Connect to the administrative HTTP server on the destination system (https://System:2001/, if you didn’t enable HTTPS access it’s http://System i:2001/)
  • Go into DCM, download the CA certificate from the destination system, save it to a local file, and upload it to the IFS on the source system
  • Connect to the administrative HTTP server on the source system
  • Go into DCM, load the CA certificate from the IFS into DCM, and assign the newly imported CA as a trusted certificate to the FTP application
  • Connect to the destination system using SECCNN(*SSL)

Here’s how to get the CA cert out of the destination system:

[Screenshot: Downloading a CA cert from DCM]

Here’s how you import the CA cert into the source system:

[Screenshot: Importing a CA cert into DCM]

Here’s how you assign the newly imported CA cert to an application on the source system:

[Screenshot: Assigning a CA cert to an application in DCM]

The interesting thing here is that disabling the defined list doesn’t disable CA checking. Also, the same procedure should work with other CAs, but when I tested it with an OpenSSL generated cert, I just received Error code -99 when trying to connect.

And here’s a working, secure FTP connection from one system to another:

[Screenshot: Secure FTP connection between two System i]

You will receive Message TCP3D2C with Error Code “-23” if you didn’t install the CA cert correctly. Under some circumstances you will receive Error Code “-99” instead, when you’ve installed a CA cert which IBM’s software doesn’t like.

The text for this error is:

Fehler bei sicherer Verbindung, Rückkehrcode -23.
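As an added example (not code from the original post), the following shell script builds the kind of OpenSSL self signed CA mentioned above, issues a vsftpd server certificate from it, and runs the checks worth doing before importing ca.pem into DCM: that the CA file really declares CA:TRUE, that the server certificate verifies against it, and that a certificate from an unrelated CA is rejected, which is the situation behind the -23 error. The host name ftp.example.invalid, the subjects and all file names are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: build a self-signed CA with
# OpenSSL, issue a server certificate from it, and check both files before
# handing ca.pem to DCM. Host name, subjects and file names are constructed.
set -eu

# Create a self-signed CA (ca.pem), a server cert signed by it (server.pem)
# and an unrelated CA (other.pem) in the directory given as $1.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    # With the stock configuration, req -x509 marks the certificate as a CA
    # (basicConstraints CA:TRUE); ca_cert_is_ca below confirms that.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example FTP CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Key and CSR for the vsftpd host, then sign the CSR with the CA.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=ftp.example.invalid" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null
    # A second CA stands in for a trust store that does not contain ours.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Unrelated CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
}

# Succeeds only if $1 is a PEM certificate that declares itself a CA.
ca_cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Succeeds only if server certificate $2 chains to trust anchor $1.
server_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    ca_cert_is_ca "$tmp/ca.pem" && echo "ca.pem declares CA:TRUE"
    server_chains_to_ca "$tmp/ca.pem" "$tmp/server.pem" \
        && echo "server.pem verifies against ca.pem"
    server_chains_to_ca "$tmp/other.pem" "$tmp/server.pem" \
        || echo "server.pem is rejected when only other.pem is trusted"
fi
```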

4 Comments

  1. reto:

    What was actually so bad about the old way of linking photos?

  2. Lukas Beeler:

    I find this more practical ;)

    Because the whole thing is implemented via CSS, a right-click or middle-click also works “properly”, by the way.

  3. Chris Bipes:

    Before a server will accept a certificate from a non-trusted certificate authority, (Self signed Cert.), you will have to import the CA certificate. Then the SSL FTP server will accept the SSL client certificate. If you used a commercial certificate such as Verisign, you would not have had an issue. Some servers will validate a client certificate if available while others will ignore them. You can configure the iSeries FTP server to ignore, validate if available, or require the client certificate.

  4. Lukas Beeler:

    The problems I had were twofold:

    a) I wasn’t able to import an OpenSSL CA certificate into DCM. I didn’t investigate this closely. I was able to import the CA of another i5/OS instance.

    b) I was unable to disable the certificate check of the client – the client always verified the SSL certificate.

    And I never used client-side certificates, they’re just too much work.
