How to Configure FTPS on IBM i Systems

There are several steps to follow in order to use FTPS on an IBM i system
1. Create the *SYSTEM Store to install a new Certificate Authority (CA)
OR
Select the existing *SYSTEM Store to import a new CA
2. Importing a Certificate Authority (CA) into the *SYSTEM Store and set the FTP application to not use a
Trust list for this CA
3. Test FTPS from the IBM i Command Line and from the IBM i Panels

Create the *SYSTEM Store or use an existing *SYSTEM Store

The *SYSTEM Store is the place where SSL Certificates and Certificate Authorities (CAs) are stored for use by
the IBM i systems. We will need to work with IBM i Digital Certificate Manager (DCM).
1. Open a browser window to work with the DCM
2. Type the name of the IBM i system where we need to create the *SYSTEM store: <your IBM i
hostname>:2001 (where :2001 is the port for the Digital Certificate Manager). You will be presented
with an IBM Navigator for i login screen
3. Login with user with system privilege access
4. If you will be importing a new CA to an already existing *SYSTEM Store, click on Select a Certificate
Store and then select *SYSTEM followed by clicking on Continue. Then jump to step 12.
5. Otherwise, from the selection on the left of the following screen, select the Create New Certificate
Store option.

6. Select *SYSTEM on the right to Create New Certificate Store and click Continue
7. Select No Do not create a certificate in the certificate store and click Continue

8. Enter a password, confirm it, and click Continue. Remember this password!!!
9. The certificate store successfully created.

10. Click OK and then click on "Certificate Store" to refresh the DCM to work with the new certificate
store.
11. Select *SYSTEM and click on Continue
 12. Keep DCM open as we will come back to it

Importing a Certificate Authority (CA)

In some cases we will need to import one or more Certificate Authorities into the *SYSTEM store we created
earlier in the steps above.
1. Upload the binary certificate file (.cer or .der) onto your PC in a folder of your choice.
2. Transfer the certificate file to your IBM i system. Use FTP and store them in the /tmp or any other
directory on the IBM i system.

3. Return to DCM on your IBM i system.

4. In the left-hand navigation frame, click Expand All.
5. Under Fast Path, click on "Work with CA certificates".
 We can see a list of CAs already installed on our system. Most of these CAs were installed when we
created the *SYSTEM store. We are going to import a new certificate.
6. Import the certificate that we put under /tmp on our IBM i system. Click on the Import button at the
bottom of the right-hand navigation frame.
7. You will be asked to provide the binary certificate file we placed under /tmp. Enter the file name and
click Continue.
8. Label the CA (use msciftpgw) and click Continue
9. You have successfully imported the CA!!!
10. From the "Fast Path", click on "Work with client applications", Select the FTP client and click the 'Work
with application' button.
11. Make sure you set the Define Trust List to No and click Apply
 12. Applications have been successfully updated.

Test FTPS from your IBM i server

Note: The screenshots in this section were created from our internal system msciftpdata. You will be
uploading to msciftpgw.

1. From your IBM i command line:

FTP RMTSYS('msciftpgw.im-ies.ibm.com') SECCNN(*SSL)

2. Enter your Blue Diamond userid and password to login to msciftpgw

3. Successful FTPS connection to the msciftpgw Secure FTP Server

4. You can also start an FTPS session from the IBM i Main Menu panels. Select Option 6.

5. Select Option 5 Network Management

6. Select Option 10 TCP/IP administration
7. Select Option 9 Start TCP/IP FTP session
8. After entering the FTP server msciftpgw.im-ies.ibm.com, Hit Enter
9. We are ready to launch our Secure FTP session with these options.

10. This may take a very long time for the FTP login to appear. If FTP times out, please try again.