System i Networking
File Transfer Protocol
Version 5 Release 4
Note
Before using this information and the product it supports, read the information in “Notices,” on page 161.
Eighth Edition (September 2007)
This edition applies to version 5, release 4, modification 0 of IBM i5/OS (product number 5722-SS1) and to all subsequent releases and modifications until otherwise indicated in new editions. This version does not run on all reduced instruction set computer (RISC) models nor does it run on CISC models.
© Copyright International Business Machines Corporation 1998, 2007. All rights reserved.
Contents
File Transfer Protocol . . . 1
What's new for V5R4 . . . 1
Printable PDF . . . 1
Scenarios: File Transfer Protocol . . . 2
Scenario: Transferring a file from a remote host . . . 2
Scenario: Securing File Transfer Protocol with Secure Sockets Layer . . . 3
Configuration details . . . 4
Creating and operating a local certificate authority on the MyCo system . . . 4
Enabling Secure Sockets Layer for MyCo's FTP server . . . 5
Exporting a copy of MyCo's local certificate authority certificate to a file . . . 6
Creating an *SYSTEM certificate store on TheirCo's system . . . 6
Importing MyCo's local CA certificate into TheirCo's *SYSTEM certificate store . . . 7
Specifying MyCo's local CA as a trusted CA for TheirCo's FTP client . . . 7
Configuring the File Transfer Protocol server . . . 8
Configuring File Transfer Protocol server in iSeries Navigator . . . 8
Configuring FTP servers for graphical FTP clients and Web tools . . . 8
File and directory entries in i5/OS format . . . 9
Files and directory entries in UNIX-style format . . . 10
Configuring anonymous File Transfer Protocol . . . 12
Preparing for anonymous File Transfer Protocol . . . 13
Writing exit programs for anonymous File Transfer Protocol . . . 13
Creating an i5/OS user profile: ANONYMOUS . . . 14
Creating a public library or directory . . . 15
Installing and registering exit programs . . . 15
Installing exit programs . . . 15
Registering exit programs . . . 15
Securing File Transfer Protocol . . . 16
Preventing File Transfer Protocol server access . . . 16
Preventing the File Transfer Protocol server from starting automatically . . . 16
Preventing access to File Transfer Protocol ports . . . 16
Controlling File Transfer Protocol access . . . 17
Using Secure Sockets Layer to secure the File Transfer Protocol server . . . 19
Creating a local certificate authority . . . 19
Associating a certificate with the File Transfer Protocol server . . . 20
Requiring client authentication for the File Transfer Protocol server . . . 21
Enabling Secure Sockets Layer on the File Transfer Protocol server . . . 21
Securing FTP clients with Transport Layer Security or Secure Sockets Layer . . . 22
Managing access using File Transfer Protocol exit programs . . . 24
Managing access using iSeries Navigator . . . 25
Monitoring incoming File Transfer Protocol users . . . 25
Managing the File Transfer Protocol server . . . 26
Starting and stopping the File Transfer Protocol server . . . 26
Setting the number of available File Transfer Protocol servers . . . 26
Improving FTP server performance with configurable subsystem support . . . 27
Using the File Transfer Protocol client on the System i platform . . . 27
Starting and stopping a client session . . . 28
Server timeout considerations . . . 31
Transferring files with File Transfer Protocol . . . 31
Running File Transfer Protocol in unattended mode using a batch job . . . 32
Simple example: Batch FTP . . . 33
Complex example: Batch FTP . . . 35
Example: Creating a CL program to start FTP . . . 35
Example: Creating the FTP input file (FTCPDMS) . . . 36
Example: CL program for submitting the FTPBATCH job . . . 38
Example: Checking the FTP output file for errors . . . 38
File Transfer Protocol reference information . . . 41
File Transfer Protocol server subcommands . . . 41
File Transfer Protocol client subcommands . . . 60
File Transfer Protocol exit programs . . . 93
Request validation exit point: client and server . . . 94
Example: FTP client or server request validation exit program in CL code . . . 95
Example: FTP server request validation exit program in ILE RPG code . . . 97
VLRQ0100 exit point format . . . 101
FTP server logon exit point . . . 105
Example: FTP Server Logon exit program in CL code . . . 107
Example: FTP server logon exit program in C code . . . 108
Example: FTP server logon exit program in ILE RPG code . . . 117
TCPL0100 exit point format . . . 119
TCPL0200 exit point format . . . 123
TCPL0300 exit point format . . . 125
Removing exit programs . . . 128
Data transfer methods . . . 129
Transferring files that contain packed decimal data between System i platforms . . . 129
Transferring *SAVF files . . . 130
Transferring QDLS documents . . . 131
Transferring root, QOpenSys, QDLS, and QOPT files . . . 131
Transferring files using QfileSvr.400 . . . 131
Transferring QSYS.LIB files . . . 132
Receiving text files to QSYS.LIB . . . 134
Considerations for creating files before transferring them into QSYS.LIB . . . 135
Coded character set identifier conversions . . . 135
Specifying mapping tables . . . 135
CCSID code page tagging for i5/OS files . . . 136
National language support considerations for FTP . . . 137
File systems and naming conventions . . . 138
i5/OS file systems that are supported by File Transfer Protocol . . . 139
Status messages from the File Transfer Protocol server . . . 139
File Transfer Protocol server syntax conventions . . . 141
File Transfer Protocol client syntax conventions . . . 144
Enclosing subcommand parameters . . . 147
File names for client-transfer subcommands . . . 147
Naming files for transfer . . . 150
Troubleshooting File Transfer Protocol . . . 151
Determining problems with File Transfer Protocol . . . 151
Materials required for reporting FTP problems . . . 154
Tracing the FTP server . . . 154
Tracing the FTP client . . . 157
Working with FTP server jobs and job log . . . 158
Appendix. Notices . . . 161
Programming Interface Information . . . 162
Trademarks . . . 163
File Transfer Protocol
You can set up your IBM® System i™ platform to send, receive, and share files across networks by using File Transfer Protocol (FTP). You can also rename, add, and delete files across a network using FTP. Before you set up your system to transfer files, you must have TCP/IP configured and started on your system.
Note: By using the code examples, you agree to the terms of the Code license and disclaimer information.
What's new for V5R4
This topic highlights changes to the File Transfer Protocol for V5R4.
What's new as of 9 May 2006
Secure FTP support for network address translation firewalls
In an FTP session secured by Transport Layer Security (TLS) or Secure Sockets Layer (SSL), you can use the Clear Command Channel (CCC) subcommand to change the transmission mode in a control connection from the encrypted mode to the cleartext mode. Thus you can secure sensitive information, including your user name and password, by sending it in the encrypted mode in the control connection. Then you can use the CCC subcommand to change to the cleartext mode and send the port and IP information in a form that a network address translation firewall can read and rewrite.
See the server subcommand "CCC (Clear Command Channel)" on page 45 and the client subcommand "CCC (Clear Command Channel)" on page 64 topics for more information.
How to see what's new or changed
To help you see where technical changes have been made, this information uses:
• An image to mark where new or changed information begins.
• An image to mark where new or changed information ends.
To find other information about what's new or changed this release, see the Memo to users.
Printable PDF
Use this to view and print a PDF of this information.
To view or download the PDF version of this document, select FTP (about 1636 KB).
Saving PDF files
To save a PDF on your workstation for viewing or printing:
1. Right-click the PDF in your browser (right-click the link above).
2. Click the option that saves the PDF locally.
3. Navigate to the directory in which you want to save the PDF.
4. Click Save.
Downloading Adobe Reader
You need Adobe Reader installed on your system to view or print these PDFs. You can download a free copy from the Adobe Web site (www.adobe.com/products/acrobat/readstep.html).
Scenarios: File Transfer Protocol
The File Transfer Protocol (FTP) scenarios demonstrate how FTP is configured and used in the i5/OS® environment. The scenarios help you understand how FTP works and how you can use an FTP environment in your network.
These scenarios introduce fundamental FTP concepts from which beginners and experienced users can benefit before they proceed to the planning and configuration tasks.
Scenario: Transferring a file from a remote host
The scenario shows how to use basic functions of File Transfer Protocol (FTP) to get files from a remote host. In this scenario, the client and the server are both using i5/OS FTP.
Situation
Suppose that a colleague developed Java™ files on a remote system. As a system engineer, you need to transfer the example.jar file from the remote system to your local test system.
Objectives
Use FTP to transfer the file across a TCP/IP network.
Details
To transfer the file, two connections are used: the control connection and the data connection. The control connection is used to send subcommands from the client to the server and receive responses to those commands from the server to the client. The client initiates FTP commands to the FTP server. The data connection is used to transfer the actual files. Both the client and the server interface with the i5/OS file system.
To transfer files, you need a user ID on both systems. Here are the system requirements:
• System running i5/OS
• IBM TCP/IP Connectivity Utilities for i5/OS (5722-TC1)
• FTP server configured
To transfer files, you also need to know the following information:
• Host name of the remote system
• Your user name and password on the remote system
• Name of the file to transfer
• Location of the file to transfer
• File format (format that you must transfer the file in, such as binary or ASCII)
Configuration tasks
You need to complete the following tasks to perform a simple file transfer:
Note: You can also transfer files automatically by using FTP as a batch job.
1. Start your FTP client session. For this scenario, in the character-based interface, type STRTCPFTP and press Enter.
2. Specify the name of the remote system from which you want to get the file. For this scenario: theirco.com.
3. Specify your user name for the remote system.
Enter login ID (yourid): ===> yourid
4. Specify your password for the remote system.
Enter password: ===> yourpassword
5. Locate the directory on the TheirCo system from which you want to transfer the file. For this scenario:
===> cd /qibm/userdata/os400/dirserv/usrtools/windows
6. Navigate to the directory on the local system to which you want to transfer the file. For this scenario:
===> lcd /qibm/userdata/os400/dirserv/usrtools/windows
7. Specify the file type, ASCII or BINARY. The default file type is ASCII. For a .jar file, you must switch the file transfer type to binary. For this scenario: ===> BINARY
8. Request a file transfer from the remote server system to the client system. For this scenario: ===> get example.jar
9. When finished, exit from FTP. For this scenario: ===> QUIT
Related tasks
"Transferring files with File Transfer Protocol" on page 31
You can send and receive files with File Transfer Protocol (FTP).
Related reference
"Running File Transfer Protocol in unattended mode using a batch job" on page 32
In addition to running the FTP client interactively, you can run the FTP client in an unattended mode. This topic provides a simple example and a complex example of the batch FTP method.
"Starting and stopping a client session" on page 28
After you obtain a logon ID and password to a remote File Transfer Protocol (FTP) server, you can start a client session with that FTP server. You can end the client session using the QUIT FTP subcommand.
"ASCII (Change File Type to ASCII)" on page 63
The ASCII i5/OS FTP client subcommand sets the file transfer type to ASCII format.
"BINARY (Set Transfer Type to Image)" on page 64
The BINARY i5/OS FTP client subcommand sets the file transfer type to BINARY format.
Scenario: Securing File Transfer Protocol with Secure Sockets Layer
The scenario shows how to transfer data to your partner company by using Secure Sockets Layer (SSL). With SSL, the File Transfer Protocol (FTP) client and server on System i platforms can communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery.
Situation
Suppose that you work for MyCo, a company that researches startup companies and sells the research to companies in the investment planning industry. One such company, TheirCo, needs the services that MyCo provides, and would like to receive research reports through FTP. MyCo always ensures the privacy and security of the data it disperses to its customers, whatever the format. In this case, MyCo needs SSL-secured FTP sessions with TheirCo.
Objectives
The following items are your objectives in this scenario:
• Create and operate a local certificate authority (CA) on the MyCo system.
• Enable SSL for MyCo's FTP server.
• Export a copy of MyCo's local CA certificate to a file.
• Create an *SYSTEM certificate store on TheirCo's system.
• Import MyCo's local CA certificate into TheirCo's *SYSTEM certificate store.
• Specify MyCo's local CA as a trusted CA for TheirCo's FTP client.
Prerequisites
MyCo
• A System i product is running the i5/OS operating system.
• The IBM TCP/IP Connectivity Utilities for i5/OS (5722-TC1) is installed on the system.
• The IBM Digital Certificate Manager (DCM) (5722-SS1 option 34) is installed on the system.
• The IBM HTTP Server (5722-DG1) is installed on the system.
• The system uses certificates to protect access to public applications and resources.
TheirCo
• A System i product is running the i5/OS operating system.
• The TCP/IP Connectivity Utilities for i5/OS (5722-TC1) is installed on the system.
• The IBM Digital Certificate Manager (5722-SS1 option 34) is installed on the system.
• The IBM HTTP Server (5722-DG1) is installed on the system.
• The system uses an i5/OS operating system with a TCP/IP FTP client for FTP sessions.
Details
TheirCo uses an i5/OS operating system with an FTP client to request a secure FTP file transfer from MyCo's FTP server. The server is authenticated. TheirCo receives financial reports from MyCo by using an SSL-secured FTP session.
Related concepts
"Securing FTP clients with Transport Layer Security or Secure Sockets Layer" on page 22
You can use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) connections to encrypt data transferred over File Transfer Protocol (FTP) control and data connections.
Related tasks
Managing public Internet certificates for SSL communications sessions
Starting Digital Certificate Manager
Related information
Scenario: Using certificates for external authentication
Configuration details
In order to secure File Transfer Protocol (FTP) with Secure Sockets Layer (SSL), you need to configure the systems using FTP, including working with the certificate authority (CA), enabling SSL, and so on. In this scenario, both MyCo and TheirCo need to complete a series of tasks to secure their FTP sessions with SSL.
Creating and operating a local certificate authority on the MyCo system:
This scenario assumes that MyCo has not used Digital Certificate Manager (DCM) previously to set up certificates for its system. Based on the objectives for this scenario, MyCo has chosen to create and operate a local certificate authority (CA) to issue a certificate to the File Transfer Protocol (FTP) server.
Note: Instead of creating and operating a local CA, MyCo can also use DCM to configure the FTP server to use a public certificate for SSL.
When using DCM to create a local CA, you are guided through a process that ensures you configure everything needed to enable Secure Sockets Layer (SSL).
MyCo uses the following steps to create and operate a local CA on its system, using the DCM:
1. Start IBM DCM. If you need to obtain or create certificates, or set up or change your certificate system, do so now.
2. In the navigation frame of DCM, select Create a Certificate Authority (CA) to display a series of forms. These forms guide you through the process of creating a local CA and completing other tasks needed to begin using digital certificates for SSL, object signing, and signature verification.
3. Complete all the forms that display. There is a form for each of the tasks required to create and operate a local CA on the system.
a. Choose how to store the private key for the local CA certificate. This step is included only if you have an IBM 4758-023 PCI Cryptographic Coprocessor installed on your system. If your system does not have a cryptographic coprocessor, DCM automatically stores the certificate and its private key in the local CA certificate store.
b. Provide identifying information for the local CA.
c. Install the local CA certificate on your PC or in your browser. This enables software to recognize the local CA and validate certificates that the CA issues.
d. Choose the policy data for your local CA.
e. Use the new local CA to issue a server or client certificate that applications can use for SSL connections. If you have an IBM 4758-023 PCI Cryptographic Coprocessor installed in the system, you can select how to store the private key for the server or client certificate. If your system does not have a coprocessor, DCM automatically places the certificate and its private key in the *SYSTEM certificate store. DCM creates the *SYSTEM certificate store as part of this task.
f. Select the applications that can use the server or client certificate for SSL connections.
Note: Be sure to select the application ID for the i5/OS TCP/IP FTP server (QIBM_QTMF_FTP_SERVER).
g. Use the new local CA to issue an object signing certificate that applications can use to digitally sign objects. This creates the *OBJECTSIGNING certificate store, which you use to manage object signing certificates.
Note: Although this scenario does not use object signing certificates, be sure to complete this step. If you cancel at this point in the task, the task ends and you need to perform separate tasks to complete your SSL certificate configuration.
h. Select the applications that you want to trust the local CA.
Note: Be sure to select the application ID for the i5/OS TCP/IP FTP server (QIBM_QTMF_FTP_SERVER).
Enabling Secure Sockets Layer for MyCo's FTP server:
Now that the File Transfer Protocol (FTP) server has a certificate assigned to it, MyCo needs to configure the FTP server to use Secure Sockets Layer (SSL).
1. In iSeries Navigator, expand your system → Network → Servers → TCP/IP.
2. Right-click FTP.
3. Select Properties.
4. Select the General tab.
5. Choose the following option for SSL support: Secure only. Select this to allow only SSL sessions with the FTP server. Connections can be made to the non-secure FTP port, but the FTP client must negotiate an SSL session before the user is allowed to log in.
With this task complete, MyCo's FTP server can now use SSL to encrypt communication sessions and protect the privacy of the data transmitted during these sessions. However, to configure the FTP client to participate in an SSL session with the FTP server, MyCo must provide their client, TheirCo, with a copy of the local CA certificate. To do this, MyCo needs to export a copy of the local CA certificate to a file and make the file available to TheirCo. After TheirCo has this file, they can use DCM to import the local CA certificate into the *SYSTEM certificate store, and configure the i5/OS FTP client to use SSL.
Exporting a copy of MyCo's local certificate authority certificate to a file:
To enable a secure FTP connection between the two systems, MyCo must provide TheirCo with a copy of the local certificate authority (CA) certificate. TheirCo's client application must be configured to trust the CA certificate before it can participate in a Secure Sockets Layer (SSL) session.
MyCo uses the following steps to export a copy of the local CA certificate to a file:
1. Start IBM Digital Certificate Manager (DCM). If you need to obtain or create certificates, or set up or change your certificate system, do so now.
2. Click Select a Certificate Store.
3. Select *SYSTEM as the certificate store to open and click Continue.
4. When the Certificate Store and Password page displays, provide the password that was specified for the certificate store when it was created, and click Continue.
5. After the navigation frame refreshes, select Manage Certificates, and then select the Export certificate task.
6. Select Certificate Authority (CA) and click Continue to display a list of CA certificates.
7. Select the MyCo local CA certificate from the list and click Export.
8. Specify File as the export destination and click Continue.
9. Specify a fully qualified path and file name for the exported local CA certificate and click Continue to export the certificate.
10. Click OK to exit the Export confirmation page.
Now you can transfer these files to the endpoint systems on which you intend to verify signatures that you created with the certificate. You can use e-mail or FTP to transfer the files because they do not need to be sent securely. The CA certificate is public, so confidentiality is not required; its integrity still matters, so TheirCo should confirm with MyCo through a separate channel that the file it received is the genuine CA certificate before trusting it.
Creating an *SYSTEM certificate store on TheirCo's system:
To participate in a Secure Sockets Layer (SSL) session, TheirCo's File Transfer Protocol (FTP) client must be able to recognize and accept the certificate that MyCo's FTP server presents. To authenticate the certificate, TheirCo's FTP client must have a copy of the certificate authority (CA) certificate in the *SYSTEM certificate store.
This scenario assumes that Digital Certificate Manager (DCM) has not been previously used to create or manage certificates. Consequently, TheirCo must create the *SYSTEM certificate store by following these steps:
1. Start IBM DCM. If you need to obtain or create certificates, or set up or change your certificate system, do so now.
2. In the DCM navigation frame, select Create New Certificate Store and select *SYSTEM as the certificate store to create and click Continue.
3. Select No to create a certificate as part of creating the *SYSTEM certificate store and click Continue.
4. Specify a password for the new certificate store and click Continue to display a confirmation page.
5. Click OK.
Importing MyCo's local CA certificate into TheirCo's *SYSTEM certificate store:
TheirCo's *SYSTEM certificate store contains a copy of most public certificate authority (CA) certificates. However, because MyCo's File Transfer Protocol (FTP) server uses a certificate from a local CA, TheirCo's FTP client must obtain a copy of the local CA certificate and import it into the *SYSTEM certificate store. TheirCo uses these steps to import the local certificate authority certificate into the *SYSTEM certificate store and specify that it is a trusted source for certificates:
1. In the DCM navigation frame, click Select a Certificate Store and select *SYSTEM as the certificate store to open.
2. When the Certificate Store and Password page displays, provide the password that was specified for the certificate store when it was created, and click Continue.
3. After the navigation frame refreshes, select Manage Certificates to display a list of tasks.
4. From the task list, select Import certificate.
5. Select Certificate Authority (CA) as the certificate type and click Continue.
6. Specify the fully qualified path and file name for the CA certificate file and click Continue. A message displays that either confirms that the import process succeeded or provides error information if the process failed.
Specifying MyCo's local CA as a trusted CA for TheirCo's FTP client:
Before TheirCo can use the File Transfer Protocol (FTP) client to make secure connections to the MyCo FTP server, TheirCo must use Digital Certificate Manager (DCM) to specify which certificate authorities (CA) the client should trust. This means that TheirCo must specify that the local CA certificate that was imported previously is to be trusted.
TheirCo uses the following steps to specify that their FTP client should trust MyCo's local CA certificate:
1. Start DCM.
2. Click Select a Certificate Store and select *SYSTEM as the certificate store to open.
3. When the Certificate Store and Password page displays, provide the password that was specified for the certificate store when it was created, and click Continue.
4. In the navigation frame, select Manage Applications to display a list of tasks.
5. From the task list, select Define CA trust list.
6. Select Client as the type of application for which you want to define the list and click Continue.
7. Select the i5/OS TCP/IP FTP client application (QIBM_QTMF_FTP_CLIENT) from the list and click Continue to display a list of CA certificates.
8. Select MyCo's local CA certificate that was imported previously and click OK. DCM displays a message to confirm the trust list selection.
With these steps complete, MyCo's FTP server can establish an SSL session with TheirCo's FTP client and server.
Related concepts
"Securing FTP clients with Transport Layer Security or Secure Sockets Layer" on page 22
You can use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) connections to encrypt data transferred over File Transfer Protocol (FTP) control and data connections.
Configuring the File Transfer Protocol server
You can configure your File Transfer Protocol (FTP) server to work with graphical FTP clients, Web browsers, and Web tools.
The TCP/IP Connectivity Utilities licensed program comes with TCP/IP FTP servers configured. When you start TCP/IP, the FTP server starts simultaneously. Before you configure an FTP server on the Internet, you need to review these safeguards to protect your data:
• Use a firewall between your system and the Internet.
• Use a nonproduction system for your FTP server.
• Do not attach the FTP server to the rest of your company's Local Area Networks (LANs) or Wide Area Networks (WANs).
• Use FTP exit programs to secure access to the FTP server.
• Test FTP exit programs once a month to ensure that they do not contain security loopholes.
• Do not allow anonymous FTP users to have read and write access to the same directory. Such a directory lets anonymous users exchange files through your server while remaining untraceable on the Internet.
• Log all access to your FTP server and review the logs daily or weekly for possible attacks.
• Verify that the correct exit programs are registered for the FTP server once a month.
• Review the Secure FTP topic for information about securing your FTP server.
Related reference
"Securing File Transfer Protocol" on page 16
You can protect your data by securing FTP with Secure Sockets Layer (SSL), monitoring File Transfer Protocol (FTP) users, and managing user access to FTP functions.
Configuring File Transfer Protocol server in iSeries Navigator
iSeries Navigator provides a graphical user interface (GUI) from which you can configure and manage the i5/OS File Transfer Protocol (FTP) server.
To access the GUI for FTP in iSeries Navigator, follow these steps:
1. From iSeries Navigator, expand your system → Network → Servers → TCP/IP.
2. In the right pane, right-click FTP and select Properties.
3. From here, you can change the properties for your FTP server. You can view the online help by clicking the help button. To obtain help for a specific field, click the question mark button, and then click that field.
Related tasks
"Starting and stopping the File Transfer Protocol server" on page 26
You can start and stop the File Transfer Protocol (FTP) server by using iSeries Navigator.
Configuring FTP servers for graphical FTP clients and Web tools
File Transfer Protocol (FTP) servers on the i5/OS operating system support graphical FTP clients, Web browsers, and other Web tools. Because most graphical FTP clients use the UNIX-style format as their list format and path file as their file name format, you need to configure your FTP server to support these formats.
To use the supported formats, follow these instructions to set the FTP server properties:
1. From iSeries Navigator, expand your system → Network → Servers → TCP/IP.
2. In the right pane, right-click FTP and select Properties.
3. On the Properties page, click the Initial Formats tab.
• Enable Path as the File Naming Format.
• Enable UNIX list format as the File List Format.
Note: You can control the LISTFMT and NAMEFMT settings for specific FTP sessions using an exit program for the TCPL0200 format or TCPL0300 format of the FTP server logon exit point. You can also change the list format after an FTP session is in progress with options for the FTP server SITE (Send Information Used by a Server System) subcommand. These settings control the results returned by the LIST (File List) and NLST (Name List) FTP server subcommands.
Related reference
"TCPL0200 exit point format" on page 123
The exit point for File Transfer Protocol (FTP) Server Logon is QIBM_QTMF_SVR_LOGON. TCPL0200 is one of the interfaces that controls the parameter format for these exit points. This topic discusses the parameters of the TCPL0200 exit point format.
"TCPL0300 exit point format" on page 125
The exit point for File Transfer Protocol (FTP) Server Logon is QIBM_QTMF_SVR_LOGON. The exit point for Remote Execution Protocol (REXEC) Server Logon is QIBM_QTMX_SVR_LOGON. TCPL0300 is one of the interfaces that controls the parameter format for these exit points. This topic discusses the parameters of the TCPL0300 exit point format.
"SITE (Send Information Used by a Server System)" on page 55
The SITE i5/OS FTP server subcommand sends information or provides services that are used by the FTP server.
"LIST (File List)" on page 48
The LIST i5/OS FTP server subcommand displays a list of directory entries, library contents, or files in a file group.
"NLST (Name List)" on page 50
The NLST i5/OS FTP server subcommand displays names of multiple files, a file group, a directory, or a library.
File and directory entries in i5/OS format
System i clients support listing the files on a File Transfer Protocol (FTP) server in both the i5/OS format and the format specific to UNIX. This topic discusses the i5/OS format.
Here is the original i5/OS style format for the LIST subcommand (when LISTFMT=0):
owner size date time type name
A blank space separates each field. This is a description of each field:
owner   The 10-character string that represents the user profile which owns the object. This string is left-aligned, and includes blanks. This field is blank for anonymous FTP sessions.
size   The 10-character number that represents the size of the object. This number is right-aligned, and includes blanks. This field is blank when an object has no size associated with it.
date   The 8-character modification date in the format that is defined for the server job. It uses date separators that are defined for the server job. This modification date is left-aligned, and it includes blanks.
time   The 8-character modification time that uses the time separator, which the server job defines.
name   The variable length name of the object that follows a CRLF (carriage return, line feed pair). This name can include blanks.
Here is an example of the original i5/OS style format:
BAILEYSE 5263360 06/11/97 12:27:39 *FILE BPTFSAVF
Related reference
"Files and directory entries in UNIX-style format"
When listing files and directories on a File Transfer Protocol (FTP) server, System i clients list the files in both the i5/OS format and the UNIX-style format. This topic discusses the UNIX® format.
"SITE (Send Information Used by a Server System)" on page 55
The SITE i5/OS FTP server subcommand sends information or provides services that are used by the FTP server.
"LIST (File List)" on page 48
The LIST i5/OS FTP server subcommand displays a list of directory entries, library contents, or files in a file group.
"NLST (Name List)" on page 50
The NLST i5/OS FTP server subcommand displays names of multiple files, a file group, a directory, or a library.
Files and directory entries in UNIX-style format
When listing files and directories on a File Transfer Protocol (FTP) server, System i clients list the files in both the i5/OS format and the UNIX-style format. This topic discusses the UNIX format.
Here is the UNIX-style format for the LIST subcommand (when LISTFMT=1):
mode links owner group size date time name
A blank space separates each field.
This is a description of each field in the UNIX-style format:
mode   You can use 10 characters. Each character has a specific meaning.
The first character   Meaning
d   The entry is a directory.
b   The entry is a block special file.
c   The entry is a character special file.
l   The entry is a symbolic link. Either the -N flag was specified, or the symbolic link did not point to an existing file.
p   The entry is a first-in, first-out (FIFO) special file.
s   The entry is a local socket.
-   The entry is an ordinary file.
The next nine characters divide into three sets of three characters each. The three characters in each set indicate, respectively, read, write, and execute permission of the file. With execute permission of a directory, you can search a directory for a specified file. Indicate permissions like this: The first set of three characters shows the owner's permission. The next set of three characters shows the permission of the other users in the group. The last set of three characters shows the permission of anyone else with access to the file.
Character   Function
r   read
w   write
x   execute (search)
-   corresponding permission not granted
links   The number of links to the object. The minimum number of characters is 3. The maximum number of characters is 5. The characters are right justified, and they include blanks.
owner   The owner of the object. The minimum number of characters is 8. The maximum number of characters is 10. The characters are left justified, and they include blanks. This field contains the user profile name of the object owner. However, for anonymous FTP sessions, this field contains the owner ID number.
group   The group of the object. The minimum number of characters is 8. The maximum number of characters is 10. The characters are left justified, and they include blanks. This field contains the user profile name of the group. However, if there is no group, this field contains the group ID number. The field also contains the group ID number for an anonymous FTP session.
size   The size of the object. The minimum number of characters is 7. The maximum number of characters is 10. The characters are right-aligned, and they include blanks. When there is no size for the object, the default is zero.
date time   The 12-character modification time. The characters are left-aligned, and they include blanks. This is the format of this field when the modification time is within the previous 180 days:
Mmm dd hh:mm
This is the format of this field when the modification time is not within the previous 180 days:
Mmm dd yyyy
Here is the description of each field.
Characters   Meaning
Mmm   Abbreviated month.
dd   Two-character day of the month. The characters are right justified and padded with blanks.
hh   Two-digit hour (00-23). The digits are right justified and padded with zeros.
mm   Two-digit minute (00-59). The digits are right justified and padded with zeros.
yyyy   Four-digit year.
name   The variable length name of the object, which precedes a CRLF (carriage return, line feed pair). The name may include blanks.
Here is an example of the UNIX style format:
drwxrwxrwx 4 QSYS 0 51200 Feb 9 21:28 home
Consider this information as you work with UNIX format data that is returned by the LIST subcommand: When LISTFMT=1, the LIST content varies for QSYS.LIB files depending on the NAMEFMT setting:
• When NAMEFMT=1, you will see only the QSYS.LIB file names.
• When NAMEFMT=0, you will see both the QSYS.LIB file names and the names of the members in the file or files.
Related reference
"File and directory entries in i5/OS format" on page 9
System i clients support listing the files on a File Transfer Protocol (FTP) server in both the i5/OS format and the format specific to UNIX. This topic discusses the i5/OS format.
"SITE (Send Information Used by a Server System)" on page 55
The SITE i5/OS FTP server subcommand sends information or provides services that are used by the FTP server.
"LIST (File List)" on page 48
The LIST i5/OS FTP server subcommand displays a list of directory entries, library contents, or files in a file group.
"NLST (Name List)" on page 50
The NLST i5/OS FTP server subcommand displays names of multiple files, a file group, a directory, or a library.
Configuring anonymous File Transfer Protocol
Anonymous File Transfer Protocol (FTP) enables remote users to use the FTP server without an assigned user ID and password.
Anonymous FTP enables unprotected access (no password required) to selected information on a remote system. The remote site determines what information is made available for general access. Such information is considered to be publicly accessible and can be read by anyone. It is the responsibility of the person who owns the information and the system to ensure that only appropriate information is made available.
To access this information, a user logs on to the host using the user ID ANONYMOUS. The user ANONYMOUS has limited access rights to the files on the FTP server and has some operating restrictions. Typically, only the following operations are allowed:
v Logging on using FTP
v Listing the contents of a limited set of directories
v Retrieving files from these directories
Typically, anonymous users are not allowed to transfer files to the FTP server. Some systems do provide an incoming directory for anonymous users to send data to. Traditionally, the special anonymous user account accepts any string as a password, although it is common to use either the password guest or one's e-mail address. Some archive sites explicitly ask for the user's e-mail address and do not allow logon with the guest password. Providing an e-mail address is a courtesy that allows the archive site operators to get some idea of who is using their services.
Anonymous FTP on the i5/OS operating system
The File Transfer Protocol (FTP) server does not provide anonymous FTP by default. To set up anonymous FTP on the i5/OS operating system, you need to provide exit programs for the FTP server logon exit point and the FTP request validation exit point.
You might want to provide anonymous FTP because it is a convenient and often necessary service. However, using anonymous FTP raises security concerns for the system.
Related concepts
“Managing access using File Transfer Protocol exit programs” on page 24
You can provide additional security by adding FTP exit programs to the File Transfer Protocol (FTP) server and client exit points, so that you can further restrict FTP access to your system.
“Controlling File Transfer Protocol access” on page 17
If you are using File Transfer Protocol (FTP), you need to control users to protect your data and network. This topic offers tips and security considerations.
“FTP server logon exit point” on page 105
You can control the authentication to a TCP/IP application server with the TCP/IP Application Server Logon exit point. This exit point allows FTP server access based on the originating session's address. It also allows you to specify an initial working directory that is different from those that are in the user profile.
Preparing for anonymous File Transfer Protocol
To set up your anonymous File Transfer Protocol (FTP), you need to be aware of certain security considerations.
Skill requirements
To set up anonymous FTP, you need the following skills:
v Familiarity with the i5/OS character-based interface and commands with multiple parameters and keywords.
v Ability to create libraries, members, and source physical files on your system (you should have at least *SECOFR authority).
v Ability to assign authorities to libraries, files, members, and programs.
v Ability to write, change, compile, and test programs on your system.
Security considerations
The first step in implementing anonymous FTP is to define your anonymous FTP server site policy. This plan defines the FTP site security and determines how to code your exit programs. Because the FTP server will allow anyone to access your data, you must carefully consider how you want it to be used and what data must be protected.
Review the following guidelines for your FTP site policy plan:
v Use a firewall between your system and the Internet.
v Use a nonproduction system for your FTP server.
v Do not attach the FTP server to the rest of your company's LANs or WANs.
v Use FTP exit programs to secure access to the FTP server.
v Test FTP exit programs to ensure that they do not contain security loopholes.
v Do not allow anonymous FTP users to have both read and write access to the same directory. Doing so lets anonymous users exchange files through your system while remaining untraceable on the Internet.
v Allow ANONYMOUS access only. Do not allow any other user IDs, and do not authenticate passwords.
v Restrict ANONYMOUS access to one public library or directory only. (Where will it be? What will you call it?)
v Place only public-access files in the public library or directory.
v Restrict ANONYMOUS users to 'view' and 'retrieve' subcommands only (get, mget). Do not under any circumstances allow ANONYMOUS users to use CL commands.
v Log all access to your FTP server.
v Review FTP server logs daily or weekly for possible attacks.
v Verify once a month that the FTP server registers the correct exit programs.
v Test the FTP server for security holes once a month.
Writing exit programs for anonymous File Transfer Protocol
To use anonymous File Transfer Protocol (FTP) on the i5/OS operating system, you need to write two exit programs: an FTP server logon exit program and an FTP server request validation exit program.
The FTP server logon exit program enables the ANONYMOUS user ID and forces the ANONYMOUS user into the public library or directory. The FTP server request validation exit program restricts the commands, files, and directories or libraries that the ANONYMOUS user can use.
Exit points and exit point formats
The FTP server communicates with each exit program through a specific exit point. Parameters are passed between the server and the exit program. The format of the exchanged information is specified by an exit point format.
Program             Exit point              Format
Server logon        QIBM_QTMF_SVR_LOGON     TCPL0100, TCPL0200, or TCPL0300 (1)
Request validation  QIBM_QTMF_SERVER_REQ    VLRQ0100
(1) An exit point might have more than one format, but an exit program can be registered for only one of the exit point formats. Examine each of these formats, then choose the one most appropriate for your system.
Example programs
Example programs are available to help you set up anonymous FTP on your system. You can use these examples as a starting point to build your own programs, or copy portions of their code into programs that you write yourself. It is suggested that you run the example programs on a system other than your production system.
Note: These examples are for illustration purposes only. They do not contain enough features to run on a production machine as is. Feel free to use them as a starting point, or to use sections of code as you write your own programs.
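The following Python model is an added illustration of the two decisions the exit programs above must make, written against the site policy guidelines in "Security considerations"; it is not one of IBM's example programs and it does not use the exit point interface. A real logon exit receives a TCPL0x00 parameter structure and a real request validation exit receives VLRQ0100 and returns a result code; here both are reduced to plain Python values. The public directory path and the subcommand names used as operation identifiers are assumptions.

```python
import posixpath
from typing import List, Optional, Tuple

# Added model of the anonymous-FTP logon and request validation decisions.
# Not the i5/OS exit point interface; paths and operation names are assumed.
PUBLIC_DIR = "/home/anonymous/pub"          # assumption: the single public directory

# 'view' and 'retrieve' only: navigation, listing and get/mget.
VIEW_RETRIEVE_OPS = {"CWD", "CDUP", "PWD", "LIST", "NLST", "RETR"}
# Session housekeeping that touches no data.
SESSION_OPS = {"TYPE", "MODE", "STRU", "PASV", "PORT", "NOOP", "SYST", "QUIT"}


class AuditLog:
    """Every logon and request is recorded ('Log all access to your FTP server')."""
    def __init__(self) -> None:
        self.entries: List[str] = []

    def record(self, verdict: str, *detail: object) -> None:
        self.entries.append(" ".join([verdict, *map(str, detail)]))


def logon_decision(user: str, password: str, client_addr: str,
                   log: AuditLog) -> Tuple[bool, Optional[str]]:
    """Logon exit model: accept ANONYMOUS only, never authenticate the password
    (it is only recorded, as the courtesy e-mail address), and force the
    session into the public directory."""
    if user.upper() != "ANONYMOUS":
        log.record("LOGON-REJECT", client_addr, user)
        return False, None
    log.record("LOGON-ACCEPT", client_addr, user, password)
    return True, PUBLIC_DIR


def _resolve(cwd: str, arg: str) -> str:
    # Absolute or relative, the result is normalised so '..' cannot climb out.
    return posixpath.normpath(arg if arg.startswith("/") else posixpath.join(cwd, arg))


def _inside_public(path: str) -> bool:
    return path == PUBLIC_DIR or path.startswith(PUBLIC_DIR + "/")


def request_decision(user: str, op: str, arg: str, cwd: str,
                     log: AuditLog) -> Tuple[bool, str]:
    """Request validation exit model for one FTP subcommand."""
    op = op.upper()
    if user.upper() != "ANONYMOUS":
        verdict = (False, "only ANONYMOUS sessions are served")
    elif op in SESSION_OPS:
        verdict = (True, "session control")
    elif op not in VIEW_RETRIEVE_OPS:
        # Covers STOR/APPE/DELE/RNFR/MKD/RMD and, above all, RCMD: no CL commands.
        verdict = (False, f"{op} is not a view or retrieve subcommand")
    else:
        target = _resolve(cwd, arg) if arg else cwd
        verdict = ((True, "inside public directory") if _inside_public(target)
                   else (False, f"{target} is outside {PUBLIC_DIR}"))
    log.record("ALLOW" if verdict[0] else "DENY", user, op, arg, verdict[1])
    return verdict
```

The deny-by-default shape matters more than the particular sets: anything not explicitly recognised as view, retrieve or session control is refused, so a subcommand the author did not think of (or a later server addition) cannot slip through, and a path is only accepted after normalisation has removed every ".." component.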
Related concepts
Getting to know iSeries Navigator
“Request validation exit point: client and server” on page 94
The request validation exit points can be used to restrict operations that can be performed by FTP users.
Related reference
“File Transfer Protocol exit programs” on page 93
You can use File Transfer Protocol (FTP) exit programs to secure FTP. The FTP server communicates with each exit program through a specific exit point. This topic includes parameter descriptions and code examples.
“FTP server logon exit point” on page 105
You can control the authentication to a TCP/IP application server with the TCP/IP Application Server Logon exit point. This exit point allows FTP server access based on the originating session's address. It also allows you to specify an initial working directory that is different from those that are in the user profile.
Creating an i5/OS user profile: ANONYMOUS
To prevent anyone from signing on to the i5/OS operating system directly with the user profile ANONYMOUS, create a user profile named ANONYMOUS and assign it a password of *NONE. You can create this profile using iSeries Navigator.
1. In iSeries Navigator, expand Users and Groups.
2. Right-click All Users and select New Users.
3. On the New Users panel, enter the following information: User name = ANONYMOUS and Password = No password.
4. Click the Jobs button and select the General tab.
5. On the General tab, assign the current library and home directory that the anonymous user should use.
6. Click OK and complete any other settings.
7. Click Add to create the profile.
Creating a public library or directory
After creating anonymous users, you might want to create a public library or directory for them to use. Typically, anonymous users should only be able to access public files.
It is suggested that you restrict anonymous users to a single library or a single directory tree that contains only "public" files.
1. Create the public libraries or directories that will contain files accessible through anonymous File Transfer Protocol (FTP).
2. Load your public libraries or directories with the public-access files.
3. Set the public libraries or directories and file authorities to PUBLIC *USE.
Installing and registering exit programs
You can create a library to contain your exit programs and their log files, compile the programs, and register them for use by the File Transfer Protocol (FTP) server.
Related concepts
“Managing access using File Transfer Protocol exit programs” on page 24
You can provide additional security by adding FTP exit programs to the File Transfer Protocol (FTP) server and client exit points, so that you can further restrict FTP access to your system.
Related tasks
“Removing exit programs” on page 128
When you no longer need an exit program, you can remove it from the Work with Exit Programs display.
Related reference
“File Transfer Protocol exit programs” on page 93
You can use File Transfer Protocol (FTP) exit programs to secure FTP. The FTP server communicates with each exit program through a specific exit point. This topic includes parameter descriptions and code examples.
Installing exit programs:
To install exit programs for your i5/OS File Transfer Protocol (FTP), you need to create a library to contain the exit programs and their log files, compile your exit programs into that library, and grant PUBLIC *EXCLUDE authority to the library, program, and file objects.
The FTP server application adopts authority when necessary to resolve and call the exit program.
Registering exit programs:
You must register your exit programs before they take effect. Use the Work with Registration Information (WRKREGINF) command to register your exit programs on your i5/OS FTP server.
To register your exit programs, follow these steps:
1. At the character-based interface, enter WRKREGINF.
2. Locate the entry for the exit point and format you are registering:
   Exit point              Format
   QIBM_QTMF_SVR_LOGON     TCPL0100
   QIBM_QTMF_SVR_LOGON     TCPL0200
   QIBM_QTMF_SVR_LOGON     TCPL0300
   QIBM_QTMF_SERVER_REQ    VLRQ0100
3. Enter 8 in the Opt field to the left of the exit point entry and press Enter.
4. At the Work with Exit Programs display, enter a 1 (add).
5. Enter the name of the exit program in the Exit Program field.
6. Enter the name of the library that contains the exit program in the Library field.
7. Press Enter.
8. End and restart the FTP server to ensure that all FTP server instances use the exit programs.
9. Test your exit programs thoroughly.
Note: Exit programs take effect as soon as the FTP server requests a new FTP session. Sessions that are already running are not affected.
Securing File Transfer Protocol
You can protect your data by securing FTP with Secure Sockets Layer (SSL), monitoring File Transfer Protocol (FTP) users, and managing user access to FTP functions.
If you use your system as an FTP server on the Internet, it is accessible to the entire world. Therefore, attention to FTP security is necessary to ensure that vital business data stored on your system is not compromised.
Related concepts
“Configuring the File Transfer Protocol server” on page 8
You can configure your File Transfer Protocol (FTP) server to work with graphical FTP clients, Web browsers, and Web tools.
Preventing File Transfer Protocol server access
You can block the File Transfer Protocol (FTP) port to disable any FTP access to your system. If you do not want anyone to use FTP to access your system, you should prevent the FTP server from running.
Preventing the File Transfer Protocol server from starting automatically
One way to secure your File Transfer Protocol (FTP) is to prevent the FTP server from starting automatically.
To prevent FTP server jobs from starting automatically when you start TCP/IP, follow these steps:
1. In iSeries Navigator, expand your system → Network → Servers → TCP/IP.
2. Right-click FTP and select Properties.
3. Deselect Start when TCP/IP starts.
Preventing access to File Transfer Protocol ports
One way to secure your File Transfer Protocol (FTP) is to prevent access to the FTP ports.
To prevent FTP from starting, and to prevent someone from associating a user application (such as a socket application) with the port that the system normally uses for FTP, follow these steps:
1. In iSeries Navigator, expand your system → Network → Servers → TCP/IP.
2. Right-click TCP/IP Configuration and select Properties.
3. In the TCP/IP Configuration Properties window, click the Port Restrictions tab.
4. On the Port Restrictions page, click Add.
5. Specify the following:
v User name: Specify a user profile name that is protected on your system. (A protected user profile is a user profile that does not own programs that adopt authority and does not have a password that is known by other users.) By restricting the port to a specific user, you automatically exclude all other users.
v Starting port: 20
v Ending port: 21
v Protocol: TCP
6. Click OK to add the restriction.
7. On the Port Restrictions page, click Add and repeat the procedure for the UDP protocol.
8. Click OK to save your port restrictions and close the TCP/IP Configuration Properties window.
Notes:
v The port restriction takes effect the next time that you start TCP/IP. If TCP/IP is active when you set the port restrictions, you should end TCP/IP and start it again.
v The Internet Assigned Numbers Authority (IANA) Web site provides information about assigned port numbers at http://www.iana.org.
v If ports 20 or 21 are restricted to a user profile other than QTCP, attempting to start the FTP server will cause it to end immediately with errors.
v This method works only for completely restricting an application such as the FTP server. It does not work for restricting specific users. When a user connects to the FTP server, the request initially uses the QTCP profile. The system changes to the individual user profile after the connection is successful. Every user of the FTP server therefore uses QTCP's authority to the port.
Controlling File Transfer Protocol access
If you are using File Transfer Protocol (FTP), you need to control users to protect your data and network. This topic offers tips and security considerations.
If you want to allow FTP clients to access your system, be aware of the following security concerns:
v Your object authority scheme might not provide detailed enough protection when you allow FTP on your system. For example, when a user has the authority to view a file (*USE authority), the user can also copy the file to a PC or to another system. You might want to protect some files from being copied to another system.
v You can use FTP exit programs to restrict the FTP operations that users can perform. You can use the FTP request validation exit to control what operations you allow. For example, you can reject GET requests for specific database files.
v You can use the server logon exit point to authenticate users who log on to the FTP server. Configuring anonymous FTP describes how to use exit programs to set up support for anonymous FTP on your system.
v Unless you use Transport Layer Security (TLS) or Secure Sockets Layer (SSL), FTP passwords are not encrypted when they are sent between the client system and the server system. Depending on your connection methods, your system might be vulnerable to password theft through line sniffing.
v If the QMAXSGNACN system value is set to 1, the QMAXSIGN system value applies to TELNET but not to FTP. If QMAXSGNACN is set to 2 or 3 (values which disable the profile if the maximum sign-on count is reached), FTP logon attempts are counted. In this case, an attacker can mount a denial-of-service attack through FTP by repeatedly attempting to log on with an incorrect password until the user profile is disabled.
v For each unsuccessful attempt, the system writes message CPF2234 to the QHST log. You can write a program to monitor the QHST log for the message. If the program detects repeated attempts, it can end the FTP servers.
v You can use the Inactivity timeout (INACTTIMO) parameter on the FTP configuration to reduce the exposure when a user leaves an FTP session unattended. Be sure to read the documentation or online help to understand how the INACTTIMO parameter and the connection timer (for system startup) work together.
Note: The Time-out interval for inactive jobs (QINACTITV) system value does not affect FTP sessions.
v When you use FTP batch support, the program must send both the user ID and the password to the system. Either the user ID and password must be coded in the program, or the program must retrieve them from a file. Both of these options for storing passwords and user IDs represent a potential security exposure. If you use FTP batch, you must ensure that you use object security to protect the user ID and password information. You should also use a single user ID that has limited authority on the target system. It should have only enough authority to perform the function that you want, such as file transfer.
v FTP provides remote-command capability, just as advanced program-to-program communications (APPC) and iSeries Access for Windows® do. The RCMD (Remote Command) FTP-server subcommand is the equivalent of having a command line on the system. Before you allow FTP, you must ensure that your object security scheme is adequate. You can also use the FTP exit program to limit or reject attempts to use the RCMD subcommand. FTP exit programs describes this exit point and provides sample programs.
v A user can access objects in the integrated file system with FTP. Therefore, you need to ensure that your authority scheme for the integrated file system is adequate when you run the FTP server on your system.
v A popular attacker activity is to set up an unsuspecting site as a repository for information. Sometimes the information might be illegal or pornographic. If an attacker gains access to your site through FTP, the attacker uploads this undesirable information to your system and then informs other attackers of your FTP address. They, in turn, access your system with FTP and download the undesirable information.
You can use the FTP exit programs to protect against this type of attack. For example, you might direct all requests to upload information to a directory that is write-only. This defeats the attacker's objective, because the attacker's associates will not be able to download the information in the directory.
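The following Python monitor is an added illustration of the QHST-watching program suggested above for the QMAXSGNACN denial-of-service case; it is not an IBM program. It counts CPF2234 messages per user profile inside a sliding time window and reports the profiles being guessed at before QMAXSIGN can disable them. The sample lines are constructed, and their layout (message ID, timestamp, text, source address) is an assumed simplification of what DSPLOG shows on a real system; the regular expression must be adapted to the actual output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple

# Added illustration of a QHST monitor for CPF2234; not IBM code. The line
# layout below is a constructed simplification and is an assumption.
_CPF2234_RE = re.compile(
    r"^CPF2234\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"Password not correct for user profile (?P<user>\S+) from (?P<addr>\S+)$"
)

# Constructed sample: five failures against QUSER inside ten seconds, one
# unrelated message, and two widely separated failures against QSECOFR.
SAMPLE_QHST = """\
CPF2234 2007-09-17 08:00:01 Password not correct for user profile QUSER from 192.0.2.55
CPF2234 2007-09-17 08:00:03 Password not correct for user profile QUSER from 192.0.2.55
CPF1164 2007-09-17 08:00:04 Job 123456/QTCP/QTFTP00123 ended
CPF2234 2007-09-17 08:00:05 Password not correct for user profile QUSER from 192.0.2.55
CPF2234 2007-09-17 08:00:06 Password not correct for user profile QSECOFR from 198.51.100.7
CPF2234 2007-09-17 08:00:07 Password not correct for user profile QUSER from 192.0.2.55
CPF2234 2007-09-17 08:00:09 Password not correct for user profile QUSER from 192.0.2.55
CPF2234 2007-09-17 09:30:00 Password not correct for user profile QSECOFR from 198.51.100.7
"""

Alert = Tuple[str, datetime, datetime, int]   # profile, first failure, last failure, count


def detect_password_guessing(lines: Iterable[str], threshold: int = 5,
                             window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Raise one alert per profile that accumulates `threshold` CPF2234
    messages inside any sliding `window`."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted: Set[str] = set()
    alerts: List[Alert] = []
    for line in lines:
        m = _CPF2234_RE.match(line)
        if not m:
            continue                        # other QHST messages are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["user"]]
        q.append(ts)
        while ts - q[0] > window:           # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and m["user"] not in alerted:
            alerted.add(m["user"])
            alerts.append((m["user"], q[0], ts, len(q)))
    return alerts


def response_command(alerts: List[Alert]) -> Optional[str]:
    """The action the text suggests: end the FTP servers. The CL command is
    returned rather than executed so the monitor can be tested off-system."""
    return "ENDTCPSVR SERVER(*FTP)" if alerts else None
```

Set the threshold below the QMAXSIGN value so the monitor reacts before the profile is disabled, and keep the alert per profile rather than per address: an attacker who rotates source addresses still trips it, and the profile, not the address, is what QMAXSGNACN acts on.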
Related concepts
“Configuring anonymous File Transfer Protocol” on page 12
Anonymous File Transfer Protocol (FTP) enables remote users to use the FTP server without an assigned user ID and password.
Related reference
“FTP server logon exit point” on page 105
You can control the authentication to a TCP/IP application server with the TCP/IP Application Server Logon exit point. This exit point allows FTP server access based on the originating session's address. It also allows you to specify an initial working directory that is different from those that are in the user profile.
“Running File Transfer Protocol in unattended mode using a batch job” on page 32
In addition to running the FTP client interactively, you can run the FTP client in an unattended mode. This topic provides a simple example and a complex example of the batch FTP method.
“File Transfer Protocol exit programs” on page 93
You can use File Transfer Protocol (FTP) exit programs to secure FTP. The FTP server communicates with each exit program through a specific exit point. This topic includes parameter descriptions and code examples.
Related information
Using Secure Sockets Layer to secure the File Transfer Protocol server
With Secure Sockets Layer (SSL) you can eliminate the exposure of transmitting passwords and data in the clear when using the File Transfer Protocol (FTP) server with an FTP client that also uses SSL. The FTP server provides enhanced security while sending and receiving files over an untrusted network. The FTP server uses SSL to secure passwords and other sensitive data during an information exchange. The FTP server supports either SSL- or TLS-protected sessions, including client authentication and automatic sign-on.
Most SSL-enabled applications connect a client to separate TCP ports, one port for unprotected sessions and the other for secure sessions. However, secure FTP is a bit more flexible. A client can connect to a non-encrypted TCP port (typically TCP port 21) and then negotiate authentication and encryption options. A client can also choose a secure FTP port (typically TCP port 990), where connections are assumed to be SSL. The FTP server provides both of these options.
Before you configure the FTP server to use SSL, you must install the prerequisite programs and set up digital certificates on your system.
Note: Create a local certificate authority (CA), or use Digital Certificate Manager (DCM) to configure the FTP server to use a public certificate for SSL.
Related concepts
Secure Sockets Layer (SSL)
SSL concepts
Prerequisite programs
“Securing FTP clients with Transport Layer Security or Secure Sockets Layer” on page 22
You can use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) connections to encrypt data transferred over File Transfer Protocol (FTP) control and data connections.
Related tasks
Setting up digital certificates
Using a public certificate
Creating a local certificate authority
You can use the IBM Digital Certificate Manager (DCM) to create and operate a local certificate authority (CA) on your system. A local CA enables you to issue private certificates for applications that run on your system.
To use DCM to create and operate a local CA on the system, follow these steps:
1. Start IBM Digital Certificate Manager. If you need to obtain or create certificates, or set up or change your certificate system, do so now.
2. In the navigation frame of DCM, select Create a Certificate Authority (CA) to display a series of forms. These forms guide you through the process of creating a local CA and completing other tasks needed to begin using digital certificates for SSL, object signing, and signature verification.
3. Complete all the forms that are displayed. There is a form for each of the tasks that you need to perform to create and operate a local CA on the system. By completing these forms, you can do the following actions:
a. Choose how to store the private key for the local CA certificate. This step is included only if you have an IBM 4758-023 PCI Cryptographic Coprocessor installed on your system. If your system does not have a cryptographic coprocessor, DCM automatically stores the certificate and its private key in the local CA certificate store.
c. Install the local CA certificate on your PC or in your browser. This enables software to recognize the local CA and validate certificates that the CA issues.
d. Choose the policy data for your local CA.
e. Use the new local CA to issue a server or client certificate that applications can use for SSL connections. If you have an IBM 4758-023 PCI Cryptographic Coprocessor installed on the system, this step allows you to select how to store the private key for the server or client certificate. If your system does not have a coprocessor, DCM automatically places the certificate and its private key in the *SYSTEM certificate store. DCM creates the *SYSTEM certificate store as part of this task.
f. Select the applications that can use the server or client certificate for SSL connections.
Note: Be sure to select the application ID for the i5/OS FTP Server (QIBM_QTMF_FTP_SERVER).
g. Use the new local CA to issue an object signing certificate that applications can use to digitally sign objects. This creates the *OBJECTSIGNING certificate store, which you use to manage object signing certificates.
Note: Although this scenario does not use object signing certificates, be sure to complete this step. If you cancel at this point in the task, the task ends and you must perform separate tasks to complete your SSL certificate configuration.
h. Select the applications that you want to trust the local CA.
Note: Be sure to select the application ID for the i5/OS FTP Server (QIBM_QTMF_FTP_SERVER).
Related tasks
Starting Digital Certificate Manager
Managing user certificates
Using APIs to programmatically issue certificates to non-System i users
Obtaining a copy of the private CA certificate
Associating a certificate with the File Transfer Protocol server
If you did not assign a certificate to the File Transfer Protocol (FTP) server application during the creation of the local certificate authority (CA), or if you have configured your system to request a certificate from a public CA, you need to associate the certificate with the FTP server.
To associate a certificate with your FTP server, follow these steps:
1. Start IBM Digital Certificate Manager. If you need to obtain or create certificates, or otherwise set up or change your certificate system, do so now. See Configuring DCM for information about setting up a certificate system.
2. Click the Select a Certificate Store button.
3. Select *SYSTEM. Click Continue.
4. Enter the appropriate password for the *SYSTEM certificate store. Click Continue.
5. When the left navigational menu reloads, expand Manage Applications.
6. Click Update certificate assignment.
7. On the next screen, select Server application. Click Continue.
8. Click i5/OS TCP/IP FTP Server.
9. Click Update Certificate Assignment to assign a certificate to this FTP server.
10. Select a certificate from the list to assign to the server.
11. Click Assign New Certificate.
12. DCM reloads to the Update Certificate Assignment page with a confirmation message. When you are finished setting up the certificates for the FTP server, click Done.
Related tasks
Starting Digital Certificate Manager
“Enabling Secure Sockets Layer on the File Transfer Protocol server”
Enabling Secure Sockets Layer (SSL) on the File Transfer Protocol (FTP) server provides more security features for your FTP server.
Requiring client authentication for the File Transfer Protocol server
If you need the File Transfer Protocol (FTP) server to authenticate clients, you can change the application specifications in IBM Digital Certificate Manager (DCM). This step is optional.
Note: The FTP server can authenticate clients, but the i5/OS FTP client cannot present a client certificate. You can require client authentication, but doing so excludes connections from i5/OS FTP clients.
If an FTP client connects and client authentication is enabled for the FTP server, the client must still send a USER subcommand. After the USER subcommand information is sent, the FTP server checks that the user matches the profile associated with the client certificate sent during the SSL handshake. If the user matches the client certificate, no password is needed and the FTP server logs the user on to the system. The USER subcommand is needed because there is no mechanism in the FTP protocol to inform the client that it is logged on without the command.
1. Start IBM Digital Certificate Manager. If you need to obtain or create certificates, or otherwise set up or change your certificate system, do so now. See Configuring DCM for information about setting up a certificate system.
2. Click the Select a Certificate Store button.
3. Select *SYSTEM. Click Continue.
4. Enter the appropriate password for the *SYSTEM certificate store. Click Continue.
5. When the left navigational menu reloads, expand Manage Applications.
6. Click Update application definition.
7. On the next screen, select Server application. Click Continue.
8. Click i5/OS TCP/IP FTP Server.
9. Click Update Application Definition.
10. In the table that displays, select Yes to require client authentication.
11. Click Apply.
12. DCM reloads to the Update Application Definition page with a confirmation message. When you are finished updating the application definition for the FTP server, click Done.
Related tasks
Starting Digital Certificate Manager
Enabling Secure Sockets Layer on the File Transfer Protocol server
Enabling Secure Sockets Layer (SSL) on the File Transfer Protocol (FTP) server provides more security features for your FTP server.
Perform the following steps to enable SSL on the FTP server:
1. In iSeries Navigator, expand your system → Network → Servers → TCP/IP.
2. Right-click FTP.
3. Select Properties.
4. Select the General tab.
5. Choose one of these options for SSL support:
v Secure only
Select this to allow only SSL sessions with the FTP server. Connections can be made to the non-secure FTP port, but the FTP client must negotiate an SSL session before the user is allowed to log in.
v Non-secure only
Select this to prohibit secure sessions with the FTP server. Attempts to connect to an SSL port will not connect.
v Both secure and non-secure
Allows both secure and non-secure sessions with the FTP server.
Note: You do not need to restart the FTP server. It will dynamically detect that a certificate has been assigned to it. If it does not dynamically detect this change, verify that you have the latest PTFs applied to your system.
Related tasks
“Associating a certificate with the File Transfer Protocol server” on page 20
If you did not assign a certificate to the File Transfer Protocol (FTP) server application during the creation of the local certificate authority (CA), or if you have configured your system to request a certificate from a public CA, you need to associate the certificate with the FTP server.
Securing FTP clients with Transport Layer Security or Secure Sockets Layer
You can use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) connections to encrypt data transferred over File Transfer Protocol (FTP) control and data connections.
The primary reason for encryption on the control connection is to conceal the password when logging on to the FTP server.
Before using the FTP client to make secure connections to FTP servers, you must use DCM to configure trusted certificate authorities for the FTP client. Any certificate authorities that were used to create certificates assigned to FTP servers that you want to connect to must be added. Exporting or importing certificate authority (CA) certificates might be required depending on the CAs used.
If you choose TLS or SSL encryption for the control connection, the FTP client will by default also encrypt the data sent on the FTP data connection. The FTP protocol does not allow you to have a secure data connection without a secure control connection.
Encryption can have a significant performance cost and can be bypassed on the data connection. This allows you to transfer non-sensitive files without decreasing performance and still protect the system's security by not exposing passwords.
The FTP client has parameters on the STRTCPFTP CL command and subcommands (SECOpen and SECData) that are used as part of the TLS or SSL support.
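The following Python state machine is an added model, not the i5/OS server's code or any IBM example, of the control-connection rules described in "Enabling Secure Sockets Layer on the File Transfer Protocol server" (the Secure only, Non-secure only and Both settings) and in this topic (explicit negotiation on the non-secure port versus an implicit SSL port, and a data connection that can only be protected once the control connection is). Reply codes follow the RFC 4217 and RFC 2228 conventions; the exact replies of the i5/OS server, and the port numbers 21 and 990, are assumptions.

```python
from typing import Optional, Tuple

# Added model of the three SSL settings and of explicit versus implicit TLS on
# the FTP control connection. Not the i5/OS server's code; reply codes follow
# RFC 4217 / RFC 2228 and the port numbers are assumptions.
SECURE_ONLY, NON_SECURE_ONLY, BOTH = "secure only", "non-secure only", "both"
FTP_PORT, FTPS_PORT = 21, 990            # typical explicit and implicit ports


class FtpControlSession:
    def __init__(self, policy: str, port: int = FTP_PORT) -> None:
        self.policy = policy
        self.tls = port == FTPS_PORT      # implicit: SSL is assumed from the first byte
        self.pbsz_done = False
        self.logged_in = False
        self.data_protection = "C"        # data connection stays clear until PROT P
        self.user: Optional[str] = None

    def accept_connection(self) -> bool:
        """Implicit connections are refused outright under 'non-secure only'."""
        return not (self.tls and self.policy == NON_SECURE_ONLY)

    def handle(self, command: str) -> Tuple[int, str]:
        """Apply one control-connection command and return the reply."""
        verb, _, arg = command.strip().partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            if self.policy == NON_SECURE_ONLY:
                return 534, "Request denied for policy reasons"
            if arg.upper() not in ("TLS", "SSL"):
                return 504, "Unknown security mechanism"
            self.tls = True                            # the TLS handshake happens here
            return 234, "AUTH command OK; starting TLS"
        if verb == "USER":
            if self.policy == SECURE_ONLY and not self.tls:
                return 530, "Must negotiate SSL before login"   # 'Secure only' rule
            self.user = arg
            return 331, "Password required"
        if verb == "PASS":
            if self.user is None:
                return 503, "Login with USER first"
            self.logged_in = True
            return 230, "Login OK"
        if verb == "PBSZ":
            if not self.tls:
                return 503, "PBSZ requires a secure control connection"
            self.pbsz_done = True
            return 200, "PBSZ=0"
        if verb == "PROT":
            if not self.pbsz_done:
                return 503, "PBSZ must precede PROT"
            if arg.upper() not in ("C", "P"):
                return 536, "Requested PROT level not supported"
            self.data_protection = arg.upper()    # 'C' keeps the data connection clear
            return 200, f"Data protection level set to {arg.upper()}"
        return 502, "Command not implemented in this model"
```

The two constraints worth noticing are that PROT is reachable only through PBSZ, which is itself reachable only after TLS, so a protected data connection on a clear control connection is impossible by construction, and that under Secure only the refusal happens at USER rather than at connect time, so a clear-text connection to port 21 is accepted but never reaches the password.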
Specifying Transport Layer Security or Secure Sockets Layer protection for the i5/OS FTP client
Control connection
TLS/SSL protection can be specified on the STRTCPFTP command and the SECOPEN subcommand.
For the STRTCPFTP (FTP) command, specify *SSL for the SECCNN secure connection parameter to request a secure control connection. Also, you might be able to specify *IMPLICIT to obtain a secure connection on a pre-defined server port number.
Within your FTP client session, the SECOPEN subcommand can be used to obtain a secure control connection.
Data connection