Hi Steve,

I'm sorry, I missed the beginning of this thread. It sounds like you're having a problem that the i5/OS SSL engine is not trusting someone's certificate? I.e. you're getting an error like "certificate not trusted" or "the issuer is not in the certificate store" or something like that?

I like to use the OpenSSL tools to troubleshoot problems like this. I don't know if you have OpenSSL installed somewhere, but if not, I've stuck a Windows version of the program you need on my web server:

http://www.scottklement.com/tools/openssl.exe

Download that exe to a folder on your PC, then open up a command prompt (MS-DOS Window) and run the program like this:

openssl s_client -showcerts -connect ftp.example.com:990

(the 990 in the preceding example is the port number. If you're using a different port number, supply that instead.)

The openssl tool will attempt to connect and establish an SSL connection. It will print various diagnostics, including the server's certificate and the issuer's certificate. (server certificate first, then issuer). When you're done, press Ctrl-C to exit the tool.

The issuer's certificate can be copy/pasted into a file in the IFS, and then installed into the digital certificate manager. This is an easy way to find out who the issuer is, and make sure you have the correct issuer certificate.

Make sure you install it as a CA (Certificate Authority) certificate. After you've installed it, use the Verify option in the i5/OS digital certificate manager to make sure it's valid, and then go to the "manage applications" section and make sure that the FTP client trusts the certificate.

You do not need (or want) to install the actual server certificate -- just the issuer (i.e., certificate authority). The server's certificate is automatically sent to you when you connect. It's the issuer that's important, since the SSL engine needs to verify that the server certificate is valid, and it does that by verifying that it matches the issuer.

Hope that helps.


Steve McKay wrote:
How can I determine 'who' is the signer of the certificate?

BTW - The certificate that I was sent (from WS-FTP Server) is
identical to the certificate that I exported from my copy of WS-FTP
Pro
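
Added example, not part of the original post: a Python script that takes saved `openssl s_client -showcerts` output and separates the issuer certificate(s) from the server's own certificate, so only the CA certificate is installed. The function name `issuer_certs`, the `issuer-N.pem` file names and the sample text are assumptions made for this illustration; the sample certificates are placeholders.

```python
import re

# Constructed sample of `openssl s_client -showcerts` output. Names and
# base64 bodies are placeholders, not real certificates.
SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Corp/CN=ftp.example.com
   i:/C=US/O=Example CA/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERSERVERCERT0000
-----END CERTIFICATE-----
 1 s:/C=US/O=Example CA/CN=Example Issuing CA
   i:/C=US/O=Example CA/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERISSUERCERT1111
-----END CERTIFICATE-----
"""

# One chain entry: "<depth> s:<subject>", "i:<issuer>", optional extra
# "x:..." lines printed by newer OpenSSL builds, then the PEM block.
ENTRY = re.compile(
    r"^ *(\d+) s:([^\n]*)\n +i:([^\n]*)\n(?: +\w:[^\n]*\n)*"
    r"(-----BEGIN CERTIFICATE-----\n[\s\S]*?-----END CERTIFICATE-----)",
    re.M,
)

def issuer_certs(text):
    """Return every chain entry except the server's own certificate (depth 0)."""
    chain = [
        {"depth": int(d), "subject": s.strip(), "issuer": i.strip(), "pem": p + "\n"}
        for d, s, i, p in ENTRY.findall(text)
    ]
    if len(chain) < 2:
        raise ValueError("server sent no issuer certificate; get it from the CA")
    for prev, cert in zip(chain, chain[1:]):
        # The entry should be the signer named by the certificate before it.
        cert["matches_previous_issuer"] = cert["subject"] == prev["issuer"]
        # Subject == issuer: self-issued, typically a root CA certificate.
        cert["self_signed"] = cert["subject"] == cert["issuer"]
    return chain[1:]

if __name__ == "__main__":
    for cert in issuer_certs(SAMPLE):
        name = "issuer-%d.pem" % cert["depth"]
        with open(name, "w") as fh:
            fh.write(cert["pem"])
        print(name, cert["subject"], "self-signed" if cert["self_signed"] else "")
```

Because the chain comes from the server being checked, compare the extracted certificate's fingerprint with the one the CA publishes before installing it as a trusted CA.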


