Secure FTP POC Document

Wiggle Wireless

WIGGLE Wireless

Secure FTP for IBM i5/OS

All of the information contained within this document has been created for the sole purpose of providing an easy reference for the setup and configuration of Secure FTP for WIGGLE Wireless. All attempts have been made to provide this information accurately and as it pertains to the IBM i5/OS Version 5.3.

For up to date information and or potential changes please refer to the IBM iSeries Infocenter located at http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp.

Confidential document.doc2 Page 1 4/10/2023

http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp

Wiggle Wireless

Table of Contents

1.1 Introduction to Secure File Transfer (SFTP).....................................................31.2 Planning and Prerequisites for Secure FTP on the IBM iSeries....................3

1.2.1 Planning Suggestions:.........................................................................31.2.2 SSL Prerequisites:...............................................................................4

1.3 Digital Certificate Manager.................................................................................51.4 Certificate Stores..................................................................................................6

1.4.1 Local Certificate Authority (CA):..........................................................61.4.2 *SYSTEM............................................................................................61.4.3 *OBJECTSIGNING..............................................................................61.4.4 Other System Certificate Store............................................................7

2.1 Transferring files using secure FTP..................................................................82.1.2 Plan the configuration of the server certificate....................................92.1.3 Create the *SYSTEM Certificate Store................................................92.1.5 Obtaining a server certificate from a well-known CA - VeriSign........17

2.1.5.1 Create a system certificate request........................................172.1.6 Import the VeriSign certificate into the Certificate store....................272.1.7 Configure the FTP client to trust the Certificate Authority.................422.1.8 Configure the FTP server to listen for secure connections................472.1.9 Test the configuration.........................................................................48

3.1 Renewing the Server Certificate.......................................................................50Additional material......................................................................................................60

Certificate store structure and locations.......................................................60Certificate Authority store location.....................................60System certificate store location.........................................60

Cleaning up DCM.........................................................................................61Migrating to New Hardware..........................................................................61Local CA Certificate Parameters..................................................................63Server Certificate Parameters......................................................................64Public Certificates versus Private Certificates..............................................65Using public certificates............................................................................65Using private certificates...........................................................................66

Troubleshooting...........................................................................................................67Troubleshooting ADMIN Server Problems...................................................67Troubleshooting - Problem Determination for FTP.......................................68FTP Problem Analysis..................................................................................68Documentation and Links.............................................................................70


Wiggle Wireless

1.1 Introduction to Secure File Transfer (SFTP)

The FTP server con be configured to provide enhanced security while sending and receiving files over an un-trusted network. FTP server can use Secure Sockets Layer (SSL) to secure passwords and other sensitive data during an information exchange. The FTP server supports either SSL or TLS protected sessions, including client authentication and automatic sign-on.

Most SSL-enabled applications connect a client to separate TCP ports, one port for "unprotected" sessions and the other for secure sessions. However, secure FTP is a bit more flexible. A client can connect to a non-encrypted TCP port (usually TCP port 21) and then negotiate authentication and encryption options. A client can also choose a secure FTP port (usually TCP port 990), where connections are assumed to be SSL. The iSeries™ FTP server provides for both of these options. To ensure that your FTP sessions are encrypted, limit your client connections to port 990 through the use of a firewall or native iSeries TCP/IP filtering.

Before you can configure the FTP server to use SSL, you must have installed the prerequisite programs and set up digital certificates on your iSeries.

1.2 Planning and Prerequisites for Secure FTP on the IBM iSeries

When planning to enable SSL on an iSeries™ server, consider the following:

Planning suggestions SSL prerequisites

1.2.1 Planning Suggestions: Password Management – Implement a password policy

o Create one password to be used for all Certificate StoresWarning: You must be sure that you can remember the password that you set, or that you write it down and store it in a secure place.

Create and secure an Import Folder in the IFS for Certificates on each System. Make this consistent across systems.

Decide on a distinct name to be used for Certificate label.Note: Certificate (key) labels in a certificate store must be unique. Therefore, you should plan ahead regarding the use of the certificate being created here and where that certificate will be stored. For example, if the default label is used and then you try to add this certificate to a different certificate store that already has a certificate with the default label, you will not be able to add this certificate to that store because the labels are not unique (a duplicate key label error will occur). There is no function in DCM to change a certificate label. If you have a duplicate key problem, the only choice is to create a new certificate with a different label.


Wiggle Wireless

Decide on a distinct Common Name to be used on each Certificate.Enter a name to describe the certificate application. This is a required field when creating the certificate or the certificate request. How you choose a name for the certificate varies depending on the environment in which the application communicates data. For example, if you are creating a certificate for a server application that communicates data over the Internet, you should use the fully qualified domain name for the server. This ensures that browser software can validate the certificate correctly. When the certificate's common name does not match the URL domain name, the browser can validate the certificate. However, the browser cannot verify the server's identity. Consequently, the browser may warn the user of this discrepancy and prompt the user to decide whether to trust the certificate.

Ensure that you have a well planned disaster recovery plan including frequent and well maintained backups of data. In the case of digital certificates, it is important to backup the IFS directory /QIBM/UserData/ICSS and all subdirectories as well as the certificates received from your certificate provider (like VeriSign).

Maintain a table of certificate installation and expiration dates and make it easily accessible to those who will maintain certificates. Although Digital Certificate Manager (DCM) has a facility to view certificate expiry information, there is currently no easy method to centrally maintain certificate information other than a user maintained database.

1.2.2 SSL Prerequisites:

User profile Must have *ALLOBJ and *SECADM for Administration purposes IBM® Digital Certificate Manager (DCM), option 34 of OS/400® (5722-SS1) TCP/IP Connectivity Utilities for iSeries (5722-TC1) IBM HTTP Server for iSeries (5722-DG1) If you are trying to use the HTTP server to use the DCM, ensure that you have the

correct option of the IBM Developer Kit for Java™ (5722–JV1) installed. Otherwise, the HTTP admin server will not start.

