Re: SSL FTP from V5R2 AS/400 to BellSouth

["Brad Stone" <brad@xxxxxxxxxxxx>]

I believe if you imported them into your system store and
they are in fact the CAs required, then it should work.

this could be a PTF issue.  I know that this is the first
SSL client that IBM has made available.

You didn't mention if they said you were to be using client
authetication or not.  I doubt they require that, but it
would be good to know for sure.

I would double check that the two CAs are in the *SYSTEM
store.  I also assume that you are using *SSL on the FTP
command...  just wanted to make sure.

Finally, could you describe the "path" you took to import
the CAs?  I want to make sure you didn't import the certs
and server or client certs.

Feel free to contact me offline if you want to dive deeper
into this. you can find my email at
www.bvstools.com/contact.html.  This one is so loaded with
spam its a crapshoot if I'll get the email.  :)

Brad

On Wed, 18 May 2005 16:26:55 -0400
 Patrick L Archibald
<mailinglists4pla@xxxxxxxxxxxxxxxxxxxx> wrote:
> Brad
> 
> You are correct, the AS400 is the client and BellSouth is
> the server. So I'll forget about ending and starting the
> FTP server.
> 
> They sent me a file with two certificates, which I
> separated into two files. The certificates had the
> following above them:
> 
> GeoTrust True Credential CA 2: (expires 4/13/20)  
> and
> 
> Equifax eBusiness CA-1 Root certificate: (expires
> 6/21/20)
> 
> I imported both as Certificate Authority Certificates.
> What should I have done?
> 
> Thanx, PLA
> 
> 
> Brad Stone wrote:
> 
> >I thought in your original post you were FTPing to a
> >server.. if that's the case, then the FTP server really
> >doesn't play a role here.  You're using the FTP client.
> >
> >You said bell south sent you a certificate.  Did they
> send
> >a certificate or a CA (or both).  If they require that
> you
> >do client authentication then you'll need to assign the
> >cert they sent (which I assume is the one for the client
> >authentication) to the FTP client, not the server.
> >
> >If not, and this is "simple SSL", then you should try
> and
> >find out for sure if you have the CA in the *SYSTEM
> store
> >or have the right CA assigned to the FTP client
> >application.
> >
> >NOT TRUSTED ROOT is pretty specific of an error.  So I'd
> >make sure you have the CA installed properly, at least
> in
> >the system store.  If you have the cert on your PC, you
> >should be able to double click on it to see the
> hierarchy
> >of  authorities.
> >
> >Brad
> >
> >
> >On Wed, 18 May 2005 15:19:24 -0400
> >Patrick L Archibald
> ><mailinglists4pla@xxxxxxxxxxxxxxxxxxxx> wrote:
> > 
> >
> >>Chris
> >>
> >>I ended and started the FTP server since making the
> >>changes in the DCM.
> >>
> >>Here is a summary of what I've done in the DCM:
> >>
> >>1. Selected the certificate store of *SYSTEM
> >>
> >>2. Keyed the password and hit Continue.
> >>
> >>3. Manage Certificates
> >>
> >>4. Import certificate
> >>
> >>5. Selected Certifcate Authority and pressed Continue.
> >>
> >>6. Keyed in the IFS file path and name containing the
> >>certificate from BellSouth.
> >>
> >>7. Gave it a label.
> >>
> >>8. Manage Applications.
> >>
> >>9. Define CA Trust List
> >>
> >>10. Selected Server, pressed Continue (Also did this
> for
> >>Client).
> >>
> >>11. Selected OS/400 TCP/IP FTP Server, Define CA Trust
> >>List button.
> >>
> >>12. Checked the certificate labels for BellSouth and
> >>pressed OK.
> >>
> >>13. ENDTCPSVR *FTP
> >>
> >>14. STRTCPSVR *FTP
> >>
> >>15. Get same error.
> >>
> >>Am I doing something wrong?
> >>
> >>Thanx, PLA
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>Chris Bipes wrote:
> >>
> >>   
> >>
> >>>You have to end/restart the FTP server.  Did you add
> the
> >>>     
> >>>
> >>new root to the FTP
> >>   
> >>
> >>>Server and Client trust list?
> >>>
> >>>Chris Bipes
> >>>Information Services Director
> >>>CrossCheck, Inc.
> >>>
> >>>
> >>>-----Original Message-----
> >>>From: Patrick L Archibald
> >>>     
> >>>
> >>[mailto:mailinglists4pla@xxxxxxxxxxxxxxxxxxxx] Sent:
> >>Wednesday, May 18, 2005 11:26 AM
> >>   
> >>
> >>>To: Midrange Systems Technical Discussion
> >>>Subject: Re: SSL FTP from V5R2 AS/400 to BellSouth
> >>>
> >>>
> >>>Sean
> >>>
> >>>I just ended and started the Admin http instance. I
> get
> >>>     
> >>>
> >>the same error.
> >>   
> >>
> >>>Thanx, PLA
> >>>
> >>>
> >>>
> >>>     
> >>>
> >>-- 
> >>// 
> >>// Patrick L Archibald
> >>// http://www.PatrickArchibald.com
> >>// http://www.GooseCreekRotary.org
> >>// http://www.BeeSharp.us
> >>// http://www.SeveredTiesROCKS.com
> >>//
> >>
> >>
> >>-- 
> >>This is the Midrange Systems Technical Discussion
> >>(MIDRANGE-L) mailing list
> >>To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> >>To subscribe, unsubscribe, or change list options,
> >>visit:
> >>http://lists.midrange.com/mailman/listinfo/midrange-l
> >>or email: MIDRANGE-L-request@xxxxxxxxxxxx
> >>Before posting, please take a moment to review the
> >>archives
> >>at http://archive.midrange.com/midrange-l.
> >>
> >>   
> >>
> >
> >Bradley V. Stone
> >BVS.Tools
> >www.bvstools.com
> > 
> >
> 
> -- 
> // 
> // Patrick L Archibald
> // http://www.PatrickArchibald.com
> // http://www.GooseCreekRotary.org
> // http://www.BeeSharp.us
> // http://www.SeveredTiesROCKS.com
> //
> 
> -- 
> This is the Midrange Systems Technical Discussion
> (MIDRANGE-L) mailing list
> To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit:
> http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the
> archives
> at http://archive.midrange.com/midrange-l.
> 

Bradley V. Stone
BVS.Tools
www.bvstools.com