IBM i Global

  • 1.  Importing a root certificate without any accompanying client/server one

    Posted Thu August 10, 2023 08:41 AM
    Edited by Satid Singkorapoom Thu August 10, 2023 08:53 AM

    I work for a system integrator as an IBM i SME for a bank customer whose core bank replacement project is under way. I now have a request from a core bank ISV team member to install a certificate file in an IBM i 7.4 LPAR that acts as a client to an FTPS server on an Intel box that he takes care of. His core bank application running on IBM i sends many stream files with FTPS to this Intel server every night after the EoD batch process finishes.

    When I use the Windows certificate viewer on the certificate file I received, I see only a root certificate without any associated client certificate.

    I asked that person for a client certificate and explained its difference from a root certificate, but I received a response that he always generates a certificate file like this, and I have the impression he does know the difference. I then imported it into the IBM i *SYSTEM store anyway and validated it with a successful result. Since there is no client certificate, I cannot assign one to the IBM i FTP Client application. Out of curiosity, I tried initiating an FTPS connection to the Intel server and it works with TLS active, to my surprise! In the DCM *SYSTEM store, IBM i FTP Client has no certificate assigned and its CA Trust List is disabled.

    Could any kind soul help explain to me why FTPS works with no client certificate assigned to it? Clearly, with my limited understanding of this certificate matter, I have always thought a client certificate needs to be assigned to IBM i FTP Client in DCM for FTPS to work, but my real-life experiment proves me wrong. Or is this a strange bug?

    Thanks in advance for any clarification/education.



    ------------------------------
    Education is not the learning of facts but the training of the mind to think. -- Albert Einstein.
    ------------------------------
    Satid S.
    ------------------------------



  • 2.  RE: Importing a root certificate without any accompanying client/server one

    Posted Thu August 10, 2023 09:17 PM

    Later on I did one more experiment. I disabled the root certificate and found that the FTPS client failed to connect with error -23. Only unsecured FTP works. The FTPS connection came back to work after I enabled the root certificate, which means it is needed for the FTPS connection to work. I have had the notion that a client certificate needs to be assigned to the IBM i FTP Client definition for FTPS to work, but this incident is curiously interesting as to why it works.



    ------------------------------
    Education is not the learning of facts but the training of the mind to think. -- Albert Einstein.
    ------------------------------
    Satid S.
    ------------------------------



  • 3.  RE: Importing a root certificate without any accompanying client/server one

    Posted Fri August 11, 2023 07:51 AM

    Is it possible, if you haven't registered a "client certificate", that the server really just doesn't verify client certificates in the first place? (Try with another client if you are curious.)

    The client trusts the server, and maybe that is sufficient for the current server setup. Public CAs are usually already updated. Private/internal CAs of course must be imported and trusted.

    Doing client certification in FTPS is indeed possible, maybe not so mainstream.

    Many people use SFTP (SSH) "normally" with that requirement.



    ------------------------------
    --ft
    ------------------------------



  • 4.  RE: Importing a root certificate without any accompanying client/server one

    Posted Fri August 11, 2023 09:56 PM

    Dear FT

    Thanks for your response, which corresponds to Christian's below, and I will take both your and his explanations to do some more reading to get more acquainted with TLS.



    ------------------------------
    Education is not the learning of facts but the training of the mind to think. -- Albert Einstein.
    ------------------------------
    Satid S.
    ------------------------------



  • 5.  RE: Importing a root certificate without any accompanying client/server one

    Posted Fri August 11, 2023 12:36 PM

    Hi,

    If you add the root CA to your CA list in *system, it means that all your TCP services using SSL will trust this signer certificate unless you specifically set a trust list for each service. There is an old IBM guide:

    https://www.ibm.com/support/pages/ssltls-ftp-client-configuration-using-heritage-digital-certificate-manager

    (it is optional to create the trust list). The FTP server you connect to has a certificate which is signed by this root CA, and therefore you trust its certificate. You can retrieve the certificate from the FTP server to check it through QMGTOOLS:

    https://www.ibm.com/support/pages/qmgtools-getssl-utility 

    Regards

    Kim



    ------------------------------
    Kim Clausen
    ------------------------------



  • 6.  RE: Importing a root certificate without any accompanying client/server one

    Posted Fri August 11, 2023 10:02 PM

    Dear Kim

    I still have a hard time understanding when a CA Trust List is really needed. I have never had a need to use one so far. I understand its description in the IBM i publication, but I hope it will be explained more in terms of what kind of situation a CA Trust List is really needed for. And thanks for reminding me of QMGTOOLS, as I did use this feature to get the certificate from the other side when no one passed one to me. Quite useful!



    ------------------------------
    Education is not the learning of facts but the training of the mind to think. -- Albert Einstein.
    ------------------------------
    Satid S.
    ------------------------------



  • 7.  RE: Importing a root certificate without any accompanying client/server one

    Posted Fri August 11, 2023 03:29 AM

    Hi Satid.

    What you have running now is TLS with server verification! Your IBM i FTP client has the root certificate used to issue the FTP server certificate and will now trust the FTP server and TLS can run. Did you not have the root certificate, your FTP client would not trust the FTP server and TLS would not work.

    You're probably thinking of a client certificate verifying the FTP client - the IBM i. But this is only needed if the server only will accept connections from specific, trusted clients!

    I tend to avoid FTPS if possible and go for SFTP - FTP over SSH - instead, since this is much simpler to set up: just generate an SSH key and copy the public key to the server, and you're good to go. SSH is almost always available on IBM i - just install licensed program 5733SC1 - and it will also give you a secure terminal. And the best part? No expiring certificate here! :-)

    Best regards

    Christian



    ------------------------------
    Christian Jorgensen
    IT System Administrator
    Network of Music Partners A/S
    ------------------------------
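    Worked example, added here and not code from any poster or from IBM: a Go program that builds a throwaway in-memory root CA, a server certificate and a client certificate, then runs four loopback TLS connections matching the situations in this thread. (1) The client has the root in its trust store and the server asks for no client certificate: this is the working setup described in post 1, and Christian's "TLS with server verification". (2) The root is taken out of the client's trust store: the "root disabled" experiment in post 2. (3) The server requires a client certificate and the client has none assigned. (4) The server requires one and the client presents it: the mutual-TLS case Kim and Christian describe as the only time a client certificate matters. The certificate names and the "ftps.example.internal" host are placeholders; the Go `tls.Config` fields stand in for the DCM trust store and application assignments only as an analogy, not as IBM's implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PKI is a constructed, in-memory root CA with one server and one client
// certificate issued by it. Names are placeholders; nothing here is a real CA.
type PKI struct {
	Root       *x509.CertPool  // the root CA alone, as imported into a trust store
	ServerCert tls.Certificate // what the "FTPS server" presents
	ClientCert tls.Certificate // only needed when the server demands client auth
}

func NewPKI() (*PKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	// issue signs one leaf certificate with the root, for server or client use.
	issue := func(serial int64, cn string, eku x509.ExtKeyUsage) (tls.Certificate, error) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return tls.Certificate{}, err
		}
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{eku},
			IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // the loopback "server" address
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
		if err != nil {
			return tls.Certificate{}, err
		}
		return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
	}
	srv, err := issue(2, "ftps.example.internal", x509.ExtKeyUsageServerAuth)
	if err != nil {
		return nil, err
	}
	cli, err := issue(3, "ibmi-ftp-client", x509.ExtKeyUsageClientAuth)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return &PKI{Root: pool, ServerCert: srv, ClientCert: cli}, nil
}

// Handshake runs one TLS connection over loopback and returns the client-side
// error: nil means the client verified the server, the server accepted the
// client, and the client read the greeting.
//   trustRoot      - the client has the root CA in its trust store
//   sendClientCert - the client has a client certificate assigned
//   clientAuth     - what the server demands of the client
func Handshake(p *PKI, trustRoot, sendClientCert bool, clientAuth tls.ClientAuthType) error {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{p.ServerCert}, ClientAuth: clientAuth, ClientCAs: p.Root}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // the "server": the Write completes the handshake, then sends an FTP-style banner
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		c.SetDeadline(time.Now().Add(5 * time.Second))
		c.Write([]byte("220 ready\r\n"))
	}()
	cliCfg := &tls.Config{RootCAs: x509.NewCertPool()} // empty pool: trust nothing (root "disabled")
	if trustRoot {
		cliCfg.RootCAs = p.Root
	}
	if sendClientCert {
		cliCfg.Certificates = []tls.Certificate{p.ClientCert}
	}
	c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return err // e.g. "x509: certificate signed by unknown authority"
	}
	defer c.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second))
	buf := make([]byte, 16)
	_, err = c.Read(buf) // surfaces the server's alert if it rejected the client
	return err
}

func main() {
	p, err := NewPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("root trusted, no client cert, server-only auth:", Handshake(p, true, false, tls.NoClientCert))
	fmt.Println("root not trusted (root disabled):             ", Handshake(p, false, false, tls.NoClientCert))
	fmt.Println("root trusted, server requires client cert:    ", Handshake(p, true, false, tls.RequireAndVerifyClientCert))
	fmt.Println("root trusted, client cert assigned:           ", Handshake(p, true, true, tls.RequireAndVerifyClientCert))
}
```

    Only the second and third runs return an error. The first run is the thread's situation: the root CA alone is enough for the client to verify the server, and the client never sends a certificate because the server never asks for one. The client reads the banner after dialing on purpose: with TLS 1.3 the client's own handshake call can return before the server has decided to reject a missing client certificate, so the rejection shows up on the first read rather than in the dial.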



  • 8.  RE: Importing a root certificate without any accompanying client/server one

    Posted Fri August 11, 2023 09:52 PM
    Edited by Satid Singkorapoom Fri August 11, 2023 10:10 PM

    Dear Christian

    Thanks for your explanation. I hope that IBM would publish an IBM i Technote that explains the basic idea of TLS involved in when just a root certificate in the *SYSTEM store is enough and when explicit client certificate assignment is needed, and which IBM i application definitions use which of these 2 cases.

    As for the use of FTPS, my customer made their own decision despite my explanation that SFTP is more firewall friendly than FTPS because it uses only one port instead of separate port(s) for the data channel, which also jump around in FTPS and need to be restrained. They had their reasons, which were not shared with me.


    >>>>> You're probably thinking of a client certificate verifying the FTP client - the IBM i. But this is only needed if the server only will accept connections from specific, trusted clients! <<<<<

    The confusing thing here is that IBM i DCM uses the terminology "client/server certificate". If the root certificate is enough for the server's identity verification to the client, then I cannot help wondering why IBM i DCM uses "client/server", because from my Google search, no articles about this matter use this same terminology at all. Now I have to wonder when the "server" part is used, since a root certificate in the *SYSTEM store is enough for server ID verification.


    ------------------------------
    Education is not the learning of facts but the training of the mind to think. -- Albert Einstein.
    ------------------------------
    Satid S.
    ------------------------------