The IBM Cryptographic Access Provider product, 5722-AC3 (128-bit). The bit size for this product indicates the maximum size of the secret material within the symmetric keys that can be used in cryptographic operations. The size allowed for a symmetric key is controlled by the export and import laws of each country. A higher bit size results in a more secure connection.

You may also want to install cryptographic hardware to use with SSL to speed up the SSL handshake processing. See the Cryptographic hardware information for available options. If you want to install the 4758 IBM Cryptographic Coprocessor or the 4764 IBM Cryptographic Coprocessor, you must also install Option 35, the Cryptographic Service Provider.

If you want to use SSL with iSeries Access for Windows® components, you must also install the iSeries Client Encryption product, 5722-CE3 (128-bit). iSeries Access for Windows requires this product in order to establish the secure connection.

Note: You do not need to install a Client Encryption Product to use the PC5250 emulator that is shipped with the Personal Communications product. Personal Communications has its own built-in encryption code.


Wiggle Wireless

1.3 Digital Certificate Manager

IBM Digital Certificate Manager (DCM) is the iSeries server solution for managing digital certificates.

Digital Certificate Manager (DCM) provides a browser-based user interface that you can use to manage digital certificates for your applications and users. The user interface is divided into two main frames: a navigation frame and a task frame

You use the navigation frame to select the tasks to manage certificates or the applications that use them. While some individual tasks appear directly in the main navigation frame, most tasks in the navigation frame are organized into categories. For example, Manage Certificates is a task category that contains a variety of individual guided tasks, such as View certificate, Renew certificate, Import certificate, and so forth. If an item in the navigation frame is a category that contains more than one task, an arrow appears to the left of it. The arrow indicates that when you select the category link, an expanded list of tasks displays so that you may choose which task to perform.

With the exception of the Fast Path category, each task in the navigation frame is a guided task that takes you through a series of steps to complete the task quickly and easily. The Fast Path category provides a cluster of certificate and application management functions which allows experienced DCM users to quickly access a variety of related tasks from a central set of pages.

Which tasks are available in the navigation frame vary based on the certificate store in which you are working. Also, the category and number of tasks that you see in the navigation frame vary depending on the authorizations that your i5/OS™ user profile has. All tasks for operating a CA, managing the certificates that applications use, and other system level tasks are available only to security officers or administrators. The security officer or administrator must have *SECADM and *ALLOBJ special authorities to view and use these tasks. Users without these special authorities have access to user certificate functions only.

Before you can use any of its functions, you need to start Digital Certificate Manager (DCM). Complete these tasks to ensure that you can start DCM successfully:

1. Sign on with a profile that has *SECADM and *ALLOBJ.2. Install 5722 SS1 Option 34. This is Digital Certificate Manager (DCM).3. Install 5722 DG1. This is the IBM® HTTP Server for iSeries™.4. Install 5722 AC3. This is the cryptography product that DCM uses to generate a public-

private key pair for certificates, to encrypt exported certificate files, and decrypt imported certificate files.

5. On the command line, type STRTCPSVR *HTTP HTTPSVR(*ADMIN).6. Verify HTTPSVR started, type WRKSBSJOB QHTTPSVR.


Wiggle Wireless

1.4 Certificate Stores

A certificate store is a special key database file that Digital Certificate Manager (DCM) uses to store digital certificates. The certificate store also contains the certificate's private key unless you choose to use an IBM® Cryptographic Coprocessor to store the key instead. DCM allows you to create and manage several types of certificate stores. DCM controls access to certificate stores through passwords in conjunction with access control of the integrated file system directory and the files that constitute the certificate store.

Certificate stores are classified based on the types of certificates that they contain. The management tasks that you can perform for each certificate store vary based on the type of certificate that the certificate store contains. DCM provides the following predefined certificate stores that you can create and manage:

1.4.1 Local Certificate Authority (CA):

DCM uses this certificate store to store the Local CA certificate and its private key if you create a Local CA. You can use the certificate in this certificate store to sign certificates that you use the Local CA to issue. When the Local CA issues a certificate, DCM puts a copy of the CA certificate (without the private key) in the appropriate certificate store (for example, *SYSTEM) for authentication purposes. Applications use CA certificates to verify the origination of certificates that they must validate as part of the SSL negotiation to grant authorization to resources.

1.4.2 *SYSTEM

DCM provides this certificate store for managing server or client certificates that applications use to participate in Secure Sockets Layer (SSL) communications sessions. IBM applications (and many other software developers' applications) are written to use certificates in the *SYSTEM certificate store only. When you use DCM to create a Local CA, DCM creates this certificate store as part of the process. When you choose to obtain certificates from a public CA, such as VeriSign, for your server or client applications to use, you must create this certificate store.

1.4.3 *OBJECTSIGNING

DCM provides this certificate store for managing certificates that you use to digitally sign objects. Also, the tasks in this certificate store allow you to create digital signatures on objects, as well as view and verify signatures on objects. When you use DCM to create a Local CA, DCM creates this certificate store as part of the process. When you choose to obtain certificates from a public CA, such as VeriSign, for signing objects, you must create this certificate store.


Wiggle Wireless

1.4.4 Other System Certificate Store

This certificate store provides an alternate storage location for server or client certificates that you use for SSL sessions. Other System Certificate Stores are user-defined secondary certificate stores for SSL certificates. The Other System Certificate Store option allows you to manage certificates for applications that you or others write that use the SSL_Init API to programmatically access and use a certificate to establish an SSL session. This API allows an application to use the default certificate for a certificate store rather than a certificate that you specifically identify. Most commonly, you use this certificate store when migrating certificates from a prior release of DCM, or to create a special subset of certificates for SSL use.

