You got it right, Greg. With most TCPIP using SSL/TLS you need to import
the CA(s) used by the server system so your IBM i "trusts" the certificate
(to be more specific, it makes your system trust the issuers of the
certificate... ie.. the Certificate Authority).

Some applications have the ability to bypass that "trust" check (GETURI,
HTTPAPI, MAILTOOL, etc)... but system ones like FTP most likely don't.

On Wed, Apr 6, 2022 at 3:26 PM Greg Wilburn <
gwilburn@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

I am using the IBM i FTP client to connect to an external server for the
data transfer.

As far as getting the CA certificates in DCM, I'm not sure how/when we
installed this particular CA. We are not installing specific certificate
chains... just the CA certificate (which was already on there).

Keep in mind that my understanding here is very limited.

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
Pete Helgren
Sent: Tuesday, April 5, 2022 1:23 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: CA Certificates

Let me follow up with my follow up.

IBM i as a client. A client to what, exactly? You are accessing the
FTP server securely and using a certificate in that handshake? Or, are
you using ftp to pull back a certificate that is then used for securely
connecting to something else?

I may have lost the thread somewhere.....apologies for following the
wrong understanding.....

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
AWS Certified Cloud Practitioner
Microsoft Certified: Azure Fundamentals
Twitter - Sys_i_Geek IBM_i_Geek

On 4/5/2022 12:15 PM, Pete Helgren wrote:
My guess is that at some point, maybe already, IBM will have the LE
roots installed and maintained by them as they do other well-known CA
roots.

So, if the renewal is "automatic" and you FTP back to IBM i, then all
you need to do is to point to the IFS location and use "renew"
manually in the old DCM. At some point, I am going to get the DCM API
working and will share the implementation, as well as use it in my
servlet and update Jesse's repo. Then you might be able to leverage
it in a script to automate the whole tamale.

In my particular case, I have a few wildcard certs so have to use the
DNS-01 Challenge type to renew. I have automated that step of
generating the TXT record in GoDaddy as well. Just need to get that
"import/renew" feature of the DCM API figured out.

You said: "I just need the IBM i to accept the new cert from within
the FTP client." I am not sure what your expectation is with that
statement. There are only two ways I can think of to get a new
certificate updated in DCM: The manual method of using the DCM UI to
select and import the file. Or, using the DCM API to directly import
the file (which I am try to get to work). How are you updating DCM
currently?

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
AWS Certified Cloud Practitioner
Microsoft Certified: Azure Fundamentals
Twitter - Sys_i_Geek IBM_i_Geek

On 4/5/2022 8:58 AM, Greg Wilburn wrote:
Thanks!

The CA I'm working with is Let's Encrypt!

Just to be clear... this is for the IBM i as the CLIENT, not the server.
Our external FTP server is hosted somewhere in the fog (I mean
cloud), and is using Let's Encrypt to auto-renew the certificate
before it expires every 90 days (it has yet to work). I just need
the IBM i to accept the new cert from within the FTP client.

I have the root certificates installed and enabled, but they expire
in 2025.

Greg
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.