× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. August 2007

Re: System i as FTP SSL Client

Hi Jeff,

According to the vendor documentation,"FTP/SSL requires the exchange
of SSL certificates ... in concert with the RFC 2228 standard. Does
this not imply that I *do* in fact need to have a certificate?

All this says is "you need to use SSL". It doesn't say anything more or less than that. SSL always requires the exchange of certificates.

Lukas was telling you that you don't need a *CLIENT* certificate, which may or may not be true, depending on the requirements that have been given to you. 95% of the time, an FTP client application does not require a client certificate, and therefore DOES NOT need any sort of CSR or registration with a major certificate authority.

That doesn't mean that you can eschew certificates altogether, however. The FTP software will (automatically) download the server's certificate when you connect, and it'll attempt to verify that it's a legal and valid certificate. To do that, it'll need to compare it with a Certificate Authority certificate. The major ones (VeriSign, Thawte, etc) are automatically installed on i5/OS when the *SYSTEM certificate store is created in the digital certificate manager, and they are included with i5/OS, you don't have to buy them or install them separately (unless it's NOT one of the major ones, of course -- but CA certificates are usually free, and can be downloaded by anyone.)

You *will* need the following licensed programs on your system:

5722-SS1, option 34 = Digital Certificate Manager
5722-TC1 = TCP/IP connectivity utilities (probably already installed)
5722-AC3 = Cryptographic Access Provider (Not needed on V5R4)
5722-DG1 = IBM HTTP server
5722-JV1 = Java Developer Kit

The last two (the HTTP server and Java) are not needed for normal operation of the FTP session. However, they are required for configuration. You see, when IBM created the digital certificate manager, they decided NOT to use an old-style 5250 green screen interface for it. Instead, they created a web interface. So all of the menus and menu options needed to configure SSL are via this web interface -- and the web interface requires the HTTP server and Java in order to run. But, the HTTP server only has to be running to do the initial setup, once it's running you end the http server, and FTP over SSL will continue to work just fine.

Make sense?

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.