Note: If you have an IBM Cryptographic Coprocessor installed on your server, you can choose other private key storage options for your certificates (with the exception of object signing certificates). You can elect to store the private key on the coprocessor itself or use the coprocessor to encrypt the private key and store it in a special key file instead of in a certificate store. DCM controls access to certificate stores through passwords. DCM also maintains access control of the integrated file system directory and the files that constitute the certificate stores. The Local Certificate Authority (CA), *SYSTEM, *OBJECTSIGNING, and *SIGNATUREVERIFICATION certificate stores must be located in the specific paths within the integrated file system, Other System Certificate stores can be located anywhere in the integrated file system.


Wiggle Wireless

2.1 Transferring files using secure FTP

We will walk through the steps to configure the FTP server on the iSeries to support secure connections from clients using TLS/SSL (Transport Layer Security/Secure Sockets Layer), and how to configure the iSeries FTP client to securely connect to an FTP server.

In order to use SSL secured FTP sessions, the FTP server needs to have a certificate associated with it. Also, the FTP clients need to trust the Certificate Authority (CA) that issued the FTP server’s certificate.

WIGGLE has opted to use a Public (well-known) Certificate Authority to issue the server’s certificate.

How-toTo configure the iSeries servers to connect using the secured FTP, perform the followingsteps:

1. Plan the configuration of the server certificate on each system.

2. Create the *SYSTEM certificate store and certificate signing request.

3. Import the certificate into the *SYSTEM certificate store.

4. Configure the server to listen for secure connections.

5. Configure the FTP client to trust the Certificate Authority.

6. Test the configuration.


Wiggle Wireless

2.1.2 Plan the configuration of the server certificate

The FTP server needs an server certificate in order to create secure connections with theFTP clients. The specifications of the server certificate are included in Table 2-2 and are ordered from www.VeriSign.com.

Configuration Parameter ValueKey size 1024Certificate Label CW iSeries CertCertificate Store Password XXXXXXXXXXPassword Confirmation XXXXXXXXXXCommon Name CFGTCP option 12 will be used as the

fully qualified host name (common name)Organization unit

Organization name WIGGLELocality

State GeorgiaCountry USTable 2-1 FTP Server certificate configuration parameters

2.1.3 Create the *SYSTEM Certificate Store

The *SYSTEM Certificate Store is used to store the server certificate that will be used by theFTP server. To create the *SYSTEM Certificate Store, perform the following steps, using the values in Table 2-1:

1. Verify that the Administration server is started on the iSeries. On the iSeries run the command: WRKACTJOB SBS(QHTTPSVR) or type

WRKSBSJOB QHTTPSVR.

You should see several jobs name ADMIN running in this subsystem. If you do, go to Step 2.

If you don’t see ADMIN jobs running issue the following command:STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN).

Verify that the jobs start. If this is the first time the ADMIN server has been started it may take several minutes before you are able to access it. Proceed to the next step once you verify that all of the ADMIN jobs (there should be 3) have started and are in SIGW status.

You should see several jobs name ADMIN running in this subsystem. If you do not, see Troubleshooting Admin Server Problems in the Additional Material Section.


Wiggle Wireless

2. Access the iSeries Task page by opening the location http://Your_System_Name:2001(you would supply your iSeries host name followed by :2001), using your browser. Enter User Name and Password.

3. The iSeries Tasks page is displayed as in Figure 2-2. Click on Digital Certificate Manager.

Figure 2-2 iSeries Task page


Wiggle Wireless

4. The Digital Certificate Manager Screen should look as shown in Figure 2-3. The left frame of Digital Certificate Manager (DCM) is the task navigation frame. You can use this frame to select a wide variety of tasks for managing certificates and the applications that use them. Which tasks are available depends on which certificate store (if any) you work with and your user profile special authorities. Most tasks are available only if you have *ALLOBJ and *SECADM special authorities. If you do not see all of the options in the selection pane on the left, you are probably signed on with a profile without proper Authority.

Figure 2-3 Digital Certificate Manager page


Wiggle Wireless

5. Once in the DCM environment (Figure 2-3) Select Create New Certificate Store from the navigation (left) panel.

Since there is currently no *SYSTEM store on this iSeries the default value will be *SYSTEM (Figure 2-4) in the Create New Certificate Store window.

Click Continue.

Figure 2-4 Select the type of certificate store to create


Wiggle Wireless

6. In the Create a Certificate in New Certificate Store window, shown in Figure 2-5, choose not to create a certificate. Select No - Do not create a certificate in the certificate store. Click Continue.

Figure 2-5 Do not create a certificate in the new store


Wiggle Wireless

7. The next window (Figure 2-6) allows you to create a password for the new certificate store. You are asked to enter the password twice to verify. Remember the password, you will need it later.

Key in store password and confirm password. Click Continue.

Figure 2-6 Choose a password for the *SYSTEM store


Wiggle Wireless

8. The next window (Figure 2-7) confirms that the new certificate store has been created.

Figure 2-7 Message indicating that the certificate store was created

The *SYSTEM certificate store has been created. The Certificate Authority import process can now take place.


Wiggle Wireless

2.1.5 Obtaining a server certificate from a well-known CA - VeriSignThis section shows how to request and receive a server certificate from awell-known CA. WIGGLE has chosen to use VeriSign. When using such a certificate, you do not have to worry about distributing and maintaining a local CAs certificate. But from the security point of view you and the users have to fully trust the issuing CA.The following steps take you through the process of obtaining a server certificate from a well-known CA.

2.1.5.1 Create a system certificate requestThe first task when obtaining a system certificate is to create the certificate request using DCM.

1. click Select a Certificate Store from the left panel of the DCM.2. Select the Radio button for *SYSTEM as show in Figure 2-8.3. Click Continue.

Figure 2-8 Select *SYSTEM Store


Wiggle Wireless

4. Enter Store Password and Click Continue.

Figure 2-9 Store Password Page


Wiggle Wireless

5. To create a system certificate request.a. Click Create Certificate from the left panel of the DCM.b. Select the Radio button for Server or Client certificate.c. Click Continue.

