Secure FTP (SFTP & FTPS) on IBM i: Overview and Implementation Guide

By Gaurav Khanna posted Tue March 25, 2025 03:33 AM

  

Introduction

IBM i supports multiple file transfer protocols, including FTP (File Transfer Protocol), SFTP (SSH File Transfer Protocol), and FTPS (FTP Secure). Understanding these options is essential for choosing the right method for secure and efficient data transfer. This guide provides an overview of FTP, SFTP, and FTPS, along with step-by-step implementation for IBM i.

Understanding File Transfer Protocols on IBM i

1. FTP (File Transfer Protocol)

  • Traditional method for transferring files between systems.
  • Uses clear-text transmission, making it insecure.
  • Requires an FTP server running on IBM i.
  • Supports binary and ASCII modes for file transfer.

2. SFTP (SSH File Transfer Protocol)

  • Uses SSH (Secure Shell) for encryption.
  • Does not require an FTP server to be active on IBM i.
  • Supported by IBM i’s OpenSSH package.
  • Provides secure authentication and data transfer.

3. FTPS (FTP Secure)

  • Extends traditional FTP with SSL/TLS encryption.
  • Requires an FTP server on IBM i with SSL enabled.
  • Compatible with clients supporting FTP over TLS (e.g., FileZilla, WinSCP).
  • Offers explicit (TLS negotiation) and implicit (always SSL) modes.

Setting Up FTP on IBM i

Step 1: Enable the FTP Server

  • Start the FTP server using the following command:
      STRTCPSVR SERVER(*FTP)
  • Verify that the FTP service is active:
      WRKACTJOB SBS(QSYSWRK) JOB(QTFTP*)

Step 2: Connect Using an FTP Client

  • Use an FTP client like FileZilla, WinSCP, or the IBM i FTP command.
  • Run the following command from a Windows or Linux terminal:
      ftp your-ibmi-host
  • Enter your IBM i username and password, then use commands like put, get, and ls for file operations.

Security Note: FTP transfers data in clear text, making it vulnerable to interception. Use SFTP or FTPS for secure transfers.

Setting Up SFTP on IBM i

Step 1: Verify OpenSSH Installation

IBM i includes OpenSSH, but you should verify its presence:

  • Run the following command in QSH (QShell):
      ssh -V
  • If OpenSSH is not installed, install it using Access Client Solutions (ACS).

Step 2: Start the SSH Daemon

  • Use the following CL command to start the SSH daemon:
      STRTCPSVR SERVER(*SSHD)
  • Ensure SSH starts automatically at IPL by adding it to your startup program.

Step 3: Configure User Access

  • IBM i users must have IFS home directories to use SFTP.
  • Create a home directory for a user (e.g., USER1):
      mkdir /home/USER1
      chown USER1 /home/USER1
      chmod 755 /home/USER1
  • Set up SSH keys if needed for password-less authentication.

Step 4: Test SFTP Connection

From a client machine, use:

sftp USER1@your-ibmi-host

Once connected, use commands like put, get, and ls for file operations.
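
An added example (not part of the original post) for the SSH-key bullet in Step 3: OpenSSH's sshd, with its default StrictModes setting, ignores authorized_keys when the home directory, .ssh, or the key file is writable by group or others. The helper names (install_pubkey, audit_ssh_home) and the sample key are constructed for illustration; ownership, which sshd also checks, is not audited here.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are illustrative.

# perm_string PATH: print the mode field from ls, e.g. drwxr-xr-x
perm_string() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# writable_by_others PATH: succeed if group or world has write permission
writable_by_others() {
    mode=$(perm_string "$1")
    [ "$(printf '%s' "$mode" | cut -c6)" = "w" ] ||
        [ "$(printf '%s' "$mode" | cut -c9)" = "w" ]
}

# install_pubkey HOME_DIR PUBKEY_FILE: append the key, then tighten modes
install_pubkey() {
    mkdir -p "$1/.ssh"
    cat "$2" >> "$1/.ssh/authorized_keys"
    chmod 755 "$1"                      # same mode as Step 3 above
    chmod 700 "$1/.ssh"
    chmod 600 "$1/.ssh/authorized_keys"
}

# audit_ssh_home HOME_DIR: report each path, fail if any is missing or too open
audit_ssh_home() {
    problems=0
    for f in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$f" ]; then
            echo "MISSING  $f"; problems=$((problems + 1))
        elif writable_by_others "$f"; then
            echo "TOO OPEN $(perm_string "$f") $f"; problems=$((problems + 1))
        else
            echo "OK       $(perm_string "$f") $f"
        fi
    done
    [ "$problems" -eq 0 ]
}

# Demo on a constructed throwaway tree with a constructed (non-functional) key
demo=$(mktemp -d)
mkdir -p "$demo/USER1"
echo "ssh-ed25519 AAAAC3constructedSampleKeyOnly user1@client" > "$demo/key.pub"
install_pubkey "$demo/USER1" "$demo/key.pub"
audit_ssh_home "$demo/USER1"
rm -rf "$demo"
```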

Setting Up FTPS on IBM i

Step 1: Enable FTP Server with SSL/TLS

  • Start the FTP server:
      STRTCPSVR SERVER(*FTP)
  • Configure FTP over SSL in IBM Navigator for i:
    • Navigate to Network > Servers > TCP/IP Servers > FTP Server.
    • Enable SSL/TLS and specify required security settings.

Step 2: Create a Digital Certificate

  • Use IBM Digital Certificate Manager (DCM) to create an SSL certificate.
  • Assign it to the FTP server to enable encrypted connections.

Step 3: Connect Using an FTPS Client

  • Use an FTP client (e.g., FileZilla, WinSCP) with FTPS (Explicit or Implicit SSL).
  • Enter the IBM i host IP, username, and password.
  • Choose TLS/SSL encryption in the connection settings.

Conclusion

IBM i provides FTP, SFTP, and FTPS for file transfers.

  • FTP is simple but lacks security.
  • SFTP offers a secure SSH-based alternative.
  • FTPS is best for environments needing traditional FTP with encryption.

For secure file transfers, SFTP and FTPS are highly recommended. Implementing either method ensures data protection while transferring files on IBM i.


Comments

Tue April 01, 2025 09:27 AM

Thank you Satid for your valuable feedback!

This blog was primarily written as an introductory guide for beginners, focusing on setting up and using FTP, SFTP, and FTPS on IBM i. However, I completely agree that discussing FTPS in a secured IT environment, particularly regarding firewall considerations, passive vs. active mode, and port range restrictions, would add depth and practical relevance for enterprise users.

I appreciate the reference to the EnterpriseDT article; it provides useful insights into FTP firewall behavior. Based on your suggestion, I will consider writing a separate section/blog covering these aspects in detail. Readers looking for a deeper understanding of FTPS implementation in secured IT environments can refer to that blog once published.

Thanks again for your insights!

Sun March 30, 2025 09:23 PM

The topic of using FTPS needs more information on using it in a "secured" IT setting - e.g. with presence of Firewalls, because this is a prevalent IT norm. I see you need to add 2 more elements:

1) Description of Passive VS Active mode of FTP.

2) The use of Port Range Restriction on FTPS server side and corresponding port setting in Firewall. This is because the presence of Firewall in many IT shops is the contemporary norm.

This article is useful: https://enterprisedt.com/blogs/discussion/ftp-firewall/ (I have no connection whatsoever to this Enterprise DT).