Step-by-Step Guide for Setting up Secure FTP
By Merville Cumberbatch

This article assumes that you have four basic elements in place:
- IBM’s Digital Certificate Manager (DCM)
- TCP/IP on your iSeries
- HTTP Server on your iSeries
- An appropriate IBM Cryptographic Access Provider product on your iSeries for encryption

For full, detailed information, visit the following IBM site, or any equivalent or updated site that covers the subject: http://publib.boulder.ibm.com/iseries/v5r1/ic2924/info/rzain/rzainrzainftp.htm#HDRRZAINFTP
- Topic: Securing FTP
Step 1 – Get a Certificate (if needed)

When performing secure FTP transactions, you may need to obtain a security certificate. The business with which you are trading will provide details on the specific certificate and may provide instructions for you to obtain it. Note: the certificate may already be on your system – see Step 4.
Step 2 – Export the Certificate

After downloading the certificate, you can export it via a browser. E.g. using Internet Explorer (IE), go to Tools – Internet Options – Content – Certificates. Select the appropriate certificate, click on Advanced and check “Client Authentication”. DER Encoded X.509 is commonly used as the export format. An Export Wizard will then guide you.

Note: You can perform the export using either the Combined or the Separate Certificate and CA (Certificate Authority) method. For iSeries applications, Separate is the preferred option. For Separate exporting, first select the Private Key option, provide an easily recalled password and save as a .PFX file. Perform the export again, but this time do NOT select the private key; save as a .CER document. The result of your export will be two items – a .CER and a .PFX document.

Step 3 – Copy the Certificate Documents to the iSeries IFS

We recommend using Operations Navigator. In the IFS, create a new directory (e.g. CERTS) in Root and simply drag and drop your certificate documents into it. Remember that the .PFX document contains the private key, so restrict who can read the CERTS directory. Finally, you will need to import the documents into the DCM (Digital Certificate Manager).
Step 4 – Import Certificates to the iSeries DCM (Digital Certificate Manager)

a. First, ensure that the *ADMIN instance of your HTTP server is started. If not, use the command STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN) to start it.
b. In your browser’s address field, enter your iSeries system name (or IP address) and port, using the format http://MyMachine:2001 (or http://123.456.7.890:2001).
c. At the popup prompt, log in (preferably) as QSECOFR.
d. Select the link that says Digital Certificate Manager.
There are 5 basic tasks in navigating the Digital Certificate Manager:
1. Select a Certificate Store
2. Import the Certificate Authority
3. Import the Certificate
4. Define what applications trust the certificate
5. Define what CAs the iSeries trusts

1. Click on “Select a Certificate Store”
- Select *SYSTEM and continue.
- Put in a password. If unknown, you can reset it here, since you are QSECOFR. (Take appropriate precautions if automated processes elsewhere use this password hard coded.)
- Select “Fast Path” on the left. This displays all the sub-links that you will need.
- Select “Work with CA certificates” and continue. Now you see what is in your DCM.
2. Import the Certificate Authority
- Select “IMPORT” at the bottom of this page if you wish to import a new certificate.
- Enter the path (location and name) of the .CER document you saved to the CERTS directory.
- When prompted, provide an intelligent name, such as the CA’s name + import date.
- If updating an existing authority, you may need to delete the old CA first.

3. Import the Certificate
- From your expanded “Fast Path” links at left, select “Work with Server and Client Certificates”.
- Again, if working with a new certificate, select “Import”.
- Now enter the path (location and name) of the .PFX document.

If you get an error concerning “validity period,” your DST (Daylight Saving Time) system offset value may not be set correctly. Using the WRKSYSVAL QUTCOFFSET command on your iSeries command line, enter the correct value, paying careful attention to the current DST period.
4. Define What Applications Trust Your New Certificate
- From “Fast Path,” select “Work with Client Applications”.
- Select “OS/400 TCP/IP FTP Client” and click “Work with Application”.
- Select “Update Certificate Assignment”.
- Choose your desired certificate and click “Assign new certificate”.
- Using “Cancel,” return to the previous screen. Your new certificate is now assigned.

5. Define What CAs the iSeries Trusts
- From the second step of task 4 (the “Work with Application” screen), set the radio button for “Define the CA trust list” to Yes, and click “Apply”.
- Click “
- Check (select) the appropriate CA, and click “OK”.
- Go back one screen with “Cancel”. The new trusted authority should be listed.

At this stage your security certificate has been applied to your iSeries FTP application. You are through with the DCM and ready to perform secure FTP.
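The “validity period” error mentioned under task 3 comes down to the certificate’s notBefore/notAfter window being compared against a system clock that has been converted to UTC with the wrong offset. The following Python script is an added example, not part of the original article or of IBM’s DCM: it walks the DER-encoded X.509 structure (the export format named in Step 2) far enough to read the validity window, then classifies the certificate against a local clock plus a UTC offset, which is the role QUTCOFFSET plays on the iSeries. The certificate bytes are a constructed, unsigned skeleton built by the script itself, and the clock readings and offsets are constructed for the demonstration.

```python
"""Read the validity window from a DER-encoded X.509 certificate and test it
against a local clock plus UTC offset (what QUTCOFFSET supplies on the iSeries).
Added example; SAMPLE_CERT below is a constructed, unsigned skeleton."""
from datetime import datetime, timedelta, timezone

SEQUENCE, INTEGER, OID, BITSTRING, UTCTIME, GENERALIZEDTIME, CONTEXT0 = (
    0x30, 0x02, 0x06, 0x03, 0x17, 0x18, 0xA0)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed DER value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, child, pos = _read_tlv(value, pos)
        out.append((tag, child))
    return out


def _parse_time(tag, value):
    text = value.decode("ascii")
    if tag == UTCTIME:                      # YYMMDDHHMMSSZ, two-digit year
        dt = datetime.strptime(text, "%y%m%d%H%M%SZ")
        if dt.year >= 2050:                 # RFC 5280: 50..99 means 1950..1999
            dt = dt.replace(year=dt.year - 100)
    elif tag == GENERALIZEDTIME:            # YYYYMMDDHHMMSSZ
        dt = datetime.strptime(text, "%Y%m%d%H%M%SZ")
    else:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return dt.replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (not_before, not_after) of a DER certificate as aware UTC datetimes."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER certificate")
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == CONTEXT0:            # optional [0] version (v2/v3)
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    validity_tag, validity = fields[3]
    if validity_tag != SEQUENCE:
        raise ValueError("validity field not found")
    (t1, nb), (t2, na) = _children(validity)
    return _parse_time(t1, nb), _parse_time(t2, na)


def check_validity(not_before, not_after, local_now, utc_offset_hours):
    """Convert the system's local clock to UTC with the configured offset and
    classify the certificate. An offset that is one hour off (DST applied or
    not applied) can make a freshly issued certificate look 'not yet valid'."""
    now_utc = (local_now - timedelta(hours=utc_offset_hours)).replace(tzinfo=timezone.utc)
    if now_utc < not_before:
        return "not yet valid"
    if now_utc > not_after:
        return "expired"
    return "valid"


def _tlv(tag, value):
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value


def build_sample_cert(not_before, not_after):
    """Constructed certificate skeleton: correct field order, empty names,
    no real key or signature. Enough for certificate_validity() to parse."""
    def utc(dt):
        return _tlv(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _tlv(SEQUENCE,
               _tlv(CONTEXT0, _tlv(INTEGER, b"\x02"))                 # version v3
               + _tlv(INTEGER, b"\x01")                               # serialNumber
               + _tlv(SEQUENCE, _tlv(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
               + _tlv(SEQUENCE, b"")                                  # issuer (empty)
               + _tlv(SEQUENCE, utc(not_before) + utc(not_after))     # validity
               + _tlv(SEQUENCE, b"")                                  # subject (empty)
               + _tlv(SEQUENCE, b""))                                 # subjectPublicKeyInfo (empty)
    return _tlv(SEQUENCE, tbs + _tlv(SEQUENCE, b"") + _tlv(BITSTRING, b"\x00"))


# Constructed sample: issued 2024-03-09 12:00 UTC, valid for one year.
SAMPLE_CERT = build_sample_cert(datetime(2024, 3, 9, 12, 0, 0),
                                datetime(2025, 3, 9, 12, 0, 0))

if __name__ == "__main__":
    nb, na = certificate_validity(SAMPLE_CERT)
    clock = datetime(2024, 3, 9, 7, 30)      # constructed local clock reading (EST)
    print("validity:", nb.isoformat(), "to", na.isoformat())
    print("offset -5 (correct):", check_validity(nb, na, clock, -5))
    print("offset -4 (DST applied too early):", check_validity(nb, na, clock, -4))
```

Running the script shows the same clock reading classified as “valid” with the correct offset and “not yet valid” with an offset one hour out; before touching QUTCOFFSET it is worth confirming with this kind of check that the certificate itself, not the clock, is within its window.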
Scripting and operating secure FTP are fundamentally the same as for regular FTP. The two basic differences are likely to be the communication method and the port used. These two factors, in concert with the encryption and certificates, ensure the security. Here are a few brief notes.

a. For secure Internet FTP, you can use the SSL (Secure Sockets Layer) or SSH (Secure Shell) protocol. SSL is also sometimes called TLS (Transport Layer Security) or TLS-P (TLS Protocol). Find out from your trading partner exactly which protocol you need to use and which port you need to transact on. Though port 21 is the most commonly used and is the default, some may require transactions via port 990.

b. Enter the iSeries FTP command on a command line, and hit the F4 or Enter key. When the “Start TCP/IP File Transfer (FTP)” prompt comes up, hit the F10 function key to bring up the “Port” and “Secure Connection” parameter fields. Use the F1 help key on each one to read about the defaults and available options.

c. If you use a third-party FTP application that does not provide full flexibility for port selection etc., you can replace the common FTP subcommand “Open” with “SOpen” to start a secure FTP session. The SOpen command accepts 2 optional parameters, port and communication method, so it covers those two key elements – e.g. Sopen 123.456.78.90 ‘21’ ‘SSL’. If the 2 parameters are left blank, the iSeries assumes port 21 and the *SSL method. [This of course assumes that the appropriate certificate needed during the FTP transaction has already been set up correctly and assigned to the FTP application in the DCM (see Part 1 – Implementing a Security Certificate).]

d. Caveat: The iSeries limits users to a single active certificate per application. This means that if you have multiple secure FTP destinations that require different certificates, you will have to assign the applicable certificate through the DCM each time before a different FTP session. This obviously hinders automation in a serious way, so you may want to contact IBM and request a method (e.g. an API) of programmatically hot-swapping your certificates; otherwise you may have to manage your certificates outside of the iSeries environment.
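The two session parameters in c. (port and communication method) and the one-certificate-per-application caveat in d. both have a direct counterpart in a client running outside the iSeries. The following Python script is an added example, not part of the original article or of IBM’s FTP client: it uses the standard library’s ftplib.FTP_TLS to open either explicit TLS on port 21 (the default, as in the SOpen example) or implicit TLS on port 990, verifies the trading partner’s CA (the DCM trust list) and presents a client certificate chosen per session (the DCM certificate assignment). The host, file names, credentials and certificate paths are placeholders, and the certificate files must be PEM, so a .PFX exported in Step 2 has to be converted first.

```python
"""FTPS sessions from a workstation or script host, as a counterpart to the
iSeries SOpen parameters: explicit TLS on port 21 (AUTH TLS after connect)
or implicit TLS on port 990 (TLS from the first byte). Added example; host,
paths and credentials below are placeholders."""
import socket
import ssl
from ftplib import FTP_TLS


def make_context(ca_file=None, client_cert=None, client_key=None):
    """Mirror the two DCM decisions: which CA to trust (ca_file; None means
    the OS trust store) and which client certificate to present (PEM files;
    a .PFX from Step 2 must be converted to PEM first)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3 / TLS 1.0 / 1.1
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def context_settings(ctx):
    """Summarise what a context enforces, so a script can assert on it."""
    return {
        "verify_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


class ImplicitFTP_TLS(FTP_TLS):
    """Implicit mode: wrap the control socket in TLS before reading the
    banner, instead of negotiating with AUTH TLS as FTP_TLS.login() does."""

    def connect(self, host="", port=0, timeout=-999, source_address=None):
        if host:
            self.host = host
        if port > 0:
            self.port = port
        if timeout != -999:
            self.timeout = timeout
        if source_address is not None:
            self.source_address = source_address
        raw = socket.create_connection((self.host, self.port), self.timeout,
                                       source_address=self.source_address)
        self.af = raw.family
        self.sock = self.context.wrap_socket(raw, server_hostname=self.host)
        self.file = self.sock.makefile("r", encoding=self.encoding)
        self.welcome = self.getresp()
        return self.welcome


def client_for(method="", port=0):
    """Map the session parameters (connection method, port) to a client class
    and port. Blank parameters mean explicit TLS on port 21, matching the
    SOpen default described in the article."""
    method = (method or "explicit").lower()
    if method == "explicit":
        return FTP_TLS, port or 21
    if method == "implicit":
        return ImplicitFTP_TLS, port or 990
    raise ValueError(f"unknown connection method: {method!r}")


def download(host, remote_name, local_path, user, password, method="",
             port=0, ca_file=None, client_cert=None, client_key=None):
    """Open the session, protect the data channel and fetch one file.
    Passing client_cert per call is what lets one script serve partners that
    each expect a different certificate (the caveat in d.)."""
    cls, port = client_for(method, port)
    ftp = cls(context=make_context(ca_file, client_cert, client_key))
    ftp.connect(host, port, timeout=30)
    try:
        ftp.login(user, password)   # explicit mode issues AUTH TLS here
        ftp.prot_p()                # PROT P: encrypt the data connections too
        with open(local_path, "wb") as fh:
            ftp.retrbinary(f"RETR {remote_name}", fh.write)
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


if __name__ == "__main__":
    print(context_settings(make_context()))
    print(client_for(), client_for("implicit"))
    # Placeholder call; host, file and certificate names are not real:
    # download("ftp.partner.example", "inbound.dat", "inbound.dat",
    #          "user", "password", method="implicit",
    #          ca_file="partner-ca.pem", client_cert="ours.pem", client_key="ours.key")
```

Two points carry over from the DCM setup: the context only trusts the CA you hand it (or the OS store), so a partner whose CA is not imported fails the handshake rather than connecting unverified, and the hostname check means the name you connect to must match the partner’s certificate, which matters if you connect by IP address as in the SOpen example.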
Please send any comments or corrections for this article to dambrine@tylogix.com