Figure 2-10 Create Certificate page


Wiggle Wireless

d. Select the radio button for VeriSign. e. Click on Continue.

Figure 2-11 Select a Certificate Authority


Wiggle Wireless

f. Fill in the requested information as show below, Make the Certificate Label: CW iSeries Cert , Enter the Common name, Organization name, state, country.

g. Click on Continue.

Figure 2-12 Create Certificate

h. Open a Change Request to get permission to install a certificate on the server, for the following maintenance window, unless the window is less than 24 hours away, if so, then use the next maintenance window.


Wiggle Wireless

i. Copy the certificate request to notepad and email the.*txt file to the appropriate WIGGLE resource to submit to VeriSign. Make sure you select the area that includes “-----BEGIN NEW CERTIFICATE REQUEST-----” through the area that ends with “-----END NEW CERTIFICATE REQUEST-----”

j. Give it the name of the server with csrr appended, i.e. (aatcar52csr.txt) See Figure 2-13. k. Click OK.l. After you email the notepad file to WIGGLE Resource to submit to VeriSign, delete

the *txt notepad file.

Figure 2-13 Saving CSR as .txt


Wiggle Wireless

m. After a certain time the person who submitted the CSR request to VeriSign receives the certificate through e-mail. They should.

Copy and paste the certificate data received from VeriSign into a text file on your PC using, for example the Notepad editor.

Make sure you select the area that includes “-----BEGIN CERTIFICATE -----” through the area that ends with “-----END CERTIFICATE -----”.

Make sure it is given a meaningful identifying name. Save in a protected folder.

Remove the email received from VeriSign or save in a protected (preferably encrypted) email folder.

Send Certificate file CSR requester.

Figure 2-14 Copy and Paste VeriSign Certificate


Wiggle Wireless

n. On the Command line of the server, make sure the CW_Cert directory exists: Type WRKLNK ‘/CW_cert’ If it does not exist, type MKDIR DIR(‘CW_cert’) Secure the Directory:

WRKLNK ‘/CW_cert’ Enter 9 beside the directory, press ENTER

Work with Object Links Directory . . . . : / Type options, press Enter. 9=Work with authority 10=Move 13=Change directory attributes ... Opt Object link Type Attribute Text 9 CW_cert DIR

Enter a 2 beside *PUBLIC

Work with Authority Object . . . . . . . . . . . . : /CW_cert Owner . . . . . . . . . . . . : JSTEWART Primary group . . . . . . . . : *NONE Authorization list . . . . . . : *NONE

Type options, press Enter. 1=Add user 2=Change user authority 4=Remove user Data --Object Authorities-- Opt User Authority Exist Mgt Alter Ref 2 *PUBLIC *RWX X X X X JSTEWART *RWX X X X X QDIRSRV *X QNOTES *RWX


Wiggle Wireless

Change all Object authorities (OBJAUT) to *NONE Press ENTER , and Enter again then Press CMD 5 to Refresh

Change Authority (CHGAUT) Type choices, press Enter. Object . . . . . . . . . . . . . OBJ > '/CW_cert' User . . . . . . . . . . . . . . USER > *PUBLIC New data authorities . . . . . . DTAAUT > *RWX New object authorities . . . . . OBJAUT > *OBJMGT > *OBJEXIST > *OBJALTER > *OBJREF Authorization list . . . . . . . AUTL

Enter a 2 beside *PUBLIC again

Work with Authority Object . . . . . . . . . . . . : /CW_cert Owner . . . . . . . . . . . . : JSTEWART Primary group . . . . . . . . : *NONE Authorization list . . . . . . : *NONE Type options, press Enter. 1=Add user 2=Change user authority 4=Remove user Data --Object Authorities-- Opt User Authority Exist Mgt Alter Ref 2 *PUBLIC *RWX JSTEWART *RWX X X X X QDIRSRV *X QNOTES *RWX

Change data authorities (DTAAUT) to *NONE Press ENTER , and Enter again Press CMD 5,

Change Authority (CHGAUT) Type choices, press Enter. Object . . . . . . . . . . . . . OBJ > '/CW_cert' User . . . . . . . . . . . . . . USER > *PUBLIC New data authorities . . . . . . DTAAUT > *RWX New object authorities . . . . . OBJAUT *SAME


Wiggle Wireless

+ for more values Authorization list . . . . . . . AUTL

o. FTP the VeriSign Certificate .txt file the Server cd /CW_cert Be sure to enter NAMEFMT 1 Put certificatname.txt

Figure 2-15 FTP VeriSign certificate to Server


Wiggle Wireless

2.1.6 Import the VeriSign certificate into the Certificate store

Now import the VeriSign certificate in the *SYSTEM certificate store. Starting from the window in Figure 2-16, follow these steps:

Note: Make sure the HTTP server is started (See Section 1.3, step 5 and 6)

1. In the DCM navigation panel: Click on the Select a Certificate Store button. In the Select a Store window verify that the radio button next to *SYSTEM is selected. Click Continue.

Figure 2-16 Select the *SYSTEM store to import the file into


Wiggle Wireless

2. In the Certificate Store and Password window provide the password and click Continue.

Figure 2-17 Certificate Store Password


Wiggle Wireless

3. Once the screen refreshes, in DCM navigation panel on the left, Click on Manage Certificates, as shown in Figure 2-18.

Figure 2-18 Select the option to Manage Certificates


Wiggle Wireless

4. From the Manage Certificates page as shown in Figure 2-19, Select the radio button for Import Certificate. Click on Continue.

Figure 2-19 Import Certificates selection


Wiggle Wireless

5. The Import Certificate page is displayed, as shown in Figure 2-20. Select the Server or Client radio button. Click Continue.

