IBM i Global

I am trying to connect to a third party FTP server, set with Secure Self Signed certificate from an AS/400 session but an issue occurred. I don't get the ftp prompt to enter user id and password. On the as400 side it right fully attempts the connection via port 990 and then after about 2 min returns error code -11

FTP RMTSYS(xxx.xxx.x.xxx ) PORT(*SECURE) SECCNN(*IMPLICIT)

Previous FTP subcommands and messages:

Connecting to host xxx.xxx.x.xxx at address xxx.xxx.x.xxx using port 990.

Secure connection error, return code -11.I never get the chance to enter user id and password . If I try to connect to the same server using filezilla, the connection is successfully established.

Any idea to solve the problem?

Thanks for any suggestion

Regards

FTP RMTSYS Secure connection error, return code -23.

Have the same issue, did you solved it?

please for your help

Dear Gede

I had troubled experience with using FTPS before.  Is there a firewall between your IBM i and 3rd party server?  I guess there is because you would not have had the issue if there is none. 

You need to ask the firewall admin to open the ports for you and you supply the FTP port numbers to the admin.  But before notifying your firewall admin, you need to ask the 3rd party admin to specify "FTP data port range" in the FTP server part by explicitly specify a small range of port numbers to be used by FTP server and let you know the ports and you convey it to firewall admin. (A sample for Windows server can be found here: https://learn.microsoft.com/en-us/iis/publish/using-the-ftp-service/configuring-ftp-firewall-settings-in-iis-7  )  

Why?  There is a quirk about using FTP/FTPS that anyone using it should know first to be able to deal with the firewall setting.  Each FTP operation opens a new TCP/IP socket connection which means a new random port is used. A "modern" firewall has an optional ability to automatically accommodate this new "temporary" FTP port by looking into the FTP conversation to know which port is to be used and allowing the temp port during the FTP session. But in FTPS, the conversation is encrypted which means firewall cannot look into the conversation.  This entails manual specification of the range of FTP ports in FTP server so that we can set the firewall to allow these port range accordingly.    

Please read the article I attach herewith to understand it.  If you do not understand any part in the article, please ask again here.

------------------------------
Satid S
------------------------------

Attachment(s)

FTPS-How to FTPS Through Firewall.pdf   1.31 MB 1 version

Another point I forgot to mention.  If your IBM i is always the FTPS client to the 3rd party server, there is no need for you to generate a self-signed certificate in IBM i and send it to 3rd party server to use.  This is for "client" authentication and it is optional.  The 3rd party FTPS server needs to create and use its own self-signed certificate for "server" authentication which is mandatory.