8 V5 TCP/IP Applications on the IBM Eserver iSeries Server
Figure 1-4 iSeries Navigator - FTP Properties: Configure FTP to run in a user created subsystem
The FTP server should be ended and restarted in order to run in the newly selected subsystem.
1.3 Security enhancements
As mentioned earlier in the chapter, many of the enhancements to FTP have been in the area
of security. When the iSeries is accessed through the FTP server, the data that resides on the
iSeries has always been protected by the normal OS/400 safeguards such as user IDs,
passwords, and object authorities. If more security is required, exit points are provided to
allow administrators to define restrictions based on users, groups, addresses, or other types of
criteria. At a lower level, IP filter rules can be employed to screen access to the server
altogether. The V5 implementation of FTP adds several new methods of securing FTP
(described below and in the sections that follow):
- Secure Socket Layer (SSL)/Transport Layer Security (TLS) support for FTP server: At
  V5R1 the FTP server can be secured using digital certificates.
- Client authentication (when SSL/TLS is configured): Starting with V5R1, the FTP server
  can also be configured to require client authentication via digital certificates.
- Secure Socket Layer (SSL)/Transport Layer Security (TLS) support for FTP client: At
  V5R2 the FTP client was enhanced to use digital certificates to secure file transfers.
- Restrict FTP functions via iSeries Navigator: Starting with V5R1, iSeries Navigator can be
  used to restrict FTP server and client functions globally, on a user profile, or on a group
- OS/400 security: Server logon exit points were modified to take advantage of the 128
Chapter 1. File Transfer Protocol 9
1.3.1 iSeries FTP server: SSL/TLS secure connections
The FTP server can now provide enhanced security when sending and receiving files over
an untrusted network. The iSeries FTP server has been enabled to provide a secure
connection using SSL/TLS. RFC 2228 provides the framework for secure FTP. By
default, the iSeries FTP server listens for secure connections on TCP port 990.
The following FTP subcommands have been added to the FTP server:
- AUTH - Defines the authentication/security mechanism that is used for the current FTP
- PBSZ - Defines the largest buffer size to be used for application-level encoded data sent or
  received on the data connection.
- PROT - Defines the protection used for FTP data connections, which are used to transmit
  directory listings and file data.
To use SSL for FTP connections, a digital certificate must be assigned to the FTP server.
Digital Certificate Manager is used to associate the digital certificate with the FTP server.
The FTP server can be configured to listen for connections in three ways, shown in Table 1-1.
Table 1-1 FTP Connection options
An FTP client can connect directly to a secure FTP port, in which case the session is set up
with SSL initially, or the client may connect to the FTP server on the regular non-encrypted port
and then negotiate authentication and encryption options.
For instructions about setting up a secure FTP data transfer between two iSeries, refer to
“Transferring files using secure FTP” on page 136.
1.3.2 iSeries FTP server: Client authentication
When the FTP server is configured to allow secure connections, it can be further configured to
require clients to present a user certificate prior to accessing the iSeries. Once configured
Note: SSL and TLS are compatible protocols that are used to encrypt data. We use both
the SSL acronym and the SSL/TLS acronym to mean the same thing.
| Type of connection allowed | Description |
|---|---|
| Secure connections only | The server listens on both port 990 and port 21. However, if a connection is made to port 21, the user is not allowed to log in unless the client negotiates a secure control connection using the AUTH FTP subcommand (a connection to port 990 has an implied AUTH SSL subcommand in the “state diagram” for the server). Also, anonymous FTP logon is allowed to connect through a non-secure connection (since anonymous FTP requires a customer-written exit program, allowing this exception does not compromise the security of the server). |
| Non-secure connections only | SSL connections are not allowed. That is, the AUTH subcommand is rejected. The server listens on port 21 |
| Both secure and non-secure | Both SSL and non-SSL connections are allowed. The FTP server listens on port 21 and 990. |
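
The login rules of Table 1-1, modelled as a small Python state machine so the three connection options can be compared side by side; this is an added example, not IBM code. The mode names, the functions `simulate` and `cleartext_login_possible`, the reply codes (generic RFC 959 / RFC 2228 values, not replies captured from an iSeries) and the choice to refuse at the USER step are assumptions made for illustration.

```python
# Added example: model of the Table 1-1 connection options (not IBM code).
# Assumption: reply codes are the generic RFC 959 / RFC 2228 values.
OK_AUTH, NEED_PASSWORD, DENIED_POLICY, NOT_LOGGED_IN = 234, 331, 534, 530

# Ports the server listens on in each Table 1-1 mode (mode names are hypothetical).
LISTEN_PORTS = {
    "secure_only": {21, 990},
    "non_secure_only": {21},
    "both": {21, 990},
}


def simulate(mode, port, commands):
    """Return (command, reply code) pairs for a constructed client session.

    `commands` is a list such as ["AUTH SSL", "USER alice"]. Returns None
    when the server does not listen on `port` in this mode.
    """
    if port not in LISTEN_PORTS[mode]:
        return None
    secure = port == 990  # a connection to port 990 has an implied AUTH SSL
    replies = []
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            if mode == "non_secure_only":
                code = DENIED_POLICY  # the AUTH subcommand is rejected
            else:
                secure, code = True, OK_AUTH
        elif verb == "USER":
            anonymous = arg.lower() == "anonymous"
            if mode == "secure_only" and not secure and not anonymous:
                code = NOT_LOGGED_IN  # named user on port 21 without AUTH
            else:
                code = NEED_PASSWORD
        else:
            raise ValueError(f"command not modelled: {cmd}")
        replies.append((cmd, code))
    return replies


def cleartext_login_possible(mode):
    """True when a named user can begin a login on port 21 without AUTH."""
    return simulate(mode, 21, ["USER alice"])[0][1] == NEED_PASSWORD
```

In this model only the "Secure connections only" option keeps a named user's login off an unencrypted port 21 control connection; the other two options accept it.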