Figure 2-20 DCM - Import Certificate page


Wiggle Wireless

6. The Import Server or Client Certificate page is displayed, as you can see inFigure 2-21.

In the Import file field, specify the full name of the file (including the leading “/”) that contains the Certificate to be imported. We used /CW_cert/aatcar51cer.txt

Click Continue.

Figure 2-21 DCM - Import Server or Client Certificate page


Wiggle Wireless

7. You should see a message stating the import was successful, as in figure 2-22 Click OK.

Figure 2-22 DCM – Import Server or Client Certificate


Wiggle Wireless

8. From the left panel select Fast Path, shown in Figure 2-23. Click on Fast Path.

Figure 2-23 DCM – Select Fast Path


Wiggle Wireless

9. From the Fast Path page, shown in Figure 2-24: Select Radio Button Work with server and client certificates. Click Continue.

Figure 2-24 DCM – Select Fast Path


Wiggle Wireless

10. The Work with Server and Client Certificates page is displayed, as seen in Figure 2-25. Select the certificate, here it is labeled CW iSeries Cert. Click on Assign to Applications.

Figure 2-25 DCM – Assign Certificate


Wiggle Wireless

11. The Select Applications page is displayed, as seen in Figure 2-26. Scroll down until you see the OS/400 TCP/IP FTP Server option. Select OS/400 TCP/IP FTP Server. Click Continue.

Figure 2-26 DCM – Assign Certificate


Wiggle Wireless

12. You should see an Application Status message as shown in Figure 2-27. Click OK.

Figure 2-27 DCM – Select Applications – Application Status Message

You will be returned to the Work with Server and Client Certificates page, Click Cancel. From the Fast Path page, Click Cancel.


Wiggle Wireless

13. Verify Server Certificates assignment Click on Manage Applications from the left side Panel in the DCM. Click on radio button View application definition. Click Continue.

Figure 2-28 DCM – Manage Applications Page


Wiggle Wireless

14. View Application Definition Click on radio button for Server. Click Continue.

Figure 2-29 DCM – View Applications Definition Page


Wiggle Wireless

15. From the View Application Definition Page Scroll down and select the Radio button for OS/400 TCP/IP FTP Server. Click View. Next, Click on View Certificate and verify correct certificate

assignment.

Figure 2-30 DCM – View Applications Definition Page


Wiggle Wireless

2.1.7 Configure the FTP client to trust the Certificate Authority

To configure the FTP client to trust the local CA, perform the following steps:

1. Continuing from the previous DCM session: Click on Manage Applications from the list of tasks in the DCM navigation panel

on the left as shown in Figure 2-30. Select Define CA trust list. Click on Continue.

Figure 2-31 DCM – Define CA trust List


Wiggle Wireless

2. The Define CA Trust List page is displayed, as shown in Figure 2-32. Select the Client radio button. Click Continue.

Figure 2-32 DCM - Define CA Trust List page


Wiggle Wireless

3. The list with client applications installed on the iSeries server is displayed, as you can see in Figure 2-33.

Select the OS/400 TCP/IP FTP Client radio button. Click Define CA Trust List.

Figure 2-33 DCM - Client applications trust list


Wiggle Wireless

4. A list with all the Certificate Authorities on the system is displayed in the next window, as shown in Figure 2-34. Select all the VeriSign CA’s listed. Click OK.

Figure 2-34 DCM - Certificate Authorities list


Wiggle Wireless

5. A message is displayed in the next page, stating that the Certificate Authority changes have been applied (see Figure 2-35). Click Cancel to end the procedure.

Figure 2-35 DCM - Certificate Authority changes applied


Wiggle Wireless

2.1.8 Configure the FTP server to listen for secure connections

To enable the FTP server to listen only for secure connections, perform the following steps:

1. Use the command line to configure FTP to listen for secure connections. This changes FTP attributes to allow SSL connections. (ALWSSL) which can be set to allow only SSL, or both SSL and non-secure connections. When this parameter is set to allow only SSL the FTP server will not start without a certificate assigned to the application (FTP server).

Enter CHGFTPA ALWSSL(*YES)

Note : ALWSSL(*YES) The iSeries FTP server accepts non-SSL FTP sessions. If the prerequisite products needed to allow SSL support are installed and a valid FTP server certificate is configured in the Digital certificate Manager, SSL sessions will also be allowed. Note: If ALWSSL(*YES) is specified and the Digital Certificate Manager is configured for required FTP client authentication, non-SSL sessions are accepted by the FTP server. However, non-anonymous FTP users must switch to SSL mode in order to log in to the iSeries FTP server. Command Entry Request level Previous commands and messages: (No previous commands or messages) Type command, press Enter. ===> CHGFTPA ALLWSSL(*YES)

Figure 2-36 iSeries Command Entry – Change FTP Properties

2. In order for the modifications to take effect, the FTP server must be restarted. Once this done the FTP server will be able to support secure connects with any clients that trust our Certificate Authority. On the Command line enter the following command:

ENDTCPSVR SERVER(*FTP). Wait a moment and then enter the following command: STRTCPSVR SERVER(*FTP).

This completes the configuration of the FTP server to accept only secure connections.


Wiggle Wireless

2.1.9 Test the configuration

Test the configuration, on a client and sever that have had the VeriSign certificates completely installed.

To test the configuration, perform the following steps:1. Connect to the client (non-repository) iSeries (FTP client) using a 5250 session.2. Start a secure FTP session on Repository iSeries server by running the following command:

FTP System_name port(*SECURE)

Using this command, the client tries to establish secure control and data connections.

3. The FTP client is started and status messages are displayed on the screen. As you can see in Figure 2-37, the control messages are displayed on the screen.

File Transfer Protocol

Previous FTP subcommands and messages:Connecting to remote host WAXLAB01.WIGGLElab.com using port 990 Connection is secure. 220-QTCP at WAXLAB01.WIGGLElab.com 220 Connection will close if idle more than 5 minutes.

Enter password:===>

F3=Exit F6=Print F9=RetrieveF17=Top F18=Bottom F21=CL command lineFigure 2-37 FTP client screen - secure connection to server


Wiggle Wireless

4. Connect to the FTP server and transfer a file to the server. The messages displayed on the FTP client session screen should be like the ones in Figure 2-38.

Figure 2-38 FTP client screen - transfer a file to the server


Wiggle Wireless

3.1 Renewing the Server Certificate

1. You will need to contact your certificate provider prior to the expiry date of the certificate to request the certificate renewal. Check with your certificate provider for instructions. Give yourself plenty of time to renew your certificate before it expires. One to 2 weeks prior to the certificate expiration is probably good. You normally do not need to go through the full Certificate Signing Request that you did when you first created the certificate as most certificate providers will renew your certificate without an additionsl CSR (Certificate Signing Request).

2. Next, you will need to FTP the renewed certificate you received to your iSeries. Refer to section 2.1.5.1, steps 5 m through o for instructions to FTP the file you received from your certificate provider up to the IFS on your system. After FTPing the certificate to your system, continue with step 3.

3. Go to the Tasks page (Figure 3-11) via the iSeries HTTP Administration server using theURL: http://your_server_name.com:2001

Supply the user ID and password (must have IOSYSCFG, *ALLOBJ, *SECADM authority).

Select Digital Certificate Manager. Click on Select a Certificate Store.

Figure 3-11 Digital Certificate Manager page


http://your_server_name.com:2001/

Wiggle Wireless

4. Enter the Certificate store password as shown in figure 3-12 and click Continue.

Figure 3-12 Certificate Store and Password page


Wiggle Wireless

On the Current Certificate Store screen, Click on Manage Certificates to expand the selection and then click on the Renew certificate link.

Figure 3-13 Current Certificate Store page


Wiggle Wireless

5. Choose the certificate that you wish to renew and then click the Renew button as shown in Figure 3-14.

Figure 3-14 Renew Certificate page


Wiggle Wireless

6. Choose VeriSign or other Internet Certificate Authority (CA) as shown in Figure 3-15 and click Continue.

Figure 3-15 Select a Certificate Authority page


Wiggle Wireless

7. Choose No – Import the renewed signed certificate from an existing file and click Continue.

Figure 3-16 Renew Certificate page


Wiggle Wireless

8. Enter the path to the Import File that you FTPed up to the system in step 2 as shown in Figure 3-17. When done, click Continue.

Figure 3-17 Import Server or Client Certificate page


Wiggle Wireless

9. You will see the Certificate Renewed Successfully page as shown in Figure 3-18. Here you will select the application/s that you want to assign this renewed certificate to.

Figure 3-18 Certificate Renewed Successfully page


Wiggle Wireless

10. Scroll down and check all applications that you wish to assign this certificate to and click Continue when finished.

Figure 3-19 Certificate Renewed Successfully page


Wiggle Wireless

Figure 3-20 Application Status page

11. When you have finished, you will see the page displayed above in Figure 3-20.

12. You may need to cycle the application/s using the renewed certificate. Test the application and ensure that if functions properly.


Wiggle Wireless

Additional material

Certificate store structure and locations

Certificate Authority, server and user certificates and related information are stored in different directories on the AS/400 system. DCM provides a default store location for you.

Certificate Authority store locationDCM uses a fixed store location for the local CA. You cannot change its location. After you create a local CA you will see the following files in a specific directory. These directories must be protected from unauthorized access. The directory and files for the CA objects are:

/QIBM/UserData/ICSS/Cert/CertAuth DirectoryCA.TXT CA certificate and public key

DEFAULT.KDB CA certificate and CA private key

DEFAULT.POL CA policy file

DEFAULT.STH Stashed password for accessing the local CA KDB.

/QIBM/UserData/ICSS/Cert/Download/CertAuthDirectory containing the CA certificate available for distribution to clients

CA.CACRT CA certificate in binary format

System certificate store locationYou can select two types of locations to store a certificate. OS/400 server applications, such as HTTP and Telnet, can only use certificates stored in the *SYSTEM certificate store. Another selection is OTHER, which enables you to store certificates in any directory on the AS/400 Integrated File System (IFS).

The directory and file structure is as follows:

*SYSTEM (default store location)/QIBM/UserData/ICSS/Cert/Server

Directory

DEFAULT.KDB System certificate(s), private key(s) and CA certificates

DEFAULT.RDB Certificate request

DEFAULT.STH Stashed password for automatic access to a KDB file by the server

OTHERYou can specify another directory such as /your_directory_name to store certificates. Customer applications that are written to use SSL_Init (instead of the newer SSL_Init_App) can make more


Wiggle Wireless

use of this. System administrators can also make use of this certificate store for certain kinds of backups or testing before moving into their production environment. Some functions, such as exporting certificates from certificate stores created while the system was on a previous release, may also make use of this. Again do not use this if you want to use OS/400 secure applications.

Cleaning up DCM

Here are the locations to cleanup in order to start over with DCM (NOTE: We'll want to cleanup all files in these locations): These files can be deleted allowing you to start from scratch. Prior to deleting the *System store you should verify that the store does not contain certificates that have been purchased or are currently in use. There is no way to recover files that have not been backed up after performing this operation.

Only remove *STMF files, Do NOT remove the folders

/QIBM/UserData/ICSS/Cert/Server/ --> This location holds the *SYSTEM store /QIBM/UserData/ICSS/Cert/CertAuth/ --> This location holds the Local CA store /QIBM/UserData/ICSS/Cert/Download/CertAuth/CertAuth --> This locations holds a file that gets created when a CA is created (so that you can't create it again).

Once all the files are cleared from these locations, get out of DCM and go back into it. You should now have the option to create a Local CA (which will in turn create a *SYSTEM store and a server/client cert in the store).

Also, from command line on the iSeries issue this command to clean up Cache:

CALL QSOMAINT PARM('10' '3')

Migrating to New Hardware

When performing a system migration to new iSeries hardware, DCM must be synchronized to run on the new serial number and hardware. If you do not perform this step, you will receive an error message when trying to start servers that require a digital certificate. The error will read:

TCP7421 f/qzhbhttp qhttpsvr *stmt t/qzhbhttp qhttpsvr *stmt

Message . . . . : The server cannot start with SSL mode on because SSLsecurity is not installed.

Cause . . . . . . : The AC1, AC2 or AC3 product must be installed before theHTTP server will start with SSL mode on.

Recovery . . . : Remove "sslmode on" from your configuration file orinstall AC1, AC2 or AC3 and try to start the server again.

To correct the error, on an iSeries command line type the following:


Wiggle Wireless

CALL QCAP3/QYAC3INAT


Wiggle Wireless

Local CA Certificate Parameters

– Key size. You may select 512, 768, 1024, or 2048. It is true that the larger the key size the more secure the encryption level is, but a larger key size also creates more overhead on the system and the network.

– Password: This will be used to access the Local Certificate Authority certificate store. You will need to know this password in the future so follow whatever process you have in place to document passwords of this nature.

– Certificate Authority (CA) name: This is the name that will be displayed as the issuer of server certificates.

– Organization unit: This is an optional field. It may be used for accounting type purposes.

– Organization name: This is the name of the person or group that is responsible for operating and maintaining policy for this Certificate Authority.

– Locality or city: This parameter is not required. We supplied the value Atlanta.

– State or province: Note that this parameter requires at least 3 letters. It is best to spell out the state or province name completely. If you ever decide to change to a well know issuer of certificates the full name will be required when requesting certificates.

– Country or region: We supplied the value US.

– Validity period of Certificate Authority: Sets the length of time, in days, that the Certificate Authority certificate is valid. Certificates that are issued by this CA will also expire on or before this time period is reached.


Wiggle Wireless

Server Certificate Parameters

– Key size. As with the Certificate authority you may select 512, 768, 1024, or 2048. But keep in mind that the larger key size, although more secure, creates more overhead.

– Certificate label is just the name the certificate will be referred to as, in our case we called it iSeriesftp. There are no implications other than you want to make the name descriptive enough that its purpose is easily recognizable.

– Certificate store password is used to secure the certificate store. You need to follow your security guidelines for choosing the password.

– Common name parameter should be a meaningful identifier. If you plan to use the certificate for browser access, this becomes one of the more important fields on this screen. In this case, the best way to complete this field is to use the fully qualified host and domain name that is listed in the Change TCP/IP Domain (CHGTCPDMN) screen. When you make a secure connection (from a browser) and the Common name does not match the configured fully qualified domain name there is a warning that is displayed to the user.Although the warning does not stop the connection it is a nuisance that can be avoided.

– The Organization unit parameter is not a required field. We used IT Dept again, in keeping with the scenario.

– The Organization name should reflect the name of the group of users that will take advantage of the certificate.

– Locality or city does not need to be supplied, but we used the location of the server.

– The State or province field is a required parameter and must contain at least three characters. We suggest you spell out your location completely.

– Country or region must be filled in with a two character abbreviation of your country or region.

Note: The remaining fields on this screen are used to further secure a Virtual PrivateNetwork (VPN) connection. Much like the process we are completing now when VPN isused SSL is configured to provide client certificates as an added level of security.


Wiggle Wireless

Public Certificates versus Private Certificates

Once you decide to use certificates, you need to choose the type of certificate implementation that best suits your security needs. The choices that you have for obtaining your certificates include:

Purchasing your certificates from a public Internet Certificate Authority (CA). Operating your own Local CA to issue private certificates for your users and applications. Using a combination of certificates from public Internet CAs and your own Local CA.

Which of these implementation choices you make depends on a number of factors, one of the most important being the environment in which the certificates are used. Here's some information to help you better determine which implementation choice is right for your business and security needs.

Using public certificates

Public Internet CAs issue certificates to anyone who pays the necessary fee. However, an Internet CA still requires some proof of identity before it issues a certificate. This level of proof varies, though, depending on the identification policy of the CA. You need to evaluate whether the stringency of the identification policy of the CA suits your security needs before deciding to obtain certificates from the CA or to trust the certificates that it issues. As Public Key Infrastructure for X.509 (PKIX) standards have evolved, some public CAs now provide much more stringent identification standards for issuing certificates. While the process for obtaining certificates from such PKIX CAs is more involved, the certificates the CA issues provide better assurance for securing access to applications by specific users. Digital Certificate Manager (DCM) allows you to use and manage certificates from PKIX CAs that use these new certificate standards.

You must also consider the cost associated with using a public CA to issue certificates. If you need certificates for a limited number of server or client applications and users, cost may not be an important factor for you. However, cost can be particularly important if you have a large number of private users that need public certificates for client authentication. In this case, you need to also consider the administrative and programming effort needed to configure server applications to accept only a specific subset of certificates that a public CA issues.

Using certificates from a public CA may save you time and resources because many server, client, and user applications are configured to recognize most of the well-known public CAs. Also, other companies and users may recognize and trust certificates that a well-known public CA issues more than those that your private Local CA issues.


Wiggle Wireless

Using private certificates

If you create your own Local CA, you can issue certificates to systems and users within a more limited scope, such as within your company or organization. Creating and maintaining your own Local CA allows you to issue certificates only to those users who are trusted members of your group. This provides better security because you can control who has certificates, and therefore who has access to your resources, more stringently. A potential disadvantage of maintaining your own Local CA is the amount of time and resources that you must invest. However, Digital Certificate Manager (DCM) makes this process easier for you.

When you use a Local CA to issue certificates to users for client authentication, you need to decide where you want to store the user certificates. When users obtain their certificates from the Local CA through DCM their certificates are stored with a user profile by default. However, you can configure DCM to work with Enterprise Identity Mapping (EIM) so that their certificates are stored in a Lightweight Directory Access Protocol (LDAP) location instead. If you prefer not to have user certificates associated or stored with a user profile in any manner, you can use APIs to programmatically issue certificates to non-iSeries users.


Wiggle Wireless

Troubleshooting

Troubleshooting ADMIN Server Problems

If the *ADMIN server fails to start, you will need to determine the reason why and take corrective action.

1. On an iSeries command line, type WRKSPLF QTMHHTTP. This will display spooled files that belong to user QTMHHTTP (this is the user that is responsible for starting the *ADMIN server. Look at the last spooled file belonging to QTMHHTTP and it should tell you why the *ADMIN server failed to start.

2. Edit the ADMIN custom config file that resides in the IFSa. On the iSeries run the command WRKLNK and navigate to directory

/QIBM/UserData/HTTPA/admin/conf/ b. Edit the file admin-cust.conf and look for any invalid directives, if

you can not determine the cause of the error, comment out all of the lines in the custom config as shown in the following example using the # character.

#------------------------------------------------------# The following directives should be added to# /QIBM/UserData/HTTPA/admin/conf/admin-cust.conf# and uncommented in order to enable SSL for ADMIN.#------------------------------------------------------# LoadModule ibm_ssl_module /QSYS.LIB/QHTTPSVR.LIB/QZSRVSSL.SRVPGM# Listen 2001# Listen 2010# SetEnv HTTPS_PORT 2010# <VirtualHost *:2010># SSLEnable# SSLAppName QIBM_HTTP_SERVER_ADMIN# </VirtualHost>

Restart the *ADMIN server and ensure that it starts correctly.


Wiggle Wireless

Troubleshooting - Problem Determination for FTP

If you detect a problem when using FTP, use the following flow chart to identify the cause after using the flow chart for general TCP/IP problems. The cause lists that follow list steps to help you identify the cause of the problem.

FTP Problem Analysis

Cause List A

1. Is there is a long delay between connecting to the iSeries (TM) FTP server and receiving a prompt for a user id? If so, check the configuration of the domain name server on your iSeries. The FTP server performs a DNS query as soon as a new connection is received. DNS problems may cause the server to hang for several minutes before a response is received.

2. Check to see if an exit program has been added to the FTP Server Logon Exit Point. Refer to the Server logon exit point subtopic. If yes, then check if the logon that is unsuccessful is allowed by the exit program.

3. Check to see if the remote logon requires a password if a password was requested. Some systems request a password, but the connection can fail because it is not required.


Wiggle Wireless

4. Set up a password on the remote system if required. You may have to restart if you change the security information on the system.

5. Check your user ID and password by attempting to sign on to your remote system. If you are unable to do so, contact the system owner to verify that your user ID and password are correct.

Cause List B 1. Make sure binary mode is in effect if you are transferring binary files.2. Check to be sure the mapping tables on both the client and server systems are

compatible. You need only do this if you are using your own mapping tables.3. Check to see that the correct CCSID has been specified for the transfer. If not, use the

TYPE or LTYPE subcommand to set the correct CCSID value before the transfer is performed.

4. Create a file on the system that you are planning to store data into. Set the proper record length, number of members, and number of increments. Try the data transfer again and verify that it was successful.

5. Make sure that you are authorized to use the file and the file members.6. Check to see if the transfer file contains packed decimal or zoned decimal data.7. If you are transferring a Save file, verify that the appropriate method was used.

Cause List C

1. Check file size limits on the remote system.2. Check to see if the FTP server timer ended. The iSeries server time-out value can be set

using the QUOTE TIME command.3. Use the NETSTAT command to verify that the *LOOPBACK interface is active. Then re-

create the problem doing FTP LOOPBACK (iSeries-to-iSeries internally).

If the problem cannot be recreated, it is probably a remote system problem.

If you can re-create the problem, do the following:

a. If the problem is an FTP server problem, then start the FTP server trace using the TRCTCPAPP command.

b. Create the problem again.c. End the FTP connection. Refer to the Starting and stopping the FTP

server.d. End the FTP server trace using the TRCTCPAPP command.e. Find a spooled file with the following characteristics:

The file name is QTMFFTRC The username associated with the file is the name of the user

who issued the TRCTCPAPP command.

The trace is a spooled file in the default output queue of the system associated with the FTP server job.

f. Send in that spooled file.g. If the problem was on the iSeries FTP client, a trace can be obtained

using the DEBUG 100 client subcommand.h. When running the FTP client interactively, use the F6 (Print) key to

create a spool file that contains a history of the FTP client subcommands


http://publib.boulder.ibm.com/infocenter/iseries/v5r3/topic/rzaiq/rzaiqonavnote.htm

http://publib.boulder.ibm.com/infocenter/iseries/v5r3/topic/rzaiq/rzaiqonavnote.htm

Wiggle Wireless

entered, and the associated FTP server replies. When the FTP client is run in batch unattended mode, then this history of subcommands and server replies is written to the specified OUTPUT file. For more details, see "FTP as Batch Job".

Documentation and Links

Several good publications exist in downloadable PDF format at the following site:


Good publications to get here include:

Digital Certificate Manager – V5R3 book on the basics of DCMRedbook SG24-5659-00 - AS/400 Internet Security: Developing a Digital Certificate InfrastructureRedbook SG24-6168-00 - iSeries Wired Network Security OS/400 V5R1 DCM and Cryptographic

Enhancements (highly recommend this Redbook-most of it is current in V5R3 and V5R4)

http://www.rsasecurity.com/rsalabs/faq/3-1-5.html

RSA article on how large a key should be used in the RSA cryptosystem. iSeries DCM utilizes RSA cryptography in its key stores.


http://www.rsasecurity.com/rsalabs/faq/3-1-5.html


Wiggle Wireless


Documents

Secure FTP POC Document